Ransomware attackers Exploit VMware ESXi arbitrary-write vulnerability
VMware ESXi VMware vulnerabilities
Continue ReadingRansomware
Surge in Cyber-Attacks Globally as Attackers Leverage AI; Check Point Report
AI-Driven Attacks Become More Autonomous
Continue Reading
Vulnerability Tracked in Oracle is being Exploited; CISA
CISA, the cyber security agency from US has added a serious vulnerability in Oracle E-Business Suite.As per CISA the flaw tracked in an Oracle E-Business Suite flaw tracked as CVE-2025-61884 is being exploited in attacks, adding it to its Known Exploited Vulnerabilities catalog.
Vulnerability CVE-2025-61884
Oracle published CVE-2025-61884, a server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component, on October 11.
The bug received a CVSS score of 7.5 and does not require authentication to exploit. According to the company, attackers can use this vulnerability to gain “unauthorized access to critical data or full access to all Oracle Configurator data.”
Government organizations in the US must install patches before November 10. However, Oracle itself has not yet confirmed the exploitation.
In early October, Mandiant revealed that the Clop ransomware gang had begun sending extortion emails to companies, claiming that they had stolen data from Oracle E-Business Suite instances using zero-day flaws.
Oracle responded to this news by stating that the threat actors had exploited previously patched flaws disclosed in July.
As per Bleeping computers CVE-2025-61884 addresses the flaw by validating an attacker-supplied “return_url” using a regular expression. If the validation fails, the request is blocked.
To this day, it remains unclear why Oracle listed the ShinyHunters exploit as an IOC for CVE-2025-61882, when it is actually intended for CVE-2025-61884.
Oracle EBS under attack
Orcale E-Business Suit is under targeted atatck by threat actors and investigations by various research teams from Mandiant and Crowdstrike revealed that Oracle EBS had been targeted in two different campaigns.
- July campaign: Used an exploit that targeted an SSRF flaw in the “
/configurator/UiServlet” endpoint, which is now confirmed as CVE-2025-61884. - August campaign: Used a different exploit against the “
/OA_HTML/SyncServlet” endpoint, and was fixed under CVE-2025-61882 through mod_security rules to block the endpoint and by stubbing out the SYNCSERVLET class. This flaw is attributed to Clop.
Oracle disclosed CVE-2025-61884 on October 11 but did not confirm whether it had been exploited, despite having fixed the exploit used in the July attacks. Earlier when the vulnerability CVE-2025-61884 was discovered concerns an information disclosure flaw in the Runtime UI component.
Last week Oracle released an emergency patch this weekend for a critical vulnerability in E-Business Suite. This software flaw can be exploited by attackers without authentication to steal sensitive data.Oracle has assigned the vulnerability a CVSS score of 7.5, which underscores the severity of the problem.
CISA also confirmed that five new vulnerabilities are actually being used to attack systems in the real world. These 5 new CVE’s hit everything from business apps to CMS platforms to core Windows components.
These are
- Oracle EBS bugs give attackers an unauthenticated RCE path and data access through SSRF.
- The SMB flaw enables lateral movement inside networks.
- The Kentico pair lets attackers take over CMS environments used for staging and publishing.
- The Apple vulnerability shows the ongoing risk of legacy systems that missed critical patches.
Threat Mitigation by Oracle E Business Suit when hunting for Threat indicators
• Look for weird patterns in Oracle EBS requests – could be a SSRF issue
• See if there are any spikes in SMB share privileges & check Kentico logs for anything fishy
• Browser logs are the place to look for JavaScriptCore crashes or just weird execution
Oracle released critical patch for a wide range of products and this include
The Critical Patch Update provides security updates for a wide range of product families: Oracle Database Server, Oracle Application Express, Oracle Blockchain Platform, Oracle GoldenGate, Oracle NoSQL Database, Oracle REST Data Services, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle Health Sciences Applications, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Systems, Oracle Utilities Applications, and Oracle Virtualization.
