Security updates

November 2025 security update: Cybercrime scales with cross-border infrastructure

Today’s threat landscape 

AI tools have become a new attack vector 

A newly disclosed exploit in OpenAI’s ChatGPT Atlas browser highlights a serious emerging risk: prompt injection through URLs. Security researchers demonstrated how malicious web pages can embed hidden instructions inside URLs that Atlas automatically interprets when rendering or summarizing content. Once executed, these injected prompts can silently access or leak prior chat history, local data, or connected services - all without traditional malware involvement. 

The implications are significant. As AI browsers and assistants deepen integration with cloud drives, calendars, and corporate systems, they expand the attack surface. A simple click on a “clean-looking” link could now modify future assistant behavior or memory context. 

Organizations adopting AI copilots and browsing assistants should treat these tools like any other untrusted runtime: 

  • Enforce strict URL sanitization and isolate unverified browsing sessions. 
  • Disable memory or data-linking features for users handling sensitive information. 
  • Educate employees that “social engineering” now includes malicious prompt payloads, not just deceptive emails. 

This incident underscores that AI is a new attack vector, and trust boundaries must evolve accordingly. 

Top 3 vulnerabilities 

Operation Zero Disco: A Cisco vulnerability actively exploited 

A serious stack-overflow vulnerability in the SNMP subsystem of devices running Cisco IOS and IOS XE has been actively exploited in a campaign dubbed “Operation Zero Disco.” Attackers have used the vulnerability (CVE-2025-20352 with CVSS score 7.7) to deploy fileless Linux rootkits on network switches, gaining persistence, disabling logging, bypassing authentication, and enabling lateral movement into older Linux systems with limited endpoint protection.

The issue affects several widely deployed switch families, including the 9400, 9300, and legacy 3750G series. Because the vulnerability targets network infrastructure rather than end-user systems, successful exploitation can give threat actors deep, long-term control over critical environments. 

Cisco released a patch weeks ago, but many organizations have yet to apply it. Administrators should treat unpatched devices as potentially compromised and review SNMP activity closely for anomalies.

Risk for perimeter compromise due to critical WatchGuard vulnerability

A critical out-of-bounds write vulnerability (CVE-2025-9242 with CVSS score 9.3) in the IKEv2 process of WatchGuard’s Fireware OS allows unauthenticated remote attackers to execute arbitrary code on affected devices. The vulnerability impacts both mobile user and branch-office VPN setups, particularly those configured with dynamic gateway peers. In some configurations, systems may remain vulnerable even after dynamic peers are removed if static connections persist. With tens of thousands of devices still exposed to the internet, this vulnerability poses a serious risk for perimeter compromise. 

WatchGuard provided Indicators of Attack (IoAs) and additional remediation guidance on Oct. 21st because of potential active exploitation in the wild. Updated firmware has been issued, and organizations are urged to patch immediately, limit IKEv2 exposure, and monitor VPN logs for suspicious inbound connections or configuration changes.

Oracle’s E-Business Suite actively exploited to reach internal systems 

Unauthenticated attackers can make internal HTTP requests and potentially access or manipulate sensitive resources due to a server-side request forgery (SSRF) vulnerability in Oracle E-Business Suite’s Configurator component. The vulnerability (CVE-2025-61884 with CVSS score 7.5), which affects versions 12.2.3 through 12.2.14, allows attackers to leverage SSRF to reach internal systems that would normally be protected by network segmentation, creating opportunities for further compromise.

The vulnerability has been added to the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog after confirmed exploitation in the wild. Oracle has released security updates, and organizations should apply them immediately, restrict external access to the Configurator module, and check logs for unusual outbound HTTP activity from ERP servers.
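The log check recommended above, as an added example that is not from Oracle or from this newsletter's authors: it scans constructed egress-proxy log lines and flags requests that originate from EBS application hosts and go to internal, loopback or link-local addresses, or to destinations outside an allow-list. The log format, the ERP hostnames and the allow-list are assumptions for illustration.

```python
"""Flag outbound HTTP requests from ERP (Oracle EBS) application hosts that look
like SSRF traffic: internal/loopback/link-local destinations or hosts not on
the allow-list. Log format, hostnames and allow-list are constructed assumptions."""
import ipaddress
import re
from urllib.parse import urlparse

ERP_HOSTS = {"ebs-app01", "ebs-app02"}  # hypothetical EBS application tier
ALLOWED_DESTINATIONS = {"updates.example-vendor.test", "payments.example-bank.test"}  # hypothetical
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
# Constructed egress-proxy line: "<ts> src=<host> dst=<ip|host> url=<url> status=<code>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$")

def is_internal(dst: str) -> bool:
    """True if dst is an IP literal in a private, loopback or link-local range."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False  # hostname: judged against the allow-list instead
    return any(addr in net for net in INTERNAL_NETS)

def flag_ssrf_candidates(lines):
    """Return (ts, src, reason, url) for anomalous requests originating from ERP hosts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["src"] not in ERP_HOSTS:
            continue  # unparseable line, or not an ERP host: out of scope here
        host = urlparse(m["url"]).hostname or m["dst"]
        if is_internal(m["dst"]) or is_internal(host):
            findings.append((m["ts"], m["src"], "internal destination", m["url"]))
        elif host not in ALLOWED_DESTINATIONS:
            findings.append((m["ts"], m["src"], "destination not on allow-list", m["url"]))
    return findings

# Constructed sample log lines (not real traffic): lines 2-4 should be flagged,
# line 1 is an allow-listed destination, line 5 is not from an ERP host.
SAMPLE_LOG = [
    "2025-10-20T09:14:02Z src=ebs-app01 dst=203.0.113.10 url=https://updates.example-vendor.test/feed status=200",
    "2025-10-20T09:15:47Z src=ebs-app01 dst=10.0.5.21 url=http://10.0.5.21:8080/admin status=200",
    "2025-10-20T09:16:03Z src=ebs-app02 dst=169.254.169.254 url=http://169.254.169.254/latest/meta-data/ status=200",
    "2025-10-20T09:17:30Z src=ebs-app02 dst=198.51.100.7 url=http://198.51.100.7/x status=404",
    "2025-10-20T09:18:00Z src=hr-portal dst=10.0.5.21 url=http://10.0.5.21/ status=200",
]

if __name__ == "__main__":
    for ts, src, reason, url in flag_ssrf_candidates(SAMPLE_LOG):
        print(f"{ts} {src}: {reason}: {url}")
```

Point `SAMPLE_LOG` at your real proxy or firewall export and tighten `ALLOWED_DESTINATIONS` to what the ERP tier is actually expected to call; any hit on an internal destination from an externally reachable Configurator host deserves a closer look.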

You can read our blog post on the zero-day in Oracle's E-Business Suite (EBS) that was exploited by Clop Group earlier last month.

Industry news 

Operation SIMCARTEL reveals telecom fraud at scale 

Europol, in cooperation with the Shadowserver Foundation, has taken down a major criminal network that was renting out phone numbers for use in online fraud and cybercrime. The group operated a vast network of SIM-boxes across several European countries, giving criminals access to tens of thousands of real phone numbers. These were used to bypass two-factor authentication, create fake online accounts, and carry out voice phishing operations at massive scale. Investigators seized more than 1,200 SIM-box devices and 40,000 SIM cards, linking the operation to thousands of fraudulent accounts and 4.5 million euros in losses. 

The investigation revealed just how professionalized telecom abuse has become. Criminals no longer need to rely on stolen identities or hacked systems - they can now rent legitimacy. By using local numbers, they made scam calls appear genuine and avoided detection by fraud filters designed to spot suspicious traffic. The infrastructure also made it easier to spread operations across borders, allowing different groups to plug into the same “as-a-service” system. 

The Europol takedown is another sign that traditional telecom infrastructure has become deeply entangled with cybercrime. What used to be a technical loophole is now a full-fledged business model - one that merges old-school telephony with modern digital fraud at a global scale.