Weekly Threat Landscape Digest – Week 30

1. Microsoft SharePoint Server – Multiple Zero-Day Vulnerabilities Actively Exploited

A cluster of critical vulnerabilities in Microsoft SharePoint Server—CVE-2025-53770, CVE-2025-53771, CVE-2025-49704, and CVE-2025-49706—is being actively exploited in the wild. These flaws enable unauthenticated remote attackers to gain full administrative control over internet-facing on-premises SharePoint servers. Exploits involve deserialization of untrusted data, path traversal, and spoofing techniques, allowing arbitrary code execution, web shell installation, and persistent backdoor access. SharePoint Online (Microsoft 365) remains unaffected.

Exploit Details

• CVE-2025-53770 – RCE via deserialization & authentication bypass
• CVE-2025-53771 – Path Traversal (linked to CVE-2025-49706)
• CVE-2025-49704 – Remote Code Execution
• CVE-2025-49706 – Spoofing Vulnerability
• CVSS Score: 9.8 (Critical)
• Attack Vector: Network (Unauthenticated)
• Exploitation: Confirmed active in the wild

Affected Products and Patches

• SharePoint Server Subscription Edition – Patch available (KB5002768)
• SharePoint Server 2019 – Patch available (KB5002754, Build 16.0.10417.20027)
• SharePoint Server 2016 – Patch pending; configuration mitigations required

Detection Guidance

• Microsoft Defender AV Detections:
  • Exploit:Script/SuspSignoutReq.A
  • Trojan:Win32/HijackSharePointServer.A
• Indicators of Compromise (IOC):
  • spinstall0.aspx (SHA-256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514)
• Microsoft Defender for Endpoint Alerts:
  • Suspicious IIS worker process behavior
  • Possible web shell installation

Recommended Actions

1. Enable AMSI (Antimalware Scan Interface) and ensure real-time protection via Microsoft Defender.
2. Disconnect SharePoint Server from internet exposure if AMSI cannot be enabled.
3. Monitor for IOCs (spinstall0.aspx) and unusual outbound traffic.
4. Block external access to SharePoint servers at the firewall.
5. Enable detailed logging for SharePoint activity and process execution.
6. Isolate any compromised systems and preserve forensic artifacts.
7. Rotate SharePoint credentials, prioritizing service accounts.
8. Apply the latest security updates or follow Microsoft’s mitigations until patches are available.

References

• https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
• https://nvd.nist.gov/vuln/detail/CVE-2025-53770
• https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/

2. Mozilla Firefox and Thunderbird – Multiple High-Severity Vulnerabilities Patched

Mozilla has released critical security updates addressing multiple high-severity vulnerabilities in Firefox and Thunderbird. These flaws could enable attackers to execute arbitrary code, manipulate browser behavior, or bypass security mechanisms through crafted web content or scripts.

Key Vulnerabilities

• CVE-2025-8027 – JavaScript Engine Stack Issue
  • Severity: High
  • Description: On 64-bit platforms, IonMonkey-JIT wrote only 32 bits of a 64-bit return value to the stack, while Baseline-JIT read all 64 bits, leading to potential memory corruption.
• CVE-2025-8028 – WASM Branch Table Truncation
  • Severity: High
  • Description: On ARM64, a large WASM br_table instruction could lead to a truncated label computation, resulting in incorrect branching and possible execution flaws.
• CVE-2025-8034 – Memory Safety Bugs
  • Severity: High
  • Description: Multiple memory safety bugs that could be exploited to run arbitrary code with sufficient effort.

Affected Products

• Mozilla Thunderbird
• Mozilla Firefox

Fixed Versions

• Thunderbird: 141, 128.13, 140.1
• Firefox: 141
• Firefox ESR: 115.26, 128.13, 140.1

Recommended Actions

1. Update Firefox and Thunderbird to the latest patched versions.
2. Deploy ESR updates in enterprise environments where long-term stability is needed.
3. Monitor for any abnormal browser behavior or unexpected crashes post-update.

References

• https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-57/#CVE-2025-8028
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-58/
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-61/#CVE-2025-8029
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-62/
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-63/

3. Google Chrome – Security Updates Addressing V8 Engine Vulnerabilities

Google has released security updates for Chrome across desktop (Windows, Mac, Linux) and Android platforms, fixing multiple vulnerabilities, including two high-severity type confusion flaws in the V8 JavaScript engine. These flaws could allow remote code execution, potential sandbox escapes, and system-level compromises if exploited via crafted web content.

