European Air Travel Operations Disrupted

Weekly Cybersecurity Bulletin Updates (15 – 21 Sept. 2025)

9/24/2025

As cyber threats evolve rapidly, organizations must remain vigilant against new vulnerabilities, sophisticated attack campaigns, and targeted intrusions. The week of 15th–21st September 2025 witnessed critical disclosures, zero-day exploits, and high-profile threat activity across multiple sectors. This bulletin consolidates the most significant developments to help organizations strengthen their security posture.

  1. Vulnerability Disclosures

    1.1. Phoenix Attack Breaks DDR5 RowHammer Defenses

    CVE-2025-6202 | CVSS: 7.1 (High)
    Researchers from ETH Zürich and Google disclosed the Phoenix attack, a RowHammer variant that successfully bypasses DDR5 protections such as ECC and TRR. By exploiting refresh interval weaknesses, Phoenix enables privilege escalation in under two minutes.
    Impact: Risk of breaking cryptographic keys or escalating privileges in virtualized environments.
    Mitigation: Increase DRAM refresh rates, apply strict access controls, and use ECC/TRR-enhanced hardware.
    Read more:
    https://comsec-files.ethz.ch/papers/phoenix_sp26.pdf

    1.2. Jenkins Security Updates Against DoS and Data Exposure

    CVE-2025-5115, CVE-2025-59474, CVE-2025-59475, CVE-2025-59476 | CVSS up to 7.5 (High)
    Jenkins patched multiple vulnerabilities, including an HTTP/2 DoS flaw in Winstone-Jetty and permission-check omissions that exposed plugin data and agent names.
    Impact: Attackers could crash servers or enumerate sensitive configurations.
    Mitigation: Upgrade to Jenkins 2.528 or LTS 2.516.3; disable HTTP/2 if unpatched.
    Read more:
    https://www.jenkins.io/security/advisory/2025-09-17/

    1.3. Fortra GoAnywhere MFT Critical Vulnerability

    CVE-2025-10035 | CVSS: 10.0 (Critical)
    A deserialization flaw in the License Servlet lets a remote attacker who can forge a license response execute arbitrary commands. Prior GoAnywhere vulnerabilities were widely abused by ransomware groups.
    Impact: Remote command execution and possible ransomware deployment.
    Mitigation: Upgrade immediately to v7.8.4 or 7.6.3 (Sustain Release). Restrict internet exposure of the Admin Console.
    Read more:
    https://www.fortra.com/security/advisories/product-security/fi-2025-012

    1.4. Google Chrome Zero-Day Actively Exploited

    CVE-2025-10585 | CVSS: High
    Google released emergency patches for a V8 engine type confusion flaw actively exploited in the wild. This is Chrome’s sixth zero-day of 2025.
    Impact: Potential remote code execution via malicious web content.
    Mitigation: Update Chrome to 140.0.7339.185/.186 and apply updates across all Chromium-based browsers.
    Read more:
    https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop.html

  2. Active Attack Campaigns

    2.1. AI-Powered Attacks Target Hospitality Sector

    Threat group TA558 leveraged AI-generated phishing lures in Portuguese and Spanish to deliver Venom RAT. The malware can steal credit card data, tamper with Microsoft Defender, maintain persistence, and spread via USB.
    Mitigation: Deploy EDR solutions, segment hotel networks, patch Office vulnerabilities, and train staff on phishing recognition.
    Read more:
    https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/

    2.2. Gamaredon & Turla Collaboration in Ukraine

    ESET uncovered joint operations between Gamaredon and Turla, two Russian APT groups, deploying the Kazuar backdoor via PowerShell loaders. The campaign has targeted Ukrainian defense and government systems.
    Mitigation: Block C2 domains/IPs, deploy EDR to monitor .NET malware, and conduct phishing awareness training.
    Read more:
    https://www.welivesecurity.com/en/eset-research/gamaredon-x-turla-collab/

  3. Security News & Industry Impact

    3.1. UNC1549 Targets Telecom Networks with Advanced Phishing

    Iran-linked UNC1549 continues to exploit recruitment-themed phishing lures on LinkedIn, delivering the MINIBIKE backdoor. Attacks have impacted telecoms across 11 countries.
    Read more:
    https://catalyst.prodaft.com/public/report/modus-operandi-of-subtle-snail/overview#heading-1000

    3.2. SystemBC Botnet Powers Large-Scale DDoS

    The SystemBC botnet is hijacking over 1,500 VPS servers daily to rent out bandwidth for DDoS attacks, credential harvesting, and ransomware operations.
    Read more:
    https://blog.lumen.com/systembc-bringing-the-noise/

    3.3. CISA Alerts on Ivanti Zero-Day Exploits Affecting Aviation

    A cyberattack leveraging Ivanti EPMM flaws disrupted airline check-in and baggage systems at major European airports, causing long delays.
    Impact: Exposed vulnerabilities in aviation supply chains and third-party service providers.
    Read more:
    https://www.cisa.gov/news-events/alerts/2025/09/18/cisa-releases-malware-analysis-report-malicious-listener-targeting-ivanti-endpoint-manager-mobile

Conclusion

The developments from this week highlight the increasing sophistication of threat actors, the persistent targeting of critical infrastructure, and the accelerating pace of zero-day exploitation. Organizations must stay proactive by:

  • Patching critical software without delay.
  • Hardening endpoint defenses with EDR/XDR.
  • Enhancing staff awareness against phishing.
  • Monitoring network traffic for anomalous behaviors.

Staying informed and implementing layered defenses remain the best strategies against today’s fast-evolving cyber threat landscape. For industry-specific cyberthreat assessments, contact Crowe UAE’s Cyber Threat Management team: +971 55 343 8693 | [email protected]