Before we begin today's briefing, we have a critical security alert. CVE-2025-61757, a remote code execution vulnerability in the Oracle Identity Manager REST WebService, has been added to the CISA Known Exploited Vulnerabilities catalog.
Good morning. This is your security briefing for Friday, November 21, 2025, covering three articles from yesterday's developments. All attribution is by the article authors. All article analysis is automated.
SecurityScorecard reports on Operation WrtHug, a massive global espionage campaign exploiting end-of-life ASUS routers. The campaign, potentially linked to China-affiliated actors, has compromised over 50,000 unique IP addresses to establish an Operational Relay Box network, with the highest concentration, 30 to 50 percent, in Taiwan.
The attackers are exploiting multiple CVEs including OS command injection and arbitrary command execution flaws, specifically targeting the AiCloud service for initial access. A distinctive indicator of compromise is the use of a 100-year self-signed TLS certificate.
FoxIO has released JA4D and JA4D6, new DHCP fingerprinting tools that identify devices and operating systems on networks through DHCP message analysis. These tools can detect malicious tooling, including Pretender, which exploits DHCPv6 to hijack network traffic by impersonating DHCPv6 servers.
The fingerprinting capabilities enable network defenders to identify unauthorized devices and detect threat actor tools without requiring MAC addresses or active scanning.
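To make the detection idea concrete, here is an added example that is not FoxIO's JA4D code and does not reproduce the JA4D fingerprint format. It parses DHCPv6 messages laid out per RFC 8415 (message type, 3-byte transaction id, then type-length-value options), derives a simplified client fingerprint from the Option Request Option of a Solicit, and flags any Advertise or Reply whose Server Identifier DUID is not on an allowlist of known servers, which is the signal a rogue DHCPv6 server leaves. The sample messages, DUIDs and allowlist are all constructed for this example.

```python
"""Rogue DHCPv6 server detection from passively captured messages (added example)."""
import struct
from typing import Dict, List, Optional, Set, Tuple

# DHCPv6 message types and option codes from RFC 8415 / RFC 3646.
SOLICIT, ADVERTISE, REPLY = 1, 2, 7
OPTION_CLIENTID, OPTION_SERVERID, OPTION_ORO = 1, 2, 6
OPTION_DNS_SERVERS, OPTION_DOMAIN_LIST = 23, 24


def parse_dhcpv6(payload: bytes) -> Tuple[int, bytes, Dict[int, List[bytes]]]:
    """Return (msg_type, transaction_id, {option_code: [data, ...]}).

    Raises ValueError on truncated input instead of silently accepting it,
    so malformed packets surface as parse errors rather than false negatives.
    """
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type, xid = payload[0], payload[1:4]
    options: Dict[int, List[bytes]] = {}
    pos = 4
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        data = payload[pos:pos + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options.setdefault(code, []).append(data)
        pos += length
    return msg_type, xid, options


def build_dhcpv6(msg_type: int, xid: bytes, options: List[Tuple[int, bytes]]) -> bytes:
    """Encode a DHCPv6 message; used here only to construct sample traffic."""
    out = bytes([msg_type]) + xid
    for code, data in options:
        out += struct.pack("!HH", code, len(data)) + data
    return out


def fingerprint_client(payload: bytes) -> Optional[str]:
    """Simplified fingerprint: the ordered option codes a client asks for in its
    Solicit ORO. Different OS DHCPv6 clients request different option sets,
    so this string identifies the client type without using its MAC address.
    (Assumption: this is an illustrative format, not the JA4D6 format.)"""
    msg_type, _, opts = parse_dhcpv6(payload)
    if msg_type != SOLICIT or OPTION_ORO not in opts:
        return None
    oro = opts[OPTION_ORO][0]
    codes = struct.unpack("!%dH" % (len(oro) // 2), oro[: len(oro) - len(oro) % 2])
    return "-".join(str(c) for c in codes)


def find_rogue_servers(messages: List[bytes], known_server_duids: Set[bytes]) -> List[Tuple[int, str, str]]:
    """Flag every Advertise/Reply whose Server Identifier is not an approved DUID.

    Returns (msg_type, transaction_id_hex, server_duid_hex) per alert.
    """
    alerts: List[Tuple[int, str, str]] = []
    for pkt in messages:
        msg_type, xid, opts = parse_dhcpv6(pkt)
        if msg_type not in (ADVERTISE, REPLY):
            continue
        for duid in opts.get(OPTION_SERVERID, []):
            if duid not in known_server_duids:
                alerts.append((msg_type, xid.hex(), duid.hex()))
    return alerts


# Constructed sample data: DUID-LL values (type 3, hw type 1, 6-byte address).
XID = b"\x12\x34\x56"
CLIENT_DUID = bytes.fromhex("0003000100aabbccddee")
LEGIT_SERVER_DUID = bytes.fromhex("0003000100112233aabb")
ROGUE_SERVER_DUID = bytes.fromhex("00030001deadbeef0001")
KNOWN_SERVERS = {LEGIT_SERVER_DUID}

SAMPLE_MESSAGES = [
    # Client Solicit asking for DNS servers and a domain search list.
    build_dhcpv6(SOLICIT, XID, [(OPTION_CLIENTID, CLIENT_DUID),
                                (OPTION_ORO, struct.pack("!HH", OPTION_DNS_SERVERS, OPTION_DOMAIN_LIST))]),
    # Advertise from the approved server.
    build_dhcpv6(ADVERTISE, XID, [(OPTION_CLIENTID, CLIENT_DUID), (OPTION_SERVERID, LEGIT_SERVER_DUID)]),
    # Advertise from an unknown server pushing its own DNS server address.
    build_dhcpv6(ADVERTISE, XID, [(OPTION_CLIENTID, CLIENT_DUID), (OPTION_SERVERID, ROGUE_SERVER_DUID),
                                  (OPTION_DNS_SERVERS, bytes(16))]),
]

if __name__ == "__main__":
    print("client fingerprint:", fingerprint_client(SAMPLE_MESSAGES[0]))
    for alert in find_rogue_servers(SAMPLE_MESSAGES, KNOWN_SERVERS):
        print("rogue DHCPv6 server: type=%d xid=%s duid=%s" % alert)
```

In a real deployment the message bytes would come from a capture of UDP port 546/547 traffic and the allowlist from the DUIDs of the organisation's own DHCPv6 servers; the Solicit fingerprint is also what lets a defender notice a device type that should not be on the segment at all.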
ENISA has published its 2024 sectorial threat landscape report analyzing cyber threats facing the public administration sector across the EU. The report utilizes open-source intelligence to identify key threats, threat types, and adversaries targeting government entities, supporting national and EU authorities as well as private sector partners in improving cybersecurity posture and resilience.
That concludes today's security briefing.