Weekly Threat Advisory – 4 to 10 August 2025

8/12/2025

From critical zero-click exploits to mass-scale cybercrime campaigns, this week’s threat landscape highlights the increasing sophistication of cyberattacks targeting enterprises and individuals worldwide.

Vulnerability Highlights

  • Trend Micro Apex One (On-Premise) Critical RCE Flaws
    Two command injection vulnerabilities (CVE-2025-54948, CVE-2025-54987, CVSS 9.4) in Apex One’s on-premise management console could let unauthenticated attackers upload malicious code and execute OS commands. The issue stems from insufficient input validation and affects multiple CPU architectures. Trend Micro has released a mitigation tool and urges customers to apply it immediately. Read more: https://success.trendmicro.com/en-US/solution/KA-0020652
  • Android Zero-Click RCE
    A critical flaw (CVE-2025-48530, CVSS 8.6) in the Android System component allows remote code execution without user interaction when combined with other bugs. Affecting Android versions prior to the 2025-08-05 patch level, it poses high risks despite no confirmed active exploitation. Google has patched the issue, urging all users to update immediately, verify their patch level, and enable Google Play Protect. Read more: https://source.android.com/docs/security/bulletin/2025-08-01

  • Axis Camera Server Vulnerabilities
    Four flaws (CVE-2025-30023 to CVE-2025-30026) in Axis surveillance products impact over 6,500 servers worldwide, including a critical RCE (CVSS 9.0) that could enable camera feed hijacking and network compromise. Other issues include MITM attacks, privilege escalation, and authentication bypass. No active exploitation is reported. Security updates are available, and mitigations include patching, restricting ports 55752–55754, enforcing firewall rules, and monitoring NTLM traffic. Read more: https://claroty.com/team82/research/turning-camera-surveillance-on-its-axis

  • Linux Kernel / CodeIgniter Exploit Path
    A high-severity flaw (CVE-2025-38236, CVSS 7.8) in the Linux kernel’s AF_UNIX MSG_OOB feature can let attackers escape Chrome’s Linux renderer sandbox and gain full kernel control. The bug, present since kernel 5.15, is exploited via unfiltered syscalls and kernel memory manipulation. Patches for the Linux kernel and Chrome sandbox have been released. Users should update both, restrict risky syscalls, and disable MSG_OOB where possible. No active exploitation is confirmed. Read more: https://googleprojectzero.blogspot.com/2025/08/from-chrome-renderer-code-exec-to-kernel.html

Notable Attack Campaigns

  • ClickTok Phishing Network – Over 10,000 fake TikTok Shop domains distributing spyware via trojanized apps, targeting credentials, crypto wallets, and session tokens in multiple countries. Read more: https://cdn.prod.website-files.com/66fbdb04ee8bb0436308fc15/68906c27437cf47518aba368_ClickTok-SparkKitty-TikTok-Shop-Scam-Report.pdf.pdf

Security Recommendations

  • Patch Promptly – Apply all relevant vendor updates, including Android August 2025 security patches, Trend Micro Apex One fixes, and Linux kernel updates.
  • Harden Network & Application Security – Restrict unnecessary ports, enforce MFA, monitor for anomalous API calls, and block suspicious outbound traffic.
  • Educate End Users – Raise awareness about phishing, fake domains, and malicious browser extensions.
  • Adopt Modern Protocols – Move from HTTP/1.1 to HTTP/2 where possible to eliminate certain desynchronization attacks.

Cybercriminals are increasingly blending advanced techniques with mass-distribution tactics, making proactive defense, timely patching, and user vigilance more critical than ever.

For industry-specific threat assessments, contact the Crowe Cyber Threat Management team at Crowe UAE, +971 55 343 8693, [email protected]