Sources: CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw
Deep Dive into AI Ransomware ‘PromptLock’ Malware
AI Ransomware ‘PromptLock’ uses OpenAI gpt-oss-20b Model for Encryption has been identified by ESET research team, is believed to be the first-ever ransomware strain that leverages a local AI model to generate its malicious components. As we Deep dive into AI Ransomware we discover the intricacies and challenges organizations face dure to AI ransomware.
The malware uses OpenAI’s gpt-oss:20b model via the Ollama API to create custom, cross-platform Lua scripts for its attack.
PromptLock is written in Golang and has been identified in both Windows and Linux variants on the VirusTotal repository and uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts in real-time.
ESET researchers have discovered the first known AI-powered ransomware. The malware, which ESET has named PromptLock, has the ability to exfiltrate, encrypt and possibly even destroy data, though this last functionality appears not to have been implemented in the malware yet.
PromptLock was not spotted in actual attacks and is instead thought to be a proof-of-concept (PoC) or a work in progress, ESET’s discovery shows how malicious use of publicly-available AI tools could supercharge ransomware and other pervasive cyberthreats.
“The PromptLock malware uses the gpt-oss-20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes. PromptLock leverages Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption,” said ESET researchers.
New Era of AI Generated Ransomware
A tool can be used to automate various stages of ransomware attacks and the same can be said as AI-powered malware are able to adapt to the environment and change its tactics on the fly and warns of a new frontier in cyberattacks.
Its core functionality is different then traditional ransomware, which typically contains pre-compiled malicious logic. Instead, PromptLock carries hard-coded prompts that it feeds to a locally running gpt-oss:20b model.
As per researchers for its encryption payload, PromptLock utilizes the SPECK 128-bit block cipher, a lightweight algorithm suitable for this flexible attack model.
ESET researchers emphasize that multiple indicators suggest PromptLock is still in a developmental stage. For instance, a function intended for data destruction appears to be defined but not yet implemented.
Indicators of Compromise (IoCs)
Malware Family: Filecoder.PromptLock.A
SHA1 Hashes:
24BF7B72F54AA5B93C6681B4F69E579A47D7C102AD223FE2BB4563446AEE5227357BBFDC8ADA3797BB8FB75285BCD151132A3287F2786D4D91DA58B8F3F4C40C344695388E10CBF29DDB18EF3B61F7EF639DBC9B365096D6347142FCAE64725BD9F73270161CDCDB46FB8A348AEC609A86FF5823752065D2
Given LLMs’ success, many companies and academic groups are currently creating all kinds of models and constantly developing variants and improvements to LLM. In the context of LLMs, a “prompt” is an input text given to the model to generate a response.
The success rate is high so threat actors are leveraging these models for illicit purposes, making it easier to create sophisticated attacks like ransomware and evade traditional defenses. sale of models Now
By automating the creation of phishing emails, ransomware scripts, and malware payloads, LLMs allow less skilled attackers to conduct sophisticated campaigns.
For AI-powered ransomware
AI-powered ransomware is a challenging threat to organizations far and above older attack tactics adopted by cyber criminals. If organization’s basic defensive methods such as ensuring critical vulnerabilities are patched as soon as possible, network traffic is monitored and implementing offline backups applied on time.
How Intrucept helps Defend Against AI-Powered Ransomware
Analyzing threat by behavior allows for early detection and response to malware threats and alert generation,. This reduces the risk of data exfiltration.
Intru360
Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst.
Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.
Here are some features we offer:
- Over 400 third-party and cloud integrations.
- More than 1,100 preconfigured correlation rules.
- Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
- Prebuilt playbooks and automated response capabilities.
Source of above graphics : Courtesy: First AI Ransomware ‘PromptLock’ Uses OpenAI gpt-oss-20b Model for Encryption
Zero-Day Exploitation in SonicWall Targeted by Akira Ransomware
Summary
A critical zero-day vulnerability is suspected in SonicWall SSL VPN appliances, which are currently being actively exploited by threat actors linked to the Akira ransomware group. These attacks began last month and exploit even fully patched devices and systems with multi-factor authentication (MFA) enabled. In many cases, attackers move quickly, encrypting victim systems within hours of gaining access.
Detailed Observation
The ongoing attacks targeting SonicWall SSL VPN appliances suggest the presence of a zero-day vulnerability that allows threat actors to gain unauthorized access to enterprise networks.
