Weekly Threat Landscape Digest – Week 32

1. Actively Exploited Critical Flaws in Trend Micro Apex One

Trend Micro has identified and confirmed active exploitation of critical vulnerabilities in its Apex One (on-premise) Management Console. These flaws allow unauthenticated remote attackers to execute arbitrary commands on affected systems.

Key Details:

• Severity: Critical
• CVSS v3.1 Score: 9.4
• Exploitation Status: At least one vulnerability confirmed as actively exploited in the wild.
• Vulnerabilities:
  • CVE-2025-54948: Allows pre-authenticated remote attackers to upload malicious code and execute commands on Apex One (on-premise) installations.
  • CVE-2025-54987: Functionally similar to CVE-2025-54948 but targets a different CPU architecture, enabling the same attack method.
• Affected Product & Versions:
  • Product: Trend Micro Apex One (on-premise) 2019
  • Management Server: Version 14039 and below (Windows)
• Mitigation:
  • Update: Apply FixTool_Aug2025 (short-term mitigation) provided by Trend Micro.

Recommendation:
Organizations using affected Apex One versions should immediately apply the mitigation tool or upgrade to the latest fixed release provided by Trend Micro to prevent exploitation.

References:

• https://success.trendmicro.com/en-US/solution/KA-0020652

2. Security Updates – Huawei

Huawei has released its August 2025 security bulletin for HarmonyOS and EMUI devices, addressing multiple high- and medium-severity vulnerabilities in system components and third-party libraries. Successful exploitation could impact the confidentiality, availability, stability, or service integrity of affected devices.

Key Details:

• Severity: High to Medium
• Notable Vulnerabilities:
  • CVE-2025-54607: Authentication management flaw in ArkWeb module – may impact confidentiality.
  • CVE-2025-54611: EXTRA_REFERRER resource read issue in Gallery module – may impact confidentiality.
  • CVE-2025-54622: Binding authentication bypass in devicemanager module – may impact confidentiality.
  • CVE-2025-54627: Out-of-bounds write in skia module – may impact confidentiality.
• Affected Versions: Multiple Huawei phone and tablet models running HarmonyOS or EMUI.
• Fix: Apply the latest August 2025 updates as per Huawei’s official bulletin.

Recommendation:
Users should update all affected devices immediately to the latest firmware version to mitigate risks from these vulnerabilities.

References:

• https://consumer.huawei.com/en/support/bulletin/2025/8/

3. Security Updates – NVIDIA

NVIDIA has released security updates for its Triton Inference Server to address multiple critical vulnerabilities that could allow attackers to execute arbitrary code, cause denial of service, perform data tampering, or trigger information disclosure. These flaws pose a significant risk to system integrity, confidentiality, and availability.

Key Details:

• Severity: Critical
• Notable Vulnerabilities:
  • CVE-2025-23310: Stack buffer overflow via specially crafted inputs – may lead to code execution, DoS, information disclosure, or data tampering. (CVSS: 9.8)
  • CVE-2025-23311: Stack overflow through specially crafted HTTP requests – may lead to code execution, DoS, information disclosure, or data tampering. (CVSS: 9.8)
  • CVE-2025-23317: Reverse shell execution via crafted HTTP request to HTTP server – may lead to code execution, DoS, data tampering, or information disclosure. (CVSS: 9.1)
• Affected Versions: NVIDIA Triton Inference Server for Windows and Linux.
• Fix: Apply the latest updates as per NVIDIA’s August 2025 security bulletin.

Recommendation:
Update all affected NVIDIA Triton Inference Server installations immediately to the patched versions to mitigate the risk of exploitation.

References:

• https://nvidia.custhelp.com/app/answers/detail/a_id/5687

4. Security Updates – Android

Google has released its August 2025 Android Security Bulletin, patching multiple critical and high-severity vulnerabilities in the Android operating system. The most severe issue is a critical Remote Code Execution (RCE) vulnerability in the core System component, which can be exploited remotely without user interaction.

