OT Systems: Erlang/OTP RCE Exploitation, CISA Security Guidance, and Dragos Financial Risk Report; Patch Tuesday: Microsoft, Adobe, SAP, Intel, and Google

On August 11, 2025, Researchers from Palo Alto Networks (PAN) published a blog post on their observation of attacks exploiting a maximum-severity flaw discovered and patched in April 2025, which affects the Erlang programming language's Open Telecom Platform (OTP) libraries before versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. CVE-2025-32433, CVSS score 10.0, allows a malicious actor to gain unauthorized access to a system and execute arbitrary commands without valid credentials, by exploiting improper state enforcement by the secure shell (SSH) daemon. PAN notes, "OT and 5G environments use Erlang/OTP due to its fault-tolerance and scalability for high availability systems with minimal downtime," and remote commands are often executed through the native SSH implementation. While the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalog on June 9, PAN's observation of attacks beginning May 1 is the first public report of exploitation attempts. PAN saw that the education industry was hit hardest, and OT firewalls in healthcare, agriculture, media and entertainment, and high technology were "disproportionately affected." While utilities and energy, mining and aerospace, and defense sectors did not return detections, PAN analyzes this not as safety but "as potential evidence of detection weakness or delayed targeting." PAN provides analysis of the payloads, vulnerable attack surface, and distribution of exploitation attempts by geography, timing, industry, and correlation with OT firewalls, noting that "a significant number of OT firewalls are exposed to the internet." The researchers recommend applying current security patches, updating signatures in intrusion prevention systems, and monitoring environments closely, possibly also disabling the SSH server or restricting access with firewall rules if patching is not immediately possible.

The US Cybersecurity and Infrastructure Security Agency (CISA), along with several other US federal agencies and cybersecurity agencies in Australia, Canada, Germany, the Netherlands, and New Zealand, has published Operational Technology (OT) asset cybersecurity guidance for owners and operators. CISA writes, "This guidance ... provide[s] ... a systematic approach for creating and maintaining an OT asset inventory and supplemental taxonomy—essential for identifying and securing critical assets, reducing the risk of cybersecurity incidents, and ensuring the continuity of the organization's mission and services." Attacks against OT systems have been on the rise: in 2024, Dragos observed an 87 percent increase in "ransomware attacks against industrial organizations" over the previous year. And a new report from Dragos and the Marsh McLennan’s Cyber Risk Intelligence Center estimates "that indirect losses — often unaccounted for in traditional models — impact up to 70% of OT-related breaches, with worst-case scenarios estimating as much as $329.5 billion in global financial risk."

On Tuesday, August 12, Microsoft released updates to address more than 100 vulnerabilities across their product lines. Of those, more than a dozen are rated critical. A moderate-severity privilege elevation vulnerability in the Windows Kerberos network authentication protocol (CVE-2025-53779) was previously publicly known. Adobe also released multiple updates this week to address nearly 70 vulnerabilities in Adobe Commerce, Illustrator, Photoshop, Animate, InDesign, InCopy and other products. Other vendors issuing updates this week include SAP (19 security notes, including three critical flaws affecting the SAP S/4 HANA ERP system); Intel (34 advisories addressing more than 60 vulnerabilities); and Google (updates for Android to address a pair of actively exploited Qualcomm vulnerabilities).

The State of New York's Attorney General is suing Zelle parent company Early Warning Services, LLC (EWS), over alleged poor cybersecurity in the electronic payment app that led to fraud. Over the last decade, electronic payment apps began to take a noticeable bite out of consumer transactions that had once been the purview of banks. According to the complaint, "Defendant Early Warning Services, LLC, or EWS, an entity created by a group of the largest banks in the United States, was called upon to address this competitive threat. EWS developed Zelle, a service that provided banks’ customers with access to a new, instant-payment network, referred to herein as the Zelle network. EWS hurried Zelle to market in an effort to fend off increasing competition from Venmo, Paypal, and newer entrants like Cash App." Zelle was launched in June 2017. Access to the Zelle network was easy, requiring only an email address or mobile number and a bank account or debit card number. Zelle allowed users to sign up multiple times, and to link multiple mobile numbers and email addresses to accounts. At some financial institutions, Zelle was automatically integrated into offered mobile and online banking services. By the beginning of 2019, it was evident that Zelle fraud was a problem. In mid 2019, "EWS ... developed and proposed a suite of modest, yet critical, security enhancements and changes to the rules governing the Zelle network that, working in combination, would reduce fraud over the Zelle network," but these were abandoned. This decision, combined with lax enforcement and knowing violations of banks' network rules, "caused catastrophic harm to millions of consumers." EWS finally adopted the security measures in 2023, and the effect was "immediate and immense": a significant decrease in fraudulent transactions on the Zelle network. The complaint alleges that EWS adopted the measures in 2023 "in response to outside pressure from the Senate and the Consumer Financial Protection Bureau." The lawsuit seeks restitution and damages for six years of EWS failing to take adequate steps to prevent fraudulent transactions on Zelle. During that time, more than $1 billion was stolen from consumers through the app.

