• In the early hours of November 3, 2025, Check Point Research’s blockchain threat monitoring systems flagged a suspicious pattern on the Ethereum mainnet. The alert stemmed from Balancer V2’s Vault contract, which soon revealed one of the most devastating DeFi vulnerabilities to date. Before defenders could intervene, attackers had siphoned $128.64 million from Balancer ComposableStablePool […]

    The post Checkpoint Analysis: Dissecting the $128M Balancer Pool Drain in Under 30 Minutes appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • On November 3, 2025, blockchain security monitoring systems detected a sophisticated exploit targeting Balancer V2’s ComposableStablePool contracts.

An attacker exploited a precision-loss vulnerability to drain $128.64 million across six blockchain networks in under 30 minutes.

    The attack leveraged a rounding error in the _upscaleArray function combined with carefully crafted batchSwap operations, allowing the attacker to artificially suppress BPT (Balancer Pool Token) prices and extract value through repeated arbitrage cycles.

    The exploitation occurred primarily during smart contract deployment, with the attacker’s constructor executing over 65 micro-swaps that compounded precision loss to devastating effect.

    This incident represents a watershed moment for DeFi security, demonstrating how mathematical vulnerabilities in core protocol functions can be weaponized through automation and precise parameter tuning.

    The attack’s sophistication lay not in exploiting a novel vulnerability type, but in recognizing how negligible rounding errors become catastrophic when amplified through dozens of operations in atomic transactions.

    Check Point researchers noted that the attack exploited a fundamental weakness in how Balancer’s ComposableStablePools handle small-value swaps.

    The attack exploited a mathematical vulnerability in how Balancer’s ComposableStablePools handle small-value swaps (Source – Check Point)

    When token balances are pushed to specific rounding boundaries, particularly the 8-9 wei range, Solidity’s integer division causes significant precision loss.

    The researchers identified that individual swaps produce negligible errors, but within a single batchSwap transaction containing 65 operations, these losses compound dramatically, creating exploitable arbitrage opportunities.

    The attacker’s technical execution revealed a three-stage pattern repeated 65 times atomically. First, large BPT amounts were swapped for underlying tokens to push specific token balances to critical rounding boundaries.

    Second, small swaps involving boundary-positioned tokens triggered precision loss through the _upscaleArray function’s mulDown operation, causing the invariant D (representing total pool value) to be underestimated and BPT price to drop artificially.

    Third, the attacker purchased BPT at suppressed prices and immediately redeemed for underlying assets at full value, capturing the price discrepancy as profit.

    The Exploit Contract Architecture and Technical Breakdown

    Check Point analysts identified the exploit contract deployed at address 0x54B53503c0e2173Df29f8da735fBd45Ee8aBa30d operating with a sophisticated three-address structure designed for operational separation and fund management.

    The vulnerability stemmed from the _upscaleArray function’s implementation, which performs integer division during balance scaling operations.

    The mulDown function creates rounding errors that propagate directly to invariant calculations, ultimately determining BPT pricing.

    The attacker’s constructor automatically executed the complete exploitation sequence targeting two Balancer pools simultaneously.

    Analysis revealed 65 token transfers to Balancer’s Protocol Fees Collector, displaying characteristic patterns of iterative precision exploitation.

    The stolen value accumulated in the contract’s internal balance through InternalBalanceChanged events: Pool 1 generated +4,623 WETH and +6,851 osETH, while Pool 2 contributed +1,963 WETH and +4,259 wstETH.

    Following the initial theft, a secondary withdrawal function transferred the accumulated 6,586 WETH plus additional assets to the final recipient address.

    This two-stage approach separated theft execution from fund extraction, demonstrating operational discipline and reducing detection surface during the critical exploitation window.


    The post Checkpoint Details on How Attackers Drained $128M from Balancer Pools Within 30 Minutes appeared first on Cyber Security News.


