Patch Now: Privilege Escalation in MS Exchange Hybrid Deployments; RCE in ControlVault Firmware on Dell Laptops; Zero-Day RCE in Adobe Experience Manager on Java Enterprise Edition

On Wednesday, August 6, 2025, The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert concurrently with a Microsoft security advisory, both strongly recommending organizations implement Microsoft's mitigation guidance to protect on-premises Microsoft Exchange hybrid deployments from a high-severity vulnerability allowing undetected privilege escalation that could lead to "hybrid cloud and on-premises total domain compromise." CVE-2025-53786, CVSS score 8.0, "allows a cyber threat actor with administrative access to an on-premise Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations." Before the flaw was discovered, Microsoft had released a non-security hotfix update (HU) in April 2025 that was later understood to have already addressed the issue, though many systems may remain unpatched. On August 7, CISA issued Emergency Directive 25-02, requiring by August 11 that all US federal agencies fully update eligible on-premises servers and apply the April 2025 HU, transition to a dedicated Exchange hybrid application, perform credential cleanup, prepare for Microsoft Graph API transition, and disconnect any servers not eligible for the April 2025 HU. Dirk-jan Mollema of Outsider Security, who notified Microsoft of the flaw and coordinated disclosure, presented on it at Black Hat USA 2025 in an August 6 session titled "Advanced Active Directory to Entra ID Lateral Movement Techniques." Hybrid deployment means the Exchange platform is set up to integrate on-premises services with cloud-based services, and Microsoft states, "risk [of privilege escalation] arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations." Microsoft has also announced a phased strategy to drive adoption of the dedicated Exchange hybrid app by "temporarily blocking Exchange Web Services (EWS) traffic using the Exchange Online shared service principal," a change that will be permanent by October 2025. No active exploitation of this vulnerability has yet been observed.

On August 5, 2025, Cisco Talos published an overview of five flaws in the drivers and firmware for Broadcom's ControVault3 and ControlVault3 Plus chips, which are in use as hardware-based secure "vaults" of "passwords, biometric templates, and security codes within the firmware" on Dell laptops. Dell patched the flaws and published a notice about the vulnerabilities on June 13, 2025, indicating over 100 affected Dell models; Cisco Talos notes that these machines are "widely used in the cybersecurity industry, government settings and challenging environments in their Rugged version." Cisco Talos's overview identifies two possible attack scenarios exploiting these flaws: The first is "Post-compromise Pivot," in which a non-administrative user may use CV's Windows APIs to execute arbitrary code on the CV firmware, leaking key security information, potentially modifying the firmware, or leaving an "implant" allowing backdoor access to the system in the future even across Windows reinstalls. The second is a physical attack, in which an attacker pries open the laptop and connects directly to the to the board, bypassing the need for a system login or full-disk encryption password. There is not yet evidence of exploitation in the wild, but these attacks may concern industries requiring a ControlVault chip's functionality for extra login security, such as a fingerprint, smart card, or NFC token. Cisco Talos recommends users ensure CV firmware is kept up to date, disable the CV services and/or the device itself if no security peripherals are in use, potentially disable fingerprint login when the machine is unattended, and consider implementing Windows Enhanced Sign-in Security. For detecting attacks, chassis intrusion detection can be enabled in BIOS, and unexpected crashes of Windows Biometric Service or Credential Vault services found in the Windows logs might be a sign of compromise.

Adobe has released emergency updates to address a pair of zero-day vulnerabilities (CVE-2025-54253 and CVE-2025-54254) in Adobe Experience Manager (AEM) on Java Enterprise Edition (JEE). The flaws can be chained to achieve unauthenticated remote code execution on vulnerable instances of the content management / digital asset management system. Researchers from Searchlight Cyber detected the vulnerabilities, along with a third issue, and reported them to Adobe in April 2025. The third vulnerability was fixed in Adobe's July updates, but the other two were not. The researchers released proof-of-concept code for all three flaws on July 29, 90 days after their initial disclosure, as explained in their disclosure policy. Adobe urges users to update AEM on JEE to the newest version available.