Key Vulnerabilities

• CVE-2025-8010 – Type confusion in V8 JavaScript engine
  • Impact: Remote code execution (RCE) through malicious web pages.
• CVE-2025-8011 – Type confusion in V8 engine
  • Impact: Similar RCE potential and browser sandbox escape risk.

Exploitation Impact

• Remote code execution inside the browser context.
• Possible data theft, malware installation, or system compromise.

Fixed Versions

• Desktop (Stable Channel):
  • Chrome 138.0.7204.168/.169 – Windows & Mac
  • Chrome 138.0.7204.168 – Linux
• Mobile: Chrome 138 (138.0.7204.168) for Android.

Recommended Actions

1. Update Google Chrome on all platforms (Windows, Mac, Linux, Android) to the latest patched version.
2. Enable automatic updates across enterprise environments to mitigate future zero-day risks.
3. Monitor for abnormal browser behavior or sandbox bypass attempts.

References

• https://chromereleases.googleblog.com/2025/07/stable-channel-update-fordesktop_22.html
• https://chromereleases.googleblog.com/

4. GitLab CE/EE – Security Updates Addressing XSS and Data Exposure Vulnerabilities

GitLab has released critical security patches for both Community Edition (CE) and Enterprise Edition (EE), addressing multiple vulnerabilities, including high-severity Cross-Site Scripting (XSS) flaws and unauthorized data exposure risks. If exploited, these vulnerabilities could lead to arbitrary script execution, unauthorized API access, or leakage of sensitive information.

Key Vulnerabilities

• CVE-2025-4700 – XSS in Kubernetes Proxy (CVSS 8.7)
  • Impact: Arbitrary JavaScript execution, potentially compromising user sessions and sensitive data.
• CVE-2025-4439 – XSS via Certain CDNs (CVSS 7.7)
  • Impact: Authenticated attackers can inject malicious scripts in specific CDN-hosted environments.
• CVE-2025-7001 – Unauthorized API Access to Resource Groups (CVSS 4.3)
  • Impact: Privileged users could gain unauthorized access to resource group data.
• CVE-2025-4976 – Internal Notes Exposure via GitLab Duo (CVSS 4.3) (EE only).
• CVE-2025-0765 – Custom Service Desk Email Disclosure (CVSS 4.3).
• CVE-2025-1299 – Unauthorized Access to Deployment Job Logs (CVSS 4.3).

Fixed Versions

• GitLab CE/EE: 18.2.1, 18.1.3, 18.0.5

Recommended Actions

1. Upgrade GitLab installations (CE/EE) to 18.2.1, 18.1.3, or 18.0.5.
2. Review API permissions and access logs for any suspicious activity.
3. Harden GitLab environments by limiting exposure to untrusted networks.
4. Educate users about the risk of XSS-based attacks and malicious scripts.

Reference

• https://about.gitlab.com/releases/2025/07/23/patch-release-gitlab-18-2-1-released/

5. SonicWall SSL-VPN – Critical Vulnerabilities in SMA100 Series

SonicWall has released urgent security updates addressing multiple vulnerabilities in the SMA100 Series appliances, including a critical arbitrary file upload vulnerability that could lead to remote code execution (RCE). Additional flaws, including buffer overflows and a reflected cross-site scripting (XSS) vulnerability, also pose risks of denial of service (DoS) and unauthorized script execution.

Key Vulnerabilities

• CVE-2025-40599 – Post-Authentication Arbitrary File Upload
  • CVSS: 9.1 (Critical)
  • Impact: Authenticated administrators can upload arbitrary files, leading to remote code execution.
• CVE-2025-40596 – Pre-Authentication Stack-Based Buffer Overflow
  • CVSS: 7.3 (High)
  • Impact: Remote unauthenticated attackers can cause DoS or potentially execute arbitrary code.
• CVE-2025-40597 – Pre-Authentication Heap-Based Buffer Overflow
  • CVSS: 7.3 (High)
  • Impact: Similar to CVE-2025-40596, allowing DoS or code execution pre-authentication.
• CVE-2025-40598 – Reflected XSS Vulnerability
  • CVSS: 6.3 (Medium)
  • Impact: Unauthenticated attackers can execute arbitrary JavaScript within user sessions.

