The past week has seen significant developments in the global cybersecurity landscape, with critical vulnerabilities, sophisticated attack campaigns, and expanding malware threats. This advisory provides an overview of the most pressing incidents and actionable recommendations for organizations to strengthen their defenses.
Critical Vulnerabilities
Adobe Commerce Flaw (CVE-2025-54236)
Adobe disclosed a critical vulnerability affecting Adobe Commerce, Magento Open Source, and Adobe Commerce B2B. The flaw, known as SessionReaper, allows unauthenticated attackers to hijack customer accounts via the REST API. With a CVSS score of 9.1, it poses a major threat to e-commerce businesses, potentially enabling session hijacking and even remote code execution. Adobe has issued a hotfix and updated modules, while urging organizations to invalidate sessions, rotate API keys, and monitor logs immediately.
Read more: https://helpx.adobe.com/security/products/magento/apsb25-88.html
SAP NetWeaver and S/4HANA Patches
SAP released patches for multiple high-impact vulnerabilities, including a deserialization flaw (CVE-2025-42944) rated at CVSS 10.0. This bug enables remote attackers to execute arbitrary OS commands, leading to complete system compromise. Other patched issues included file upload vulnerabilities and missing authorization checks. Organizations are strongly advised to apply SAP’s September security notes, implement network segmentation, and enforce authorization controls.
Read more: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html
Microsoft Patch Tuesday (September 2025)
Microsoft addressed 80 vulnerabilities, eight of which were critical. Among them, a privilege escalation flaw in Azure Networking (CVE-2025-54914) and a remote code execution vulnerability in HPC Pack (CVE-2025-55232) stand out. Additionally, a Windows SMB flaw (CVE-2025-55234) could enable relay attacks if SMB signing is disabled. Immediate patching, enabling SMB signing, and auditing of credentials are strongly recommended.
Read more: https://msrc.microsoft.com/update-guide/releaseNote/2025-Sep
Attack Campaigns
Cornwell Quality Tools Data Breach
Cornwell Quality Tools disclosed a breach impacting more than 100,000 individuals, with compromised personal, financial, and even health data. The incident highlights the long-term risks of identity theft and fraud when personally identifiable information (PII) and protected health information (PHI) are exposed.
Read more: https://straussborrelli.com/2025/09/09/cornwell-quality-tools-data-breach-investigation-2/
FBI Alert: Salesforce Attacks by UNC6040 and UNC6395
The FBI issued a flash alert regarding cybercriminal groups targeting Salesforce platforms. Tactics included exploiting compromised OAuth tokens and using phishing/vishing to steal data via custom tools. Active exploitation has been confirmed, making it crucial for Salesforce users to revoke compromised tokens, enforce MFA, and audit API logs for anomalies.
Read more: https://www.ic3.gov/CSA/2025/250912.pdf
Emerging Threats in the Wild
TOR-Based Cryptojacking Campaign
Attackers are exploiting misconfigured Docker APIs to deploy containers linked to TOR networks, enabling stealthy cryptomining and botnet expansion. The campaign uses advanced persistence methods and could expand to additional services in the future. Restricting Docker APIs to localhost, enforcing TLS, and monitoring container activity are critical countermeasures.
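As an added example (not code from the original page or from Akamai's research), the following Python audits a Docker daemon.json for the two weak settings named above: a TCP listener bound beyond loopback, and a TCP listener served without mutual TLS. The two sample daemon.json documents are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json documents (not taken from the original page).
# Weak: the API is reachable on every interface, in plaintext, with no client auth.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Hardened: local socket plus a loopback-only TCP listener that requires client certs.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def audit_daemon_config(text):
    """Parse a daemon.json document and return a list of (listener, problem) findings.

    Two checks run for every tcp:// entry under "hosts":
      - bound to a non-loopback address (the API is remotely reachable), and
      - served without "tlsverify": true (no client certificate is required).
    unix:// and fd:// sockets are local by construction and are skipped.
    """
    cfg = json.loads(text)
    findings = []
    mutual_tls = cfg.get("tlsverify") is True and "tlscacert" in cfg
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue
        # An empty host part means "all interfaces", so treat it as exposed.
        host = urlsplit(listener).hostname or "0.0.0.0"
        if host not in LOOPBACK_HOSTS:
            findings.append((listener, "bound to non-loopback address " + host))
        if not mutual_tls:
            findings.append((listener, "tlsverify not enabled; no client certificate required"))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        problems = audit_daemon_config(doc)
        print(f"{label}: {len(problems)} finding(s)")
        for listener, problem in problems:
            print(f"  {listener}: {problem}")
```

Point the function at the contents of /etc/docker/daemon.json on each host to get a quick inventory of exposed API listeners before tightening them.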
Read more: https://www.akamai.com/blog/security-research/new-malware-targeting-docker-apis-akamai-hunt
Cross-Platform Malware: CHILLYHELL & ZynorRAT
Two newly identified malware families are targeting multiple operating systems:
CHILLYHELL, linked to suspected espionage actors, delivers modular backdoor capabilities on macOS.
ZynorRAT, a Go-based RAT, leverages Telegram for command-and-control, targeting Linux and Windows systems.
Organizations should enhance monitoring for unauthorized persistence mechanisms, revoke suspicious certificates, and enforce endpoint detection strategies.
Read more: https://www.jamf.com/blog/chillyhell-a-modular-macos-backdoor/
SonicWall SSL VPN Exploitation by Akira Ransomware
The Akira ransomware group continues to exploit a SonicWall SSL VPN vulnerability (CVE-2024-40766). Attackers bypass Active Directory controls, gain privileged access, and deploy ransomware across networks. With hundreds of victims already claimed, security teams must rotate credentials, patch affected appliances, and restrict portal access to internal networks.
Conclusion
This week’s advisories emphasize a recurring theme: unpatched vulnerabilities remain the most attractive entry points for attackers. With Adobe, SAP, and Microsoft releasing urgent updates, patch management is once again the frontline defense. At the same time, campaigns against Salesforce and SonicWall show how attackers increasingly target trusted business platforms and remote access solutions.
Organizations should:
Cybersecurity resilience depends on a proactive stance—anticipating threats, applying timely defenses, and ensuring visibility across infrastructure.
For tailored cybersecurity solutions, partner with Crowe UAE’s Cyber Threat Management team: +971 55 343 8693 | [email protected] to strengthen your defenses against evolving cyber security threats.