Aggregator
CISA Releases Malware Analysis Report Associated with Microsoft SharePoint Vulnerabilities
CISA published a Malware Analysis Report (MAR) with analysis and associated detection signatures on files related to Microsoft SharePoint vulnerabilities:
- CVE-2025-49704 [CWE-94: Code Injection],
- CVE-2025-49706 [CWE-287: Improper Authentication],
- CVE-2025-53770 [CWE-502: Deserialization of Untrusted Data], and
- CVE-2025-53771 [CWE-287: Improper Authentication]
Cyber threat actors have chained CVE-2025-49704 and CVE-2025-49706 (in an exploit chain publicly known as “ToolShell”) to gain unauthorized access to on-premises SharePoint servers. CISA analyzed six files: two Dynamic Link Library (.DLL) files, one cryptographic key stealer, and three web shells. Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint the host system and exfiltrate data.
CISA added CVE-2025-49704 and CVE-2025-49706 to its Known Exploited Vulnerabilities Catalog on July 22, 2025, and CVE-2025-53770 on July 20, 2025.
CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures in this MAR to identify malware.
Downloadable copy of IOCs associated with this malware:
- MAR-251132.c1.v1.CLEAR_stix2 (JSON, 84.95 KB)
Downloadable copies of the SIGMA rules associated with this malware:
- CMA SIGMA 251132 1 (YAML, 4.22 KB)
- CMA SIGMA 251132 2 (YAML, 2.86 KB)
- CMA SIGMA 251132 (YAML, 5.55 KB)
For more information on the malware files and YARA rules for detection, see MAR-251132.c1.v1 Exploitation of SharePoint Vulnerabilities.
Disclaimer:
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Hybrid Exchange Deployments
Update (08/12/2025): CISA has updated this alert to provide clarification on identifying Exchange Servers on an organization’s networks and provided further guidance on running the Microsoft Exchange Health Checker.
Update (08/07/2025): CISA issued Emergency Directive (ED) 25-02: Mitigate Microsoft Exchange Vulnerability in response to CVE-2025-53786.
CISA is aware of the newly disclosed high-severity vulnerability, CVE-2025-53786, that allows a cyber threat actor with administrative access to an on-premise Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations. This vulnerability, if not addressed, could impact the identity integrity of an organization’s Exchange Online service.
While Microsoft has stated there is no observed exploitation as of the time of this alert’s publication, CISA strongly urges organizations to implement Microsoft’s Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability guidance outlined below, or risk leaving the organization vulnerable to a hybrid cloud and on-premises total domain compromise.
- Organizations should first inventory all Exchange Servers on their networks (organizations should leverage existing visibility tools or publicly available tools, such as NMAP or PowerShell scripts, to accomplish this task).
- If using Exchange hybrid, review Microsoft’s guidance Exchange Server Security Changes for Hybrid Deployments to determine if your Microsoft hybrid deployments are potentially affected and available for a Cumulative Update (CU).
- Install Microsoft’s April 2025 Exchange Server Hotfix Updates on the on-premise Exchange server and follow Microsoft’s configuration instructions Deploy dedicated Exchange hybrid app.
- For organizations using Exchange hybrid (or that have previously configured Exchange hybrid but no longer use it), review Microsoft's Service Principal Clean-Up Mode for guidance on resetting the service principal’s keyCredentials.
- Upon completion, run the Microsoft Exchange Health Checker with appropriate permissions to identify the CU level of each Exchange Server identified and to determine if further steps are required.
CISA highly recommends entities disconnect public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet. For example, SharePoint Server 2013 and earlier versions are EOL and should be discontinued if still in use.
Organizations should review Microsoft’s blog Dedicated Hybrid App: temporary enforcements, new HCW and possible hybrid functionality disruptions for additional guidance as it becomes available.
Disclaimer:
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
NIST to Provide Updates on Construction Safety Team Investigations in September Advisory Committee Meeting
ReVault flaws let hackers bypass Windows login on Dell laptops
SentinelOne Acquires AI Startup Prompt Security
Rockwell Arena Simulation Flaws Allow Remote Execution of Malicious Code
Rockwell Automation has disclosed three critical memory corruption vulnerabilities in its Arena Simulation software that could allow attackers to execute malicious code remotely. The vulnerabilities, discovered during routine internal testing, affect all versions of Arena Simulation 16.20.09 and earlier, potentially exposing industrial automation environments to significant security risks.
Critical Security Flaws Identified
The three vulnerabilities, […]
The post Rockwell Arena Simulation Flaws Allow Remote Execution of Malicious Code appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Check Point: MCPoison demonstrates a new class of attacks on AI IDEs and LLM development tools
Trend Micro Apex One flaws exploited in the wild (CVE-2025-54948, CVE-2025-54987)
Unauthenticated command injection vulnerabilities (CVE-2025-54948, CVE-2025-54987) affecting the on-premise version of Trend Micro’s Apex One endpoint security platform are being probed by attackers, the company warned on Wednesday. Unfortunately for those organizations that use it, a patch is still in the works and is expected to be released around the middle of August 2025. But the company has provided a “fix tool” that mitigates the risk of exploitation in the short term – though …
The post Trend Micro Apex One flaws exploited in the wild (CVE-2025-54948, CVE-2025-54987) appeared first on Help Net Security.
Akira Ransomware Uses Windows Drivers to Bypass AV/EDR in SonicWall Attacks
Security researchers have identified a sophisticated new tactic employed by Akira ransomware operators, who are exploiting legitimate Windows drivers to evade antivirus and endpoint detection systems while targeting SonicWall VPN infrastructure. This development represents a significant escalation in the group’s technical capabilities and poses serious challenges for enterprise cybersecurity defenses.
Campaign Overview and Timeline
From […]
The post Akira Ransomware Uses Windows Drivers to Bypass AV/EDR in SonicWall Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Akira Ransomware Uses Windows Drivers to Bypass AV/EDR in SonicWall Attacks
A sophisticated evasion technique is being employed by Akira ransomware affiliates, who are exploiting legitimate Windows drivers to bypass antivirus and endpoint detection and response (EDR) systems during recent SonicWall VPN attack campaigns. The attacks, which have escalated from late July through early August 2025, demonstrate the threat actors’ evolving tactics to maintain persistence and avoid detection in compromised […]
The post Akira Ransomware Uses Windows Drivers to Bypass AV/EDR in SonicWall Attacks appeared first on Cyber Security News.