The week of August 19–25, 2025, witnessed a surge in high-severity exploits and advanced persistent threat campaigns targeting critical enterprise infrastructure. Notable developments include the active exploitation of CVE-2025-8088 in WinRAR, deployment of DripDropper malware via Apache ActiveMQ vulnerabilities, and the global Warlock ransomware campaign leveraging SharePoint vulnerabilities. Concurrently, Arch Linux endured an ongoing DDoS assault, and Microsoft’s August security updates introduced severe stability issues. These events underscore the escalating sophistication of threat actors and the urgent need for proactive exposure management.
New Hacking Techniques
Voice Phishing for SaaS OAuth Hijacking
Threat actors have refined traditional vishing by targeting cloud applications. Attackers impersonate help-desk personnel to coerce employees into authorizing malicious OAuth applications – specifically exploiting Salesforce’s Data Loader OAuth flow – to obtain long-lived access tokens and bypass multi-factor authentication.
Malicious Post-Exploitation Patching
In the DripDropper campaign, adversaries exploit Apache ActiveMQ, then immediately apply the official patch to close the same vulnerability. This approach prevents rivals from re-exploiting the same hosts and conceals the initial attack vector from defenders.
Hypervisor-Level Persistence
The Fire Ant APT group has demonstrated advanced hypervisor compromise techniques. By exploiting VMware ESXi and vCenter vulnerabilities, attackers harvest vpxuser credentials to maintain stealthy, persistent backdoors at the virtualization layer, evading traditional endpoint defenses.
New Critical CVEs and Attack Vectors
CVE-2025-53786: Microsoft Exchange Hybrid Privilege Escalation
Discovery: April 2025
Disclosure: August 6, 2025
CVSS: 8.0
Overview
This vulnerability allows authenticated administrators on on-premises Exchange servers to forge OAuth tokens and escalate privileges in Exchange Online, compromising entire hybrid environments.
Technical Deep Dive
Hybrid Exchange configurations share a trust between on-premises and cloud components. Attackers with administrative permissions on the on-premises side manipulate the OAuth certificate to generate tokens that Exchange Online accepts. The exploit bypasses Conditional Access and MFA, enabling stealthy lateral movement and persistent cloud access.
Impact/Risk
- Full compromise of Microsoft 365 tenants connected via Exchange Hybrid
- MFA and conditional-access bypass
- Potentially undetected token abuse for 24-hour windows
Takeaway for CISOs
Deploy Microsoft’s April hotfix or newer Exchange updates immediately. Reset hybrid trust certificates, enforce zero-trust segmentation for cloud connectors, and monitor OAuth token issuance patterns.
CVE-2025-8088: WinRAR Zero-Day Path Traversal
Discovery: July 18, 2025
Patch: July 30, 2025 (WinRAR 7.13)
CVSS: 8.4
Overview
A path traversal flaw in WinRAR versions ≤ 7.12 allows crafted archives to extract malicious files into arbitrary system directories, leading to remote code execution and persistence via NTFS alternate data streams.
Technical Deep Dive
Attackers craft RAR archives with manipulated file paths exploiting NTFS ADS. Upon extraction, WinRAR places hidden DLLs and LNK launchers into Startup folders. These artifacts activate on reboot, establishing backdoors and loader payloads without user awareness.
Impact/Risk
- Active exploitation by RomCom actors targeting Europe and Canada
- Deployment of custom backdoors (e.g., Mythic, SnipBot)
- Affects 500 million+ WinRAR installations
Takeaway for CISOs
Upgrade to WinRAR 7.13+ immediately. Enforce application whitelisting to block EXE/LNK execution from temporary or Startup directories. Monitor for unauthorized LNK file creation and ADS usage.
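Added example (not code from the original post): a static triage of archive entry names for the traversal-plus-ADS pattern described above, so a listing can be screened before extraction. The listing below is constructed, and the Startup-folder suffix and payload extensions are assumptions.

```python
import ntpath

# Startup folder marker (assumption: both the per-user and all-users Startup paths
# end in this suffix, which is where the page says the LNK/DLL droppers land).
STARTUP_MARKER = r"start menu\programs\startup"
AUTORUN_EXT = (".lnk", ".dll", ".exe", ".cmd", ".bat")

def triage_entry(name: str) -> list[str]:
    """Return the reasons one archive entry name looks like a traversal/ADS drop."""
    findings = []
    norm = name.replace("/", "\\")                 # normalise separators
    drive, rest = ntpath.splitdrive(norm)
    if drive or rest.startswith("\\"):
        findings.append("absolute or drive-qualified path")
    if ".." in rest.split("\\"):
        findings.append("parent-dir traversal")
    # A colon is illegal in a normal NTFS file name, so any colon left after the
    # drive letter has been removed is "file:stream" alternate-data-stream syntax.
    if ":" in rest:
        findings.append("NTFS alternate data stream syntax")
    lowered = rest.lower()
    if STARTUP_MARKER in lowered:
        findings.append("lands in a Startup folder")
    if findings and lowered.endswith(AUTORUN_EXT):
        findings.append("autorun-capable payload type")
    return findings

def triage_listing(entries):
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    return {e: f for e in entries if (f := triage_entry(e))}

# Constructed listing, not a real RomCom sample: one benign document, one ADS stream
# whose name traverses into the user's Startup folder, and one plain traversal.
SAMPLE_LISTING = [
    "docs/quarterly_report.pdf",
    "docs/quarterly_report.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\Updater.lnk",
    "..\\..\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.dll",
]
```

Feed it the entry names printed by your archive tool; anything that returns findings should be quarantined rather than extracted.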
CVE-2023-46604: Apache ActiveMQ RCE & DripDropper Campaign
Initial Disclosure: October 2023
Exploit Date: August 2025
CVSS: 10.0
Overview
This critical RCE in Apache ActiveMQ remains under active exploitation, now delivering DripDropper malware. Uniquely, attackers patch the vulnerability post-exploit to maintain exclusivity and hinder detection.
Technical Deep Dive
Unpatched ActiveMQ brokers grant unauthenticated shell access. Operators modify SSH configs to enable root login, deploy password-protected ELF binaries that beacon to Dropbox hosts, and then apply the vendor patch to obfuscate the initial intrusion. Malware includes credential theft scripts, process hollowing, and AMSI/ETW tampering for stealth.
Impact/Risk
- Global Linux hosts running ActiveMQ at risk
- Sustained persistence via SSH backdoors and cron jobs
- Complicated forensics due to post-exploit patching
Takeaway for CISOs
Patch ActiveMQ to latest supported versions. Isolate message brokers behind zero-trust gateways. Alert on SSH configuration changes and unusual Dropbox API traffic. Harden cron-job permissions.
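Added example (not code from the original post) for the "alert on SSH configuration changes" recommendation: a parser that reports where an sshd_config has drifted from a hardened baseline, including the first-occurrence trap and Match-block overrides. The baseline values and the post-intrusion snapshot are constructed assumptions.

```python
import re

# Site baseline (assumption: what the deployment-time sshd_config set).
HARDENED_BASELINE = {"permitrootlogin": "no", "passwordauthentication": "no",
                     "permitemptypasswords": "no", "pubkeyauthentication": "yes"}

def parse_sshd_config(text):
    """Return (global directives, Match-scoped directives). sshd honours the FIRST
    occurrence of a directive, so a line prepended at the top silently wins."""
    global_cfg, match_overrides, current_match = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        key, value = (re.split(r"\s*=\s*|\s+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":
            current_match = value                       # lines below are conditional
        elif current_match is None:
            global_cfg.setdefault(key, value)           # first occurrence wins
        else:
            match_overrides.append((current_match, key, value))
    return global_cfg, match_overrides

def sshd_drift(text, baseline=HARDENED_BASELINE):
    """One alert per baseline directive the config weakens, globally or via Match."""
    global_cfg, overrides = parse_sshd_config(text)
    alerts = [f"{k}: expected {v}, got {global_cfg.get(k, 'unset')}"
              for k, v in baseline.items() if global_cfg.get(k, "").lower() != v]
    alerts += [f"{k}: overridden to {val} under 'Match {crit}'"
               for crit, k, val in overrides if k in baseline and val.lower() != baseline[k]]
    return alerts

# Constructed post-intrusion snapshot: root login re-enabled at the top (making the
# original 'no' inert) plus a Match block re-enabling it for one subnet.
TAMPERED_SNAPSHOT = """\
PermitRootLogin yes
Port 22
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
PubkeyAuthentication yes
Match Address 203.0.113.0/24
    PermitRootLogin yes
"""
```

Run it against the live file from a file-integrity or config-management hook so that a non-empty alert list becomes a ticket, not just a diff.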
Threat Campaigns & Activity
Warlock Ransomware: SharePoint ToolShell Exploitation
Active: June 2025–Present
Attribution: Black Basta–linked
Regions: North America, Europe, Asia, Africa
Overview
Warlock operators exploit SharePoint on-premises ToolShell flaws to upload web shells and gain footholds. They elevate privileges via Group Policy abuse, dump credentials with Mimikatz, and deploy ransomware while exfiltrating data in parallel.
Technical Deep Dive
After initial shell upload, they create malicious GPO objects to activate guest accounts, terminate security processes, and move laterally via SMB admin shares. Encrypted payloads use a unique “.x2anylock” extension, and data is exfiltrated via RClone to cloud storage before encryption.
Impact/Risk
- 16 victims named within days of the announcement on a ransomware-banning forum
- Targeting governments, finance, manufacturing
- Double-extortion model hindering recovery
Takeaway for CISOs
Patch on-prem SharePoint servers urgently. Segment SharePoint away from core AD. Hunt for unauthorized GPO changes and web-shell artifacts. Ensure immutable, off-network backups.
Fire Ant APT: VMware & Hypervisor Espionage
Active: Early 2025–Present
Attribution: UNC3886 (China-linked)
Overview
Fire Ant targets VMware vCenter/ESXi using CVE-2023-34048 and CVE-2023-20867. By harvesting vpxuser credentials, they deploy backdoors in hypervisors, extract VM memory snapshots for credentials, and bypass network segmentation.
Technical Deep Dive
Exploits enable host-to-guest code execution and unauthorized file read/write. The “ksmd” backdoor listens on port 7475 for C2. Lateral movement leverages virtual network misconfigurations, granting access to tenant VMs and domain controllers.
Impact/Risk
- Stealthy hypervisor-level persistence
- High-value credential exfiltration from AD controllers
- Traditional endpoint controls ineffective
Takeaway for CISOs
Enhance hypervisor logging, deploy microsegmentation for virtualization networks, and monitor the vpxuser account and unusual vCenter API calls. Integrate hardware security modules for credential protection.
Operational Security Implications
The convergence of supply-chain targeting (Exchange, SharePoint, WinRAR, ActiveMQ), advanced social engineering for cloud-based platforms, and hypervisor-level persistence underscores the need for a holistic, continuous validation approach. Traditional patch-and-monitor strategies must be augmented by continuous exposure management and proactive attack-path simulations.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management