ISSUE 00 | Week of Nov 21 2025
Security Conscience: Enterprise Cyber Weekly
Hello and Welcome!
Welcome to SecurityConscience, a weekly look at where enterprise security is actually breaking, not just where the marketing slides say it might. If you are responsible for identity, edge, or email defenses in a real organization with legacy systems and political constraints, this is meant to be written at your altitude.
The stories this week cut straight through three of the pillars we quietly bet our environments on: identity governance that is “too core to fail,” security companies we may trust more than our own staff, and cloud edge platforms we treat as a permanent shield in front of fragile apps. When a pre-auth RCE hits Oracle Identity Manager, an insider tests the guardrails at CrowdStrike, and a Cloudflare outage turns into a surprise pen test, it is a reminder that our strongest controls are also our largest blast radius if we do not design for failure.
We will start where it hurts most: CISA’s warning about active exploitation of Oracle Identity Manager and what that means if your identity stack still has unpatched OIM anywhere in the estate.
Security Tip of the Week 🔐 Admin Account Cleanup
Most identity breaches start with an old admin account someone forgot about. Disable anything unused for 90 days and require ownership for anything that stays.
Top Story: CISA warns Oracle Identity Manager RCE flaw is being actively exploited
TL;DR:
CISA added a critical pre-authentication remote code execution vulnerability in Oracle Identity Manager to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw lets attackers bypass authentication via exposed REST APIs and reach a Groovy script compilation endpoint, resulting in arbitrary command execution on affected servers. Oracle released a fix in the October Critical Patch Update, but many deployments remain unpatched and exposed.
Why it matters for enterprises:
- Oracle Identity Manager is core identity governance infrastructure in many large enterprises and government environments, so a pre-auth RCE here can lead to full identity takeover, lateral movement, and compromise of downstream applications.
- CISA’s KEV listing confirms real exploitation and increases the likelihood of widespread scanning, rapid weaponization, and inclusion in common attacker playbooks targeting any exposed Oracle IAM surface.
What to do this week:
- Inventory every Oracle Identity Manager instance (on-prem, cloud, vendor-hosted) and confirm each is running the patched version from the October CPU. If patching is delayed, immediately restrict external and internal network access to the REST API endpoints.
- Add monitoring and detection for suspicious requests to typical Oracle IAM REST paths, including attempts to trigger Groovy compilation. Because there is evidence of zero-day exploitation before the patch shipped, review logs going back to late August for indicators of compromise.
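As an added example of the monitoring step above (this is not Oracle's, CISA's, or the newsletter's code), here is a small Python scanner over front-end access-log lines that flags two things within the lookback window: requests to the REST surface that reach for Groovy compilation, and REST requests arriving from outside trusted networks. The REST base path, trusted ranges, cut-off date and log lines are constructed placeholders that you would replace with your deployment's real values.

```python
import ipaddress
import re
from datetime import datetime

IAM_REST_PREFIXES = ("/placeholder-oim-rest-base/",)  # PLACEHOLDER: your real OIM REST base path(s)
# Assumption: only these corporate ranges should ever reach the REST API directly.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# The issue says to review logs back to late August; 20 Aug is an assumed cut-off.
LOOKBACK_START = datetime(2025, 8, 20)
# NCSA common-log shape: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not in the expected shape; caller skips it
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
    return {"ip": ip, "when": when, "method": method, "path": path, "status": int(status)}

def classify(req):
    """Label one parsed request, or return None when it does not touch the REST surface."""
    path = req["path"].lower()
    if not path.startswith(IAM_REST_PREFIXES):
        return None
    if "groovy" in path:  # anything reaching for the script-compilation endpoint
        return "groovy-compile-attempt"
    if not any(ipaddress.ip_address(req["ip"]) in net for net in TRUSTED_NETS):
        return "rest-access-from-untrusted-network"
    return None

def scan(lines, since=LOOKBACK_START):
    # Returns (label, source_ip, path, status) for every suspicious request on or after `since`.
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is None or req["when"] < since:
            continue
        label = classify(req)
        if label:
            findings.append((label, req["ip"], req["path"], req["status"]))
    return findings

# Constructed sample lines, not real traffic. The July line falls outside the lookback window.
SAMPLE_LOG = [
    '10.1.2.3 - - [02/Sep/2025:10:15:01 +0000] "GET /placeholder-oim-rest-base/users HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/Sep/2025:11:40:22 +0000] "POST /placeholder-oim-rest-base/groovy/compile HTTP/1.1" 200 77',
    '203.0.113.9 - - [03/Sep/2025:11:41:05 +0000] "GET /placeholder-oim-rest-base/roles HTTP/1.1" 401 0',
    '198.51.100.4 - - [15/Jul/2025:08:00:00 +0000] "POST /placeholder-oim-rest-base/Groovy HTTP/1.1" 200 10',
    '10.9.9.9 - - [05/Sep/2025:09:00:00 +0000] "GET /console/login HTTP/1.1" 200 1024',
]
```

Running `scan(SAMPLE_LOG)` returns the Groovy attempt and the untrusted-network hit from the same source; widening `since` to January also surfaces the July Groovy request, which is the kind of pre-patch activity the log review is meant to find.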
Big Stories
CrowdStrike catches insider feeding information to hackers
What happened:
CrowdStrike disclosed that it terminated an employee who attempted to sell sensitive internal information to threat actors after being approached on a cybercrime forum. The insider was detected early, before any meaningful data was exfiltrated, and law enforcement has been engaged.
Why it matters:
- Even mature, security-focused organizations face insider risk that can bypass traditional perimeter controls and directly expose defensive operations or customer environments.
- Enterprises must assume motivated insiders may be solicited by threat actors and strengthen monitoring, segmentation, and behavioral analytics around privileged users and sensitive systems.
The Cloudflare outage revealed hidden enterprise security gaps
https://krebsonsecurity.com/2025/11/the-cloudflare-outage-may-be-a-security-roadmap/
What happened:
A major Cloudflare outage caused widespread availability issues and forced some organizations to temporarily bypass Cloudflare protections. During this window, sites that removed Cloudflare from their traffic path were suddenly exposed to direct internet traffic, giving attackers an opportunity to probe previously shielded applications.
Why it matters:
- Many enterprises rely heavily on Cloudflare’s WAF, bot protections, and OWASP Top Ten filtering, meaning the outage functioned as an involuntary penetration test that may have exposed latent vulnerabilities in applications and emergency routing paths.
- The incident highlights the operational and security risks of over-reliance on a single control plane, emphasizing the need for multi-vendor DNS, redundant WAF coverage, and clear fallback playbooks to prevent improvised, insecure failover behaviors.
Quick Hits
- SolarWinds Serv-U patches three critical RCE vulnerabilities – The enterprise file transfer product Serv-U addressed three remote code execution flaws (CVSS score 9.1) that expose admin interfaces.
https://www.securityweek.com/solarwinds-patches-three-critical-serv-u-vulnerabilities/
- Gartner predicts 50 percent of enterprises will invest in disinformation security by 2027 – Trust and identity operations now include defending against manipulated information and synthetic media.
Gartner press release
- Major malware email attacks surged 131 percent year over year – Phishing and malware campaigns are sharply increasing, underscoring the need for hardened mail security and detection controls in large organizations.
Yahoo Finance article
What now?
A week like this is a reminder that our real exposure is not just in vulnerabilities but in the assumptions we build into our architectures. Identity systems, WAF layers, and trusted platforms can all become single points of failure if we do not design for failure and continuously test our fallback paths. Make sure the controls you depend on have an intentional backup plan, not an improvised one discovered during an outage.
