Weekly Threat Landscape Digest – Week 33

1. Microsoft August 2025 Security Updates

Microsoft has released its August 2025 Patch Tuesday updates, addressing 119 vulnerabilities across multiple products, including one publicly disclosed zero-day flaw. These patches cover vulnerabilities that could lead to remote code execution, privilege escalation, information disclosure, and security feature bypasses.

Zero-Day Vulnerability

• CVE-2025-53779 – Windows Kerberos Elevation of Privilege
  • CVSS 7.2 (High)
  • A relative path traversal flaw in Windows Kerberos could allow an authenticated attacker to gain domain administrator privileges.
  • Exploitation requires elevated access to certain dMSA attributes:
    • msds-groupMSAMembership – Enables usage of the dMSA.
    • msds-ManagedAccountPrecededByLink – Requires write access to specify a user the dMSA can act on behalf of.

Critical Severity Vulnerabilities

• Azure OpenAI (CVE-2025-53767) – CVSS 10.0
• Microsoft Graphics Component (CVE-2025-50165) – CVSS 9.8
• Windows GDI+ (CVE-2025-53766) – CVSS 9.8
• Remote Desktop Server (CVE-2025-50171) – CVSS 9.1
• Azure Portal (CVE-2025-53792) – CVSS 9.1

Potential Impact

• Unauthorized access to systems or services
• Remote code execution
• Privilege escalation
• Service disruption

Recommendations

• Apply August 2025 Microsoft security updates immediately.
• Prioritize patching of Kerberos and other critical CVSS 9.0+ vulnerabilities.
• Monitor authentication logs for unusual Kerberos activity.
• Review privileged account usage and restrict unnecessary dMSA access.

Reference:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Aug

2. Fortinet August 2025 Security Updates

Fortinet has released patches addressing multiple critical and high-severity vulnerabilities affecting FortiSIEM, FortiOS, FortiProxy, FortiPAM, and FortiWeb. Successful exploitation could allow unauthenticated attackers to execute arbitrary commands, bypass authentication, or gain unauthorized access to devices and sensitive data.

Vulnerability Details

• CVE-2025-25256 – Remote Unauthenticated Command Injection
  • Severity: Critical | CVSS: 9.8
  • Improper neutralization of special elements in OS commands allows unauthenticated attackers to execute arbitrary commands via crafted CLI requests.
  • Exploitation Status: Exploit code observed in the wild.
  • Impact: Full system compromise, data exfiltration, unauthorized command execution on FortiSIEM devices.
• CVE-2024-26009 – Weak Authentication (FGFM Protocol)
  • Severity: High | CVSS: 7.9
  • Authentication bypass using alternate path/channel may allow attackers to seize control of a managed device via crafted FGFM requests.
  • Impact: Unauthorized access, device takeover, network compromise.
• CVE-2025-52970 – Authentication Bypass via Invalid Parameter
  • Severity: High | CVSS: 7.7
  • Improper parameter handling allows attackers with knowledge of non-public info to log in as any existing user.
  • Impact: Unauthorized access, potential data exposure, elevated privilege attacks on FortiWeb devices.

Affected Versions & Fixed Releases

• FortiWeb – Upgrade to:
  • 7.6.4+, 7.4.8+, 7.2.11+, 7.0.11+
• FortiSIEM – Upgrade to:
  • 7.3.2+, 7.2.6+, 7.1.8+, 7.0.4+, 6.7.10+
• FortiOS – Upgrade to:
  • 6.4.16+, 6.2.17+, or migrate from 6.0 to a fixed release
• FortiPAM – Migrate to a fixed release (all versions)
• FortiProxy – Upgrade to:
  • 7.4.3+, 7.2.9+, 7.0.16+
• FortiSwitchManager – Upgrade to:
  • 7.2.4+, 7.0.4+

Potential Impact

• Complete compromise of affected systems
• Unauthorized device management
• Privilege escalation and data theft
• Disruption of network security operations

Recommendations

• Immediately apply the latest security updates to all affected Fortinet products.
• Prioritize patching CVE-2025-25256 due to active exploitation reports.
• Monitor FortiSIEM, FortiOS, and FortiWeb logs for suspicious login and command activity.
• Restrict CLI and FGFM protocol access from untrusted networks.

References:

• https://fortiguard.fortinet.com/psirt/FG-IR-25-152
• https://fortiguard.fortinet.com/psirt/FG-IR-24-042
• https://fortiguard.fortinet.com/psirt/FG-IR-25-448

3. Critical Privilege Escalation Vulnerability in Zoom
   Multiple vulnerabilities have been identified in Zoom Clients for Windows that could allow attackers to escalate privileges or perform unauthorized modifications.

