A critical vulnerability (CVE-2025-47812) in Wing FTP Server allows unauthenticated attackers to achieve complete server control. The vulnerability affects all versions up to 7.4.3 and has a maximum CVSSv4 score of 10.0. The flaw exploits improper NULL byte handling, enabling attackers to inject arbitrary Lua code and execute system commands with elevated privileges. This vulnerability's impact is particularly severe because Wing FTP Server typically runs with elevated privileges, resulting in complete administrative control over the affected server.

On November 14, 2025, Logitech disclosed a cybersecurity breach stemming from a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite, exploited by the Clop extortion gang since July 2025. The attack led to unauthorized data exfiltration from Logitech’s internal IT systems, including limited employee, consumer, customer, and supplier information. While no sensitive personal data (e.g., national IDs, credit cards) was compromised, the breach exposed non-sensitive records, raising risks of follow-on phishing or social engineering attacks.Logitech confirmed no operational disruption—manufacturing, financials, and business continuity remained unaffected—thanks to prompt detection, patching, and external cybersecurity support. The incident was contained, with regulatory notifications filed and affected parties being assessed for disclosure. However, the breach underscores third-party software risks and the evolving tactics of ransomware groups shifting from encryption to data theft-driven extortion.Though Logitech downplayed material impact, the exposure of internal and stakeholder data—even if non-critical—highlights vulnerabilities in supply chain security and the need for proactive zero-day defense strategies. Regulatory scrutiny (e.g., GDPR) may apply if European consumer data was involved, though no fines were reported at disclosure.

A Washington, D.C.-based cryptocurrency holder fell victim to a $230 million Bitcoin heist (now valued at over $384.5 million) in August 2024, orchestrated by a cybercrime ring led by individuals like Malone Lam (aka 'Greavys') and Jeandiel Serrano. The attackers used social engineering to compromise the victim’s crypto accounts, transferring 4,100+ Bitcoin into wallets under their control. The stolen funds were laundered via crypto mixers, peel chains, pass-through wallets, and VPNs, with some converted to Monero to obscure traces. Despite efforts to hide transactions, investigators linked the funds due to operational errors by the attackers. The group, comprising mostly 18- to 22-year-olds, operated across the U.S. and abroad, leveraging online gaming friendships to expand their network. Kunal Mehta (aka 'The Accountant') played a key role in laundering, using shell companies to convert crypto to cash, charging a 10% fee per transaction. The stolen funds financed luxury purchases, including private jets, 28 high-end cars (worth up to $3.8M), designer goods, and international travel. The attack involved conspiracy to commit wire fraud, cyber-enabled racketeering, and money laundering, with 14 suspects indicted by the DOJ in May 2025. The breach highlights vulnerabilities in cryptocurrency security, particularly against social engineering and phishing tactics, with no evidence of ransomware or direct physical harm but severe financial and reputational damage to the victim.