Cyber Threat Analysis - August 18, 2025
Patch Tuesday brings 107 vulnerabilities including a Kerberos zero-day, WinRAR under active exploitation by RomCom, and critical RMM platform breaches threatening MSP supply chains.
Executive Summary
Last week's cyber landscape underscored urgent patching and heightened vigilance for SMBs. Microsoft's August Patch Tuesday (Aug 12) addressed over 107 vulnerabilities, including a Windows Kerberos zero-day (CVE-2025-53779), with 13 flaws rated Critical - prompting immediate updates to domain controllers and core infrastructure.
At the same time, a WinRAR zero-day (CVE-2025-8088) came under active exploitation by the RomCom/Storm-0978 threat group in spear-phishing campaigns, pushing malware via weaponized archives; users are urged to update to WinRAR 7.13 without delay.
Adding to the pressure, active exploitation warnings emerged for both N-able N-central (CVE-2025-8875/8876) and Citrix NetScaler (CVE-2025-6543), with confirmed breaches reported - an especially severe risk to MSPs and the SMBs that depend on them.
This Week's Critical Alerts
Microsoft August Patch Tuesday
Potential domain compromise via Kerberos EoP; numerous RCEs across the Windows stack. Kerberos zero-day and 13 Critical CVEs patched in a single update cycle.
Remediation
Apply August 2025 updates now - prioritize Domain Controllers. Reboot and verify Kerberos is functioning normally post-patch.
WinRAR CVE-2025-8088 (active exploitation)
CVE-2025-8088Path traversal vulnerability lets archives drop files outside intended folders. Actively used by RomCom threat group to deploy backdoors including SnipBot, RustyClaw, and Mythic.
Remediation
Upgrade to WinRAR 7.13 immediately. Disable auto-extract, block inbound .rar at email gateway, and open untrusted archives only in a sandbox or VM.
N-able N-central RMM Zero-Days
CVE-2025-8875 / CVE-2025-8876Active attacks against MSP RMM platforms. A successful compromise could cascade to dozens or hundreds of SMB tenants managed through the platform.
Remediation
Patch N-central immediately. Audit all RMM accounts and API tokens, enforce MFA and least-privilege, IP-allowlist management consoles, and review automated jobs for tampering.
Vulnerability Spotlight
CVE-2025-53779
Windows Kerberos Elevation of Privilege (0-day)
Affected Systems
Windows Server / Domain environments using Kerberos
Disclosure Status
Publicly disclosed · Actively exploited
Details
Publicly disclosed zero-day. Attackers with specific attribute write access to Active Directory objects can escalate privileges all the way to Domain Admin. Microsoft addressed this in the August 2025 Patch Tuesday release. Active exploitation has been reported in targeted environments.
Required Actions
- Patch all Domain Controllers immediately - do not delay.
- Review msds-groupMSAMembership and msds-ManagedAccountPreceededByLink ACLs for unexpected write permissions.
- Monitor for abnormal TGS/TGT activity in your SIEM or EDR.
- Audit delegated permissions across your AD environment.
CVE-2025-8088
WinRAR Path Traversal (active exploitation)
Affected Systems
WinRAR versions prior to 7.13 on Windows
Disclosure Status
Publicly disclosed · Actively exploited
Details
A path traversal flaw in WinRAR allows crafted archive files to write content outside the intended extraction folder. The RomCom/Storm-0978 threat group is actively weaponizing this in spear-phishing campaigns, delivering payloads disguised as job applications, contracts, and official documents. Known payloads include SnipBot, RustyClaw, and the Mythic C2 framework.
Required Actions
- Update to WinRAR 7.13 on all endpoints - treat this as P1.
- Block inbound .rar and .zip-wrapped .rar attachments at the email gateway temporarily.
- Open any archive from an untrusted source in a sandbox or isolated VM.
- Enable application allow-listing to prevent unsigned binaries from executing.
Threat Actor Activity
RomCom / Storm-0978
Russia-linkedActively leveraging CVE-2025-8088 via phishing lures themed around job applications and official documents. Confirmed payloads include SnipBot, RustyClaw, and the Mythic C2 framework. Primary targeting: finance, manufacturing, defense, and logistics sectors in the EU and Canada.
BlackSuit Ransomware
Infrastructure DismantledLaw enforcement action dismantled BlackSuit infrastructure - servers, domains seized, approximately $1M recovered. Expect rebrand and regroup activity; reports indicate a possible Chaos ransomware spinoff. Lull in activity is temporary.
Akira Ransomware
Elevated ActivityAkira activity remains elevated with continued MSP-focused campaigns. Recent claims reference SonicWall-adjacent intrusion vectors. Organizations relying on SonicWall edge appliances should review patching and access configurations immediately.
SMB Recommendations
Patch with urgency
Deploy Microsoft August 2025 updates - prioritize Domain Controllers first. Reboot and verify Kerberos is operating normally post-patch.
BleepingComputerEliminate WinRAR exposure
Upgrade all endpoints to WinRAR 7.13. Temporarily block .rar attachments at the email gateway and detonate untrusted archives in a sandbox before opening.
The Hacker NewsSecure your MSP/RMM stack
Patch N-central immediately. Enforce MFA and least-privilege for all RMM users. IP-allowlist management consoles and review all automated jobs for signs of tampering.
BleepingComputerHarden edge appliances
Patch or mitigate Citrix NetScaler. Restrict admin interfaces to internal networks, enable WAF/geo-blocking where appropriate, and inspect for known IOCs.
BleepingComputerVerify backups and recovery
Confirm that offline or immutable backups are current and test restoration procedures. Ensure EDR coverage extends to servers and RMM endpoints.
General best practice aligned to current ransomware activityStrengthen phishing resilience
Refresh user awareness training with emphasis on archive attachments. Disable macros and risky file associations (HTA, CHM, SCR) system-wide.
Related from SOClogix
About SOClogix
SOClogix specializes in providing cyber threat intelligence, 24/7 monitoring, and managed detection and response (MDR) tailored for SMBs and mid-market organizations. Our mission is to help businesses stay ahead of evolving threats with actionable intel, proactive defense, and rapid incident response.
If you have questions about this week's report - or need support addressing any of the highlighted vulnerabilities - contact the SOClogix team or visit soclogix.com.