eastbaycyber

Nucor Breach, ClickFix, EDRKillShifter, SAP NetWeaver Exposure, and Critical CVEs

Threat digests 10 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-15
Week of 15 MAY 2026

This threat digest 2026-05-15 centers on three recurring realities: attackers still monetize disruption and data theft together, social engineering keeps adapting faster than many user-awareness programs, and exposed enterprise infrastructure remains a top intrusion path. For related coverage, see our ransomware response checklist and how to spot social engineering attacks.

Top Stories

Nucor confirms data theft in recent cyberattack

Nucor confirmed that threat actors stole some data in the cyberattack it disclosed earlier this week. That matters for two reasons: this is no longer only an availability or operational event, and the risk profile now includes downstream extortion, secondary phishing, and possible follow-on targeting of partners or employees using stolen information.

For defenders, the lesson is familiar but important: when a large industrial or manufacturing organization confirms data theft, assume the incident may progress in phases. Initial disruption may be followed by coercive outreach, leak-site pressure, or credential abuse attempts. Security teams supporting manufacturing, logistics, or industrial operations should review whether segmentation between business systems and operational environments is actually enforceable under stress.

ClickFix expands beyond Windows and now targets Linux users too

According to BleepingComputer, ClickFix campaigns have evolved into a cross-platform social-engineering technique targeting both Windows and Linux users. The core mechanism is simple and effective: present a fake issue, then provide “fix” steps that push the user to execute attacker-controlled commands.

This is especially relevant in mixed environments where Linux administrators, developers, and DevOps teams may be conditioned to trust terminal-based remediation steps. User education that only warns about Office macros or classic phishing is not enough here. Defenders should train users to treat any prompt that instructs them to paste commands into a shell, PowerShell, or terminal as suspicious unless it comes through a verified internal workflow.

EDRKillShifter reportedly becoming a favored cybercrime tool

Reporting cited via Google News indicates that RansomHub’s EDRKillShifter malware has become increasingly popular in cybercrime operations.

The strategic point is clear: adversaries continue to invest in defense evasion before encryption, data theft, or lateral movement. If an operator can blind or weaken endpoint controls early, every subsequent action becomes easier. Organizations should interpret any tamper alert, unexpected agent outage, or sudden drop in telemetry volume as a potentially urgent event, not a routine endpoint health issue.

BreachForums guilty plea is notable, but forum-based crime will adapt

The alleged BreachForums administrator has reportedly pleaded guilty in connection with running the cybercrime marketplace.

This is an important law-enforcement milestone, but defenders should avoid overreading the impact. Criminal communities are resilient. Takedowns, seizures, and arrests can disrupt trust and operations in the short term, but they rarely eliminate the underlying demand for stolen data, access brokerage, or fraud tooling. Monitoring requirements for leaked credentials, customer data, and internal identifiers remain unchanged.

More banks are formalizing vulnerability reporting

KrebsOnSecurity reports that many banks now offer structured pathways for reporting security issues.

This is good news for defenders. Formal vulnerability reporting programs help reduce chaos when researchers find issues, improve triage quality, and create a healthier signal path than ad hoc outreach to random inboxes or social media accounts. For SMBs and midmarket firms, the takeaway is practical: even if a full bug bounty program is out of reach, a clearly published vulnerability disclosure policy and intake process is now baseline maturity.

SAP NetWeaver exposure deserves immediate review

A report via Google News says hundreds of SAP NetWeaver servers are likely still vulnerable as exploit activity emerges.

For many enterprises, internet-facing application infrastructure remains one of the fastest paths from exposure to compromise. If your environment runs SAP NetWeaver, this should be in today’s priority queue. Validate exposure, review vendor guidance directly, inspect authentication and application logs, and confirm whether external access is necessary at all.

Critical Vulnerabilities

CVE-2025-32709 : glibc iconv out-of-bounds write

NVD entry

Severity: HIGH
CVSS v3.1: 8.8

This issue affects the iconv function in GNU C Library (glibc) 2.39 and earlier when processing invalid UCS4 input in the ISO-2022-CN-EXT converter. The flaw can write up to four bytes out of bounds to the output buffer, which may cause memory corruption or crashes.

Why it matters: glibc sits deep in the Linux software stack. Even when exploitability is context-dependent, bugs in foundational libraries deserve priority because they can surface across multiple applications and appliances. Teams should inventory affected systems, identify software paths using vulnerable character-set conversion behavior, and prioritize externally reachable or high-value workloads first.

CVE-2025-4427 : FreeIPA password reset and account compromise risk

NVD entry

Severity: HIGH
CVSS v3.1: 8.8

This FreeIPA flaw can allow a malicious user to trigger a crafted request sequence that causes a victim browser to submit a password-changing request. In practice, that creates account takeover potential when combined with the right conditions or additional weaknesses.

Identity systems always deserve elevated urgency. Even if exploitation requires chaining or social conditions, the business impact of unauthorized password changes is high. Review administrative exposure paths, monitor password reset and credential change events, and assess whether privileged or sensitive accounts may be at greater risk.

CVE-2025-4426 : FreeIPA SCEP request handling denial of service

NVD entry

Severity: HIGH
CVSS v3.1: 8.6

A flaw in FreeIPA’s handling of SCEP requests allows an unauthenticated attacker to send crafted requests that crash the affected service.

Availability issues in identity infrastructure can quickly become enterprise-wide operational problems. If FreeIPA supports authentication or certificate-related workflows in your environment, monitor for unexplained service instability, failed enrollment activity, and abnormal request patterns originating from untrusted networks.