Vulnerability Details:

1. CVE-2025-49457 – Critical – CVSS 9.6
   • Type: Untrusted search path vulnerability
   • Impact: Allows unauthenticated remote attackers to execute malicious code in the context of the vulnerable application, potentially leading to full system compromise.
   • Affected Products:
     • Zoom Workplace for Windows < 6.3.10
     • Zoom Workplace VDI for Windows < 6.3.10 (except 6.1.16 & 6.2.12)
     • Zoom Rooms for Windows < 6.3.10
     • Zoom Rooms Controller for Windows < 6.3.10
     • Zoom Meeting SDK for Windows < 6.3.10
2. CVE-2025-49456 – Medium – CVSS 6.2
   • Type: Race condition in installer
   • Impact: Allows local attackers to manipulate application files/configurations, resulting in unauthorized modifications.
   • Affected Products:
     • Zoom Workplace for Windows version 6.4.10
     • Zoom Workplace VDI for Windows < 6.3.12 (except 6.2.15)
     • Zoom Rooms for Windows < 6.4.5
     • Zoom Rooms Controller for Windows < 6.4.5
     • Zoom Meeting SDK for Windows < 6.4.10

Recommendations:

• Apply the latest Zoom security updates immediately.
• Restrict physical and remote access to vulnerable systems until patched.
• Monitor for signs of unauthorized access or privilege escalation.

References:

• https://www.zoom.com/en/trust/security-bulletin/zsb-25030/
• https://www.zoom.com/en/trust/security-bulletin/zsb-25029/

4. Security Updates – Google Chrome
   Google has released security updates for Chrome on the Stable channel for Windows, Mac, Linux, and Android. These updates address multiple vulnerabilities, including high-severity flaws that could allow arbitrary code execution, memory corruption, security policy bypass, or browser crashes.

Vulnerability Details:

• CVE-2025-8879 – High – Heap buffer overflow in libaom; may lead to memory corruption and arbitrary code execution.
• CVE-2025-8880 – High – Race condition in V8 JavaScript engine; could allow exploitation of inconsistent memory states.
• CVE-2025-8901 – High – Out-of-bounds write in ANGLE; may cause memory corruption and enable code execution.
• CVE-2025-8881 – Medium – Inappropriate implementation in File Picker; may lead to security policy bypass.
• CVE-2025-8882 – Medium – Use-after-free in Aura; could allow arbitrary code execution or cause browser crashes.

Fixed Versions:

• Stable Channel Update for Desktop:
  • Chrome 139.0.7258.127/.128 for Windows, Mac
  • Chrome 139.0.7258.127 for Linux
• Chrome 139 (139.0.7258.123) for Android
• Early Stable Update for Desktop:
  • Chrome 138.0.7204.235 for Windows, Mac

Recommendations:

• Update Google Chrome to the latest available version for your platform.
• Enable automatic updates to ensure timely patching.
• Restart the browser after updating to apply changes.

References:

• https://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop_12.html 
• https://chromereleases.googleblog.com/

5.Security Updates – SAP
SAP has released its August 2025 Security Updates, addressing multiple vulnerabilities across widely used products such as SAP S/4HANA, SAP Landscape Transformation, SAP Business One, and SAP NetWeaver AS ABAP. The most severe vulnerabilities are critical code injection flaws with CVSS scores of up to 9.9, which could allow remote code execution, authorization bypass, and data compromise.

Vulnerability Details (Selected):

• CVE-2025-42957 – Critical – SAP S/4HANA – Code injection (CVSS 9.9)
• CVE-2025-42950 – Critical – SAP Landscape Transformation – Code injection (CVSS 9.9)
• CVE-2025-27429 – Critical – SAP S/4HANA – Code injection, updated from April 2025 (CVSS 9.9)
• CVE-2025-42951 – High – Broken authorization in SAP Business One (CVSS 8.8)
• CVE-2025-42976 – High – Multiple issues in SAP NetWeaver AS ABAP (CVSS 8.1)
• CVE-2025-42946 – Medium – Directory traversal in SAP S/4HANA (CVSS 6.9)

Potential Impact:

• Remote Code Execution (RCE): Execution of arbitrary commands with elevated privileges.
• Authorization Bypass: Unauthorized access to restricted functions or sensitive business data.
• Data Theft or Manipulation: Extraction, alteration, or deletion of confidential information.
• System Compromise: Persistent access, lateral movement, and potential compromise of other connected SAP systems.

