VulnerabilityManagement

Security Advisory

Vulnerability in Spring Cloud Gateway Server WebFlux Discovered; Target of Ease by Attackers

Security Advisory: CVE-2025-41243, A critical vulnerability has been disclosed in Spring Cloud Gateway Server WebFlux. This vulnerability allows attackers to modify sensitive Spring Environment properties under specific configurations.

Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-41243 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The vulnerability has been assigned the maximum CVSS score of 10.0. It arises when actuator endpoints are exposed without proper security controls, potentially allowing attackers to compromise application behavior. Organizations and users of affected versions are strongly urged to upgrade to the fixed releases. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Spring Expression Language Property Modification  CVE-2025-41243  Spring Cloud Gateway WebFlux  Critical   v4.3.1,  
v4.2.5, v4.1.11, v3.1.11  

Technical Summary 

CVE-2025-41243 is a critical vulnerability occurs when the Spring Boot actuator is included as a dependency and the gateway actuator endpoint is explicitly exposed via the “management.endpoints.web.exposure.include=gateway” configuration.

In such cases, if actuator endpoints are unsecured or exposed to public networks, an attacker could exploit them to modify Spring Environment properties at runtime. This could cause unauthorized access, configuration tampering, and potential application compromise. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-41243    4.3.0 – 4.3.x 4.2.0 – 4.2.x 4.1.0 – 4.1.x 4.0.0 – 4.0.x 3.1.0 – 3.1.x Older, unsupported versions   Improperly secured actuator endpoints in Spring Cloud Gateway WebFlux allow unauthorized modification of Spring Environment properties. Unauthorized access potential privilege escalation 

Remediation – 

Upgrade Immediately patch to fixed versions: 

Affected Version Range Upgrade To 
4.3.x 4.3.1 
4.2.x 4.2.5 
4.1.x and 4.0.x 4.1.11 
3.1.x 3.1.11 
Unsupported versions Migrate to a supported release 

If you are unable to upgrade right now, here are the recommendations below 

  • Remove gateway from the “management.endpoints.web.exposure.include” property or secure the actuator endpoints. 
  • Secure actuator endpoints with proper authentication and access controls. 
  • Regularly audit and harden application configuration files. 
  • Monitor application and network logs for suspicious activity or unauthorized access attempts. 
  • Implement firewall rules or reverse proxies to restrict access to sensitive endpoints. 
  • Ensure all systems follow patch management and update policies. 

Conclusion 
CVE-2025-41243 is a critical vulnerability affecting Spring Cloud Gateway WebFlux, allowing remote attackers to modify environment properties when actuator endpoints are misconfigured and exposed.

While no active exploitation has been observed in the wild, vulnerability poses a high risk to application integrity and security due to its CVSS score of 10.0 and ease of exploitation in exposed systems.

Organizations are strongly advised to upgrade to the fixed versions, secure actuator endpoints, and follow best practices to reduce attack surface and prevent future exploitation. 

References 

Security Advisory

Critical WhatsApp Zero-Day Vulnerability Allows Remote Code Execution  

Summary 

OEM WhatsApp 
Severity Medium 
CVSS Score 5.4 
CVEs CVE-2025-55177 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A security vulnerability recently discovered in WhatsApp’s linked device feature that allows users to access WhatsApp across multiple devices, such as phones and computers.

CISA has added this flaw to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting its significance. The flaw allows attackers to send crafted messages that forced WhatsApp to load malicious content from a rogue website without any user interaction. WhatsApp and Apple already patched the issue and users are urged to update their apps immediately to stay protected.

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
WhatsApp Incorrect Authorization Vulnerability  CVE-2025-55177 WhatsApp  Medium 2.25.21.73 and later. 
 
WB iOS 2.25.21.78 and later.  
WhatsApp Desktop for Mac 2.25.21.78 and later. 

Technical Summary 

The vulnerability was due to incomplete authorization of synchronization messages in WhatsApp’s linked device feature. This flaw allowed an attacker to send crafted sync messages that could trick WhatsApp into processing content from an arbitrary URL, even if the message came from an untrusted source.

