Cyber_Security

Weekly Cyber Security Bulletin (01 – 07 September 2025)

Cybersecurity Threat Advisory: SAP, Qualcomm, Cloudflare, and Linux Under Attack

9/10/2025

1. Vulnerability Details

1.1. SAP S/4HANA Critical Vulnerability (CVE-2025-42957)

A critical ABAP code injection flaw (CVE-2025-42957) in SAP S/4HANA is being actively exploited, allowing low-privileged users to bypass authorization and gain full system control, including creating superusers, modifying databases, and stealing credentials. Large-scale attacks have not yet been observed, but the flaw is straightforward to exploit.

SAP patched the issue in August 2025. Organizations are urged to apply updates, monitor for suspicious RFC activity, restrict risky authorizations, enable SAP UCON, segment systems, and maintain backups.

More details: https://community.sap.com/t5/enterprise-resource-planning-blog-posts-by-sap/protect-your-sap-s-4hana-from-critical-code-injection-vulnerability-cve/ba-p/14208866

1.2. Qualcomm Critical Vulnerabilities (CVE-2025-21483, CVE-2025-27034)

On September 2, 2025, Qualcomm revealed two critical RCE vulnerabilities—CVE-2025-21483 and CVE-2025-27034—each with a CVSS score of 9.8. The first involves a heap-based buffer overflow in RTP packet reassembly, enabling kernel-level code execution without user interaction. The second stems from improper array index validation in PLMN response handling, allowing memory corruption and privilege escalation. Affected chipsets include Snapdragon 8 Gen1/Gen2, FastConnect 7800, X55, and various IoT/automotive modems.

While no active exploits are confirmed, the zero-click nature demands urgent patching. Qualcomm’s September 2025 Security Bulletin urges OEMs to apply fixes and implement strict SELinux policies, traffic filtering, and bounds-checking routines.

More details: https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html

1.3. IBM Watsonx SQL Injection Vulnerability (CVE-2025-0165)

On September 1, 2025, IBM disclosed a high-severity Blind SQL injection vulnerability (CVE-2025-0165) in the Watsonx Orchestrate Cartridge for IBM Cloud Pak for Data. Caused by improper input sanitization (CWE-89), the flaw allows low-privilege authenticated users to inject malicious SQL via exposed API endpoints, potentially enabling unauthorized data access, modification, or deletion. It affects versions 4.8.4–4.8.5 and 5.0.0–5.2, compromising database confidentiality (high), integrity (low), and availability (low). IBM released a fix in version 5.2.0.1 with strict input validation and parameterized queries.

No workarounds exist; mitigation consists of upgrading, monitoring logs, deploying WAFs, and enforcing least privilege. While no active exploits are confirmed, the vulnerability's low complexity and network accessibility demand urgent attention.

More details: https://www.ibm.com/support/pages/security-bulletin-ibm-watsonx-orchestrate-cartridge-affected-vulnerability-blind-sql-injection

1.4. TP-Link Router Flaws (CVE-2023-50224, CVE-2025-9377)

On September 4, 2025, CISA added two actively exploited TP-Link router vulnerabilities—CVE-2025-9377 and CVE-2023-50224—to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-9377 (CVSS 8.6) is an OS command injection flaw enabling remote code execution on Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. CVE-2023-50224 (CVSS 6.5) allows authentication bypass via spoofing in the httpd service of TL-WR841N, exposing stored credentials. Affected models, including TL-WR841N/ND and Archer C7, are end-of-life, though TP-Link issued firmware updates in November 2024 following botnet exploitation by China-linked Storm-0940. Exploitation risks include unauthorized access, credential theft, and full network compromise.

Mitigation requires firmware updates, hardware upgrades, internet isolation, disabling remote management, and monitoring port 80 traffic. FCEB agencies must act by September 24, 2025.

More details: https://www.cisa.gov/news-events/alerts/2025/09/03/cisa-adds-two-known-exploited-vulnerabilities-catalog

2. Attack Campaigns

2.1. Record-Breaking 11.5 Tbps DDoS Attack Blocked by Cloudflare

On September 3, 2025, Cloudflare mitigated a massive 11.5 Tbps DDoS attack, part of a surge in hyper-volumetric incidents driven by botnets of infected IoT and cloud devices. The attack, mainly a UDP flood, lasted 35 seconds and followed thousands of similar events in Q2 2025. Concurrently, Bitsight reported the takedown of the RapperBot botnet, which had exploited NVR web servers to leak credentials and deploy malware via NFS mounts. RapperBot used DNS-based C2 channels and brute-force scanning to propagate.

Mitigation includes DDoS protection, firmware patching, restricting NFS/web access, and blocking known malicious domains and IPs. Active exploitation has been confirmed.

More details: https://blog.cloudflare.com/ddos-threat-report-for-2025-q2/

2.2. Ollama AI Servers Exposed Online

On September 4, 2025, Meterpreter analysts uncovered over 1,100 Ollama AI servers exposed online without proper security, with 20% actively serving models like mistral:latest and llama3.1:8b. These instances allow unauthorized access, model extraction, and backdoor injection via open APIs, while inactive servers remain vulnerable to uploads and DoS attacks. Most exposures were found in the U.S. (36.6%), China (22.5%), and Germany (8.9%). No CVE is assigned, but the lack of authentication and network protection enables easy exploitation.

Mitigation includes binding to localhost, using reverse proxies with authentication, changing default ports, applying rate limits, and auditing with Shodan or Nmap.

More details: https://blogs.cisco.com/security/detecting-exposed-llm-servers-shodan-case-study-on-ollama

3. Security News

3.1. Cloudflare Data Breach via Salesforce Integration

  • Threat actor GRUB1 exfiltrated support case data, affecting Cloudflare, Palo Alto, Zscaler, and Google.
  • Mitigation: Rotate credentials, disable risky third-party integrations, audit Salesforce access.

More details: https://blog.cloudflare.com/response-to-salesloft-drift-incident/

3.2. GhostRedirector Campaign Targets Windows Servers

  • China-linked actor compromised 65 servers using SQLi and PowerShell to deploy Rungan backdoor & Gamshen IIS module.
  • Mitigation: Disable xp_cmdshell, audit IIS modules, strengthen SQLi defenses.

More details: https://www.welivesecurity.com/en/eset-research/ghostredirector-poisons-windows-servers-backdoors-side-potatoes/
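For the GhostRedirector item above, an added PowerShell script (not from the bulletin or from ESET's report) that implements the two listed mitigations: it audits IIS native modules for DLLs that are unsigned, not Microsoft-signed, missing on disk, or loaded from outside %windir%\System32\inetsrv, then disables xp_cmdshell on the SQL Server instance. It assumes the WebAdministration and SqlServer PowerShell modules are installed, that it runs elevated on the web server, and that the $SqlInstance parameter you pass names the affected SQL Server (hypothetical default 'localhost').

```powershell
# Added example (not from the bulletin or ESET's report): audit IIS native
# modules for unsigned or out-of-place DLLs, then disable xp_cmdshell.
# Assumes the WebAdministration and SqlServer modules are installed and that
# $SqlInstance points at the affected SQL Server; run elevated on the web server.
param([string]$SqlInstance = 'localhost')   # hypothetical default

Import-Module WebAdministration

$inetsrv = Join-Path $env:windir 'System32\inetsrv'
$findings = foreach ($m in Get-WebGlobalModule) {
    # Module image paths are stored with environment variables, e.g. %windir%
    $path    = [Environment]::ExpandEnvironmentVariables($m.Image)
    $reasons = @()
    if (-not (Test-Path $path)) {
        $reasons += 'image missing on disk'
    } else {
        $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if (-not $sig -or $sig.Status -ne 'Valid')          { $reasons += 'unsigned/invalid signature' }
        elseif ($signer -notmatch 'O=Microsoft Corporation') { $reasons += "signer: $signer" }
    }
    if (-not $path.StartsWith($inetsrv, 'OrdinalIgnoreCase')) { $reasons += 'outside inetsrv' }
    [pscustomobject]@{
        Module     = $m.Name
        Image      = $path
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# A legitimate native module is normally a Microsoft-signed DLL under inetsrv;
# anything flagged here (a Gamshen-style module would be) deserves a manual look.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Close the SQL Server foothold: turn off xp_cmdshell and confirm the change.
# sp_configure needs 'show advanced options' enabled before it will touch xp_cmdshell.
$tsql = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $tsql
```

The final SELECT should report value_in_use = 0; Invoke-Sqlcmd needs a login with sysadmin rights on the instance.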

3.3. Linux Kernel Race Condition Vulnerability (CVE-2025-38352)

  • Added to CISA KEV list; exploited for privilege escalation & data tampering.
  • Mitigation: Apply vendor patches immediately; patch deadline for U.S. federal agencies: Sept 25, 2025.

More details: https://www.cisa.gov/news-events/alerts/2025/09/04/cisa-adds-three-known-exploited-vulnerabilities-catalog

Key Takeaway: Immediate patching of SAP, Qualcomm, TP-Link, and Linux vulnerabilities is critical. Organizations must strengthen DDoS defenses, secure exposed AI servers, and review third-party integrations to prevent breaches.

For industry-specific threat assessments, contact Crowe UAE’s Cyber Threat Management team:
📞+971 55 343 8693 | 📧[email protected]