Weekly Cyber Security Bulletin

Cyber Threat Advisory & Cyber Security News (25 – 31 August 2025)

9/2/2025

Cybersecurity continues to evolve rapidly, with new vulnerabilities, ransomware campaigns, and sophisticated phishing techniques emerging each week. The period from 25th to 31st August 2025 was particularly eventful, marked by critical zero-day exploits, ransomware targeting remote desktop environments, and large-scale security alerts from major tech providers. This bulletin highlights the most significant security developments, including vulnerabilities, attack campaigns, and industry news.

1. Vulnerability Details

i. FreePBX Zero-Day Exploited in the Wild (CVE-2025-57819, CVSS 10.0)

On 28th August 2025, a critical zero-day exploit was discovered in FreePBX versions 15–17, impacting the commercial Endpoint Manager module. The flaw enables unauthenticated remote code execution (RCE) on internet-exposed Administrator Control Panels (ACP). Attackers have been exploiting this vulnerability since 21st August 2025, leaving clear indicators such as missing configuration files, suspicious scripts, and unusual database entries.
Mitigation: Administrators are urged to disable external ACP access, apply the latest fixes, restore from clean backups, and rotate credentials immediately.

Read more: https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203

ii. Linux UDisks Daemon Privilege Escalation (CVE-2025-8067, CVSS 8.5)

A flaw in the Linux UDisks daemon allows local privilege escalation through improper validation of file descriptor lists. This vulnerability could expose sensitive data, including cryptographic keys, or crash system processes. It primarily affects Red Hat Enterprise Linux versions 6–10.
Mitigation: Apply Red Hat patches immediately, restrict loop device creation, and monitor for abnormal D-BUS activity.

Read more: https://access.redhat.com/security/cve/CVE-2025-8067

iii. Kea DHCP Server Denial-of-Service (CVE-2025-40779, CVSS 7.5)

A single crafted DHCPv4 packet can crash vulnerable versions of the Kea DHCP server, leading to a denial-of-service condition. Though no active exploits are reported, the simplicity of the attack makes it highly concerning.
Mitigation: Upgrade immediately to Kea 3.0.1 or 3.1.1 and monitor DHCP logs for anomalies.

Read more: https://kb.isc.org/docs/cve-2025-40779

iv. Multiple Hikvision Vulnerabilities (CVE-2025-39247, CVE-2025-39245, CVE-2025-39246)

HikCentral products were found to contain three separate vulnerabilities, the most critical (CVSS 8.6) enabling unauthenticated attackers to escalate privileges via weak API endpoint authentication. Other flaws include CSV injection and unquoted service path exploitation.
Mitigation: Apply vendor patches, segment networks, and monitor suspicious API usage.

Read more: https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-some-hikcentral-products/

2. Attack Campaigns

i. Cephalus Ransomware Targets RDP

The newly identified Cephalus ransomware leverages weak RDP credentials without MFA to gain access. Once inside, it uses DLL sideloading, PowerShell-based defense evasion, shadow copy deletion, and file encryption with a .sss extension. Ransom notes reference past incidents to pressure victims.
Mitigation: Enforce MFA on RDP, deploy EDR solutions, and maintain offline backups.

Read more: https://www.huntress.com/blog/cephalus-ransomware
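As an added illustration (not code from Huntress or from this bulletin), the Python below runs simple detection logic over constructed endpoint log lines for the Cephalus behaviours listed above: shadow copy deletion, hidden or bypass PowerShell launches, and a burst of files written with the .sss extension. The key=value log format, the burst threshold and the command patterns are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample endpoint log lines (not real telemetry) in a key=value format
# assumed for this example; they mimic the Cephalus behaviours the bulletin lists.
SAMPLE_LOGS = """\
2025-08-27T03:10:02Z host=WS01 event=process image=vssadmin.exe cmd="vssadmin delete shadows /all /quiet"
2025-08-27T03:10:05Z host=WS01 event=process image=powershell.exe cmd="powershell -ep bypass -w hidden -c Get-Process"
2025-08-27T03:11:10Z host=WS01 event=file_write path=C:\\Users\\a\\Documents\\q3.xlsx.sss
2025-08-27T03:11:10Z host=WS01 event=file_write path=C:\\Users\\a\\Documents\\plan.docx.sss
2025-08-27T03:11:11Z host=WS01 event=file_write path=C:\\Users\\a\\Desktop\\notes.txt.sss
2025-08-27T03:11:11Z host=WS01 event=file_write path=C:\\Users\\a\\Pictures\\img1.jpg.sss
2025-08-27T03:11:12Z host=WS01 event=file_write path=C:\\Users\\a\\Pictures\\img2.jpg.sss
2025-08-27T09:00:00Z host=WS02 event=file_write path=C:\\Users\\b\\Documents\\budget.xlsx
2025-08-27T09:00:30Z host=WS02 event=process image=vssadmin.exe cmd="vssadmin list shadows"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SHADOW_DELETE_RE = re.compile(r"vssadmin\s+delete\s+shadows", re.I)
PS_EVASION_RE = re.compile(r"-ep\s+bypass|-w\s+hidden", re.I)  # assumed evasion switches
ENCRYPTED_EXT = ".sss"      # extension the bulletin reports for Cephalus
BURST_THRESHOLD = 5         # assumed: .sss writes per host per minute that count as a burst

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; quoted values keep their spaces."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields

def detect_cephalus(log_text):
    """Return {host: set of indicator names} for hosts showing Cephalus-like activity."""
    findings = {}
    sss_writes = Counter()  # (host, minute bucket) -> number of .sss files written
    for raw in log_text.strip().splitlines():
        f = parse_line(raw)
        host, event, cmd = f.get("host", "?"), f.get("event"), f.get("cmd", "")
        if event == "process":
            if SHADOW_DELETE_RE.search(cmd):
                findings.setdefault(host, set()).add("shadow_copy_deletion")
            if "powershell" in f.get("image", "").lower() and PS_EVASION_RE.search(cmd):
                findings.setdefault(host, set()).add("powershell_defense_evasion")
        elif event == "file_write" and f.get("path", "").lower().endswith(ENCRYPTED_EXT):
            bucket = (host, f["ts"][:16])  # e.g. ('WS01', '2025-08-27T03:11')
            sss_writes[bucket] += 1
            if sss_writes[bucket] >= BURST_THRESHOLD:
                findings.setdefault(host, set()).add("sss_encryption_burst")
    return findings
```

Running `detect_cephalus(SAMPLE_LOGS)` flags only WS01, with all three indicators; WS02, which merely lists shadow copies and writes a normal file, is not reported.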

ii. Citrix Zero-Day Exploited on 28,000+ Exposed Instances (CVE-2025-7775)

A critical RCE vulnerability in Citrix NetScaler ADC and Gateway has been added to CISA’s Known Exploited Vulnerabilities catalog. With over 28,200 exposed systems affected, attackers can gain full control of unpatched instances.
Mitigation: Apply security patches immediately, isolate vulnerable servers, deploy WAF rules, and monitor for suspicious nsroot logins.

Read more: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938

3. Security News

i. Google Security Alert: 2.5 billion Gmail Users Notified

Following a Salesforce breach in June 2025 attributed to ShinyHunters, Google advised its 2.5 billion Gmail users to reset their passwords. Although only business contact details were stolen, the data can fuel targeted phishing and vishing campaigns.
Mitigation: Enable two-factor authentication, reset passwords, and remain vigilant for suspicious emails or calls.

Read more: https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion

ii. Nagios XI XSS Vulnerability

A newly disclosed cross-site scripting (XSS) flaw in Nagios XI’s Graph Explorer allows attackers to execute malicious JavaScript via crafted URLs.
Mitigation: Upgrade to Nagios XI 2024R2.1, apply WAF rules, and train users to recognize suspicious links.

Read more: https://www.nagios.com/products/security/

iii. Microsoft Teams Phishing Campaign

A sophisticated social engineering campaign targets Microsoft Teams users by impersonating IT helpdesk staff from malicious tenants. Victims are tricked into enabling screen sharing, potentially granting attackers full access to corporate environments.
Mitigation: Disable external Teams communication, enforce MFA, monitor logs for suspicious foreign tenant activity, and conduct user awareness training.

Read more: https://www.hunters.security/en/blog/microsoft-teams-phishing-fake-it-helpdesk?utm_campaign=21008660-%5BThreat%20research%5D%20Microsoft%20Teams%20Phishing&utm_source=twitter&utm_medium=social

Conclusion

The last week of August 2025 underscores the multi-dimensional nature of today’s cyber risks—from critical software vulnerabilities to advanced ransomware and phishing campaigns. Organizations must maintain robust patching strategies, enforce multi-factor authentication, invest in endpoint detection, and continuously educate employees. Proactive defense remains the best shield against evolving threats.

Looking to strengthen your cybersecurity posture? Reach out to our Cyber Threat Management team at Crowe UAE for consultation, compliance guidance, and tailored solutions across the UAE and GCC.
📞 +971 55 343 8693 | 📧 [email protected]