Daily Cyber Threat Intelligence Briefing – Oct. 6, 2025

This post is part of our ongoing daily CTI briefing series, highlighting verified, high-impact cyber incidents from the past 48 hours. All entries meet strict inclusion criteria and have been validated across multiple authoritative sources to support operational decision-making and strategic situational awareness.

Cl0p exploits Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion
Date of Incident (ET): August 2025
Date of Disclosure/Publication (ET): Oct. 6, 2025
Oracle issued an emergency patch after Mandiant confirmed Cl0p exploited CVE-2025-61882 in multiple customer environments for large-scale data exfiltration and extortion.
Source: thehackernews.com/2025/10/o…

Zimbra zero-day (CVE-2025-27915) exploited via malicious ICS files against Brazil’s military
Date of Incident (ET): Earlier in 2025
Date of Disclosure/Publication (ET): Oct. 6, 2025
A stored XSS vulnerability in Zimbra’s Classic Web Client was exploited using crafted calendar invites. Exploitation occurred in the wild before vendor fixes were issued.
Source: thehackernews.com/2025/10/z…

Asahi Group ransomware attack disrupts Japanese beverage production and distribution
Date of Incident (ET): Sept. 29, 2025
Date of Disclosure/Publication (ET): Oct. 6, 2025
Asahi halted operations across many facilities in Japan due to ransomware. Production restarts began Oct. 6, but systems are not fully restored and supply chain impacts persist.
Source: www.ft.com/content/6…

Discord third-party support provider breach exposes PII and scanned government IDs
Date of Incident (ET): Sept. 20, 2025
Date of Disclosure/Publication (ET): Oct. 4, 2025
Attackers compromised a customer service vendor, accessing names, emails, partial payment data and a subset of scanned IDs for users who contacted Discord support.
Source: www.bleepingcomputer.com/news/secu…

Surge in scans of Palo Alto Networks login portals indicates targeted reconnaissance
Date of Incident (ET): Oct. 3, 2025
Date of Disclosure/Publication (ET): Oct. 4, 2025
GreyNoise observed a nearly 500 per cent spike in unique IPs probing Palo Alto Networks portals, likely preceding password-spraying or credential-stuffing attempts.
Source: www.bleepingcomputer.com/news/secu…

Edward Kiledjian @ekiledjian