InfoSec.Watch — Issue 114 • December 1, 2025

Oracle IdM zero-day, Mixpanel breach, and emergency alert ransomware

This week, identity platforms and third-party providers are under direct assault: CISA flags an actively exploited Oracle Identity Manager zero-day, OpenAI cuts ties with Mixpanel after an analytics breach, and ransomware knocks offline a widely used US emergency alert system. Here’s what your team needs to know going into Monday.

🛡️ Top Stories

Oracle Identity Manager zero-day added to CISA KEV

CISA added CVE-2025-61757, a critical authentication-bypass flaw in Oracle Identity Manager, to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw affects a core identity-governance platform that typically sits at the center of SSO and account-lifecycle management.
Coverage: The Hacker News, SOCRadar

💡 Key Takeaway: Treat Oracle IdM like domain controllers: emergency patching, strict segmentation, and immediate admin activity review.

OpenAI severs Mixpanel ties after analytics breach hits API developers

OpenAI disclosed that analytics vendor Mixpanel suffered a breach exposing developer names, email addresses, and IP-based geolocation. No passwords or API keys were accessed, but the data is enough for targeted phishing.
Coverage: TechRadar, Windows Central, BankInfoSecurity

💡 Key Takeaway: Prepare for phishing targeting engineering and security teams. Strengthen MFA, SSO, and security-key usage.

Ransomware cripples US CodeRED emergency alert provider

A ransomware attack against Crisis24’s OnSolve CodeRED platform disrupted emergency alerts across multiple US jurisdictions and triggered a data breach involving resident contact details.
Coverage: SecurityWeek, Cyber News Centre

💡 Key Takeaway: Include mass-alert platforms in BCP and tabletop planning. Third-party outages can disrupt critical communications chains.

🚨 Vulnerability Spotlight

FortiWeb WAF path traversal flaws added to KEV

CISA added multiple actively exploited FortiWeb traversal flaws (CVE-2025-64446, CVE-2025-58034) to KEV, enabling file access and tampering on affected appliances.
Coverage: CISA

💡 Key Takeaway: Harden WAF appliances like untrusted workloads—restrict management access, patch immediately, verify logs.

Akira ransomware exploiting SonicWall SSL VPN in M&A targets

ReliaQuest observed Akira ransomware abusing SonicWall SSL VPN flaw CVE-2025-40601 in acquired SMB networks where inherited assets remained unpatched.
Coverage: TechRadar

💡 Key Takeaway: M&A security due diligence must include VPN hardening and mandatory patch verification.

Actively exploited Windows kernel race condition (CVE-2025-62215)

Microsoft patched an actively exploited Windows kernel flaw, since added to KEV, that enables privilege escalation once an attacker has initial access.
Coverage: NVD, CISA KEV

💡 Key Takeaway: Patch high‑risk user groups first and validate EDR detection for kernel‑level post‑exploitation patterns.
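Every item in this section turns on the same question: is a CVE in CISA's KEV catalog, and does it touch something you run? The following is an added example (not InfoSec.Watch's code) that cross-references KEV-style records against an asset inventory and ranks the hits by known ransomware use and federal due date. The KEV records are a constructed sample in the shape of the public JSON feed (fields cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); only the CVE ids come from this issue, while the dates, vendor/product strings and the inventory are assumptions for illustration.

```python
"""Rank CISA KEV entries by exposure in an asset inventory (added example).

Real use would fetch the feed from
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and read the inventory from a CMDB; both are replaced here by constructed samples.
"""
import json
from datetime import date

# Constructed sample of KEV feed records. The CVE ids are the ones named in
# this issue; dates and product strings are assumptions. CVE-2025-40601 is
# included as a constructed record with a ransomware flag because the issue
# reports Akira abuse; the issue does not say whether it is in KEV.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-61757", "vendorProject": "Oracle",
         "product": "Identity Manager", "dateAdded": "2025-11-21",
         "dueDate": "2025-12-12", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-64446", "vendorProject": "Fortinet",
         "product": "FortiWeb", "dateAdded": "2025-11-14",
         "dueDate": "2025-11-21", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-58034", "vendorProject": "Fortinet",
         "product": "FortiWeb", "dateAdded": "2025-11-18",
         "dueDate": "2025-11-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-62215", "vendorProject": "Microsoft",
         "product": "Windows", "dateAdded": "2025-11-11",
         "dueDate": "2025-12-02", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-40601", "vendorProject": "SonicWall",
         "product": "SonicOS", "dateAdded": "2025-11-26",
         "dueDate": "2025-12-08", "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed asset inventory: vendor, product string and CVEs already remediated.
INVENTORY = [
    {"host": "idm-prod-01", "vendor": "Oracle", "product": "Identity Manager", "patched": []},
    {"host": "waf-edge-01", "vendor": "Fortinet", "product": "FortiWeb", "patched": ["CVE-2025-64446"]},
    {"host": "win-fs-07", "vendor": "Microsoft", "product": "Windows Server 2022", "patched": []},
    {"host": "vpn-branch-03", "vendor": "SonicWall", "product": "SonicOS SSL VPN", "patched": []},
]


def load_kev(feed_json):
    """Parse the feed's top-level object and return its list of entries."""
    return json.loads(feed_json)["vulnerabilities"]


def match_inventory(kev_entries, inventory):
    """One record per (asset, KEV entry) pair where the vendor matches exactly
    (case-insensitive) and the KEV product name occurs in the asset's product
    string; entries the asset has already remediated are skipped."""
    matches = []
    for entry in kev_entries:
        for asset in inventory:
            if entry["vendorProject"].lower() != asset["vendor"].lower():
                continue
            if entry["product"].lower() not in asset["product"].lower():
                continue
            if entry["cveID"] in asset["patched"]:
                continue
            matches.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": date.fromisoformat(entry["dueDate"]),
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    return matches


def prioritize(matches, today_iso):
    """Known ransomware use first, then earliest due date; flag overdue items."""
    today = date.fromisoformat(today_iso)
    for m in matches:
        m["overdue"] = m["due"] < today
    return sorted(matches, key=lambda m: (not m["ransomware"], m["due"], m["host"]))


def triage(feed_json=SAMPLE_KEV_JSON, inventory=INVENTORY, today_iso="2025-12-01"):
    """End-to-end: parse feed, match against inventory, return the ranked list."""
    return prioritize(match_inventory(load_kev(feed_json), inventory), today_iso)


if __name__ == "__main__":
    for m in triage():
        flag = "OVERDUE" if m["overdue"] else "due " + m["due"].isoformat()
        tag = " ransomware" if m["ransomware"] else ""
        print(f"{m['host']:14} {m['cve']:16} {flag}{tag}")
```

The substring match on the product field is deliberately loose, because KEV product names ("Windows") are coarser than inventory strings ("Windows Server 2022"); a false positive costs an analyst a minute, a false negative costs a missed exposure. The `patched` list is what keeps the output from re-raising closed items, so it has to come from patch verification rather than from the ticket that requested the patch.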

📈 Trend to Watch — Third-party and platform risk as the default path in

Attackers increasingly compromise organizations via upstream vendors, analytics feeds, identity providers, and MSPs. This week’s Mixpanel breach, Oracle IdM zero-day, CodeRED outage, and recent supply-chain intrusions all illustrate the same trend: your real perimeter is defined by the systems and services around you.

💡 Key Takeaway: Integrate vendor dependencies directly into threat modeling, IR planning, and red-team scenarios. Treat third‑party services as extensions of your own environment.

⚖️ Policy & Regulation Watch

Comcast fined $1.5M after vendor breach exposes 237,000 customers

The FCC levied a $1.5M penalty after a ransomware attack at a debt‑collection vendor compromised customer data.
Coverage: Reuters

💡 Key Takeaway: Regulators now expect enterprises to own vendor breaches. Strengthen contracts, oversight, and notification requirements.

🛠️ Tool / Resource of the Week

Wiz Threat Research Hub — Cloud Attack Surface Intelligence

What it is:
Wiz’s Threat Research Hub is a free, continuously updated resource that publishes deep-dive analyses of cloud vulnerabilities, misconfigurations, exploitation paths, and real-world cloud attack techniques. It includes hands-on detection guidance, exploitation breakdowns, PoC risks, and configuration fixes across AWS, Azure, and GCP.

Why it’s excellent:
Wiz publishes some of the highest-quality technical cloud security research available, often flagging cloud provider issues weeks before they are broadly known. Their breakdowns are highly actionable for enterprise defenders and map directly to real cloud IAM, storage, serverless, and network risks.

💡 Key Takeaway:

If you operate workloads in AWS, Azure, or GCP, adding Wiz’s research feed to your weekly intelligence cycle helps you spot emerging cloud risks before they reach widespread exploitation. It’s one of the fastest ways to improve cloud configuration hygiene and stay ahead of cloud-native attack paths.

⚡ Quick Hits

Qilin ransomware turns Korean MSP breach into multi‑victim campaign — A South Korean MSP compromise enabled Qilin ransomware to hit 28 downstream financial-services organizations.
Coverage: The Hacker News
💡 Key Takeaway: MSP segmentation and privileged‑access controls are essential to limit blast radius.

SitusAMC vendor breach ripples across US banking sector — A cyber incident at a major real‑estate technology vendor impacted multiple banks' mortgage data flows.
Coverage: Cybersecurity Dive
💡 Key Takeaway: Shared vendors represent systemic risk across an entire sector—map your overlap.

Asahi confirms 1.5M person data breach — The Japanese brewer disclosed significant customer and employee data exposure after a ransomware attack.
Coverage: ITPro
💡 Key Takeaway: Consumer brands and manufacturers remain prime ransomware targets—segment OT and IT.

2025 breach recap: third‑party and credential‑based attacks surge — A new analysis highlights ransomware in ~45% of incidents and sharp increases in credential misuse.
Coverage: Bluefin
💡 Key Takeaway: Improving credential hygiene and vendor governance must occur together.

US county ransomware breach exposes resident and employee data — A recent incident exposed sensitive PII, including SSNs and financial data, for more than 45,000 individuals.
Coverage: PKWARE
💡 Key Takeaway: Local governments need stronger defaults and clear crisis‑response playbooks.

Actionable Defense Move of the Week

Run a “critical vendors + critical platforms” tabletop. Identify your 10 highest‑impact vendors and platforms that touch identity, analytics, or emergency communications. Simulate a Mixpanel‑style breach or CodeRED‑style outage and validate contracts, logging, IR plans, and failover paths.

💡 Key Takeaway: A focused three‑hour tabletop can uncover silent dependencies and remediation gaps long before a real crisis.

🧠 Final Word

The perimeter now runs directly through identity systems, analytics feeds, MSPs, and alerting platforms. Treat them as core security infrastructure with controls, contracts, monitoring, and continuity plans to match.

You’re receiving InfoSec.Watch because you subscribed for weekly, no-nonsense security briefings.