Recommendations:

• Apply the August 2025 SAP Security Updates immediately.
• Review SAP landscape configurations to ensure no exposed or unused components remain active.
• Implement strict access controls and monitor logs for suspicious activity post-patch.

Reference:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/august2025.html

6. Multiple Vulnerabilities in Ivanti Products
   Ivanti has released critical security updates for Connect Secure, Policy Secure, ZTA Gateway, and Neurons for Secure Access, addressing multiple high- and medium-severity vulnerabilities. Exploitation could result in denial-of-service (DoS) attacks, arbitrary file reads, and service disruptions, potentially impacting VPN and secure access services.

Vulnerability Details (Selected):

• CVE-2025-5456 – High – Buffer over-read – Remote unauthenticated DoS.
• CVE-2025-5462 – High – Heap-based buffer overflow – Remote unauthenticated DoS.
• CVE-2025-5466 – Medium – XML External Entity (XXE) – Remote authenticated admin-triggered DoS.
• CVE-2025-5468 – Medium – Improper symbolic link handling – Local authenticated arbitrary file read.

Potential Impact:

• Remote Denial-of-Service: Downtime of VPN and secure access systems due to service crashes.
• Local File Disclosure: Exposure of sensitive system files to authenticated local attackers.
• Privileged User Disruption: Admin users could trigger unavailability of secure services.

Affected Versions:

• Ivanti Connect Secure: 22.7R2.7 and prior
• Ivanti Policy Secure: 22.7R1.4 and prior
• Ivanti ZTA Gateway: 22.8R2.2
• Ivanti Neurons for Secure Access: 22.8R1.3 and prior

Fixed Versions:

• Ivanti Connect Secure: 22.7R2.8 or later, or 22.8R2
• Ivanti Policy Secure: 22.7R1.5
• Ivanti ZTA Gateway: 22.8R2.3-723
• Ivanti Neurons for Secure Access: 22.8R1.4

Recommendations:

• Upgrade all affected Ivanti products to the fixed versions immediately.
• Monitor Ivanti release notes and advisories for additional mitigations or security guidance.
• Review VPN and secure access service logs for signs of anomalous or failed connection attempts.

Reference:
https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Connect-SecurePolicy-Secure-ZTA-Gateways-MultipleCVEs?language=en_US

7. Arbitrary File Write Vulnerability in 7-Zip
   A security flaw in 7-Zip, affecting versions prior to 25.01, can be exploited to write files outside the intended extraction directory during archive extraction. This occurs due to improper handling of symbolic links within archives. A maliciously crafted archive could overwrite critical system files, potentially enabling arbitrary code execution, persistence, or security bypass.

Vulnerability Details:

• CVE-2025-55188 – Low Severity – CVSS 3.6
• Exploitation possible when symbolic links in an archive are followed during extraction.
• Attackers could overwrite sensitive files such as SSH keys, .bashrc, startup scripts, or configuration files.
• Impact includes:
  • Execution of arbitrary commands or code.
  • Establishment of persistent backdoors.
  • Manipulation of system configurations to bypass security controls.

Affected Versions:

• 7-Zip versions prior to 25.01

Fixed Version:

• 7-Zip 25.01 or later

Recommendations:

• Update immediately to 7-Zip 25.01 or later from the official 7-Zip site.
• Avoid extracting archives from untrusted or unknown sources.
• Use sandboxed or isolated environments when handling potentially malicious files.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-55188
https://seclists.org/oss-sec/2025/q3/82

8. Actively Exploited Vulnerability in Erlang/OTP SSH Daemon
   A critical remote code execution (RCE) vulnerability (CVE-2025-32433) in the native SSH daemon of Erlang’s Open Telecom Platform (OTP) is being actively exploited in the wild. The flaw allows unauthenticated attackers to send specially crafted SSH protocol messages (codes ≥ 80) that are processed before authentication, enabling arbitrary code execution without credentials. Due to Erlang/OTP’s use in telecommunications, finance, 5G, and industrial OT systems, exploitation poses a high risk to critical infrastructure.

Vulnerability Details:

• CVE-2025-32433 – CVSS 10.0 (Critical)
• Vulnerability type: Improper state enforcement in SSH daemon.
• Attack vector: Network – malicious SSH protocol messages sent to an open Erlang/OTP SSH port.
• Commonly observed ports: Non-standard (e.g., TCP/2222).
• Impact: Unauthenticated RCE, potential full system compromise.
• Affected Versions:
  • OTP-27: prior to 27.3.3
  • OTP-26: prior to 26.2.5.11
  • OTP-25: prior to 25.3.2.20

Indicators of Compromise (IOCs):

• .dns.outbound.watchtowr[.]com
• 194.165.16[.]71
• 146.103.40[.]203

Recommendations:

• Upgrade Erlang/OTP to 27.3.3, 26.2.5.11, or 25.3.2.20 (or later).
• Disable Erlang/OTP SSH service if not in use.
• Restrict SSH access to trusted IP addresses via firewall rules.
• Review logs for anomalous SSH protocol messages occurring before authentication.
• Monitor for listed IOCs in DNS, firewall, and endpoint logs.
• Implement IT/OT network segmentation to reduce cross-environment compromise.
• Deploy intrusion prevention signatures for known exploit patterns.
• Regularly audit exposed OT endpoints, especially on non-standard ports.

