CyberDudeBivash ThreatWire – Breaking Cyber Incidents & Zero-Day Alerts

1) WinRAR 0-day used in phishing to deploy RomCom (CVE-2025-8088)

  • What’s new: A directory traversal bug in WinRAR was exploited as a zero-day in email campaigns to drop RomCom malware; fixed in v7.13. Attackers weaponize archives so extraction writes files outside the intended path.
  • Action: Update to 7.13+ immediately; block archive extraction from unknown senders; EDR rule for suspicious unrar.exe/WinRAR.exe spawning PowerShell/cmd. Hunt for RomCom IOCs. Security Affairs
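Added example (not from the original post or from WinRAR): a pre-extraction check that labels archive member names which would resolve outside the chosen extraction directory, covering the spellings a traversal attempt typically relies on (`../` climbs, backslash separators, absolute paths, drive letters). It is a generic path-containment check, not a reproduction of the CVE-2025-8088 bug; the member names and the `/tmp/extract` root are constructed for the demonstration.

```python
import os
import ntpath
import posixpath
from typing import Iterable, List, Tuple


def is_path_contained(extract_root: str, entry_name: str) -> bool:
    """Return True only if an archive member name resolves inside extract_root.

    Works on the name alone (no filesystem access), so it can run before
    extraction. It does not account for symlinks already present on disk.
    """
    # Archive members may use either separator; normalise to forward slashes.
    name = entry_name.replace("\\", "/")
    # Absolute paths, drive letters (C:/...) and UNC paths (//host/share)
    # are rejected outright.
    if name.startswith("/") or ntpath.splitdrive(name)[0]:
        return False
    # Collapse "." and ".." lexically, then reject anything that climbs
    # above the root (normpath leaves a leading ".." in place).
    normalised = posixpath.normpath(name)
    if normalised.split("/")[0] == "..":
        return False
    root = os.path.abspath(extract_root)
    target = os.path.abspath(os.path.join(root, *normalised.split("/")))
    return os.path.commonpath([root, target]) == root


def audit_entries(extract_root: str, names: Iterable[str]) -> List[Tuple[str, str]]:
    """Label each member name 'ok' or 'traversal' without extracting anything."""
    return [(n, "ok" if is_path_contained(extract_root, n) else "traversal")
            for n in names]


# Constructed member names covering the usual traversal spellings.
SAMPLE_MEMBERS = [
    "report/summary.txt",
    "report/../summary.txt",
    "../../outside.exe",
    "..\\..\\outside.exe",
    "/etc/cron.d/job",
    "C:\\Windows\\payload.dll",
]

if __name__ == "__main__":
    for name, verdict in audit_entries("/tmp/extract", SAMPLE_MEMBERS):
        print(f"{verdict:10} {name}")
```

A mail gateway or sandbox can run `audit_entries` over the member list of any archive it unpacks and quarantine the file on the first `traversal` verdict; the same check is what a safe extractor should perform before writing each member.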

2) Trend Micro Apex One (on-prem) actively exploited RCE

  • CVE: CVE-2025-54948/54987 — command injection → RCE on the Apex One management console; exploitation confirmed. Public-facing consoles are prime targets.
  • Action: Apply vendor hotfix/patch; disable Remote Install Agent, keep console off the internet, monitor for console-spawned shells and suspicious child processes. TechRadar

3) ShinyHunters breach Google’s Salesforce instance

  • What happened: Threat group ShinyHunters (UNC6040) accessed a Google-managed Salesforce org and exfiltrated corporate customer data—part of a broader wave of Salesforce data-theft ops.
  • Risk: Follow-on phishing/extortion using CRM data; API access may have been scripted (SOQL) for bulk exfil.
  • Action: Enforce MFA and IP allowlists on CRM; review Event Monitoring for large SOQL queries; rotate connected-app secrets and audit user perms. BleepingComputer, The Times of India
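Added example (not from the original post or from Salesforce): a small detector that reads API event-log rows and raises alerts for single queries returning many rows, users whose cumulative query volume is high, and queries from outside an IP allowlist. The CSV columns are modelled on the Salesforce API event type but should be treated as assumed; the log rows, user IDs, addresses and thresholds are constructed for the demonstration.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from typing import List, Sequence, Tuple

# Constructed sample in the shape of an Event Monitoring API log (assumed columns).
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,API_TYPE,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED
API,20250811120001.000,005A0000001,203.0.113.10,E,query,Contact,200
API,20250811120105.000,005A0000001,203.0.113.10,E,query,Contact,180
API,20250811120210.000,005B0000002,198.51.100.7,E,query,Account,2000
API,20250811120330.000,005B0000002,198.51.100.7,E,queryMore,Account,2000
API,20250811120455.000,005B0000002,198.51.100.7,E,queryMore,Account,2000
API,20250811120515.000,005C0000003,203.0.113.22,E,query,Lead,50
"""

Alert = Tuple[str, str, str]  # (rule, user_id, detail)


def detect_bulk_export(log_text: str,
                       single_query_rows: int = 1000,
                       user_total_rows: int = 5000,
                       allowed_nets: Sequence[str] = ("203.0.113.0/24",)) -> List[Alert]:
    """Flag large SOQL result sets, heavy per-user volume and off-allowlist IPs."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    totals = defaultdict(int)
    seen_ips = set()
    alerts: List[Alert] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Only SOQL query traffic matters here; queryMore pages through a big result.
        if row["EVENT_TYPE"] != "API" or row["METHOD_NAME"] not in ("query", "queryMore"):
            continue
        user = row["USER_ID"]
        rows = int(row["ROWS_PROCESSED"] or 0)
        totals[user] += rows
        if rows >= single_query_rows:
            alerts.append(("large_query", user, f"{row['ENTITY_NAME']} rows={rows}"))
        ip = ipaddress.ip_address(row["CLIENT_IP"])
        # Report each (user, source IP) pair once rather than per request.
        if not any(ip in n for n in nets) and (user, ip) not in seen_ips:
            seen_ips.add((user, ip))
            alerts.append(("unexpected_ip", user, str(ip)))
    for user, total in totals.items():
        if total >= user_total_rows:
            alerts.append(("bulk_total", user, f"rows={total}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect_bulk_export(SAMPLE_LOG):
        print(f"{rule:14} {user} {detail}")
```

Thresholds belong in a config tuned to the org's normal integration traffic; the per-user total is the signal that survives an attacker splitting a bulk pull into many pages.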

4) Bouygues Telecom breach – 6.4M customers impacted

  • Data exposed: contact details, contractual info, civil status/company info, IBANs (no card numbers).
  • Risk: High-quality phishing & account-takeover against French/EU customers; regulatory exposure (CNIL) for the operator.
  • Action: Notify users, enable banking alerts, change portal creds, enforce DMARC/DKIM/SPF tightening to blunt phishing waves. BleepingComputer, IT Pro, TechCrunch

5) Axis video estates: 6,500 servers expose Axis.Remoting (multi-CVE)

  • CVEs: CVE-2025-30023 (RCE), CVE-2025-30024 (AitM), CVE-2025-30025/30026 (priv-esc/auth issues). Internet-wide scans find thousands of exposed servers; chained bugs enable camera takeover and internal pivot.
  • Action: Patch (Camera Station 5.58+/Pro 6.9, Device Manager 5.32+), remove Axis.Remoting from the internet, restrict via VPN, alert on protocol traffic, segment OT/physical security networks. The Hacker News, Claroty, Infosecurity Magazine

6) SonicWall VPN wave tied to old patched bug + password reuse (not a 0-day)

  • What: Recent attacks on Gen7 SSL-VPN appliances traced to a previously disclosed flaw and credential reuse during Gen6→Gen7 migrations.
  • Action: Enforce unique creds + MFA, disable legacy accounts, update to latest firmware, and monitor SSL-VPN auth anomalies. Cybersecurity Dive, The Hacker News

Watchlist: Apache Camel header-filter bypass (CVE-2025-29891)

  • Issue: Default filter lets Camel-specific headers/params alter component behavior—risking method/command exec in some routes (e.g., camel-bean / camel-exec).
  • Action: Upgrade to 4.10.2 / 4.8.5 / 3.22.4, strip Camel* headers at ingress, prefer allowlists, and audit routes that call beans/exec. Apache Camel, Unit 42, Akamai
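Added example (not from the original post or from the Apache Camel project): an ingress-side sanitiser, as a reverse proxy or WAF hook might apply it, that drops any request header or query parameter whose name carries a Camel prefix, matching case-insensitively, and optionally enforces a header allowlist. The prefixes `Camel` and `org.apache.camel` are Camel's own header naming conventions; the sample header and parameter names are constructed and stand in for whatever a route might otherwise consume.

```python
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# Camel's own header naming conventions. Matched case-insensitively: an
# exact-case comparison is exactly the kind of filter a variant spelling slips past.
CAMEL_PREFIXES = ("camel", "org.apache.camel")


def _is_camel_name(name: str) -> bool:
    return name.strip().lower().startswith(CAMEL_PREFIXES)


def sanitize_headers(headers: Dict[str, str],
                     allowlist: Optional[Iterable[str]] = None) -> Tuple[Dict[str, str], List[str]]:
    """Return (kept headers, dropped header names).

    Camel-prefixed names are always dropped; if an allowlist is given, every
    name outside it is dropped too.
    """
    allowed = {h.lower() for h in allowlist} if allowlist is not None else None
    clean: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers.items():
        if _is_camel_name(name) or (allowed is not None and name.lower() not in allowed):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, dropped


def sanitize_query(query_string: str) -> Tuple[str, List[str]]:
    """Return (rebuilt query string, dropped parameter names)."""
    kept: List[Tuple[str, str]] = []
    dropped: List[str] = []
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if _is_camel_name(key):
            dropped.append(key)
        else:
            kept.append((key, value))
    return urlencode(kept), dropped


# Constructed request pieces: two ordinary headers and three Camel-style ones in mixed case.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "camelExecCommandExecutable": "not-allowed",
    "CAMELBEANMETHODNAME": "not-allowed",
    "org.apache.camel.Example": "not-allowed",
    "X-Request-Id": "abc123",
}
SAMPLE_QUERY = "q=1&CamelHttpQuery=z&cAmElX=1"

if __name__ == "__main__":
    print(sanitize_headers(SAMPLE_HEADERS))
    print(sanitize_headers(SAMPLE_HEADERS, allowlist=["content-type"]))
    print(sanitize_query(SAMPLE_QUERY))
```

Logging the `dropped` list is worth doing: a client sending Camel-prefixed names at all is a useful hunting signal, independent of whether the route behind the proxy is vulnerable.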

Defender Playbook (copy/paste)

  • Email Gateways: detonate archives; block nested archives; pattern for WinRAR writing outside extraction path. Security Affairs
  • EDR Hunts: parent httpd/w3wp/java → cmd/powershell/bash; console services spawning shells on Apex One hosts. TechRadar
  • SaaS/CRM: enable MFA + IP restrictions, alert on large SOQL/bulk exports, review connected apps and OAuth grants. BleepingComputer
  • Edge: geofence and rate-limit /owa/admin panes; put security consoles and Axis servers behind VPN only. The Hacker News
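Added example (not from the original post or from any EDR vendor) serving the EDR rule in item 1 and the EDR Hunts line above: detection logic run over process-creation events that flags a shell (`cmd`, `powershell`, `bash`, ...) launched by a web/application server or an archive tool. The events are constructed JSON lines with assumed field names (`parent_image`, `image`, `command_line`, `host`); the Apex One console service names are left as an empty set to fill in, since the page does not list them.

```python
import json
from typing import Dict, List

# Parents that should rarely launch an interactive shell.
WEB_AND_ARCHIVE_PARENTS = {"httpd", "apache2", "w3wp.exe", "java", "java.exe",
                           "winrar.exe", "unrar.exe"}
# Fill in the Apex One console service image names for your deployment;
# they are not given on the page, so the set starts empty.
CONSOLE_PARENTS: set = set()
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "dash"}


def image_name(path: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt_shell_spawns(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event where a watched parent spawned a shell."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        parent = image_name(ev.get("parent_image", ""))
        child = image_name(ev.get("image", ""))
        if child not in SHELLS:
            continue
        if parent in WEB_AND_ARCHIVE_PARENTS:
            reason = "web/app server or archive tool spawned a shell"
        elif parent in CONSOLE_PARENTS:
            reason = "security console service spawned a shell"
        else:
            continue
        findings.append({
            "host": ev.get("host", ""),
            "parent": parent,
            "child": child,
            "command_line": ev.get("command_line", ""),
            "reason": reason,
        })
    return findings


def load_events(jsonl: str) -> List[Dict[str, str]]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


# Constructed process-creation events; three should fire, two should not.
SAMPLE_EVENTS_JSONL = """
{"host": "web01", "parent_image": "/usr/sbin/httpd", "image": "/bin/bash", "command_line": "bash -c uname"}
{"host": "ws07", "parent_image": "C:\\\\Program Files\\\\WinRAR\\\\WinRAR.exe", "image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "command_line": "powershell.exe -NoProfile"}
{"host": "ws07", "parent_image": "C:\\\\Windows\\\\explorer.exe", "image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "command_line": "cmd.exe"}
{"host": "app02", "parent_image": "/usr/bin/java", "image": "/usr/bin/java", "command_line": "java -jar app.jar"}
{"host": "iis03", "parent_image": "C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe", "image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "command_line": "cmd.exe /c whoami"}
"""

if __name__ == "__main__":
    for f in hunt_shell_spawns(load_events(SAMPLE_EVENTS_JSONL)):
        print(f"{f['host']:6} {f['parent']} -> {f['child']}: {f['reason']}")
```

The parent/child sets are the tunable part: extend `WEB_AND_ARCHIVE_PARENTS` with the application servers in your estate, and expect to add an exclusion list for legitimate deployment scripts before turning this into a paging alert.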