Key Details:

• Severity: Critical / High
• Notable Vulnerabilities:
  • CVE-2025-48530: Critical RCE in System component; remotely exploitable without user interaction or additional privileges; can be chained with other flaws for full device compromise.
  • CVE-2025-22441, CVE-2025-48533: High-severity local privilege escalation in the Android Framework, allowing apps to gain unauthorized system-level access.
  • CVE-2025-0932 (Arm); CVE-2025-27038, CVE-2025-21479 (Qualcomm): Critical/high flaws in third-party hardware components impacting confidentiality, integrity, and availability.
• Affected Versions: Multiple Android builds prior to August 2025 security patch level.
• Fix: Apply the August 2025 Android security update immediately.

Recommendation:
Update all Android devices to the latest security patch level as soon as possible to protect against potential exploitation.

References:

• https://source.android.com/docs/security/bulletin/2025-08-01

5. Critical RCE Vulnerability in NestJS Devtools Integration

A critical Remote Code Execution (RCE) vulnerability has been discovered in the @nestjs/devtools-integration package of the NestJS framework. Tracked as CVE-2025-54782 with a CVSS v4 score of 9.4 (Critical), the flaw allows attackers to execute arbitrary JavaScript code on developer machines during development with minimal user interaction.

Key Details:

• Vulnerability Location: /inspector/graph/interact endpoint in devtools package when enabled.
• Cause:
  • Insecure sandbox using Node.js’s vm.runInNewContext() (not intended for untrusted code execution).
  • Lack of validation for critical cross-origin headers (e.g., Origin, Content-Type).
  • Static Access-Control-Allow-Origin header allowing cross-origin requests from malicious sites.
• Impact: Remote code execution, data exfiltration, malware deployment, and full system compromise simply by visiting a malicious webpage.
• Affected Versions: <= 0.2.0
• Fixed Version: 0.2.1 or later.

Recommendation:
Immediately update to version 0.2.1 or later to mitigate the risk.

References:

• https://nvd.nist.gov/vuln/detail/CVE-2025-54782

6. Security Updates – Google Chrome
   Google has released security updates for the Chrome browser addressing multiple medium- and low-severity vulnerabilities. These flaws could cause use-after-free conditions, improper handling of user input, and incorrect implementation of components, potentially leading to browser crashes, data leakage, or unauthorized behavior within extensions and browser features.

Medium-Severity Vulnerabilities:

• CVE-2025-8576: Use-after-free in Extensions.
• CVE-2025-8577: Inappropriate implementation in Picture-in-Picture.
• CVE-2025-8578: Use-after-free in Cast.

Low-Severity Vulnerabilities:

• CVE-2025-8579: Inappropriate implementation in Gemini Live in Chrome.
• CVE-2025-8580: Inappropriate implementation in Filesystems.
• CVE-2025-8581: Inappropriate implementation in Extensions.
• CVE-2025-8582: Insufficient validation of untrusted input in DOM.
• CVE-2025-8583: Inappropriate implementation in Permissions.

Affected Platforms & Fixed Versions:

• Stable Channel Update for Desktop:
  • Chrome 139.0.7258.66/67 (Windows & Mac)
  • Chrome 139.0.7258.66 (Linux)
• Additional Updates:
  • Chrome 138.0.7204.224 (Windows & Mac – Early Stable)
  • Chrome 139.0.7258.62 (Android)
  • Chrome 139.0.7258.76 (iOS)

Recommendation:
Update Google Chrome to the latest available version across all platforms.

References:

• https://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop.html
• https://chromereleases.googleblog.com/

7. Critical Zero-Day Vulnerabilities in Adobe Experience Manager (AEM)

Adobe has issued emergency security updates for Adobe Experience Manager (AEM) Forms on JEE, alerting users to two critical zero-day vulnerabilities—CVE-2025-54253 and CVE-2025-54254—along with a publicly available Proof-of-Concept (PoC) exploit chain.

Vulnerabilities:

• CVE-2025-54253 (Critical | CVSS 10.0): Misconfiguration leading to unauthenticated RCE, enabling full system compromise without user interaction.
• CVE-2025-54254 (High | CVSS 8.6): XXE (XML External Entity) injection, allowing arbitrary file read from the local filesystem—exposing credentials and sensitive configuration.

Affected Versions: AEM Forms on JEE version 6.5.23.0 and earlier.
Fixed Version: AEM Forms on JEE 6.5.0-0108 or later.

Recommendation:
Apply the security update immediately, particularly on internet-facing or internal AEM deployments, to prevent exploitation.