  • Cisco has issued a critical security advisory addressing two severe vulnerabilities in its Unified Contact Center Express (CCX) platform that could enable remote attackers to execute arbitrary commands and gain unauthorized system access. The vulnerabilities, published on November 5, 2025, require immediate attention from organizations running Cisco Unified CCX systems. CVE ID Vulnerability Type CVSS […]

    The post Cisco UCCX Vulnerabilities Allow Remote Attackers to Execute Arbitrary Code appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


• Security researchers have identified a sophisticated new malware family, Airstalk, that exploits VMware’s AirWatch API—now known as Workspace ONE Unified Endpoint Management—to establish covert command-and-control channels. The discovery represents a significant evolution of the threat, with both PowerShell and .NET variants discovered in what researchers assess with medium confidence was a nation-state-sponsored supply chain attack. The […]

    The post Airstalk Malware Exploits AirWatch MDM for Covert C2 Communication appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


• Introduction Financial institutions are facing a new reality: cyber-resilience has moved from being a best practice to an operational necessity to a prescriptive regulatory requirement. Crisis-management (tabletop) exercises, for a long time relatively rare in the context of cybersecurity, have become mandatory as a series of regulations has introduced this requirement for FSI organizations in


  • Cisco has disclosed multiple critical vulnerabilities in Unified Contact Center Express (CCX) that allow unauthenticated remote attackers to execute malicious code and escalate privileges.

    The vulnerabilities affect the Java Remote Method Invocation (RMI) process and authentication mechanisms, potentially compromising entire contact center deployments.

    RCE and Authentication Bypass Vulnerability

    The primary vulnerability, CVE-2025-20354, has a critical CVSS score of 9.8, allowing attackers to upload arbitrary files via the Java RMI process without authentication.

    Successful exploitation allows attackers to execute commands with root privileges on affected systems.

    The vulnerability stems from improper authentication mechanisms in Cisco Unified CCX, leaving organizations’ contact center infrastructure exposed to complete compromise.

    Attackers can leverage this flaw to establish persistent access, steal sensitive customer data, or deploy ransomware across entire contact center networks.

    CVE-2025-20358 presents an equally dangerous authentication bypass affecting the CCX Editor application.

    Rated 9.4 on the CVSS scale, this vulnerability allows attackers to redirect the authentication flow to malicious servers, tricking the CCX Editor into believing legitimate authentication occurred.

    Once bypassed, attackers gain administrative permissions to create and execute arbitrary scripts as internal non-root users.

This dual-vulnerability combination creates a sophisticated attack chain that allows remote attackers to progressively escalate privileges and maintain control over contact center operations.

CVE ID            Vulnerability Type       CVSS Score
CVE-2025-20354    Remote Code Execution    9.8
CVE-2025-20358    Authentication Bypass    9.4

    Cisco has released software updates addressing both vulnerabilities, with no workarounds available.

    Organizations running Unified CCX version 12.5 SU3 and earlier must upgrade immediately to version 12.5 SU3 ES07, while users on version 15.0 must install version 15.0 ES01.

    The vulnerabilities affect all Unified CCX configurations regardless of deployment settings. Other Cisco products, including Unified Contact Center Enterprise (CCE) and Packaged Contact Center Enterprise, remain unaffected.


    The post Cisco Unified Contact Center Express Vulnerabilities Let Remote Attacker Execute Malicious Code appeared first on Cyber Security News.


  • Cybercrime has stopped being a problem of just the internet — it’s becoming a problem of the real world. Online scams now fund organized crime, hackers rent violence like a service, and even trusted apps or social platforms are turning into attack vectors. The result is a global system where every digital weakness can be turned into physical harm, economic loss, or political


  • Django, one of the most popular Python web development frameworks, has disclosed two critical security vulnerabilities that could allow attackers to execute SQL injection attacks and launch denial-of-service attacks.

    The vulnerabilities, identified as CVE-2025-64458 and CVE-2025-64459, affect core components of the framework and require immediate attention from developers using Django in their applications.

    The more serious of the two vulnerabilities, CVE-2025-64459, carries a high severity rating and involves a potential SQL injection weakness in Django’s QuerySet and Q objects.

    SQL Injection and Windows-Specific DoS Vulnerability

Security researcher Cyberstan discovered that the QuerySet.filter(), QuerySet.exclude(), and QuerySet.get() methods, along with the Q() class, are vulnerable when processing specially crafted dictionaries that use the _connector keyword argument with dictionary expansion.

    This flaw could enable malicious actors to inject arbitrary SQL commands into database queries, potentially compromising sensitive data or gaining unauthorized access to backend systems.