This could result in WhatsApp loading and executing malicious content on the target device without any user interaction. The impact of the attack was significantly increased when combined with a separate Apple OS vulnerability (CVE-2025-43300), making it suitable for sophisticated, targeted exploitation.

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-55177 WhatsApp for iOS (v2.22.25.2 to v2.25.21.72) 
 WhatsApp Business for iOS (v2.22.25.2 to v2.25.21.77) 
 WhatsApp Desktop for Mac (v2.22.25.2 to v2.25.21.77		Incomplete authorization in the linked device sync feature allowed attackers to send crafted sync messages that caused WhatsApp to load content from an arbitrary URL without user interaction. This could be used to execute malicious code on the device. Remote code execution,.  Potential full device compromise.  

Remediation

Update the WhatsApp in iOS and mac devices to the latest version 

  • WhatsApp for iOS: Update to v2.25.21.73 or latest version 
  • WhatsApp Business for iOS: Update to v2.25.21.78 or latest version  
  • WhatsApp Desktop for Mac: Update to v2.25.21.78 or latest version 

Conclusion: 
The WhatsApp vulnerability highlights the growing risks of zero-click attacks, where devices can be compromised without any user interaction. This flaw has been exploited in targeted attacks and poses a serious threat to user security and privacy. It is important for all users to keep their apps and operating systems up to date and follow trusted security recommendations

References

Security Advisory

Chrome Update Released, Fixes RCE & Multiple Vulnerabilities

Summary 

OEM Google Chrome 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-9864, CVE-2025-9865, CVE-2025-9866, CVE-2025-9867 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Several security vulnerabilities were recently identified in Chromium-based browsers, affecting components such as the V8 JavaScript engine, Toolbar, Extensions and Downloads. The high severity vulnerability, use-after-free issue, could allow attackers to execute arbitrary code.

Additional medium-severity bugs were found in the Toolbar, Extensions, and Downloads components. The Chrome team has started rolling out Chrome 140 to the stable channel, and users are urged to update their browsers to stay protected. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Use-after-free vulnerability in V8  CVE-2025-9864 Chrome  High  v140.0.7339.80/81 
​Inappropriate implementation vulnerability in Toolbar  CVE-2025-9865 Chrome  Medium  v140.0.7339.80/81 
Inappropriate implementation vulnerability in Extensions  CVE-2025-9866 Chrome  Medium  v140.0.7339.80/81 
Inappropriate implementation vulnerability in Downloads  CVE-2025-9867 Chrome  Medium  v140.0.7339.80/81 

Technical Summary 

Multiple vulnerabilities were addressed in Google Chrome prior to version 140.0.7339.80. The most critical, CVE-2025-9864, is a use-after-free issue in the V8 JavaScript engine that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Other medium-severity issues include a Toolbar vulnerability on Android that could be exploited via specific user gestures to spoof domains, a security gap in Extensions allowing attackers to bypass content security policies, and a Downloads flaw on Android that enabled UI spoofing through manipulated web pages.

These could allow attackers to misuse Chrome’s features or gain higher system privileges.  

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-9864  Chrome v139 and prior Use-after-free in V8 engine could allow attackers to execute arbitrary code via malicious webpage  Remote Code Execution 
 CVE-2025-9865  Chrome v139 and prior Improper handling Chrome’s Toolbar component could allow attackers misuse browser functions or gain privilege access  Domain Spoofing / UI Spoofing
 CVE-2025-9866  Chrome v139 and prior Inappropriate implementation in Chrome’s Extensions system, could allow attackers misuse or bypass content security policy  Content Security Policy Bypass
 CVE-2025-9867  Chrome v139 and prior Improper validation in Chrome’s Downloads could allow attackers to perform UI spoofing via crafted HTML   UI Spoofing 

Remediation

References

  • https://gbhackers.com/chrome-140-release/

Security Advisory

Fake Govt & Banking Apps Spreading Android Droppers Evolved as Malware

Security Advisory:  

Cybersecurity researchers have discovered a major shift in how Android malware is being delivered. Dropper apps, which were earlier used mainly to distribute banking trojans.