References:
https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/
https://nvd.nist.gov/vuln/detail/CVE-2025-32433

9. Critical Remote DoS Vulnerability in Apache bRPC
   A critical vulnerability (CVE-2025-54472) in Apache bRPC’s Redis protocol parser could allow remote attackers to cause a Denial-of-Service (DoS) via memory exhaustion. The flaw occurs due to improper memory allocation when parsing network data, making it possible for an attacker to crash services by sending a specially crafted Redis packet.

Vulnerability Details:

• CVE-2025-54472
• Vulnerability type: Improper memory allocation in Redis protocol parser.
• Impact: Remote Denial-of-Service (service crash).
• Attack vector: Network – sending malicious Redis packets with excessively large integer values.
• Component affected: Redis Protocol Parser in Apache bRPC.
• Affected versions: All versions prior to 1.14.1.
• Fixed version: 1.14.1.

Exploitable Scenarios:

• bRPC as a Redis Server: Accepting connections from untrusted clients.
• bRPC as a Redis Client: Connecting to untrusted Redis services.

Recommendations:

• Upgrade Apache bRPC to version 1.14.1 or later.
• Restrict Redis protocol connections to trusted clients and servers.
• Monitor logs for unusual or large Redis packet sizes.
• Consider applying network-level filtering to block unexpected Redis protocol traffic from untrusted sources.

References:
https://lists.apache.org/thread/pvw31sxjj1yz0f8f8lp9m09h70w9hnct

10. Critical Vulnerability in Packet Power Devices
    A critical authentication bypass vulnerability (CVE-2025-8284) has been identified in Packet Power’s EMX and EG products. The flaw allows attackers with network access to gain full access to affected devices without providing credentials. Exploitation could enable unauthorized viewing and manipulation of operational data, alteration of device configurations, and disruption or control of connected systems.

This vulnerability is particularly impactful in data center power monitoring and industrial control environments, where device compromise could threaten operational continuity and infrastructure safety.

Vulnerability Details:

• CVE-2025-8284
• Severity: Critical
• CVSS v3 Score: 9.8
• Vulnerability type: Missing authentication / unauthorized access
• Component affected: Packet Power Monitoring and Control Web Interface
• Impact: Full device compromise, unauthorized configuration changes, and operational disruption
• Affected versions:
  • EMX: Prior to 4.1.0
  • EG: Prior to 4.1.0
• Fixed version: 4.1.0

Recommendations:

• Upgrade EMX and EG devices to version 4.1.0 or later.
• Restrict network access to Packet Power devices to trusted management networks only.
• Implement network segmentation to isolate critical infrastructure components.
• Monitor logs for unauthorized or anomalous access attempts.

Reference:
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-05

11. libxslt Vulnerabilities in F5 Traffix SDC
    Two high-severity use-after-free vulnerabilities have been discovered in the third-party libxslt library, affecting F5 Traffix SDC. If exploited, these flaws could allow arbitrary code execution within the application context, potentially resulting in full system compromise, service disruption, or unauthorized actions.

Vulnerability Details:

• CVE-2025-24855 – Located in numbers.c. In nested XPath evaluations, an XPath context node can be modified but never restored. Affects xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.
• CVE-2024-55549 – Located in xsltGetInheritedNsList. Triggered during exclusion of result prefixes, leading to a use-after-free condition.
• Severity: High
• CVSS v3.1 Score: 7.8
• Vulnerable Component: libxslt
• Impact:
  • Arbitrary code execution
  • Unauthorized control of the system
  • Data corruption or leakage
  • Service interruptions

Affected Products:

Recommendations:

• Upgrade to the fixed version 5.2.0 CF8 or later.
• Restrict access to the Traffix SDC interface to trusted networks only.
• Monitor system logs for suspicious activity that may indicate exploitation attempts.
• Apply vendor-provided security updates promptly.