Affected Products

• SMA 100 Series (SMA 210, 410, 500v) – 10.2.1.15-81sv and earlier versions

Fixed Versions

• SMA 100 Series (SMA 210, 410, 500v) – 10.2.2.1-90sv and later

Recommended Actions

1. Upgrade all SMA100 devices to 10.2.2.1-90sv or higher.
2. Apply SonicWall’s official mitigation or workarounds if immediate patching is not possible.
3. Restrict access to web management interfaces from untrusted networks.
4. Monitor logs for abnormal login attempts or suspicious activity.

Reference

• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0012
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0014

6. CrushFTP – Critical Zero-Day Vulnerability (CVE-2025-54309)

A critical zero-day vulnerability (CVE-2025-54309) with a CVSS score of 9.0 has been identified in CrushFTP, a secure file transfer server widely used in enterprise environments. The flaw allows remote, unauthenticated attackers to exploit the HTTP(S) interface, enabling unauthorized administrative access and potentially full system compromise. The vulnerability is actively being exploited in the wild.

Impact

• Remote code execution with administrative privileges.
• Creation of unauthorized admin-level accounts.
• Deployment of malware and manipulation of server configurations.
• Disruption of business-critical file transfer operations.

Indicators of Compromise (IOCs)

• Unauthorized changes to: CrushFTP/users/MainUsers/default/user.XML.
• Presence of last_logins field in user.XML (unusual behavior).
• Creation of suspicious long random user IDs with admin rights (e.g., 7a0d26089ac528941bf8cb998d97f408m).
• Any unknown administrative accounts detected.

Affected Versions

• CrushFTP Version 10: All builds below 10.8.5.
• CrushFTP Version 11: All builds below 11.3.4_23.

Fixed Versions

• CrushFTP Version 10: 10.8.5 or later.
• CrushFTP Version 11: 11.3.4_23 or later.

Recommended Actions

1. Restore the default user profile from backups prior to July 16, 2025.
   • Path: CrushFTP/users/MainUsers/default (replace or delete user.XML to auto-recreate a clean profile).
2. Use non-native archive tools (e.g., WinRAR, WinZip, macOS Archive Utility) to extract backups.
3. Review server logs for suspicious upload/download activity.
4. Upgrade immediately to 10.8.5 (v10) or 11.3.4_23 (v11).
5. Restrict administrative access to trusted IP ranges.
6. Enable automatic updates and deploy a DMZ instance for added security in enterprise environments.

Reference

• https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025

7. Sophos Firewall – Multiple Critical Vulnerabilities (CVE-2025-6704, CVE-2025-7624, CVE-2025-7382, CVE-2024-13974, CVE-2024-13973)

Sophos has disclosed multiple critical and high-severity vulnerabilities in its Firewall that could enable remote or pre-authentication code execution, arbitrary file writing, SQL injection, command injection, and DNS manipulation across various components such as SPX, SMTP proxy, WebAdmin, and Up2Date.

Key Vulnerabilities

• CVE-2025-6704 – Arbitrary File Writing
  • Severity: Critical (CVSS 9.1)
  • Exploitation of the SPX feature in HA mode could lead to pre-authentication RCE.
• CVE-2025-7624 – SQL Injection in SMTP Proxy
  • Severity: Critical (CVSS 9.1)
  • Affects legacy transparent SMTP proxy when quarantining policies are active.
• CVE-2025-7382 – Command Injection in WebAdmin
  • Severity: High
  • Allows adjacent attackers to achieve pre-auth RCE on HA auxiliary devices if OTP authentication is enabled.
• CVE-2024-13974 – Up2Date DNS Manipulation
  • Severity: High
  • Could allow attackers to control DNS settings and execute remote code.
• CVE-2024-13973 – SQL Injection in WebAdmin
  • Severity: Medium
  • Post-auth vulnerability enabling arbitrary code execution for administrators.

Affected Versions

• CVE-2025-6704, CVE-2025-7624, CVE-2025-7382: Sophos Firewall v21.5 GA (21.5.0) and older.
• CVE-2024-13974, CVE-2024-13973: Sophos Firewall v21.0 GA (21.0.0) and older.

