CyberDudeBivash | Cybersecurity, AI & Threat Intelligence Network
www.cyberdudebivash.com
Snapshot date: 23 Aug 2025. EPSS values are daily probabilities and can change; KEV reflects active exploitation confirmed by CISA.
Executive Summary (What to fix first)
- Apple ImageIO zero-day (CVE-2025-43300) is actively exploited; patch iOS/iPadOS/macOS immediately. KEV-listed. EPSS currently very low (targeted campaigns) but impact + exploitation make it a P1. (Sources: IT Pro, TechRadar, Apple Support, CISA)
- WinRAR path traversal (CVE-2025-8088) is being used in phishing to plant autoruns; KEV-listed. Upgrade to v7.13 and filter RAR attachments. EPSS ≈ 6.23%. (Sources: CISA, threatprotect.qualys.com, PC Gamer, euvd.enisa.europa.eu)
- Erlang/OTP SSH pre-auth RCE (CVE-2025-32433)—critical in OT/telecom stacks, KEV-listed; EPSS around 61% (very high) in several trackers; restrict SSH & patch. (Sources: NVD, Unit 42, CVE Details)
- FortiSIEM command injection (CVE-2025-25256)—exploit code/public PoC; lock down TCP/7900 and patch to fixed trains. EPSS observed around 1–2% in early advisories. (Sources: NVD, The Hacker News, Tenable)
- Windows NTFS RCE (CVE-2025-24993)—zero-day earlier this year but still in KEV; block VHD mounting where possible & ensure March updates. EPSS ≈ 3.1%. (Sources: CISA +1, NVD, CVE Details)
- Ivanti Connect Secure stack overflow (CVE-2025-22457)—edge device RCE, KEV-listed; EPSS ~33% (high). Confirm 22.7R2.6+ (and equivalent) or rebuild from clean image if compromise suspected. (Sources: CISA +1, Tenable)
Table — Top CVEs, with EPSS & KEV status
| CVE | Product | In CISA KEV? | EPSS† (approx) | Exploitation status | Patch / Guidance |
|---|---|---|---|---|---|
| CVE-2025-43300 | Apple ImageIO (iOS/iPadOS/macOS) | Yes | ~0.00018 (very low)* | Exploited in targeted attacks; zero-click rendering paths | Update to iOS/iPadOS 18.6.2/17.7.10, macOS 15.6.1/14.7.8/13.7.8. Enable Lockdown Mode for high-risk users. (Sources: IT Pro, Apple Support, Tenable) |
| CVE-2025-8088 | WinRAR (≤7.12) | Yes | ~6.23% | Actively used by RomCom/Storm-0978 via spear-phishing | Upgrade to 7.13; quarantine/deny .rar in email; hunt for Startup-folder drops. (Sources: CISA, PC Gamer, euvd.enisa.europa.eu) |
| CVE-2025-32433 | Erlang/OTP SSH | Yes | ~60–67% | Widespread scanning; OT exposure | Patch to OTP-27.3.3 / 26.2.5.11 / 25.3.2.20; restrict SSH to VPN; monitor pre-auth traffic. (Sources: NVD, Tenable, CVE Details) |
| CVE-2025-25256 | FortiSIEM (phMonitor/CLI) | (Pending/varies by feed) | ~1.6% | Exploit code available, in-the-wild activity | Patch to fixed trains; block TCP/7900; add network ACLs; review SIEM credentials. (Sources: NVD, Tenable) |
| CVE-2025-24993 | Windows NTFS | Yes | ~3.1% | Zero-day (Mar) — still operational risk | Apply March 2025 updates; consider policy to disable VHD mounting in high-risk zones. (Sources: CISA +1, CVE Details) |
| CVE-2025-22457 | Ivanti ICS/Policy Secure/ZTA | Yes | ~33% | Exploited (edge VPN devices) | Upgrade (ICS 22.7R2.6+ etc.); run Integrity Checker; rebuild if compromised. (Sources: CISA +1, Tenable) |
†EPSS = FIRST’s Exploit Prediction Scoring System probability of exploitation in the next 30 days; snapshot as of this digest. *Low EPSS with confirmed exploitation often indicates highly targeted campaigns. (Source: FIRST)
Microsoft focus (Patch Tuesday context)
Microsoft fixed ~107–111 CVEs on Aug 12; the headline was Kerberos “BadSuccessor” (CVE-2025-53779)—publicly disclosed zero-day enabling AD compromise in certain conditions (abuse of dMSA attributes). If you run Windows Server domain controllers, apply August patches and monitor Kerberos/NTLM telemetry. (Sources: Tom's Guide, TechRadar, BleepingComputer)
A separate NTLM issue (CVE-2025-50154) allows zero-click credential leakage/relay despite earlier fixes—treat as active risk; prioritize mitigations for NTLM relay (EPA, SMB signing, disable NTLM where possible). (Sources: Cymulate, IBM X-Force Exchange)
CyberDudeBivash Priority Playbook (7-day action plan)
1) Patch & config
- Apple: Roll out iOS/iPadOS/macOS emergency updates org-wide. (Source: Apple Support)
- WinRAR: Enforce v7.13; add mail-gateway block for .rar; flag extraction to Startup paths. (Source: threatprotect.qualys.com)
- Erlang/OTP: Patch to fixed versions; geofence SSH; add pre-auth anomaly alerts. (Source: NVD)
- FortiSIEM: Patch; isolate port 7900; rotate SIEM creds/tokens. (Source: NVD)
- Windows NTFS: Confirm March updates; consider GPO to restrict VHD mounting while verifying coverage. (Source: NVD)
- Ivanti ICS: Verify 22.7R2.6+; use ICT to detect tampering; rebuild if indicators present. (Source: CISA)
2) Hunt & detection (SOC ready)
- Apple: Look for ImageIO crash logs & unexpected image parsing in Messages/Mail. (Source: The Hacker News)
- WinRAR: File creations in %AppData%\...\Startup and %ProgramData%\...\StartUp; LNK/DLL anomalies. (Source: PC Gamer)
- Erlang/OTP: SSH post-auth messages before auth (protocol misuse) from internet IPs. (Source: Unit 42)
- FortiSIEM: Authentication-less CLI calls to TCP/7900; unusual system commands spawned by SIEM. (Source: Arctic Wolf)
- Windows: NTLM relays/odd SMB/HTTP NTLM challenges (CVE-2025-50154). (Source: Cymulate)
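The WinRAR hunt item above (file creations under the per-user and all-users Startup folders, with LNK/DLL anomalies) as a runnable rule, added here as an example and not code from the digest. It assumes Sysmon-style FileCreate events (Event ID 11) flattened into constructed `key=value|key=value` lines; the field names, the sample events and the severity ladder are assumptions.

```python
from pathlib import PureWindowsPath

# Both Startup locations named in the digest share the same folder tail:
#   %AppData%\Microsoft\Windows\Start Menu\Programs\Startup
#   %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp
STARTUP_TAIL = ["microsoft", "windows", "start menu", "programs", "startup"]
AUTORUN_EXTS = {".lnk", ".dll", ".exe", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr"}
ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe"}  # archive tools should never write into Startup

def parse_record(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def in_startup_folder(path: str) -> bool:
    """True when the file's parent directory chain ends with the Startup folder (case-insensitive)."""
    parent = [p.lower() for p in PureWindowsPath(path).parts[:-1]]
    return parent[-len(STARTUP_TAIL):] == STARTUP_TAIL

def assess(fields: dict):
    """Return a finding for a FileCreate (Sysmon Event ID 11) landing in a Startup folder, else None."""
    if fields.get("EventID") != "11":
        return None
    target = fields.get("TargetFilename", "")
    if not in_startup_folder(target):
        return None
    image = PureWindowsPath(fields.get("Image", "")).name.lower()
    ext = PureWindowsPath(target).suffix.lower()
    by_archiver, autorun_type = image in ARCHIVERS, ext in AUTORUN_EXTS
    # Severity ladder (assumption): archiver + autorun file type is the digest's phishing pattern.
    severity = "critical" if by_archiver and autorun_type else "high" if (by_archiver or autorun_type) else "medium"
    return {"severity": severity, "image": image, "target": target, "user": fields.get("User", "")}

def hunt(lines):
    """Run the rule over a sequence of event lines; findings are returned in input order."""
    return [f for f in (assess(parse_record(line)) for line in lines) if f]

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 11 fields.
SAMPLE_EVENTS = [
    r"EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk|User=CORP\alice",
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.dll|User=CORP\bob",
    r"EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\Downloads\invoice.pdf|User=CORP\alice",
    r"EventID=1|Image=C:\Program Files\WinRAR\WinRAR.exe|CommandLine=WinRAR.exe x invoice.rar|User=CORP\alice",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"], finding["image"], "->", finding["target"])
```

The first sample event (WinRAR writing a .lnk into the user's Startup folder) is the digest's phishing pattern and scores critical; the explorer.exe drop of a DLL into the all-users StartUp folder scores high, and the other two events are ignored.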
3) Risk-based prioritization
- Use KEV to force SLAs and elevate exploited CVEs to P1. (Source: CISA)
- Use EPSS to move high-probability CVEs earlier in patch queues (e.g., Erlang/OTP). (Source: FIRST)
Trendlines we’re watching (AUG-2025)
- Identity layer under siege: Kerberos/NTLM chains continue to dominate enterprise breach paths. (Source: The Hacker News)
- Archive & media parsers: WinRAR and ImageIO show how user-supplied content becomes initial access—expect copycat lures. (Sources: PC Gamer, IT Pro)
- Edge & OT exposure: FortiSIEM and Erlang/OTP confirm the SIEM/sensor/OT perimeter is a prime target; reduce internet exposure. (Sources: The Hacker News, Unit 42)
Methodology (how CyberDudeBivash ranks risk)
We merge KEV status (confirmed exploitation), EPSS (30-day exploit probability), exploit code availability, internet exposure, and business criticality to generate our weekly priorities. Sources this week include CISA KEV, NVD/MSRC, Apple security notes, Tenable/Qualys, and research blogs. (Sources: CISA, NVD, Apple Support, Tenable)
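The ranking described here and in the "Risk-based prioritization" step (KEV forces P1; EPSS moves items earlier in the queue; exploit code, exposure and criticality break ties), carried through over this digest's six CVEs as an added example that is not the digest's own tooling. KEV status and EPSS values are the table's snapshot numbers; the exposure flags, criticality scores, tier thresholds and weights are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    kev: bool                # listed in CISA KEV (from the digest's table)
    epss: float              # EPSS probability, 0..1 (from the digest's table snapshot)
    public_exploit: bool     # public exploit code noted on the page (only FortiSIEM here)
    internet_exposed: bool   # constructed: does this organisation expose the asset?
    criticality: int         # constructed: business criticality, 1 (low) .. 5 (high)

def tier(v: Vuln) -> str:
    """SLA tier. KEV always forces P1, as the playbook's rule states; the rest are assumed thresholds."""
    if v.kev:
        return "P1"
    if v.epss >= 0.5 and v.internet_exposed:
        return "P1"
    if v.epss >= 0.1 or (v.public_exploit and v.internet_exposed):
        return "P2"
    return "P3"

def rank_score(v: Vuln) -> float:
    """Order within a tier: EPSS weighs most, then exposure and criticality (illustrative weights)."""
    return 0.6 * v.epss + 0.2 * float(v.internet_exposed) + 0.2 * (v.criticality / 5)

def prioritize(vulns):
    """Return vulns sorted by tier (P1 first), then by descending rank_score."""
    order = {"P1": 0, "P2": 1, "P3": 2}
    return sorted(vulns, key=lambda v: (order[tier(v)], -rank_score(v)))

# KEV and EPSS from the digest's table; exposure and criticality are constructed inputs.
DIGEST = [
    Vuln("CVE-2025-43300", "Apple ImageIO", True, 0.00018, False, False, 4),
    Vuln("CVE-2025-8088", "WinRAR", True, 0.0623, False, False, 3),
    Vuln("CVE-2025-32433", "Erlang/OTP SSH", True, 0.61, False, True, 4),
    Vuln("CVE-2025-25256", "FortiSIEM", False, 0.016, True, True, 4),  # KEV "pending" in the table
    Vuln("CVE-2025-24993", "Windows NTFS", True, 0.031, False, False, 3),
    Vuln("CVE-2025-22457", "Ivanti ICS", True, 0.33, False, True, 5),
]

if __name__ == "__main__":
    for v in prioritize(DIGEST):
        print(f"{tier(v)}  {v.cve:<15} {v.product:<15} EPSS={v.epss:.5f} KEV={v.kev}")
```

With these inputs the five KEV entries land in P1 with Erlang/OTP first on EPSS, while FortiSIEM, not yet KEV-listed but with public exploit code on an exposed asset, is the lone P2.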
#CyberDudeBivash #CyberSecurity #AI #ThreatIntelligence #ZeroDay #KEV #EPSS #WinRAR #Apple #ErlangOTP #FortiSIEM #Ivanti #Windows #Kerberos #NTLM #PatchTuesday #Exploit #IncidentResponse #VulnerabilityManagement #CyberDefense
