
Cyber Brief: Ivanti, Gladinet and Oracle Breaches

Each day brings new threats, vulnerabilities, and developments shaping the cybersecurity landscape. In today’s Cyber Brief, we highlight key stories affecting UK organisations - from newly disclosed vulnerabilities to active exploits and supply-chain risks - along with practical steps your team can take to stay secure.

Ivanti under scrutiny as 13 critical vulnerabilities disclosed

Ivanti’s Endpoint Manager platform faces renewed attention after security researchers disclosed 13 unpatched vulnerabilities, several rated critical. The flaws include remote-code-execution and privilege-escalation weaknesses that could let attackers move laterally through corporate networks.
These issues were uncovered by the Zero Day Initiative (ZDI) and remain unaddressed in currently released versions. While no active exploitation has been confirmed, researchers warn that public disclosure raises the risk of opportunistic scanning and proof-of-concept weaponisation.
For many UK organisations, Ivanti is woven into IT operations for endpoint deployment and patch automation, making prompt mitigation essential. Until fixes arrive, experts advise restricting admin privileges, monitoring for unexpected service activity, and tightening segmentation between management servers and end-user devices.
Why it matters: Widely deployed IT-management platforms represent a single point of failure. Even one unpatched flaw can provide attackers with privileged network-wide access.
Source: ZDI / SecurityWeek


Gladinet TrioFox zero-day exploited in the wild

A newly discovered vulnerability in Gladinet’s CentreStack and TrioFox enterprise file-sharing products is being actively exploited. The flaw allows attackers to perform local file inclusion and escalate to remote-code execution without authentication.
Security researchers report that threat actors are scanning for exposed servers and attempting to steal data from cloud storage integrations. No patch has yet been issued, though temporary mitigations are available to disable public access and restrict configuration interfaces.
For SMEs and service providers relying on these tools for secure collaboration, the zero-day serves as a reminder that even niche SaaS components can create large-scale exposure if overlooked in vulnerability management cycles. Regular monitoring and intrusion-detection alerts on storage gateways are advised until permanent fixes are released.
Why it matters: File-sharing and sync platforms often bridge cloud and on-prem environments. When compromised, they can become direct conduits for sensitive data theft.
Source: The Hacker News / Cybersecurity News


Hacktivists test water-utility defences in honeypot exercise

Forescout’s threat-intelligence team has detailed a campaign by the hacktivist collective "TwoNet", which targeted a decoy network designed to mimic a water-treatment facility. Attackers attempted to manipulate operational-technology (OT) controls, demonstrating an understanding of industrial protocols used in real-world utilities.
Although the target was a honeypot, the incident highlights ongoing interest in UK and global critical-infrastructure systems. Forescout’s telemetry shows similar reconnaissance across manufacturing and energy networks, suggesting adversaries are probing for weaknesses long before launching disruptive attacks.
The findings underscore how cyber and physical security overlap in essential services. Continuous OT monitoring, network segmentation between IT and plant systems, and patching of outdated PLC interfaces remain key safeguards.
Why it matters: Critical-infrastructure security is no longer theoretical - attackers are already practising. Real-time detection and clear incident-response playbooks are vital for resilience.
Source: Forescout / Industrial Cyber


Oracle-linked campaign hits more than 100 organisations

Google’s threat-analysis team has confirmed that over 100 organisations were affected by a hacking campaign exploiting a vulnerability in Oracle’s E-Business Suite. The campaign, attributed to a sophisticated group using supply-chain infiltration tactics, focused on data exfiltration and persistence through compromised third-party systems.
The breach demonstrates how quickly known vulnerabilities can be folded into broad exploitation efforts. Even organisations that patched late, or whose suppliers lagged, may have been exposed.
Google recommends enterprises reassess their dependency chains and ensure vendors apply security updates promptly. Organisations running Oracle-based platforms should also review logs for unusual database queries or administrative actions.
Why it matters: Supply-chain compromise extends risk far beyond your perimeter. Trust must be verified continuously through monitoring and supplier assurance.
Source: Reuters / Google Threat Analysis Group


🔍 Today’s Key Actions

  1. Review vendor bulletins for Ivanti Endpoint Manager and apply mitigations or network isolation immediately.
  2. Restrict external access to Gladinet CentreStack and TrioFox servers and monitor for exploitation attempts.
  3. For OT environments, verify segmentation and logging between IT and control systems.
  4. Conduct a rapid supplier-risk check to confirm patch status and incident notification readiness.


💬 Secarma Insight

Cybersecurity resilience depends on visibility, verification, and collaboration. Through Secarma’s ACT Framework - Advise, Certify, Test - we help organisations understand exposure, validate defences, and strengthen supplier assurance. If today’s developments highlight gaps in your security posture, our consultants can guide you toward pragmatic, measurable improvements.

Get in touch with us to start a conversation about your organisation’s security journey.
