ThreatsDay Bulletin: AI Voice Cloning Exploit, Wi-Fi Kill Switch, PLC Vulns, and 14 More Stories

The internet never stays quiet. Every week, new hacks, scams, and security problems show up somewhere.

This week’s stories show how fast attackers change their tricks, how small mistakes turn into big risks, and how the same old tools keep finding new ways to break in.

Read on to catch up before the next wave hits.

  1. Unauthenticated RCE risk

    A high-severity security flaw has been disclosed in Redis (CVE-2025-62507, CVSS score: 8.8) that could lead to remote code execution by means of a stack buffer overflow. It was fixed in version 8.3.2. JFrog’s analysis of the flaw has revealed that the vulnerability is triggered when using the new Redis 8.2 XACKDEL command, which was introduced to simplify and optimize stream cleanup. Specifically, it resides in the implementation of xackdelCommand(), a function responsible for parsing and processing the list of stream IDs supplied by the user. “The core issue is that the code does not verify that the number of IDs provided by the client fits within the bounds of this stack-allocated array,” the company said. “As a result, when more IDs are supplied than the array can hold, the function continues writing past the end of the buffer. This results in a classic stack-based buffer overflow.” The vulnerability can be triggered remotely in the default Redis configuration just by sending a single XACKDEL command containing a sufficiently large number of message IDs. “It is also important to note that by default, Redis does not enforce any authentication, making this an unauthenticated remote code execution,” JFrog added. At the time of writing, there are 2,924 servers susceptible to the flaw.

  2. Signed malware evasion

    BaoLoader, ClickFix campaigns, and Maverick emerged as the top three threats between September 1 and November 30, 2025, according to ReliaQuest. Unlike typical malware that steals certificates, BaoLoader’s operators are known to register legitimate businesses in Panama and Malaysia specifically to purchase valid code-signing certificates from major certificate authorities to sign their payloads. “With these certificates, their malware appears trustworthy to both users and security tools, allowing them to operate largely undetected while being dismissed as merely potentially unwanted programs (PUPs),” ReliaQuest said. The malware, once launched, abuses “node.exe” to run malicious JavaScript for reconnaissance, in-memory command execution, and backdoor access. It also routes command-and-control (C2) traffic through legitimate cloud services, concealing outbound traffic as normal business activity and undermining reputation-based blocking.

  3. RMM abuse surge

    Phishing emails disguised as holiday party invitations, overdue invoices, tax notices, Zoom meeting requests, or document signing notifications are being used to deliver Remote Monitoring and Management (RMM) tools like LogMeIn Resolve, Naverisk, and ScreenConnect in multi-stage attack campaigns. In some cases, ScreenConnect is used to deliver secondary tools, including other remote access programs, alongside HideMouse and WebBrowserPassView. While the exact reason for installing duplicate remote access tools is not clear, the threat actors are believed to be using trial licenses, forcing them to switch tools before those trials expire. In another incident analyzed by CyberProof, attackers transitioned from targeting an employee’s personal PayPal account to establishing a corporate foothold through a multi-layered RMM strategy involving LogMeIn Rescue and AnyDesk, tricking victims over the phone into installing the software while posing as support personnel. The emails are designed to create urgency by masquerading as PayPal alerts.
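The unchecked-count pattern JFrog describes in the Redis story (item 1), as an added illustration that is not Redis source code: a simplified parser that reads a client-supplied list of stream IDs into a fixed-size stack array, shown in its vulnerable form beside a hardened form that rejects oversized counts before writing anything. The names stream_id_t, MAX_IDS and parse_ids_*, and the "ms-seq" token format, are assumptions made for this example.

```c
/* Constructed illustration of the unchecked-count bug class; NOT Redis source.
 * stream_id_t, MAX_IDS, parse_ids_* and the "ms-seq" token format are assumed. */
#include <stdint.h>
#include <stdio.h>

#define MAX_IDS 8   /* capacity of the stack-allocated ID array */

typedef struct { uint64_t ms, seq; } stream_id_t;

/* Parses one "ms-seq" token; returns 0 on success, -1 if malformed. */
static int parse_one_id(const char *tok, stream_id_t *out) {
    unsigned long long ms, seq; char extra;
    if (sscanf(tok, "%llu-%llu%c", &ms, &seq, &extra) != 2) return -1;
    out->ms = ms; out->seq = seq;
    return 0;
}

/* VULNERABLE PATTERN: trusts the client-supplied count and writes every ID into
 * ids[MAX_IDS], so argc > MAX_IDS runs past the stack buffer. Contrast only. */
int parse_ids_vulnerable(int argc, const char **argv) {
    stream_id_t ids[MAX_IDS];
    for (int i = 0; i < argc; i++)          /* no bound against MAX_IDS */
        if (parse_one_id(argv[i], &ids[i]) != 0) return -1;
    return argc;
}

/* HARDENED: reject the request before touching the array when the count
 * exceeds the buffer's capacity. Returns the number of IDs parsed, or -1. */
int parse_ids_hardened(int argc, const char **argv) {
    stream_id_t ids[MAX_IDS];
    if (argc < 0 || argc > MAX_IDS) return -1; /* bounds check comes first */
    for (int i = 0; i < argc; i++)
        if (parse_one_id(argv[i], &ids[i]) != 0) return -1;
    return argc;
}

/* Builds n well-formed tokens ("1-0", "2-0", ...) and feeds the hardened parser. */
int hardened_result_for_count(int n) {
    char buf[64][16]; const char *argv[64];
    if (n < 0 || n > 64) return -2;
    for (int i = 0; i < n; i++) {
        snprintf(buf[i], sizeof buf[i], "%d-0", i + 1);
        argv[i] = buf[i];
    }
    return parse_ids_hardened(n, argv);
}

/* Returns 1 if a malformed token is rejected even with an in-bounds count. */
int hardened_rejects_malformed(void) {
    const char *bad[] = {"1-0", "not-an-id"};
    return parse_ids_hardened(2, bad) == -1;
}
```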