In this week’s Security Advisory
- PII, Credentials, Tokens, and More Saved in 3rd Party Code Editors
- Over 600 NPM Packages Infected in New Supply Chain Attack
- Critical Oracle Identity Manager Vulnerability Under Active Exploitation
- ASUS Patches Authorization Bypass Vulnerability
- SonicWall Releases Patch for SonicOS SSLVPN Service
- Grafana Patches Critical Spoofing Vulnerability
PII, Credentials, Tokens, and More Saved in 3rd Party Code Editors
Security researchers have discovered that the code editors JSONFormatter and CodeBeautify store anything entered on the site that is shared as a link. These links are not private and can be found by anyone navigating the websites. After exporting tens of thousands of files, they identified numerous instances of PII, passwords, API tokens, public keys, and other sensitive information from large companies across multiple industries.
The researchers also placed a honeypot token in a test file, which was then triggered hours later. This indicates that these researchers are not the only ones aware of this issue. These websites also follow a predictable URL pattern, which makes scraping data from them much easier.
Recommendations
- Never enter sensitive information into public websites.
- Review internal usage of these sites to identify any potential exposure.
More Reading / Information
- https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.html
- https://www.bleepingcomputer.com/news/security/code-beautifiers-expose-credentials-from-banks-govt-tech-orgs/
Over 600 NPM Packages Infected in New Supply Chain Attack
640 NPM packages have been infected with a new iteration of the Shai-Hulud worm in a new wave of attacks. The first iteration took place in September and was the largest NPM attack to date. Once the worm executes on a system, it searches for NPM tokens, enumerates the packages the victim has access to, injects a post-install script into them, repackages them, and then publishes the malicious package versions to the repository. This malware has compromised dozens of developer accounts and harvested credentials and other secrets from many more.
Recommendations
- Audit dependency trees.
- Pin safe versions.
- Monitor NPM advisories closely.
- Enforce strict token/scoped access policies.
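As an added example (not code from the advisory, from npm, or from any of the linked write-ups), the following Node script checks a package-lock.json for the two signals the recommendations above call for: dependencies that run install-time lifecycle scripts, which is how this worm propagates, and direct dependencies that are not pinned to an exact version. The lockfile object and package names are constructed sample data.

```javascript
// Audit a package-lock.json (lockfile v2/v3 "packages" map) for:
//   1. any package in the tree that runs pre/post/install scripts; npm records
//      this as "hasInstallScript": true in the lockfile;
//   2. direct dependencies declared with a floating range rather than a pin.
// sampleLock is constructed sample data, not a real project's lockfile.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "left-pad": "^1.3.0", "some-lib": "2.0.1", "build-tool": "~4.1.0" } },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-lib": { version: "2.0.1", hasInstallScript: true },
    "node_modules/build-tool": { version: "4.1.2", hasInstallScript: true },
    "node_modules/build-tool/node_modules/nested-dep": { version: "0.1.0" },
  },
};

// Exact pins look like "1.2.3" (optionally with a prerelease/build suffix);
// anything else (^, ~, >=, *, dist-tags, git/URL specifiers) is floating.
const PINNED = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

function auditLockfile(lock) {
  const packages = (lock && lock.packages) || {};
  const root = packages[""] || {};
  const declared = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };

  // Every installed package (nested ones included) flagged as having install scripts.
  // The name is whatever follows the last "node_modules/", so scoped packages work.
  const installScripts = Object.entries(packages)
    .filter(([path, meta]) => path !== "" && meta.hasInstallScript === true)
    .map(([path, meta]) => ({
      name: path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length),
      version: meta.version,
    }));

  // Direct dependencies whose declared range is not an exact version.
  const unpinned = Object.entries(declared)
    .filter(([, range]) => !PINNED.test(range))
    .map(([name, range]) => ({ name, range }));

  return { installScripts, unpinned };
}

// One human-readable finding per line, for review or for feeding into a CI gate.
function summarize(report) {
  const lines = report.installScripts.map((p) => `install script: ${p.name}@${p.version}`);
  lines.push(...report.unpinned.map((d) => `unpinned: ${d.name} (${d.range})`));
  return lines;
}

console.log(summarize(auditLockfile(sampleLock)).join("\n"));
```

On a real project, replace sampleLock with `JSON.parse(fs.readFileSync("package-lock.json"))`; a package that newly gains an install script between two lockfile revisions is the change worth reviewing before running npm install.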
More Reading / Information
- https://thehackernews.com/2025/11/second-sha1-hulud-wave-affects-25000.html
- https://www.bleepingcomputer.com/news/security/shai-hulud-malware-infects-500-npm-packages-leaks-secrets-on-github/
Critical Oracle Identity Manager Vulnerability Under Active Exploitation
The vulnerability, assigned CVE-2025-61757 (CVSS 9.8/10), allows an unauthenticated attacker to bypass authentication, escalate privileges, and move laterally within Oracle Identity Manager. This vulnerability was patched in Oracle’s October patch cycle; however, there are reports that exploitation took place weeks before the patch. It is recommended to apply this patch as soon as possible.
Affected Versions
- Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0.
Recommendations
- Apply the latest patches.
More Reading / Information
- https://www.securityweek.com/critical-oracle-identity-manager-flaw-possibly-exploited-as-zero-day/
- https://www.oracle.com/security-alerts/cpuoct2025.html#AppendixFMW
ASUS Patches Authorization Bypass Vulnerability
ASUS has released firmware updates to address nine vulnerabilities, including one critical vulnerability, CVE-2025-59366 (CVSS 9.2/10), that can lead to an authentication bypass. This vulnerability is only exploitable on routers with AiCloud enabled, which is a cloud-based remote access feature that comes with many ASUS routers.
Affected Versions
- All versions before 3.0.0.4_386 series.
- All versions before 3.0.0.4_388 series.
- All versions before 3.0.0.6_102 series.
Recommendations
- Upgrade to the newest versions.
More Reading / Information
- https://www.bleepingcomputer.com/news/security/asus-warns-of-new-critical-auth-bypass-flaw-in-aicloud-routers/
- https://www.asus.com/security-advisory/
SonicWall Releases Patch for SonicOS SSLVPN Service
SonicWall is urging users to patch a high-severity vulnerability in SonicOS SSLVPN. The vulnerability, tracked as CVE-2025-40601 (CVSS 7.2/10), is a stack-based buffer overflow that can lead to a denial of service on Gen7 and Gen8 (physical and virtual) firewalls. It only affects firewalls that have the SonicOS SSLVPN interface or service enabled. Customers are advised to limit SonicOS SSL VPN access to trusted source IP addresses and disable access from untrusted sources.
Affected Versions
- Gen7 hardware firewalls – TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700.
- Gen7 virtual firewalls (NSv) – NSv270, NSv470, NSv870.
- Gen8 firewalls – TZ80, TZ280, TZ380, TZ480, TZ580, TZ680, NSa 2800, NSa 3800, NSa 4800, NSa 5800.
Recommendations
- Upgrade Gen7 firewalls to version 7.31-7013.
- Upgrade Gen8 firewalls to version 8.03-8011.
More Reading / Information
- https://www.securityweek.com/sonicwall-patches-high-severity-flaws-in-firewalls-email-security-appliance/
- https://www.bleepingcomputer.com/news/security/new-sonicwall-sonicos-flaw-allows-hackers-to-crash-firewalls/
Grafana Patches Critical Spoofing Vulnerability
Grafana Labs has announced a patch for a critical-severity vulnerability in its Enterprise product. The vulnerability, CVE-2025-41115 (CVSS 10/10), is a privilege escalation vulnerability that can be exploited when the SCIM (System for Cross-domain Identity Management) provisioning feature is enabled and configured. When SCIM is enabled, a threat actor can map a user with an external ID so that it is recognized as an internal account with any permission level.
Affected Versions
- Grafana Enterprise versions between 12.0.0 and 12.2.1 (when SCIM is enabled).
Recommendations
- Upgrade to Grafana Enterprise version 12.3.0.
- Upgrade to Grafana Enterprise version 12.2.1.
- Upgrade to Grafana Enterprise version 12.1.3.
- Upgrade to Grafana Enterprise version 12.0.6.1.
More Reading / Information
- https://www.bleepingcomputer.com/news/security/grafana-warns-of-max-severity-admin-spoofing-vulnerability/
- https://nvd.nist.gov/vuln/detail/CVE-2025-41115
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefit of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch is issued for new vulnerabilities. Likewise, CyberMaxx strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.