The Malware’s being used to deliver simpler threats like SMS stealers and basic spyware as official government or banking apps, primarily targeting users in India, Southeast Asia, and some parts of Europe. 

ThreatFabric researchers warn of a shift in Android malware: dropper apps now deliver not just banking trojans, but also SMS stealers and spyware, mainly in Asia.

Vulnerability Details 

The recent surge in Android dropper apps introduces a critical security vulnerability affecting mobile users globally. These droppers are impersonating as banking apps, government services, or trading platforms,, bypass Google Play

Pilot Program by initially requesting minimal permissions to avoid detection, making them appear as legitimate applications.

Once installed, they fetch malicious payloads like spyware, SMS stealers, cryptocurrency miners, and banking trojans from remote servers. Attackers also exploit malvertising campaigns on social media to spread fake apps widely. This evolving tactic enables cybercriminals to switch payloads dynamically, making traditional security measures less effective and increasing the risk of data theft and device compromise. 

Source: cybersecuritynews 

Attack Flow 

Step Description 
1. Craft Attackers create malicious dropper apps disguised as government schemes, banking apps, or trading tools. These apps are designed to look harmless and request only minimal permissions initially. 
2. Send The droppers are distributed through third-party APK sites, malicious ads (e.g., Facebook), or fake update prompts, bypassing initial detection. 
3. Trigger The victim downloads and installs the dropper app, often believing it’s legitimate due to its official-looking design and branding. 
4. Execution When the user clicks “Update” or interacts with the app, the dropper fetches the real malicious payload (spyware, SMS stealer, or banking trojan) from a remote server. 
5. Exploit The installed malware requests high-risk permissions, such as SMS access or notification access, allowing attackers to steal data, track activities, or control the device remotely. 

Proof-of-Concept 

Once the user interacts, the dropper initiates an HTTPS request to a remote server 

Source: cybersecurity news 

Why It’s Effective 

Dynamic Payload Delivery – Attackers hide the real malicious file inside a harmless-looking dropper app. The payload is only downloaded after user interaction, making it harder to detect. 

Permission Evasion – Droppers initially request minimal or safe permissions and only ask for high-risk permissions (like SMS or accessibility access) after installation, bypassing Google Play Protest’sProtects initial scans. 

Fake Update Screens – Many droppers display legitimate looking “Update Required” prompts to trick users into downloading malware, increasing their success rate. 

Recommendations: 

Download Apps Safely  

  • Install apps only from trusted sources like Google Play Store, Apple store etc. 
  • Avoid third-party APKs, unknown links, or apps promoted through social media ads. 

Check Permissions Carefully  

  • Do not grant unnecessary permissions like SMS, notifications, or accessibility dependent on the app services. 
  • Always review requested permissions before installing or updating an app. 

Keep Devices Secure  

  • Enable Google Play Protect and keep your Android security patches up to date. 
  • Use a reliable mobile security solution for real-time malware detection. 

Stay Alert and Aware  

  • Be aware of fake update prompts; apps, and malicious sites. 
  • Stay updated on the latest tactics used by Android malware 

Conclusion: 

  • Android droppers are evolving fast, making them more flexible and harder to detect, increasing risks for both individuals and organizations.
  • Droppers started as tools for advanced banking malware, but now they’re used to install all kinds of harmful apps and sneak past local security.  
  • It is always recommended to stay vigilant, keep your phone and software updated from the original source  and avoid unverified apps installation to minimize the risk of infection. 

References

Security Advisory

Threat Actors Exploiting Microsoft Teams to Gain Remote Access & Transfer Malware 

Security Advisory:

A new wave of social engineering attacks is exploiting Microsoft Teams, one of the most trusted enterprise collaboration platforms as a malware delivery channel.

Threat actors are impersonating IT support staff to trick employees into installing remote access tools and running malicious PowerShell scripts, enabling full compromise of victim environments. 

This campaign represents an evolution beyond traditional phishing, weaponizing corporate communication channels that employees inherently trust. Once access is established, attackers deploy multifunctional malware loaders such as DarkGate and Matanbuchus, with capabilities for credential theft, persistence, lateral movement and ransomware deployment. 

