CyberDudeBivash ThreatWire – Breaking Cyber Incidents & Zero-Day Alerts
1) WinRAR 0-day used in phishing to deploy RomCom (CVE-2025-8088)
- What’s new: A directory traversal bug in WinRAR was exploited as a zero-day in email campaigns to drop RomCom malware; fixed in v7.13. Attackers weaponize archives so extraction writes files outside the intended path.
- Action: Update to 7.13+ immediately; block archive extraction from unknown senders; EDR rule for suspicious unrar.exe/WinRAR.exe spawning PowerShell/cmd. Hunt for RomCom IOCs. (Source: Security Affairs)
2) Trend Micro Apex One (on-prem) actively exploited RCE
- CVE: CVE-2025-54948/54987: command injection leading to RCE on the Apex One management console; exploitation confirmed. Public-facing consoles are prime targets.
- Action: Apply vendor hotfix/patch; disable Remote Install Agent, keep console off the internet, monitor for console-spawned shells and suspicious child processes. (Source: TechRadar)
3) ShinyHunters breach Google’s Salesforce instance
- What happened: Threat group ShinyHunters (UNC6040) accessed a Google-managed Salesforce org and exfiltrated corporate customer data, part of a broader wave of Salesforce data-theft ops.
- Risk: Follow-on phishing/extortion using CRM data; API access may have been scripted (SOQL) for bulk exfil.
- Action: Enforce MFA and IP allowlists on CRM; review Event Monitoring for large SOQL queries; rotate connected-app secrets and audit user perms. (Sources: BleepingComputer, The Times of India)
4) Bouygues Telecom breach – 6.4M customers impacted
- Data exposed: contact details, contractual info, civil status/company info, IBANs (no card numbers).
- Risk: High-quality phishing & account-takeover against French/EU customers; regulatory exposure (CNIL) for the operator.
- Action: Notify users, enable banking alerts, change portal creds, enforce DMARC/DKIM/SPF tightening to blunt phishing waves. (Sources: BleepingComputer, IT Pro, TechCrunch)
5) Axis video estates: 6,500 servers expose Axis.Remoting (multi-CVE)
- CVEs: CVE-2025-30023 (RCE), 30024 (AitM), 30025/30026 (priv-esc/auth issues). Internet-wide scans find thousands of exposed servers; chained bugs enable camera takeover and internal pivot.
- Action: Patch (Camera Station 5.58+/Pro 6.9, Device Manager 5.32+), remove Axis.Remoting from the internet, restrict via VPN, alert on protocol traffic, segment OT/physical security networks. (Sources: The Hacker News, Claroty, Infosecurity Magazine)
6) SonicWall VPN wave tied to old patched bug + password reuse (not a 0-day)
- What: Recent attacks on Gen7 SSL-VPN appliances traced to a previously disclosed flaw and credential reuse during Gen6→Gen7 migrations.
- Action: Enforce unique creds + MFA, disable legacy accounts, update to latest firmware, and monitor SSL-VPN auth anomalies. (Sources: Cybersecurity Dive, The Hacker News)
Watchlist: Apache Camel header-filter bypass (CVE-2025-29891)
- Issue: Default filter lets Camel-specific headers/params alter component behavior, risking method/command exec in some routes (e.g., camel-bean / camel-exec).
- Action: Upgrade to 4.10.2 / 4.8.5 / 3.22.4, strip Camel* headers at ingress, prefer allowlists, and audit routes that call beans/exec. (Sources: Apache Camel, Unit 42, Akamai)
Defender Playbook (copy/paste)
- Email Gateways: detonate archives; block nested archives; pattern for WinRAR writing outside extraction path. (Source: Security Affairs)
- EDR Hunts: parent httpd/w3wp/java spawning cmd/powershell/bash; console services spawning shells on Apex One hosts. (Source: TechRadar)
- SaaS/CRM: enable MFA + IP restrictions, alert on large SOQL/bulk exports, review connected apps and OAuth grants. (Source: BleepingComputer)
- Edge: geofence and rate-limit /owa/admin panes; put security consoles and Axis servers behind VPN only. (Source: The Hacker News)
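The two EDR hunts above (item 1: unrar.exe/WinRAR.exe spawning PowerShell/cmd; playbook: httpd/w3wp/java spawning a shell) expressed as process-lineage checks, as an added example that is not part of the bulletin or any vendor's tooling. The event fields, hostnames and image paths are assumptions; real telemetry (Sysmon event 1, EDR process-create) carries equivalent parent/child fields.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Parent/child image stems of interest, lower-cased with any .exe suffix removed.
ARCHIVE_TOOLS = {"winrar", "unrar"}                  # item 1: archive tool spawning a shell
SERVER_PARENTS = {"httpd", "w3wp", "java"}           # playbook: web/console service spawning a shell
SHELLS = {"cmd", "powershell", "pwsh", "bash", "sh"}

@dataclass
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process image (assumed field name)
    image: str          # full path of the child process image (assumed field name)

def image_stem(path: str) -> str:
    """Normalise a Windows or POSIX image path to its lower-cased file stem."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def classify(ev: ProcEvent) -> Optional[str]:
    """Return a hunt label when the parent/child pairing matches, else None."""
    parent, child = image_stem(ev.parent_image), image_stem(ev.image)
    if child not in SHELLS:
        return None
    if parent in ARCHIVE_TOOLS:
        return "archive-tool-spawned-shell"
    if parent in SERVER_PARENTS:
        return "server-process-spawned-shell"
    return None

def hunt(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Run classify() over a batch and return (host, label) for each hit."""
    return [(ev.host, label) for ev in events if (label := classify(ev))]

# Constructed sample telemetry; hostnames and paths are made up for the demo.
SAMPLE = [
    ProcEvent("ws01", r"C:\Program Files\WinRAR\WinRAR.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent("apex01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),  # benign parent
    ProcEvent("web01", "/usr/sbin/httpd", "/usr/bin/python3"),                     # child not a shell
]

if __name__ == "__main__":
    for host, label in hunt(SAMPLE):
        print(f"{host}: {label}")
```

Tune SHELLS and SERVER_PARENTS to the estate (for example add pwsh-only hosts or nginx) and feed the classifier from the EDR's process-create stream rather than the constructed list.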
