By security practitioners, for security practitioners

Weekly Top 10: 10.27.2025: Medusa Ransomware Leaks Claimed 834 GB After $1.2m Demand; ‘ToolShell’ Exploitation Campaign Hits Multiple Sectors; E-Business Suite SSRF Zero-Day Actively Exploited, and More.

WEEKLY TOP TEN: October 27, 2025, 16:00 GMT

  1. Medusa Ransomware Leaks Claimed 834 GB After $1.2m Demand

    The Medusa ransomware group published a large trove it claims to have stolen from Comcast, after a reported $1.2 million demand went unmet. The leak—posted as a multi-file archive—arrived weeks after the group first advertised access and attempted to sell the dataset. Comcast did not provide public confirmation at the time of reporting. For defenders, the case illustrates leak-site extortion cadence: teaser posts, price setting, then mass disclosure to amplify pressure. Impacted partners should monitor for credential reuse and targeted phishing.
  2. CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog

    The U.S. Cybersecurity and Infrastructure Security Agency expanded its Known Exploited Vulnerabilities catalog with five new entries, signaling confirmed in-the-wild exploitation and setting binding remediation timelines for federal agencies. The additions covered issues impacting multiple vendor products commonly deployed in enterprise networks. By mandating patch deadlines for government networks, CISA effectively nudged private-sector risk prioritization as well, since many organizations align patch queues to KEV. The update underscores the week’s elevated exploitation tempo and the need to validate exposure, patch levels, and any available compensating controls.
  3. October Updates Break Smart Card Auth Across Windows Fleets

    Microsoft acknowledged that its October security updates introduced changes in Cryptographic Services that broke smart card authentication and certificate operations across Windows 10/11 and Windows Server. Enterprises reported login failures and downstream access issues tied to TLS and certificate mapping, forcing admins to roll back or apply mitigations while awaiting fixes. The disruption affected on-prem and hybrid environments and complicated compliance windows for patching. Microsoft documented the scope and known issues and began issuing guidance to reduce authentication impact until a permanent remedy was available.
  4. ‘ToolShell’ Exploitation Campaign Hits Multiple Sectors

    Suspected China-nexus operators exploited CVE-2025-53770 (ToolShell) in Microsoft SharePoint to target government agencies, universities, telecommunications providers, and financial institutions across four continents. Intrusions leveraged the flaw for code execution, footholds, and follow-on actions. The activity highlights enduring risk from internet-exposed SharePoint and the need for strict patching and external surface reduction. Organizations were urged to apply updates, hunt for persistence, and review web server logs and command execution traces.
  5. Adobe Commerce/Magento ‘SessionReaper’ Actively Exploited at Scale

    E-commerce platforms running Adobe Commerce (Magento) faced active exploitation of CVE-2025-54236 (“SessionReaper”), with hundreds of attack attempts recorded by researchers. The flaw enables account hijacking via REST API abuse, opening paths to order fraud, data theft, and service disruption. Merchants were advised to patch immediately, rotate secrets, invalidate sessions, and audit administrative access and webhook integrations. Web-application firewalls should enforce strict API request validation and rate limits.
  6. Iran-Linked MuddyWater Campaign Pits Phoenix Backdoor V4 Against 100+ Government Orgs

    A new campaign attributed to MuddyWater (aka Static Kitten/Mercury/Seedworm) targeted over 100 government entities, deploying Phoenix backdoor version 4. The operators used regionally familiar social engineering and living-off-the-land techniques to persist and exfiltrate. Victimology skewed toward the Middle East, but tradecraft travels: defenders elsewhere should watch for similar C2 patterns, DLL side-loading, and abused signed binaries. Segmenting sensitive networks and enforcing attack-surface reduction rules reduces blast radius.
  7. UK Ministry of Defence: ICO Defends Decision Not to Probe Afghan Data Leak

    The UK data regulator publicly defended its decision not to investigate the Ministry of Defence over a February 2022 Afghan data breach after reviewing the department’s handling and remediation. The case, which eventually became public when details surfaced on social media, continues to draw scrutiny due to sensitivity and potential harm to affected individuals. The regulator’s stance underscores how post-incident process and containment influence enforcement actions—even when the underlying exposure is severe.
  8. Rust Ecosystem RCE Vulnerability Dubbed ‘Tarmageddon’ in Async-Tar Enables Archive Smuggling

    A high-severity flaw in the popular Rust async-tar library could let attackers craft archives that smuggle additional entries and trigger remote code execution in consumers of affected parsers. Because multiple Rust tar parsers are impacted, downstream projects that handle user-supplied archives may be at risk. Maintainers released fixes, and projects should update dependencies, regenerate lockfiles, and add integrity checks on extracted paths. This class of vulnerability is notorious for enabling path traversal and implant delivery.
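    The "integrity checks on extracted paths" recommended above are worth seeing concretely. The following is an added example written for this digest; it is not code from the async-tar project or from any of the affected parsers, and it is intentionally parser-agnostic: it uses only the Rust standard library, takes the entry names a tar reader hands back as plain strings, and decides whether each one may be written under a chosen extraction root. The root path, the entry names and the `EntryChecker`/`PathRejection` names are constructed for the example. The check is lexical: it rejects absolute names, any `..` component, empty names, and a second entry that normalizes to a path already written in the same archive (the overwrite pattern that lets a smuggled entry replace a legitimate one).

```rust
use std::collections::HashSet;
use std::path::{Component, Path, PathBuf};

/// Reasons an archive entry name is refused before anything touches disk.
#[derive(Debug, PartialEq)]
pub enum PathRejection {
    Absolute,        // entry names an absolute path, e.g. "/etc/hosts"
    ParentTraversal, // a ".." component could climb out of the extraction root
    EmptyName,       // "" or "." resolves to nothing extractable
    Duplicate,       // the same normalized name appeared earlier in this archive
}

/// Lexically normalize a relative entry name: drop "." components, keep
/// normal components, and refuse anything that could leave the root.
/// Note: on Unix a backslash is an ordinary filename character, so a name
/// such as "..\\x" is treated as a single odd component, not as traversal.
pub fn normalize_entry(name: &str) -> Result<PathBuf, PathRejection> {
    let mut out = PathBuf::new();
    for comp in Path::new(name).components() {
        match comp {
            Component::RootDir | Component::Prefix(_) => return Err(PathRejection::Absolute),
            Component::CurDir => {}
            // Rejecting every ".." is stricter than tracking depth, and it
            // removes the need to reason about "a/../../b" style sequences.
            Component::ParentDir => return Err(PathRejection::ParentTraversal),
            Component::Normal(part) => out.push(part),
        }
    }
    if out.as_os_str().is_empty() {
        return Err(PathRejection::EmptyName);
    }
    Ok(out)
}

/// Tracks one extraction: the destination root plus every normalized name
/// already accepted, so a repeated entry cannot silently overwrite an
/// earlier file.
pub struct EntryChecker {
    root: PathBuf,
    seen: HashSet<PathBuf>,
}

impl EntryChecker {
    pub fn new(root: impl Into<PathBuf>) -> Self {
        EntryChecker { root: root.into(), seen: HashSet::new() }
    }

    /// Returns the on-disk destination for `name`, or why it was refused.
    pub fn destination(&mut self, name: &str) -> Result<PathBuf, PathRejection> {
        let rel = normalize_entry(name)?;
        if !self.seen.insert(rel.clone()) {
            return Err(PathRejection::Duplicate);
        }
        Ok(self.root.join(rel))
    }
}

fn main() {
    // Constructed entry names: one benign, then each pattern the check refuses.
    let names = [
        "docs/readme.txt",
        "../../outside.txt",
        "/etc/hosts",
        "./docs/readme.txt",
        ".",
    ];
    let mut checker = EntryChecker::new("/tmp/extract");
    for &n in names.iter() {
        match checker.destination(n) {
            Ok(dest) => println!("extract {:?} -> {}", n, dest.display()),
            Err(why) => println!("reject  {:?}: {:?}", n, why),
        }
    }
}
```

    A lexical check is necessary but not sufficient: an archive can also carry a symlink entry pointing outside the root followed by a regular entry written through it, so an extractor should additionally refuse to follow symlinks that resolve outside the root, or canonicalize the parent directory before each write. Keep the check in the extractor, not in a pre-scan of the archive, so that the names actually written are the ones that were validated.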
  9. Report Highlights Prompt-Injection Risks in New OpenAI Atlas Browser

    Coverage of prompt-injection tests against a newly released browser showed that indirect commands embedded in webpages could steer the agent into unsafe actions. While not a breach of a specific enterprise, the findings matter for companies piloting agentic browsing tools in production settings. Controls like strict allow-lists, content sanitization, and non-reused credentials are essential when evaluating such tools for corporate workflows.
  10. E-Business Suite SSRF Zero-Day Actively Exploited

    CISA confirmed active exploitation of a server-side request forgery (SSRF) flaw in Oracle E-Business Suite, tracked as CVE-2025-61884. Attackers are abusing the vulnerability to pivot from exposed application endpoints to internal resources, enabling data access and further compromise. The agency added the bug to KEV, elevating patch urgency for agencies and signaling high risk for enterprises that run the ERP platform. Organizations were urged to apply Oracle’s emergency fixes and review access logs for suspicious internal requests originating from application servers.
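    The log review suggested above, "suspicious internal requests originating from application servers", can be turned into a repeatable check. The following is an added example for this digest, not Oracle's or CISA's code, and it says nothing about E-Business Suite specifically. It assumes an egress proxy or host firewall records outbound HTTP requests in a simple space-separated line, `<timestamp> <source-host> <destination-ip> <method> <url>` (a format constructed for the example), that the application-server hostnames are known, and that the internal backends an application legitimately calls (its database, for instance) are maintained in an allow-list. A request from an application server to any other loopback, RFC 1918 or link-local address (169.254.0.0/16, where cloud instance-metadata services live) is reported as an SSRF indicator. The sample log lines are constructed.

```rust
use std::collections::HashSet;
use std::net::Ipv4Addr;

/// One outbound request as recorded by the (assumed) egress log.
#[derive(Debug, Clone, PartialEq)]
pub struct EgressEvent {
    pub ts: String,
    pub source: String,
    pub dest: Ipv4Addr,
    pub method: String,
    pub url: String,
}

/// Parse `<timestamp> <source-host> <destination-ip> <method> <url>`.
/// Malformed lines yield None and are skipped rather than aborting the scan.
pub fn parse_line(line: &str) -> Option<EgressEvent> {
    let mut f = line.split_whitespace();
    let ts = f.next()?.to_string();
    let source = f.next()?.to_string();
    let dest: Ipv4Addr = f.next()?.parse().ok()?;
    let method = f.next()?.to_string();
    let url = f.next()?.to_string();
    Some(EgressEvent { ts, source, dest, method, url })
}

/// Destinations an application tier should not be fetching on behalf of an
/// HTTP client: loopback, RFC 1918 private ranges, and link-local.
pub fn is_internal(ip: Ipv4Addr) -> bool {
    ip.is_loopback() || ip.is_private() || ip.is_link_local()
}

/// Return every event where a known application server reached an internal
/// address that is not on its allow-list of expected backends.
pub fn find_suspicious(
    lines: &[&str],
    app_servers: &HashSet<&str>,
    allowed_backends: &HashSet<Ipv4Addr>,
) -> Vec<EgressEvent> {
    lines
        .iter()
        .filter_map(|l| parse_line(l))
        .filter(|e| app_servers.contains(e.source.as_str()))
        .filter(|e| is_internal(e.dest) && !allowed_backends.contains(&e.dest))
        .collect()
}

/// Constructed sample log. 203.0.113.0/24 is a documentation range; 10.20.5.9
/// plays the role of the application's legitimate database backend.
pub const SAMPLE_LOG: &[&str] = &[
    "2025-10-27T15:58:01Z app-srv-01 203.0.113.10 GET http://203.0.113.10/health",
    "2025-10-27T15:58:07Z app-srv-01 10.20.5.9 POST http://10.20.5.9:1521/",
    "2025-10-27T15:58:12Z app-srv-01 169.254.169.254 GET http://169.254.169.254/",
    "2025-10-27T15:58:15Z app-srv-02 127.0.0.1 GET http://127.0.0.1:8080/",
    "2025-10-27T15:58:20Z jump-01 10.20.0.7 GET http://10.20.0.7/",
    "2025-10-27T15:58:25Z app-srv-02 10.20.0.7 GET http://10.20.0.7/",
    "malformed line here",
];

/// Hostnames of the application tier (assumed inventory).
pub fn app_servers() -> HashSet<&'static str> {
    ["app-srv-01", "app-srv-02"].iter().copied().collect()
}

/// Internal backends the application is expected to talk to (assumed).
pub fn allowed_backends() -> HashSet<Ipv4Addr> {
    [Ipv4Addr::new(10, 20, 5, 9)].iter().copied().collect()
}

fn main() {
    let hits = find_suspicious(SAMPLE_LOG, &app_servers(), &allowed_backends());
    println!("{} suspicious internal request(s):", hits.len());
    for e in &hits {
        println!("  {} {} -> {} {} {}", e.ts, e.source, e.dest, e.method, e.url);
    }
}
```

    The allow-list is what keeps this from being noise: an application tier normally does reach internal addresses, so the signal is an internal destination it has never needed before. A reasonable follow-on is to build the allow-list from a baseline window of the same logs and alert on first-seen internal destinations per application host; a jump host or administrator workstation reaching the same addresses is expected and is not flagged here.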

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ we tracked during the week as the most significant, ranked by highest risk and drawing on multiple sources where available.
