The week of September 22–28, 2025, saw a surge of critical security developments ranging from zero-day exploits to large-scale cyberattacks disrupting global enterprises. Organizations across industries must remain vigilant against both emerging vulnerabilities and advanced attack campaigns.
1. Vulnerability Details
1.1. Pandoc CVE-2025-51591
A newly disclosed SSRF vulnerability in Pandoc enables attackers to target AWS IMDS endpoints and attempt theft of EC2 IAM credentials. While IMDSv2 enforcement has blocked most attempts, unpatched applications on IMDSv1 remain at risk.
Mitigation: Enforce IMDSv2 and update Pandoc with sandbox options.
Read more: https://www.wiz.io/blog/imds-anomaly-hunting-zero-day
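As an added example (not code from the original post, from Wiz or from the Pandoc project), the following Python audits the MetadataOptions block of EC2 describe-instances output and flags instances that still answer IMDSv1, which is the configuration an SSRF like the Pandoc one can use to reach the credential endpoint. The response below is a constructed sample whose shape matches what boto3's ec2 describe_instances() returns; the instance IDs and tags are made up.

```python
"""Audit EC2 instance metadata options for IMDSv1 exposure (added example)."""
from typing import Dict, List

# Constructed sample in the shape of a boto3 ec2.describe_instances() response.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111example", "Tags": [{"Key": "Name", "Value": "docs-build"}],
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0bbb222example", "Tags": [{"Key": "Name", "Value": "api"}],
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ccc333example", "Tags": [],
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
}


def audit_imds(response: Dict) -> List[Dict]:
    """Return one finding per instance whose metadata service still accepts IMDSv1.

    An instance is exposed when the endpoint is enabled and HttpTokens is not
    "required": a plain GET from an SSRF then reaches the metadata service,
    whereas IMDSv2 first demands a PUT to obtain a session token.
    """
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled":
                continue  # IMDS disabled entirely: nothing to reach
            if opts.get("HttpTokens") == "required":
                continue  # IMDSv2 enforced
            name = next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == "Name"), "")
            findings.append({
                "InstanceId": inst["InstanceId"],
                "Name": name,
                "HopLimit": opts.get("HttpPutResponseHopLimit"),  # AWS recommends 1
                # Remediation: require session tokens (IMDSv2) on this instance.
                "Fix": (f"aws ec2 modify-instance-metadata-options --instance-id {inst['InstanceId']} "
                        "--http-tokens required --http-put-response-hop-limit 1"),
            })
    return findings


if __name__ == "__main__":
    for f in audit_imds(SAMPLE_RESPONSE):
        print(f"{f['InstanceId']} ({f['Name']}): IMDSv1 still allowed -> {f['Fix']}")
```

Feed it a live response with `audit_imds(boto3.client("ec2").describe_instances())` and the Fix field for each finding is the exact CLI command that enforces IMDSv2 on that instance.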
1.2. Cisco ASA Firewall Zero-Days
A state-sponsored campaign exploited multiple zero-days (CVE-2025-20362, -20333, -20363) in Cisco ASA firewalls, deploying RayInitiator (bootkit) and LINE VIPER (shellcode loader) malware for persistence, data theft, and command execution.
Mitigation: Apply vendor patches, enable Secure Boot, and disable unused VPN web services.
Read more: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
1.3. GitLab Denial-of-Service Flaws
Several high-severity DoS vulnerabilities (CVE-2025-10858, -8014) allow unauthenticated attackers to crash GitLab instances via crafted API and GraphQL queries.
Mitigation: Upgrade to versions 18.4.1, 18.3.3, or 18.2.7 immediately.
Read more: https://about.gitlab.com/releases/2025/09/25/patch-release-gitlab-18-4-1-released/
1.4. SolarWinds Web Help Desk RCE (CVE-2025-26399)
A critical unauthenticated RCE flaw in Web Help Desk could allow arbitrary command execution.
Mitigation: Apply Hotfix 1 to version 12.8.7 and restrict external exposure.
2. Attack Campaigns
2.1. Jaguar Land Rover Production Halt
A cyberattack forced Tata Motors’ Jaguar Land Rover to postpone its production restart until October 1, 2025. The incident underscores risks in IT/OT integration within the automotive sector.
Read more: https://media.jaguarlandrover.com/news/2025/09/statement-cyber-incident-4
2.2. Weaponized Microsoft Teams Installer
Malvertising campaigns leveraged a fake Teams installer signed with short-lived certificates to deliver Oyster malware.
Mitigation: Verify downloads from official sources and enable Microsoft Defender ASR rules.
Read more: https://conscia.com/blog/from-seo-poisoning-to-malware-deployment-malvertising-campaign-uncovered/
3. Security News
3.1. WerFaultSecure.exe Exploit on Windows 11 24H2
A new technique leverages WerFaultSecure.exe to dump unencrypted LSASS memory, harvesting NTLM hashes and plaintext passwords. The method bypasses PPL protections using a custom loader (WSASS). No active exploits reported beyond proof-of-concept.
Mitigation: Monitor WerFaultSecure.exe outside System32, validate PPL process calls, restrict error-reporting tools, and use EDR to detect anomalous dumps.
Read more: https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
3.2. Phishing Campaign Targets PyPI Maintainers
Attackers sent fraudulent emails mimicking official PyPI notices, redirecting users to spoofed domains to steal credentials. No PyPI compromise confirmed, but active exploitation observed.
Mitigation: Verify emails via official channels, enable MFA, monitor suspicious domains, and educate developers on phishing tactics.
Read more: https://blog.pypi.org/posts/2025-09-23-plenty-of-phish-in-the-sea/
3.3. AI-Generated Code Used to Evade Defenses
A phishing campaign used SVG attachments disguised as PDFs to deliver obfuscated JavaScript for credential theft. Microsoft Security Copilot detected non-human code complexity; attacks were blocked by Defender ASR.
Mitigation: Train employees on suspicious attachments, enable ASR, monitor for obfuscated scripts, and verify email senders.
Cybersecurity threats are evolving rapidly; proactive defense and rapid patching are critical to safeguarding digital infrastructure. Protect your business from evolving cyber threats. Start your security audit now. Contact: [email protected] | +971553438693 | crowe.com/ae