The week of August 11-18, 2025 witnessed an unprecedented surge in critical cybersecurity incidents, with multiple zero-day vulnerabilities actively exploited by both nation-state actors and cybercriminal groups. This period marked one of the most volatile weeks in enterprise security, featuring critical vulnerabilities across major security platforms, unprecedented collaboration between notorious threat groups, and significant disruption to the global cybercrime ecosystem.
Key developments include the active exploitation of a critical FortiSIEM command injection vulnerability allowing unauthenticated remote code execution, continued nation-state campaigns targeting SharePoint infrastructure leading to ransomware deployment, and the emergence of a criminal supergroup combining ShinyHunters and Scattered Spider capabilities. The cybercrime landscape also experienced major disruption with law enforcement takedowns of prominent forums, forcing threat actors to rapidly adapt their operational infrastructure.
Emerging Hacking Techniques
Delegated Managed Service Account (dMSA) Exploitation
The BadSuccessor technique targeting Windows Server 2025 Kerberos implementations represents a sophisticated privilege escalation method that exploits the dMSA feature designed to prevent credential harvesting. Attackers manipulate Active Directory attributes to link low-privileged accounts to high-value principals, effectively inheriting domain administrator privileges through Kerberos authentication flows.
Hybrid Cloud Identity Bridging Attacks
Nation-state actors have refined techniques for pivoting from on-premises SharePoint compromises to cloud environments, exploiting hybrid Exchange configurations to maintain persistence across both infrastructures. This technique transforms localized breaches into comprehensive cloud compromise scenarios that are difficult to detect.
Social Engineering as Initial Access for Technical Exploitation
The ShinyHunters-Scattered Spider collaboration demonstrates the evolution of vishing techniques combined with sophisticated technical exploitation, using Okta-themed phishing pages during voice calls to trick victims into credential disclosure, followed by immediate technical exploitation of cloud management platforms.
Critical Attack Techniques and CVEs
CVE-2025-25256: FortiSIEM Unauthenticated Command Injection
Overview
A critical OS command injection vulnerability in Fortinet FortiSIEM allows unauthenticated attackers to execute arbitrary commands through the phMonitor service on TCP port 7900.
Technical Explanation
The vulnerability stems from improper neutralization of special elements in OS commands within FortiSIEM’s architecture. Attackers craft malicious CLI requests that bypass input validation, leading to direct command execution on the underlying system. The exploitation requires no user interaction and produces no distinctive indicators of compromise, making detection extremely challenging.
Impact/Risk
FortiSIEM serves as the central security monitoring platform for organizations, making successful exploitation particularly devastating. Attackers gain complete control over the SIEM infrastructure, potentially disabling security monitoring, accessing all collected security data, and using the platform as a pivot point for lateral movement throughout the network.
Takeaway for CISO
Immediately prioritize FortiSIEM patching to versions 6.7.10+, 7.0.4+, 7.1.8+, 7.2.6+, or 7.3.2+. If immediate patching is impossible, restrict network access to TCP port 7900 to trusted internal sources only and implement additional monitoring for anomalous CLI usage patterns.
CVE-2025-53770 & CVE-2025-53771: SharePoint ToolShell Zero-Days
Overview
Critical vulnerabilities in on-premises Microsoft SharePoint servers enable unauthenticated remote code execution through deserialization and ViewState abuse techniques; they are actively exploited by Chinese nation-state actors.
Technical Explanation
The attack chain leverages two complementary vulnerabilities: CVE-2025-53770 exploits deserialization of untrusted data, while CVE-2025-53771 bypasses authentication through path traversal. Attackers send crafted HTTP requests with forged Referer headers to /layouts/15/ToolPane.aspx, uploading malicious ASPX files that extract cryptographic secrets. These stolen keys enable creation of valid ViewState payloads for persistent, undetected access.
Impact/Risk
Successful exploitation provides complete SharePoint compromise with ability to access all content, execute arbitrary code, and deploy ransomware. The theft of ASP.NET machine keys enables persistent access even after initial remediation, as attackers can forge legitimate-appearing authentication tokens. Multiple industries including finance, education, healthcare, and government have been targeted.
Takeaway for CISO
Apply emergency SharePoint patches immediately, rotate ASP.NET machine keys both before and after patching, enable AMSI integration in Full Mode, and deploy comprehensive EDR on all SharePoint servers. Consider disconnecting internet-facing SharePoint servers until full remediation is complete.
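The attack chain described above leaves a recognisable trace in IIS logs: an unauthenticated POST to ToolPane.aspx, followed by requests for an ASPX file that did not exist before. The following detection sketch is an added example (not FireCompass or Microsoft code) that scans IIS W3C-format log lines from an on-premises SharePoint server and correlates those two behaviours by client IP. The log lines, host name, file names and client addresses are constructed placeholders, and the baseline logic is a heuristic to be tuned against your own traffic.

```python
"""Detection sketch for the ToolShell activity pattern in IIS W3C logs.

Added example, not code from FireCompass or Microsoft. It flags:
  1. an anonymous (cs-username "-") POST to ToolPane.aspx, and
  2. later anonymous, successful requests for other .aspx pages under
     /_layouts/ (or /layouts/) from the same client IP, which is where a
     dropped web shell would be fetched from.
All sample data below is constructed for the example.
"""
import re
from typing import Iterator

# Default IIS W3C field order; a #Fields: header in the log overrides it.
FIELD_NAMES = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
               "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
               "sc-substatus sc-win32-status time-taken").split()

LAYOUTS_RE = re.compile(r"/_?layouts/")

# Constructed sample: two normal requests by an authenticated editor, then an
# anonymous POST to ToolPane.aspx and an anonymous fetch of a new .aspx page.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-08-12 09:14:02 10.0.0.5 GET /SitePages/Home.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 https://sp.example.test/SitePages/Home.aspx 200 0 0 45
2025-08-12 09:15:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 https://sp.example.test/SitePages/Home.aspx 200 0 0 120
2025-08-12 09:21:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.77 python-requests/2.31 https://sp.example.test/_layouts/15/placeholder.aspx 200 0 0 310
2025-08-12 09:21:15 10.0.0.5 GET /_layouts/15/dropped_example.aspx - 443 - 203.0.113.77 python-requests/2.31 - 200 0 0 12
"""


def parse_iis(text: str) -> Iterator[dict]:
    """Yield one dict per W3C log record, honouring the #Fields: header."""
    fields = FIELD_NAMES
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than guess at columns
        yield dict(zip(fields, parts))


def detect_toolshell(text: str) -> list[dict]:
    """Return findings for anonymous ToolPane POSTs and follow-on page fetches."""
    findings: list[dict] = []
    suspect_ips: set[str] = set()
    for rec in parse_iis(text):
        stem = rec["cs-uri-stem"].lower()
        if not (LAYOUTS_RE.search(stem) and stem.endswith(".aspx")):
            continue
        anonymous = rec["cs-username"] == "-"
        succeeded = rec["sc-status"].startswith("2")
        client = rec["c-ip"]
        if stem.endswith("/toolpane.aspx"):
            # Legitimate page editing is always authenticated; an anonymous
            # POST here matches the unauthenticated exploitation path.
            if rec["cs-method"] == "POST" and anonymous:
                suspect_ips.add(client)
                findings.append({"rule": "anon_toolpane_post", "c-ip": client,
                                 "time": rec["time"], "referer": rec["cs(Referer)"]})
        elif anonymous and succeeded and client in suspect_ips:
            # Same client now fetching another layouts page: likely the
            # uploaded ASPX the write-up describes.
            findings.append({"rule": "anon_layouts_page_after_toolpane",
                             "c-ip": client, "time": rec["time"], "uri": stem})
    return findings


if __name__ == "__main__":
    for finding in detect_toolshell(SAMPLE_LOG):
        print(finding)
```

Run it over a day's worth of u_ex*.log files from each SharePoint front end; the first rule alone is a strong signal, and the second narrows the list of files to pull for forensic review. Machine-key rotation is still required whatever the logs show, since stolen keys remain valid after patching.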
CVE-2025-8875 & CVE-2025-8876: N-able N-central RMM Vulnerabilities
Overview
Critical insecure deserialization and command injection vulnerabilities in N-able N-central RMM platform, actively exploited to compromise managed service provider infrastructures.
Technical Explanation
CVE-2025-8875 exploits insecure deserialization allowing authenticated attackers to execute malicious commands through crafted serialized objects. CVE-2025-8876 involves command injection via improper input sanitization. Both vulnerabilities require authentication but enable privilege escalation and lateral movement across managed client environments.
Impact/Risk
N-central manages endpoints across multiple client organizations, making compromise particularly severe for MSPs. Successful exploitation enables attackers to access multiple client networks simultaneously, deploy ransomware across managed infrastructures, and steal credentials from numerous organizations through a single compromise point.
Takeaway for CISO
Upgrade N-central to version 2025.3.1 or 2024.6 HF2 before the August 20, 2025 CISA deadline. Ensure multi-factor authentication is enabled for all administrative accounts and implement additional monitoring for privilege escalation activity across managed environments.
CVE-2025-54948 & CVE-2025-54987: Trend Micro Apex One Zero-Days
Overview
Critical command injection vulnerabilities in Trend Micro Apex One on-premises installations, exploited in the wild with no available patch during initial disclosure.
Technical Explanation
The vulnerabilities exist in the Apex One management console listening on TCP ports 8080 and 4343. Improper validation of user-supplied strings before system call execution allows unauthenticated attackers to upload malicious code and execute commands with IUSR privileges. The two CVEs represent the same vulnerability affecting different CPU architectures.
Impact/Risk
Apex One serves as the primary endpoint security solution for many organizations. Successful exploitation compromises the security infrastructure itself, potentially disabling protection across all managed endpoints and providing attackers with detailed visibility into organizational security configurations.
Takeaway for CISO
Apply the emergency fix tool immediately as an interim mitigation while awaiting the full patches expected in mid-August 2025. The fix tool disables the Remote Install Agent function but maintains protection against the known exploits. Consider additional endpoint monitoring during the interim period.
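Both the FortiSIEM and Apex One advisories above come down to the same interim control: the management port (TCP 7900 for phMonitor; TCP 8080 and 4343 for the Apex One console) must only be reachable from trusted internal sources. The script below is an added example, not FireCompass, Fortinet or Trend Micro code, that audits firewall connection logs for accepted connections to those ports from outside an allowlist. The `key=value` log format, the trusted CIDR ranges and every address in the sample are constructed assumptions; adapt the parser to your firewall's export.

```python
"""Audit firewall flow logs for management-port exposure.

Added example, not vendor code. Flags accepted connections to the security
products' management ports from sources outside the trusted ranges, which is
the condition the interim mitigations above are meant to rule out.
All log lines, CIDRs and addresses are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Ports named in the advisories, mapped to the service they expose.
MANAGEMENT_PORTS = {
    7900: "FortiSIEM phMonitor",
    8080: "Trend Micro Apex One console",
    4343: "Trend Micro Apex One console",
}

# Assumed trusted admin/SOC networks; replace with your own.
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.5.0/24")]

# Constructed flow log in a simple key=value form.
SAMPLE_FLOWS = """\
ts=2025-08-13T08:00:01Z src=10.20.0.15 dst=10.30.0.9 proto=tcp dport=7900 action=accept
ts=2025-08-13T08:00:07Z src=198.51.100.23 dst=10.30.0.9 proto=tcp dport=7900 action=accept
ts=2025-08-13T08:00:09Z src=198.51.100.23 dst=10.30.0.9 proto=tcp dport=7900 action=deny
ts=2025-08-13T08:01:40Z src=10.40.8.2 dst=10.30.0.12 proto=tcp dport=4343 action=accept
ts=2025-08-13T08:02:03Z src=198.51.100.23 dst=10.30.0.12 proto=tcp dport=443 action=accept
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    action: str  # "accept" or "deny" as logged by the firewall


def parse_flow_line(line: str) -> Flow:
    """Parse one key=value flow record into a Flow."""
    kv = dict(token.split("=", 1) for token in line.split())
    return Flow(kv["ts"], kv["src"], kv["dst"], int(kv["dport"]), kv["action"])


def is_trusted(src: str) -> bool:
    """True if the source address falls inside any trusted network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_SOURCES)


def audit_flows(text: str) -> list[dict]:
    """Return accepted management-port connections from untrusted sources."""
    violations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow_line(line)
        if flow.dport not in MANAGEMENT_PORTS or flow.action != "accept":
            continue  # denied traffic and non-management ports are fine
        if is_trusted(flow.src):
            continue
        violations.append({"ts": flow.ts, "src": flow.src, "dst": flow.dst,
                           "dport": flow.dport, "service": MANAGEMENT_PORTS[flow.dport]})
    return violations


if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print(f"{v['ts']} {v['src']} -> {v['dst']}:{v['dport']} ({v['service']}) ACCEPTED from untrusted source")
```

An empty result after the access restriction is applied is the evidence a CISO needs that the interim mitigation is in effect; any hit is either a rule gap or a trusted-range definition that is broader than intended.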
Underground Intelligence: Cybercriminal Ecosystem Disruption
XSS Forum Takedown and Ecosystem Fragmentation
Overview
On July 22, 2025, Ukrainian authorities arrested the suspected administrator of XSS, one of the world’s most influential Russian-speaking cybercrime forums, leading to its seizure by French authorities and significant disruption to the cybercrime ecosystem.
Technical Details
The takedown operation involved coordinated efforts between French police, Ukrainian Security Service (SBU), and Europol. While forum administrators attempted to maintain operations by redirecting to new domains and .onion sites, the sustained law enforcement pressure ultimately forced the platform offline. Former XSS moderators established DamageLib as a potential successor, warning users that XSS had been compromised and converted to a law enforcement honeypot.
Impact/Risk
XSS served as a critical hub for ransomware affiliates, initial access brokers, malware developers, and money laundering services. The forum’s disruption temporarily eliminated a key coordination point for high-tier cybercriminal activities, though threat actors are rapidly migrating to alternative platforms including RAMP and Duty-Free forums.
Takeaway for CISO
Monitor for increased activity on alternative cybercrime forums as displaced XSS users migrate. Expect potential operational disruption among established threat groups as they rebuild trust networks and coordination mechanisms on new platforms.
DarkForums: The New Cybercrime Nexus
Overview
DarkForums experienced a 600% surge in activity between April and June 2025, rapidly filling the void left by BreachForums’ takedown and establishing itself as a major hub for data leaks, malware distribution, and hacking tools.
Technical Details
Originally launched as “DARK4RMY Forums” in 2022, the platform adopted BreachForums’ design and acquired its Telegram user group following the latter’s disappearance. Currently operated by administrators AnonOne and Knox, the forum implements a tiered membership model with VIP, MVP, and GOD ranks providing access to exclusive content and private Telegram channels.
Impact/Risk
The forum’s rapid growth and adoption of BreachForums’ operational model indicate successful consolidation of the English-language cybercrime community. The platform facilitates data breach monetization, credential trading, and malware distribution, serving as a critical intelligence source for emerging threats.
Takeaway for CISO
Establish monitoring capabilities for DarkForums activities, particularly data leak announcements that may affect your organization. The forum’s growth trajectory suggests it will become a primary platform for threat intelligence gathering and early warning of data breaches.
ShinyHunters-Scattered Spider Criminal Supergroup
Overview
ShinyHunters announced collaboration with Scattered Spider and Lapsus$ in August 2025, forming a “criminal supergroup” that combines advanced social engineering capabilities with sophisticated technical exploitation skills.
Technical Details
The collaboration involves Scattered Spider providing initial access through vishing and social engineering attacks, while ShinyHunters conducts data exfiltration from compromised Salesforce CRM instances. The groups established a joint Telegram channel “ScatteredLapsuSp1d3rHunters” and advertised a new ransomware-as-a-service called “SHINYSP1D3R” claiming superior capabilities to LockBit and DragonForce.
Impact/Risk
This collaboration represents a concerning evolution in threat actor cooperation, combining Scattered Spider’s proven social engineering capabilities with ShinyHunters’ data monetization expertise. The alliance has already targeted major organizations including Cartier, Chanel, Gucci, Qantas, and Coinbase, with claims of 91 total victims.
Takeaway for CISO
Enhance social engineering awareness training focusing on vishing attacks targeting IT help desk personnel. Implement additional verification procedures for cloud platform access requests and monitor for suspicious Salesforce CRM activities.
| CVE ID | Product | CVSS Score | Severity | Incident Date | Status | Attack Vector |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-25256 | Fortinet FortiSIEM | 9.8 | Critical | August 12, 2025 | Active exploitation confirmed | Network/Unauthenticated |
| CVE-2025-53770, CVE-2025-53771 | Microsoft SharePoint Server (on-premises) | 9.8 | Critical | July 18, 2025 (continued exploitation in August) | Active exploitation by nation-state actors | Network/Unauthenticated |
| CVE-2025-8875, CVE-2025-8876 | N-able N-central | 9.4 | Critical | August 13, 2025 | Active exploitation confirmed | Network/Authenticated |
| CVE-2025-54948, CVE-2025-54987 | Trend Micro Apex One (on-premises) | 9.4 | Critical | August 5, 2025 | Active exploitation confirmed | Network/Unauthenticated |
| CVE-2025-53779 | Windows Server 2025 Kerberos | 7.2 | Medium | August 12, 2025 | Publicly disclosed zero-day | Network/Authenticated |