CVE-2025-47729 : TYPO3 insecure deserialization

NVD entry

Severity: HIGH
CVSS v3.1: 8.8

This TYPO3 issue affects multiple branches and can enable remote code execution, privilege escalation, or access to sensitive data in backend contexts or through chained attacks. The NVD notes fixes in the following versions:

  • 9.5.52 ELTS
  • 10.4.51 ELTS
  • 11.5.45 ELTS
  • 12.4.31 LTS
  • 13.4.12 LTS

If TYPO3 is deployed internally or for external-facing business functions, verify version status immediately. Also review backend account exposure, extension hygiene, and whether any known weaknesses elsewhere in the application stack could make chaining easier.

CVE-2025-4653 : Devika path traversal in /api/download-project

NVD entry

Severity: HIGH
CVSS v3.1: 8.6

This vulnerability in stitionai/devika version 1.0 is a path traversal issue in the /api/download-project endpoint. The project_name parameter can allegedly be manipulated to traverse directories and overwrite files on the local system.

Self-hosted AI tooling often lands in environments faster than normal hardening and governance controls. If teams are experimenting with internal AI platforms, verify whether these services are exposed beyond trusted networks, what filesystem permissions they hold, and whether they can overwrite configuration or service files.

Operational note on SAP NetWeaver

The reported SAP NetWeaver exposure story is not listed above as a CVE item in today’s supplied vulnerability feed, but it still deserves immediate operational attention because active exploit interest against widely deployed enterprise software can outrun normal patch-validation cycles. Treat this as a parallel exposure management task, not something to wait on until the next maintenance window.

What Defenders Should Do Today

1. Hunt for ClickFix-style lures across multiple channels

Look beyond email. Review browser pop-up complaints, collaboration tools, helpdesk impersonation attempts, and unusual user reports involving “verification,” “repair,” or “copy/paste this command” instructions.

Brief users and administrators on one simple rule:

If a message or page tells you to paste commands into PowerShell, Command Prompt, Bash, or a Linux terminal to fix a problem, stop and verify through a trusted support channel.

This guidance works because it targets behavior, not a single malware family.

2. Review EDR health and tamper indicators now

Given the reporting around EDRKillShifter, validate that endpoint agents are:

  • installed on critical systems,
  • currently running,
  • checking in normally,
  • generating expected telemetry volume, and
  • alerting on tamper or disable attempts.

A quiet endpoint is not automatically a healthy endpoint. Investigate sudden telemetry gaps, disabled services, or inconsistent policy application, especially on high-value servers and admin workstations.

3. Prioritize exposure-driven patching

Focus first on:

  • internet-facing systems,
  • identity infrastructure,
  • content management platforms,
  • self-hosted AI tooling,
  • and any system processing untrusted external input.

For today’s listed vulnerabilities, that means reviewing glibc, FreeIPA, TYPO3, and Devika deployments, while also checking any SAP NetWeaver presence. Where immediate patching is not possible, document compensating controls such as network restrictions, WAF or reverse-proxy rules, reduced backend access, and tighter monitoring.

4. Add targeted monitoring for FreeIPA

For environments using FreeIPA, review:

  • password change events,
  • browser-driven workflows touching account management,
  • SCEP-related errors or spikes,
  • unexplained service crashes,
  • and request sequences that deviate from known-good patterns.

Because identity attacks often blend technical abuse with legitimate workflows, log review should include both security events and application behavior anomalies.

5. Lock down TYPO3 backend exposure

For TYPO3 instances:

  • confirm running versions against fixed releases,
  • restrict backend access by network and role,
  • review admin account hygiene,
  • minimize unnecessary extensions,
  • and inspect whether any prior compromise indicators exist.

Insecure deserialization issues become more dangerous when backend access is broad, weakly segmented, or already reachable through another foothold.

6. Reduce risk from self-hosted AI applications

If your organization runs Devika or similar tools:

  • remove public exposure unless there is a documented business requirement,
  • restrict service accounts and filesystem write permissions,
  • monitor API requests for traversal attempts,
  • and review whether development systems are bypassing normal security review.

These tools often sit in gray zones between dev experimentation and production reliance. Attackers do not care which category you intended.

7. Prepare for data-theft-led extortion scenarios

The Nucor case is a reminder that operational incidents frequently include data exposure. For organizations in manufacturing and other ransomware-targeted sectors, verify:

  • backup integrity and restoration speed,
  • segmentation between critical functions,
  • incident communications workflows,
  • legal and executive escalation paths,
  • and dark-web or leak-site monitoring where appropriate.

Do not wait for a ransom note to determine whether your extortion response process exists. If your team needs encrypted remote access during incident response, choose a vetted VPN service rather than ad hoc tools; options readers often compare include NordVPN and Surfshark.

8. Refresh SOC detections and escalation criteria

Make sure the SOC or monitoring team has current watch items for:

  • credential theft,
  • suspicious password changes,
  • browser-based fake support lures,
  • shell or PowerShell execution spawned from unusual parent processes,
  • endpoint tamper attempts,
  • web application exploitation patterns,
  • and access anomalies around identity and CMS platforms.

Just as important: ensure analysts know which events require immediate escalation today. Speed matters most when the affected systems are identity, externally exposed applications, or endpoint security controls.

Bottom Line

Today’s threat picture is not defined by a single campaign. It is defined by convergence:

  • social engineering that pushes users to execute commands,
  • malware aimed at blinding defenses,
  • real-world incidents that combine disruption with data theft,
  • and high-severity flaws in software that often sits close to the business core.

If you only have time for a short action list today, do these three things:

  1. Check internet-facing enterprise applications, especially SAP NetWeaver and TYPO3.
  2. Validate endpoint protection health and investigate tamper or telemetry gaps.
  3. Brief users and admins that command-paste “fix” instructions are now a mainstream cross-platform attack pattern.

That set of actions will reduce risk faster than waiting for perfect attribution or complete campaign detail.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-15

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.