Reference:
https://my.f5.com/manage/s/article/K000152944?utm_source=f5support&utm_medium=RSS

12. Critical Vulnerability in Siemens SIMATIC RTLS Locating Manager

A critical vulnerability in Siemens SIMATIC RTLS Locating Manager could allow an authenticated remote attacker with high privileges to execute arbitrary code with NT Authority/SYSTEM privileges. Successful exploitation could result in full system compromise, operational disruption, or lateral movement within the network.

Vulnerability Details:

• CVE ID: CVE-2025-40746
• Severity: Critical
• CVSS v3.1 Score: 9.1
• Vulnerability Type: Improper input validation in backup script processing
• Impact:
  • Arbitrary code execution with NT Authority/SYSTEM privileges
  • Full control of affected systems
  • Configuration tampering
  • Operational disruption
  • Lateral movement across network environments

Affected Versions:

• All versions prior to V3.2

Fixed Version:

• V3.2 or later

Recommendations:

• Upgrade to V3.2 or later immediately.
• Restrict administrative privileges to trusted personnel only.
• Monitor systems for unusual activity and verify integrity of configurations.
• Isolate vulnerable systems until the update is applied.

Reference:
https://cert-portal.siemens.com/productcert/html/ssa-493787.html

13. High-Severity Vulnerabilities in GitLab CE and EE

Multiple high-severity vulnerabilities have been identified in GitLab Community Edition (CE) and Enterprise Edition (EE), potentially enabling account takeover, stored cross-site scripting (XSS) attacks, privilege escalation, and service disruption. These vulnerabilities affect core functionality and could be exploited by both authenticated and unauthenticated attackers under specific conditions.

High-Severity Vulnerabilities:

1. CVE-2025-7734 – Cross-Site Scripting in Blob Viewer
   • CVSS Score: 8.7
   • Description: A flaw in the blob viewer could allow attackers to perform actions on behalf of other users by injecting malicious content.
2. CVE-2025-7739 – Stored Cross-Site Scripting in Labels
   • CVSS Score: 8.7
   • Description: Authenticated users can inject persistent malicious HTML into scoped label descriptions, potentially enabling session hijacking.
3. CVE-2025-6186 – Cross-Site Scripting in Work Items
   • CVSS Score: 8.7
   • Description: Malicious HTML injected into work item names could result in account takeover when viewed by other users.
4. CVE-2025-8094 – Improper Permission Handling in Project API
   • CVSS Score: 7.7
   • Description: Maintainers could manipulate shared infrastructure resources, disrupting CI/CD pipelines beyond their intended permission scope.

Other Vulnerabilities Addressed:

• CVE-2024-12303 – Incorrect privilege assignment in issue deletion
• CVE-2025-2614 – Resource exhaustion in release name creation
• CVE-2024-10219 – Authorization flaw in jobs API
• CVE-2025-8770 – Merge request approval policy bypass
• CVE-2025-2937 – Regex complexity DoS in Wiki
• CVE-2025-1477 – Mattermost integration DoS
• CVE-2025-5819 – ID token permission escalation
• CVE-2025-2498 – IP restriction bypass for assigned issues

Affected Versions:

• GitLab CE and EE prior to 18.2.2, 18.1.4, and 18.0.6

Fixed Versions:

• GitLab CE and EE: 18.2.2, 18.1.4, 18.0.6

Recommendations:

• Upgrade to the latest fixed version immediately.
• Review and sanitize user-generated content to mitigate potential XSS injection points.
• Restrict high-privilege accounts and enable two-factor authentication (2FA).
• Monitor for suspicious pipeline disruptions or unauthorized changes in project configurations.

Reference:
https://about.gitlab.com/releases/2025/08/13/patch-release-gitlab-18-2-2-released/

14. Critical RCE Vulnerability in Cisco Secure Firewall Management Center

Cisco has disclosed a maximum severity vulnerability (CVE-2025-20265, CVSS 10.0) in the RADIUS subsystem of its Secure Firewall Management Center (FMC). Exploitation allows unauthenticated remote attackers to execute arbitrary shell commands with elevated privileges, potentially leading to full system compromise. The flaw exists due to improper handling of user-supplied input during the RADIUS authentication phase.

Impact:

• Remote code execution with administrative privileges
• Full compromise of FMC and connected firewalls
• Potential for lateral movement across the network

Affected Versions:

• FMC 7.0.7
• FMC 7.7.0
  (Only when RADIUS authentication is enabled via Web UI, SSH, or both)

Mitigation:

• Primary recommendation: Upgrade to the latest fixed version provided by Cisco.
• If patching is not possible: Disable RADIUS authentication and switch to alternative methods such as local accounts, external LDAP, or SAML SSO.
• Verify applicability and test mitigation in your environment before deployment.