This exploitation may be limited to TZ and NSa-series SonicWall firewalls with SSLVPN enabled. The attack patterns indicate that the attackers may be exploiting a flaw in the VPN’s authentication or session management mechanisms which they can be able to bypass the MFA.
Security researchers also observed that the threat actors often used legitimate credentials, including recently rotated passwords, implying either credential theft or session hijacking.
These login attempts were traced back to Virtual Private Servers (VPS), a common tactic to obscure the attacker’s origin. Once threat actors on the network, they abuse the privileged accounts, then start establishing C2 and move laterally in the network, then at the last stage before deploying the ransomware they are disabling the defenses to smooth deploy.
The ransomware group suggests Akira, has been seen deploying malware and encrypting data within hours, showcasing a high level of automation and operational efficiency.
The pattern and speed of these attacks point to a well-orchestrated campaign that likely began months earlier (as early as October 2024) but surged in mid-July 2025. This level of sophistication, combined with the failure of traditional defenses, strongly supports the theory that attackers are leveraging an undisclosed vulnerability in SonicWall’s SSL VPN stack.
Remediation:
Until an official SonicWall patch is released, organizations should take the following immediate actions:
- Disable SonicWall SSL VPN if possible, especially for external access.
- Enforce network segmentation to limit the radius of any potential breach.
- Monitor access logs for suspicious login attempts (especially from VPS-hosting IP ranges).
- Block known malicious IPs and ASNs used in previous attacks.
- Rotate all VPN credentials, especially for admin or privileged users.
- Harden MFA configuration (though current evidence shows bypasses are possible).
- Enable IP reputation and botnet protection features in SonicWall firewalls.
- Audit all VPN user accounts, removing any inactive or unnecessary ones.
IOCs
| Attacker IP | Threat Actors used tools | ASN/CIDR hosting adversary infrastructure | User & Password created |
| 42.252.99[.]59 | w.exe | AS24863 – LINK-NET – 45.242.96.0/22 | backupSQL (U) |
| 45.86.208[.]240 | win.exe | AS62240 – Clouvider – 45.86.208.0/22 | lockadmin (U) |
| 77.247.126[.]239 | C:\ProgramData\winrar.exe | AS62240 – Clouvider – 77.247.126.0/24 | Password123$ (P) |
| 104.238.205[.]105 | C:\ProgramData\OpenSSHa.msi | AS23470 – ReliableSite LLC – 104.238.204.0/22 | Msnc?42da (P) |
| 104.238.220[.]216 | C:\Program Files\OpenSSH\sshd.exe | AS23470 – ReliableSite LLC – 104.238.220.0/22 | VRT83g$%ce (P) |
| 181.215.182[.]64 | C:\programdata\ssh\cloudflared.exe | AS174 – COGENT-174 – 181.215.182.0/24 | |
| 193.163.194[.]7 | C:\Program Files\FileZilla FTP Client\fzsftp.exe | AS62240 – Clouvider – 193.163.194.0/24 | |
| 193.239.236[.]149 | C:\ProgramData\1.bat | AS62240 – Clouvider – 193.239.236.0/23 | |
| 194.33.45[.]155 | C:\ProgramData\2.bat | AS62240 – Clouvider – 194.33.45.0/24 |
- Source: huntress.com
Conclusion:
The exploitation of a suspected zero-day in SonicWall SSL VPN poses an immediate and critical threat to enterprise environments.
The ability of attackers to bypass authentication and deploy ransomware within hours is highly dangerous and points to a sophisticated, active campaign.
Organizations using SonicWall VPNs must take preemptive steps now, including disabling VPN access if feasible and aggressively monitoring for anomalies, until SonicWall releases a formal patch or mitigation advisory
References:
Surge in Ransomware attack reveal sophistication of Threat actors that strategically focuses on industries to incentivizes Ransom payment
- The United States remains the primary target for Ransomware attacks
- UK is preparing to ban any Ransomware payments for critical infrastructure companies
- Manufacturing, Technology and Healthcare top targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks as per Zscaler report
- RaaS market growth drivers
There has been improvement in cyber resilience but it has been observed when too many entities pay ransom, each payment provides gateway for next attack as the payment incentivise.
