CyberDudeBivash Daily CVE Analysis — 25 Aug 2025 (IST) Author: CyberDudebivash Powered by: CyberDudebivash Links: https://www.cyberdudebivash.com • https://cyberbivash.blogspot.com #cyberdudebivash

Executive Summary

Today’s patch-now list spans an Apple ImageIO zero-day (CVE-2025-43300), a WinRAR path-traversal zero-day (CVE-2025-8088), a Trend Micro Apex One console RCE (CVE-2025-54948 / CVE-2025-54987), the Windows Kerberos EoP “BadSuccessor” (CVE-2025-53779), a critical Docker Desktop container escape (CVE-2025-9074), and two Android/Qualcomm Adreno flaws (CVE-2025-21479 and CVE-2025-27038). The Apple, WinRAR, Trend Micro and Qualcomm items are in CISA’s KEV catalog, which means confirmed exploitation and a federal patching deadline. Microsoft’s Kerberos bug needs write access to specific dMSA attributes first, but once that prerequisite is met it ends in domain compromise. Docker Desktop’s issue lets any local container reach the Engine API on the default internal subnet. Prioritize endpoints, developer laptops, and any admin consoles reachable from outside.


1) Apple ImageIO Zero-Day — CVE-2025-43300 (Active Exploitation)

  • Impact & scope: Out-of-bounds write in ImageIO, triggered by parsing a malicious image file; Apple says it may have been used in an extremely sophisticated attack against specific targeted individuals. Affects iOS, iPadOS and macOS. Fixed in iOS 18.6.2, iPadOS 18.6.2 and 17.7.10, macOS Sequoia 15.6.1, Sonoma 14.7.8 and Ventura 13.7.8. (Sources: TechRadar, Dark Reading)
  • Government urgency: CISA added it to KEV and set an agency patch deadline (federal). CISA

Mitigation & patching: Update all Apple devices to those builds today and verify the installed build through MDM. “Blocking” image rendering is not practical, since ImageIO is the system parser used by Messages, Mail, Safari and most third-party apps, so the patch is the only real fix. Roll out mobile-first for execs, journalists and field staff.

Hunting ideas (macOS/iOS MDM/EDR):

  • Flag crashes or memory-fault reports in image-handling processes (Messages, Mail, Preview, WhatsApp, Signal) that follow receipt of an image from an untrusted sender; on macOS these land in ~/Library/Logs/DiagnosticReports, on iOS under Settings > Privacy & Security > Analytics & Improvements > Analytics Data.
  • Look for repeated delivery of rare or malformed image types (unusual container formats, oversized metadata) into the iMessage/WhatsApp/Signal sandboxes.

2) Docker Desktop Container Escape — CVE-2025-9074 (Critical)

  • Impact & scope: Linux containers running under Docker Desktop (Windows and macOS; Docker Engine on native Linux hosts is not affected) can reach the unauthenticated Docker Engine API at 192.168.65.7:2375 on Docker Desktop’s internal subnet, even with Enhanced Container Isolation (ECI) enabled and without the daemon being exposed on localhost. A malicious or compromised container can use that API to create new containers, including ones that bind-mount the host filesystem, and so read or write host files. Fixed in Docker Desktop 4.44.3. (Sources: NVD, Docker Documentation, heise online)

Mitigation & patching: Upgrade Docker Desktop to 4.44.3 or later immediately. No legitimate workload needs to reach 192.168.65.7:2375, so until the fleet is patched treat any container connection to that endpoint as hostile and audit for unexpected API calls to :2375.

Hunting ideas (dev laptops/WSL):

  • Network detections for any container traffic to 192.168.65.7:2375 (the Docker Desktop VM’s internal address; containers should never talk to the Engine API).
  • Docker Engine create/start events for containers nobody launched, especially ones with host bind mounts, shortly after another container starts.
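The two hunting ideas above combined into one runnable rule, as an added example that is not part of the original post or of Docker’s own tooling. It assumes a collector that normalises container flow records and `docker events` output into one JSON object per line with an ISO-8601 `ts` field (a constructed schema; real `docker events --format '{{json .}}'` carries an epoch `time` instead). Any contact with 192.168.65.7:2375 is alerted on its own; a container `create` event inside the window after first contact raises the alert to critical, because that is the container-spawning step of the escape.

```python
"""Added example (not from the original post or from Docker): flag containers that reach
the Docker Desktop Engine API at 192.168.65.7:2375 and correlate that with engine 'create'
events that follow within a short window."""
import json
from datetime import datetime, timedelta

# Endpoint named in the advisory; no workload has a legitimate reason to reach it.
ENGINE_API = ("192.168.65.7", 2375)
WINDOW = timedelta(minutes=2)   # assumed correlation window; tune to your fleet

# Constructed sample telemetry (assumed schema: one JSON object per line, ISO-8601 UTC "ts").
# Engine records mirror the Type/Action/Actor.Attributes.name layout of `docker events`.
FLOW_LOG = """
{"ts":"2025-08-25T09:00:01+00:00","container":"ci-runner","dst":"142.250.1.1","dport":443}
{"ts":"2025-08-25T09:00:05+00:00","container":"build-7f3a","dst":"192.168.65.7","dport":2375}
{"ts":"2025-08-25T09:00:09+00:00","container":"build-7f3a","dst":"192.168.65.7","dport":2375}
""".strip()

ENGINE_EVENTS = """
{"ts":"2025-08-25T08:55:00+00:00","Type":"container","Action":"start","Actor":{"Attributes":{"name":"build-7f3a"}}}
{"ts":"2025-08-25T09:00:07+00:00","Type":"container","Action":"create","Actor":{"Attributes":{"name":"pwn","image":"alpine"}}}
{"ts":"2025-08-25T09:00:08+00:00","Type":"container","Action":"start","Actor":{"Attributes":{"name":"pwn"}}}
""".strip()


def _records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def api_contacts(flow_text):
    """Map container name -> time of its first connection to the Engine API endpoint."""
    first = {}
    for rec in _records(flow_text):
        if (rec["dst"], rec["dport"]) == ENGINE_API:
            t = _ts(rec)
            name = rec["container"]
            if name not in first or t < first[name]:
                first[name] = t
    return first


def correlate(flow_text, event_text, window=WINDOW):
    """One alert per offending container. Contact with :2375 alone is 'high'; an engine
    'create' event within `window` after first contact makes it 'critical'."""
    events = _records(event_text)
    alerts = []
    for name, t0 in sorted(api_contacts(flow_text).items(), key=lambda kv: kv[1]):
        spawned = [
            e["Actor"]["Attributes"]["name"]
            for e in events
            if e.get("Type") == "container" and e.get("Action") == "create"
            and t0 <= _ts(e) <= t0 + window
        ]
        alerts.append({
            "container": name,
            "first_api_contact": t0.isoformat(),
            "spawned_after": spawned,
            "severity": "critical" if spawned else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(FLOW_LOG, ENGINE_EVENTS):
        print(json.dumps(alert))
```

On the constructed input only `build-7f3a` touches the API, and the `pwn` container created two seconds later promotes the alert to critical; the earlier `start` of `build-7f3a` itself is outside the window and ignored.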

3) WinRAR Zero-Day — CVE-2025-8088 (Path Traversal → RCE)

  • Impact & scope: A crafted archive abuses a path-traversal flaw during extraction to write files outside the chosen output directory, for example an executable into a Startup folder, which then runs at the user’s next logon. Exploited in the wild in phishing campaigns attributed to RomCom. Fixed in WinRAR 7.13; CISA KEV lists the issue. (Sources: NVD, NHS England Digital, win-rar.com, CISA)

Mitigation & patching: Update WinRAR and the bundled rar.exe/UnRAR command-line tools to 7.13 on every Windows endpoint and server where they exist; WinRAR has no auto-update, so push the new installer through your software deployment tooling. Block execution from both Startup folders: %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup (all users) and %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (per user).

Hunting ideas (Windows):

  • File-creation alerts for executables, scripts or shortcuts written into either Startup folder by WinRAR.exe, rar.exe or UnRAR.exe during extraction.
  • Logon-time execution: the dropped file runs at the next sign-in with explorer.exe as its parent, not WinRAR.exe, so also hunt for new Startup-folder binaries launched by explorer.exe. A WinRAR.exe → cmd.exe/powershell.exe lineage is still worth alerting on, but it will miss this mechanism.
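The two hunts above as one rule over Sysmon-style telemetry, added here as an example; it is not code from the original post or from RARLAB. The events are constructed and use Sysmon field names (Event ID 11 FileCreate, Event ID 1 ProcessCreate); the file names, user and paths are illustrative. The rule keys on the file write into a Startup folder and then on that same file being executed later, rather than on a WinRAR child process.

```python
"""Added example (not from the original post): hunt Sysmon-style telemetry for the
CVE-2025-8088 pattern, an archiver writing a runnable file into a Startup folder, and
for that file being launched at the next logon."""
import ntpath
import re

# Both Startup folders Windows consults at logon; NTFS paths arrive in mixed case.
STARTUP_RE = re.compile(
    r"^(?:[a-z]:\\programdata|[a-z]:\\users\\[^\\]+\\appdata\\roaming)"
    r"\\microsoft\\windows\\start menu\\programs\\startup\\",
    re.IGNORECASE,
)
# WinRAR GUI plus its command-line tools; image names are compared case-insensitively.
ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe"}
# Extensions explorer.exe will run from a Startup folder (assumed list; extend to taste).
RUNNABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk"}

# Constructed sample events in Sysmon's field names: EventID 11 = FileCreate, 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2025-08-25 09:12:01.101", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\invoice.pdf"},
    {"EventID": 11, "UtcTime": "2025-08-25 09:12:01.204", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe"},
    {"EventID": 11, "UtcTime": "2025-08-25 09:12:02.017", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\report.lnk"},
    {"EventID": 11, "UtcTime": "2025-08-25 09:13:00.000", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk"},
    {"EventID": 1, "UtcTime": "2025-08-26 08:01:10.512", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe",
     "CommandLine": '"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.exe"'},
]


def in_startup(path):
    """True when the path sits in the all-users or a per-user Startup folder."""
    return bool(STARTUP_RE.match(path))


def is_runnable(path):
    # ntpath handles backslash paths correctly even when this runs on Linux.
    return ntpath.splitext(path)[1].lower() in RUNNABLE


def archiver_drops(events):
    """FileCreate events where a WinRAR binary wrote a runnable file into a Startup folder."""
    return [
        e["TargetFilename"] for e in events
        if e["EventID"] == 11
        and ntpath.basename(e["Image"]).lower() in ARCHIVERS
        and in_startup(e["TargetFilename"])
        and is_runnable(e["TargetFilename"])
    ]


def logon_executions(events, dropped):
    """ProcessCreate events that launch one of the dropped files, with their parent image.
    The parent is explorer.exe at logon, not WinRAR.exe, which is why lineage alone misses it."""
    wanted = {p.lower() for p in dropped}
    return [
        (e["Image"], e.get("ParentImage", ""))
        for e in events
        if e["EventID"] == 1 and e["Image"].lower() in wanted
    ]


def hunt(events):
    dropped = archiver_drops(events)
    return {"dropped": dropped, "executed": logon_executions(events, dropped)}


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_EVENTS).items():
        print(key, value)
```

The benign `Teams.lnk` written by explorer.exe and the `invoice.pdf` decoy are ignored; `Updater.exe` and `report.lnk` are flagged at write time, and the next-day launch of `Updater.exe` under explorer.exe is the confirmation that the persistence actually fired.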

4) Trend Micro Apex One (On-Prem) Console RCE — CVE-2025-54948 / 54987 (Pre-auth, Actively Exploited)

  • Impact & scope: Pre-authentication OS command injection in the on-premise Apex One management console (default ports 8080 HTTP / 4343 HTTPS); CVE-2025-54987 is the same flaw for a different CPU architecture. Trend Micro reported at least one in-the-wild exploitation attempt; CISA added CVE-2025-54948 to KEV. Trend Micro first shipped a temporary fix tool (which disables the console’s Remote Install Agent function) and later a full patch; Apex One as a Service was mitigated on the backend. (Sources: success.trendmicro.com, CISA, threatprotect.qualys.com)

Mitigation & patching:

  • Apply Trend Micro’s latest patch, or the interim fix tool if you cannot patch yet; if the console is internet-exposed, remove the exposure immediately or apply strict IP allowlists. (Sources: success.trendmicro.com, Tenable)
  • Rotate console credentials and check server integrity if compromise is suspected; a console RCE also puts every agent that console manages at risk.

Hunting ideas (network & server):

  • Look for suspicious POSTs to console endpoints on 8080/4343 followed by the web-server process spawning a shell or script host (cmd.exe, sh, powershell.exe).
  • Retro-hunt web logs for anomalous parameters indicative of command injection (shell metacharacters such as ;, |, &&, $( in URL-decoded values) and for console requests from addresses outside your admin ranges.
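A retro-hunt over console access logs, added here as an example and not code from the original post or from Trend Micro. It assumes the console web server writes Apache combined-format logs (an assumption; match the regex to your format) and that admin traffic comes from a known range. The log lines are constructed, and the handler names in them are illustrative: the page does not name the vulnerable endpoint and neither does this script. Two rules fire: a POST to a console path from a non-admin address, and shell metacharacters in the URL-decoded query.

```python
"""Added example (not from the original post or Trend Micro): triage web-server access logs
from an Apex One console for POSTs from unexpected sources and for command-injection-style
metacharacters in decoded query strings."""
import re
from urllib.parse import unquote_plus, urlsplit

CONSOLE_PREFIX = "/officescan/console"   # console path root used in the advisory
ADMIN_NETS = ("10.0.5.",)                # constructed allowlist; prefix match, use ipaddress in prod
# Sequences that terminate one command or start another in cmd.exe / sh, checked after decoding.
META_RE = re.compile(r"[;|`\r\n]|&&|\$\(")
# Apache combined format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log; EXAMPLE_HANDLER is a placeholder, not a real console endpoint.
ACCESS_LOG = """
10.0.5.21 - - [25/Aug/2025:10:01:12 +0530] "POST /officescan/console/html/cgi/login_example.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.44 - - [25/Aug/2025:10:02:03 +0530] "POST /officescan/console/html/cgi/login_example.cgi HTTP/1.1" 200 233 "-" "python-requests/2.31"
203.0.113.44 - - [25/Aug/2025:10:02:05 +0530] "GET /officescan/console/html/cgi/EXAMPLE_HANDLER?host=srv01%3Bpowershell+-enc+AAAA HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.5.21 - - [25/Aug/2025:10:03:00 +0530] "GET /officescan/console/html/images/logo.png HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Aug/2025:10:04:00 +0530] "GET /index.html HTTP/1.1" 404 0 "-" "curl/8.0"
""".strip()


def is_admin_source(ip):
    return ip.startswith(ADMIN_NETS)


def triage(log_text):
    """Return one finding per (line, rule) for requests under the console path."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparseable line; count these separately in prod
        url = urlsplit(m["target"])
        if not url.path.startswith(CONSOLE_PREFIX):
            continue
        decoded = unquote_plus(url.query)  # decode before matching so %3B is seen as ';'
        base = {
            "line": n, "ip": m["ip"], "method": m["method"], "path": url.path,
            "decoded_query": decoded, "ua": m["ua"],
        }
        if m["method"] == "POST" and not is_admin_source(m["ip"]):
            findings.append({**base, "reason": "console POST from non-admin address"})
        if META_RE.search(decoded):
            findings.append({**base, "reason": "shell metacharacters in query"})
    return findings


if __name__ == "__main__":
    for f in triage(ACCESS_LOG):
        print(f["line"], f["ip"], f["reason"], f["path"], f["decoded_query"])
```

Decoding before matching matters: the `%3B` in the third line only becomes a `;` after `unquote_plus`, which is exactly where a raw-string grep misses. Bodies of POST requests are not in an access log, so pair this with the web server’s request logging or a WAF if you need body-level detection.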

5) Windows Kerberos “BadSuccessor” EoP — CVE-2025-53779 (Patch Tuesday)

  • Impact & scope: Classified by Microsoft as a relative path traversal in Windows Kerberos; in practice it is the delegated Managed Service Account (dMSA) abuse published as BadSuccessor. An authenticated attacker who can create a dMSA and write msDS-GroupMSAMembership and msDS-ManagedAccountPrecededByLink on it can make the dMSA “succeed” a privileged account and inherit its rights, up to domain admin / forest compromise. dMSAs only exist in forests with Windows Server 2025 domain controllers. Patched on Aug 12, 2025. (Sources: NVD, Qualys, Rapid7)

Mitigation & patching: Deploy the August 2025 cumulative update to all Windows Server 2025 domain controllers and to supported clients; forests without a Server 2025 DC cannot have dMSAs and are not exposed, but should patch anyway. Validate existing dMSA delegations, restrict who holds CreateChild on OUs (the right needed to create dMSA objects), and restrict who can write the two attributes above. (Source: Qualys)

Hunting ideas (AD/SIEM):

  • Change-monitoring (Security event 5136, which needs Directory Service Changes auditing and a SACL on the OUs) for writes to msDS-GroupMSAMembership and msDS-ManagedAccountPrecededByLink, plus event 5137 for new msDS-DelegatedManagedServiceAccount objects created outside your provisioning process.
  • Detect abnormal service-account behaviour tied to managed service accounts after Patch Tuesday: a dMSA obtaining tickets that carry a privileged user’s identity, or authenticating from workstations.

6) Android/Qualcomm Adreno — CVE-2025-21479 & 27038 (Exploited in the Wild)

  • Impact & scope: Two Qualcomm Adreno GPU driver flaws, an incorrect-authorization bug (CVE-2025-21479) and a use-after-free (CVE-2025-27038), with confirmed limited, targeted exploitation; CISA added both to KEV in June 2025. The fixes are carried in the August 2025 Android Security Bulletin (patch levels 2025-08-01 / 2025-08-05). Rollouts vary by OEM; Pixel devices get them first. (Sources: Android Open Source Project, BleepingComputer)

Mitigation & patching: Update Android devices to the 2025-08-05 patch level. For MDM fleets, make that patch level a compliance requirement so devices that have not updated lose access to corporate resources, and block sideloading until updates are applied. (Source: Android Open Source Project)


Patch-Now Priority Matrix (today)

  1. Critical – Internet-exposed / common user workflows
    • Apple CVE-2025-43300 (all iOS/iPadOS/macOS users); active exploitation and KEV listing. CISA
    • WinRAR CVE-2025-8088 (widespread on Windows endpoints; phishing delivery vector). NVD
    • Docker Desktop CVE-2025-9074 (developer fleets; leads to host access). Docker Documentation
  2. High – Admin/infra
    • Trend Micro Apex One CVE-2025-54948/54987 (admin console RCE; KEV). CISA
    • Windows Kerberos CVE-2025-53779 (pre-reqs needed but high blast radius in AD). NVD
  3. High – Mobile fleets
    • Android/Qualcomm CVE-2025-21479 and CVE-2025-27038 (confirmed exploitation; OEM rollouts ongoing). BleepingComputer

Blue-Team Playbook: Quick Detections (drop-in ideas)

Adapt to your SIEM/EDR syntax; these are starting points.

  • WinRAR startup-drop: Alert on file creations in any Startup directory by WinRAR.exe or unarchivers within ±2 minutes of archive extraction. (Maps to ATT&CK T1204/T1059/T1547.) NVD
  • Apex One console probing: Spike in POSTs to /officescan/console or equivalent admin paths on :8080/:4343, followed by shell/PowerShell child processes. (T1190/T1059.) success.trendmicro.com
  • Kerberos dMSA abuse: Audit writes to msDS-GroupMSAMembership and msDS-ManagedAccountPrecededByLink plus privilege escalations from managed service accounts. (T1098/T1068.) Rapid7
  • Docker Desktop escape: Any container initiating TCP to 192.168.65.7:2375; alert on Docker Engine spawning unexpected containers soon after. (T1611/T1610.) Docker Documentation
  • Apple ImageIO exploitation: Crash clusters tied to image parsing followed by persistence attempts (profiles/launch agents). (T1203/T1543.) Dark Reading

Tactical Remediation Checklist (today)

  • Apple: Push iOS/iPadOS/macOS updates org-wide; re-check high-risk users (journalists, execs). TechRadar
  • WinRAR: Upgrade to 7.13, including any rar.exe/UnRAR copies bundled with other tools; block execution from both Startup folders via AppLocker/WDAC. win-rar.com
  • Trend Micro Apex One: Patch or apply official mitigation; remove consoles from the internet; rotate credentials; review logs from Aug 1 onward. success.trendmicro.com
  • Windows/AD: Roll out Aug Patch Tuesday; verify DC health; harden dMSA attribute permissions. Qualys
  • Docker Desktop: Update to 4.44.3+; alert on traffic to 192.168.65.7:2375; review dev laptops for unauthorized containers. Docker Documentation
  • Android: Enforce 2025-08-05 patch level on corporate Android fleet; prioritize Pixel devices first, then OEMs. Android Open Source Project

References & Further Reading


Call-to-Action (brand)

This report is part of our CyberDudeBivash Daily Threat Intel initiative. For tailored patch plans, SOC hunts, and high-signal detections, stay tuned on CyberDudeBivash (site + LinkedIn) and subscribe to our newsletter.

Suggested hashtags:

#cyberdudebivash #cybersecurity #CVE #threatintel #infosec #patchtuesday #zeroday #WinRAR #Docker #Kerberos #Apple #Android #EndpointSecurity #BlueTeam #DFIR