Other High-Severity Vulnerabilities Addressed:

• CVE-2025-20217 – Secure Firewall Threat Defense Snort 3 DoS
• CVE-2025-20222 – ASA & Secure FTD IPv6 over IPsec DoS
• CVE-2025-20148 – Secure Firewall Management Center HTML injection
• CVE-2025-20244 – ASA & Secure FTD Remote Access VPN web server DoS
• CVE-2025-20133, CVE-2025-20243 – ASA & Secure FTD Remote Access SSL VPN DoS
• CVE-2025-20134 – ASA & Secure FTD SSL/TLS certificate DoS
• CVE-2025-20136 – ASA & Secure FTD NAT DNS inspection DoS
• CVE-2025-20251 – ASA & Secure FTD VPN web server DoS
• CVE-2025-20224, CVE-2025-20225 – IOS, IOS XE, ASA & Secure FTD IKEv2 DoS
• CVE-2025-20263 – ASA & Secure FTD web services DoS
• CVE-2025-20127 – ASA & Secure FTD TLS 1.3 cipher DoS (Mitigation: remove TLS 1.3 cipher)

Recommendations:

• Apply Cisco security updates immediately.
• Monitor authentication logs for anomalies and suspicious login activity.
• Restrict external management access to FMC to trusted networks only.
• Review and update firewall and device access controls.

Reference:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79 

https://www.bleepingcomputer.com/news/security/cisco-warns-of-max-severity-flaw-in-firewall-management-center/ 

15. Zero-Day Vulnerability in WinRAR
    A zero-day path traversal vulnerability in the Windows version of WinRAR (CVE-2025-8088) is being actively exploited in the wild. The flaw allows specially crafted archives to manipulate the extraction process and place malicious files in unintended system locations, enabling arbitrary code execution without user awareness.

Vulnerability Details:

• CVE ID: CVE-2025-8088
• Severity: High
• CVSS v3.1 Score: 8.4
• Description: Vulnerable versions of WinRAR may honor attacker-controlled embedded file paths instead of the user’s designated extraction folder. This affects multiple Windows-based components, including RAR, UnRAR, the portable UnRAR source code, and UnRAR.dll.

Impact:
Exploitation could allow attackers to:

• Plant malicious files in sensitive directories.
• Overwrite critical system or application files.
• Execute arbitrary code upon extraction without additional user action.

Observed Attack Vector:
Attackers are delivering malicious archives via phishing and other social engineering techniques.

Affected Products:

• All vulnerable Windows versions of WinRAR (including earlier releases of RAR, UnRAR, portable UnRAR source code, and UnRAR.dll).

Fixed Versions:

• WinRAR 7.13 or later.

Recommendations:

• Update immediately to WinRAR 7.13 or later from the official WinRAR website.
• Avoid opening archives from untrusted or unknown sources.
• Scan all archive files with updated endpoint security tools before extraction.

Reference:

• https://nvd.nist.gov/vuln/detail/CVE-2025-8088

16. Actively Exploited Vulnerabilities in D-Link IP Cameras

An active exploitation campaign is targeting legacy D-Link IP cameras and NVRs, posing a significant risk to network integrity. The vulnerabilities enable unauthorized access, remote code execution, and persistent compromise of affected devices. Some models are end-of-life (EoL) and have no available patches.

Vulnerability Details:

1. CVE-2020-25078 – Admin Credential Disclosure
   • Affected Devices: D-Link DCS-2530L, DCS-2670L
   • Severity: High
   • Description: An unauthenticated endpoint (/config/getuser) allows attackers to retrieve administrator passwords.
   • Impact: Enables admin access without authentication, potentially leading to full device compromise.
   • Fixed Versions:
     • DCS-2530L: Firmware v1.07.00
     • DCS-2670L: Firmware v2.03.00
2. CVE-2020-25079 – Authenticated Command Injection
   • Affected Devices: D-Link DCS-2530L, DCS-2670L
   • Severity: High
   • Description: Authenticated users can inject commands via cgi-bin/ddns_enc.cgi.
   • Impact: Can be used as a second-stage exploit after CVE-2020-25078 to execute arbitrary commands remotely.
   • Fixed Versions:
     • DCS-2530L: Firmware v1.07.00
     • DCS-2670L: Firmware v2.03.00
3. CVE-2022-40799 – Persistent Backdoor via Startup Script
   • Affected Device: D-Link DNR-322L
   • Severity: Critical
   • Description: Exploits the backup/restore feature to modify the rc.init.sh startup script, enabling persistent code execution at boot.
   • Impact: Maintains persistent attacker access. Public proof-of-concept available.
   • Fixed Version: None – Device is End-of-Life.

