
Weekly Cyber Threat Advisory (3–9 Nov 2025)

Critical Flaws in AMD, Cisco, NVIDIA, and Active APT Campaigns

11/11/2025


As cyber threats continue to evolve, this week’s global security landscape highlights multiple critical vulnerabilities, active state-sponsored attacks, and new malware distribution methods. From hardware-level flaws in AMD Zen 5 processors to unauthenticated exploits in Cisco Contact Centers, the period between November 3–9, 2025, has seen a sharp uptick in both sophistication and scale of cyber risk.


1. Key Vulnerability Highlights

1.1. AMD Zen 5 Flaw Makes Cryptographic Keys Predictable (CVE-2025-62626)

A high-severity flaw affects the RDSEED instruction on AMD Zen 5 CPUs. Under certain conditions the 16-bit and 32-bit forms of RDSEED return a value of zero while still setting the carry flag that signals success, so software receives a constant instead of entropy and gets no error it could act on. Keys, nonces and tokens seeded from that output become predictable, which can lead to key compromise and authentication bypass. The 64-bit form of RDSEED is not affected.
AMD is releasing microcode updates for the affected EPYC, Ryzen and Threadripper products, with the last of them scheduled for early 2026. Until the update is applied, use only the 64-bit form of RDSEED and treat a zero result as a failure even when the success flag is set: discard it, retry a bounded number of times, and fail closed (fall back to another entropy source or abort) rather than continue with a bad seed.

Reference: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html
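The mitigation above in code, as an added example that is not AMD's own mitigation or any library's API: the RDSEED instruction is modelled by a Python callable returning (value, success_flag), a constructed faulty source reproduces "zero with success signalled", and the checked wrapper enforces the 64-bit form, rejects zero, retries and fails closed. The naive path is kept alongside to show why the bug matters: two machines hitting the fault derive the same key.

```python
"""Added example: retry-on-zero handling for an RDSEED-style entropy source.

Illustrative code, not AMD's mitigation. A real implementation would wrap the
64-bit RDSEED instruction; here the instruction is modelled by a callable so
the logic runs anywhere.
"""
import hashlib
import secrets
from typing import Callable, Tuple

# Model of the RDSEED contract: source(width) -> (value, ok). ok=True stands
# for the carry flag being set, i.e. the CPU claims a valid seed was delivered.
SeedSource = Callable[[int], Tuple[int, bool]]


class SeedFailure(RuntimeError):
    """No trustworthy seed could be obtained within the retry budget."""


def naive_rdseed(source: SeedSource, width: int = 32) -> int:
    """Pre-mitigation pattern: trust the success flag and use whatever came back."""
    while True:
        value, ok = source(width)
        if ok:
            return value


def rdseed_checked(source: SeedSource, width: int = 64, max_retries: int = 8) -> int:
    """Mitigated pattern for CVE-2025-62626:
    - insist on the 64-bit form (the 16- and 32-bit forms are the affected ones),
    - treat a zero result as a failure even when the success flag is set,
    - retry a bounded number of times, then fail closed by raising.
    """
    if width != 64:
        raise ValueError("use the 64-bit form of RDSEED; narrower forms are affected")
    for _ in range(max_retries):
        value, ok = source(width)
        if ok and value != 0:
            return value
    raise SeedFailure("RDSEED returned no usable seed after %d attempts" % max_retries)


def seed_with_fallback(source: SeedSource, fallback: Callable[[], int]) -> Tuple[int, bool]:
    """Caller-side policy: use the checked instruction, and fall back to another
    entropy source (e.g. the OS CSPRNG) rather than continuing with a bad seed.
    Returns (seed, used_fallback)."""
    try:
        return rdseed_checked(source), False
    except SeedFailure:
        return fallback(), True


def derive_key(seed: int) -> bytes:
    """Stand-in for a seed-to-key derivation; a repeated seed gives a repeated key."""
    return hashlib.sha256(seed.to_bytes(8, "big")).digest()


def faulty_rdseed(zero_results: int) -> SeedSource:
    """Constructed model of the affected behaviour: the first `zero_results` calls
    return (0, True), zero with the success flag set, then behave normally.
    A large `zero_results` models a machine on which the fault persists."""
    state = {"calls": 0}

    def source(width: int) -> Tuple[int, bool]:
        state["calls"] += 1
        if state["calls"] <= zero_results:
            return 0, True
        return secrets.randbits(width), True

    return source


if __name__ == "__main__":
    # Two "machines" both hitting the fault: the naive path seeds both with 0,
    # so they derive the identical key; the checked path does not.
    k1 = derive_key(naive_rdseed(faulty_rdseed(2)))
    k2 = derive_key(naive_rdseed(faulty_rdseed(2)))
    print("naive path, keys identical:", k1 == k2)
    s1, fb1 = seed_with_fallback(faulty_rdseed(3), lambda: secrets.randbits(64))
    s2, fb2 = seed_with_fallback(faulty_rdseed(3), lambda: secrets.randbits(64))
    print("checked path, seeds identical:", s1 == s2, "fallback used:", fb1 or fb2)
```

The retry budget is deliberately small: on an unpatched part that keeps returning zero, looping forever would hang the caller, and silently continuing would reproduce the bug. Failing over to the OS CSPRNG (which mixes many sources) is the safe default for application code.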

1.2. Cisco Contact Center Express Zero-Click Exploit (CVE-2025-20354 & CVE-2025-20358)

Cisco has disclosed two critical vulnerabilities in Unified Contact Center Express (Unified CCX). CVE-2025-20354 is an unauthenticated remote code execution flaw in the Java RMI process: a remote attacker can upload arbitrary files and execute commands with root privileges. CVE-2025-20358 is an authentication bypass in the CCX Editor's authentication flow that lets an attacker obtain administrative permissions. Neither requires credentials or user interaction.
Cisco has released fixed software (12.5 SU3 ES07 and 15.0 ES01) and states that there are no workarounds, so upgrading is the fix. Until then, limit exposure: restrict network access to the Java RMI listener (TCP 1099 is the default RMI registry port) and the web interface (TCP 8080) to administrative networks, and monitor for unexpected inbound connections to those ports and for unexpected child processes (shells, file transfers) spawned by the CCX Java services.

Reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ

1.3. NVIDIA App Vulnerability Enables Local Privilege Escalation (CVE-2025-23358)

A search-path flaw in the NVIDIA App for Windows (versions before 11.0.5.260) lets a local attacker plant a malicious DLL in a location the application loads from before the legitimate one (classic DLL hijacking) and so execute arbitrary code and escalate privileges.
Users should update to 11.0.5.260 or later, obtain the update only from NVIDIA, and verify the installer's digital signature and publisher before running it.

Reference: https://nvidia.custhelp.com/app/answers/detail/a_id/5717

1.4. Amazon WorkSpaces Linux Client Token Theft (CVE-2025-12779)

Amazon’s WorkSpaces Client for Linux (versions 2023.0 through 2024.8) allowed any other local user on the same machine to extract the session's authentication token and hijack the active WorkSpaces session, gaining access to that user's WorkSpaces environment.
The flaw is fixed in version 2025.0 and later. Administrators should upgrade immediately, avoid running the client on multi-user or shared machines, and consider sessions that ran on shared hosts while a vulnerable version was installed as potentially exposed.

Reference: https://aws.amazon.com/security/security-bulletins/AWS-2025-025/

2. Active Attack Campaigns

2.1. China-Linked Hackers Target IIS Servers in the U.S.

Security researchers report an ongoing China-linked intrusion campaign against U.S. entities that gains access through IIS servers and long-patched vulnerabilities such as Log4j (Log4Shell) and Apache Struts. After compromise, the attackers use DLL side-loading to run their tooling and deploy the Godzilla web shell and the GotoHTTP remote-access tool, giving them durable, interactive access.
Organizations should patch the internet-facing stack (IIS, Java libraries, Struts), rotate credentials that may have been captured from compromised servers, block the command-and-control addresses published for this campaign, and hunt for web shells and unexpected remote-access tools on web servers.

Reference: https://www.security.com/threat-intelligence/china-apt-us-policy

2.2. €600M Cryptocurrency Fraud Network Dismantled

Europol and Eurojust dismantled a massive crypto fraud operation spanning Cyprus, Spain, and Germany, responsible for defrauding investors of over €600 million. The professionalized scam leveraged fake trading platforms, social media ads, and celebrity endorsements to lure victims.
Authorities urge users to verify platforms and avoid unsolicited investment offers.

Reference: https://www.eurojust.europa.eu/news/decisive-actions-against-cryptocurrency-scammers-earning-over-eur-600-million

3. Emerging Security Trends

3.1. Sandworm APT Deploys OpenSSH & Tor Backdoor via Fake Military PDF

Cybersecurity firm Cyble uncovered a Sandworm (APT44) campaign targeting UAV personnel with a malicious ZIP file disguised as a Belarusian military document. The embedded LNK file launches a PowerShell script that installs OpenSSH and configures a Tor hidden service, giving the attackers covert remote shell access that does not depend on a fixed, blockable C2 address. The script includes sandbox-evasion checks and uses scheduled tasks for persistence, and the campaign is reported as active.
Mitigation: block or quarantine archive attachments that contain .lnk files at the email gateway, constrain PowerShell (execution policy is not a security boundary; use Constrained Language Mode, script block logging and application control), and alert on scheduled-task creation and on OpenSSH or Tor binaries appearing outside their expected locations in sensitive environments.

Reference: https://cyble.com/blog/weaponized-military-documents-deliver-backdoor/
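The "monitor task scheduler activities" advice above, turned into a small triage routine as an added example (not Cyble's detection logic or code from this advisory). It assumes the input is Windows Security event 4698 ("A scheduled task was created") records, whose TaskContent field carries the task XML; the records below are constructed, and the task names, user name and paths in them are illustrative.

```python
"""Added example: flag newly created scheduled tasks that resemble the
OpenSSH/Tor persistence described above. Illustrative code, not Cyble's.
Input records model Windows Security event 4698 (TaskName + TaskContent XML)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Binaries the campaign installs for covert remote access.
REMOTE_ACCESS_BINARIES = {"ssh.exe", "sshd.exe", "tor.exe"}
# Directories a standard user can write to; persistence binaries do not belong there.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.IGNORECASE)
# PowerShell switches typical of hidden, policy-bypassing or encoded launchers.
PS_SUSPICIOUS = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-(ep|executionpolicy)\s+bypass",
    re.IGNORECASE,
)


def analyse_task(task_xml: str) -> List[str]:
    """Return human-readable findings for one task definition (empty if benign)."""
    root = ET.fromstring(task_xml)
    findings: List[str] = []
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS)
    if hidden.strip().lower() == "true":
        findings.append("task is marked hidden")
    for action in root.findall("t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        binary = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if binary in REMOTE_ACCESS_BINARIES:
            findings.append(f"runs remote-access binary {binary}")
        if USER_WRITABLE.search(command):
            findings.append(f"binary lives in a user-writable path: {command}")
        if binary in {"powershell.exe", "pwsh.exe"} and PS_SUSPICIOUS.search(args):
            findings.append("powershell launched with hidden/bypass/encoded switches")
    return findings


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map TaskName -> findings for every event that produced at least one finding."""
    hits: Dict[str, List[str]] = {}
    for event in events:
        findings = analyse_task(event["TaskContent"])
        if findings:
            hits[event["TaskName"]] = findings
    return hits


# Minimal task XML in the Task Scheduler schema; only the fields inspected above.
TASK_TEMPLATE = (
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    "<Settings><Hidden>{hidden}</Hidden></Settings>"
    '<Actions Context="Author"><Exec><Command>{command}</Command>'
    "<Arguments>{args}</Arguments></Exec></Actions></Task>"
)


def task_event(name: str, command: str, args: str, hidden: bool = False) -> Dict[str, str]:
    """Build one constructed 4698-style record."""
    return {"TaskName": name,
            "TaskContent": TASK_TEMPLATE.format(hidden=str(hidden).lower(), command=command, args=args)}


# Constructed sample: one legitimate Windows task and three modelled on the campaign.
SAMPLE_EVENTS = [
    task_event(r"\Microsoft\Windows\Defrag\ScheduledDefrag",
               r"%windir%\system32\defrag.exe", "-c -h -o -$"),
    task_event(r"\OpenSSH Agent Update",
               r"C:\Users\jdoe\AppData\Local\OpenSSH\sshd.exe",
               r"-f C:\Users\jdoe\AppData\Local\OpenSSH\sshd_config", hidden=True),
    task_event(r"\TorService",
               r"C:\Users\jdoe\AppData\Roaming\tor\tor.exe", "-f torrc"),
    task_event(r"\Updater",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "-w hidden -ep bypass -enc BASE64PAYLOAD"),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_EVENTS).items():
        print(name)
        for finding in findings:
            print("   -", finding)
```

Each rule is deliberately narrow (binary name, writable path, hidden flag, launcher switches) so that a hit is explainable to the analyst; in a SIEM these would be combined with the creating user and process from the same 4698 record, and the legitimate OpenSSH-for-Windows install location would be added to an allowlist.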

3.2. Malvertising: Fake PuTTY and Teams Installers Deliver Malware

Rhysida ransomware operators are buying Bing search ads (which also surface in the Windows 11 Start menu search) that lead to fake PuTTY and Microsoft Teams installers. The downloads drop the OysterLoader and Latrodectus loaders, which give the operators initial access and are followed by hands-on lateral movement and ransomware deployment. Expel tracked the campaign through the code-signing certificates used to sign the fake installers.
Download tools only from the vendor's own site, check the publisher named in the installer's signature rather than just whether it is signed (the campaign's payloads carry valid signatures from certificates the operators obtained), and enforce application control so that unapproved installers cannot run.

Reference: https://expel.com/blog/certified-oysterloader-tracking-rhysida-ransomware-gang-activity-via-code-signing-certificates/

3.3. Hyper-V Abuse for Stealth Linux VMs

The Russia-linked Curly COMrades group has been observed enabling Windows Hyper-V on compromised hosts and running a small, hidden Linux virtual machine that hosts its backdoor and tunnelling tools. Because the implant runs inside the guest rather than on the Windows host, host-based EDR does not see its files or processes, and the VM's traffic leaves through the host's network stack (Hyper-V NAT), so command-and-control over HTTPS and SSH tunnels appears to come from the legitimate host.
Admins should disable Hyper-V where it is not needed, alert on the Hyper-V feature being enabled and on VM creation, inspect unexpected outbound HTTPS and SSH sessions from hosts that should not originate them, and prefer EDR that can see into guest VMs.

Reference: Bitdefender Labs research on the Curly COMrades Hyper-V technique

Defensive Recommendations

Patch all systems affected by the above CVEs immediately.

Block or quarantine archive attachments (ZIP) that contain LNK files at the email gateway, and constrain PowerShell on endpoints.

Audit outbound traffic for unexpected Tor or SSH connections, and audit hosts for Hyper-V being enabled or virtual machines being created where neither is expected.

Validate the digital signature and the publisher on all installers; a valid signature from an unexpected publisher is itself a warning sign.

Conduct regular awareness sessions to prevent social engineering and fake ad exposure.

Conclusion

This week’s advisory reinforces the urgency of proactive patching, threat monitoring, and user vigilance. From hardware-level crypto flaws to social engineering at scale, attackers are exploiting every vector to gain persistence and profit. Staying secure means staying updated—every week.

Stay secure. Stay informed.
Crowe Mak Technology – Cyber Threat Management

+971 542468006 | [email protected]
