ZeroFox Daily Intelligence Brief - November 19, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- WhatsApp Vulnerability Enabled Global Phone Number Harvesting
- Iran-Linked Espionage Campaign Hits Aerospace and Aviation Sectors
- Cloudflare Outage Reportedly Not Caused by Cyberattack
WhatsApp Vulnerability Enabled Global Phone Number Harvesting
Source: https://www.wired.com/story/a-simple-whatsapp-security-flaw-exposed-billions-phone-numbers/
What we know: Researchers have uncovered a major privacy flaw in WhatsApp’s contact-discovery feature that enabled anyone to rapidly enumerate billions of phone numbers due to weak rate-limiting and the platform’s reliance on predictable phone numbers as account identifiers.
Context: By automating lookup requests through WhatsApp Web, researchers collected 3.5 billion registered numbers, many with publicly exposed profile photos and “About” text. The issue had been known since 2017 but remained exploitable until Meta implemented stricter rate limits in October 2025.
Analyst note: The research shows systemic risks in phone-number-based identity systems that threat actors could leverage for large-scale scraping to sell on dark web forums. The vulnerability is also likely to be used by authoritarian governments to identify and track users.
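The flaw described above came down to two properties: a lookup endpoint that answered far too many queries per client, and identifiers (phone numbers) that are dense and easy to iterate. The following is an added example, not ZeroFox's, Meta's or WhatsApp's code, showing the two defensive controls a contact-discovery service would want: a per-client sliding-window rate limiter on lookups, and a detector that flags clients whose lookup logs show mass or sequential enumeration. Class and function names, thresholds and the log lines are all constructed for illustration.

```python
"""Added example: rate limiting and enumeration detection for a
contact-discovery style lookup endpoint. Names, thresholds and the
sample log are constructed for illustration, not taken from any product."""
from collections import defaultdict, deque


class LookupRateLimiter:
    """Sliding-window limiter: at most `max_lookups` per client per `window_s` seconds.

    Timestamps are passed in by the caller so behaviour is deterministic
    and testable; a real service would pass time.monotonic()."""

    def __init__(self, max_lookups: int, window_s: float):
        self.max_lookups = max_lookups
        self.window_s = window_s
        self._hits = defaultdict(deque)  # client_id -> timestamps of allowed lookups

    def allow(self, client_id: str, now: float) -> bool:
        q = self._hits[client_id]
        # Drop lookups that have aged out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_lookups:
            return False  # budget exhausted: reject the lookup
        q.append(now)
        return True


def parse_log(lines):
    """Parse constructed log lines of the form '<ts> <client_id> <number>'."""
    records = []
    for line in lines:
        ts, client, number = line.split()
        records.append((float(ts), client, number))
    return records


def detect_enumeration(records, window_s=60.0, max_distinct=20, seq_ratio=0.8):
    """Return {client_id: [reasons]} for clients that look like scrapers.

    A client is flagged if it looked up more than `max_distinct` distinct
    numbers inside any `window_s` window, or if the numbers it looked up
    are mostly consecutive (a sign of iterating a number range)."""
    by_client = defaultdict(list)
    for ts, client, number in records:
        by_client[client].append((ts, number))

    flagged = {}
    for client, events in by_client.items():
        events.sort()
        window = deque()
        counts = defaultdict(int)
        peak_distinct = 0
        for ts, number in events:
            window.append((ts, number))
            counts[number] += 1
            while window and ts - window[0][0] >= window_s:
                old_ts, old_num = window.popleft()
                counts[old_num] -= 1
                if counts[old_num] == 0:
                    del counts[old_num]
            peak_distinct = max(peak_distinct, len(counts))

        reasons = []
        if peak_distinct > max_distinct:
            reasons.append(f"{peak_distinct} distinct numbers within {window_s:.0f}s")
        nums = sorted({int(n) for _, n in events})
        if len(nums) >= 5:
            consecutive = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
            if consecutive / (len(nums) - 1) >= seq_ratio:
                reasons.append("sequential number pattern")
        if reasons:
            flagged[client] = reasons
    return flagged


# Constructed sample log: one client walking a number range quickly,
# one client doing a few unrelated lookups over several minutes.
SAMPLE_LOG = (
    [f"{100 + i * 0.2:.1f} scraper {15550100000 + i}" for i in range(30)]
    + ["100.0 user 15550198765", "130.0 user 15550112233", "170.0 user 15550166778"]
)

if __name__ == "__main__":
    for client, why in detect_enumeration(parse_log(SAMPLE_LOG)).items():
        print(client, "->", "; ".join(why))
```

The limiter is the preventive control (the change the article credits with closing the gap); the detector is the monitoring control that would have surfaced a scraping campaign long before billions of lookups completed.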
Iran-Linked Espionage Campaign Hits Aerospace and Aviation Sectors
Source: https://thehackernews.com/2025/11/iranian-hackers-use-deeproot-and.html
What we know: Iran‑associated advanced persistent threat (APT) UNC1549 reportedly conducted sustained espionage attacks on aerospace, aviation, and defense organizations across the Middle East from 2023 to 2025. The group leveraged credentials from suppliers and broke out of virtual desktop environments to infiltrate high‑security networks.
Context: Once inside, they deployed custom backdoors like TWOSTROKE and DEEPROOT alongside extensive tunneling tools for persistence and data theft. Researchers observed UNC1549 using command and control domains crafted to mimic victim industries.
Analyst note: The Iran‑linked actors are likely to have gained access to highly sensitive aerospace, aviation, and defense information, including intellectual property, strategic plans, and technical designs. Access to sensitive data is likely to enable Iran to accelerate its own military and technological programs.
Cloudflare Outage Reportedly Not Caused by Cyberattack
Source: https://www.securityweek.com/cloudflare-says-highly-disruptive-outage-not-caused-by-attack/
What we know: Cloudflare confirmed that the widespread outages on November 18, 2025 were not caused by a cyberattack but by a routine configuration change that triggered a latent bug in its bot-mitigation system. The issue has since been resolved.
Context: The outages disrupted major services worldwide, including ChatGPT and the League of Legends game, as well as critical organizations such as New York City Emergency Management, New Jersey Transit, and the French national railway company SNCF.
Analyst note: The incident reveals the widespread dependency of services on Cloudflare, making such infrastructure a prime target for attackers. It is likely to require significant resources and skills to be able to disrupt Cloudflare given its defences and infrastructure. However, hacktivist or hacker groups are also likely to falsely claim credit for high-profile outages.
DEEP AND DARK WEB INTELLIGENCE
Pajemploi data breach: URSSAF, the French organization that collects social security contributions, has confirmed a data breach at its Pajemploi service affecting up to 1.2 million employees and employers. The exposed data includes names, birth details, addresses, Social Security numbers (SSNs), bank names, and Pajemploi numbers. Direct account access is unlikely because passwords and bank account numbers were not leaked. However, the data is likely to be leveraged for ransom demands, phishing, impersonation, and social engineering attacks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-13223: Google has released a patch for this type confusion vulnerability in the V8 JavaScript engine. The bug could enable arbitrary code execution and system crashes. Successful exploitation is likely to lead to full system compromise via a crafted HTML page. Following a successful exploit, threat actors are likely to steal credentials, cookies, and other data stored in the Chrome web browser.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green