Recommendations:

• Replace affected EoL devices with supported hardware.
• Apply firmware updates for supported devices:
  • DCS-2530L → v1.07.00
  • DCS-2670L → v2.03.00
• Restrict network access to camera management interfaces.
• Monitor for unusual traffic from affected devices.

Reference:

• https://www.cisa.gov/news-events/alerts/2025/08/05/cisa-adds-three-knownexploited-vulnerabilities-catalog

17. Active Exploitation of Citrix NetScaler ADC CVE-2025-6543 in Critical Sectors

Summary:
The Dutch National Cyber Security Centre (NCSC-NL) has confirmed active exploitation of CVE-2025-6543 (CVSS 9.2) affecting Citrix NetScaler ADC and Gateway products. The flaw has been exploited as a zero-day since early May 2025, targeting critical organizations in the Netherlands.

Vulnerability Details:

• CVE-2025-6543 – Critical Control Flow & DoS Flaw
  • Severity: Critical (CVSS 9.2)
  • Affected Configurations: Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
  • Impact: Unintended control flow, denial-of-service, and potential remote compromise
  • Exploitation: Web shells deployed on compromised devices for persistent remote access
  • Zero-Day Status: Exploited ~2 months before public disclosure (late June 2025)

Affected Versions (Fixed in):

• NetScaler ADC / Gateway 14.1 – prior to 14.1-47.46
• NetScaler ADC / Gateway 13.1 – prior to 13.1-59.19
• NetScaler ADC 13.1-FIPS & NDcPP – prior to 13.1-37.236-FIPS and NDcPP

Mitigation & Response:

1. Apply vendor patches to fixed versions or later immediately.
2. Terminate active sessions to remove potential attacker footholds:

kill icaconnection -all

kill pcoipConnection -all

kill aaa session -all

kill rdp connection -all

clear lb persistentSessions

1. Hunt for Indicators of Compromise (IoCs):
   • Search for .php files in system directories
   • Check for newly created privileged accounts on the NetScaler device
   • Use NCSC-NL-provided shell script for automated scanning
2. Monitor for persistence & lateral movement in the network.

Additional Context:

• CVE-2025-6543 added to CISA KEV Catalog on 30 June 2025.
• Related flaw: CVE-2025-5777 (CVSS 9.3) also actively exploited in July 2025.

References:

https://thehackernews.com/2025/08/dutch-ncsc-confirms-active-exploitation.html 

https://github.com/NCSC-NL/citrix-2025 

18. Global Brute-Force Campaign Targets Fortinet SSL VPNs Before Shifting to FortiManager

Threat intelligence firm GreyNoise has reported a significant global spike in brute-force attacks targeting Fortinet SSL VPN devices on August 3, 2025, followed by a pivot in attacker activity towards FortiManager systems after August 5.

Incident Details:

• Initial Wave (Pre–Aug 5, 2025)
  • Over 780 unique malicious IPs detected on August 3.
  • Targeted Fortinet SSL VPNs with precision (FortiOS profile).
  • IP sources: United States, Canada, Russia, Netherlands.
  • Targeted regions: United States, Hong Kong, Brazil, Spain, Japan.
  • Linked to a single TCP signature indicating sustained, coordinated brute-force attempts.
• Second Wave (Post–Aug 5, 2025)
  • Shifted focus from FortiOS SSL VPNs to FortiManager.
  • Traffic fingerprinted with a different TCP/client meta signature.
  • Historical data shows similar signature activity in June 2025 targeting a FortiGate device in a U.S. residential ISP block (Pilot Fiber Inc.), suggesting:
    • Possible initial testing of tooling from a home network, or
    • Use of residential proxies for obfuscation.

Threat Landscape Insight:

• Activity is deliberate and not opportunistic.
• Consistent with patterns where malicious spikes precede disclosure of a new CVE affecting the same technology within ~6 weeks.
• Enterprise edge technologies like VPNs, firewalls, and remote access tools remain prime targets for advanced threat actors.

Recommendations:

1. Apply Latest Patches – Ensure FortiOS and FortiManager are updated to the latest vendor-supported versions.
2. Enable MFA for all remote access accounts.
3. Restrict Access – Limit VPN and FortiManager exposure to trusted IP ranges.
4. Increase Brute-Force Detection – Monitor failed login attempts and anomalous traffic spikes.
5. Threat Hunting:
   • Review logs for repeated failed authentications from the reported geolocations.
   • Investigate any unusual admin logins or config changes.