Technical Summary 

Security researchers have observed financially motivated threat groups abusing Microsoft Teams chats and calls to impersonate IT administrators. Attackers create malicious or compromised Teams accounts often using convincing display names like “IT SUPPORT ” or “Help Desk Specialist” as looking like legitimate and verified account to initiate direct conversations with employees. The social engineering process typically follows this chain 

Attack Process                                                                             Source: permiso.io 

It included the malware features 

  • Credential theft via GUI-based Windows prompts. 
  • Persistence using Scheduled Tasks (e.g. Google LLC Updater) or Registry Run keys. 
  • Encrypted C2 communications with hardcoded AES keys & IVs. 
  • Process protection via RtlSetProcessIsCritical, making malware harder to remove. 
  • Harvesting system info for reconnaissance and follow-on payloads. 

The campaigns have been linked to threat actor groups such as Water Gamayun (aka EncryptHub), known for blending social engineering, custom malware and ransomware operations. 

Element Detail 
Initial Access Direct messages/calls via Microsoft Teams impersonating IT staff 
Social Engineering Fake IT accounts with display names like “IT SUPPORT ✅” and onmicrosoft.com domains 
Malicious Tools QuickAssist, AnyDesk, PowerShell-based loaders (DarkGate, Matanbuchus) 
Persistence Scheduled Tasks (Google LLC Updater), Registry autoruns 
Payload Features Credential theft, system profiling, encrypted C2, remote execution 
Target Enterprise employees, IT professionals, developers 
Objective Credential theft, long-term access, ransomware deployment 

IOCs 

Organizations are urged to block the following indicators immediately: 

Indicator Type 
https://audiorealteak[.]com/payload/build.ps1 URL 
https://cjhsbam[.]com/payload/runner.ps1 URL 
104.21.40[.]219 IPv4 
193.5.65[.]199 IPv4 
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6 UA 
&9*zS7LY%ZN1thfI Initialization Vector 
123456789012345678901234r0hollah Encryption Key 
62088a7b-ae9f-2333-77a-6e9c921cb48e Mutex 
Help Desk Specialist  User Display Name 
IT SUPPORT User Display Name 
Marco DaSilva IT Support  User Display Name 
IT SUPPORT  User Display Name 
Help Desk User Display Name 
@cybersecurityadm.onmicrosoft.com User Principal Name 
@updateteamis.onmicrosoft.com User Principal Name 
@supportbotit.onmicrosoft.com User Principal Name 
@replysupport.onmicrosoft.com User Principal Name 
@administratoritdep.onmicrosoft.com User Principal Name 
@luxadmln.onmicrosoft.com User Principal Name 
@firewalloverview.onmicrosoft.com User Principal Name 

Remediation

  1. Strengthen Microsoft Teams Security 
  • Restrict external tenants and enforce strict access control on Teams. 
  • Implement anomaly detection for suspicious Teams account activity. 
  • Block installation of unauthorized remote access tools (QuickAssist, AnyDesk). 

2. Enhance Endpoint & Network Defenses 

  • Monitor PowerShell execution with EDR/XDR solutions. 
  • Detect persistence artifacts (scheduled tasks, autorun keys, rundll32 activity). 
  • Block known IoCs at DNS/firewall levels. 

 3. Employee Awareness & MFA Security 

  • Train employees to verify IT support requests through independent channels. 
  • Warn staff against installing software via unsolicited Teams messages. 
  • Enforce multi-factor authentication (MFA) for all accounts. 

Conclusion: 
By shifting malware delivery into Microsoft Teams, attackers are exploiting a platform that enterprises inherently trust. The blending of social engineering with technical abuse of PowerShell and remote access tools makes this campaign particularly dangerous, enabling attackers to infiltrate organizations without relying on traditional email phishing. 

Organizations must treat collaboration platforms as high-value attack surfaces not just communication tools. Strengthening monitoring, restricting external interactions and training employees to validate IT requests are critical to defending against this evolving threat.  