Reference:

• https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html 

8. High-Severity Flaws in Rockwell Arena Simulation
   Multiple high-severity memory abuse vulnerabilities have been identified in Rockwell Automation’s Arena Simulation software. These flaws can be exploited via malicious files or webpages and pose a significant risk, especially in sectors like manufacturing, healthcare, and supply chains where Arena is used for modeling critical systems.

Vulnerabilities:

• CVE-2025-7025, CVE-2025-7032, CVE-2025-7033 (High | CVSS 7.8)
• Type: Memory corruption / abuse
• Impact: Remote Code Execution and Information Disclosure
• Attack Vector: Malicious file or webpage
• User Interaction: Required

Affected Versions: Arena Simulation 16.20.09 and earlier
Fixed Version: Arena Simulation 16.20.10 and later

Recommendation:
Update to the latest vendor-provided patch immediately to mitigate exploitation risks.

Reference:

• https://www.rockwellautomation.com/en-us/trust-center/securityadvisories/advisory.SD1731.html

9. Critical Vulnerability in Everest Forms Plugin

A critical vulnerability (CVE-2025-52709) has been identified in the Everest Forms plugin for WordPress, allowing potential Remote Code Execution (RCE), data exfiltration, and full site compromise. The flaw (CVSS 9.8) exists in the plugin’s handling of serialized data in form submissions via the evf_maybe_unserialize function, triggered when an administrator views form entries. Attackers can exploit this by submitting crafted serialized payloads that instantiate arbitrary PHP objects.

• Severity: Critical (CVSS 9.8)
• Vulnerability: CVE-2025-52709 – Unsafe deserialization in evf_maybe_unserialize function.
• Impact: RCE, data exfiltration, full compromise of affected WordPress sites.
• Affected Versions: Everest Forms ≤ 3.2.2
• Fixed Version: Everest Forms ≥ 3.2.3
• Recommendation: Update to version 3.2.3 or later immediately to mitigate exploitation risks.

References:

• https://nvd.nist.gov/vuln/detail/CVE-2025-52709
• https://patchstack.com/articles/critical-vulnerability-impacting-over-100k-sitespatched-in-everest-forms-plugin/

10. Critical Vulnerability in Exchange Hybrid Deployments

A newly disclosed, high-severity vulnerability (CVE-2025-53786) affects Microsoft Exchange Server 2016, 2019, and Subscription Edition when deployed in hybrid mode with Exchange Online. Successful exploitation can allow attackers with administrative access to an on-premises Exchange server to escalate privileges within the connected Exchange Online environment—potentially leading to a complete domain compromise—without leaving clear audit trails.

Key Details:

• CVE: CVE-2025-53786
• Severity: High (CVSS 8.0)
• Exploitation Vector: Abuse of shared service principal identity used for authentication between on-premises Exchange and Exchange Online. Once compromised, this trust can be exploited to forge tokens or API calls accepted as legitimate by the cloud environment.
• Potential Impact:
  • Cloud privilege escalation
  • Unauthorized access to Exchange Online
  • Total hybrid and cloud domain compromise
  • Bypassed auditing/logging mechanisms

Affected Systems:

• Microsoft Exchange Server 2016 (Hybrid Configuration)
• Microsoft Exchange Server 2019 (Hybrid Configuration)
• Microsoft Exchange Server Subscription Edition (Hybrid Configuration)

Recommendations:

• Install April 2025 Exchange Server Security Updates: Apply the hotfix updates released by Microsoft to all affected on-premises Exchange servers.
• Deploy Dedicated Hybrid Application: Move hybrid authentication to a dedicated application identity to reduce shared service principal exposure.
• Reset Shared Service Principal Credentials: Use Microsoft’s Service Principal Clean-Up Mode to rotate/reset keyCredentials.
• Run Microsoft Exchange Health Checker: Verify that all mitigation steps are correctly implemented.
• Disconnect Unsupported or EOL Servers: Isolate or decommission any unsupported Exchange or SharePoint servers.
• Harden On-Premises Environments: Restrict administrative access, harden PowerShell, and monitor for unusual traffic between on-prem and cloud.