Ransomware attack target pattern reveals how threat actors are strategically focusing on industries where operational disruption, data sensitivity, and regulatory concerns create maximum leverage.
In the beginning of July 2025, Federal authorities, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have issued a high-priority advisory warning about the escalating threat posed by the Medusa ransomware group.
Medusa ransomware group ramped up its attacks, increasingly targeting users of major email service providers like Gmail and Outlook. Medusa’s reach extends across multiple industries, with healthcare, education, legal services, insurance, technology, and manufacturing among the hardest hit.
Now UK is preparing to ban any Ransomware payments for critical infrastructure companies, local governments, schools and publicly funded entities like the NHS. The new ransomware payment proposal is just one part of a package of new regulations slated to soon go into effect in the UK, mostly centered on the Cyber Resilience Bill.
The new UK rules would additionally require all business types that are not impacted to notify the government when they intend to make a ransomware payment and may be required to seek guidance on the possibility of the payment violating sanctions on cybercriminal groups.
Surge in ransomware attacks
Zscaler released its annual ThreatLabz 2025 Ransomware Report, revealing a dramatic 146% surge in ransomware attacks blocked by their cloud platform
The report highlights a significant shift in attack strategies, with threat actors increasingly focusing on data extortion over encryption.
Key findings show that ransomware groups stole 238 TB of data, representing a 92% increase year-over-year.
The report identifies Manufacturing, Technology, and Healthcare as the most targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks.
The United States remains the primary target, accounting for 50% of all attacks with 3,671 incidents. RansomHub emerged as the most active group with 833 publicly named victims, followed by Akira (520) and Clop (488).
Ransomware and Crypto market
Well ransomware technique might have changed its pattern but not tactics, with crytpcurrencies it marked a major change and turning point in the world of cyber security.
How can we forget WannaCry (2017), it was perhaps the most infamous ransomware attack in history, caused global disruption by exploiting a Windows vulnerability.
The demand was Bitcoin, but its scale and method were more advanced but not the first.
BlackSuit ransomware extortion sites seized in Operation Checkmate
Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.
Yesterday 28 july, the websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the ransomware gang’s sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.
Key trends Key driving the Ransomware Protection Market
The demand for ransomware protection solutions is further fuelled by the growing number of cyber-attacks targeting businesses, particularly in the BFSI sector, which remains the largest revenue generator in the market.
The demand for RaaS based products growing due to corporate digitization, and the advent of crypto currency like Bitcoin are the key market drivers enhancing the market demand and growth.
This include technological advancements and increasing cyber threats.
- Market size in 2024: USD 32.24 billion; projected to reach USD 93.35 billion by 2032.
- End-point security segment accounted for 35% of market revenue.
- BFSI sector generated the most income, with significant ransomware attacks reported.
- Managed services segment dominated the market, catering to SMEs for enhanced cyber security.
Of all the reasons, cyber attacks now focus on any vulnerability as many businesses are switching to cloud services. In response to the ransom, distributed denial-of-service (DDoS) attacks are launched, which continue until the ransom is paid or the data risks being permanently lost.
Cybercriminals may breach into sites for trading cryptocurrencies and steal money. Crypto currency is currently the most widely used payment method in the event of a ransomware attack
Email remained the primary entry point in 96% of the reviewed breaches, accounting for 93%.
Social attacks are roughly three times more likely to cause breaches in businesses than physical vulnerabilities, highlighting the importance of regular staff cybersecurity training.
It has caused business to start researching ransomware defenses and has significantly increased demand for these defenses in the market under investigation.
Around the world, there are more data leaks and other security breaches. Phishing attacks have been used against numerous businesses from various industries at some point.
APEC market for Ransomware expected to grow
The Asia-Pacific Ransomware Protection Market is expected to grow at the fastest CAGR from 2023 to 2032.
This is due to the growing economies of China, India, and Australia spending extensively on cyber security solutions; Asia Pacific is also predicted to have growth potential in the ransomware prevention market.
