Daily CISO Briefing Note | December 3, 2025

CybersecurityHQ | CISO Cyber Briefing Note

Welcome reader, here’s today’s Cyber Briefing Note.


Summary

The past 48 hours included a company disclosure from an Ivy League institution confirming data theft from an enterprise financial application, security vendor research identifying a phishing campaign targeting marketing platform credentials across multiple enterprise environments, and security vendor research describing a command injection vulnerability in an AI-powered developer tool. These disclosures came from distinct sectors and appeared within the same reporting window through routine vulnerability coordination and breach notification timelines.

Theme 1: University of Pennsylvania data breach disclosure following Oracle E-Business Suite exploitation

A company disclosure filed with the Maine Attorney General confirmed unauthorized access to Oracle E-Business Suite servers at the University of Pennsylvania between August 3 and August 6, 2025, with notification sent to 1,488 Maine residents. The university stated it was among approximately 100 organizations affected by exploitation of CVE-2025-61882, a vulnerability in Oracle's financial application platform. The disclosure identified data from supplier payments, reimbursements, and general ledger entries as potentially affected. Other Ivy League institutions, including Harvard and Dartmouth, filed similar disclosures in recent weeks referencing the same vulnerability. Executive relevance sits in the presence of Oracle E-Business Suite within financial operations, procurement workflows, and vendor payment systems that process transactional data across administrative functions.

Theme 2: Calendly-themed phishing campaign targeting Google Workspace and Facebook Business credentials

Security vendor research from Push Security described an ongoing phishing campaign using Calendly-branded job invitations to harvest Google Workspace and Facebook Business credentials. The campaign impersonates recruiters from over 75 brands including LVMH, Lego, Mastercard, Uber, and Disney. Attack infrastructure employs attacker-in-the-middle and browser-in-the-browser techniques to capture session tokens, with specific targeting of Google Ads Manager MCC accounts. Push Security identified 31 unique phishing URLs associated with the campaign, some dating back more than two years. Executive relevance sits in the interconnection between enterprise identity providers, marketing platform credentials, and advertising budget authority where a single compromised session can traverse multiple downstream applications through federated authentication.

Theme 3: OpenAI Codex CLI command injection vulnerability disclosed by Check Point Research

Security vendor research from Check Point described CVE-2025-61260, a command injection vulnerability in OpenAI Codex CLI affecting how the tool processes Model Context Protocol server entries from project-local configuration files. The vulnerability allowed arbitrary command execution without user approval when developers ran Codex within repositories containing specially crafted configuration files. Check Point assigned a CVSS score of 9.8 and demonstrated proof-of-concept payloads including reverse shell execution. OpenAI released version 0.23.0 in August 2025 to address the vulnerability following responsible disclosure. Executive relevance sits in the presence of AI-assisted development tools within software engineering workflows that automatically execute configuration directives from shared code repositories connected to production build and deployment systems.

Synthesis

Multiple unrelated sectors appeared within the same reporting window through breach notification filing timelines, coordinated vulnerability disclosure schedules, and independent security research publication cycles.

Author
Daniel Michan is the founder of CybersecurityHQ, a CISO-grade intelligence platform read weekly across the Fortune 100. He analyzes identity-centric risk, machine identity failures, SaaS integration breakdowns, and emerging AI-speed threats, producing executive briefings and deep-dive research used by enterprise security leaders for decision support.
