Global Cyber Threat Intel — 13-08-2025 Powered by CyberDudeBivash

Executive summary (today)

  • Microsoft Patch Tuesday (Aug 2025): ~100+ CVEs fixed, incl. 1 publicly disclosed zero-day in Windows Kerberos (CVE-2025-53779) and ~13 Critical issues. Numbers vary by methodology (107 per BleepingComputer; >100 per SecurityWeek/CrowdStrike). Prioritize domain controllers and Exchange/NTLM/GDI+ fixes. (Sources: BleepingComputer, SecurityWeek, CrowdStrike)

  • Exchange hybrid risk (CVE-2025-53786): Misconfigured/legacy hybrid trust can let an on-prem Exchange admin pivot into M365 with limited cloud logs. CISA issued guidance/Emergency Directive; Microsoft’s Aug updates include support for the Dedicated Hybrid App—config still required. (Sources: cisa.gov, TECHCOMMUNITY.MICROSOFT.COM)

  • WinRAR zero-day (CVE-2025-8088) actively exploited: Path traversal used by RomCom and at least one other actor; patch to WinRAR 7.13 (manual update). CISA added it to KEV on Aug 12. (Sources: welivesecurity.com, Help Net Security, cisa.gov)

  • Trend Micro Apex One (on-prem) under active exploitation: Critical RCE (CVE-2025-54948/-54987). Vendor provides a temporary fix tool that disables Remote Install Agent; patch ETA mid-Aug. National CERTs advise urgent mitigation. (Sources: success.trendmicro.com, The Hacker News, ccb.belgium.be)

  • Browsers & mobile: Chrome’s fifth zero-day of 2025 (CVE-2025-6558); Android August update fixes actively exploited Qualcomm flaws—update endpoints. (Sources: SecurityWeek, TechRadar)

  • OT/ICS Patch Tuesday: Siemens, Schneider, ABB, Honeywell, Aveva, Phoenix Contact ship advisories; several RCEs and auth bypass issues—schedule plant-side maintenance windows. (Source: SecurityWeek)

  • Exploitation in the wild: Citrix NetScaler CVE-2025-6543 actively exploited in NL critical sectors—patch and kill sessions. (Source: The Hacker News)

  • Campaigns & incidents:

    • Charon ransomware hits Middle East public sector & aviation, using DLL side-loading, process injection, BYOVD-style EDR evasion. (Source: The Hacker News)

    • Interlock gang publishes 43 GB stolen from City of Saint Paul after ransom refusal. (Source: The Register)

    • Law enforcement: BlackSuit/Royal infrastructure disrupted; ~$1.09M crypto seized; multi-agency action. (Sources: Department of Justice, BleepingComputer, ICE)

  • Macro trend: AI is accelerating both attack and defense; concerns raised at Black Hat/DEF CON about the pace of attacker adoption. (Source: Axios)


Priority patch & mitigation queue (0–24h)

  1. Microsoft August 2025

    • Install latest cumulative updates across DCs, file servers, and workstations.

    • CVE-2025-53779 (Kerberos EoP): affects dMSA in Windows Server 2025; patch DCs first; audit dMSA attributes. (Source: BleepingComputer)

    • High-risk components noted by Krebs: GDI+ RCE (CVE-2025-53766), Word RCE via Preview (CVE-2025-53733), NTLM elevation (CVE-2025-53778). (Source: Krebs on Security)

  2. Exchange hybrid (CVE-2025-53786)

    • Apply Aug 2025 SUs (they include support needed for the Dedicated Exchange Hybrid App).

    • Reconfigure hybrid trust per Microsoft guidance; rotate credentials for the shared service principal; run Exchange Health Checker; validate with Service Principal Clean-Up Mode. (Sources: TECHCOMMUNITY.MICROSOFT.COM, cisa.gov)

  3. WinRAR (CVE-2025-8088)

    • Update to 7.13 (manual). Hunt for archive extractions that place files into Startup, ProgramData, or other autorun paths; block legacy UnRAR.dll usage. (Sources: welivesecurity.com, BleepingComputer)

  4. Trend Micro Apex One (on-prem)

    • Deploy the vendor “fix tool” immediately (accepts loss of Remote Install Agent) and restrict console exposure; apply the full patch when released. (Source: success.trendmicro.com)

  5. Chrome/Edge/Firefox & Android

    • Update Chrome beyond 138.0.7204.157 (fixes CVE-2025-6558). Roll out Android Aug 2025 patch level for Qualcomm GPU bugs reported as exploited. (Sources: NVD, TechRadar)

  6. Citrix NetScaler (CVE-2025-6543)

    • Patch, terminate all active sessions, and sweep for persistence (details in the 24–72 hour action plan). (Source: The Hacker News)

  7. OT/ICS vendors

    • Siemens CVE-2025-40746 (Simatic RTLS) and others—triage per asset criticality, plan controlled downtime. (Source: SecurityWeek)

  8. Adobe

    • >60 vulns across 13 products (Commerce, Substance, InDesign, FrameMaker, etc.). Patch creative/marketing workstations. (Source: SecurityWeek)
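
A fleet compliance check for the fixed versions quoted in this queue, added here as a worked example (it is not from the original brief or from any vendor): it compares installed versions numerically and reports the hosts still below the required level. The inventory rows are constructed; the product keys and the date-style Android security patch level value are this example's own assumptions.

```python
"""Fleet compliance check against the fixed versions quoted in the patch queue.

Added example, not from the advisory. Versions are compared as integer tuples so
that 7.9 < 7.13 (a plain string comparison would rank them the other way), and an
unparseable version is reported as non-compliant rather than silently skipped.
"""
import re
from typing import Dict, List, Tuple

# Minimum acceptable versions taken from the queue above. Product keys and the
# date-style Android security patch level are this example's own conventions.
REQUIRED: Dict[str, str] = {
    "winrar": "7.13",            # CVE-2025-8088
    "chrome": "138.0.7204.157",  # CVE-2025-6558
    "android": "2025-08-01",     # August 2025 security patch level (assumed format)
}

# Constructed inventory: (host, product, installed version as reported)
INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "winrar", "7.12"),
    ("ws-02", "winrar", "7.13"),
    ("ws-03", "winrar", "7.9"),
    ("ws-01", "chrome", "138.0.7204.157"),
    ("ws-04", "chrome", "138.0.7204.96"),
    ("ws-05", "chrome", "unknown"),
    ("mob-01", "android", "2025-08-05"),
    ("mob-02", "android", "2025-07-05"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Split on '.' or '-' and keep the leading digits of each component."""
    parts = []
    for piece in re.split(r"[.-]", text.strip()):
        match = re.match(r"\d+", piece)
        if not match:
            raise ValueError(f"unparseable version {text!r}")
        parts.append(int(match.group()))
    return tuple(parts)


def is_at_least(installed: str, required: str) -> bool:
    """Numeric comparison; shorter tuples are zero-padded so 7.13 == 7.13.0."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def audit(inventory=INVENTORY, required=REQUIRED) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, installed, reason) for every non-compliant row."""
    gaps = []
    for host, product, installed in inventory:
        minimum = required.get(product)
        if minimum is None:
            continue  # product not in scope for today's queue
        try:
            if not is_at_least(installed, minimum):
                gaps.append((host, product, installed, f"below {minimum}"))
        except ValueError:
            # Unknown version is a finding, not a pass: verify the host by hand.
            gaps.append((host, product, installed, "version unparseable; verify manually"))
    return gaps


if __name__ == "__main__":
    for row in audit():
        print(*row, sep="\t")
```

Feed `audit()` the rows your inventory tool exports; anything it cannot parse lands in the report with a "verify manually" reason instead of disappearing from the compliance picture.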


Active campaigns & TTPs to watch

  • Charon ransomware (Middle East)

    • Initial access: under investigation; targeted (not spray-and-pray).

    • Execution/Evasion: DLL side-loading via a renamed browser executable to load msedge.dll (SWORDLDR); process injection; EDR disablement with a BYOVD-derived driver (Dark-Kill).

    • Impact: partial encryption, shadow copy deletion, service/process kills.

    • MITRE ATT&CK mappings: T1574.002 (DLL side-loading), T1055 (Process Injection), T1562 (Impair Defenses), T1490 (Inhibit System Recovery), T1486 (Data Encrypted for Impact). (Source: The Hacker News)

  • Interlock vs. City of Saint Paul (US)

    • Double-extortion; leak site post on Aug 11; 43 GB sample data includes sensitive docs; city states resident cloud data unaffected. Continue public-sector posture hardening and comms playbooks. (Source: The Register)

  • NetScaler exploitation (NL)

    • CVE-2025-6543 being used against critical orgs; treat as active incident if exposed. (Source: The Hacker News)

  • Law-enforcement pressure on ransomware

    • BlackSuit/Royal takedown: servers/domains seized + ~$1.09M crypto confiscated; expect rebranding/regrouping (historical pattern). Strengthen extortion-resilience (data minimization, staged backups, leak-site monitoring). (Sources: Department of Justice, BleepingComputer)


Detection & hunting tips (practical)

  • WinRAR CVE-2025-8088

    • Look for winrar.exe/unrar.exe spawning system utilities and file writes into %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp\ or other autorun locations immediately after archive extraction; anomalous ADS writes on NTFS. (Source: SC Media)

  • Exchange hybrid abuse (CVE-2025-53786)

    • Hunt for unexpected Azure AD service principal activity tied to hybrid app IDs; anomalous EXO admin operations with on-prem correlated timelines but thin cloud audit trails; verify Hybrid Agent app registration drift. (Source: cisa.gov)

  • Charon TTPs

    • Alerts on signed/legit binaries (e.g., mislabeled Edge/“cookie_exporter.exe”) loading non-Microsoft DLLs from writable paths; kernel-mode driver loads from non-standard publishers soon after EDR tamper events. (Source: The Hacker News)

  • NetScaler CVE-2025-6543

    • Review AAA/Gateway logs around crash/restart windows; look for post-auth suspicious uploads, web shell artifacts in /netscaler/ns_gui/ or custom paths; rotate admin creds and invalidate sessions after patch. (Source: The Hacker News)
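
The WinRAR and Charon hunting notes above, written out as two rules over Sysmon-style endpoint telemetry. This is a worked example added here, not code from the original brief or from any vendor: field names follow Sysmon's schema (Event ID 1 ProcessCreate, 7 ImageLoad, 11 FileCreate, 15 FileCreateStreamHash), and every event record, path pattern, and utility list in the block is constructed for illustration.

```python
"""Two endpoint hunting rules run over constructed Sysmon-style events.

Added example, not from the advisory. Field names follow Sysmon's event schema
(EventID 1 ProcessCreate, 7 ImageLoad, 11 FileCreate, 15 FileCreateStreamHash);
every event below is constructed for illustration.
"""
import re
from datetime import datetime, timedelta

ARCHIVERS = {"winrar.exe", "unrar.exe"}
SYSTEM_UTILITIES = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe",
                    "wscript.exe", "cscript.exe", "regsvr32.exe"}
# Startup folders under %ProgramData% and %AppData% both end in this path.
AUTORUN_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# User-writable locations a signed binary has no business loading DLLs from.
WRITABLE_RE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads)|users\\public|programdata|windows\\temp)\\", re.I)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt_archiver_persistence(events, window=timedelta(minutes=10)):
    """Rule 1, WinRAR CVE-2025-8088 pattern: an archiver writes into a Startup
    folder within `window` of starting, spawns a system utility, or writes an
    NTFS alternate data stream other than the routine Zone.Identifier mark."""
    findings, started = [], {}
    for e in sorted(events, key=lambda ev: ev["UtcTime"]):
        eid, image = e["EventID"], _base(e["Image"])
        if eid == 1 and image in ARCHIVERS:
            started[e["ProcessId"]] = _ts(e["UtcTime"])
        elif eid == 1 and _base(e.get("ParentImage", "")) in ARCHIVERS and image in SYSTEM_UTILITIES:
            findings.append(f"archiver spawned {image}: {e['CommandLine']}")
        elif eid == 11 and image in ARCHIVERS and AUTORUN_RE.search(e["TargetFilename"]):
            start = started.get(e["ProcessId"])
            # No recorded start is not an alibi: missing telemetry still gets flagged.
            if start is None or _ts(e["UtcTime"]) - start <= window:
                findings.append(f"archiver wrote autorun file {e['TargetFilename']}")
        elif eid == 15 and image in ARCHIVERS:
            stream = e["TargetFilename"].rsplit(":", 1)[-1]
            if stream.lower() != "zone.identifier":
                findings.append(f"archiver wrote alternate data stream {e['TargetFilename']}")
    return findings


def hunt_sideload(events):
    """Rule 2, Charon-style side-loading: a process whose PE metadata says
    Microsoft (looked up from its ProcessCreate event) loads a DLL from a
    user-writable path that is unsigned or not Microsoft-signed. A renamed host
    (OriginalFileName differs from the file name on disk) is called out."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 7:
            continue
        host = procs.get(e["ProcessGuid"])
        # Company comes from PE version info, not the signature; production logic
        # should confirm the host's Authenticode signature before trusting it.
        if host is None or not host.get("Company", "").lower().startswith("microsoft"):
            continue
        dll = e["ImageLoaded"]
        ms_signed = (e.get("Signed", "false").lower() == "true"
                     and e.get("Signature", "").lower().startswith("microsoft"))
        if WRITABLE_RE.search(dll) and not ms_signed:
            renamed = _base(host["Image"]) != host.get("OriginalFileName", "").lower()
            label = "renamed Microsoft binary" if renamed else "Microsoft binary"
            findings.append(f"{label} {host['Image']} loaded untrusted DLL {dll}")
    return findings


# Constructed telemetry: a WinRAR extraction that drops a Startup shortcut, and a
# renamed Edge binary side-loading an unsigned msedge.dll from %TEMP%.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-08-13 09:00:00.000", "ProcessGuid": "{A}", "ProcessId": 4120,
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe", "Company": "win.rar GmbH",
     "OriginalFileName": "WinRAR.exe", "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" invoice.rar'},
    {"EventID": 11, "UtcTime": "2025-08-13 09:00:05.000", "ProcessGuid": "{A}", "ProcessId": 4120,
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 11, "UtcTime": "2025-08-13 09:00:05.100", "ProcessGuid": "{A}", "ProcessId": 4120,
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\readme.txt"},
    {"EventID": 15, "UtcTime": "2025-08-13 09:00:05.200", "ProcessGuid": "{A}", "ProcessId": 4120,
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\readme.txt:Zone.Identifier"},
    {"EventID": 1, "UtcTime": "2025-08-13 09:02:00.000", "ProcessGuid": "{B}", "ProcessId": 5208,
     "Image": r"C:\Users\alice\AppData\Local\Temp\cookie_exporter.exe", "Company": "Microsoft Corporation",
     "OriginalFileName": "msedge.exe", "CommandLine": "cookie_exporter.exe"},
    {"EventID": 7, "UtcTime": "2025-08-13 09:02:00.300", "ProcessGuid": "{B}", "ProcessId": 5208,
     "Image": r"C:\Users\alice\AppData\Local\Temp\cookie_exporter.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7, "UtcTime": "2025-08-13 09:02:00.400", "ProcessGuid": "{B}", "ProcessId": 5208,
     "Image": r"C:\Users\alice\AppData\Local\Temp\cookie_exporter.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\msedge.dll", "Signed": "false", "Signature": ""},
]


def run(events=SAMPLE_EVENTS):
    return hunt_archiver_persistence(events) + hunt_sideload(events)


if __name__ == "__main__":
    for line in run():
        print(line)
```

Against the constructed sample, rule 1 fires once (the Startup shortcut) and rule 2 once (the renamed Edge host loading an unsigned msedge.dll from %TEMP%); the benign readme write, its Zone.Identifier stream, and the kernel32.dll load stay quiet. The ten-minute window in rule 1 is a tuning knob: widen it if your extraction-to-persistence telemetry arrives out of order.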


Sector impact snapshot

  • Public sector/municipal: Ongoing Interlock pressure shows essential-services disruption and data exposure risks; prioritize offline-capable citizen services and MFA for help desks to blunt social engineering. (Source: The Register)

  • Aviation & government (Middle East): Charon adopts APT-grade tradecraft; enforce application control and driver-load policies (WDAC) on ops workstations. (Source: The Hacker News)

  • Industrial/energy: Multiple RCEs in OT stacks—coordinate change windows and verify backup/restore for controllers/HMIs before patching. (Source: SecurityWeek)

  • Healthcare/education: BlackSuit/Royal disruption is good news, but re-emergence likely; keep isolation playbooks warm and E2E ransomware tabletop drills current. (Source: ICE)


24–72 hour action plan (concise)

  1. Roll Patch Tuesday with ringed deployment (DCs → servers → clients), monitoring for auth/NTLM regressions. (Source: SecurityWeek)

  2. Exchange hybrid hardening: move to Dedicated Hybrid App, rotate keys, re-run hybrid configuration wizard, and validate with Health Checker. (Source: TECHCOMMUNITY.MICROSOFT.COM)

  3. Push emergency updates for WinRAR 7.13, Chrome 138+, Android Aug patch level, and Adobe apps on creator fleets. (Sources: Malwarebytes, SecurityWeek, TechRadar)

  4. Apex One on-prem: apply fix tool, geo-restrict console, and monitor for suspicious agent package tasks. (Source: success.trendmicro.com)

  5. Citrix/NetScaler: patch CVE-2025-6543, end all sessions, sweep for persistence. (Source: The Hacker News)

  6. OT/ICS: import latest advisories into the maintenance queue; document compensating controls where hot-patching isn’t feasible. (Source: SecurityWeek)

  7. Ransomware readiness: verify immutable backups, EDR tamper protection, and lateral-movement detections (LSASS access, PSExec/WMI). (Context: BlackSuit/Royal disruption.) (Source: Department of Justice)
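
The "sweep for persistence" step for NetScaler (and the web shell note under Detection & hunting tips), carried out as a baseline-diff over a web root. This is a worked example added here, not a Citrix tool or code from the original brief: it hashes a known-good copy of the tree into a manifest, then reports files that appeared, changed, or vanished in the live tree, ranking server-side script extensions first. The directory layout built inside `demo()` is constructed; on an appliance the root you would point it at is the /netscaler/ns_gui/ path named above.

```python
"""Baseline-diff sweep for web-shell style persistence under a web root.

Added example, not from the advisory and not a Citrix tool. A manifest of
SHA-256 hashes is taken from a known-good state of the tree, then the live tree
is compared against it. The layout created in demo() is constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Extensions the web server would execute; a new or altered one is the priority.
SCRIPT_EXT = {".php", ".pl", ".cgi", ".py", ".sh"}


def snapshot(root) -> Dict[str, str]:
    """Map every file's path (relative, POSIX style) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (kind, path, severity) rows: high-severity rows first, then by path."""
    rows = []
    for rel, digest in current.items():
        if rel not in baseline:
            rows.append(("new", rel))
        elif baseline[rel] != digest:
            rows.append(("modified", rel))
    rows += [("deleted", rel) for rel in baseline if rel not in current]
    out = []
    for kind, rel in rows:
        executable = Path(rel).suffix.lower() in SCRIPT_EXT
        severity = "high" if executable and kind != "deleted" else "low"
        out.append((kind, rel, severity))
    out.sort(key=lambda r: (r[2] != "high", r[1]))
    return out


def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario: snapshot a clean tree, then plant a script under a
    custom directory and alter a login page, and report the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vpn").mkdir()
        (root / "vpn" / "index.html").write_text("<html>login</html>")
        (root / "admin_ui").mkdir()
        (root / "admin_ui" / "app.php").write_text("<?php echo 'ok'; ?>")
        baseline = snapshot(root)  # taken from the known-good state

        # What a post-exploitation sweep would find: a planted script in a
        # custom path and a tampered existing page (both constructed here).
        (root / "vpn" / "themes").mkdir()
        (root / "vpn" / "themes" / "cache.php").write_text("<?php /* planted, constructed */ ?>")
        (root / "vpn" / "index.html").write_text("<html>login<!-- altered --></html>")
        return diff_manifests(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, rel, severity in demo():
        print(f"{severity:<5} {kind:<9} {rel}")
```

Keep the baseline manifest off the appliance: an intruder with shell access can rewrite an on-box manifest as easily as the web root. Take the baseline from a clean install or a verified backup, and re-baseline only after patching and reviewing the diff, so that a planted file is never silently absorbed into the "known-good" state.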


Analyst notes

  • Patch counts vary (107 vs. 111 vs. 119) because some vendors include Edge/Chromium & out-of-band items in their totals. Treat risk, not raw counts, as the prioritization driver. (Sources: BleepingComputer, Rapid7, Qualys)

  • Expect copycat phishing around WinRAR/Exchange “updates.” Gate admin tools behind enclave jump hosts and continuous user confirmation for high-impact actions.