Moreover, China’s Ransomware Protection market held the largest market share, and The Asia-Pacific region’s fastest-growing market for ransomware protection was India.
The market for Ransomware Protection industry has recently provided some of the most important benefits. Major players in the Ransomware Protection market, are attempting to increase market demand by investing in research and development operations.
Ransomware Protection Industry Developments
Intrucept has launched Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst.
Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.
Here are some features we offer:
- Over 400 third-party and cloud integrations.
- More than 1,100 preconfigured correlation rules.
- Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
- Prebuilt playbooks and automated response capabilities.
Source:
BlackSuit ransomware extortion sites seized in Operation Checkmate
Ransomware attacks surge despite international enforcement effort | Cybersecurity Dive
SEO Poisoning Campaign Targets IT Admins with Weaponized PuTTY & WinSCP
SEO poisoning & malvertising campaign Summary
A sophisticated SEO poisoning and malvertising campaign has been active since early June 2025, targeting IT administrators with Trojanized installers of commonly used tools like PuTTY and WinSCP.
Attackers are manipulating search engine results and sponsored ads to lead users to fake websites, which deliver backdoored versions of these tools. Arctic Wolf security researchers have uncovered thia malvertising campaign that has been targeting IT professionals since early June 2025.
The malicious campaign leverages search engine manipulation to promote fake download sites that closely mimic legitimate software repositories.
Technical Summary
A threat campaign has been leveraging SEO poisoning and malicious advertisements to trick IT professionals into downloading Trojanized versions of PuTTY and WinSCP from fake websites. Once installed, a malware known as Oyster (aka Broomstick) creates persistent access within the victim’s environment, posing a severe risk to enterprise infrastructure.
This malware establishes persistence by creating a scheduled task that triggers every three minutes, invoking rundll32.exe to execute a malicious DLL named twain_96.dll using the DllRegisterServer export function, a technique commonly used to bypass traditional detection.
The attackers specifically target IT administrators and system operators due to their elevated privileges, which allows rapid lateral movement, access to sensitive systems such as domain controllers and the potential deployment of additional payloads like ransomware.
The campaign’s effectiveness stems from its exploitation of everyday workflows, especially IT admins’ reliance on search engines to download tools making it both highly targeted and socially engineered for success.
| Element | Detail |
| Initial Access | SEO poisoning and fake sponsored ads redirect users to malicious download sites. |
| Malicious Tools | Trojanized installers of PuTTY and WinSCP. |
| Payload | Backdoor malware is known as Oyster/Broomstick. |
| Persistence | Scheduled Task every 3 minutes executing twain_96.dll using rundll32.exe via DllRegisterServer. |
| Target | IT admins with elevated privileges (Domain Admins, Server Admins). |
| Objective | Network penetration, domain controller access, data exfiltration, possible ransomware deployment. |
Malicious Sponsored PuTTY Ad on Bing. Source: Arcticwolf
Observed Malicious Domains
Organizations are urged to block the following domains immediately:
- updaterputty[.]com
- zephyrhype[.]com
- putty[.]run
- putty[.]bet
- puttyy[.]org
These domains host fake versions of PuTTY and WinSCP and are actively used in the ongoing campaign.
Remediation:
1. Enforce Trusted Software Acquisition Policies
- Mandate the use of verified internal software repositories or direct access to official vendor websites.
- Where feasible, implement ad-blocking or web filtering to restrict access to software download categories known to be targeted by malvertising.
2. Strengthen Network and Endpoint Security Controls
- Block known malicious domains at firewall and DNS levels.
- Continuously monitor endpoints for suspicious behavior, including:
- The creation of unauthorized or high frequency scheduled tasks.
- DLL execution via rundll32.exe, especially involving non-standard DLLs such as twain_96.dll.
- Deploy or enhance EDR/XDR solutions to detect backdoor persistence methods.
3. User Awareness
- Educate IT staff on SEO poisoning and the risks of downloading tools via search results.
Conclusion:
By focusing on widely used administrative tools like PuTTY and WinSCP, threat actors are exploiting the trust and habits of IT professionals through convincing social engineering and poisoned search results.