References:

• https://www.cisa.gov/news-events/alerts/2025/08/06/microsoft-releases-guidancehigh-severity-vulnerability-cve-2025-53786-hybrid-exchange-deployments
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786

11. Critical RCE Vulnerability in Squid

A critical vulnerability (CVE-2025-54574) has been discovered in Squid, the open-source HTTP caching and forwarding proxy, which could enable remote code execution and sensitive data exposure. The flaw stems from a buffer overflow in Squid’s URN (Uniform Resource Name) handling mechanism, allowing attackers to execute arbitrary code on affected systems without authentication or user interaction.

Key Details:

• CVE: CVE-2025-54574
• Severity: Critical
• CVSS Score: 9.3
• Vulnerability Type: Heap Buffer Overflow
• Attack Vector: Specially crafted URN requests exploiting incorrect buffer management in URN Trivial-HTTP responses.
• Potential Impact:
  • Remote Code Execution
  • Memory disclosure of up to 4KB
  • Exposure of sensitive credentials and confidential data

Affected Versions:

• Squid 4.x: ≤ 4.17
• Squid 5.x: ≤ 5.9
• Squid 6.x: ≤ 6.3

Fixed Versions:

• Squid 6.4 or later

Recommendations:

• Upgrade to Squid 6.4 or later immediately.
• Monitor proxy logs for suspicious or malformed URN requests.
• Restrict external access to Squid services where possible.
• Implement network-level protections to block unexpected URN traffic.

References:

• https://nvd.nist.gov/vuln/detail/CVE-2025-54574

12. High-Severity Vulnerabilities in Sophos Intercept X

Multiple high-severity local privilege escalation vulnerabilities have been identified in Sophos Intercept X for Windows, affecting the updater, installer, and Device Encryption module. If exploited, these flaws could allow a local attacker to gain SYSTEM-level privileges, potentially enabling full control over the affected system.

Vulnerability Details:

• CVE-2024-13972 – Improper registry permissions in the updater may allow privilege escalation during product upgrades.
• CVE-2025-7433 – A flaw in the Device Encryption component enables arbitrary code execution for local privilege escalation.
• CVE-2025-7472 – The Windows installer, when executed as SYSTEM, can be exploited to gain SYSTEM-level privileges.

Affected Versions:

• CVE-2024-13972:
  • Sophos Intercept X for Windows < Core Agent 2024.3.2
• CVE-2025-7433:
  • Sophos Intercept X for Windows Central Device Encryption < 2025.1
• CVE-2025-7472:
  • Sophos Intercept X for Windows Installer < 1.22

Fixed Versions:

• CVE-2024-13972:
  • Core Agent 2024.3.2, FTS 2024.3.2.23.2, LTS 2025.0.1.1.2, Windows Server FTS 2024.3.2.23.2, Windows Server LTS 2025.0.1.1.2
• CVE-2025-7433:
  • Device Encryption 2025.1, FTS 2024.3.2.23.2, LTS 2025.0.1.1.2
• CVE-2025-7472:
  • Windows Installer 1.22

Recommendations:

• Apply the latest patches provided by Sophos for all affected components.
• Restrict local administrative access to reduce exploitation opportunities.
• Monitor systems for unusual privilege elevation events.
• Regularly audit endpoint configurations and update security policies.

Reference:

• https://www.sophos.com/en-us/security-advisories/sophos-sa-20250717-cix-lpe

13. Critical Vulnerability in SUSE Manager (CVE-2025-46811)

A critical vulnerability has been identified in SUSE Manager that allows unauthenticated remote attackers to execute arbitrary commands as root. Exploitation could lead to full system compromise without credentials or user interaction.

Vulnerability Overview:

• CVE ID: CVE-2025-46811
• CVSS 4.0 Score: 9.3 (Critical)
• Cause: Authentication bypass in the websocket interface endpoint /rhn/websocket/minion/remote-commands
• Impact: Any actor with network access to the endpoint can issue arbitrary root commands
• Exploitation Requirements: No prior access; network-level reachability is sufficient

Potential Consequences:

• Installation of persistent malware or backdoors
• Exfiltration of sensitive data or credentials
• Modification or destruction of critical configurations
• Use of compromised systems as pivot points for lateral movement

Affected Versions:

• Multiple versions of SUSE Manager, including container version 5.0.5.7.30.1
• SLES15-SP4-Manager-Server images
• SUSE Manager Server Module 4.3
• Various containerized and cloud images for Azure, Amazon EC2, and Google Cloud Engine

Mitigation & Recommendations:

• Patch Immediately – Apply the latest security updates from SUSE.
• Restrict Network Access – Block external access to /rhn/websocket/minion/remote-commands.
• Audit Logs – Check for signs of compromise, especially on internet-exposed systems.
• Isolate Unpatched Systems – Temporarily remove vulnerable instances from production.
• Monitor for Root-Level Activity – Watch for unauthorized elevated command execution.
• Network Segmentation – Keep administrative interfaces separate from general networks.
• Run Internal Vulnerability Scans – Identify all affected deployments.

