Daily Digest

Triofox Zero-Day Exploited In-the-Wild; CMMC Enforcement Begins for DoD Contractors

Triofox Zero-Day Exploited In-the-Wild; CMMC Enforcement Begins for DoD Contractors

November 11, 2025
6 articles (5 new, 1 updated)
18 min read

Summary

This cybersecurity brief for November 11, 2025, covers several critical developments. A zero-day in Gladinet's Triofox (CVE-2025-12480) is being actively exploited for remote code execution. CISA added a zero-click Samsung mobile flaw (CVE-2025-21042) to its KEV catalog following active exploitation. The DoD has officially begun CMMC enforcement for its contractors. Other major incidents include a destructive campaign by the KONNI APT against Android users, and significant data breaches at Nikkei and Hyundai AutoEver.

Filter by Category

New Articles (5)

Critical Triofox Zero-Day Actively Exploited for System-Level Access

CRITICAL

UNC6485 Exploits Critical Triofox Zero-Day (CVE-2025-12480) for Full System Compromise

A critical, unauthenticated remote code execution vulnerability (CVE-2025-12480) in Gladinet's Triofox file-sharing platform is being actively exploited by a threat group tracked as UNC6485. The attackers are bypassing authentication by spoofing HTTP Host headers to 'localhost', allowing them to create rogue administrator accounts. They then abuse a built-in antivirus feature to execute malicious code with SYSTEM-level privileges, leading to full system compromise. Post-exploitation activity includes the deployment of commercial remote access tools like Zoho UEMS and AnyDesk to maintain persistence. Gladinet has released a patch, and organizations are urged to update immediately.

November 11, 2025
5 min read
zero-dayRCEfile sharingauthentication bypassprivilege escalation +2 more
Critical Triofox Zero-Day Actively Exploited for System-Level Access
Vulnerability
Cyberattack
Threat Actor

KONNI APT Weaponizes Google's Find Hub for Destructive Attacks

HIGH

North Korean KONNI APT Abuses Google's Find Hub to Remotely Wipe Android Devices

The North Korea-linked threat group KONNI has been observed in a novel campaign targeting individuals in South Korea. The attackers use social engineering to deploy PC malware that steals Google account credentials. With these credentials, they access the victim's Google account and abuse the legitimate 'Find Hub' service (formerly Find My Device) to track the real-time location of the victim's Android phone and remotely trigger a factory reset, wiping all data. This campaign highlights the group's creativity in weaponizing legitimate services for destructive purposes.

November 11, 2025
5 min read
KONNIAPTdata destructionsocial engineeringcredential theft +2 more
KONNI APT Weaponizes Google's Find Hub for Destructive Attacks
Threat Actor
Cyberattack
Malware

Pentagon Overhauls Cyber Force Model to Boost USCYBERCOM Readiness

INFORMATIONAL

Pentagon Announces New Cyber Force Generation Model to Bolster U.S. Cyber Command Effectiveness

The U.S. Department of War (DoW) has announced a new cyber force generation model aimed at enhancing the operational effectiveness, specialization, and lethality of forces assigned to U.S. Cyber Command (USCYBERCOM). The revised plan is designed to create a more integrated and agile cyber force by streamlining the processes of recruiting, training, and retaining personnel across all military branches. This strategic shift seeks to address emerging cyber threats and deter aggression in the cyber domain more effectively.

November 11, 2025
3 min read
USCYBERCOMDoDcyber policymilitaryworkforce development +1 more
Pentagon Overhauls Cyber Force Model to Boost USCYBERCOM Readiness
Policy and Compliance
Regulatory
Security Operations

Nikkei Slack Breach Exposes Data of 17,000 Users via Stolen Credentials

HIGH

Japanese Media Giant Nikkei Discloses Slack Data Breach Affecting 17,368 Users via Infostealer Malware

Japanese media giant Nikkei Inc., owner of the Financial Times, has disclosed a significant data breach affecting its internal Slack workspace. An attacker gained access using authentication credentials stolen from an employee's personal computer, which was infected with infostealer malware. The incident, which was detected in September 2025, exposed the names, email addresses, and chat histories of 17,368 employees and business partners. The breach highlights the persistent threat of infostealer malware and the security risks associated with credentials stored in web browsers.

November 11, 2025
4 min read
data breachinfostealerSlackcredential theftmedia +1 more
Nikkei Slack Breach Exposes Data of 17,000 Users via Stolen Credentials
Data Breach
Cyberattack
Malware

Hyundai IT Affiliate Discloses Major Data Breach Exposing PII and SSNs

HIGH

Hyundai AutoEver America Notifies Customers of Data Breach Exposing PII, Including Social Security Numbers

Hyundai AutoEver America, the IT services subsidiary of the Hyundai Group, has begun notifying customers of a major data breach that occurred between late February and early March 2025. The incident involved unauthorized access to the company's IT environment, exposing highly sensitive personally identifiable information (PII), including full names, driver's license numbers, and Social Security numbers. While the exact number of victims is unconfirmed, the company's software is used in up to 2.7 million vehicles in North America, indicating a potentially massive scale.

November 11, 2025
4 min read
data breachautomotivePIISSNHyundai
Hyundai IT Affiliate Discloses Major Data Breach Exposing PII and SSNs
Data Breach
Cyberattack
Other

Updated Articles (1)

Cisco Firewalls Under Renewed Assault as New DoS Attack Variant Emerges

CRITICAL

Cisco Issues Urgent Warning as New Attack Variant Exploits Critical ASA and FTD Firewall Vulnerabilities

Update:

New information reveals the exploited Cisco firewall vulnerabilities (CVE-2025-20333, CVE-2025-20362) were originally part of the 'ArcaneDoor' zero-day campaign, attributed to a state-sponsored actor. While the original campaign aimed for full device takeover, a new DoS variant is now actively exploiting these flaws, causing devices to reboot. This variant is believed to be from less sophisticated actors reverse-engineering the original exploits, widening the threat landscape. Despite patches being available since September, nearly 50,000 devices remained unpatched, underscoring the critical need for immediate updates.

November 7, 2025
Updated: November 11, 2025
6 min read
FirewallDoSRCEVulnerabilityCisco +1 more
Cisco Firewalls Under Renewed Assault as New DoS Attack Variant Emerges
Vulnerability
Cyberattack
Patch Management

📢 Share This Publication

Help others stay informed about cybersecurity threats