This approach turns essential tools into delivery mechanisms for backdoors and persistent threats, compromising high-privilege users at the core of enterprise infrastructure.
Organizations must respond decisively by reinforcing endpoint monitoring, tightening software acquisition policies and implementing robust network-level defenses to mitigate the risks posed by this rapidly evolving threat landscape.
References:
AI seen as potential for improved threat detection & cost optimization; Wipro Report
As sophisticated cyber threat grows so is the cost and leaders are now preferring to leverage AI for improved threat detection, incident response and cost optimization.
Wipro report on ‘State of Cybersecurity Report 2025’ say 35% cybersecurity leaders which is nearly 33%, globally are opting for AI-driven automation at the forefront of their strategic priorities.
The report surveyed over 100 global cybersecurity leaders and consultants and found that AI-driven automation and cost optimization were among the main cybersecurity priorities for organizations.
Key findings:
30% of respondents state that investing in AI automation to bolster cybersecurity operations and reduce costs is a top priority.
Other strategies used by CISOs to optimize costs include tools rationalization (26%), security and risk management process optimization (23%) and operating model simplification (20%).
The report also highlights the growing role of AI in managing cyber threats and how investing in advanced AI-driven security solutions, continuously monitoring AI developments.
Fostering a culture of innovation and adaptation within cybersecurity teams can play a significant role in risk management.
Many CISOs are leveraging AI to improve threat detection and response times (31 %) and to build enhanced incident response capabilities (24%).
“Cybersecurity budgets are struggling to keep pace with the growing sophistication of cyber threats,” said Tony Buffomante, SVP & Global Head — Cybersecurity & Risk Services, Wipro Limited. “AI offers a solution by helping organizations strengthen defenses while optimizing costs. This allows CISOs to adopt a more outcome-driven focus by prioritizing risk-adjusted returns on investments.
However, even with AI’s growing significance, the implementation of Zero Trust security frameworks remains the predominant investment focus for nearly all surveyed leaders.
AI The crime enabler
In the beginning of 2025, reports came from various sources attackers are weaponizing AI and what cyber security leaders will do about it.
We all know how AI AI has been a good force in helping organizations detect anomalies, automate security responses and to some extent strengthen defense measures. But cost is high and requires lot of investments which many organizations are unbale to do.
At the same time cybercriminals have started to leverage the same technology to supercharge their attacks. The dark web we all know has long been a marketplace for malware and stolen credentials, but in 2025, we’re seeing a surge in AI-powered Cybercrime-as-a-Service (CaaS). Even low-skilled hackers can now rent AI-driven attack tools, making sophisticated threats accessible to a wider pool of cybercriminals.
But what is concerning the type of attacks that selects high-value targets, customizes ransom demands and known as Automated ransomware.
Also malicious actors deploying AI Bots scan for vulnerabilities and analyze defenses, to launch cyber attacks with precisions.
Lot of voice and video spoofing kits have arrived in the market embedded with AI tools that generate convincing deepfake audio or video for fraud and impersonation scams.
Wake up call for Business & Organization
The rise of AI-powered cyber threats is a wake-up call for businesses, governments, and individuals alike and the ‘State of Cybersecurity Report 2025‘ exactly pin-points the necessity to have AI automation to bolster cybersecurity operations and reduce costs.
The next wave of cyber crime is going to be more tactful embedded with AI. AI can analyze vast amounts of publicly available data to create detailed psychological profiles of potential victims.
This enables cyber criminals and prepares them for highly targeted and persuasive social engineering attacks. Having automation driven by AI allows attacks to unfold much more rapidly, leaving defenders with less time to react.
Conclusion: AI-Powered Security Solutions: Just as attackers are leveraging AI, so too must defenders. Implementing AI-powered security tools will act as first line defense and will be able to adapt to new threats in real-time.
Sources: CISOs Increasingly Rely on AI to Navigate Cost Pressures and Enhance Resilience: Wipro Report
Critical SAP NetWeaver Zero-day Vulnerability Exploited in the Wild
As per researchers hackers are actively exploiting a critical unrestricted-file-upload vulnerability in SAP NetWeaver Visual Composer. Regarding this urgent patch has been released by SAP to fix CVE-2025-31324, a zero-day vulnerability in SAP NetWeaver Visual Composer.