On August 12, 2025, Fortinet published a security advisory urging users to patch FortiSIEM (Security Information and Event Management) to fix a critical vulnerability affecting FortiSIEM versions 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3, and before 6.7.9. CVE-2025-25256, CVSS score 9.8, allows an unauthenticated attacker to execute unauthorized code or commands using crafted command-line interface requests, due to improper neutralization of special elements used in an OS command. Practical exploit code that does not appear to produce distinctive indicators of compromise has been found in the wild, but Fortinet does not mention active exploitation. Researchers at GreyNoise observed a sudden high volume of brute-force traffic targeting Fortinet SSL VPNs on August 3, 2025, noting that research shows "spikes like this often precede the disclosure of new vulnerabilities affecting the same vendor." Fortinet customers must upgrade to a fixed version, with a possible workaround of limiting access to the phMonitor port (7900).

Both Zoom and Xerox have released security bulletins addressing vulnerabilities in their products, with one critical flaw each. Zoom's flaws affect Zoom clients for Windows including versions of Zoom Workplace, Zoom Workplace VDI, Zoom Rooms, Zoom Rooms Controller, and Zoom Meeting SDK. CVE-2025-49457, CVSS score 9.6, allows an unauthenticated user to escalate privileges via network access due to an untrusted search path. CVE-2025-49456, CVSS score 6.2, allows an unauthenticated user to impact application integrity via local access due to a race condition in the installer. The former was reported by Zoom Offensive Security, and the latter by sim0nsecurity. Xerox's flaws affect FreeFlow Core before version 8.05. CVE-2025-8356, CVSS score 9.8, allows an unauthorized attacker to run arbitrary commands on the system due to a path traversal vulnerability that allows unauthorized access to files on the server. CVE-2025-8355, CVSS score 7.5, allows an attacker to cause a Server-Side Request Forgery (SSRF) by crafting a malicious XML containing references to internal URLS, due to improper handling of XML input that allows external entity injection. Both Xerox flaws were discovered and disclosed to Xerox by Jim Sebree from Horizon3.ai in late June 2025, and patches were released on August 8. Users of both companies' products should update to the latest available software versions.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two flaws to its Known Exploited Vulnerabilities (KEV) catalog, both in N-able's network management platform N-central before version 2025.3.1. Both flaws carry CVSS score 9.4: CVE-2025-8875 allows local execution of code due to deserialization of untrusted data, and CVE-2025-8876 allows OS command injection due to improper input validation. N-able's security update, published the same day as CISA's alert, notes that the vulnerabilities require authentication to exploit. In statements to news sources, N-able confirmed that exploitation took place "in a limited number of on-premises environments," with no evidence of exploitation in cloud environments. CISA requires Federal Civilian Executive Branch (FCEB) agencies to update to N-central 2025.3.1 by August 20, and urges all organizations to patch immediately, warning that "these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."

Italy's Agenzia per l'Italia Digitale (AGID) says cyber threat actors have been targeting hotels in that country through their booking systems, stealing data and offering it for sale. At least 10 hotels have been affected by the campaign; the compromised data are high-resolution scans of documents, such as passports, which were provided to prove identity when checking in to the hotels. CERT-AgID "intercepted an illegal sale of identity documents stolen from hotels operating in Italy." The cache of data is believed to contain information belonging to tens of thousands of individuals. The data were stolen between June and August 2025. Italy's Data Protection Authority has launched an investigation.

CBC News obtained an internal memo indicating that Canada's House of Commons experienced a cybersecurity breach late last week. According to the communication, "a malicious actor was able to exploit a recent Microsoft vulnerability to gain unauthorized access to a database containing information used to manage computers and mobile devices." The threat actor stole or accessed non-publicly available information, including data related to House of Commons employees' work-related computers and mobile devices.