Category: Cybersecurity

  • Apple iPhone Air and iPhone 17 Feature A19 Chips With Spyware-Resistant Memory Safety

    Sep 10, 2025 | Ravie Lakshmanan | Spyware / Vulnerability

    Apple on Tuesday revealed a new security feature called Memory Integrity Enforcement (MIE) that’s built into its newly introduced iPhone models, including iPhone 17 and iPhone Air.

    MIE, per the tech giant, offers “always-on memory safety protection” across critical attack surfaces such as the kernel and over 70 userland processes without sacrificing device performance, because the A19 and A19 Pro chips were designed with this feature in mind.

    “Memory Integrity Enforcement is built on the robust foundation provided by our secure memory allocators, coupled with Enhanced Memory Tagging Extension (EMTE) in synchronous mode, and supported by extensive Tag Confidentiality Enforcement policies,” the company noted.

    The effort aims to improve memory safety and to prevent bad actors, specifically those leveraging mercenary spyware, from weaponizing such flaws in the first place to break into devices as part of highly targeted attacks.

    The technology that underpins MIE is EMTE, an improved version of the Memory Tagging Extension (MTE) specification released by chipmaker Arm in 2019 to flag memory corruption bugs either synchronously or asynchronously.

    It’s worth noting that Google’s Pixel devices already have support for MTE as a developer option starting with Android 13. Similar memory integrity features have also been introduced by Microsoft in Windows 11.

    “The ability of MTE to detect memory corruption exploitation at the first dangerous access is a significant improvement in diagnostic and potential security effectiveness,” Google Project Zero researcher Mark Brand said in October 2023, coinciding with the release of Pixel 8 and Pixel 8 Pro.

    “The availability of MTE on a production handset for the first time is a big step forward, and I think there’s real potential to use this technology to make 0-day harder.”

    Apple said MIE transforms MTE from a “helpful debugging tool” into a groundbreaking new security feature, offering security protection against two common vulnerability classes – buffer overflows and use-after-free bugs – that could result in memory corruption.

    This essentially involves blocking out-of-bounds requests to access adjacent memory that has a different tag, and retagging memory as it gets reused for other purposes after it has been freed and reallocated by the system. As a result, requests to access retagged memory with an older tag (indicating use-after-free scenarios) also get blocked.

    “A key weakness of the original MTE specification is that access to non-tagged memory, such as global variables, is not checked by the hardware,” Apple explained. “This means attackers don’t have to face as many defensive constraints when attempting to control core application configuration and state.”

    “With Enhanced MTE, we instead specify that accessing non-tagged memory from a tagged memory region requires knowing that region’s tag, making it significantly harder for attackers to turn out-of-bounds bugs in dynamic tagged memory into a way to sidestep EMTE by directly modifying non-tagged allocations.”
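    The following toy model, added here as an illustration and not code from Apple or Arm, shows the three checks described above on a simulated tagged heap: an adjacent allocation gets a different tag so a one-byte overflow faults, a reused chunk is retagged so a stale pointer faults, and (as a simplified assumption about EMTE, not Apple's actual mechanism) a tagged heap pointer that reaches into non-tagged "global" memory faults only when the enhanced check is on. Granule size, tag width, the allocator, and the `demo` scenario are all constructed for the example.

```python
"""Toy model of MTE-style tagged memory, constructed for this article (not Apple's
or Arm's code). It models tag-mismatch faults on out-of-bounds access, fresh tags
on reuse (use-after-free), and, as an assumption about EMTE, a check on tagged
pointers reaching non-tagged memory."""
import random

GRANULE = 16        # bytes per tag, as in Arm MTE
TAG_BITS = 4        # 16 possible tag values
UNTAGGED = 0        # tag we reserve for non-tagged memory such as globals


class TagCheckFault(Exception):
    """Synchronous fault on the first access whose pointer tag mismatches."""


class TaggedMemory:
    def __init__(self, size, heap_start, enhanced=False, seed=1):
        assert size % GRANULE == 0 and heap_start % GRANULE == 0
        self.mem = bytearray(size)
        self.tags = [UNTAGGED] * (size // GRANULE)   # one tag per granule
        self.heap_start = heap_start                 # below: globals, above: heap
        self.enhanced = enhanced                     # EMTE-style check on/off
        self.rng = random.Random(seed)
        self.sizes = {}                              # live allocations: addr -> size
        self.free_chunks = []                        # (addr, size) available for reuse
        self.bump = heap_start

    def _fresh_tag(self, addr, size):
        """Non-zero tag differing from the old tag and both neighbours, so an
        adjacent overflow or a stale pointer never matches by accident."""
        g0, g1 = addr // GRANULE, (addr + size) // GRANULE
        avoid = {UNTAGGED, self.tags[g0]}
        if g0 > 0:
            avoid.add(self.tags[g0 - 1])
        if g1 < len(self.tags):
            avoid.add(self.tags[g1])
        return self.rng.choice([t for t in range(1, 1 << TAG_BITS) if t not in avoid])

    def malloc(self, size):
        size = -(-size // GRANULE) * GRANULE         # round up to whole granules
        for i, (addr, sz) in enumerate(self.free_chunks):
            if sz == size:                           # reuse a freed chunk
                del self.free_chunks[i]
                break
        else:
            addr, self.bump = self.bump, self.bump + size
            if self.bump > len(self.mem):
                raise MemoryError("toy heap exhausted")
        tag = self._fresh_tag(addr, size)            # retag on (re)allocation
        for g in range(addr // GRANULE, (addr + size) // GRANULE):
            self.tags[g] = tag
        self.sizes[addr] = size
        return (tag, addr)                           # "pointer" = (tag, address)

    def free(self, ptr):
        tag, addr = ptr
        self._check(ptr, 0, 1)                       # freeing with a stale tag faults too
        self.free_chunks.append((addr, self.sizes.pop(addr)))

    def _check(self, ptr, offset, n):
        tag, addr = ptr
        for byte in range(addr + offset, addr + offset + n):
            mem_tag = self.tags[byte // GRANULE]
            if mem_tag == UNTAGGED and not self.enhanced:
                continue                             # original MTE: non-tagged memory unchecked
            if mem_tag != tag:
                raise TagCheckFault(f"pointer tag {tag:#x} != memory tag {mem_tag:#x} at {byte:#x}")
        return addr + offset

    def store(self, ptr, offset, data):
        a = self._check(ptr, offset, len(data))
        self.mem[a:a + len(data)] = data

    def load(self, ptr, offset, n):
        a = self._check(ptr, offset, n)
        return bytes(self.mem[a:a + n])


def faults(action):
    """True if the action raises a tag-check fault."""
    try:
        action()
        return False
    except TagCheckFault:
        return True


def demo(enhanced):
    """Constructed scenario: overflow, use-after-free, and reach into globals."""
    m = TaggedMemory(size=512, heap_start=256, enhanced=enhanced)
    a = m.malloc(16)
    b = m.malloc(16)                                 # adjacent to a, different tag
    m.store(a, 0, b"A" * 16)
    r = {"in_bounds_ok": m.load(a, 0, 16) == b"A" * 16,
         # one byte past a lands in b's granule, whose tag differs
         "oob_caught": faults(lambda: m.store(a, 16, b"X"))}
    m.free(a)
    c = m.malloc(16)                                 # same address as a, fresh tag
    r["reused_addr_retagged"] = c[1] == a[1] and c[0] != a[0]
    r["uaf_caught"] = faults(lambda: m.load(a, 0, 1))    # stale pointer a
    # heap pointer walking backwards into the non-tagged globals region
    r["reach_into_globals_caught"] = faults(lambda: m.store(c, -16, b"G"))
    return r


if __name__ == "__main__":
    print("MTE :", demo(enhanced=False))
    print("EMTE:", demo(enhanced=True))
```

    Running the block prints both dictionaries; the only key that differs between the two modes is `reach_into_globals_caught`, which is exactly the gap the Apple quote describes for the original MTE specification. Real allocators also apply policies the model omits, such as tag quarantining on free and the Tag Confidentiality Enforcement the article goes on to mention.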

    Cupertino said it has also developed what it calls Tag Confidentiality Enforcement (TCE) to secure the implementation of memory allocators against side-channel and speculative execution attacks such as TikTag, to which MTE was found susceptible last year. TikTag leaked the MTE tag associated with an arbitrary memory address by exploiting the fact that tag checks generate cache state differences during speculative execution.

    “The meticulous planning and implementation of Memory Integrity Enforcement made it possible to maintain synchronous tag checking for all the demanding workloads of our platforms, delivering groundbreaking security with minimal performance impact, while remaining completely invisible to users,” it added.


    Source: thehackernews.com…

  • Microsoft Fixes 80 Flaws — Including SMB PrivEsc and Azure CVSS 10.0 Bugs

    Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release.

    Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day. Like last month, 38 of the disclosed flaws are related to privilege escalation, followed by remote code execution (22), information disclosure (14), and denial-of-service (3).

    “For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws,” Satnam Narang, senior staff research engineer at Tenable, said. “Nearly 50% (47.5%) of all bugs this month are privilege escalation vulnerabilities.”

    The patches are in addition to 12 vulnerabilities addressed in Microsoft’s Chromium-based Edge browser since the release of August 2025’s Patch Tuesday update, including a security bypass bug (CVE-2025-53791, CVSS score: 4.7) that has been patched in version 140.0.3485.54 of the browser.

    The vulnerability that has been flagged as publicly known is CVE-2025-55234 (CVSS score: 8.8), a case of privilege escalation in Windows SMB.

    “SMB Server might be susceptible to relay attacks depending on the configuration,” Microsoft said. “An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks.”

    The Windows maker said the update enables support for auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA, allowing customers to assess their environment and detect any potential device or software incompatibility issues before deploying appropriate hardening measures.

    “The key takeaway from the CVE-2025-55234 advisory, other than the explanation of the well-known attack surface around SMB authentication, is that this is one of those times where simply patching isn’t enough; in fact, the patches provide administrators with more auditing options to determine whether their SMB Server is interacting with clients that won’t support the recommended hardening options,” Adam Barnett, lead software engineer at Rapid7, said.

    Mike Walters, president and co-founder of Action1, said the vulnerability stems from the fact that SMB sessions can be established without properly validating the authentication context when key hardening measures, such as SMB signing and Extended Protection for Authentication, are not in place.

    “This gap opens the door to man-in-the-middle relay attacks, where attackers can capture and forward authentication material to gain unauthorized access,” Walters added. “It can easily become part of a larger campaign, moving from phishing to SMB relay, credential theft, lateral movement, and eventually data exfiltration.”

    The CVE with the highest CVSS score for this month is CVE-2025-54914 (CVSS score: 10.0), a critical flaw impacting Azure Networking that could result in privilege escalation. It requires no customer action, given that it’s a cloud-related vulnerability.

    Two other shortcomings that merit attention include a remote code execution flaw in Microsoft High Performance Compute (HPC) Pack (CVE-2025-55232, CVSS score: 9.8) and an elevation of privilege issue affecting Windows NTLM (CVE-2025-54918, CVSS score: 8.8) that could allow an attacker to gain SYSTEM privileges.

    “From Microsoft’s limited description, it appears that if an attacker is able to send specially crafted packets over the network to the target device, they would have the ability to gain SYSTEM-level privileges on the target machine,” Kev Breen, senior director of threat research at Immersive, said.

    “The patch notes for this vulnerability state that ‘Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network,’ suggesting an attacker may already need to have access to the NTLM hash or the user’s credentials.”

    Lastly, the update also remediates a security flaw (CVE-2024-21907, CVSS score: 7.5) in Newtonsoft.Json, a third-party component used in SQL Server, that could be exploited to trigger a denial-of-service condition, as well as two privilege escalation vulnerabilities in Windows BitLocker (CVE-2025-54911, CVSS score: 7.3, and CVE-2025-54912, CVSS score: 7.8).

    Microsoft’s Hussein Alrubaye has been credited with discovering and reporting both the BitLocker flaws. The two flaws add to four other vulnerabilities (collectively called BitUnlocker) in the full-disk encryption feature that were patched by Microsoft in July 2025 –

    • CVE-2025-48003 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability via WinRE Apps Scheduled Operation
    • CVE-2025-48800 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability by Targeting ReAgent.xml Parsing
    • CVE-2025-48804 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability by Targeting Boot.sdi Parsing
    • CVE-2025-48818 (CVSS score: 6.8) – BitLocker Security Feature Bypass Vulnerability by Targeting Boot Configuration Data (BCD) Parsing

    Successful exploitation of any of the above four flaws could allow an attacker with physical access to the target to bypass BitLocker protections and gain access to encrypted data.

    “To further enhance the security of BitLocker, we recommend enabling TPM+PIN for pre-boot authentication,” Security Testing and Offensive Research at Microsoft (STORM) researchers Netanel Ben Simon and Alon Leviev said in a report last month. “This significantly reduces the BitLocker attack surfaces by limiting exposure to only the TPM.”

    “To mitigate BitLocker downgrade attacks, we advise enabling the REVISE mitigation. This mechanism enforces secure versioning across critical boot components, preventing downgrades that could reintroduce known vulnerabilities in BitLocker and Secure Boot.”

    The disclosure comes as Purple Team detailed a new lateral movement technique dubbed BitLockMove that involves the remote manipulation of BitLocker registry keys via Windows Management Instrumentation (WMI) to hijack specific COM objects of BitLocker.

    BitLockMove, developed by security researcher Fabian Mosch, works by initiating a remote connection to the target host through WMI and copying a malicious DLL to the target over SMB. In the next phase, the attacker writes a new registry key that specifies the DLL path, ultimately causing BitLocker to load the copied DLL by hijacking its COM objects.

    “The purpose of the BitLocker COM Hijacking is to execute code under the context of the interactive user on a target host,” Purple Team said. “In the event that the interactive user has excessive privileges (i.e., domain administrator), this could also lead to domain escalation.”

    Software Patches from Other Vendors

    In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —


    Source: thehackernews.com…

  • China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations

    Sep 10, 2025 | Ravie Lakshmanan | Malware / Cyber Espionage

    The House Select Committee on China has formally issued an advisory warning of an “ongoing” series of highly targeted cyber espionage campaigns linked to the People’s Republic of China (PRC) amid contentious U.S.–China trade talks.

    “These campaigns seek to compromise organizations and individuals involved in U.S.-China trade policy and diplomacy, including U.S. government agencies, U.S. business organizations, D.C. law firms and think tanks, and at least one foreign government,” the committee said.

    The committee noted that suspected threat actors from China impersonated Republican Party Congressman John Robert Moolenaar in phishing emails sent to trusted counterparts with an aim to deceive them and trick them into opening files and links that would grant them unauthorized access to their systems and sensitive information without their knowledge.

    The end goal of the attacks was to steal valuable data by abusing software and cloud services to cover up traces of their activity, a tactic often adopted by state-sponsored hackers to evade detection.

    “This is another example of China’s offensive cyber operations designed to steal American strategy and leverage it against Congress, the Administration, and the American people,” said Moolenaar, who is also the Chairman of the House Select Committee on the Communist Party of China (CCP). “We will not be intimidated, and we will continue our work to keep America safe.”

    The statement comes days after a report from The Wall Street Journal, which revealed on September 7, 2025, that several trade groups, law firms, and U.S. government agencies received an email message from Moolenaar asking their input on proposed sanctions against China.

    “Your insights are essential,” the contents of the message allegedly read, along with an attachment containing a draft version of the legislation that, when launched, deployed malware to gather sensitive data and gain entrenched access to the targeted organizations.

    The attack is believed to be the work of APT41, a prolific hacking group known for its targeting of diverse sectors and geographies for cyber espionage.

    “China firmly opposes and combats all forms of cyber attacks and cyber crime,” the Chinese embassy in Washington told Reuters in a statement. “We also firmly oppose smearing others without solid evidence.”

    “By impersonating Rep. Moolenaar (R-MI), a known Beijing critic, the attackers created urgency and legitimacy that encouraged fast responses,” Yejin Jang, vice president of government affairs at Abnormal AI, told The Hacker News.

    “Political communication extends beyond official government devices or accounts. Sophisticated adversaries understand this reality and actively exploit it. By masquerading as trusted officials through personal or non-official channels, attackers bypass traditional security controls while amplifying authenticity.”

    The committee also noted that the campaign follows another spear-phishing campaign in January 2025 that targeted its staffers with emails that falsely claimed to be from the North America representative of ZPMC, a Chinese state-owned crane manufacturer.

    The attack used fake file-sharing notifications in an attempt to trick the recipients into clicking on a link that’s designed to steal Microsoft 365 login credentials. The adversaries also exploited developer tools to create hidden pathways and covertly exfiltrated data straight to servers under their control.

    It’s worth noting that the committee, in September 2024, published an investigative report alleging how ZPMC’s dominance in the ship-to-shore (STS) port crane market could “serve as a Trojan horse” and help the CCP and China exploit and manipulate U.S. maritime equipment and technology at their request.

    “Based on the targeting, timing, and methods, and consistent with outside assessments, the Committee believes this activity to be CCP state-backed cyber-espionage aimed at influencing U.S. policy deliberations and negotiation strategies to gain an advantage in trade and foreign policy,” it said.


    Source: thehackernews.com…

  • The Time-Saving Guide for Service Providers: Automating vCISO and Compliance Services

    Introduction

    Managed service providers (MSPs) and managed security service providers (MSSPs) are under increasing pressure to deliver strong cybersecurity outcomes in a landscape marked by rising threats and evolving compliance requirements. At the same time, clients want better protection without managing cybersecurity themselves. Service providers must balance these growing demands with the need to work efficiently, deliver consistent results, and scale their offerings.

    Yet, many service providers still rely on manual processes that slow down delivery, make it harder to maintain consistency across clients, and limit the time teams have to focus on more strategic initiatives. Even experienced service providers can find themselves stretched thin as they try to meet rising client expectations while managing operational complexity.

    In this environment, automation offers an opportunity to work more effectively and deliver greater value. By streamlining repetitive tasks, improving consistency, and freeing up time and resources, automation helps providers expand their services, strengthen client relationships, and grow sustainably.

    We created The Service Provider’s Guide to Automating Cybersecurity and Compliance Management to help providers navigate the transition to automation. Inside, you’ll find a practical overview of current challenges, real-world examples, and guidance for identifying where automation can have the biggest impact.

    The Hidden Costs of Manual Work

    Tasks like risk assessments, policy development, framework mapping, remediation planning, and executive reporting often require 13 to 15 hours of manual work each. This level of effort places mounting pressure on internal teams, extends project timelines, and delays client outcomes, all of which can restrict growth.

    Over time, these inefficiencies quietly erode both profitability and service quality, making it harder to scale and compete effectively.

    Key hidden costs include:

    • Time delays that impact client satisfaction and slow down revenue cycles
    • Inconsistencies across assessments and documentation, undermining trust
    • Talent inefficiency as senior staff handle administrative work instead of strategic tasks
    • Missed revenue opportunities due to limited capacity for upselling or onboarding new clients

    Manual processes also create specific bottlenecks across five critical areas of service delivery:

    1. Onboarding & Assessments – Repetitive, slow, and often inconsistent
    2. Framework Mapping – Labor-intensive and prone to errors
    3. Remediation Management – Hard to scale and standardize
    4. Progress Reporting – Time-consuming and lacks consistency and clarity
    5. Service Customization – Manual adjustments reduce repeatability

    Automation is key to overcoming these barriers and unlocking scalable, high-margin service delivery.

    How Automation Can Help: 5 Key Use Cases

    According to The State of the Virtual CISO 2025 Report, vCISO providers using AI or automation report a 68% average reduction in cybersecurity and compliance workload over the past year.

    AI-powered technologies like Cynomi’s vCISO Platform automate and standardize vCISO workflows end-to-end, cutting manual efforts by up to 70%. Here are five key areas where automation can make a measurable impact:

    1. Risk Assessments & Onboarding: Interactive, guided questionnaires and centralized data capture replace emails and interviews, cutting hours from onboarding timelines.
    2. Policy Development: Automated platforms generate client-specific policies mapped to frameworks like NIST and ISO.
    3. Compliance Tracking: Tasks are automatically mapped to frameworks and updated as standards evolve, reducing oversight and error risk.
    4. Remediation Planning: Tasks are prioritized and assigned automatically, allowing teams to track progress and outcomes in a centralized hub.
    5. Progress Reporting: Client-branded progress reports are generated in clicks, turning security activity into clear, business-focused insights without the usual delays.
    6. Standardizing Service Delivery: Automation streamlines core tasks like onboarding and compliance management, allowing providers to deliver consistent, high-quality services across clients without reinventing the wheel each time.

    The ROI of Automation

    One of the most effective ways to measure automation’s value is through work hours saved. Tasks that once took over 13 hours can now be completed in just a few, freeing up nearly 10 hours per task to reinvest elsewhere. Multiply that across clients, and the impact on margins and capacity becomes substantial.

    As Steve Bowman, Business Partner at Model Technology Solutions, noted, “When we started, it was four or five months before I’d have somebody doing an assessment on their own. Now it’s down to one month.” This dramatic improvement in ramp-up time underscores the transformative effect automation can have not only on day-to-day operations but also on long-term scalability.

    Here are some examples of time-consuming tasks and the time savings service providers achieve through automating them:

    For more real-world insights into how much time automation can save across key cybersecurity functions, explore The Service Provider’s Guide to Automating Cybersecurity and Compliance Management. It includes practical examples and a straightforward formula to calculate ROI in both hours and dollars, so you can instantly see the measurable benefits automation can bring.

    How to Implement Security and Compliance Automation

    Here’s a practical roadmap for managed service providers aiming to integrate automation into their vCISO or compliance operations.

    1. Assess Current Processes: Start by mapping your existing workflows, including onboarding, assessments, remediation planning, and reporting. Identify manual, repetitive tasks that slow you down or create inconsistencies.
    2. Define Automation Goals: Clarify what you want to achieve through automation, such as reducing task time, increasing capacity, or improving service consistency. Measurable goals help prioritize efforts and guide platform selection.
    3. Select a Deployment Model: Explore three options: build your own tools, use a GRC platform for compliance, or adopt an all-in-one cybersecurity and compliance management platform like Cynomi. Each varies in complexity, scalability, and resource demands.
    4. Pilot Before Scaling: Test your automation strategy with a single client or team to identify strengths, challenges, and integration needs before broader rollout.
    5. Train Teams and Clients: Provide tailored training and maintain open communication to ensure smoother adoption and build confidence in the new platform.
    6. Measure Impact and Optimize: Track key metrics, such as time saved and reporting turnaround. Use these insights to refine processes and maximize ROI.

    Conclusion: Automation Is the New Differentiator

    In today’s cybersecurity landscape, automation through AI has become a strategic necessity. It empowers service providers to streamline operations, deliver consistent value, and scale without increasing overhead. Those who embrace it position themselves to move faster, serve more clients, and elevate their role from technical support to trusted business advisor.

    Whether you’re just starting out or refining your current approach, The Service Provider’s Guide to Automating Cybersecurity and Compliance Management provides practical insights into current challenges, real-world examples, and guidance on what to automate, what to keep manual, and how to choose the right tools to scale effectively.


    Source: thehackernews.com…

  • Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises

    Sep 10, 2025 | The Hacker News | Malware Analysis / Enterprise Security

    Phishing-as-a-Service (PhaaS) platforms keep evolving, giving attackers faster and cheaper ways to break into corporate accounts. Now, researchers at ANY.RUN have uncovered a new entrant: Salty2FA, a phishing kit designed to bypass multiple two-factor authentication methods and slip past traditional defenses.

    Already spotted in campaigns across the US and EU, Salty2FA puts enterprises at risk by targeting industries from finance to energy. Its multi-stage execution chain, evasive infrastructure, and ability to intercept credentials and 2FA codes make it one of the most dangerous PhaaS frameworks seen this year.

    Why Salty2FA Raises the Stakes for Enterprises

    Salty2FA’s ability to bypass push, SMS, and voice-based 2FA means stolen credentials can lead directly to account takeover. Already aimed at finance, energy, and telecom sectors, the kit turns common phishing emails into high-impact breaches.

    Who is Being Targeted?

    ANY.RUN analysts mapped Salty2FA campaigns and found activity spanning multiple regions and industries, with US and EU enterprises most heavily hit.

    Key targeted industries by region:

    • United States – Finance, healthcare, government, logistics, energy, IT consulting, education, construction
    • Europe (UK, Germany, Spain, Italy, Greece, Switzerland) – Telecom, chemicals, energy (including solar), industrial manufacturing, real estate, consulting
    • Worldwide / Other (India, Canada, France, LATAM) – Logistics, IT, metallurgy

    When Did Salty2FA Start Hitting Enterprises?

    Based on data from the ANY.RUN Sandbox and TI, Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April. Confirmed campaigns have been active since late July and continue to this day, generating dozens of fresh analysis sessions daily.

    Real-World Case: How Salty2FA Exploits Enterprise Employees

    One recent case analyzed by ANY.RUN shows just how convincing Salty2FA can be in practice. An employee received an email with the subject line “External Review Request: 2025 Payment Correction”, a lure designed to trigger urgency and bypass skepticism.

    When opened in the ANY.RUN sandbox, the attack chain unfolded step by step:

    Malicious email with Salty2FA attack analyzed inside ANY.RUN sandbox

    Stage 1: Email lure

    The email contained a payment correction request disguised as a routine business message.

    Stage 2: Redirect and fake login

    The link led to a Microsoft-branded login page, wrapped in Cloudflare checks to bypass automated filters. In the sandbox, ANY.RUN’s Automated Interactivity handled the verification automatically, exposing the flow without manual clicks and cutting investigation time for analysts.

    Cloudflare verification completed automatically inside ANY.RUN sandbox

    Stage 3: Credential theft

    Employee details entered on the page were harvested and exfiltrated to attacker-controlled servers.

    Fake Microsoft page, ready to steal credentials from victims

    Stage 4: 2FA bypass

    If the account had multi-factor authentication enabled, the phishing page prompted for codes and could intercept push, SMS, or even voice call verification.

    By running the file in the sandbox, SOC teams could see the full execution chain in real time, from the first click to credential theft and 2FA interception. This level of visibility is critical, because static indicators like domains or hashes mutate daily, but behavioral patterns remain consistent. Sandbox analysis gives faster confirmation of threats, reduced analyst workload, and better coverage against evolving PhaaS kits like Salty2FA.

    Stopping Salty2FA: What SOCs Should Do Next

    Salty2FA shows how fast phishing-as-a-service is evolving and why static indicators alone won’t stop it. For SOCs and security leaders, protection means shifting focus to behaviors and response speed:

    • Rely on behavioral detection: Track recurring patterns like domain structures and page logic rather than chasing constantly changing IOCs.
    • Detonate suspicious emails in a sandbox: Full-chain visibility reveals credential theft and 2FA interception attempts in real time.
    • Harden MFA policies: Favor app-based or hardware tokens over SMS and voice, and use conditional access to flag risky logins.
    • Train employees on financial lures: Common hooks like “payment correction” or “billing statement” should always raise suspicion.
    • Integrate sandbox results into your stack: Feeding live attack data into SIEM/SOAR speeds detection and reduces manual workload.

    By combining these measures, enterprises can turn Salty2FA from a hidden risk into a known and manageable threat.
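    To make the point about behaviors versus static indicators concrete, here is a small triage routine added for this article (not ANY.RUN's code). It scores a sandbox session by the ordered behaviors described above, a bot check, a Microsoft-branded login form served from a host that is not a legitimate Microsoft sign-in host, a credential POST to that same host, and a follow-up MFA prompt, and contrasts that with a plain host blocklist. The event format, the two campaign sessions, the benign session, the hostnames, and the list of legitimate sign-in hosts are all constructed assumptions for the example.

```python
"""Behaviour-based triage of sandbox session events, constructed for this
article (not ANY.RUN's code). All events, hosts and detail strings are made up."""
from dataclasses import dataclass

# Assumed legitimate Microsoft sign-in hosts; a Microsoft-branded login form
# served from anywhere else is treated as brand impersonation.
LEGIT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com")

# The behaviours from the write-up, in the order they are expected to occur.
STAGE_ORDER = ("bot_check", "brand_impersonation", "credential_post", "mfa_prompt")


@dataclass
class Event:
    kind: str          # navigate | challenge | form | post | prompt
    host: str
    detail: str = ""   # page title, challenge vendor, posted field names, ...


def is_legit_login_host(host):
    return any(host == h or host.endswith("." + h) for h in LEGIT_LOGIN_HOSTS)


def behavioural_stages(events):
    """Return the stages observed, accepting each only in the expected order."""
    seen, phish_host = [], None
    for e in events:
        d = e.detail.lower()
        if e.kind == "challenge" and "cloudflare" in d:
            stage = "bot_check"
        elif e.kind == "form" and "microsoft" in d and not is_legit_login_host(e.host):
            stage, phish_host = "brand_impersonation", e.host
        elif e.kind == "post" and e.host == phish_host and "password" in d:
            stage = "credential_post"
        elif e.kind == "prompt" and phish_host and ("mfa" in d or "verification" in d):
            stage = "mfa_prompt"
        else:
            continue
        if len(seen) < len(STAGE_ORDER) and stage == STAGE_ORDER[len(seen)]:
            seen.append(stage)
    return seen


def behavioural_verdict(events):
    """Verdict driven by what the page did, not by which host served it."""
    stages = behavioural_stages(events)
    if "credential_post" in stages:
        return "malicious", stages
    if "brand_impersonation" in stages:
        return "suspicious", stages
    return "clean", stages


def ioc_verdict(events, blocked_hosts):
    """Static matching: only fires on hosts already on the blocklist."""
    return "malicious" if any(e.host in blocked_hosts for e in events) else "clean"


# --- constructed sample sessions --------------------------------------------
def campaign_session(host):
    """Same kit behaviour as described in the write-up, parameterised by host."""
    return [
        Event("navigate", host, "External Review Request: 2025 Payment Correction"),
        Event("challenge", host, "Cloudflare Turnstile"),
        Event("form", host, "Sign in to your account - Microsoft"),
        Event("post", host, "fields: login,password"),
        Event("prompt", host, "Enter the verification code from your Authenticator app (MFA)"),
    ]


SESSION_DAY1 = campaign_session("payment-review-portal.example")
SESSION_DAY2 = campaign_session("invoice-correction-2025.example")   # rotated domain
BENIGN = [
    Event("navigate", "login.microsoftonline.com", "Sign in to your account - Microsoft"),
    Event("form", "login.microsoftonline.com", "Sign in to your account - Microsoft"),
    Event("post", "login.microsoftonline.com", "fields: login,password"),
    Event("prompt", "login.microsoftonline.com", "MFA verification"),
]
BLOCKLIST = {"payment-review-portal.example"}   # only the day-1 host is known

if __name__ == "__main__":
    for name, s in (("day1", SESSION_DAY1), ("day2", SESSION_DAY2), ("benign", BENIGN)):
        print(name, "behaviour:", behavioural_verdict(s), "ioc:", ioc_verdict(s, BLOCKLIST))
```

    The day-2 session uses a freshly rotated domain, so the blocklist misses it while the behavioural rule still reaches a malicious verdict; the benign session posts credentials to a legitimate sign-in host and stays clean. In a real SOC the event stream would come from the sandbox's report and the legitimate-host list from the tenant's own identity configuration.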

    Boost SOC Efficiency with Interactive Sandboxing

    Enterprises worldwide are turning to interactive sandboxes like ANY.RUN to strengthen their defenses against advanced phishing kits such as Salty2FA. The results are measurable:

    • 3× SOC efficiency by combining interactive analysis and automation.
    • Up to 50% faster investigations, cutting time from hours to minutes.
    • 94% of users report faster triage, with clearer IOCs and TTPs for confident decision-making.
    • 30% fewer Tier 1–Tier 2 escalations, as junior analysts gain confidence and senior staff are freed to focus on critical tasks.

    With visibility into 88% of threats in under 60 seconds, enterprises get the speed and clarity they need to stop phishing before it leads to a major breach.

    Try ANY.RUN today: built for enterprise SOCs that need faster investigations, stronger defenses, and measurable results.


    Source: thehackernews.com…

  • SAP Patches Critical NetWeaver (CVSS Up to 10.0) and High-Severity S/4HANA Flaws

    Sep 10, 2025 | Ravie Lakshmanan | Software Security / Vulnerability

    SAP on Tuesday released security updates to address multiple security flaws, including three critical vulnerabilities in SAP NetWeaver that could result in code execution and the upload of arbitrary files.

    The vulnerabilities are listed below –

    • CVE-2025-42944 (CVSS score: 10.0) – A deserialization vulnerability in SAP NetWeaver that could allow an unauthenticated attacker to submit a malicious payload to an open port through the RMI-P4 module, resulting in operating system command execution
    • CVE-2025-42922 (CVSS score: 9.9) – An insecure file operations vulnerability in SAP NetWeaver AS Java that could allow an attacker authenticated as a non-administrative user to upload an arbitrary file
    • CVE-2025-42958 (CVSS score: 9.1) – A missing authentication check vulnerability in the SAP NetWeaver application on IBM i-series that could allow highly privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privileged functionalities

    “[CVE-2025-42944] allows an unauthenticated attacker to execute arbitrary OS commands by submitting a malicious payload to an open port,” Onapsis said. “A successful exploit can lead to full compromise of the application. As a temporary workaround, customers should add P4 port filtering at the ICM level to prevent unknown hosts from connecting to the P4 port.”

    Also addressed by SAP is a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916, CVSS score: 8.1) that could permit an attacker with high privilege access to ABAP reports to delete the content of arbitrary database tables, should the tables not be protected by an authorization group.

    The patches arrive days after SecurityBridge and Pathlock disclosed that a critical security defect in SAP S/4HANA that was fixed by the company last month (CVE-2025-42957, CVSS score: 9.9) has come under active exploitation in the wild.

    While there is no evidence that the newly disclosed issues have been weaponized by bad actors, it’s essential that users move to apply the necessary updates as soon as possible for optimal protection.


    Source: thehackernews.com…

  • Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts

    Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts

    Sep 10, 2025Ravie LakshmananVulnerability / Software Security

    Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts.

    The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input validation flaw. Adobe said it’s not aware of any exploits in the wild.

    “A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API,” Adobe said in an advisory issued today.

    The issue impacts the following products and versions –

    Adobe Commerce (all deployment methods):

    • 2.4.9-alpha2 and earlier
    • 2.4.8-p2 and earlier
    • 2.4.7-p7 and earlier
    • 2.4.6-p12 and earlier
    • 2.4.5-p14 and earlier
    • 2.4.4-p15 and earlier

    Adobe Commerce B2B:

    • 1.5.3-alpha2 and earlier
    • 1.5.2-p2 and earlier
    • 1.4.2-p7 and earlier
    • 1.3.4-p14 and earlier
    • 1.3.3-p15 and earlier

    Magento Open Source:

    • 2.4.9-alpha2 and earlier
    • 2.4.8-p2 and earlier
    • 2.4.7-p7 and earlier
    • 2.4.6-p12 and earlier
    • 2.4.5-p14 and earlier

    Custom Attributes Serializable module:

    Adobe, in addition to releasing a hotfix for the vulnerability, said it has deployed web application firewall (WAF) rules to protect environments against exploitation attempts that may target merchants using Adobe Commerce on Cloud infrastructure.

    “SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024),” e-commerce security company Sansec said.

    The Netherlands-based firm said it successfully reproduced one possible way to exploit CVE-2025-54236, but noted that there are other possible avenues to weaponize the vulnerability.

    “The vulnerability follows a familiar pattern from last year’s CosmicSting attack,” it added. “The attack combines a malicious session with a nested deserialization bug in Magento’s REST API.”

    “The specific remote code execution vector appears to require file-based session storage. However, we recommend merchants using Redis or database sessions to take immediate action as well, as there are multiple ways to abuse this vulnerability.”

    Adobe has also shipped fixes to contain a critical path traversal vulnerability in ColdFusion (CVE-2025-54261, CVSS score: 9.0) that could lead to an arbitrary file system write. It impacts ColdFusion 2021 (Update 21 and earlier), 2023 (Update 15 and earlier), and 2025 (Update 3 and earlier) on all platforms.


    Source: thehackernews.com…

  • Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks

    Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks

    Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft’s Direct Send feature to form a “highly efficient attack pipeline” in recent phishing campaigns, according to new findings from ReliaQuest.

    “Axios user agent activity surged 241% from June to August 2025, dwarfing the 85% growth of all other flagged user agents combined,” the cybersecurity company said in a report shared with The Hacker News. “Out of 32 flagged user agents observed in this timeframe, Axios accounted for 24.44% of all activity.”

    The abuse of Axios was previously flagged by Proofpoint in January 2025, detailing campaigns utilizing HTTP clients to send HTTP requests and receive HTTP responses from web servers to conduct account takeover (ATO) attacks on Microsoft 365 environments.

    ReliaQuest told The Hacker News that there is no evidence to suggest these activities are related, adding that the tool is regularly exploited alongside popular phishing kits. “The usefulness of Axios means it is almost certainly being adopted by all types of threat actors regardless of sophistication levels or motivation,” the company added.

    Similarly, phishing campaigns have also been observed increasingly using a legitimate feature in Microsoft 365 (M365) called Direct Send to spoof trusted users and distribute email messages.

    By amplifying Axios abuse through Microsoft Direct Send, the attackers weaponize a trusted delivery method so that their messages slip past secure gateways and land in users’ inboxes. Indeed, attacks that paired Axios with Direct Send have been found to achieve a 70% success rate in recent campaigns, surpassing non-Axios campaigns with “unparalleled efficiency.”

    The campaign observed by ReliaQuest is said to have commenced in July 2025, initially singling out executives and managers in finance, health care, and manufacturing sectors, before expanding its focus to target all users.

    Calling the approach a game changer for attackers, the company pointed out that the campaign not only bypasses traditional security defenses with improved precision, but also lets attackers mount phishing operations at an unprecedented scale.

    In these attacks, Axios is used to intercept, modify, and replay HTTP requests, thereby making it possible to capture session tokens or multi-factor authentication (MFA) codes in real-time or exploit SAS tokens in Azure authentication workflows to gain access to sensitive resources.

    “Attackers use this blind spot to bypass MFA, hijack session tokens, and automate phishing workflows,” ReliaQuest said. “The customizability offered by Axios lets attackers tailor their activity to further mimic legitimate workflows.”

    The email messages involve using compensation-themed lures to trick recipients into opening PDF documents containing malicious QR codes, which, when scanned, direct users to fake login pages mimicking Microsoft Outlook to facilitate credential theft. As an extra layer of defense evasion, some of these pages are hosted on Google Firebase infrastructure to capitalize on the reputation of the app development platform.

    Besides lowering the technical barrier for sophisticated attacks, Axios’s prevalence in enterprise and developer setups also means that it offers attackers a way to blend in with regular traffic and fly under the radar.
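    As an added example (not code from the article or from the ReliaQuest report), a small triage script over a few constructed sign-in records: it flags user agents of scripted HTTP clients such as Axios, reports each family’s share of the flagged traffic, and lists users who had a successful sign-in from such a client, which is where an account takeover review would start. The JSON field names and the family list are assumptions.

```python
import json
from collections import Counter

# Constructed sample sign-in events (hypothetical JSON shape, not a real
# Microsoft 365 export), one record per line.
SAMPLE_SIGNIN_LOG = """\
{"user": "cfo@example.test", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0", "result": "success"}
{"user": "cfo@example.test", "ip": "198.51.100.7", "ua": "axios/1.7.2", "result": "success"}
{"user": "ops@example.test", "ip": "198.51.100.7", "ua": "axios/1.7.2", "result": "failure"}
{"user": "hr@example.test", "ip": "203.0.113.22", "ua": "Outlook-iOS/2.0", "result": "success"}
{"user": "ops@example.test", "ip": "198.51.100.9", "ua": "python-requests/2.32.3", "result": "success"}
"""

# User-agent families of scripted HTTP clients that rarely belong in
# interactive user sign-ins. Analyst-chosen list (assumption); Axios is the
# one the ReliaQuest report singles out.
SCRIPTED_UA_FAMILIES = ("axios", "python-requests", "node-fetch", "go-http-client")


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ua_family(user_agent):
    """Return the lowercase product token before the first '/', e.g. 'axios'."""
    return user_agent.split("/", 1)[0].strip().lower()


def flag_scripted(events):
    """Return only the events whose user agent belongs to a known scripted client."""
    return [e for e in events if ua_family(e["ua"]) in SCRIPTED_UA_FAMILIES]


def flagged_ua_share(events):
    """Percentage (2 dp) of each scripted family among all flagged events,
    the same kind of figure the report gives for Axios."""
    counts = Counter(ua_family(e["ua"]) for e in flag_scripted(events))
    total = sum(counts.values())
    return {fam: round(100 * n / total, 2) for fam, n in counts.items()} if total else {}


def successful_scripted_signins(events):
    """Map each user with a successful scripted-client sign-in to the source
    IPs involved: these sessions are the ones to review for account takeover."""
    hits = {}
    for e in flag_scripted(events):
        if e["result"] == "success":
            hits.setdefault(e["user"], []).append(e["ip"])
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_SIGNIN_LOG)
    print("flagged share:", flagged_ua_share(evts))
    for user, ips in successful_scripted_signins(evts).items():
        print(f"review {user}: successful scripted sign-in from {', '.join(ips)}")
```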

    To mitigate the risk posed by this threat, organizations are advised to secure Direct Send and disable it if not required, configure appropriate anti-spoofing policies on email gateways, train employees to recognize phishing emails, and block suspicious domains.

    “Axios amplifies the impact of phishing campaigns by bridging the gap between initial access and full-scale exploitation. Its ability to manipulate authentication workflows and replay HTTP requests allows attackers to weaponize stolen credentials in ways that are both scalable and precise.”

    “This makes Axios integral to the rising success of Direct Send phishing campaigns, showing how attackers are evolving beyond traditional phishing tactics to exploit authentication systems and APIs at a level that traditional defenses are ill-equipped to handle.”

    The development comes as Mimecast detailed a large-scale credential harvesting campaign targeting hospitality industry professionals by impersonating trusted hotel management platforms Expedia Partner Central and Cloudbeds in emails that claim to be guest booking confirmations and partner central notifications.

    “This credential harvesting operation leverages the routine nature of hotel booking communications,” the company said. “The campaign employs urgent, business-critical subject lines designed to prompt immediate action from hotel managers and staff.”

    The findings also follow the discovery of an ongoing campaign that has employed a nascent phishing-as-a-service (PhaaS) offering called Salty 2FA to steal Microsoft login credentials and sidestep MFA by simulating six different methods: SMS authentication, authenticator apps, phone calls, push notifications, backup codes, and hardware tokens.

    The attack chain is notable for leveraging services like Aha[.]io to stage initial landing pages that masquerade as OneDrive sharing notifications to deceive email recipients and trick them into clicking on fake links that redirect to credential harvesting pages, but not before completing a Cloudflare Turnstile verification check to filter automated security tools and sandboxes.

    The phishing pages also include other advanced features like geofencing and IP filtering to block traffic from known security vendor IP address ranges and cloud providers, disable shortcuts to launch developer tools in web browsers, and assign new subdomains for each victim session. In incorporating these techniques, the end goal is to complicate analysis efforts.

    These findings illustrate how phishing attacks have matured into enterprise-grade operations, utilizing advanced evasion tactics and convincing MFA simulations, while exploiting trusted platforms and mimicking corporate portals to make it harder to distinguish between real and fraudulent activity.

    “The phishing kit implements dynamic branding functionality to enhance social engineering effectiveness,” Ontinue said. “Technical analysis reveals the malicious infrastructure maintains a corporate theme database that automatically customizes fraudulent login interfaces based on victim email domains.”

    “Salty2FA demonstrates how cybercriminals now approach infrastructure with the same methodical planning that enterprises use for their own systems. What makes this particularly concerning is how these techniques blur the line between legitimate and malicious traffic.”


    Source: thehackernews.com…

  • RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities

    RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities

    Sep 09, 2025Ravie LakshmananMobile Security / Threat Intelligence

    A new Android malware called RatOn has evolved from a basic tool capable of conducting Near Field Communication (NFC) attacks into a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud.

    “RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality – making it a uniquely powerful threat,” Dutch mobile security company ThreatFabric said in a report published today.

    The banking trojan comes fitted with account takeover functions targeting cryptocurrency wallet applications like MetaMask, Trust, Blockchain.com, and Phantom, while also capable of carrying out automated money transfers abusing George Česko, a bank application used in the Czech Republic.

    Furthermore, it can perform ransomware-like attacks using custom overlay pages and device locking. It’s worth noting that a variant of the HOOK Android trojan was also observed incorporating ransomware-style overlay screens to display extortion messages.

    The first sample distributing RatOn was detected in the wild on July 5, 2025, with more artifacts discovered as recently as August 29, 2025, indicating active development work on the part of the operators.

    RatOn has leveraged fake Play Store listing pages masquerading as an adult-friendly version of TikTok (TikTok 18+) to host malicious dropper apps that deliver the trojan. It’s currently not clear how users are lured to these sites, but the activity has singled out Czech and Slovakian-speaking users.

    Once the dropper app is installed, it requests permission from the user to install applications from third-party sources so as to bypass critical security measures imposed by Google to prevent abuse of Android’s accessibility services.

    The second-stage payload then proceeds to request device administration and accessibility services, as well as permissions to read/write contacts and manage system settings to realize its malicious functionality.

    This includes granting itself additional permissions as required and downloading a third-stage payload, the NFSkate malware, which can perform NFC relay attacks using a technique called Ghost Tap. The malware family was first documented in November 2024.

    “The account takeover and automated transfer features have shown that the threat actor knows the internals of the targeted applications quite well,” ThreatFabric said, describing the malware as built from scratch and sharing no code similarities with other Android banking malware.

    That’s not all. RatOn can also serve overlay screens that resemble a ransom note, claiming that users’ phones have been locked for viewing and distributing child pornography and that they need to pay $200 in cryptocurrency to regain access in two hours.

    It’s suspected that the ransom notes are designed to induce a false sense of urgency and coerce the victim into opening the cryptocurrency apps, making the transaction immediately, and enabling the attackers to capture the device PIN code in the process.

    “Upon corresponding command, RatOn can launch the targeted cryptocurrency wallet app, unlock it using stolen PIN code, click on interface elements which are related to security settings of the app, and on the final step, reveal secret phrases,” ThreatFabric said, detailing its account takeover features.

    The sensitive data is subsequently recorded by a keylogger component and exfiltrated to an external server under the control of the threat actors, who can then use the seed phrases to obtain unauthorized access to the victims’ accounts and steal cryptocurrency assets.

    Some notable commands that are processed by RatOn are listed below –

    • send_push, to send fake push notifications
    • screen_lock, to change the device lock screen timeout to a specified value
    • WhatsApp, to launch WhatsApp
    • app_inject, to change the list of targeted financial applications
    • update_device, to send a list of installed apps with device fingerprint
    • send_sms, to send an SMS message using accessibility services
    • Facebook, to launch Facebook
    • nfs, to download and run the NFSkate APK malware
    • transfer, to perform ATS using George Česko
    • lock, to lock the device using device administration access
    • add_contact, to create a new contact using a specified name and phone number
    • record, to launch a screen casting session
    • display, to turn on/off screen casting

    “The threat actor group initially targeted the Czech Republic, with Slovakia likely being the next country of focus,” ThreatFabric said. “The reason behind concentrating on a single banking application remains unclear. However, the fact that automated transfers require local banking account numbers suggests that the threat actors may be collaborating with local money mules.”


    Source: thehackernews.com…