Critical SAP NetWeaver Zero-day Vulnerability Exploited in the Wild
The vulnerability in SAP NetWeaver Visual Composer that may have allowed unauthenticated and unauthorized code execution in certain Java Servlets.
Several cybersecurity companies have reported active exploitation in the wild.
Summary
| OEM | SAP |
| Severity | Critical |
| CVSS Score | 10.0 |
| CVEs | CVE-2025-31324 |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
This vulnerability enables remote uploading and execution of malicious files by unauthenticated attackers, potentially compromising the entire system.
It is highly advised to implement patching or mitigation measures right away in order to guard against possible espionage, sabotage, data theft, and operational disruption.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Missing Authorization in Metadata Uploader | CVE-2025-31324 | SAP | Critical | 10.0 |
Technical Summary
The vulnerability stems from a missing authorization check in the Metadata Uploader component of SAP NetWeaver Visual Composer.
Attackers can exploit this by sending crafted unauthenticated POST requests to the development server/meta data uploader endpoint, allowing them to upload arbitrary JSP webshell files.
Once uploaded, attackers can interact with these shells via simple GET requests to execute arbitrary commands, resulting in remote code execution (RCE) with <sid>adm operating system privileges — effectively giving full control over SAP systems.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-31324 | SAP NetWeaver Visual Composer (VCFRAMEWORK 7.50) | Missing authorization check at /developmentserver/metadatauploader enables unauthenticated malicious file uploads. Webshells planted can be used to execute OS-level commands, deploy additional malware, and move laterally across the network. | Full system compromise including: – Remote Command Execution – Privilege Escalation – Data Exfiltration – Ransomware Deployment – Potential Espionage/Sabotage/Fraud |
Key Exploitation Details:
- Exploited Path: /developmentserver/metadatauploader
- Common Webshell Files: helper.jsp, cache.jsp, and others with randomized names.
- Post-Exploitation Tools:
- Brute Ratel: Used for C2 operations, credential theft, privilege escalation.
- Heaven’s Gate: 32-to-64 bit transition technique for evading endpoint detection.
Risk Factors:
- Systems where Visual Composer is enabled (even though it is not enabled by default).
- Systems exposed to the internet.
- Systems without custom security measures protecting the Metadata Uploader endpoint.
Remediation:
- Apply SAP Patch: Updated the patches released by SAP without waiting for routine patch cycles.
- Restrict Access: Block external access to the /development server/metadata uploader endpoint via firewall or reverse proxy rules.
- Disable Visual Composer: If Visual Composer is not critical to business operations, disable it to remove the attack surface.
Recommendations:
- Conduct Threat Hunting:
Scan for suspicious JSP files (e.g., helper.jsp, cache.jsp) in these directories:
- /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root
- /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work
- /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync
- Monitoring and SIEM: Forward logs from the NetWeaver server to SIEM tools and monitor for unauthorized file upload activity.
- Utilize Open-Source Tools: Use scanners (such as those released by Onapsis) to check system vulnerability.
Conclusion:
Given the criticality and active exploitation of CVE-2025-31324, organizations running SAP NetWeaver Visual Composer should prioritize patching and mitigation efforts. The potential for full system compromise, ransomware attacks, and data exfiltration represents a severe business risk. Immediate action is strongly advised to secure SAP environments and prevent exploitation.
References:
April Zero-Day Threats Addressed in Microsoft’s Patch Tuesday
Summary of Microsoft April Patch Tuesday
Microsoft released April 2025 Patch Tuesday, addressed 135 security vulnerabilities, including a critical zero-day vulnerability (CVE-2025-29824) already being actively exploited.
- 126 Microsoft CVEs addressed
- 9 non-Microsoft CVEs included
Microsoft April Patch Tuesday is released every month on priority basis so that organization can address the vulnerabilities as advised by security analysts
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-04-08 |
| No. of Vulnerabilities Patched | 135 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Key updates focus on core Windows components like the CLFS driver, Windows Kernel, and multiple remote code execution (RCE) vulnerabilities across many services including Remote Desktop Gateway, LDap, and TCP/IP.
