Weekly Cybersecurity Brief — Week Ending: 2025-08-21

Introduction

This week’s cybersecurity landscape highlighted critical vulnerabilities and active exploits targeting widely used software, with a focus on N-able N-central, SAP NetWeaver, and Apache ActiveMQ. Notable incidents included ransomware attacks and espionage campaigns leveraging zero-day flaws. Regulatory efforts and industry responses underscored the urgency of timely patching and robust vulnerability management. Organisations must prioritise updates and enhance detection to mitigate escalating threats, particularly in critical infrastructure and managed service environments.

TL;DR – Weekly Cybersecurity Brief

  • N-able N-central: Two vulnerabilities (CVE-2025-8875 & CVE-2025-8876) are under active exploitation; CISA added them to KEV. Patches released 13 Aug; agencies must remediate by 20 Aug.
  • SAP NetWeaver: Ransomware and espionage actors chaining CVE-2025-31324 & CVE-2025-42999 for remote code execution; exploited since March, patched in Apr/May.
  • WinRAR: Zero-day (CVE-2025-8088) used by ‘RomCom’ group, patched in 7.13. Exploit enables code execution via malicious archives.
  • RapperBot Botnet: DOJ charged operator linked to 370,000+ DDoS attacks worldwide, dismantling infrastructure.
  • Exploitation Trends: Active campaigns against Apache ActiveMQ (CVE-2023-46604) and North Korean spear-phishing using GitHub as C2.
  • Security Best Practices: Immediate patching (N-central, SAP, Chrome, ActiveMQ), phishing defence (DMARC, staff awareness), and network monitoring are emphasised.
  • Regulatory & Industry:
    • ENISA’s EU Vulnerability Database (EUVD) expanding with KEV/CVE integration.
    • CISA pushing Secure by Design to eliminate recurring vuln classes.
    • CodeSecCon 2025 spotlighted DevSecOps adoption.

1. Major News

  • CISA Warns of N-able N-central Exploits – Two vulnerabilities (CVE-2025-8875, CVE-2025-8876) in N-able N-central were added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue due to active exploitation, affecting managed service providers and IT teams. Patches were released on 13 August 2025. Federal agencies must update by 20 August 2025 to secure networks. SecurityWeek
  • SAP NetWeaver Flaws Chained for System Takeover – Hackers are exploiting CVE-2025-31324 and CVE-2025-42999 in SAP NetWeaver to bypass authentication and achieve remote code execution. These zero-day flaws, patched in April/May 2025, have been used by ransomware groups and China-linked espionage actors since March. Organisations must verify patches and monitor for compromise. The Hacker News
  • WinRAR Zero-Day Exploited in the Wild – A path traversal vulnerability (CVE-2025-8088) in WinRAR was exploited by the Russia-aligned ‘RomCom’ group to deliver malware. Patched in version 7.13 on 30 July 2025, the flaw lets a crafted archive write files outside the chosen extraction directory, for example into the Windows Startup folder, so the dropped payload runs at the next login. WinRAR has no automatic update mechanism, so users must install 7.13 or later themselves. The Hacker News
  • RapperBot Botnet Operator Charged – The US Department of Justice charged 22-year-old Ethan Foltz for operating the RapperBot botnet, responsible for over 370,000 DDoS attacks across 80+ countries. The takedown highlights ongoing efforts to combat distributed cyber threats. Organisations should enhance DDoS protections. SecurityWeek

2. New Vulnerabilities

CVE ID         | Affected Product | CVSS Score                     | Summary                                                                                                   | Reference
---------------|------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------|----------
CVE-2025-8875  | N-able N-central | N/A (unscored at time of writing) | Insecure deserialisation allowing command execution; actively exploited. Patch to 2025.3.1 or 2024.6 HF2. | NVD
CVE-2025-8876  | N-able N-central | N/A (unscored at time of writing) | Command injection via improper input sanitisation; actively exploited. Patch to 2025.3.1 or 2024.6 HF2.   | NVD
CVE-2025-8901  | Google Chrome    | 8.8 (v3.1)                     | Out-of-bounds write in ANGLE; fixed in Chrome 139.0.7258.127 and later. Update immediately.               | NVD
CVE-2025-31324 | SAP NetWeaver    | 10.0                           | Missing authorisation check in the Visual Composer development server; exploited as a zero-day.           | NVD
CVE-2025-42999 | SAP NetWeaver    | 9.1                            | Insecure deserialisation in Visual Composer; chained with CVE-2025-31324 for unauthenticated RCE.          | NVD

3. Exploits & Attacks

  • N-able N-central Exploits Target MSPs – Attackers exploited CVE-2025-8875 and CVE-2025-8876 (T1190) to gain unauthorised access to on-premises N-central instances. N-able notes that both flaws require an authenticated session, so weak or previously stolen N-central credentials are the likely entry point. Over 870 unpatched instances remain exposed. Apply patches, rotate credentials where compromise is suspected, and review N-central audit logs for unexpected command execution. SecurityWeek
  • SAP NetWeaver Zero-Day Attacks – Ransomware groups (Qilin, BianLian, RansomExx) and China-nexus actors chained CVE-2025-31324 and CVE-2025-42999 (T1190) to deploy Auto-Color Linux malware, targeting critical infrastructure. Patches are available; check for signs of compromise before updating. The Hacker News
  • Apache ActiveMQ Malware Campaign – A campaign exploiting CVE-2023-46604 (CVSS: 9.8, T1190), the OpenWire deserialisation flaw fixed in October 2023, deploys DripDropper Linux malware on ActiveMQ servers, primarily targeting telecommunications and manufacturing. Upgrade to a fixed release (5.15.16, 5.16.7, 5.17.6 or 5.18.3 and later) and use network and host monitoring to detect persistence, since exploitation of a two-year-old flaw means exposed brokers may already have been compromised. The Hacker News
  • North Korean Espionage via Spear-Phishing – North Korean actors targeted South Korean diplomatic missions with spear-phishing (T1566.001), using GitHub as a command-and-control channel. Monitor for suspicious emails and implement DMARC to reduce phishing risks. The Hacker News
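The SAP item above ends with "check for signs of compromise". The following is an added detection example, not code from the brief or from SAP, that runs over web access logs and grades each source by what it did to the Visual Composer metadata uploader. The endpoint path /developmentserver/metadatauploader comes from public advisories on CVE-2025-31324 rather than from this brief; the access-log format (Apache combined style), the sample lines (RFC 5737 documentation addresses) and the severity grading are constructed for this example.

```python
"""Flag likely CVE-2025-31324 exploitation attempts in SAP NetWeaver web access logs.

Added example, not code from the brief or from SAP. The endpoint path below is the
Visual Composer metadata uploader named in public advisories for CVE-2025-31324;
the access-log format (Apache combined style), the sample lines and the severity
grading are constructed for this example.
"""
import re
from collections import defaultdict

# Unauthenticated upload endpoint abused by CVE-2025-31324 (from public advisories).
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Combined-style access log: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Strip the query string and normalise case so /IRJ/Helper.JSP is not missed.
    rec["path"] = rec.pop("target").split("?", 1)[0].lower()
    return rec


def find_uploader_activity(lines):
    """Group uploader requests by source IP and correlate later .jsp fetches.

    A POST to the uploader is the upload itself; a GET is treated as a probe.
    A .jsp under /irj/ fetched by the same IP *after* it touched the uploader is
    treated as a possible webshell follow-up (uploaded JSPs are served from the
    portal root). Order matters: earlier .jsp fetches are not counted.
    """
    uploader = defaultdict(list)   # ip -> uploader requests, in log order
    followups = defaultdict(set)   # ip -> .jsp paths fetched after an uploader hit
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(UPLOADER_PATH):
            uploader[rec["ip"]].append(rec)
        elif (rec["ip"] in uploader and rec["path"].startswith("/irj/")
              and rec["path"].endswith(".jsp")):
            followups[rec["ip"]].add(rec["path"])

    findings = []
    for ip, reqs in uploader.items():
        posts = [r for r in reqs if r["method"] == "POST"]
        succeeded = any(r["status"] == 200 for r in posts)
        if succeeded and followups[ip]:
            severity = "critical"      # upload accepted and something was then executed
        elif posts:
            severity = "high"          # upload attempted; outcome unclear or blocked
        else:
            severity = "medium"        # reconnaissance only
        findings.append({
            "ip": ip,
            "first_seen": reqs[0]["ts"],
            "uploader_requests": len(reqs),
            "post_uploads": len(posts),
            "upload_succeeded": succeeded,
            "jsp_followups": sorted(followups[ip]),
            "severity": severity,
        })
    return findings


def scan_log(text):
    """Convenience wrapper: scan a whole log file held as one string."""
    return find_uploader_activity(text.splitlines())


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Aug/2025:09:14:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [18/Aug/2025:09:14:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0
203.0.113.7 - - [18/Aug/2025:09:14:09 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 184
198.51.100.23 - - [18/Aug/2025:09:20:11 +0000] "GET /irj/portal HTTP/1.1" 200 9021
198.51.100.23 - - [18/Aug/2025:09:20:12 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 404 0
192.0.2.44 - - [18/Aug/2025:09:31:40 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:15} posts={f['post_uploads']} "
              f"ok={f['upload_succeeded']} followups={f['jsp_followups']}")
```

Point it at the ICM or Java HTTP access logs of each NetWeaver instance before applying the April/May patches: a successful POST to the uploader from an unexpected source followed by a fetch of a new .jsp is the signal to treat the host as compromised and start forensics rather than simply patching over the webshell. Legitimate Visual Composer development work can also hit this endpoint, so the source address and the follow-up, not the endpoint alone, decide the severity.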

4. Security Tips

  • Apply N-able N-central patches (2025.3.1 or 2024.6 HF2) to address CVE-2025-8875/8876, and scan for unauthorised access. N-able Status • CISA KEV
  • Update Google Chrome to 139.0.7258.127 or later to mitigate CVE-2025-8901 and other high-severity issues. NVD – CVE-2025-8901
  • Verify SAP NetWeaver patches for April/May 2025 to address CVE-2025-31324 and CVE-2025-42999, and monitor logs for unauthorised access attempts. The Hacker News
  • Upgrade Apache ActiveMQ to a fixed release (5.15.16, 5.16.7, 5.17.6 or 5.18.3 and later) to close CVE-2023-46604, and monitor OpenWire traffic (TCP 61616 by default) together with host configuration for the persistence mechanisms the DripDropper campaign leaves behind; a broker that was exposed while unpatched should be treated as potentially compromised, not just updated. The Hacker News
  • Implement DMARC and train staff to recognise spear-phishing attempts, particularly those impersonating trusted contacts. NCSC – Phishing Guidance
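Implementing DMARC is only half of the last tip; a record that exists but sits at p=none, covers a fraction of mail, or leaves subdomains open still lets spoofed mail through. The following is an added example, not code from the brief or from the NCSC guidance it cites, that assesses a DMARC TXT record for those weak settings. The records are constructed; the checks follow the RFC 7489 meaning of the p, sp, pct and rua tags, and the "enforcing" threshold is this example's own.

```python
"""Assess a DMARC TXT record for weak settings.

Added example, not code from the brief or from the NCSC guidance it cites.
The sample records are constructed; the checks implement the RFC 7489 tag
semantics (v, p, sp, pct, rua) and the "enforcing" threshold is this example's own.
"""

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; raise ValueError on a malformed tag."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return {'valid', 'policy', 'enforcing', 'issues'} for one TXT record value."""
    invalid = {"valid": False, "policy": None, "enforcing": False}
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {**invalid, "issues": [str(exc)]}

    # RFC 7489: v=DMARC1 must be the first tag, and p= is required.
    first_tag = record.split(";", 1)[0].replace(" ", "").lower()
    if first_tag != "v=dmarc1":
        return {**invalid, "issues": ["record does not start with v=DMARC1; receivers ignore it"]}
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return {**invalid, "issues": ["missing or invalid p= tag"]}

    issues = []
    if policy == "none":
        issues.append("p=none only monitors; mail that fails DMARC is still delivered")

    # pct defaults to 100; anything lower samples the policy rather than enforcing it.
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() and 0 <= int(pct_raw) <= 100 else -1
    if pct < 0:
        issues.append(f"invalid pct={pct_raw!r}; do not rely on this record being enforced")
    elif pct < 100:
        issues.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")

    # sp defaults to p; an explicit weaker (or invalid) sp leaves subdomains spoofable.
    sub_policy = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sub_policy, -1) < POLICY_RANK[policy]:
        issues.append(f"sp={sub_policy} is weaker than p={policy} (or invalid); subdomains can be spoofed")

    if "rua" not in tags:
        issues.append("no rua= address; aggregate reports never arrive, so failures go unseen")

    enforcing = policy != "none" and pct == 100
    return {"valid": True, "policy": policy, "enforcing": enforcing, "issues": issues}


# Constructed records, one per failure mode discussed above.
SAMPLE_RECORDS = {
    "good":    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; pct=20; sp=none",
    "broken":  "p=reject",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{name:8} valid={result['valid']} enforcing={result['enforcing']}")
        for issue in result["issues"]:
            print(f"         - {issue}")
```

Feed it the value returned by `dig +short TXT _dmarc.example.com` for each domain you send from. The caveat that matters for the spear-phishing case in the brief: DMARC stops exact-domain spoofing of your own domains and nothing else. Lookalike domains and mail sent from a compromised but legitimate account pass DMARC cleanly, which is why the staff-awareness half of the tip is not optional.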

5. Industry & Regulatory Updates

  • ENISA’s EUVD Gains Traction – The European Vulnerability Database (EUVD) continues to integrate with CISA’s KEV and MITRE’s CVE, offering tailored vulnerability data for EU stakeholders. Experts stress the need for real-time updates to ensure relevance. SecurityWeek
  • CISA’s Secure by Design Push – CISA released a Secure by Design alert urging vendors to eliminate entire vulnerability classes during development rather than patching individual instances, aligning with CISA’s Cross-Sector Cybersecurity Performance Goals (developed with NIST). Organisations should prioritise vendors with demonstrable secure development practices. CISA Alerts (19 Aug 2025)
  • CodeSecCon Highlights DevSecOps – The virtual CodeSecCon event (12–13 August 2025) focused on integrating security into application development, addressing recent vulnerabilities like those in N-able and SAP. Developers should adopt secure coding frameworks. SecurityWeek – CodeSecCon 2025

Conclusion

This week underscored the critical need for rapid patching, with N-able N-central and SAP NetWeaver vulnerabilities actively exploited by ransomware and espionage actors. Organisations must prioritise updates, enhance phishing defences, and adopt secure-by-design principles to reduce risks. Next week, monitor for updates on Citrix NetScaler exploits and emerging regulatory guidance from ENISA.

References

https://www.securityweek.com/codeseccon-2025-where-software-securitys-next-chapter-unfolds/

https://www.securityweek.com/cisa-warns-of-attacks-exploiting-n-able-vulnerabilities/

https://thehackernews.com/2025/08/public-exploit-for-chained-sap-flaws.html

https://thehackernews.com/2025/08/winrar-zero-day-under-active.html

https://www.securityweek.com/us-indicts-rapperbot-botnet-operator/

https://nvd.nist.gov/vuln/detail/CVE-2025-8875

https://nvd.nist.gov/vuln/detail/CVE-2025-8876

https://nvd.nist.gov/vuln/detail/CVE-2025-8901

https://nvd.nist.gov/vuln/detail/CVE-2025-31324

https://nvd.nist.gov/vuln/detail/CVE-2025-42999

https://thehackernews.com/2025/08/apache-activemq-flaw-exploited-to.html

https://thehackernews.com/2025/08/north-korea-uses-github-in-diplomat.html

https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-1/

https://www.ncsc.gov.uk/guidance/phishing

https://www.securityweek.com/eu-cybersecurity-agency-enisa-launches-european-vulnerability-database/

https://www.cisa.gov/news-events/alerts/2025/08/19/cybersecurity-alerts-advisories
