ZeroFox Daily Intelligence Brief - October 17, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Hackers Exploit Airport PA Systems to Spread Political Messages
- NetcoreCloud Server Misconfiguration Exposes 40 Billion Email Records
- Geopolitical Focus: European NATO, Peru’s Emergency, and More
Hackers Exploit Airport PA Systems to Spread Political Messages
Source: https://edition.cnn.com/2025/10/15/us/airport-cyber-breach-pennsylvania-canada-hnk
What we know: Threat actors have hijacked the public address and display systems at four airports: Harrisburg (United States) and Kelowna, Victoria, and Windsor (Canada). The systems were used to broadcast pro-Hamas messages. The incidents caused confusion among passengers and briefly disrupted airport communications and boarding announcements.
Context: Attackers gained unauthorized access to the airports' public address (PA) and information display systems, which is suspected to have occurred through a compromised cloud-based or third-party service. The incident closely follows the first phase of the Israel-Hamas ceasefire coming into effect.
Analyst note: With the ceasefire in effect, threat actors with similar political motives could repeat such hijacks, reaching other airports and carriers through their third-party vendors in order to publicize their geopolitical cause.
NetcoreCloud Server Misconfiguration Exposes 40 Billion Email Records
Source: https://hackread.com/misconfigured-netcorecloud-server-40-billion-records/
What we know: An unsecured and publicly accessible server linked to Indian company NetcoreCloud has exposed over 40 billion records (13.4 TB) of email and marketing data, including sensitive communication logs and technical details.
Context: NetcoreCloud provides email marketing and automation services to over 6,500 global brands across industries like finance, healthcare, and ecommerce. The exposed data included internal SMTP details, healthcare notifications, banking alerts, and employment emails.
Analyst note: Threat actors could use the exposed data, including email patterns and configuration data, for mass phishing, identity theft, and corporate espionage. Attackers could also exploit the SMTP configuration data to spoof trusted domains or hijack legitimate email infrastructure.
Geopolitical Focus: European NATO, Peru’s Emergency, and More
- On October 15, 2025, U.S. Secretary of War Pete Hegseth called for a European-led North Atlantic Treaty Organization (NATO). His comments are likely part of a wider U.S. shift away from spearheading foreign policy commitments abroad and instead relying on the most powerful regional actors to take the lead on their own national security priorities.
- Russia launched a massive assault on Ukraine’s energy infrastructure with hundreds of drones and missiles on October 16, 2025. Ukraine President Volodymyr Zelenskyy prepared to meet U.S. President Donald Trump to request more air defenses, while Trump announced plans to meet Russian President Vladimir Putin in Budapest.
- Peru’s government has declared a state of emergency in the capital, Lima, after one person was killed and dozens were injured in civil unrest against newly appointed President José Jerí.
- Four people were killed in Kenya on October 16, after the police fired shots to disperse crowds that had gathered to mourn the death of 80-year-old opposition leader Raila Odinga. Operations at Nairobi's international airport were also disrupted as mourners interrupted President William Ruto's ceremony while receiving Odinga's body.
- Bangladeshi prosecutors have demanded the death penalty for former Prime Minister Sheikh Hasina, accusing her of ordering a deadly crackdown on student protests. Hasina, meanwhile, remains in exile in India.
DEEP AND DARK WEB INTELLIGENCE
Sotheby’s data breach: Major auction house Sotheby’s disclosed a data breach, detected on July 24, in which threat actors stole sensitive customer information, including names, Social Security numbers (SSNs), and financial account details. The breach exposes affected clients to identity theft, financial fraud, and targeted social engineering attacks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-54253: This flaw in Adobe Experience Manager enables unauthenticated attackers to execute arbitrary code via a misconfigured AEM Forms servlet. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. Threat actors could exploit this flaw to steal personally identifiable information, customer records, intellectual property, and other files.
Affected products: Adobe Experience Manager versions 0 through 6.5.23
CVE-2025-55315: Microsoft has patched its highest-severity vulnerability to date in the Kestrel web server. The ASP[.]NET Core vulnerability enables HTTP request smuggling and security bypass: an attacker could hide unauthorized requests within legitimate ones. Successful exploitation is likely to enable account access or further injection attacks.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green