Nintendo denies hacker group’s breach claims

Nintendo has denied claims from a hacker group known as Crimson Collective that it had breached the company’s servers and accessed internal data. In a statement to the Sankei Shimbun on 15 October, the gaming giant confirmed there was no evidence of any data leakage or unauthorised access to its internal systems. While some external servers linked to its website were briefly rewritten, Nintendo stated that there has been no customer impact and its internal networks remain secure.

Crimson Collective, which previously claimed responsibility for a Red Hat breach, shared screenshots online allegedly showing Nintendo’s internal directories. However, experts caution that such materials can be easily fabricated. For now, Nintendo’s quick response has reassured the public that no verified breach has occurred.

CISA adds critical Adobe flaw to exploited vulnerabilities list

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in Adobe Experience Manager (AEM) to its Known Exploited Vulnerabilities (KEV) catalogue after confirming evidence of active exploitation.

Tracked as CVE-2025-54253 with a CVSS score of 10.0, the vulnerability stems from a misconfiguration in AEM Forms on JEE versions 6.5.23.0 and earlier. The issue allows attackers to execute arbitrary system commands through an exposed /adminui/debug servlet, which evaluates user input as Java code without authentication. Adobe patched the flaw in version 6.5.0-0108, released in August 2025, alongside CVE-2025-54254.

CISA has urged federal agencies to apply updates by 5 November 2025. This alert follows the addition of another critical bug in SKYSEA Client View, originally disclosed in 2016, highlighting ongoing risks from both new and legacy software vulnerabilities.

Microsoft patches 172 vulnerabilities, including six zero-days

Microsoft’s October 2025 Patch Tuesday delivers fixes for 172 security flaws, including six zero-day vulnerabilities, two of which were publicly disclosed and three actively exploited. Among the flaws, eight are rated Critical, with five enabling remote code execution and three allowing elevation of privilege.

Breakdown of vulnerabilities includes: 80 elevation of privilege, 31 remote code execution, 28 information disclosure, 11 denial of service, 11 security feature bypass, and 10 spoofing flaws.

Notably, this release marks the final Patch Tuesday for Windows 10, as the operating system reaches end of support. Users can continue receiving protection through Microsoft’s Extended Security Updates (ESU) programme.

The zero-days include flaws in Windows SMB Server, Microsoft SQL Server, and an Agere Modem driver exploited for privilege escalation. Organisations are urged to apply the latest updates immediately.

ICO fines Capita £14 million for 2023 data breach

The UK Information Commissioner’s Office (ICO) has fined Capita £14 million following a 2023 data breach that exposed the personal details of 6.6 million people. The incident affected hundreds of clients, including 325 pension scheme providers, after hackers accessed around 4% of Capita’s internal IT infrastructure.

Attackers gained entry when an employee downloaded a malicious file, allowing the Black Basta ransomware group to infiltrate Capita’s network for 58 hours before the compromised device was isolated. The ICO cited poor access controls, delayed response to alerts, and inadequate penetration testing as key failings.

Originally set at £45 million, the fine was reduced after Capita accepted responsibility and implemented major security improvements.

Mango discloses data breach via third-party marketing vendor

Spanish fashion retailer MANGO has notified customers of a data breach after one of its external marketing providers suffered unauthorised access exposing personal data. The breach, disclosed on 14 October 2025, affected information used for marketing purposes, including first names, countries, postal codes, email addresses, and phone numbers.

MANGO confirmed that no financial data, IDs, or account credentials were compromised, and its corporate infrastructure remains unaffected, ensuring normal business operations. The company has reported the incident to Spain’s Data Protection Agency (AEPD) and set up dedicated support channels for affected customers.

While the breach poses limited direct risk, cybersecurity experts warn that the leaked data could still be exploited in targeted phishing campaigns. MANGO has not attributed the attack, and no ransomware groups have claimed responsibility.

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.