This Month in Security: October 2025 - Massive Patch Tuesday, AWS Outages, F5 BIG-IP, Discord, and Jaguar Land Rover breaches


Image: "Countries initially affected in WannaCry ransomware attack" (SVG version by TheAwesomeHwyh, original PNG version by User:Roke), licensed under CC BY-SA 3.0.
WannaCry was a worldwide ransomware attack in 2017.
October brought several critical infrastructure vulnerabilities, including unencrypted satellite communications, vulnerable networking hardware, and several Microsoft Zero-Day exploits. We also saw an alarming rise in ransomware attacks that could bypass traditional database security controls.
Critical Zero-Day Exploits
This month saw several critical, actively exploited zero-days from Microsoft, Oracle, and Adobe products.
- Microsoft's Barrage of Zero-Days: Microsoft's October 14th Patch Tuesday was a major event, fixing at least six zero-day vulnerabilities. Three of these were actively being exploited:
  - CVE-2025-24990: A privilege escalation flaw in the Windows Agere Modem Driver was patched. The patch removed the vulnerable legacy driver entirely (Rapid7).
  - CVE-2025-59230: A second privilege escalation vulnerability, this one in the Windows Remote Access Connection Manager (RASMan), was patched as well. This could allow an attacker to gain SYSTEM-level privileges (Qualys).
  - CVE-2025-47827: A Secure Boot bypass in IGEL OS was also patched (BleepingComputer).
- Oracle E-Business Suite (CVE-2025-61882): A critical zero-day in Oracle's E-Business Suite (EBS) was actively exploited in a widespread extortion campaign. Threat actors targeted the vulnerability to gain remote code execution and steal data, prompting Oracle to release emergency patches (Google Cloud).
- Adobe Experience Manager (AEM) (CVE-2025-54253): CISA added a critical (CVSS 10.0) remote code execution vulnerability in AEM to its Known Exploited Vulnerabilities (KEV) catalog, indicating it was under active attack and requiring federal agencies to patch by early November (SOCRadar).
Notable Threats and Incidents
Third-party compromises, infrastructure flaws, and sophisticated ransomware attacks inflicted major damage this month.
- AWS DynamoDB Outage in US-EAST-1: On October 19th and 20th, an Amazon DynamoDB service disruption in the US-EAST-1 region, caused by a latent race condition in its DNS management system, led to increased API error rates. This initial failure had cascading effects, and subsequently caused an increase of connection errors for some Network Load Balancers and failures for new EC2 instance launches (AWS).
- F5 BIG-IP Source Code Breach: F5 confirmed a catastrophic breach by suspected state-backed threat actors who stole BIG-IP source code and details of unpatched vulnerabilities. The UK's NCSC later confirmed active exploitation, and CISA issued an emergency directive in response, as over 260,000 devices were reportedly exposed (Medium, NCSC.gov.uk).
- Leaky Satellites Exposing Global Secrets: Research revealed that a significant portion of satellite internet traffic—including data from maritime, aviation, and military sectors—is being broadcast without encryption. This allows anyone with a simple satellite dish and TV tuner to intercept sensitive data, including phone calls, emails, and corporate documents (Wired).
- The Rise of Direct-to-Database Ransomware: Security firm Wiz reported on a new wave of ransomware campaigns that specifically target public-facing cloud databases. Attackers are scanning for and exploiting misconfigured databases (like PostgreSQL and MySQL) with weak credentials, encrypting the data directly, and demanding a ransom for its return (Wiz.io).
- Costliest Cyber Attack in UK History: A cyber attack on Jaguar Land Rover (JLR), estimated to be the costliest in UK history at £2.1 billion, halted the car manufacturer's production for five weeks. The ransomware attack caused significant delays across JLR’s supply chain (BBC News).
- Red Hat Internal Data Breach: The "Crimson Collective" extortion group claimed to have stolen 570GB of data from Red Hat's internal GitLab and GitHub repositories. Red Hat confirmed a breach of a consulting team's separate GitLab instance, which contained customer engagement details and internal data (Bright Defence).
- Discord Trust & Safety and Support Breach: More than 70,000 users were affected by a breach at Discord's third-party help and support provider, 5CA. No internal Discord infrastructure was affected by this breach (Bright Defence).
Policy and Framework Updates
A key U.S. legislative provision lapsed, and a proclamation officially designated October as National Cybersecurity Awareness Month.
- National Cybersecurity Awareness Month: Though October has been recognized as Cybersecurity Awareness Month since 2004, the White House issued a presidential proclamation officially designating October 2025 as National Cybersecurity Awareness Month (White House, NIST).
- Cybersecurity Information Sharing Act (CISA) Expires: A critical U.S. law facilitating cyber threat intelligence sharing between the government and the private sector expired on October 1st during a government shutdown. This has created uncertainty and led to a unified push from tech industry leaders for its urgent reauthorization (World Economic Forum).
October Patches and Vulnerabilities
October’s Patch Tuesday was one of the most significant of the year.
- Microsoft's October 2025 Patch Tuesday: On October 14th, Microsoft released patches for over 170 vulnerabilities, including six zero-days. The update also fixed numerous critical remote code execution (RCE) vulnerabilities across its product suite (BleepingComputer).
- Windows 10 Reaches End-of-Support: This month's Patch Tuesday marked the end of an era. October 14, 2025, was the official end-of-support date for Windows 10, meaning it will no longer receive automated security updates. Businesses that have not migrated can purchase Extended Security Updates (ESU) to remain protected (SOCRadar).
- Oracle Emergency Patches: In response to the active zero-day attacks, Oracle released emergency out-of-band patches on October 4th and October 11th to secure its E-Business Suite (Google Cloud).
- Windows 11 Updates Break Localhost Connections: Following the monthly patches, users began reporting that recent Windows 11 updates were breaking connections to localhost/127.0.0.1. The issue primarily affects software developers, causing "connection reset" errors (BleepingComputer).
Key Takeaways for Staying Secure
- Prioritize Zero-Day Patches: The actively exploited zero-days in Microsoft's portfolio (CVE-2025-24990, CVE-2025-59230) and Oracle EBS (CVE-2025-61882) should be patched immediately.
- Migrate Off Windows 10: With Windows 10 officially unsupported, any remaining devices are at significant risk. Prioritize migration to a supported OS or purchase Extended Security Updates (ESU) as a temporary gap measure.
- Assume All Communications Can Be Intercepted: The satellite data leaks are a stark reminder that data in transit must be encrypted. Review all data transmission channels and enforce strong encryption protocols.
- Secure Your Cloud Databases: The rise of database ransomware means that securing your cloud assets is more critical than ever. Ensure that no databases are unnecessarily exposed to the internet, enforce strong and unique passwords, and regularly audit access controls.
- Scrutinize Third-Party Risk: The Red Hat and Discord breaches highlight the immense risk from supply chain and third-party integrations. Audit tools for excessive permissions and exposure.
- Review Your Security Posture: When needed, reach out to a trusted provider to review your security posture, like Cloud Security Partners.
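As an added example (not part of the original post), a small Python audit that mirrors the "Secure Your Cloud Databases" takeaway and the direct-to-database ransomware item above: it flags security-group rules that let public source ranges reach database ports, and pg_hba.conf rules that admit any client address with no password or a cleartext one. The security-group input shape is an assumed subset of what EC2 `describe_security_groups` returns, and all sample data is constructed.

```python
import ipaddress

# Default listener ports for the engines named in the page plus a few other common ones.
DB_PORTS = {5432: "postgresql", 3306: "mysql", 1433: "mssql", 27017: "mongodb", 6379: "redis"}
# Source ranges treated as internal (RFC 1918 and IPv6 ULA); anything else counts as public.
INTERNAL = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def _covers_port(rule, port):
    """True if the rule includes `port`; AWS marks "all traffic" as IpProtocol "-1"."""
    return rule.get("IpProtocol") == "-1" or (rule.get("IpProtocol") in ("tcp", "6") and
        rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))

def find_exposed_db_rules(security_groups):
    """(group, engine, port, cidr) for each DB port a public source range can reach."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if any(net.version == p.version and net.subnet_of(p) for p in INTERNAL):
                    continue                      # internal source range: not internet-reachable
                findings += [(sg["GroupId"], eng, port, cidr)
                             for port, eng in DB_PORTS.items() if _covers_port(rule, port)]
    return findings

def find_weak_pg_hba(hba_text):
    """(line, method, address) for pg_hba rules admitting any address with trust/cleartext auth."""
    findings = []
    for lineno, raw in enumerate(hba_text.splitlines(), 1):
        p = raw.split("#", 1)[0].split()          # drop comments, split into fields
        if (len(p) >= 5 and p[0] in ("host", "hostnossl")
                and p[3] in ("all", "0.0.0.0/0", "::/0") and p[4] in ("trust", "password")):
            findings.append((lineno, p[4], p[3]))
    return findings

# Constructed sample input: one group open to the world, one restricted to a VPC range.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]
SAMPLE_HBA = """# constructed pg_hba.conf fragment
host    all  all  10.0.0.0/16    scram-sha-256
host    all  all  0.0.0.0/0      trust
"""
```

Against the constructed data, the first group is reported once for the open PostgreSQL rule and once per database port for the all-traffic IPv6 rule, while the VPC-scoped MySQL rule and the scram-sha-256 entry are left alone.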
About the Author
Jordan Darrah is a Security Consultant at Cloud Security Partners. Jordan's interest in IT started when she was working as a menswear fashion designer and bridal seamstress. Since then, she has built a diverse technical background spanning hardware repair, systems administration, regulatory compliance, and penetration testing.
Currently, Jordan specializes in application and cloud security assessments, where she evaluates system vulnerabilities and conducts penetration tests. Jordan holds multiple industry certifications, including CISSP, eJPT, and CompTIA PenTest+. She also runs an OSCP study group and maintains a blog where she breaks down concepts and tools for new security professionals.