After investigating "recent cyber activity involving Gen 7 and newer firewalls with SSLVPN enabled," SonicWall says with "high confidence" that the activity is not related to a zero-day vulnerability, as some has speculated, but instead is related to a known vulnerability (CVE-2024-40766) that the company addressed in an advisory last year. Researchers from several cybersecurity firms, including Huntress, Arctic Wolf, and Field Effect, began taking note of the suspicious activity in mid-July, reporting that they observed SSL VPN-enabled SonicWall firewalls being targeted with Akira ransomware; at that time, it was unclear what vulnerability was being exploited. SonicWall writes that they "are currently investigating less than 40 incidents related to this cyber activity. Many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset." Their recent support notice provides updated guidance for users.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a malware analysis report for four Microsoft SharePoint vulnerabilities, three of which (CVE-2025-49704 [CWE-94: Code Injection], CVE-2025-49706 [CWE-287: Improper Authentication], and CVE-2025-53770 [CWE-502: Deserialization of Trusted Data]) were added to CISA's Known Exploited Vulnerabilities (KEV) catalog last month. The CISA document includes both YARA and SIGMA rules for the ToolShell attacks.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three older D-Link vulnerabilities to their Known Exploited Vulnerabilities (KEV) catalog. Two of the flaws (CVE-2020-25078 and CVE-2020-25079) date back to 2020; the third (CVE-2022-40799) dates back to 2022. CISA reports that threat actors are now actively exploiting these vulnerabilities in D-Link Wi-Fi cameras and video recorders. D-Link released patches for the vulnerabilities disclosed in 2020; in 2022, the company said that the affected device was approaching EoL and advised users to replace it with a newer model. In December 2024, the FBI warned that threat actors were exploiting CVE-2020-25078 to deploy the HiatusRAT remote access Trojan (RAT).

Google posted an August 5 update to a blog post originally published June 4, 2025, disclosing that one of Google's own corporate Salesforce instances has suffered a data breach after an attack similar to the one initially described. The original post observed a financially motivated threat cluster's campaign of social engineering attacks focused on IT support personnel via voice phishing, aimed specifically at breaching Salesforce instances, exfiltrating data, and conducting extortion. Google's breached instance contained "contact information and related notes for small and medium businesses," and Google believes any stolen data were limited to "basic and largely publicly available business information, such as business names and contact details." Google has not yet reported any extortion attempts following the breach but suspects the threat actor may be preparing to launch a data leak site. The blog post recommends organizations implement defensive measures against these attacks on Salesforce: adhere to the principle of least privilege, especially for data access tools; rigorously manage access to connected applications; implement IP address restrictions; leverage Salesforce Shield's Advanced Security Monitoring and Policy Enforcement; and universally enforce multifactor authentication. The post also links to Google's Salesforce Security Guide and a June 2025 technical analysis of voice phishing, or "vishing."

Cisco says that in late July, they were "made aware of an incident involving a bad actor targeting a Cisco representative through a voice phishing attack." The successful attack allowed the perpetrator "to access and export a subset of basic profile information from one instance of a third-party, cloud-based Customer Relationship Management (CRM) system that Cisco uses." The threat actor was able to access basic profile information of users who had registered with Cisco.com. Once Cisco became aware of the situation, they terminated the affected CRM instance and launched an investigation. Cisco has not identified the specific CRM system that was compromised.

On Wednesday, August 6, 2025, French telecommunications firm Bouygues Telecom disclosed that they experienced a cyberattack that compromised data associated with 6.4 million customer accounts. Bouygues plans to notify affected individuals by text message or email. The company has filed a report with France's data protection regulator (National Commission for Information Technology and Civil Liberties, or CNIL) and has notified judicial authorities. The attack on Bouygues comes just a week after another French telecommunications provider, Orange, disclosed a cybersecurity incident that targeted one of their internal systems. According to TechCrunch, "At the time of publication, Bouygues’ web page about the cyberattack contained a hidden 'noindex' tag in its source code, which instructs search engines to ignore the page, making it difficult for anyone searching the web to find the page."

DaVita has provided additional information about a cybersecurity incident they initially disclosed in an April 2025 filing with the US Securities and Exchange Commission (SEC). According to documents filed with Attorneys General in five US states, more than one million people are affected by the incident. However, DaVita operates dialysis centers in 43 states, so the actual number of affected individuals could be significantly higher. DaVita says that the incident has cost the company $13.5 million. The intruders had access to their systems between March 24, 2025 and April 12, 2025. The types of data compromised include demographic information, clinical information, and some tax information. The DaVita breach has not yet been listed in the US Department of Health and Human Services Office for Civil Rights (HHS OCR) database.