The update addresses both Microsoft and non-Microsoft vulnerabilities, with a significant emphasis on fixing issues that allow attackers to elevate privileges, execute remote code, or bypass security features.
On a similar note publication of 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month, and are not included in the total.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Microsoft Windows CLFS Driver Use-After-Free Vulnerability [zero-day vulnerability] | CVE-2025-29824 | Windows | High | 7.8 |
| Remote Desktop Gateway Service RCE Vulnerability | CVE-2025-27480 CVE-2025-27482 | Windows | High | 8.1 |
| LDAP Service RCE Vulnerability | CVE-2025-26663 | Windows | High | 8.1 |
| LDAP Client RCE Vulnerability | CVE-2025-26670 | Windows | High | 8.1 |
Technical Summary
The April 2025 update fixes several high-severity vulnerabilities in Microsoft products, here are some vulnerabilities details:
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-29824 | Windows 10/11, Windows Server | An elevation of privilege vulnerability in the Windows Kernel caused by improper object access. Attackers with local access could exploit this to gain SYSTEM privileges. | Elevation of Privilege |
| CVE-2025-27480 CVE-2025-27482 | Windows RDS | Race condition in Remote Desktop Gateway; triggers use-after-free allowing code execution | Remote Code Execution |
| CVE-2025-26663 | Windows LDAP | Crafted LDAP call causes use-after-free, leading to arbitrary code execution | Remote Code Execution |
| CVE-2025-26670 | Windows TCP/IP | Memory mismanagement during DHCPv6 handling, complex exploit chain. | Remote Code Execution |
Source: Microsoft & NVD
In addition to the actively exploited vulnerabilities, several other Vulnerabilities were also addressed:
- CVE-2025-27745, CVE-2025-27748, CVE-2025-27749 – Office Use-After-Free RCE Vulnerability
These vulnerabilities allow attackers to execute arbitrary code remotely by exploiting use-after-free conditions when opening malicious Office files, potentially leading to system compromise.
- CVE-2025-27752 – Excel Heap Overflow RCE Vulnerability
An attacker could bypass security features via improper neutralization in the Microsoft Management Console, leading to remote code execution and potential full system compromise.
- CVE-2025-29791 – Excel Type Confusion RCE Vulnerability
This vulnerability allows local attackers to exploit improper logging in NTFS, potentially granting unauthorized access to sensitive memory areas, which could lead to arbitrary code execution.
- CVE-2025-26686 – Windows TCP/IP RCE Vulnerability
Memory mismanagement during DHCPv6 handling could allow remote attackers to execute arbitrary code, requiring a complex exploit chain to be effective.
- CVE-2025-27491 – Windows Hyper-V RCE Vulnerability
This vulnerability can be exploited by guest users through social engineering, enabling remote code execution on the host system, with a high complexity for successful exploitation.
Remediation:
- Apply Patches Promptly: Install the April 2025 security updates immediately to mitigate risks.
General Recommendations:
- Prioritize Zero-Day & Critical Vulnerabilities: Focus on patching actively exploited vulnerabilities, especially those affecting Windows CLFS, RDS, LDAP, Excel, and SharePoint-related CVEs.
- Secure File System Access: Implement security controls to prevent unauthorized access to NTFS and FAT file systems, particularly against USB-based attack vectors.
- Educate Employees: Train users in phishing risks to reduce the chances of executing malicious Microsoft Access files.
- Monitor for Exploitation: Continuously monitor systems for any signs of exploitation or suspicious activity.
“Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold,” the company said in a blog post.
Conclusion:
The April 2025 Patch Tuesday release underscores the critical need for timely patching of Microsoft systems to protect against actively exploited vulnerabilities, including a zero-day privilege escalation flaw.
Microsoft has addressed multiple high-severity vulnerabilities, many of which could result in remote code execution, unauthorized system access, or privilege escalation.
IT teams and users are urged to promptly install the security updates and implement recommended security controls to mitigate these risks. As these vulnerabilities are actively exploited, immediate action is crucial to safeguarding systems from potential compromise.
References: