🚨 CyberDudeBivash ThreatWire — Breaking Cyber Incidents (Last 24–48 Hours) By CyberDudeBivash — Cybersecurity & AI Expert

1) Trend Micro Apex One Zero-Days — Console Takeover & RCE

What happened
Active exploitation continues against the Trend Micro Apex One (on-prem) Management Console via command-injection flaws (CVE-2025-54948, CVE-2025-54987, plus a closely related variant). Successful attacks enable unauthenticated / low-auth RCE, giving adversaries control over endpoint policy, agent rollout, and tamper settings. Sources: Dark Reading; success.trendmicro.com

Why you should care
Compromising the security console lets attackers disable EDR, push malicious updates, and move laterally. This is a crown-jewel system for any enterprise Endpoint Protection Platform.

Immediate actions

  • Restrict console to VPN / IP allowlist; remove internet exposure.

  • Apply vendor fix tools / patches as published; monitor for the official roll-up. success.trendmicro.com

  • Hunt for console-spawned shells (e.g., cmd.exe, powershell, bash) and suspicious admin logins.


2) CISA Emergency Directive — Microsoft Exchange Hybrid (CVE-2025-53786)

What happened
CISA issued Emergency Directive ED-25-02, ordering federal agencies to mitigate a high-severity Exchange flaw in hybrid deployments. Risk: an on-prem Exchange web exploit can be leveraged to pivot into Microsoft 365/Entra ID, potentially enabling mailbox access and tenant-level persistence. Sources: CISA; BleepingComputer

Why you should care
Hybrid orgs hold OAuth trust between on-prem and M365. If trust material or app permissions are abused, it becomes a cloud identity problem (IAM/IDP).

Immediate actions

  • Patch Exchange; rotate hybrid OAuth certs/trust (re-run HCW).

  • Revoke refresh tokens; audit Enterprise Apps / Service Principals for high-privilege scopes.

  • Hunt for new Inbox/Transport rules and MailItemsAccessed spikes in Exchange Online. CISA


3) ShinyHunters vs. Google — Salesforce Org Breach via Vishing

What happened
ShinyHunters (UNC6040) breached a Google-managed Salesforce instance via voice phishing (vishing) and social engineering, stealing SMB customer data. This campaign tracks with broader Salesforce-focused attacks. Sources: IT Pro; BleepingComputer; The Times of India

Why you should care
This isn’t a Salesforce platform zero-day; it’s supply-chain + human. CRM orgs with over-permissioned API apps + weak MFA are prime targets.

Immediate actions

  • Enforce MFA / phishing-resistant auth for Salesforce; restrict app installs.

  • Turn on Event Monitoring; alert on large SOQL exports and unusual API clients.

  • Apply least-privilege sharing rules; review third-party integrations. IT Pro


4) Bouygues Telecom Breach — 6.4M Records Including IBANs

What happened
Bouygues Telecom confirmed a breach impacting ~6.4M customers, with exposed PII, contractual details, and IBAN banking data. Detection occurred Aug 4; disclosure followed within the last day. Sources: BleepingComputer; Security Affairs

Why you should care
Telecom CRMs are high-value targets: PII + financial fields fuel fraud, SIM-swap, and phishing. GDPR exposure is significant.

Immediate actions

  • Customers: enable banking alerts, set a SIM-change PIN, and beware of Bouygues-themed phishing.

  • Telcos: encrypt sensitive columns at rest; throttle bulk exports; add behavioral analytics on data pulls. BleepingComputer


5) 6,500 Axis Remoting Servers Exposed — AitM & RCE on Surveillance Estates

What happened
Researchers disclosed Axis.Remoting protocol flaws (CVE-2025-30023, CVE-2025-30024, CVE-2025-30025, CVE-2025-30026). Internet scans show 6,500+ exposed servers (≈4,000 U.S.). Chained exploitation can yield pre-auth RCE, camera takeover, and internal pivot from Axis Device Manager / Camera Station. Sources: Claroty; The Hacker News; SC Media

Why you should care
Video estates are often flat-networked OT/IoT. RCE on the management plane = facility blind spots, espionage, and lateral movement into corporate networks.

Immediate actions

  • Patch to Camera Station ≥5.58, Pro ≥6.9, Device Manager ≥5.32; pull management off the internet (VPN/firewall). The Hacker News

  • Monitor for AitM attempts and enumerate exposed endpoints for takedown. Claroty


6) HashiCorp Vault — Nine Zero-Days (Lockout/MFA Bypass, Impersonation, RCE Paths)

What happened
At Black Hat USA 2025, researchers disclosed nine zero-days in HashiCorp Vault (and additional issues in Conjur), including MFA bypass, username enumeration, policy escalation, and risky audit-backend behaviors enabling code execution under certain configurations. Fixes are landing; open-source ecosystem projects report parallel patches. Sources: Dark Reading; Cyata; Hacker News

Why you should care
Vault is the secrets backbone for CI/CD and multi-cloud. A compromise spirals into token leakage and infrastructure takeover.

Immediate actions

  • Upgrade to latest Vault builds; harden auth methods; review policies/tokens.

  • Monitor for new plugins/audit backends, unusual auth attempts, and privilege escalations. Dark Reading


Defender’s Playbook (Copy/Paste)

SIEM hunts (HTTP edge)

  • Flag query keys/headers like Camel*, CamelExec* (Camel header-injection patterns), and Axis.Remoting service exposure.

  • Spike detection on 5xx near /ECP, /Autodiscover, /owa, and Apex One console paths.
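The two edge hunts above, as an added example that is not part of the original post: a small Python hunt over constructed web-server log lines in a simplified format (timestamp, method, request target, status, header names), flagging Camel-prefixed query keys and header names and counting 5xx responses on the Exchange paths listed in 5-minute bins. The log format, the sample lines, and the Apex One console path placeholder are assumptions; a real deployment would swap in its own proxy/WAF parser and the console's actual path.

```python
"""Added example: edge-log hunt for Camel* injection markers and 5xx spikes.

Log lines use a constructed, simplified format (not a vendor format):
  <ISO timestamp> <method> <request-target> <status> <header names as Name=Value;Name=Value, or ->
"""
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic (not real logs).
SAMPLE_LOG = """\
2025-08-08T10:00:01Z GET /owa/auth/logon.aspx 200 -
2025-08-08T10:00:05Z POST /ECP/DDI/DDIService.svc 500 -
2025-08-08T10:00:07Z POST /ECP/DDI/DDIService.svc 500 -
2025-08-08T10:00:09Z POST /Autodiscover/autodiscover.xml 503 -
2025-08-08T10:00:12Z GET /api/route?CamelExecTest=x 200 -
2025-08-08T10:00:14Z GET /api/route?camelCaseParam=1 200 CamelHttpUri=/internal;Accept=*/*
2025-08-08T10:03:20Z GET /owa/ 200 -
2025-08-08T10:20:00Z POST /ecp/ 502 -
"""

# Paths named in the playbook; the Apex One console path is a placeholder to fill in per deployment.
SENSITIVE_PREFIXES = ("/ECP", "/Autodiscover", "/owa", "/APEXONE_CONSOLE_PATH_PLACEHOLDER")
_PREFIXES_LC = tuple(p.lower() for p in SENSITIVE_PREFIXES)

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Split one constructed log line into a dict; query keys and header names are kept separately."""
    ts, method, target, status, headers = line.split(" ", 4)
    parts = urlsplit(target)
    return {
        "ts": datetime.strptime(ts, TS_FMT),
        "method": method,
        "path": parts.path,
        "status": int(status),
        "query_keys": [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)],
        "header_names": [] if headers == "-" else [h.split("=", 1)[0] for h in headers.split(";")],
    }


def camel_injection_hits(events):
    """Requests carrying any query key or header name that starts with 'Camel' (covers CamelExec* too).

    The match is case-sensitive on purpose: Camel's own headers use this exact prefix, while
    ordinary camelCase parameter names should not trip the hunt.
    """
    hits = []
    for ev in events:
        names = sorted(n for n in ev["query_keys"] + ev["header_names"] if n.startswith("Camel"))
        if names:
            hits.append({"ts": ev["ts"].strftime(TS_FMT), "path": ev["path"], "names": names})
    return hits


def five_xx_spikes(events, threshold=3, bin_minutes=5):
    """Count 5xx responses on sensitive paths per time bin; return bins at or above the threshold."""
    bins = Counter()
    for ev in events:
        if 500 <= ev["status"] < 600 and ev["path"].lower().startswith(_PREFIXES_LC):
            floored = ev["ts"].replace(minute=ev["ts"].minute - ev["ts"].minute % bin_minutes, second=0)
            bins[floored.strftime(TS_FMT)] += 1
    return {b: n for b, n in sorted(bins.items()) if n >= threshold}


def run_hunt(log_text=SAMPLE_LOG):
    """Parse the log text and run both hunts; returns a dict of findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"camel_hits": camel_injection_hits(events), "five_xx_spikes": five_xx_spikes(events)}


if __name__ == "__main__":
    for kind, findings in run_hunt().items():
        print(kind, findings)
```

On the constructed sample the three 5xx responses on /ECP and /Autodiscover between 10:00:05 and 10:00:09 land in the same 5-minute bin and trip the threshold, while the lone 502 at 10:20 does not; the two Camel-prefixed names are reported and the camelCase parameter is ignored. Tune the threshold against your own baseline error rate before alerting on it.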

Microsoft 365/Entra ID (KQL)

kusto
SigninLogs
| where ResultType == 0 and AuthenticationRequirement == "multiFactorAuthentication"
| summarize make_set(IPAddress), count() by UserPrincipalName, bin(TimeGenerated, 15m)
| where array_length(set_IPAddress) > 1   // MFA success, then a different IP in the same 15-minute bin

  • Monitor AuditLogs for Add service principal, Consent to application (cloud pivot). CISA
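The same sign-in logic and the AuditLogs check, as an added Python example that is not part of the original post and not Microsoft's code: it re-implements the KQL hunt over constructed SigninLogs-shaped records (MFA success, per user and 15-minute bin, more than one IP address) and then looks for "Add service principal" / "Consent to application" AuditLogs entries initiated by the users it flagged. Field names follow the Entra SigninLogs and AuditLogs tables; every value is made up, and InitiatedBy is flattened to a plain UPN string for brevity.

```python
"""Added example: the SigninLogs KQL hunt re-implemented in Python, plus the AuditLogs cloud-pivot check.
Records below are constructed; field names mirror the Entra tables, values are invented.
"""
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed SigninLogs rows.
SIGNIN_LOGS = [
    {"TimeGenerated": "2025-08-08T09:01:00Z", "UserPrincipalName": "alice@example.com", "ResultType": 0,
     "AuthenticationRequirement": "multiFactorAuthentication", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2025-08-08T09:06:00Z", "UserPrincipalName": "alice@example.com", "ResultType": 0,
     "AuthenticationRequirement": "multiFactorAuthentication", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2025-08-08T09:20:00Z", "UserPrincipalName": "alice@example.com", "ResultType": 0,
     "AuthenticationRequirement": "multiFactorAuthentication", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2025-08-08T09:03:00Z", "UserPrincipalName": "bob@example.com", "ResultType": 50126,
     "AuthenticationRequirement": "singleFactorAuthentication", "IPAddress": "198.51.100.9"},
    {"TimeGenerated": "2025-08-08T09:04:00Z", "UserPrincipalName": "bob@example.com", "ResultType": 0,
     "AuthenticationRequirement": "singleFactorAuthentication", "IPAddress": "203.0.113.20"},
    {"TimeGenerated": "2025-08-08T09:10:00Z", "UserPrincipalName": "bob@example.com", "ResultType": 0,
     "AuthenticationRequirement": "multiFactorAuthentication", "IPAddress": "203.0.113.20"},
]

# Constructed AuditLogs rows (InitiatedBy flattened to a UPN string; target app name is a placeholder).
AUDIT_LOGS = [
    {"TimeGenerated": "2025-08-08T09:12:00Z", "OperationName": "Add service principal",
     "InitiatedBy": "alice@example.com", "Target": "sp-placeholder-app"},
    {"TimeGenerated": "2025-08-08T09:13:00Z", "OperationName": "Consent to application",
     "InitiatedBy": "alice@example.com", "Target": "sp-placeholder-app"},
    {"TimeGenerated": "2025-08-08T09:30:00Z", "OperationName": "Update user",
     "InitiatedBy": "bob@example.com", "Target": "carol@example.com"},
]

PIVOT_OPERATIONS = {"Add service principal", "Consent to application"}


def bin_start(ts_text, bin_minutes):
    """Floor a timestamp to the start of its bin, like KQL's bin(TimeGenerated, 15m)."""
    ts = datetime.strptime(ts_text, TS_FMT)
    return ts.replace(minute=ts.minute - ts.minute % bin_minutes, second=0, microsecond=0)


def mfa_success_multi_ip(signins, bin_minutes=15):
    """Users whose successful MFA sign-ins within one bin came from more than one IP address."""
    ips = defaultdict(set)
    counts = defaultdict(int)
    for rec in signins:
        if rec["ResultType"] != 0 or rec["AuthenticationRequirement"] != "multiFactorAuthentication":
            continue
        key = (rec["UserPrincipalName"], bin_start(rec["TimeGenerated"], bin_minutes).strftime(TS_FMT))
        ips[key].add(rec["IPAddress"])
        counts[key] += 1
    return [
        {"user": user, "bin": b, "ips": sorted(ips[(user, b)]), "count": counts[(user, b)]}
        for user, b in sorted(ips)
        if len(ips[(user, b)]) > 1
    ]


def cloud_pivot_operations(audit, flagged_users):
    """AuditLogs entries for service-principal creation or app consent initiated by already-flagged users."""
    return [
        a for a in audit
        if a["OperationName"] in PIVOT_OPERATIONS and a["InitiatedBy"] in flagged_users
    ]


def run_hunt(signins=SIGNIN_LOGS, audit=AUDIT_LOGS):
    """Run the sign-in hunt, then correlate its users against the audit log."""
    multi_ip = mfa_success_multi_ip(signins)
    flagged = {hit["user"] for hit in multi_ip}
    return {"multi_ip": multi_ip, "pivot_ops": cloud_pivot_operations(audit, flagged)}


if __name__ == "__main__":
    for kind, findings in run_hunt().items():
        print(kind, findings)
```

Only alice trips the first stage (two MFA successes from two addresses inside the 09:00 bin; her later sign-in falls into the next bin), and the correlation then surfaces her service-principal creation and consent grant. Bob's failed sign-in and single-factor success are filtered out exactly as the KQL filters them.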

Exchange Online (exfil & persistence)

  • Alert on New-InboxRule, Set-TransportRule, bulk MailItemsAccessed spikes after suspicious sign-ins. CISA
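The Exchange Online alert above, as an added Python example that is not part of the original post: it correlates New-InboxRule / Set-TransportRule operations with a list of already-flagged suspicious sign-ins and separately scores MailItemsAccessed volume per user and hour against a per-user baseline. The records are constructed; the field names (CreationTime, Operation, UserId, ClientIP, OperationCount) are assumed to mirror the AuditData shape of the unified audit log, and the baseline figures are invented.

```python
"""Added example: Exchange Online persistence and exfil hunt over constructed unified audit log records.
Field names assumed to mirror the unified audit log's AuditData; values are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed: sign-ins an upstream identity hunt already flagged as suspicious.
SUSPICIOUS_SIGNINS = [
    {"user": "alice@example.com", "time": "2025-08-08T09:06:00Z", "ip": "198.51.100.7"},
]

# Constructed audit records.
AUDIT_RECORDS = [
    {"CreationTime": "2025-08-08T09:15:00Z", "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.7"},
    {"CreationTime": "2025-08-08T09:40:00Z", "Operation": "Set-TransportRule", "UserId": "carol@example.com",
     "ClientIP": "203.0.113.5"},
    {"CreationTime": "2025-08-08T09:20:00Z", "Operation": "MailItemsAccessed", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.7", "OperationCount": 180},
    {"CreationTime": "2025-08-08T09:50:00Z", "Operation": "MailItemsAccessed", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.7", "OperationCount": 220},
    {"CreationTime": "2025-08-08T09:30:00Z", "Operation": "MailItemsAccessed", "UserId": "bob@example.com",
     "ClientIP": "203.0.113.20", "OperationCount": 12},
]

# Constructed baseline: each user's MailItemsAccessed count per hour over recent normal hours.
BASELINE_HOURLY = {
    "alice@example.com": [10, 14, 9, 12, 11],
    "bob@example.com": [8, 15, 10, 9, 13],
}

RULE_OPERATIONS = {"New-InboxRule", "Set-TransportRule"}


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def rule_changes_after_signin(records, signins, window_hours=24):
    """Inbox or transport rule changes by a user within the window after that user's suspicious sign-in."""
    hits = []
    for s in signins:
        start = parse_ts(s["time"])
        end = start + timedelta(hours=window_hours)
        for rec in records:
            if rec["Operation"] in RULE_OPERATIONS and rec["UserId"] == s["user"]:
                when = parse_ts(rec["CreationTime"])
                if start <= when <= end:
                    hits.append({"user": s["user"], "operation": rec["Operation"],
                                 "time": rec["CreationTime"], "same_ip": rec["ClientIP"] == s["ip"]})
    return hits


def mail_access_spikes(records, baseline, factor=5):
    """Hours where a user's MailItemsAccessed volume is at least `factor` times that user's baseline median.

    A user with no baseline gets the minimum threshold of `factor` accesses per hour.
    """
    hourly = defaultdict(int)
    for rec in records:
        if rec["Operation"] == "MailItemsAccessed":
            hour = parse_ts(rec["CreationTime"]).replace(minute=0, second=0, microsecond=0)
            hourly[(rec["UserId"], hour.strftime(TS_FMT))] += rec.get("OperationCount", 1)
    spikes = []
    for (user, hour), count in sorted(hourly.items()):
        base = median(baseline.get(user, [0]))
        if count >= factor * max(base, 1):
            spikes.append({"user": user, "hour": hour, "count": count, "baseline_median": base})
    return spikes


def run_hunt(records=AUDIT_RECORDS, signins=SUSPICIOUS_SIGNINS, baseline=BASELINE_HOURLY):
    """Run both checks and return their findings."""
    return {"rule_changes": rule_changes_after_signin(records, signins),
            "mail_access_spikes": mail_access_spikes(records, baseline)}


if __name__ == "__main__":
    for kind, findings in run_hunt().items():
        print(kind, findings)
```

Alice's inbox rule, created nine minutes after her flagged sign-in from the same address, is reported, and her 400 accesses in the 09:00 hour against a baseline median of 11 register as a spike; Bob's 12 accesses do not. Carol's Set-TransportRule is not correlated here because she has no flagged sign-in, but since transport rules act tenant-wide it is reasonable to alert on every such change regardless of correlation.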

EDR (host)

  • Parent java/jetty/httpd/w3wp spawning shells (bash, cmd, powershell, curl, nc) → high severity (Apex One / Axis / Camel exploit paths).
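The host rule above, and the console-spawned-shell hunt from item 1, as one added Python example that is not part of the original post: it normalises Windows and Linux image paths to bare process names and raises a high-severity alert when one of the listed parents (java, jetty, httpd, w3wp) spawns one of the listed children (bash, cmd, powershell, curl, nc). The process-creation events are constructed; a real rule would consume EDR or Sysmon process-creation telemetry. The Apex One console's service process name is not given on the page, so it appears only as a placeholder entry.

```python
"""Added example: web/app server parent spawning a shell or download tool.
Events are constructed; field names are this example's own, not an EDR schema.
"""
import ntpath
import posixpath

# Parents the playbook names; extend with the Apex One console's service process (placeholder here).
SUSPICIOUS_PARENTS = {"java", "jetty", "httpd", "w3wp", "apexone_console_process_placeholder"}
# Children the playbook names.
SHELLS_AND_TOOLS = {"bash", "cmd", "powershell", "curl", "nc"}

# Constructed process-creation events from Windows and Linux hosts.
EVENTS = [
    {"host": "exch01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo constructed"},
    {"host": "exch01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe 0x4"},
    {"host": "cam-mgmt01", "parent_image": "/usr/bin/java", "image": "/bin/bash",
     "cmdline": "bash -c 'echo constructed'"},
    {"host": "build01", "parent_image": "/usr/bin/java", "image": "/usr/bin/git",
     "cmdline": "git fetch"},
    {"host": "web02", "parent_image": "/usr/sbin/httpd", "image": "/usr/bin/curl",
     "cmdline": "curl http://example.invalid/placeholder"},
    {"host": "ws17", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\placeholder.ps1"},
]


def process_name(image_path):
    """Normalise an image path from either OS to a bare lowercase name without the .exe suffix."""
    name = ntpath.basename(image_path) if "\\" in image_path else posixpath.basename(image_path)
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(event, allowlist=()):
    """Return 'high' when a listed parent spawns a listed child, unless the command line is allowlisted."""
    parent = process_name(event["parent_image"])
    child = process_name(event["image"])
    if parent in SUSPICIOUS_PARENTS and child in SHELLS_AND_TOOLS:
        # Known-good scheduled jobs can be excused by exact command-line prefix; keep this list short.
        if any(event["cmdline"].startswith(prefix) for prefix in allowlist):
            return None
        return "high"
    return None


def hunt(events=EVENTS, allowlist=()):
    """Classify every event and return the alerts in input order."""
    alerts = []
    for ev in events:
        severity = classify(ev, allowlist)
        if severity:
            alerts.append({"host": ev["host"], "parent": process_name(ev["parent_image"]),
                           "child": process_name(ev["image"]), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in hunt():
        print(alert)
```

Three of the six constructed events alert: w3wp spawning cmd on the Exchange host, java spawning bash on the camera-management host, and httpd spawning curl. The conhost child, the git child, and the explorer parent all pass, which is the point of matching on both ends of the parent/child pair rather than on the child alone.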


Executive Summary (Board-Safe)

  • Endpoint Security Console RCE (Trend Micro) and Exchange Hybrid cloud pivots are the week’s top enterprise risks. Patch and restrict management planes immediately. Sources: Dark Reading; CISA

  • Salesforce org social-engineering (ShinyHunters) shows CRM supply-chain exposure—enforce phishing-resistant MFA, least privilege, and API monitoring. IT Pro

  • Telecom mega-breach (Bouygues) highlights PII+IBAN fraud risk; expect phishing waves. BleepingComputer

  • Axis OT/IoT exposure opens physical security blind spots and lateral movement—patch and remove internet exposure now. The Hacker News

  • Secrets management zero-days (Vault) demand urgent upgrades and policy audits to prevent infrastructure takeover. Dark Reading