References:

• https://nvd.nist.gov/vuln/detail/CVE-2025-46811
• https://www.suse.com/security/cve/CVE-2025-46811.html

14. Critical BIOS Vulnerabilities in Lenovo Desktops (CVE-2025-4421 to CVE-2025-4426)
    Multiple critical vulnerabilities have been discovered in the InsydeH2O BIOS firmware used in Lenovo IdeaCentre AIO 3 and Yoga All-in-One desktop series. These flaws impact System Management Mode (SMM), a highly privileged CPU execution mode, and could allow local attackers with administrative privileges to execute arbitrary code at the firmware level, read sensitive memory, and achieve persistent system compromise.

Vulnerability Details:

• CVE-2025-4421 – SMM memory corruption in gEfiSmmCpuProtocol (CVSS 8.2)
• CVE-2025-4422 – SMM memory corruption in EfiPcdProtocol (CVSS 8.2)
• CVE-2025-4423 – Arbitrary code execution via SetupAutomationSmm (CVSS 8.2)
• CVE-2025-4424 – Unsanitized input in SmmSetVariable calls (CVSS 6.0)
• CVE-2025-4425 – Stack overflow in SMI handler (CVSS 8.2)
• CVE-2025-4426 – Information exposure via SMRAM disclosure (CVSS 6.0)

Potential Impact:

• Read or modify sensitive firmware memory (SMRAM)
• Execute arbitrary code at the firmware level
• Permanently compromise the integrity of the OS and installed security controls

Affected Systems:

• IdeaCentre AIO 3 (24ARR9, 27ARR9) – Fixed in BIOS version O6BKT1AA
• Yoga AIO (27IAH10, 32ILL10, 32IRH8) – Fixes scheduled for phased release between September and November 2025

Recommendations:

• Apply the latest BIOS updates provided by Lenovo for the affected models
• Limit administrative privileges on endpoints until patches are deployed
• Monitor for abnormal firmware-level activity
• Enable firmware write protection where available

Reference:

• https://support.lenovo.com/in/en/product_security/LEN-201013

15. Google Among Victims in Ongoing Salesforce Data Theft Campaign
    Google has confirmed it is among the victims of an ongoing data theft campaign targeting Salesforce instances. While the data retrieved was largely publicly available business information (e.g., business names and contact details), the incident highlights a broader, financially motivated threat operation.

Threat Actor:

• Group: ShinyHunters (tracked by Google Threat Intelligence Group as UNC6040 and UNC6240)
• Motivation: Financially driven
• Tactics: Voice phishing (vishing) campaigns targeting Salesforce users to steal login credentials and MFA codes for large-scale data theft and extortion

Incident Details:

• The affected Google Salesforce instance stored contact information and related notes for small and medium businesses
• Google has conducted an impact analysis, initiated mitigations, and confirmed the absence of sensitive or private customer data in the stolen set
• The campaign has also impacted multiple other global brands, including Chanel, Pandora, Allianz Life, Adidas, Qantas, and several LVMH brands

Escalation Warning:

• GTIG has warned that ShinyHunters may launch a data leak site to escalate extortion tactics
• Current extortion methods involve phone calls or emails demanding bitcoin payment within 72 hours
• A leak site could increase reputational and operational pressure on victims

Recent Developments:

• Early August 2025 breaches disclosed by Chanel and Pandora were linked to this campaign
• Threat actors claim many attacks remain unreported, suggesting additional victim disclosures in the coming weeks

Key Recommendations:

• Restrict administrative access to Salesforce instances and enforce strong MFA policies
• Educate employees on vishing threats, including the dangers of sharing MFA codes over the phone
• Monitor Salesforce logs for suspicious login activity and unusual API calls
• Implement IP restrictions and device trust policies for accessing CRM platforms

Reference:

• https://www.infosecurity-magazine.com/news/google-salesforce-data-theft/

16. Akira Ransomware Campaign Exploiting SonicWall SSL VPN Zero-Day Vulnerability
    
    A major ransomware campaign by the Akira group is actively exploiting a likely zero-day vulnerability in SonicWall SSL VPN appliances. Attackers are achieving rapid network compromise, bypassing even Time-based One-Time Password (TOTP) MFA protections, and deploying ransomware within minutes of initial access. Fully patched devices remain at risk.