References

Security Advisory

Critical Chrome Use-After-Free Vulnerability in ANGLE Graphics Library 

Security Advisory: A critical use-after-free vulnerability has been identified in the ANGLE graphics library used by Google Chrome which enables applications designed for OpenGL ES (OpenGL used on mobile and embedded devices) or WebGL (a web-based 3D graphics API) to run on platforms that primarily use other graphics APIs, such as DirectX on Windows or Vulkan on Android.

OEM Google Chrome 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-9478 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

This vulnerability could allow attackers to take control of your device simply by visiting a harmful website using HTML or WebGL which is just opening the wrong page could let hackers run their own code on our system. 

Google has already fixed this problem in the latest Chrome update (version 139.0.7258.154/.155 for Windows & macOS and 139.0.7258.154 for Linux). Users and administrators are strongly advised to apply the latest updates immediately. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Use-After-Free Vulnerability in ANGLE  CVE-2025- 9478 Google Chrome  High  v139.0.7258.154/.155 (Win/Mac), v139.0.7258.154 (Linux) 

Technical Summary 

This security issue happens when Chrome accidentally reuses computer memory that should no longer be in use. This is exploited by the attacker, if we visit a harmful website designed by cybercriminals, it can secretly run special graphics commands (through WebGL or Canvas). This could corrupt our system’s memory, crash our browser, or allow hackers to run their own code on our device remotely. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025- 9478 Chrome < 139.0.7258.154 A Vulnerability in Chrome’s graphics engine lets attackers reuse cleared memory through specially designed HTML/WebGL input. Remote code execution,  
Data theft  
 

Remediation

  • Update to Chrome latest versions 139.0.7258.154/.155 on Windows/macOS or 139.0.7258.154 on Linux or the later one. 

Here are some recommendations below 

  • Keep monitoring the logs for suspicious activities unusual WebGL or graphics API call. 
  • Conduct user awareness training to educate users about the risks of malicious websites, avoiding unknown links. 

Conclusion: 
This is a high-severity Chrome vulnerability that could allow remote code execution via malicious WebGL content. Although not yet exploited in the wild but immediate patching is essential. Users should update Chrome, monitor unusual graphics activity and stay informed about malicious website risks to ensure strong browser security. 

References

Security Advisory

Docker Desktop Vulnerability Allows Full Host Compromise via Exposed API 

A critical vulnerability has been discovered in Docker Desktop for Windows, macOS and Linux distributions.

The vulnerability allows malicious containers to gain full access to the host system by misusing an exposed Docker Engine API endpoint.

Docker Desktop

Docker a must to have in modern enterprise infrastructure, as a strong foundation pillar that powers cloud-native applications including CI/CD pipelines and microservices at massive scale. Any vulnerabilities in Docker images and runtimes are particularly dangerous as they can open the door to severe supply-chain attacks, container escapes, data leaks, and even full host compromise. 

OEM Docker 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-9074 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

The vulnerability, considered as CVE-2025-9074, which affects Docker Desktop versions prior to 4.44.3. This exploitation requires no special configuration and can be triggered with minimal interaction. Docker has addressed this issue in version 4.44.3, administrator or user are suggested to upgrade to the latest version. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Docker Engine API Exposure / Container Escape  CVE-2025-9074 Docker Desktop 
(Windows, macOS, Linux) 		 Critical  v4.44.3 

Technical Summary 

The vulnerability comes from Docker Desktop’s internal API endpoint (http://192.168.65.7:2375) being accessible from any container running locally. The endpoint with lack of authentication allows privileged API commands such as creating new containers, mounting host directories, and controlling images. 

On Windows with WSL, this becomes riskier because attackers could mount your C: drive with the same rights, giving them full access to the machine. With the safety settings like Enhanced Container Isolation (ECI) or disabling TCP exposure, don’t fully block this problem. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-9074  v4.25 before v4.44.3  An internal HTTP API is automatically open to containers on the default network. This could allow us to run powerful commands – creating containers, managing images or accessing the host system  Full host compromise, including file system and resource access 

Remediation

  • Upgrade to Docker Desktop version 4.44.3 or later across all supported platforms. 