Fixed Versions & Hotfix Timeline

• CVE-2025-6704: Fixed in v21.0 MR2+ (Hotfix released on June 24 & July 1, 2025).
• CVE-2025-7624: Fixed in v21.0 MR2+ (Hotfix released on July 15, 2025).
• CVE-2025-7382: Fixed in v21.0 MR2+ (Hotfix released on June 30 & July 2, 2025).
• CVE-2024-13974: Fixed in v21.0 MR1+ (Hotfix released January 6-7, 2025).
• CVE-2024-13973: Fix included in v21.0 MR1+.

Recommended Actions

1. Upgrade Sophos Firewall to the latest patched versions (v21.0 MR2 or higher).
2. Review firewall logs for any signs of suspicious SPX or SMTP proxy activity.
3. Disable unused features like legacy SMTP proxy or SPX if not required.
4. Apply network segmentation to limit access to WebAdmin and management interfaces.
5. Enforce strong OTP and MFA for all admin accounts.

Reference:

• https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce

8. Synology BeeDrive for Desktop – Multiple High-Severity Vulnerabilities (CVE-2025-54158, CVE-2025-54159, CVE-2025-54160)

Synology has released critical updates addressing multiple high-severity vulnerabilities in its BeeDrive for desktop application. These vulnerabilities could allow attackers to execute arbitrary code locally or delete arbitrary files remotely, resulting in system compromise and data loss.

Key Vulnerabilities

• CVE-2025-54158
  • Impact: Local arbitrary code execution.
  • Severity: Important (CVSS 7.8).
  • Root Cause: Missing authentication for critical function (CWE-306).
• CVE-2025-54159
  • Impact: Remote arbitrary file deletion.
  • Severity: Important (CVSS 7.5).
  • Root Cause: Missing authorization (CWE-862).
• CVE-2025-54160
  • Impact: Local arbitrary code execution.
  • Severity: Important (CVSS 7.8).
  • Root Cause: Path traversal vulnerability (CWE-22).

Fixed Version

• BeeDrive for Desktop: Upgrade to 1.4.2-13960 or later.

Recommended Actions

1. Upgrade to the latest BeeDrive for desktop version (1.4.2-13960+) immediately.
2. Restrict local user access to prevent unauthorized code execution attempts.
3. Monitor for any unexpected file deletions or system modifications.
4. Apply endpoint monitoring solutions to detect suspicious local or remote operations.

Reference:

• https://www.synology.com/en-my/security/advisory/Synology_SA_25_08

9. Kubernetes Image Builder – High-Severity Vulnerability (CVE-2025-7342)

A high-severity vulnerability has been identified in the Kubernetes Image Builder project that could allow attackers to gain unauthorized root-level access on Windows nodes. The flaw, tracked as CVE-2025-7342 (CVSS 8.1 – High), affects virtual machine images built using the Nutanix or OVA providers in Image Builder versions v0.1.44 and earlier.

Vulnerability Details

• CVE ID: CVE-2025-7342
• Severity: High (CVSS 8.1)
• Impact: Default Windows Administrator credentials are included in VM images if not explicitly overridden during the build process.
• Risk: Attackers with network access can log in using default credentials, escalate privileges, and compromise the cluster.

Affected Versions

• v0.1.44 and earlier

Fixed Versions

• v0.1.45 or later

Recommended Actions

1. Audit Existing Images:
   Review all Windows VM images built using Kubernetes Image Builder (Nutanix/OVA). Treat any image with default credentials as compromised until verified.
2. Upgrade Image Builder:
   Update to Image Builder v0.1.45 or later, which requires explicit credential configuration via:
   • WINDOWS_ADMIN_PASSWORD environment variable, or
   • admin_password JSON parameter.
3. Rebuild and Redeploy:
   Rebuild Windows images using the patched version and redeploy across all affected nodes.

Reference:

• https://github.com/kubernetes/kubernetes/issues/133115

10. TP-Link NVRs – Command Injection Vulnerabilities (CVE-2025-7723 & CVE-2025-7724)

TP-Link has released security updates addressing two high-severity command injection vulnerabilities affecting its VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2 models. These flaws allow both authenticated and unauthenticated attackers to execute arbitrary operating system commands, potentially leading to full system compromise, unauthorized control of the NVRs, and data breaches.

