Cyber Threat Intel – Monday Briefing
Your weekly intelligence update on top threats, vulnerabilities, and emerging actors.
August 18, 2025

Executive Summary
Last week’s cyber landscape underscored urgent patching and heightened vigilance for SMBs. Microsoft’s August Patch Tuesday (Aug 12) addressed over 107 vulnerabilities, including a Windows Kerberos zero-day (CVE-2025-53779), with 13 flaws rated Critical—prompting immediate updates to domain controllers and core infrastructure (BleepingComputer, Krebs on Security).
At the same time, a WinRAR zero-day (CVE-2025-8088) came under active exploitation by the RomCom/Storm-0978 threat group in spear-phishing campaigns, pushing malware via weaponized archives; users are urged to update to WinRAR 7.13 without delay (BleepingComputer, The Hacker News, ESET).
Adding to the pressure, active exploitation warnings emerged for both N-able N-central (CVE-2025-8875/8876) and Citrix NetScaler (CVE-2025-6543), with confirmed breaches reported—an especially severe risk to MSPs and the SMBs that depend on them.
Microsoft August Patch Tuesday
Severity – Critical
Kerberos zero-day & 13 Critical CVEs. Potential domain compromise via Kerberos EoP; numerous RCEs across the Windows stack.
Remediation: Apply August updates now; prioritize DCs.
WinRAR CVE-2025-8088 (active)
Severity – Critical
Path traversal lets archives drop files outside intended folders; used by RomCom to deploy backdoors (SnipBot, RustyClaw, Mythic)
Remediation: Upgrade to 7.13; disable auto-extract; block .rar in
N-able N-central RMM zero-days
Severity – Critical
Active attacks against MSP RMM platforms could cascade to many SMB tenants.
Remediation: Patch immediately; audit RMM accounts & tokens; monitor for anomalous push jobs.
Vulnerability Spotlight
CVE-2025-53779 — Windows Kerberos Elevation of Privilege (0-day)
Affected Systems: Windows Server / Domain environments (Kerberos)
Details: Publicly disclosed; attackers with specific attribute write access can escalate to Domain Admin. Fixed in Aug 2025 patches.
Action:
- Patch Domain Controllers immediately
- Review msds-groupMSAMembership / msds-ManagedAccountPrecededByLink ACLs
- Monitor for abnormal TGS/TGT activity
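One way to carry out the ACL review above, as an added example that is not part of the briefing: a PowerShell audit that lists ACEs on organizational units (and any existing delegated MSA objects) granting write access to the two attributes, or blanket write rights that imply it. It assumes a domain-joined host with the ActiveDirectory module; the list of expected principals is an assumption to tune per environment.

```powershell
# Added audit example (not from the briefing). Flags ACEs that let a principal
# write msDS-GroupMSAMembership / msDS-ManagedAccountPrecededByLink, or that
# grant broad rights (GenericAll, GenericWrite, WriteDacl, WriteOwner, or
# WriteProperty on all attributes) which imply the same.
Import-Module ActiveDirectory

$adr      = [System.DirectoryServices.ActiveDirectoryRights]
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrNames = 'msDS-GroupMSAMembership', 'msDS-ManagedAccountPrecededByLink'

# Resolve each attribute's schemaIDGUID so object-specific ACEs can be matched.
$attrGuids = @{}
foreach ($name in $attrNames) {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    $attrGuids[[guid]$schemaObj.schemaIDGUID] = $name
}

# Principals expected to hold these rights (assumption: adjust to your tiering model).
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins'

# Scope: every OU plus any dMSA objects that already exist.
$targets  = @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$targets += @(Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' |
              Select-Object -ExpandProperty DistinguishedName)

$findings = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($expected | Where-Object { $id -like "*$_*" }) { continue }   # skip expected admins

        $rights = $ace.ActiveDirectoryRights
        $broad = $rights.HasFlag($adr::GenericAll) -or $rights.HasFlag($adr::GenericWrite) -or
                 $rights.HasFlag($adr::WriteDacl)  -or $rights.HasFlag($adr::WriteOwner) -or
                 ($rights.HasFlag($adr::WriteProperty) -and $ace.ObjectType -eq [guid]::Empty)
        $targeted = $rights.HasFlag($adr::WriteProperty) -and $attrGuids.ContainsKey($ace.ObjectType)
        if (-not ($broad -or $targeted)) { continue }

        [pscustomobject]@{
            Object    = $dn
            Identity  = $id
            Rights    = $rights
            Attribute = if ($targeted) { $attrGuids[$ace.ObjectType] } else { 'ALL (broad right)' }
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Identity, Object | Format-Table -AutoSize
```

Each row is an ACE worth justifying or removing; inherited rows point at a parent container whose ACL should be fixed rather than the object itself.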
CVE-2025-8088 — WinRAR Path Traversal (active exploit)
Affected Systems: WinRAR < 7.13 on Windows.
Details: Publicly disclosed and under active exploitation; a path traversal flaw lets crafted archives drop files outside the intended extraction folder, which RomCom has used to deploy backdoors. Fixed in WinRAR 7.13 (Tom's Guide).
Action:
- Update to 7.13, block inbound .rar attachments, open archives in a sandbox/VM, enable application allow-listing
Threat Actor Activity
- RomCom / Storm-0978 (Russia-linked) leveraging CVE-2025-8088 via phishing themes (job applications, official documents); payloads include SnipBot, RustyClaw, Mythic. Targeting finance, manufacturing, defense, and logistics in the EU/Canada. (BleepingComputer, ESET)
- Ransomware landscape:
  - BlackSuit infrastructure dismantled by law enforcement (servers, domains, ~$1M seized); expect rebrand/regroup (reports of a Chaos spinoff). (Axios, IT Pro)
  - Akira activity remains elevated; MSP-focused claims and SonicWall-adjacent intrusion vectors reported. (IT Pro, The Hacker News)
SMB Recommendations
- Patch with urgency: Deploy Microsoft Aug 2025 updates, prioritizing Domain Controllers; reboot and verify Kerberos. (BleepingComputer)
- Eliminate WinRAR exposure: Upgrade to 7.13; temporarily block .rar at the email gateway; detonate archives in a sandbox before opening. (The Hacker News)
- Secure MSP/RMM stack: Patch N-central; enforce MFA and least privilege for RMM users, and IP-allowlist management consoles; review automated jobs for tampering. (BleepingComputer)
- Harden edge appliances: Patch/mitigate Citrix NetScaler; restrict admin interfaces; enable WAF/geo-blocking where appropriate; inspect for IOCs. (BleepingComputer)
- Backups & recovery: Verify offline/immutable backups and test restores; ensure EDR covers servers and RMM endpoints. (General best practice aligned to current ransomware activity.) (IT Pro)
- Phishing resilience: Refresh user training; flag archive attachments; disable macros and risky file associations.
About SOClogix
SOClogix specializes in providing cyber threat intelligence, 24/7 monitoring, and managed detection and response (MDR) tailored for SMBs and mid-market organizations. Our mission is to help businesses stay ahead of evolving threats with actionable intel, proactive defense, and rapid incident response. If you have questions about this week’s report—or need support addressing any of the highlighted vulnerabilities—contact the SOClogix team at 443-409-5426 or visit www.soclogix.com/contact-us.
Schedule a threat assessment with our team today!