Key Observations:

• Zero-Day Exploitation: Vulnerability allows bypass of standard authentication mechanisms, including TOTP MFA.
• Impact on Fully Patched Devices: Compromises reported on up-to-date appliances, even after credential resets.
• Rapid Attack Lifecycle: Ransomware deployed shortly after VPN access is established.
• Infrastructure Used: Access from VPS-hosted IP addresses for anonymity and speed.

Tactics & Techniques:

• Exploitation of SonicWall SSL VPNs
• MFA bypass techniques
• Swift transition from access to ransomware deployment
• Use of VPS networks instead of consumer broadband

Suspicious Autonomous System Numbers (ASNs):

• AS23470 – ReliableSite.Net LLC
• AS215540 – Global Connectivity Solutions LLP
• AS64236 – UnReal Servers, LLC
• AS14315 – 1GSERVERS, LLC
• AS62240 – Clouvider Limited

Impacted Systems:

• All SonicWall firewall appliances with SSL VPN enabled
• All versions potentially affected, regardless of patch status

Mitigation & Recommendations:

• Enhance Monitoring: Enable full VPN access logging, deploy EDR across all endpoints, and monitor for suspicious post-access behavior.
• Audit Authentication Activity: Review login history for unusual access or MFA bypass. Investigate successful logins after credential changes.
• Enable Security Services: Activate Botnet Protection and similar services.
• Harden Access: Enforce MFA for all remote access, remove unused accounts, and follow strong password hygiene.
• Stay Updated: Subscribe to SonicWall advisories for timely updates and patches.

Reference:
https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/ 

17. ECScape Flaw in Amazon ECS Enables Cross-Task Credential Theft
    
    Security researchers from Sweet Security have uncovered a critical privilege escalation flaw in Amazon Elastic Container Service (ECS), codenamed ECScape, which allows a low-privileged container to steal AWS credentials from other ECS tasks running on the same EC2 instance. This can enable lateral movement, access to sensitive data, and full cloud environment takeover.

Key Observations:

• Undocumented Protocol Abuse: Attackers exploit an internal ECS protocol to impersonate the ECS agent and harvest IAM credentials from other tasks.
• Bypassing Isolation: Even with separate IAM roles, tasks on the same EC2 instance are vulnerable due to shared metadata access at 169.254.170[.]2.
• Stealthy Execution: The malicious connection mimics legitimate agent behavior, avoiding detection.
• Cross-Task Privilege Escalation: Enables low-privilege containers to assume higher-privileged roles and act with their permissions.

Attack Sequence:

1. Obtain EC2 instance IAM role credentials to impersonate the ECS agent.
2. Identify ECS control plane endpoint and gather necessary identifiers (cluster name, instance ARN, agent version, etc.).
3. Forge a signed Agent Communication Service (ACS) WebSocket request with sendCredentials=true.
4. Retrieve IAM role credentials for all running tasks on the instance.

Impact:

• Credential theft from other ECS tasks
• Lateral movement within the cloud environment
• Access to sensitive secrets and services
• Potential complete environment compromise

Recommendations:

• Avoid running high-privilege and untrusted tasks on the same EC2 instance.
• Use AWS Fargate for true container isolation.
• Disable or restrict ECS Instance Metadata Service (IMDS) access for tasks.
• Limit ECS agent permissions to only what is necessary.
• Implement CloudTrail alerts for unusual IAM role usage.
• Apply the principle of least privilege to all Service Accounts (SAs) and remove legacy SAs.
• Keep all cloud services and dependencies updated with the latest patches.

Reference:
https://thehackernews.com/2025/08/researchers-uncover-ecscape-flaw-in.html