Vulnerability Details

• CVE-2025-7723: CVSS v4.0 score 8.5 (High). OS command injection vulnerability.
• CVE-2025-7724: CVSS v4.0 score 8.7 (High). OS command injection vulnerability.

Affected Versions and Fixes

• VIGI NVR1104H-4P V1: Versions earlier than 1.1.5 Build 250518 are vulnerable. Fixed in 1.1.5 Build 250518.
• VIGI NVR2016H-16MP V2: Versions earlier than 1.3.1 Build 250407 are vulnerable. Fixed in 1.3.1 Build 250407.

Recommended Actions

1. Update all affected TP-Link NVR devices to the fixed firmware versions.
2. Restrict remote access to NVR interfaces from untrusted networks.
3. Monitor device logs for unusual commands or unauthorized access attempts.
4. Apply network segmentation to limit the impact of potential compromise.

Reference:
https://www.tp-link.com/us/support/faq/4547/

11. HP Poly Clariti Manager – Multiple Vulnerabilities (CVE-2025-43020 to CVE-2025-43489)

HP has released security updates addressing multiple vulnerabilities in Poly Clariti Manager, which could allow remote code execution, privilege escalation, and disclosure of sensitive information on affected systems. The vulnerabilities include medium- and high-severity flaws across various components of the platform.

Vulnerability Details

• CVE-2025-43020: CVSS 5.7 (Medium)
• CVE-2025-43021: CVSS 5.9 (Medium)
• CVE-2025-43022: CVSS 7.3 (High) – Remote code execution possible
• CVE-2025-43483: CVSS 5.9 (Medium)
• CVE-2025-43484: CVSS 6.0 (Medium)
• CVE-2025-43485: CVSS 5.7 (Medium)
• CVE-2025-43486: CVSS 5.7 (Medium)
• CVE-2025-43487: CVSS 6.9 (Medium)
• CVE-2025-43488: CVSS 2.0 (Low)
• CVE-2025-43489: CVSS 2.0 (Low)

Affected Versions

• Poly Clariti Manager 10.12.1 or lower

Fixed Versions

• Poly Clariti Manager 10.12.2 or later

Recommended Actions

1. Upgrade to Poly Clariti Manager 10.12.2 or later immediately.
2. Limit access to management interfaces to trusted networks.
3. Monitor logs for signs of unauthorized access or privilege escalation attempts.
4. Review and strengthen security policies for systems using Poly Clariti Manager.

Reference:
https://support.hp.com/us-en/document/ish_12781425-12781447-16/hbsbpy04037

12. AWS Client VPN for Windows – Local Privilege Escalation (CVE-2025-8069)

A high-severity local privilege escalation vulnerability (CVE-2025-8069) has been identified in AWS Client VPN for Windows. The flaw arises due to insecure handling of an OpenSSL configuration file during the installation process, allowing low-privileged users to escalate privileges to SYSTEM-level.

Vulnerability Details

• CVE ID: CVE-2025-8069
• CVSS Score: 7.3 (High)
• Impact: Local privilege escalation to SYSTEM-level.
• Cause: The installer references a writable hardcoded path:
  C:\usr\local\windows-x86_64-openssl-localbuild\ssl.
  If a malicious user creates a crafted OpenSSL configuration file in this directory, and an administrator installs the VPN client, arbitrary code may execute with elevated privileges.

Affected Versions

• AWS Client VPN for Windows: 4.1.0, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.2.0, 5.2.1.

Fixed Version

• AWS Client VPN for Windows: 5.2.2 or later.

Impact

• Full system compromise on multi-user or managed devices.

Recommended Actions

1. Update AWS Client VPN for Windows to version 5.2.2 or later.
2. Restrict write permissions on the directory C:\usr\local\windows-x86_64-openssl-localbuild\ssl.
3. Regularly audit installations on shared or enterprise environments for privilege escalation attempts.

Reference:
https://aws.amazon.com/security/security-bulletins/AWS-2025-014/

ChatGPT said:

13. Supply Chain Attack Targets npm Packages with Backdoor Malware

A newly uncovered supply chain attack, dubbed “Scavenger”, has compromised multiple popular npm-hosted JavaScript type testing utilities to distribute cross-platform backdoor malware. The attack, first detected on July 19, 2025, involved phishing campaigns that hijacked maintainer accounts and published malicious versions of trusted packages.