Recommendations: 

Here are some recommendations below  

  • Don’t depend only on container isolation, treat development tools as part of the security perimeter. 
  • Use network segmentation and zero-trust controls to protect container workloads. 
  • Monitor container traffic for unauthorized API access attempts. 
  • Apply strict IAM rules and give users only the permissions they really need on Docker hosts. 

Conclusion: 
CVE-2025-9074 is a critical container escape vulnerability exposing host systems to complete compromise. While no active exploitation has been reported, the weakness is easy to exploit. Immediate patching and environment hardening are strongly recommended for all Docker Desktop users. 

References: 

Security Advisory

Microsoft Patch Tuesday August Patches 119 Vulnerabilities; Publicly Disclosed Kerberos Zero‑Day

Microsoft Patch Tuesday : Key points:

119 vulnerabilities discovered & 13 are classified as Critical rating meaning as per Microsoft’ they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.

CVE-2025-53779 is Windows Kerberos Elevation of Privilege Vulnerability

The vulnerabilities fall into multiple categories, including Remote Code Execution (RCE), Elevation of Privilege (EoP), Information Disclosure, Spoofing, Denial of Service (DoS), and Tampering. Below is a detailed breakdown of the vulnerabilities by category, along with key insights for organizations to prioritize their patching efforts.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-08-12 
No. of Patches  119 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Microsoft has released security updates addressing 119 vulnerabilities in the August 2025 Patch Tuesday cycle, including one publicly disclosed zero-day in Windows Kerberos. Of these, 13 are classified as Critical, covering a wide range of products such as Windows components, Office, Azure, Exchange and SharePoint. 

  • 111 Microsoft CVEs addressed 
  • 8 non-Microsoft CVEs addressed 

Breakdown of August 2025 Vulnerabilities 

  • 44 Elevation of Privilege Vulnerabilities 
  • 35 Remote Code Execution Vulnerabilities 
  • 18 Information Disclosure Vulnerabilities 
  • 9 Spoofing Vulnerabilities 
  • 4 Denial of Service Vulnerabilities 
  • 1 Tampering vulnerabilities 
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows Kerberos Elevation of Privilege Vulnerability CVE-2025-53779 Windows Server 2025 High 7.2 

Technical Summary 

The August 2025 Patch Tuesday addresses a publicly disclosed zero-day vulnerability CVE-2025-53779 in Windows Kerberos.

This elevation of privilege flaw, related to improper path handling in domain-managed service accounts (dMSA), could allow a local attacker to gain domain administrator privileges.

Microsoft also patched several critical Remote Code Execution (RCE) vulnerabilities across Windows Graphics, GDI+, Office, DirectX, and Hyper-V. Many of these vulnerabilities require minimal or no user interaction, such as simply opening a file in the preview pane or processing crafted image or network messages, making them high-risk for enterprise environments. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-53779 Microsoft Windows Server 2025 Relative path traversal in Windows Kerberos allows an authorized attacker to elevate privileges over a network. Privilege escalation 

Source: Microsoft and NVD 

In addition to the publicly disclosed vulnerability, several other critical and high-severity issues were addressed: 

  • CVE202550165 and CVE202553766: Graphics-related RCEs, particularly vulnerable due to their ability to execute code without user interaction and potential wormable behavior. 
  • CVE202553792: Azure Portal, privilege escalation vulnerability, critical impact on cloud administration surface. 
  • CVE202550171: Remote Desktop Server, allows remote code execution over RDP. 
  • CVE202553778: Windows NTLM, elevation of privilege exploitation includes lateral movement across enterprise networks. 
  • CVE202553786: Microsoft Exchange Server, hybrid environment vulnerability with potential for cloud environment hijacking. 

Key Affected Products and Services 

The vulnerabilities addressed in August 2025 impact a wide range of Microsoft products and services, including: 

  • Windows Core and Authentication Systems 

Includes fixes in Windows Server (Kerberos), Windows Graphics Component, GDI+, DirectX Graphics Kernel, NTLM, Hyper‑V, MSMQ, Remote Desktop and more. 