References:

https://thehackernews.com/2025/08/fortinet-ssl-vpns-hit-by-global-brute.html 

19. SmartLoader Malware Campaign Masquerading as Legitimate GitHub Repositories

AhnLab Security Intelligence Center (ASEC) has identified a massive malware distribution campaign leveraging fake GitHub repositories to deliver the SmartLoader malware. The campaign primarily targets users seeking game cheats, cracked software, and automation tools. These repositories are designed to mimic legitimate open-source projects with detailed README files, feature lists, and installation instructions.

Infection Chain:

1. Lure & Delivery
   • Fake GitHub repos rank high on Google/GitHub search results for terms like “game hacks” or “software crack.”
   • Targets popular games (Maple Story, Minecraft, Call of Duty) and utilities (Instagram boosters, VPN cracks).
   • Release downloads contain malicious ZIP archives.
2. Malicious Archive Contents:
   • java.exe – Legitimate LuaJIT executable (luajit.exe).
   • Launcher.cmd – Malicious batch script triggering infection.
   • lua51.dll – Lua runtime interpreter.
   • module.class – Obfuscated Lua script containing SmartLoader logic.
3. Execution & Persistence:
   • Launcher.cmd launches SmartLoader via luajit.exe.
   • Files copied to %AppData%\ODE3.
   • Persistence via scheduled task “SecurityHealthService_ODE3”.
4. C2 Communication & Payload Retrieval:
   • Sends screenshots (BMP) and encoded system info to C2 (Base64 + custom byte manipulations).
   • Receives JSON configs with instructions and payloads.
5. Payloads Identified:
   • adobe.lua – Similar to module.class, registers persistence as “WindowsErrorRecovery_ODE4”, connects to secondary C2.
   • _x64.bin / _x86.bin – Rhadamanthys infostealer shellcode targeting credentials, online banking, FTP accounts; injects into processes (openwith.exe, dialer.exe, dllhost.exe, rundll32.exe).

Impact:

• Theft of sensitive data including emails, FTP credentials, and banking information.
• Potential secondary infections with Rhadamanthys, Redline, Lumma Stealer.
• Abuse of GitHub’s trust model for large-scale distribution.

Mitigation Recommendations:

• Verify Repository Authenticity: Check commit history, contributors, and project legitimacy before downloading.
• Use Official Sources: Avoid downloading cracked software or cheats from unknown repos.
• Endpoint Protection: Deploy EDR with script and behavioral detection.
• Monitor for IOCs: Block listed MD5 hashes and C2 URLs at network perimeter.
• Hunt for Persistence Artifacts: Look for scheduled tasks “SecurityHealthService_ODE3” and “WindowsErrorRecovery_ODE4”.

Indicators of Compromise (IOCs):

Reference:

https://gbhackers.com/smartloader-malware-masquerades-as-legitimate-github-repository/ 

20. Muddled Libra’s Strike Teams – Decentralized Cybercrime Operations
    Muddled Libra (also known as Scattered Spider / Octo Tempest) is not a single, structured group but a loose network of cybercriminal personas collaborating via social chat applications. Since late 2022, at least seven distinct “strike teams” have been identified, each with unique skillsets, tradecraft, and objectives. Members frequently move between teams, share successful techniques, and adapt their targeting strategies over time.

Key Characteristics:

• Fluid Membership: Personas frequently join, leave, or collaborate across teams.
• Distinct Tradecraft: Each team leaves identifiable “fingerprints” in their operations.
• Shared TTPs: Effective techniques spread quickly between teams.
• Predictable Evolution: Objectives shift but often follow established patterns.

Targeted Industries:

• Primary Focus: Initially cryptocurrency theft, expanding into retail, entertainment, SaaS, telecommunications, hospitality, finance, and government.
• Attack Types:
  • Cryptocurrency “whale” hunting
  • Intellectual property theft (media/software firms)
  • Ransomware & extortion campaigns targeting high-availability sectors
  • Credential harvesting for resale on dark web
  • Mass personal data collection for profiling high-value targets

Notable Observations:

• Strike teams have moved beyond crypto to broader high-value targets.
• Some target unique and private datasets, making data classification and access control critical.
• Extortion campaigns threaten both data leaks and operational disruption.

Defensive Recommendations:

• Implement strict data classification, retention policies, and segmentation.
• Enforce restrictive access control and data loss prevention (DLP).
• Maintain tested business continuity and disaster recovery (BC/DR) plans.
• Strengthen customer authentication to prevent credential abuse.
• Focus on risk-based defense-in-depth strategies rather than only tracking specific TTPs.

Reference:

https://unit42.paloaltonetworks.com/muddled-libras-strike-teams/