Key Highlights

• Attackers compromised the popular “is” npm package (v3.3.1), which was downloaded millions of times weekly. The infected version remained online for six hours before being removed and replaced by a clean build (v3.3.2).
• Other targeted packages include eslint-config-prettier, eslint-plugin-prettier, [email protected], @pkgr/[email protected], [email protected], and got-fetch.
• Phishing emails were sent to maintainers using the typosquatted domain npnjs.org, tricking them into handing over access.
• The malware uses a cross-platform JavaScript loader compatible with Node.js 12+ (macOS, Linux, Windows), establishing persistent Command and Control (C2) channels.
• The campaign largely evaded detection, with most anti-malware engines on VirusTotal failing to flag the malicious packages.

Why npm?
npm package maintainers hold high-value accounts that, once compromised, can spread malware to hundreds or thousands of organizations. Attackers prefer this method due to the widespread reach and high return on effort.

Recommendations for Developers

1. Mandate Multi-Factor Authentication (MFA) for all maintainer accounts.
2. Lock dependencies using package-lock.json to prevent unauthorized updates.
3. Use security tools to analyze packages before installation and cross-check versions with official repositories.
4. Avoid automatic updates of npm packages without thorough vetting.
5. Regularly monitor npm advisories and security feeds for newly reported malicious packages.

Reference:
https://www.csoonline.com/article/4028412/supply-chain-attack-compromises-npm-packages-to-spread-backdoor-malware.html

14. Lumma Stealer Resurfaces with Stealthier Tactics

Overview:
Following its takedown in May 2025, Lumma Stealer, a notorious information-stealing malware-as-a-service (MaaS), has re-emerged with more covert distribution methods and enhanced evasion techniques. From June to July 2025, Trend Micro researchers observed a resurgence in targeted accounts, signaling that the group behind Lumma (referred to as Water Kurita) has adapted its operations post-disruption.

Key Highlights:

• Persistence after Takedown: Law enforcement seized over 2,300 malicious domains linked to Lumma’s command-and-control (C2) infrastructure, but the group quickly rebuilt its operations.
• Covert Infrastructure: Lumma has reduced reliance on Cloudflare and shifted to alternative hosting providers, including Russia-based Selectel, to evade law enforcement monitoring.
• Stealthy Malware Delivery:
  • Fake Cracked Software: Malvertising and search engine manipulation lure users into downloading malware disguised as software cracks and key generators.
  • ClickFix Campaigns: Fake CAPTCHA sites trick users into executing malicious PowerShell commands, which decrypt and run Lumma in memory, bypassing traditional AV detection.
  • GitHub Abuse: Automated GitHub repositories with AI-generated README files promote infected game cheats and exploits.
  • Social Media Campaigns: YouTube videos, Facebook posts, and fake sites redirect victims to Lumma-hosting pages.

Capabilities:

• Steals credentials, private files, and cryptocurrency wallets.
• Operates cross-platform via .NET assemblies and XOR-based loaders.
• Delivered as a MaaS platform, enabling low-skilled cybercriminals to leverage Lumma’s tools.

Impact:
Lumma’s return underscores the resilience of MaaS operations and their ability to adapt quickly after law enforcement crackdowns. Its broad distribution channels and sophisticated obfuscation techniques pose severe data theft risks to both individuals and enterprises.

Recommended Actions:

1. Block Known IOCs: Monitor for suspicious files like TempSpoofer.exe and domains linked to Lumma’s infrastructure.
2. User Awareness Training: Educate employees about the dangers of downloading cracks, keygens, and unverified content.
3. Apply Script Controls: Restrict the use of PowerShell and enforce script signing to block ClickFix-based infections.
4. Repository and Package Vetting: Validate GitHub or npm packages before integration into projects.
5. Monitor Cloud Traffic: Track anomalies in outbound network connections to detect C2 communications.

Reference:
https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html

15. Cisco ISE / ISE-PIC — CVSS 10.0 RCE bugs now actively exploited (CVE-2025-20281, CVE-2025-20282, CVE-2025-20337)

Executive summary
Cisco has confirmed in-the-wild exploitation of its previously disclosed unauthenticated remote code execution flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). Successful exploitation lets a remote, unauthenticated attacker execute OS commands as root, effectively turning the NAC policy engine into an entry point for full network compromise.