    SQL injection remains one of the most dangerous web application vulnerabilities, making this discovery particularly concerning for organizations relying on Django for their web infrastructure.

    The second vulnerability, CVE-2025-64458, affects Django installations running on Windows.

CVE ID            Vulnerability Type         Affected Versions                     CVSS Score
CVE-2025-64458    Denial-of-Service (DoS)    Django 4.2, 5.1, 5.2, 6.0 (beta)      5.3
CVE-2025-64459    SQL Injection              Django 4.2, 5.1, 5.2, 6.0 (beta)      9.8

    Seokchan Yoon from ch4n3.KR identified this moderate-severity denial-of-service weakness in the HttpResponseRedirect and HttpResponsePermanentRedirect functions. The issue stems from slow NFKC normalization in Python on Windows.

    Attackers can exploit this performance bottleneck by submitting inputs containing vast numbers of Unicode characters, causing the application to consume excessive resources and potentially become unresponsive.

    Although rated moderate severity, this vulnerability could still disrupt services and affect user experience on Windows-based Django deployments.

    Django developers should update their installations to the latest patched versions as soon as possible.

    Organizations using Django on Windows systems should pay particular attention to the DoS vulnerability. At the same time, all Django users must address the SQL injection flaw regardless of their operating system.

    Regular security updates and following Django’s security best practices remain essential for maintaining secure web applications.


    The post Multiple Django Vulnerabilities Enable SQL injection and DoS Attack appeared first on Cyber Security News.


  • Bitdefender has once again been recognized as a Representative Vendor in the Gartner® Market Guide for Managed Detection and Response (MDR) — marking the fourth consecutive year of inclusion. According to Gartner, more than 600 providers globally claim to deliver MDR services, yet only a select few meet the criteria to appear in the Market Guide. While inclusion is not a ranking or comparative


  • International law enforcement agencies have taken down three sophisticated fraud and money laundering networks in a coordinated operation that uncovered one of the largest credit card fraud schemes in recent history.

    The operation, codenamed “Chargeback,” revealed criminal activity affecting over 4.3 million cardholders across 193 countries, with total damages exceeding EUR 300 million and attempted fraud exceeding EUR 750 million.

    On November 4, 2025, authorities executed a massive enforcement action involving more than 60 house searches and 18 arrests across multiple countries.

    Coordinated International Action Targets Criminal Networks

    The operation was spearheaded by Germany’s Cybercrime Department at the General Prosecutor’s Office in Koblenz and the Federal Criminal Police Office (Bundeskriminalamt), which had been investigating these networks since December 2020.

    Europol provided critical support throughout the investigation, coordinating efforts to apprehend 44 suspects from Germany and other nations.

    In Germany, over 250 officers from various agencies, including the Federal Criminal Police Office, the Federal Financial Supervisory Authority (BaFin), and tax investigation units, conducted 29 premises searches across multiple states.

    Five arrest warrants were executed, and authorities secured assets worth over EUR 35 million in Luxembourg and Germany.

    The arrested individuals include alleged network operators, executives from German payment service providers, intermediaries, crime-as-a-service providers, and an independent risk manager.

    Between 2016 and 2021, the criminal networks allegedly created approximately 19 million fake online subscriptions using stolen credit card information.

    These fraudulent subscriptions were disguised as legitimate services for pornography, dating, and streaming websites that were professionally designed to avoid detection by search engines.

    The websites could be accessed only via direct URLs or specific links, making them difficult for victims to discover.

    The suspects purposely kept monthly charges around EUR 50 with vague transaction descriptions, making it challenging for cardholders to identify unauthorized charges on their statements.

    This strategy allowed the fraud to continue undetected for extended periods, maximizing the criminals’ profits while minimizing the risk of discovery.

Six suspects, including executives and compliance officers, allegedly colluded with the fraud networks by providing access to payment infrastructure from four major German payment service providers in exchange for fees.

    To further conceal their activities, the criminals established numerous shell companies, primarily registered in the United Kingdom and Cyprus, obtained through crime-as-a-service providers who supplied complete corporate structures with fake directors and fraudulent Know-Your-Customer documents.


The post Authorities Dismantled Major Credit Card Fraud Operation Impacting 4.3 Million Cardholders appeared first on Cyber Security News.
