The week was marked by a concerning combination of critical vulnerabilities in identity components, browsers, and edge devices, alongside ransomware attacks and new software supply chain attack vectors. Oracle released fixes for a critical flaw in Oracle Identity Manager (CVE-2025-61757, CVSS 9.8), already under active exploitation, with the potential for full compromise of identity management environments. Fortinet also addressed a new critical vulnerability in FortiWeb (CVE-2025-64446, CVSS 9.1), actively exploited in the wild to enable remote command execution on WAFs.
On the user endpoint side, Chrome received an emergency patch for a zero-day in the V8 engine (CVE-2025-13223), also under active exploitation, reinforcing the browser’s role as a priority attack surface. In parallel, recent research shows an increase in incidents affecting OT environments, with ransomware and abuse of remote access gaining prominence, especially during periods of reduced operational coverage. From a business perspective, the central message is clear: identity, edge, and the software supply chain are now critical breaking points that demand rapid visibility and response.
Key Threats
Critical vulnerabilities
Beyond the Oracle Identity Manager and FortiWeb flaws, attention is also drawn to the current campaign against SonicWall devices (CVE-2025-40601, an SSLVPN flaw that allows firewalls to be taken down via DoS) and the Chrome zero-day. Together, these vulnerabilities expose three essential layers: centralized authentication, web application protection, and the user’s primary access point to the internet. For organizations heavily reliant on centralized identity and remote access, the priority should be to rapidly inventory affected versions, apply patches, and, where patching is not immediately possible, isolate services and harden access rules.
Attack campaigns and ransomware
The Qilin group, operating under a ransomware-as-a-service model, has claimed an attack against gaming and lottery technology giant IGT, with a possible leak of tens of thousands of files. This reinforces the risk faced by regulated, data-intensive sectors such as lotteries and gaming. Recent studies also show that more than half of ransomware attacks occur during holidays, weekends, and major corporate events, exploiting reduced staffing and change windows.
Social engineering and phishing
A recent Google report highlights the evolution of online fraud, with increased use of highly personalized messages, fake technical support, and sophisticated financial scams. Market data indicates that around two-thirds of phishing attempts target an organization’s own resources (access, credentials, billing), with the remainder focused on personal and financial data. A notable development is the growing use of voice and video deepfakes in social engineering attacks, including extortion and business fraud scenarios.
Software supply chain
This week also highlighted the “GhostAction” campaign, in which compromised GitHub workflows exfiltrated more than 3,300 secrets (PyPI, npm, and DockerHub tokens) from hundreds of repositories. This adds to recent compromises of widely used packages across npm, PyPI, and RubyGems—some affecting billions of downloads—underscoring the systemic impact of a single compromised maintainer.
Rainforest Strategic Insights
For organizations already running a DevSecOps pipeline, this is a moment to reinforce update discipline and coverage. SAST and SCA can identify the use of compromised libraries or vulnerable versions of components currently being exploited, while DAST and MAST help validate, in runtime environments, whether internet-exposed applications remain vulnerable to known attack vectors (such as WAF exploitation or input-handling flaws). Integrating these results into the pipeline shortens the gap between discovery and remediation, preventing critical vulnerabilities from reaching production.
At the infrastructure layer, IaC and cloud vulnerability scanners enable rapid detection of misconfigurations in VPNs, firewalls, WAFs, and identity components at the center of this week’s alerts. Correlating infrastructure findings with threat intelligence (for example, exploitation attempts against KEV-listed CVEs) helps prioritize what must be fixed first. Applied CTI—monitoring fraudulent domains, malicious emails, and leaked credentials or code—closes the loop: when a repository token, API key, or corporate subdomain appears in risky sources, response actions can be orchestrated based on existing inventories and pipelines.
Fraud and Digital Risk Radar
In the domain of digital fraud, there is a continued rise in registrations of domains visually similar to legitimate brands, used both in phishing campaigns and in supply chain attacks (such as fake “2FA update” pages targeting package maintainers). Increasingly subtle BEC (Business Email Compromise) patterns are also observed, with short messages, internal company language, and urgency cues—often combined with voice deepfakes to legitimize payment requests.
On the leakage side, the recent case of secret exfiltration via compromised GitHub workflows illustrates the risk of credentials stored in repositories and pipelines without continuous monitoring. For Brazilian organizations, this is particularly relevant in multicloud and multi-vendor environments, where access tokens for repositories, registries, and SaaS platforms are often widely reused. Monitoring credential leaks, correlating them with internal assets, and rapidly triggering key and token rotation routines becomes a baseline requirement for resilience.
Synthesis and Next Steps
In summary, the week reinforces three priorities:
- Rapidly harden identity, edge, and endpoint components against zero-days and critical vulnerabilities.
- Review ransomware and BEC protection posture during periods of reduced coverage (holidays, weekends, major events).
- Treat the software supply chain—repositories, package registries, and pipelines—as a strategic attack surface, with continuous monitoring and automated response.
For executives, this is an opportune moment to revisit risk appetite around identity, OT, and the software supply chain, and to assess whether current security investments are truly aligned with the organization’s exposure profile. For technical teams, a focused cycle this week is recommended to: review inventories of versions affected by the cited CVEs, verify scanner coverage across critical pipelines, and validate incident response plans for ransomware and supply chain incidents. For compliance and risk teams, prioritizing assessments that include evidence of monitoring for actively exploited vulnerabilities and protection against digital fraud and BEC is advised.
Your Rainforest account team and specialists can support the interpretation of these risks in the context of your specific environment—whether through a rapid exposure assessment or by orchestrating the SAST, DAST, MAST, SCA, IaC, and CTI capabilities already available on the platform.