Vulnerabilities (all CVSS 10.0 / Critical)

• CVE-2025-20281 – Insufficient input validation in a public API → unauth RCE as root
• CVE-2025-20337 – Additional API input validation flaw → unauth RCE as root
• CVE-2025-20282 – Missing file validation in an internal API → unauth arbitrary file upload & execution as root

Affected / fixed versions

• Affected: ISE / ISE-PIC 3.3 and 3.4 (CVE-2025-20282 impacts 3.4 only).
• Not affected: 3.2 and earlier.
• Fixed: 3.3 Patch 7 and 3.4 Patch 2 (upgrade to these or later).
• Hot patches previously circulated (e.g., ise-apply-CSCwo99449) are insufficient—upgrade fully.

Why this matters
Compromising ISE can let attackers bypass NAC, mint/steal session tokens, alter authorization policies, pivot laterally, and disable logging/telemetry, giving them broad, stealthy access to internal networks.

Immediate actions

1. Patch now to 3.3 Patch 7 or 3.4 Patch 2 (or later) across all nodes (PSNs, PANs, MNTs).
2. Audit for exposure: Confirm no internet-facing ISE admin/API interfaces; restrict to management networks/VPN with MFA.
3. Hunt for compromise indicators
   • Unexpected privileged (“root”) commands from ISE services
   • Web/API logs showing anomalous requests to vulnerable endpoints
   • New/modified system files or binaries owned by root in privileged paths
4. Rotate secrets used by ISE (admin creds, service accounts, pxGrid certificates, device admin passwords, TACACS+/RADIUS shared secrets) if exploitation is suspected.
5. Increase monitoring
   • Enable/forward detailed ISE logs (Admin, Operational, TACACS+/RADIUS) to SIEM
   • Watch for policy manipulation, sudden authorization rule changes, or abnormal device posture results
6. Segment & harden
   • Isolate ISE nodes, apply strict egress ACLs, and limit outbound traffic to required services only
   • Enforce least privilege on ISE CLI/GUI accounts

References

• https://thehackernews.com/2025/07/cisco-confirms-active-exploits.html
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6

16. New ACRStealer Variant Leveraging Google Docs and Steam for C2 (DDR Technique)

Overview
A new and sophisticated variant of ACRStealer, an information-stealing malware active since early 2024, has emerged with advanced evasion techniques and a novel use of legitimate platforms like Google Docs and Steam for command-and-control (C2) communication via a Dead Drop Resolver (DDR) technique. By blending malicious activity with normal user traffic on trusted services, this variant poses a significant detection challenge.

Key Highlights

• Abuse of Legitimate Platforms: Uses Google Docs and Steam as covert C2 channels, bypassing traditional network monitoring.
• Low-level Networking: Drops conventional HTTP libraries, opting for direct Windows AFD (Ancillary Function Driver) interactions through NtCreateFile and NtDeviceIoControlFile, bypassing library-based security hooks.
• Heaven’s Gate Technique: Executes x64 code within WoW64 processes, switching between 32-bit and 64-bit modes to obfuscate execution flow and evade automated and manual analysis.
• Anti-analysis Features: Incorporates multi-layer detection evasion and advanced stealth mechanisms designed for enterprise-grade defenses.
• Persistence and Evolution: Indicates a well-resourced campaign, with continuous development of new variants expanding its functionality.

Impact
The primary objective remains credential and sensitive data theft, but the advanced C2 mechanisms and evasive strategies enhance persistence and complicate detection, especially in environments relying on behavior-based monitoring.

Recommended Actions

1. Monitor traffic to and from Google Docs and Steam APIs for anomalies, especially in corporate environments where such communications are uncommon.
2. Implement EDR rules for detecting suspicious WoW64 process behavior, particularly transitions between 32-bit and 64-bit execution (Heaven’s Gate).
3. Deploy network telemetry to identify unusual AFD device calls or raw socket usage by untrusted processes.
4. Harden endpoint defenses with memory analysis tools capable of identifying in-memory code injections and reflective loaders.
5. Conduct regular threat hunting using IOCs and techniques associated with ACRStealer.

Reference:
https://cybersecuritynews.com/new-acrstealer-abuses-google-docs/