  • Microsoft Office Suite and Productivity Tools 

Microsoft Office and Word, notably through Preview Pane RCE flaws, as well as SharePoint (RCE and EoP), Exchange Server (Privilege Escalation in hybrid setups) and Teams. 

  • Cloud and Azure Ecosystem 

Critical issues in Azure Virtual Machines (spoofing and info disclosure), Azure Stack Hub and potentially Azure Portal. 

  • Virtualization and Hypervisor Technologies 

Updates include vulnerabilities in Hyper‑V (RCE and privilege escalation) and DirectX graphics kernel components relevant to virtualization. 

  • Development Tools 

Fixes include vulnerabilities affecting Visual Studio and GitHub Copilot, reinforcing development environments. 

  • Messaging and Queuing Services 

Includes a critical RCE in Microsoft Message Queuing (MSMQ). 

  • Browsers: 
    Microsoft Edge (Chromium-based). 

Remediation

  • Apply Patches Promptly: Install the August 2025 security updates immediately to mitigate risks. 

Conclusion: 

Microsoft’s August 2025 Patch Tuesday, disclosed zero-day CVE-2025-53779 is another privilege escalation flaw in Windows Kerberos that stems from a case of relative path traversal. Akamai researcher Yuval Gordon has been credited with discovering and reporting the bug.

Aside from the vulnerabilities patched and disclosed in the regular monthly patch release for August, it is worth noting that one week ahead of the monthly update, Microsoft disclosed 4 vulnerabilities affecting Microsoft cloud services.

References

Security Advisory

7-Zip Security Flaw Allows Malicious File Writes and Potential Exploits 

Summary Security Advisory: 7-Zip Security Flaw

A vulnerability in 7-Zip (versions before 25.01) allows attackers to abuse symbolic links in archive files to write files outside the intended extraction directory.

Severity Low 
CVSS Score 3.6 
CVEs CVE-2025-55188 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

This can lead to overwriting sensitive files, potentially enabling code execution or privilege escalation. The flaw is primarily exploitable on Linux systems due to common file permission models but can also impact Windows under specific conditions. Affected archive formats include ZIP, TAR, 7Z and RAR. 

The security flaw was  reported and discoverd by security researcher lunbun, who identified that 7-Zip fails to properly validate symbolic links when extracting certain archive formats.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ 7-Zip Arbitrary File Write via Symbolic Link Flaw  CVE-2025-55188 7-Zip  Low  25.01 and later. 

Technical Summary 

Cause: Improper validation of symbolic links during archive extraction. 

Attack Vector: Malicious archives can contain symlinks pointing outside the extraction directory. 

Impact: Overwrites arbitrary files on the system. On Linux, this can replace startup scripts, configuration files, or binaries to gain elevated privileges. On Windows, exploitation requires write access to target paths. 

Affected Formats: ZIP, TAR, 7Z, RAR. 

CVE ID CVSS Score System Affected  Vulnerability Details Impact 
CVE-2025-55188 3.6 Linux, Windows 7-Zip versions 7-Zip mishandles symbolic links in archives, letting attackers write files anywhere on the system during extraction. Code execution, Privilege escalation 

Recommendations: 

Here are some recommendations below 

  • Update 7-Zip to version 25.01 or latest one.  
  • Avoid extracting archives from untrusted sources. 
  • Always consider using sandboxed environments for unknown files extraction. 

Conclusion: 
While CVE-2025-55188 carries a low CVSS score, the real-world impact can be severe in certain environments, especially on Linux systems with high-privilege extraction processes.

Immediate patching to 7-Zip 25.01 or later is strongly advised to mitigate the risk of arbitrary file overwrite attacks. 

The researcher has submitted a request for reevaluation of the CVSS score and offered to provide proof-of-concept demonstrations to package repository maintainers who require additional verification.

