This week’s top cybersecurity threats reveal how attackers are targeting core enterprise systems, critical infrastructure, and trusted internal tools to gain access and disrupt operations. A critical vulnerability in SolarWinds Web Help Desk, a ransomware attack that grounded airport systems across Europe, and stealthy abuses of Oracle Database Scheduler functionality all underscore the evolving nature of today’s threat landscape.
Below, we break down the most pressing cybersecurity threats and provide actionable guidance to reduce your exposure.
SolarWinds RCE Flaw Reopens High-Severity Risk for IT Support Systems
A newly disclosed vulnerability in SolarWinds Web Help Desk (CVE-2025-26399) has reopened a critical attack vector for enterprise support environments. The flaw, which affects version 12.8.7 and earlier, allows unauthenticated remote code execution via a deserialization bug in the AJAX proxy component. In practice, it lets an attacker run arbitrary commands on the host server without any credentials, which amounts to full control of that server. Notably, this vulnerability is a bypass of two prior patches (CVE-2024-28986 and CVE-2024-28988), meaning even organizations that previously addressed related issues may still be exposed. While there’s no confirmed exploitation in the wild, SolarWinds has acknowledged the severity by issuing a hotfix ahead of its standard release cycle.
To mitigate risk, organizations should immediately apply the 12.8.7 HF1 hotfix and confirm that the earlier fixes for CVE-2024-28986 and CVE-2024-28988 were actually applied. Beyond software updates, it’s critical to keep systems running Web Help Desk off the open internet and to enforce access controls through firewalls or VPNs. SOC teams should configure logging to detect unexpected activity from the AJAX proxy component and monitor for deserialization behavior indicative of exploit attempts. Given the platform’s common use in support and IT operations, a compromise could enable lateral movement or access to sensitive credentials stored in tickets or logs.
Ransomware Attack on Collins Aerospace Disrupts European Airport Operations
A widespread outage across several major European airports this week was traced to a ransomware attack on Collins Aerospace’s MUSE system—a vendor platform used to manage check-in and boarding operations. Airports including Heathrow, Brussels, and Berlin experienced significant delays and were forced to revert to manual processing after automated kiosks and gate systems went offline. Though full technical details are still emerging, early indications suggest a well-coordinated supply chain attack that targeted a centralized service provider, with the effects cascading into national and international travel infrastructure. Given the reliance on this third-party system by multiple airlines, the disruption underscores the systemic risk posed by single points of failure within shared digital ecosystems.
Organizations operating critical infrastructure or relying on third-party service platforms should use this incident as a prompt to re-evaluate their vendor risk management strategy. Ensure that core systems are not overly reliant on a single provider without fallback options. In addition to requiring vendors to implement strong cybersecurity protocols and incident response transparency, businesses should maintain tested contingency procedures that allow operations to continue in degraded mode. This includes ensuring the availability of offline tools, manual workflows, and clear communication channels for continuity during outages. Integrate business continuity planning with cybersecurity response to address disruptions caused by upstream attacks.
Oracle Scheduler Feature Exploited for Stealthy, In-Memory Command Execution
Enterprise environments running Oracle on Windows are facing a new stealthy attack vector as threat actors begin abusing the Oracle Database Scheduler’s External Jobs capability. By compromising exposed listener ports or exploiting weak administrative credentials, attackers can escalate privileges to SYSDBA and use the extjobo.exe executable to run arbitrary operating system commands. These payloads—often Base64-encoded PowerShell scripts—are executed directly in memory, allowing adversaries to bypass endpoint detection tools that rely on file-based scanning. Because the External Jobs feature is a legitimate administrative function, these attacks can blend into normal system activity, making detection especially difficult without advanced behavioral monitoring.
Security teams should immediately review Oracle database configurations to determine whether External Jobs are in use and necessary. If the feature isn’t operationally required, disable it entirely. In environments where it must stay active, enable logging for scheduler activity and actively monitor it for anomalies, including unexpected user-created jobs or unusual base64-encoded command strings. Additionally, administrators should review listener exposure and credential policies, including network segmentation, least-privilege enforcement, and strong password requirements. This is a textbook ‘living off the land’ attack: threat actors turn your trusted tools against you, so it is critical to know how administrators normally use legitimate functions and to watch for departures from that baseline.
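As an added illustration of the review and monitoring step above (this is example code, not from the original post or from Oracle), the following Python script applies those checks to constructed rows shaped like Oracle’s DBA_SCHEDULER_JOBS and DBA_SCHEDULER_JOB_ARGS views: it reports every external (EXECUTABLE) job for a necessity review and flags jobs that launch a shell or carry a base64-encoded PowerShell -EncodedCommand payload. The owners, job names, paths and arguments are invented; the encoded payload is a harmless "Write-Host test".

```python
import base64
import re

# Constructed rows shaped like DBA_SCHEDULER_JOBS joined to DBA_SCHEDULER_JOB_ARGS.
# Names, paths and arguments are invented; the last job carries a harmless command
# encoded the way PowerShell's -EncodedCommand expects (UTF-16LE, then base64).
SAMPLE_JOBS = [
    {"owner": "SYS", "job_name": "PURGE_LOG", "job_type": "PLSQL_BLOCK",
     "job_action": "BEGIN DBMS_SCHEDULER.PURGE_LOG; END;", "args": []},
    {"owner": "OPS", "job_name": "NIGHTLY_BACKUP", "job_type": "EXECUTABLE",
     "job_action": r"C:\oracle\scripts\backup.bat", "args": ["FULL"]},
    {"owner": "SCOTT", "job_name": "J_1B2C", "job_type": "EXECUTABLE",
     "job_action": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "args": ["-NoP", "-W", "Hidden", "-EncodedCommand",
              base64.b64encode("Write-Host test".encode("utf-16-le")).decode()]},
]

SHELL_RE = re.compile(r"(powershell|pwsh|cmd)\.exe$", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_encoded_command(token):
    """Return the decoded text if token looks like base64 of UTF-16LE, else None."""
    if not B64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    # UTF-16LE ASCII text has a NUL in every odd byte; require that before
    # trusting the decode so ordinary base64 data is not misreported.
    if len(raw) < 4 or len(raw) % 2 or any(raw[1::2]):
        return None
    return raw.decode("utf-16-le")


def review_jobs(jobs):
    """Report every external (EXECUTABLE) job so its necessity can be reviewed,
    adding reasons when it launches a shell or carries an encoded command."""
    findings = []
    for job in jobs:
        if job["job_type"] != "EXECUTABLE":
            continue
        reasons = ["external job"]
        if SHELL_RE.search(job["job_action"]):
            reasons.append("launches shell")
        for arg in job["args"]:
            decoded = decode_encoded_command(arg)
            if decoded is not None:
                reasons.append("encoded command: " + decoded)
        findings.append((job["owner"] + "." + job["job_name"], reasons))
    return findings
```

In practice the rows would come from a query against those two views, and every reported job should be matched against the change record before it is allowed to keep running.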
Stay Ahead of the Curve Against Cybersecurity Threats
From patch bypasses and third-party disruptions to stealth techniques inside trusted systems, this week’s cybersecurity threats reflect the increasingly complex challenge facing enterprise defenders. Staying ahead requires more than just reactive patching—it means adopting a proactive security strategy that blends threat intelligence, privileged access management, and continuous monitoring.
Need expert help identifying vulnerabilities in your environment or preparing for these emerging threats? RSI Security offers end-to-end advisory services, technical testing, and compliance solutions tailored to your industry. Schedule a consultation today!