CyberDudeBivash ThreatWire — Breaking Threat Intel (Today)

Executive summary

  • Act now: A newly disclosed WinRAR zero-day (CVE-2025-8088) is under active exploitation by the RomCom group via weaponized archives (job-application lures). Update WinRAR/UnRAR immediately and hunt for archive-driven execution chains. (Sources: The Hacker News, WeLiveSecurity, Infosecurity Magazine)

  • Microsoft Exchange (Hybrid): CISA Emergency Directive ED-25-02 mandates rapid mitigations for CVE-2025-53786 across hybrid deployments; enterprises should mirror federal urgency. (Source: CISA)

  • Education sector hit: UWA (Australia) forced a mass password reset after a breach; IIT Roorkee (India) exposed >30k records (including financial and demographic data). Expect credential replay and targeted phishing against affected communities. (Sources: ABC, Cyber Daily, 9News, ETGovernment.com, The Economic Times, Navbharat Times)


1) WinRAR zero-day (CVE-2025-8088) — in the wild

What’s happening: ESET and multiple outlets confirm active exploitation; lures mimic HR/finance documents. Targeted sectors include financial, defense, manufacturing, and logistics organizations in Europe and Canada.
Why it matters: Opening a booby-trapped archive can lead to code execution and quick post-exploitation pivots.
Immediate actions

  • Patch to the latest WinRAR build across endpoints (include UnRAR.dll, CLI/portable installs).

  • Email gateway: temporarily quarantine .rar attachments and detonate archives in sandbox.

  • Hunt: parent = Outlook/Teams/Chrome ⇒ child = rar/unrar; file bursts in %TEMP%; unsigned DLL loads; rapid network egress within 60 s. (Sources: The Hacker News, WeLiveSecurity)


2) Exchange Hybrid — CVE-2025-53786

Status: CISA’s ED-25-02 sets strict steps & timelines for US agencies; enterprises with hybrid Exchange should apply the same playbook.
Risk: Post-auth paths in legacy/hybrid configurations can lead to domain compromise.
Actions

  • Apply vendor mitigations/patches; verify hybrid trust; reduce legacy auth.

  • Rotate service principal secrets, OAuth certs, and privileged creds.

  • Monitor for spikes in activity under the Exchange Online PowerShell app ID, role or transport-rule changes, and anomalous OAuth flows. (Source: CISA)


3) Higher-ed incidents: UWA & IIT Roorkee

UWA (Australia): Unauthorized access to password information → forced resets; students/staff temporarily locked out. Expect phishing leveraging reset notices. (Sources: ABC, Cyber Daily, 9News)
IIT Roorkee (India): >30,000 students/alumni records (including contact, finance, caste data) reportedly exposed for years; investigation open. High risk of targeted fraud. (Sources: ETGovernment.com, The Economic Times, Navbharat Times)
Actions (both): Enforce MFA, dark-web credential monitoring, domain-typosquat takedowns, and breach-specific awareness campaigns.


Detection & hunting quick hits (copy to SOC)

  • Archive exploitation chain: alert when email client/browser ⇒ rar/unrar ⇒ script/LOLBin; look for rclone, PowerShell download-exec, or AMSI bypass attempts.

  • Exchange hybrid:

    • New/modified ManagementRoleAssignment, mailbox forwarding rules to external domains.

    • Service principal anomalies; unusual consent grants; impossible-travel AAD sign-ins.

  • Edu breaches: sudden spikes in SSPR, VPN lockouts, or mass device enrolments after password resets.
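The archive exploitation chain from the hunt bullets above (mail client or browser ⇒ rar/unrar ⇒ script host or LOLBin, then fast egress) as a small hunt over process and network telemetry. This is an added example, not code from the original post; the events are constructed Sysmon-style records with hypothetical field names (pid, ppid, image, ts, dst), and the process and LOLBin name lists are assumptions you would tune to your estate.

```python
# Added example, not from the original post: hunt constructed Sysmon-style
# telemetry for the chain above (mail client / browser -> WinRAR/UnRAR ->
# script host or LOLBin, then egress within 60 s). Field names are hypothetical.
from collections import defaultdict

LAUNCHERS = {"outlook.exe", "teams.exe", "chrome.exe", "msedge.exe"}
ARCHIVERS = {"winrar.exe", "unrar.exe", "rar.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "rclone.exe"}
EGRESS_WINDOW_S = 60


def _basename(image):
    # Lower-case file name of an image path, whichever slash style the log uses.
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_archive_chains(proc_events, net_events):
    """Return one dict per launcher -> archiver -> LOLBin chain found; 'egress'
    is True when the LOLBin opened an outbound connection within 60 s of start."""
    by_pid = {e["pid"]: e for e in proc_events}
    children = defaultdict(list)
    for e in proc_events:
        children[e["ppid"]].append(e)
    first_egress = {}  # pid -> earliest outbound connection for that process
    for n in sorted(net_events, key=lambda n: n["ts"]):
        first_egress.setdefault(n["pid"], n)
    chains = []
    for arch in proc_events:
        if _basename(arch["image"]) not in ARCHIVERS:
            continue
        launcher = by_pid.get(arch["ppid"])
        if launcher is None or _basename(launcher["image"]) not in LAUNCHERS:
            continue  # archiver started from Explorer etc.: ordinary extraction
        for child in children[arch["pid"]]:
            if _basename(child["image"]) not in LOLBINS:
                continue
            net = first_egress.get(child["pid"])
            egress = net is not None and 0 <= net["ts"] - child["ts"] <= EGRESS_WINDOW_S
            chains.append({"launcher": launcher["pid"], "archiver": arch["pid"],
                           "lolbin": child["pid"], "egress": egress})
    return chains


# Constructed sample: a benign Explorer-driven extraction (400/500) and one
# suspicious Outlook -> WinRAR -> PowerShell chain (100/200/300) with fast egress.
PROC = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "ts": 1000},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\WinRAR\WinRAR.exe", "ts": 1010},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ts": 1012},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "ts": 900},
    {"pid": 500, "ppid": 400, "image": r"C:\Program Files\WinRAR\WinRAR.exe", "ts": 950},
]
NET = [{"pid": 300, "ts": 1030, "dst": "203.0.113.5:443"}]  # TEST-NET-3 placeholder
```

Run `find_archive_chains(PROC, NET)` to get the single suspicious chain; the Explorer-launched WinRAR is ignored, so the rule does not fire on routine extractions.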


Mitigation checklist (today)

  1. Patch WinRAR/UnRAR everywhere; confirm via software inventory. (Source: The Hacker News)

  2. Quarantine .rar in mail for 1–2 weeks; sandbox detonation.

  3. Identity hardening: enforce FIDO2/WebAuthn, enable Continuous Access Evaluation in M365, and bind tokens to device posture.

  4. Exchange: execute ED-25-02 steps (disable legacy, rotate secrets, validate Graph migration plan). (Source: CISA)

  5. Backups: test restore; protect with immutability/offline copies.

  6. Comms: user advisories on archive lures and fake password-reset scams (UWA/IIT themes).