References

Security Advisory

Zero-Day Exploitation in SonicWall Targeted by Akira Ransomware 

Summary 

A critical zero-day vulnerability is suspected in SonicWall SSL VPN appliances, which are currently being actively exploited by threat actors linked to the Akira ransomware group. These attacks began last month and exploit even fully patched devices and systems with multi-factor authentication (MFA) enabled. In many cases, attackers move quickly, encrypting victim systems within hours of gaining access. 

Detailed Observation 

The ongoing attacks targeting SonicWall SSL VPN appliances suggest the presence of a zero-day vulnerability that allows threat actors to gain unauthorized access to enterprise networks.

This exploitation may be limited to TZ and NSa-series SonicWall firewalls with SSLVPN enabled. The attack patterns indicate that the attackers may be exploiting a flaw in the VPN’s authentication or session management mechanisms which they can be able to bypass the MFA.

Security researchers also observed that the threat actors often used legitimate credentials, including recently rotated passwords, implying either credential theft or session hijacking.

These login attempts were traced back to Virtual Private Servers (VPS), a common tactic to obscure the attacker’s origin. Once threat actors on the network, they abuse the privileged accounts, then start establishing C2 and move laterally in the network, then at the last stage before deploying the ransomware they are disabling the defenses to smooth deploy.

The ransomware group suggests Akira, has been seen deploying malware and encrypting data within hours, showcasing a high level of automation and operational efficiency.

The pattern and speed of these attacks point to a well-orchestrated campaign that likely began months earlier (as early as October 2024) but surged in mid-July 2025. This level of sophistication, combined with the failure of traditional defenses, strongly supports the theory that attackers are leveraging an undisclosed vulnerability in SonicWall’s SSL VPN stack. 

Remediation

Until an official SonicWall patch is released, organizations should take the following immediate actions: 

  • Disable SonicWall SSL VPN if possible, especially for external access. 
  • Enforce network segmentation to limit the radius of any potential breach. 
  • Monitor access logs for suspicious login attempts (especially from VPS-hosting IP ranges). 
  • Block known malicious IPs and ASNs used in previous attacks. 
  • Rotate all VPN credentials, especially for admin or privileged users. 
  • Harden MFA configuration (though current evidence shows bypasses are possible). 
  • Enable IP reputation and botnet protection features in SonicWall firewalls. 
  • Audit all VPN user accounts, removing any inactive or unnecessary ones. 

IOCs 

Attacker IP Threat Actors used tools ASN/CIDR hosting adversary infrastructure User & Password created  
42.252.99[.]59 w.exe AS24863 – LINK-NET – 45.242.96.0/22 backupSQL (U) 
45.86.208[.]240 win.exe AS62240 – Clouvider – 45.86.208.0/22 lockadmin (U) 
77.247.126[.]239 C:\ProgramData\winrar.exe AS62240 – Clouvider – 77.247.126.0/24 Password123$ (P) 
104.238.205[.]105 C:\ProgramData\OpenSSHa.msi AS23470 – ReliableSite LLC – 104.238.204.0/22 Msnc?42da (P) 
104.238.220[.]216 C:\Program Files\OpenSSH\sshd.exe AS23470 – ReliableSite LLC – 104.238.220.0/22 VRT83g$%ce (P) 
181.215.182[.]64 C:\programdata\ssh\cloudflared.exe AS174 – COGENT-174 – 181.215.182.0/24  
193.163.194[.]7 C:\Program Files\FileZilla FTP Client\fzsftp.exe AS62240 – Clouvider – 193.163.194.0/24  
193.239.236[.]149 C:\ProgramData\1.bat AS62240 – Clouvider – 193.239.236.0/23  
194.33.45[.]155 C:\ProgramData\2.bat AS62240 – Clouvider – 194.33.45.0/24  
  • Source: huntress.com 

Conclusion: 
The exploitation of a suspected zero-day in SonicWall SSL VPN poses an immediate and critical threat to enterprise environments.

The ability of attackers to bypass authentication and deploy ransomware within hours is highly dangerous and points to a sophisticated, active campaign.

Organizations using SonicWall VPNs must take preemptive steps now, including disabling VPN access if feasible and aggressively monitoring for anomalies, until SonicWall releases a formal patch or mitigation advisory 

References

Scroll to top