Weekly Threat Landscape Digest – Week 34

1. Vulnerability in Palo Alto Networks GlobalProtect

A medium-severity vulnerability (CVE-2025-2183, CVSS 4.5) has been identified in Palo Alto Networks’ GlobalProtect VPN client for Windows and Linux. The flaw arises from insufficient validation of server certificates, which allows attackers on the same network segment to redirect GlobalProtect traffic to a malicious server. By exploiting this weakness, adversaries can install fraudulent root certificates, which may then be used to deploy malicious software signed with attacker-controlled certificate authorities.

Key Details

• CVE ID: CVE-2025-2183
• Severity: Medium (CVSS 4.5)
• Vulnerability Type: Improper server certificate validation
• Impact:
  • Unauthorized root certificate installation
  • Execution of attacker-signed malicious software
  • Potential bypass of endpoint defenses reliant on code-signing trust

Affected Versions

• Windows: Versions prior to 6.3.2-h9, 6.3.3-h2, or 6.2.8-h3
• Linux: Versions prior to 6.3.3

Recommendations

• Upgrade to 6.3.2-h9 or 6.3.3-h2 (Windows) and 6.3.3 (Linux), or later versions.
• Restrict use of GlobalProtect on untrusted networks until patches are applied.
• Monitor for suspicious certificate installations and unauthorized software execution.

Reference:
https://security.paloaltonetworks.com/CVE-2025-2183

2. Multiple Vulnerabilities in Apache Tomcat

Apache Tomcat has released security updates addressing two significant vulnerabilities impacting multiple supported versions of its open-source application server. Successful exploitation could enable session fixation attacks or denial-of-service (DoS) via the MadeYouReset (HTTP/2) technique.

Vulnerability Details

1. CVE-2025-55668 – Session Fixation via Rewrite Valve

• Severity: Medium (CVSS 6.5)
• Description: A flaw in Tomcat’s rewrite valve mechanism allows attackers to set a user’s session ID before login, potentially hijacking sessions.
• Affected Versions:
  • Apache Tomcat 11.0.0-M1 to 11.0.7
  • Apache Tomcat 10.1.0-M1 to 10.1.41
  • Apache Tomcat 9.0.0.M1 to 9.0.105
  • Possibly older, end-of-life versions
• Fixed Versions:
  • Apache Tomcat 11.0.8+
  • Apache Tomcat 10.1.42+
  • Apache Tomcat 9.0.106+

1. CVE-2025-48989 – Denial-of-Service via MadeYouReset HTTP/2

• Severity: High (CVSS 7.5)
• Description: Tomcat is vulnerable to the MadeYouReset attack, where improper stream reset handling in HTTP/2 can cause resource exhaustion and service disruption.
• Affected Versions:
  • Apache Tomcat 11.0.0-M1 to 11.0.9
  • Apache Tomcat 10.1.0-M1 to 10.1.43
  • Apache Tomcat 9.0.0.M1 to 9.0.107
• Fixed Versions:
  • Apache Tomcat 11.0.10+
  • Apache Tomcat 10.1.44+
  • Apache Tomcat 9.0.108+

Potential Impact

• Session hijacking through fixation attacks
• Service disruption or downtime caused by resource exhaustion
• Increased risk of exploitation in internet-facing deployments

Recommendations

• Update Apache Tomcat immediately to the latest fixed versions.
• Restrict external access to administrative interfaces.
• Monitor server logs for anomalies related to session IDs or HTTP/2 reset floods.
• Apply network-level rate limiting for HTTP/2 connections where feasible.

References

• https://lists.apache.org/thread/v6bknr96rl7l1qxkl1c03v0qdvbbqs47
• https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf

3. Actively Exploited Vulnerability in Apple Products

Apple has released emergency security updates to patch a critical zero-day vulnerability in the Image I/O framework, which is actively exploited in targeted attacks. Successful exploitation can cause memory corruption and enable remote code execution (RCE) when a maliciously crafted image file is processed.

Vulnerability Details

• CVE ID: CVE-2025-43300
• Component: Apple Image I/O Framework
• Type: Out-of-bounds write
• Impact: Memory corruption leading to arbitrary code execution
• Exploitation: Actively exploited in sophisticated targeted campaigns
• Attack Vector: Malicious image files opened in vulnerable applications

Affected and Fixed Versions

• iOS & iPadOS: Prior to 18.6.2 → Fixed in 18.6.2
• iPadOS: Prior to 17.7.10 → Fixed in 17.7.10
• macOS Sequoia: Prior to 15.6.1 → Fixed in 15.6.1
• macOS Sonoma: Prior to 14.7.8 → Fixed in 14.7.8
• macOS Ventura: Prior to 13.7.8 → Fixed in 13.7.8

Potential Impact

• Execution of attacker-supplied code on vulnerable Apple devices
• Compromise of system integrity and confidentiality
• Potential lateral movement across connected environments

Recommendations

• Update immediately to the latest fixed versions released by Apple
• Avoid opening image files from untrusted or unknown sources
• Monitor devices for unusual behavior or unauthorized processes
• Enforce strong endpoint security measures, including behavior-based detection

References

• https://support.apple.com/en-us/100100

4. Security Updates – Chrome OS

Google has released security updates for ChromeOS and ChromeOS Flex to address multiple vulnerabilities affecting both the Long Term Support (LTS) and Stable channels. The updates include fixes for high-severity memory corruption and type confusion issues in critical components, including V8, WebRTC, and ANGLE, as well as third-party components.

Vulnerability Details

Long Term Support (LTS) Channel

• CVE-2025-7657: Use-after-free in WebRTC (High)
• CVE-2025-7656: Integer overflow in V8 (High)
• CVE-2025-8010: Type confusion in V8 (High)
• Fixed Version: 132.0.6834.241 (Platform Version: 16093.115.0)

Stable Channel – Third-Party Components

• CVE-2025-0932: Use-after-free in Arm Ltd Bifrost GPU Userspace Driver (High)
• CVE-2025-38349: Use-after-free vulnerability on Linux systems as a local user (Medium)

Stable Channel – Chrome Browser

• CVE-2025-8578: Use-after-free in Cast (Medium)
• CVE-2025-8581: Inappropriate implementation in Extensions (Low)
• CVE-2025-8576: Use-after-free in Extensions (Medium)
• CVE-2025-8580: Inappropriate implementation in Filesystems (Low)
• CVE-2025-8583: Inappropriate implementation in Permissions (Low)
• CVE-2025-8582: Insufficient validation of untrusted input in DOM (Low)
• CVE-2025-8901: Out-of-bounds write in ANGLE (High)
• CVE-2025-8881: Inappropriate implementation in File Picker (Medium)
• CVE-2025-8880: Race condition in V8 (High)
• CVE-2025-8879: Heap buffer overflow in libaom (High)
• Fixed Version: M-139, ChromeOS 16328.55.0 (Browser 139.0.7258.137)

Potential Impact

• Execution of attacker-supplied code via ChromeOS vulnerabilities
• Compromise of Chrome browser integrity and user data
• Escalation of privileges through third-party component flaws
• Denial of service or instability in ChromeOS environments

Recommendations

• Apply the latest security updates for ChromeOS and ChromeOS Flex immediately
• Ensure devices are updated to the fixed versions (LTS 132.0.6834.241 / Stable M-139)
• Monitor endpoints for abnormal behavior or exploit attempts targeting Chrome components

References

• https://chromereleases.googleblog.com/2025/08/long-term-support-channel-updatefor_20.html
• https://chromereleases.googleblog.com/2025/08/stable-channel-update-forchromeos.html

5. Security Updates – Mozilla

Mozilla has released security updates to address multiple vulnerabilities affecting Firefox, Firefox ESR, Thunderbird, and Focus for iOS. Successful exploitation of these vulnerabilities could result in sandbox escapes, same-origin policy bypass, memory corruption, spoofing, and denial-of-service (DoS) conditions.

Vulnerability Details

High-Severity Vulnerabilities

• CVE-2025-9179: Sandbox escape due to invalid pointer in Audio/Video: GMP component
• CVE-2025-9180: Same-origin policy bypass in Graphics: Canvas2D component
• CVE-2025-9184: Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142, and Thunderbird 142
• CVE-2025-9185: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142, and Thunderbird 142
• CVE-2025-9187: Memory safety bugs fixed in Firefox 142 and Thunderbird 142
• CVE-2025-55030: Content-Disposition headers incorrectly ignored for some MIME types
• CVE-2025-55032: Focus incorrectly ignores Content-Disposition headers for some MIME types

Moderate-Severity Vulnerabilities

• CVE-2025-9181: Uninitialized memory in JavaScript Engine component
• CVE-2025-55028: JavaScript alerts could impede UI interaction or allow denial of service attacks
• CVE-2025-55031: Passkey phishing within Bluetooth range
• CVE-2025-55033: Drag and drop gestures in Focus for iOS could allow JavaScript links to be executed incorrectly

Low-Severity Vulnerabilities

• CVE-2025-9182: Denial-of-service due to out-of-memory in Graphics: WebRender component
• CVE-2025-9183: Spoofing issue in Address Bar component
• CVE-2025-9186: Spoofing issue in Address Bar component of Firefox Focus for Android
• CVE-2025-55029: Malicious scripts could spam popups for denial of service attacks

Fixed Versions

• Thunderbird 140.2
• Thunderbird 128.14
• Thunderbird 142
• Focus for iOS 142
• Firefox for iOS 142
• Firefox ESR 140.2
• Firefox ESR 128.14
• Firefox ESR 115.27
• Firefox 142

Potential Impact

• Sandbox escape leading to broader system compromise
• Same-origin policy bypass allowing unauthorized cross-site data access
• Remote code execution via memory corruption flaws
• Spoofing attacks undermining user trust in browser security
• Denial-of-service conditions causing disruption in normal usage

Recommendations

• Update immediately to the latest fixed versions of Firefox, Firefox ESR, Thunderbird, and Focus for iOS
• Monitor for abnormal behavior on systems running outdated versions
• Enforce strict update policies across all environments using Mozilla products

References

• https://www.mozilla.org/en-US/security/advisories/

6. Privilege Escalation Vulnerability in ManageEngine Products

A high-severity vulnerability has been identified in ManageEngine products that could be exploited to gain unauthorized access, compromise user accounts, and expose sensitive information.

Vulnerability Details

• CVE ID: CVE-2025-8309
• Severity: High
• Type: Privilege Escalation due to overly permissive regex rules in URL mapping
• Cause: Improper wildcard handling in servlet URL mapping, resulting in unauthorized path matching
• Exploitation: An authenticated, low-privileged user can escalate privileges and gain control of accounts, including administrator accounts
• Impact: Data exposure, privilege abuse, and unauthorized administrative actions

Affected and Fixed Versions

• AssetExplorer – 7700 and below → Fixed in 7710
• ServiceDesk Plus – 15100 and below → Fixed in 15110
• ServiceDesk Plus MSP – 14930 and below → Fixed in 14940
• SupportCenter Plus – 14930 and below → Fixed in 14940

Potential Impact

• Escalation of privileges from low-level to administrative accounts
• Unauthorized access to sensitive user and organizational data
• Abuse of administrator-level functions and configurations
• Potential compromise of entire ManageEngine environment

Recommendations

• Apply the latest fixed versions of affected ManageEngine products immediately
• Review account activity for signs of unauthorized privilege escalation
• Limit access of low-privileged accounts until updates are applied
• Monitor logs for suspicious URL path matching or privilege-related anomalies

References

• https://www.manageengine.com/products/service-desk/cve-2025-8309.html

7. Security Updates – Google Chrome

Google has released security and stability updates for the Chrome browser across multiple platforms, including Chrome for Android, Chrome Stable Desktop, and the Extended Stable channel. The updates address a high-severity vulnerability in the V8 JavaScript engine and include additional stability and performance improvements.

Vulnerability Details

• CVE-2025-9132 – High Severity
• Type: Out-of-bounds write in V8 JavaScript engine
• Exploitation: Maliciously crafted web content could trigger memory corruption within the browser’s sandbox
• Impact: Arbitrary code execution, memory corruption, or browser crashes

Fixed Versions

• Stable Channel – Desktop
  • Chrome 139.0.7258.138/.139 for Windows, Mac
  • Chrome 139.0.7258.138 for Linux
• Chrome for Android
  • Chrome 139 (139.0.7258.143)
• Extended Stable Channel – Desktop
  • Chrome 138.0.7204.243 for Windows and Mac

Potential Impact

• Remote code execution via malicious web content
• Compromise of browser security leading to user data exposure
• Increased risk of drive-by download or watering hole attacks
• Potential chain exploitation with other vulnerabilities

Recommendations

• Update immediately to the latest versions of Chrome across all platforms
• Enable auto-update policies to ensure timely patching of future vulnerabilities
• Monitor browser activity for crashes or suspicious behavior after updates

References

• https://chromereleases.googleblog.com/2025/08/stable-channel-update-fordesktop_19.html
• https://chromereleases.googleblog.com/

8. Critical Vulnerability in WordPress Form Database Plugin

A critical vulnerability has been identified in the Database for Contact Form 7, WPForms, and Elementor Forms plugin for WordPress. This flaw could allow unauthenticated attackers to execute remote code or cause denial of service on affected websites.

Vulnerability Details

• CVE ID: CVE-2025-7384
• Severity: Critical
• CVSS Score: 9.8
• Type: Insecure deserialization in the get_lead_detail function leading to PHP Object Injection (POI)
• Exploitation:
  • Can be triggered by unauthenticated attackers through malicious input
  • When combined with a PHP Object Payload (POP) chain in Contact Form 7, attackers can delete arbitrary files (e.g., wp-config.php)
• Impact:
  • Remote Code Execution (RCE) – Possible if configuration files are replaced with malicious files
  • Arbitrary File Deletion – Removal of critical system or application files
  • Denial of Service (DoS) – Complete site outage if essential files are deleted
  • Full Site Compromise – If chained with other exploits

Affected and Fixed Versions

• Affected Versions: All versions up to and including 1.4.3
• Fixed Version: 1.4.4 and later

Potential Impact

• Loss of website availability and functionality
• Full compromise of the WordPress site and database
• Unauthorized control of the server hosting the WordPress installation
• Risk of lateral movement to other hosted applications or services

Recommendations

• Update immediately to version 1.4.4 or later
• Review WordPress server logs for signs of file deletion or suspicious activity
• Backup critical WordPress configuration files and databases before applying updates
• Consider enabling a WordPress security plugin (e.g., Wordfence) for additional protection

References

• https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/contactform-entries/database-for-contact-form-7-wpforms-elementor-forms-143-unauthenticated-php-object-injection-to-arbitrary-file-deletion 

9. Critical Vulnerability in Rockwell Automation FactoryTalk Linx

A critical vulnerability has been identified in Rockwell Automation’s FactoryTalk Linx software. Successful exploitation could allow attackers to bypass authentication and manipulate industrial network configurations, posing a significant risk to operational integrity and safety.

Vulnerability Details

• CVE ID: CVE-2025-7972
• Severity: Critical
• CVSS Score: 9.0
• Component: FactoryTalk Linx Network Browser
• Cause: By setting process.env.NODE_ENV to “development”, attackers can disable FTSP token validation, bypassing authentication
• Exploitation:
  • Unauthorized users could create, update, or delete FT Linx drivers
  • Rogue configurations may be introduced into industrial networks
• Impact:
  • Alter communication paths between control devices
  • Remove or corrupt driver configurations
  • Introduce rogue devices into the control network

Affected and Fixed Versions

• Affected Versions: All versions prior to 6.50
• Fixed Version: 6.50 and later

Potential Impact

• Loss of control network integrity
• Unauthorized changes to industrial communication drivers
• Increased risk of operational disruption and downtime
• Safety risks due to manipulated industrial device communication

Recommendations

• Update immediately to version 6.50 or later
• Monitor control system logs for unauthorized configuration changes
• Restrict access to FactoryTalk Linx interfaces to trusted administrators only
• Conduct a security review of industrial network configurations post-update

References

• https://www.rockwellautomation.com/en-us/trust-center/securityadvisories/advisory.SD1735.html

10. High-Severity Vulnerabilities in PostgreSQL

Multiple vulnerabilities have been identified in PostgreSQL that could allow sensitive information disclosure, arbitrary code execution during database restoration, and SQL injection attacks on affected systems.

Vulnerability Details

• CVE-2025-8713 – Optimizer Statistics Information Disclosure
  • CVSS Score: 3.1 (Low)
  • PostgreSQL optimizer statistics may allow users to read sampled data from views they do not have permission to access.
  • Bypasses row security policies and view access controls, potentially exposing metadata such as histograms and most-common-values lists.
• CVE-2025-8714 – Arbitrary Code Execution via pg_dump
  • CVSS Score: 8.8 (High)
  • A malicious superuser of the origin server can craft database objects so that arbitrary code is executed on the client operating system during restoration with psql.
  • Could fully compromise client environments and allow persistent backdoor installation.
• CVE-2025-8715 – Improper Neutralization of Newlines in pg_dump
  • CVSS Score: 8.8 (High)
  • Improper handling of newline characters in pg_dump enables attackers to inject arbitrary code execution via crafted object names.
  • This issue, a regression of CVE-2012-0868, allows both restore-time code execution and SQL injection on the target restore server.

Affected and Fixed Versions

• Fixed Versions: PostgreSQL 17.6, 16.10, 15.14, 14.19, 13.22, or 18 Beta 3

Potential Impact

• Unauthorized access to sensitive statistical data from protected views
• Remote code execution during pg_dump restore operations
• SQL injection attacks against restoration servers
• Potential compromise of client environments through backdoored database objects

Recommendations

• Update to the latest fixed PostgreSQL versions (17.6, 16.10, 15.14, 14.19, 13.22, or 18 Beta 3) immediately
• Review database access policies and limit exposure of optimizer statistics
• Restrict the use of pg_dump and restoration processes to trusted administrators only
• Monitor client systems for anomalies if database restores were performed from untrusted sources

References

• https://www.postgresql.org/about/news/postgresql-176-1610-1514-1419-1322-and18-beta-3-released-3118/

11. MadeYouReset Vulnerability in HTTP/2 Enables DoS Attacks

A newly discovered attack technique, MadeYouReset, affects multiple HTTP/2 implementations and can be exploited to conduct powerful Denial-of-Service (DoS) attacks. The flaw enables attackers to bypass per-connection concurrent stream limits, causing resource exhaustion and potentially leading to out-of-memory conditions or server crashes.

Vulnerability Details

• Technique Name: MadeYouReset
• Type: Denial-of-Service (DoS)
• Cause: Abuse of the RST_STREAM mechanism in HTTP/2 protocol handling
• Attack Vector: Remote, unauthenticated attacker sends crafted HTTP/2 frames to trigger server-side stream resets while backend processing continues
• Bypass: Circumvents previous HTTP/2 DoS mitigations (including Rapid Reset, CVE-2023-44487) by exploiting server-initiated resets
• Impact:
  • Resource exhaustion (threads and memory)
  • Service degradation with delayed or dropped requests
  • Potential escalation to full server crash

Primitives Abused:

• WINDOW_UPDATE
• PRIORITY
• HEADERS
• DATA
  → These are used to trigger excessive RST_STREAM handling in a resource-intensive way

Affected Systems

• Apache Tomcat – CVE-2025-48989
• F5 BIG-IP – CVE-2025-54500
• Netty – CVE-2025-55163
• Potentially Others – Any server/proxy relying on vulnerable HTTP/2 libraries or weak stream reset/resource management

Potential Impact

• Large-scale denial-of-service against HTTP/2 endpoints
• Resource exhaustion leading to downtime and service disruption
• Increased risk for internet-facing systems using HTTP/2 (e.g., load balancers, APIs, proxies)
• Possible business continuity impact due to widespread unavailability

Recommendations

• Apply vendor-provided security updates for all affected products immediately
• Monitor for abnormal HTTP/2 stream activity and reset events
• Limit exposure of HTTP/2 endpoints to untrusted networks until patches are in place
• Review server configurations to ensure proper enforcement of stream limits and resource usage thresholds

References

• https://deepness-lab.org/publications/madeyoureset/

12. RCE Vulnerability in HPE Online Double Conversion UPS

A high-severity vulnerability has been identified in HPE Online Double Conversion UPS systems using the 1G Management Module (Q1C17A). Successful exploitation could allow remote code execution by unauthenticated attackers, potentially compromising power infrastructure and connected enterprise networks.

Vulnerability Details

• CVE ID: CVE-2024-6387
• Severity: High
• CVSS Score: 8.1
• Component: HPE G2 UPS with 1G Network Management Module (Q1C17A)
• Exploitation: Remote, unauthenticated attackers may execute unauthorized code on affected devices
• Impact:
  • Compromise of power infrastructure and UPS management
  • Lateral movement within enterprise networks
  • Denial of service through disruption of UPS operations

Affected Versions

• HPE G2 R5000 3U L630/208V 4out NA/JP UPS – Prior to v3.1.21
• HPE G2 R5000 3U L630/208V 5out NA/JP UPS – Prior to v3.1.21
• HPE G2 R6000 3U IEC/230V 9out INTL UPS – Prior to v3.1.21
• HPE G2 R8000 6U Hardware 208V NA/JP UPS – Prior to v3.1.21
• HPE G2 R8000 6U Hardware 230V INTL UPS – Prior to v3.1.21

Fixed Versions

• HPE G2 R5000 – Firmware 3.1.21 or later (Q1C17A module)
• HPE G2 R6000 – Firmware 3.1.21 or later (Q1C17A module)
• HPE G2 R8000 – Firmware 3.1.21 or later (Q1C17A module)

Potential Impact

• Unauthorized control of UPS systems leading to power disruption
• Risk to data center and enterprise network availability
• Potential entry point for further attacks across critical infrastructure

Recommendations

• Update affected HPE UPS devices to firmware 3.1.21 or later immediately
• Restrict remote access to UPS management interfaces to trusted networks only
• Monitor for unusual activity on UPS management modules
• Conduct a security review of connected infrastructure to identify potential lateral movement risks

References

• https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbhf04852en_us&docLocale=en_US 

13. Security Updates – Adobe

Adobe has released its August 2025 security updates addressing multiple vulnerabilities across a wide range of products, including 3D design, content creation, publishing, and other solutions. A total of 13 advisories were published, covering critical and important issues that could allow arbitrary code execution, privilege escalation, denial of service, information disclosure, or security feature bypass.

Vulnerability Details

Substance 3D Suite (Viewer, Modeler, Painter, Sampler, Stager)

• Patched critical arbitrary code execution vulnerabilities
• Fixed important memory leak issues

Adobe Commerce & Magento Open Source

• Fixed critical privilege escalation vulnerabilities
• Addressed denial of service and arbitrary file system read issues
• Security feature bypass flaws resolved

Adobe Animate

• Critical arbitrary code execution vulnerability fixed
• Memory leak issue addressed

Adobe Illustrator

• Critical code execution vulnerabilities patched
• Denial of service issue resolved

Adobe Photoshop

• Critical arbitrary code execution vulnerability fixed

Adobe Dimension

• Memory leak issue addressed

Adobe FrameMaker

• Critical arbitrary code execution vulnerabilities patched

Adobe InCopy & InDesign

• Critical vulnerabilities resolved, primarily affecting arbitrary code execution

Potential Impact

• Remote code execution via crafted files or malicious inputs
• Unauthorized privilege escalation on affected systems
• Denial of service disrupting availability of Adobe products
• Information disclosure leading to data leakage
• Security feature bypass undermining built-in protections

Recommendations

• Apply the latest Adobe security updates across all affected products immediately
• Review Adobe Security Bulletins for CVE identifiers and fixed versions relevant to your environment
• Ensure auto-update is enabled where supported
• Monitor systems for unusual behavior or attempted exploitation of Adobe applications

References

• https://helpx.adobe.com/security/security-bulletin.html

14. High-Severity Vulnerabilities in HPE ProLiant Servers

High-severity vulnerabilities have been identified in HPE ProLiant servers that could allow local attackers to escalate privileges and gain unauthorized access to affected systems.

Vulnerability Details

• CVE-2025-22839
  • Severity: High (CVSS 7.5)
  • A vulnerability in the Intel Out-of-Band Management (OOBM) Services Module in HPE ProLiant DL/ML/XD products with Intel processors.
  • Exploitable locally to escalate privileges.
• CVE-2025-22840
  • Severity: High (CVSS 7.4)
  • A vulnerability affecting HPE ProLiant DL/ML/XD Gen12 servers using Intel Xeon 6 Scalable Processors.
  • Locally exploitable to escalate privileges under specific conditions.

Affected Versions

• HPE ProLiant Compute DL320 Gen12 – Prior to 1.40_05-22-2025
• HPE ProLiant Compute DL340 Gen12 – Prior to 1.40_05-22-2025
• HPE ProLiant Compute DL360 Gen12 – Prior to 1.40_05-22-2025
• HPE ProLiant Compute DL380 Gen12 – Prior to 1.40_05-22-2025
• HPE ProLiant Compute DL380a Gen12 – Prior to 1.40_05-22-2025
• HPE ProLiant Compute DL384 Gen12 – Prior to 1.40_05-22-2025
• HPE ProLiant Compute DL580 Gen12 – Prior to 1.40_05-22-2025
• HPE ProLiant Compute ML350 Gen12 – Prior to 1.40_05-22-2025
• HPE ProLiant Compute XD230 – Prior to 1.40_05-22-2025

Fixed Versions

• BIOS v1.40_05-22-2025 or later

Potential Impact

• Unauthorized privilege escalation on affected servers
• Compromise of server integrity and confidentiality
• Increased risk of insider threats and lateral movement
• Potential disruption of enterprise workloads hosted on ProLiant servers

Recommendations

• Update all affected HPE ProLiant servers to BIOS version 1.40_05-22-2025 or later
• Restrict local access to servers until updates are applied
• Monitor for unusual privilege escalation attempts on vulnerable systems
• Review access policies to ensure proper segregation of administrative privileges

References

• https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbhf04934en_us&docLocale=en_US 
• https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbhf04933en_us&docLocale=en_US 

15. Critical Vulnerability in Apache Tika PDF Parser

A critical XML External Entity (XXE) vulnerability has been identified in Apache Tika’s PDF parser module. Successful exploitation could allow attackers to access sensitive data or pivot into internal networks.

Vulnerability Details

• CVE ID: CVE-2025-54988
• Severity: Critical
• Component: Apache Tika PDF Parser Module (org.apache.tika:tika-parser-pdf-module)
• Type: XML External Entity (XXE) Injection
• Affected Versions: 1.13 through 3.2.1
• Fixed Version: 3.2.2
• Affected Packages (via dependency):
  • tika-parsers-standard-modules
  • tika-parsers-standard-package
  • tika-app
  • tika-grpc
  • tika-server-standard
• Exploitation Impact:
  • Read sensitive files on the host system
  • Trigger server-side request forgery (SSRF)
  • Exfiltrate data to attacker-controlled servers

Potential Impact

• Unauthorized access to sensitive files and metadata
• Internal network compromise through SSRF attacks
• Exfiltration of confidential information to external servers
• Potential chaining with other vulnerabilities for lateral movement

Recommendations

• Update immediately to Apache Tika version 3.2.2 or later
• Audit applications using Apache Tika to identify vulnerable dependencies
• Restrict network access for applications parsing untrusted PDF files
• Monitor logs for suspicious PDF parsing requests or outbound connections

References

• https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w

16. Critical Vulnerability in tar-fs NPM Package

A critical vulnerability has been identified in the widely used tar-fs NPM package. Successful exploitation could allow attackers to manipulate tar archive extraction, enabling arbitrary file writes outside the intended directory and potentially leading to data compromise or system takeover.

Vulnerability Details

• CVE ID: CVE-2025-48387
• Severity: Critical
• Type: Directory Traversal via malicious tar files
• Proof-of-Concept (PoC): Available publicly
• Exploitation:
  • Attackers can craft malicious tar files that perform directory traversal
  • Allows arbitrary file writes outside the designated extraction directory
  • Can result in privilege escalation, data corruption, or remote code execution

Affected Versions

• tar-fs < 3.0.8
• tar-fs < 2.1.2
• tar-fs < 1.16.4

Fixed Versions

• tar-fs v3.0.9
• tar-fs v2.1.3
• tar-fs v1.16.5

Potential Impact

• Arbitrary file overwrite leading to privilege escalation
• Remote code execution on vulnerable systems
• Data corruption or deletion of critical files
• Full system compromise when combined with other attack vectors

Recommendations

• Upgrade immediately to tar-fs v3.0.9, v2.1.3, or v1.16.5 depending on the branch in use
• Validate integrity of tar archives before extraction
• Run tar extraction under least-privilege contexts to minimize potential damage
• Review systems for signs of unauthorized file modifications following tar-fs usage

References

• https://github.com/google/security-research/security/advisories/GHSA-xrg4-qp5w-2c3w

17. Charon Ransomware Targets Middle East with APT-Style Tactics

A new ransomware family, Charon, has been observed in targeted campaigns against the Middle East’s public sector and aviation industry. The attacks blend APT-grade tactics with ransomware objectives, including DLL sideloading, process injection, and anti-EDR evasion.

Attack Chain Overview

• Initial Vector: Legitimate browser component (Edge.exe, renamed from cookie_exporter.exe) is abused to sideload a malicious DLL loader (msedge.dll – “SWORDLDR”).
• Payload Delivery: SWORDLDR decrypts shellcode stored in DumpStack.log which drops the Charon ransomware executable.
• Execution: Ransomware injected into a new svchost.exe process to masquerade as a Windows service and evade defenses.
• Persistence: Creates a mutex OopsCharonHere to prevent reinfection.
• Ransom Note: Customized per victim, highlighting the campaign’s targeted nature.

File Encryption Method

• Curve25519 for key agreement; ChaCha20 for file stream encryption
• Partial encryption for speed and impact
• Files appended with .Charon extension and marker: hCharon is enter to the urworld!
• Skips encryption of system-critical files and ransom note itself

Attribution

• Potential links to Earth Baxia based on shared toolchain and DLL sideloading methodology

Potential Impact

• Operational Disruption: Multi-threaded, fast encryption across endpoints and shares
• Data Loss: Backups, shadow copies, and recycle bin deleted to prevent recovery
• Financial/Reputational Risk: Tailored ransom demands, downtime, and potential data leaks
• Elevated Threat: Use of APT-level tactics increases likelihood of bypassing defenses

Recommendations

• Prevent Execution & Lateral Movement:
  • Restrict unsigned/suspicious DLL execution alongside legitimate binaries
  • Monitor anomalies such as Edge.exe spawning svchost.exe
  • Limit access to network shares; disable ADMIN$ unless required
• Strengthen Backups & Recovery:
  • Maintain offline or immutable backups
  • Test restoration processes regularly
  • Restrict and monitor backup privileges
• Enhance Detection & Response:
  • Enable advanced EDR features to detect DLL sideloading, process injection, and encryption activity
• User Awareness & Privilege Management:
  • Train staff to identify malicious attachments/executables
  • Enforce least privilege for accounts and services

References

• https://www.trendmicro.com/en_us/research/25/h/new-ransomware-charon.html

18. Contactless Card Data Theft Attributed to PhantomCard Malware

A new Android malware, PhantomCard, is being used to steal contactless payment card data and conduct remote fraudulent transactions. The malware disguises itself as a card protection service app and is distributed via fake websites imitating Google Play.

Threat Details

• Malware Name: PhantomCard
• Platform: Android
• Technique: Near Field Communication (NFC)-based trojan
• Distribution: Fake websites mimicking Google Play Store
• Functionality:
  • Prompts victims to tap their bank cards for “verification”
  • Captures NFC payment card data and transmits it to attacker-controlled servers
  • Sends data to command-and-control (C2) infrastructure, alerting attackers when a card is ready for fraudulent use
  • Capable of requesting and transmitting PINs for larger withdrawals or purchases

Fraudulent Operations

• Captured card data is used to simulate real-time transactions at:
  • Remote point-of-sale (POS) terminals
  • Automated Teller Machines (ATMs)
• Enables unauthorized purchases and cash withdrawals
• PIN harvesting enables bypassing of transaction limits

Attribution

• Origin: Localized adaptation of the Chinese-developed NFU Pay Malware-as-a-Service platform
• Operator: Brazilian threat actor Go1ano
• Indicators of localization:
  • Use of /baxi/b endpoint (reference to Brazil)
  • Customized for Brazilian victims, but adaptable to other markets

Potential Impact

• Large-scale financial fraud using NFC payment card data
• Victims suffer monetary losses due to unauthorized withdrawals and purchases
• Risk of malware expansion to new regions beyond Brazil
• Growth of regionalized Malware-as-a-Service models making advanced fraud tools more accessible in underground markets

Recommendations

• Avoid downloading apps from unofficial websites or links outside of Google Play Store
• Monitor Android devices for suspicious permissions or unexpected NFC activity
• Financial institutions should:
  • Enhance monitoring of unusual card transactions
  • Implement additional fraud detection controls on NFC-based payments
• Educate users about phishing websites and fake “card protection” apps
• Consider disabling NFC on devices when not in use

References

• https://www.scworld.com/brief/contactless-card-data-theft-attributed-to-phantomcard-malware

19. GodRAT Trojan Targets Trading Firms Using Steganography and Gh0st RAT Code

A new remote access trojan (RAT) named GodRAT is being used in targeted attacks against financial institutions, particularly trading and brokerage firms. The malware blends steganography techniques with legacy Gh0st RAT code, enabling advanced persistence, data theft, and secondary malware delivery.

Threat Details

• Malware Name: GodRAT
• First Observed: September 2024 (campaigns active as recently as August 12, 2025)
• Targeted Regions: Hong Kong, UAE, Lebanon, Malaysia, Jordan
• Initial Infection Vector:
  • Malicious .SCR (screen saver) files disguised as financial documents
  • Distributed via Skype messenger
• Payload Delivery:
  • Self-extracting executable with embedded malicious DLL
  • DLL sideloading by legitimate executable
  • Extracts shellcode hidden inside .JPG files (steganography)
  • Shellcode retrieves and deploys GodRAT from a command-and-control (C2) server

Technical Capabilities

• C2 Communication: Establishes TCP connection to C2 server, exfiltrates system info and AV software list
• Core Functions:
  • Inject plugin DLLs into memory
  • Execute additional payloads (AsyncRAT, password stealers)
  • Close sockets and terminate RAT processes
  • Download and execute files using CreateProcessA
  • Open URLs via Internet Explorer shell commands
• FileManager Plugin:
  • Enumerates file system, performs file operations, opens folders, searches files
  • Drops secondary payloads (e.g., Chrome/Edge password stealer, AsyncRAT)

Attribution

• Based on Gh0st RAT code (leaked 2008), commonly used by Chinese APT groups
• Evolution of AwesomePuppet backdoor (documented in 2023)
• Likely attributed to Winnti / APT41 (Chinese state-linked threat actor)

Builder Details

• GodRAT client and builder source code was uploaded to VirusTotal (July 2024)
• Builder allows generation of executable or DLL payloads
• Legitimate binaries supported for injection:
  • svchost.exe, cmd.exe, cscript.exe, curl.exe, wscript.exe, QQMusic.exe, QQScLauncher.exe
• Supported output file types: .exe, .com, .bat, .scr, .pif

Potential Impact

• Unauthorized system access and persistence within financial environments
• Exfiltration of credentials and sensitive trading/financial data
• Deployment of additional RATs and password-stealing tools
• Increased risk of financial fraud, espionage, and operational disruption

Recommendations

• Block and monitor .SCR file execution across enterprise environments
• Inspect traffic for anomalous JPG file transfers containing hidden payloads
• Enable EDR monitoring for DLL sideloading and unusual process injections (e.g., Edge.exe → svchost.exe)
• Patch and harden Skype usage policies in corporate environments
• Review endpoint logs for unauthorized file operations and abnormal TCP connections to unknown servers
• Apply YARA/IOC detections for GodRAT artifacts where available

References

• https://thehackernews.com/2025/08/new-godrat-trojan-targets-trading-firms.html

20. GenAI-Enabled Phishing Campaigns: Fashionable Phishing Bait

Threat actors are increasingly misusing generative AI (GenAI) platforms to create realistic phishing content, clone trusted brands, and automate phishing campaigns. Recent investigations highlight a surge in phishing attacks leveraging AI-powered website builders, writing assistants, and chatbots, making social engineering more convincing and scalable.

Threat Details

• Technique: Abuse of GenAI services for phishing and malicious content hosting
• Observed Misuse:
  • Website Generators: Used to quickly create phishing landing pages that impersonate legitimate companies or retail promotions
  • Writing Assistants: Misused to generate phishing lures and host credential-stealing pages
  • Chatbots: Deployed to socially engineer victims or redirect them to malicious content
• Example:
  • Fake coupon/gift card websites generated by AI-powered builders
  • Phishing sites hosted on AI writing assistant platforms redirecting to fake Microsoft login pages
• Distribution: Primarily through phishing emails, fake promotional links, and malicious redirects

Industry and Adoption Trends

• Industries leading GenAI adoption:
  • High Tech (74%)
  • Education (9.1%)
  • Telecommunications (5.6%)
  • Professional & Legal Services (3.1%)
• AI service categories most adopted:
  • Writing Assistants (31.8%)
  • Media Generators (24.5%)
  • Chatbots (13.2%)
  • Data/Workflow Automation (15.8%)
• Top AI services abused for phishing:
  • Website Generators (~40%)
  • Writing Assistants (~30%)
  • Chatbots (~11%)

Potential Impact

• Large-scale deployment of brand-impersonating phishing pages
• Fraudulent collection of login credentials and sensitive data
• Amplification of Business Email Compromise (BEC) campaigns using realistic AI-generated content
• Long-term risk as AI website builders and content generators improve sophistication

Recommendations

• For Organizations:
  • Deploy Advanced DNS Security and URL Filtering to block known malicious AI-generated domains
  • Monitor for sudden increases in domains impersonating your brand or sector
  • Strengthen employee training on phishing detection, emphasizing realistic AI-generated lures
• For Security Teams:
  • Integrate GenAI-related phishing IOCs into SIEM and EDR solutions
  • Restrict or sandbox access to AI-powered website builders and content-generation platforms where unnecessary
  • Hunt for anomalous website builder traffic within enterprise networks
• For Individuals:
  • Verify websites and offers before interacting with promotional content
  • Avoid entering credentials on unverified pages, even if they appear professional or brand-consistent

References

• https://unit42.paloaltonetworks.com/genai-phishing-bait/

21. Salty 2FA Phishing-as-a-Service Attacking Microsoft 365 Users

A sophisticated new Phishing-as-a-Service (PhaaS) framework dubbed Salty 2FA has been identified targeting Microsoft 365 users. The framework is notable for its ability to bypass multi-factor authentication (MFA/2FA), enabling persistent access to corporate accounts across multiple sectors.

Threat Details

• Name: Salty 2FA
• Type: Phishing-as-a-Service (PhaaS)
• Targeted Platform: Microsoft 365
• Targeted Sectors: Finance, telecommunications, energy, logistics, education
• Discovery: Identified by ANY.RUN during phishing campaign analysis
• Distribution Vector: Phishing emails with lures such as:
  • Fake voicemail notifications
  • Document access requests
  • Fake billing statements
• Domain Infrastructure:
  • Complex redirection chains
  • Use of compound .com domains paired with .ru domains
  • Cloudflare Turnstile protection to evade automated analysis

Technical Details

• Multi-Stage Execution Chain (5 stages):
  1. Initial Loader: Obfuscated JavaScript with “inspirational quote” comments to hinder analysis
  2. ID Encoding: Base64 + XOR encoded element identifiers decoded at runtime
  3. Dynamic Logic: Heavy reliance on jQuery with dynamically generated IDs
  4. Anti-Analysis: Debugging shortcut blocking, execution time measurements to detect sandboxes
  5. Exfiltration: XOR with session-derived keys, data sent via encoded POST requests to Russian-hosted servers
• Bypasses:

• Intercepts MFA/2FA tokens including:
  • Push notifications
  • SMS codes
  • Voice call verification
  • Authenticator app tokens
• Maintains persistence beyond credential theft

Indicators of Compromise (IoCs)

Domains

• innovationsteams[.]com
• marketplace24ei[.]ru
• nexttradeitaly[.]it[.]com
• frankfurtwebs[.]com[.]de

URLs

• hxxps[://]telephony[.]nexttradeitaly[.]com/SSSuWBTmYwu/
• hxxps[://]parochially[.]frankfurtwebs[.]com[.]de/ps6VzZb/
• hxxps[://]marketplace24ei[.]ru//
• hxxps[://]marketplace24ei[.]ru/790628[.]php

IP Addresses (Email-extracted)

• 153[.]127[.]234[.]4
• 51[.]89[.]33[.]171
• 191[.]96[.]207[.]129
• 153[.]127[.]234[.]5

Email

• izumi[@]yurikamome[.]com

Potential Impact

• Credential Theft: Compromise of Microsoft 365 accounts
• MFA Bypass: Persistent unauthorized access despite 2FA
• Business Risk: Email compromise, financial fraud, lateral movement
• Evasion: Obfuscation and redirection chains complicate detection and mitigation

Recommendations

• Implement phishing-resistant MFA (e.g., FIDO2/WebAuthn hardware keys)
• Block and monitor IoCs across email, proxy, and firewall logs
• Deploy advanced URL filtering and DNS security to disrupt malicious redirections
• Train employees to identify phishing lures involving voicemail, billing, or document requests
• Enforce conditional access policies for Microsoft 365 accounts (e.g., device compliance, geo-restrictions)
• Review mail forwarding and inbox rules for compromised accounts

References

• https://cybersecuritynews.com/new-salty-2fa-phaas-platform/