Monday, November 17 2025
DFM News Roundup
Digital Forensics Magazine — 48h News Roundup
Window: 15-11-2025 to 17-11-2025 (UTC)

Snapshot Summary

Sector / Section | Headline Highlights | Count
DFIR & Incident Response | Plugin zero-day hardening and SaaS breach response dominate playbooks this cycle. | 2
Cyber Investigations | Police digital forensics capacity and regional training efforts step up across Europe. | 2
Major Cyber Incidents | Oracle-linked zero-day campaign drives fresh breaches at Logitech, payment firms and critical services. | 4
Exploits & Threat Intelligence | Active Oracle, Windows, Cisco, Citrix and LLM side-channel threats sharpen patch and monitoring priorities. | 4
Law Enforcement | Sanctions-evasion guilty pleas and an NCA anti-crypto-fraud push highlight financial crime pressure. | 2
Policy | UK cyber resilience legislation and sanctions amber alerts reshape governance expectations. | 2
Standards & Compliance | NIST CSF 2.0 manufacturing profile and UK incident-reporting factsheets nudge compliance baselines upward. | 2

Digital Forensics & Incident Response

Critical access control flaw in WordPress Survey Maker plugin (CVE-2025-64276) exposes survey data and privilege escalation paths — Researchers disclosed a severe access-control vulnerability in the popular Survey Maker plugin that allows unauthenticated users to manipulate surveys and potentially access stored respondent information, with a fixed version now available (16-11-2025) [Global]. DFIR teams supporting WordPress estates should hunt for suspicious survey changes in logs, verify plugin patch levels across fleets, and update containment playbooks for CMS-based business workflows (Source: Managed-WP, 16-11-2025).

DoorDash confirms data breach after social engineering attack on employee account — Food delivery platform DoorDash reported that an attacker tricked an employee into granting access, exposing contact information for customers across the US, Canada, Australia and New Zealand while stating that payment card data and passwords were not affected (17-11-2025) [AMER/APAC]. The incident underscores the importance of embedding social-engineering playbooks into incident response, including strong identity proofing, rapid access revocation and proactive notification workflows for SaaS-heavy environments (Source: CyberInsider, 17-11-2025).

Cyber Investigations

West Midlands Police highlights impact of its first digital forensics apprentice cohort on serious crime cases — One year after launching, West Midlands Police reports that its new digital forensics apprentices are already helping to solve murders, kidnappings and serious sexual offences through rapid device triage and evidence recovery (15-11-2025) [EMEA]. For DFIR practitioners, the update signals how UK forces are professionalising cyber investigation capacity, increasing demand for robust evidence handling processes and interoperable tooling with law enforcement partners (Source: West Midlands Police, 15-11-2025).

CyberSEE project boosts digital forensics and electronic evidence skills across South-East Europe — The Council of Europe reports that its CyberSEE joint project hosted a Digital Forensics Conference in Belgrade focused on strengthening regional capabilities for handling electronic evidence, from seizure and analysis through to court presentation (08-11-2025) [EMEA]. Although framed as capacity-building, the programme directly affects how future cross-border cyber investigations will collect, preserve and share artefacts with corporate DFIR teams and international partners (Source: Council of Europe Cybercrime Programme Office, 08-11-2025).

Major Cyber Incidents

Logitech discloses cyberattack exploiting third-party zero-day, exposing limited customer, employee and supplier data — Logitech filed an 8-K with the US SEC confirming that attackers abused a zero-day in a third-party platform to access internal systems and exfiltrate data relating to some customers, employees and suppliers, although core products and manufacturing operations were reportedly unaffected (15-11-2025) [Global]. The case demonstrates how supply-chain zero-days can cascade into high-profile brands and highlights the need for DFIR teams to track SaaS dependencies, maintain vendor risk inventories and prepare for forensic investigations where the root cause lies outside their own infrastructure (Source: CyberInsider, 15-11-2025).

Checkout.com reveals ShinyHunters data breach involving legacy cloud storage of merchant documents — Check Point’s latest threat intelligence bulletin notes that payment processor Checkout.com has notified regulators and merchants after ShinyHunters accessed documents in a poorly decommissioned legacy storage system, potentially impacting around a quarter of active merchants but not payment card data (17-11-2025) [EMEA/Global]. For incident responders in payment ecosystems, the breach reinforces the need to treat decommissioned cloud services as live assets until securely wiped, with clear chain-of-custody and configuration baselines maintained for post-incident investigations (Source: Check Point Research, 17-11-2025).

Ransomware group “J Group” claims breach of Australian defence contractor IKAD via exploited VPN flaw — Check Point reports that J Group says it exfiltrated around 800GB of data from Australian engineering firm IKAD after months of covert access through a VPN vulnerability, with the company confirming a cyber incident and theft of non-sensitive contract and HR data (17-11-2025) [APAC]. The intrusion underlines how long-dwelling access via remote-access weaknesses can quietly drain sensitive operational data, making continuous VPN hardening, log retention and anomaly detection critical for organisations in defence-adjacent supply chains (Source: Check Point Research, 17-11-2025).

Russian port operator Port Alliance reports three days of cyberattacks disrupting digital services — Port Alliance, a major Russian operator for coal and fertiliser exports, has reported sustained DDoS and intrusion attempts that disrupted digital services for three days while terminals remained operational, with the attack leveraging a botnet of over 15,000 rotating IPs (17-11-2025) [EMEA]. For maritime and logistics DFIR teams, the incident illustrates how attackers can target business and customer-facing systems to create operational friction without directly impacting OT, demanding integrated playbooks across IT, OT and business continuity (Source: Check Point Research, 17-11-2025).

Exploits & Threat Intelligence

Cl0p’s Oracle E-Business Suite (CVE-2025-61882) zero-day campaign expands victim list across media, tech and finance — Check Point details how Cl0p continues exploiting Oracle EBS CVE-2025-61882, with confirmed breaches at The Washington Post, Logitech, Allianz UK and GlobalLogic and an unconfirmed listing for the UK’s NHS, using large-scale data theft and extortion emails against Oracle customers (17-11-2025) [Global]. Threat hunters should enrich asset inventories with Oracle EBS exposure, proactively scan for exploitation artefacts and coordinate with business owners on emergency patching and offline backup strategies (Source: Check Point Research, 17-11-2025).

Microsoft October Patch Tuesday resolves actively exploited Windows kernel zero-day CVE-2025-62215 — The same Check Point bulletin notes that Microsoft’s October updates fix 63 vulnerabilities including an exploited Windows kernel privilege escalation bug, CVE-2025-62215, and a 9.8 CVSS GDI+ remote code execution flaw impacting Windows and Office (17-11-2025) [Global]. DFIR and vulnerability management teams should prioritise these patches, update detection rules for exploit behaviour and treat unpatched endpoints as high-risk when triaging anomalous privilege escalation and document-handling activity (Source: Check Point Research, 17-11-2025).

Actively exploited zero-days uncovered in Cisco ISE, Citrix products and Triofox enterprise file sharing — Check Point reports active exploitation of critical flaws in Cisco Identity Services Engine (CVE-2025-20337), Citrix NetScaler (CVE-2025-5777) and Triofox (CVE-2025-12480), enabling unauthenticated remote code execution, in-memory webshells and creation of rogue admin accounts (17-11-2025) [Global]. These vulnerabilities demand immediate patching, enhanced monitoring for anomalous admin activity and forensic review of authentication and management logs to detect stealthy lateral movement (Source: Check Point Research, 17-11-2025).

Whisper-Leak side-channel attack shows how LLMs can leak user prompt topics across chats — New research highlighted by SecurityWeek describes “Whisper-Leak”, a side-channel technique that can infer the rough topic of user prompts to large language models by measuring resource usage, even without direct access to prompt content (15-11-2025) [Global]. For security architects deploying LLMs, the findings reinforce the need for strong tenant isolation, traffic shaping and monitoring of AI workloads as part of threat modelling, especially where sensitive investigative or legal data is processed (Source: SecurityWeek, 15-11-2025).

Law Enforcement

Five defendants plead guilty to helping North Korea evade sanctions via overseas IT worker schemes — US authorities announced that five individuals admitted to roles in a scheme that placed DPRK IT workers in foreign companies under false identities, generating illicit revenue for Pyongyang in violation of international sanctions (17-11-2025) [AMER/APAC]. The case spotlights how routine hiring and remote-work arrangements can be abused for state-backed operations, urging security leaders to tighten identity verification, monitor anomalous remote access and support law enforcement with high-quality telemetry when suspect accounts are uncovered (Source: SecurityAffairs summarising US Department of Justice filings, 17-11-2025).

UK National Crime Agency launches campaign to protect men from crypto investment fraud — The NCA has rolled out its first targeted awareness campaign on crypto investment scams, focusing on men under 45 who are disproportionately victimised by high-pressure schemes promising unrealistic returns (11-11-2025) [EMEA]. For fraud and cyber units, the initiative underlines the importance of behavioural analytics and public education alongside technical controls, and it offers material DFIR teams can reuse when helping victims and stakeholders understand evolving social-engineering patterns (Source: WiredGov / UK National Crime Agency, 11-11-2025).

Policy

Analysis outlines five major changes for organisations under the UK Cyber Security and Resilience Bill — A new legal briefing on the UK Cyber Security and Resilience Bill highlights sweeping reforms including expanded coverage beyond traditional operators of essential services, stronger obligations to report incidents and enhanced enforcement powers for regulators (16-11-2025) [EMEA]. CISOs operating in or with the UK should map these changes against existing NIS and incident-response arrangements now, ensuring governance, board reporting and supplier contracts are aligned ahead of the Bill’s final passage (Source: InsidePrivacy / Covington & Burling, 16-11-2025).

UK Amber Alert on “shadow fleet” sanctions evasion flags cyber and data red flags for compliance teams — AML Intelligence reports that a new UK Amber Alert, issued with input from the National Crime Agency, warns banks and shipping firms about deceptive practices used by “shadow fleet” tankers to evade Russian oil sanctions, including spoofed AIS, forged documentation and obfuscated beneficial ownership (17-11-2025) [EMEA]. For cyber and financial crime teams, the alert reinforces the need to fuse OSINT, maritime data and internal telemetry to detect sanctions-evasion patterns, and to treat shipping, KYC and cyber controls as a combined risk surface (Source: AML Intelligence, 17-11-2025).

Standards & Compliance

NIST seeks final comments on updated CSF 2.0 Manufacturing Profile as deadline arrives — NIST has reminded stakeholders that the public comment window for its updated Cybersecurity Framework 2.0 Manufacturing Profile closes on 17 November, inviting feedback on how the profile maps CSF functions to real-world industrial control environments (17-11-2025) [AMER/Global]. Manufacturers, MSPs and DFIR providers working in OT-heavy sectors should review the draft now to ensure their controls, incident-response procedures and monitoring architectures align with the emerging baseline for CSF 2.0-aligned operations (Source: NIST / GovDelivery bulletin, 17-11-2025).

UK government publishes incident reporting factsheet under Cyber Security and Resilience Bill — A new UK government factsheet clarifies which organisations will be required to report cyber incidents under the Cyber Security and Resilience Bill, the timeframes involved and how notifications will interface with existing regulatory and law-enforcement channels (12-11-2025) [EMEA]. Compliance and DFIR teams should use the guidance to refine incident-severity thresholds, data-capture requirements and communication runbooks so that reportable events can be escalated quickly without losing forensic integrity (Source: UK Government, 12-11-2025).

Editorial Perspective

This window shows how quickly a single zero-day campaign can ripple across sectors, with Oracle EBS exploitation sitting behind fresh breaches at media, hardware, payment and insurance organisations. For DFIR teams, the message is clear: mapping third-party dependencies and standing up “assume-compromise” playbooks around high-value SaaS and ERP platforms is now non-negotiable.

At the same time, research into LLM side-channel leakage and AI-driven espionage operations is turning abstract AI risk into concrete adversary tradecraft. Investigators will increasingly need to treat AI infrastructure, prompts and model telemetry as core evidence sources, not black boxes sitting outside traditional logging and chain-of-custody thinking.

Finally, the UK’s Cyber Security and Resilience Bill, sanctions-focused Amber Alerts and NIST’s CSF 2.0 profiles underline a policy shift from voluntary best practice to enforceable resilience outcomes. Organisations that connect the dots between threat intelligence, incident response and these emerging standards will be better placed to withstand both regulators’ questions and the next wave of coordinated multi-vector attacks.

Tags

DFIR, Cybersecurity News, Threat Intelligence, Ransomware, Law Enforcement, Compliance, EU CRA