Skip to main content
Back to Blog
August 18, 2025Threat AdvisoryBy Matt Johnson

Cyber Threat Analysis - August 18, 2025

Patch Tuesday brings 107 vulnerabilities including a Kerberos zero-day, WinRAR under active exploitation by RomCom, and critical RMM platform breaches threatening MSP supply chains.

Executive Summary

Last week's cyber landscape underscored urgent patching and heightened vigilance for SMBs. Microsoft's August Patch Tuesday (Aug 12) addressed over 107 vulnerabilities, including a Windows Kerberos zero-day (CVE-2025-53779), with 13 flaws rated Critical - prompting immediate updates to domain controllers and core infrastructure.

At the same time, a WinRAR zero-day (CVE-2025-8088) came under active exploitation by the RomCom/Storm-0978 threat group in spear-phishing campaigns, pushing malware via weaponized archives; users are urged to update to WinRAR 7.13 without delay.

Adding to the pressure, active exploitation warnings emerged for both N-able N-central (CVE-2025-8875/8876) and Citrix NetScaler (CVE-2025-6543), with confirmed breaches reported - an especially severe risk to MSPs and the SMBs that depend on them.

This Week's Critical Alerts

Microsoft August Patch Tuesday

Critical

Potential domain compromise via Kerberos EoP; numerous RCEs across the Windows stack. Kerberos zero-day and 13 Critical CVEs patched in a single update cycle.

Remediation

Apply August 2025 updates now - prioritize Domain Controllers. Reboot and verify Kerberos is functioning normally post-patch.

WinRAR CVE-2025-8088 (active exploitation)

CVE-2025-8088
Critical

Path traversal vulnerability lets archives drop files outside intended folders. Actively used by RomCom threat group to deploy backdoors including SnipBot, RustyClaw, and Mythic.

Remediation

Upgrade to WinRAR 7.13 immediately. Disable auto-extract, block inbound .rar at email gateway, and open untrusted archives only in a sandbox or VM.

N-able N-central RMM Zero-Days

CVE-2025-8875 / CVE-2025-8876
Critical

Active attacks against MSP RMM platforms. A successful compromise could cascade to dozens or hundreds of SMB tenants managed through the platform.

Remediation

Patch N-central immediately. Audit all RMM accounts and API tokens, enforce MFA and least-privilege, IP-allowlist management consoles, and review automated jobs for tampering.

Vulnerability Spotlight

CVE-2025-53779

Windows Kerberos Elevation of Privilege (0-day)

Critical

Affected Systems

Windows Server / Domain environments using Kerberos

Disclosure Status

Publicly disclosed · Actively exploited

Details

Publicly disclosed zero-day. Attackers with specific attribute write access to Active Directory objects can escalate privileges all the way to Domain Admin. Microsoft addressed this in the August 2025 Patch Tuesday release. Active exploitation has been reported in targeted environments.

Required Actions

  • Patch all Domain Controllers immediately - do not delay.
  • Review msds-groupMSAMembership and msds-ManagedAccountPreceededByLink ACLs for unexpected write permissions.
  • Monitor for abnormal TGS/TGT activity in your SIEM or EDR.
  • Audit delegated permissions across your AD environment.

CVE-2025-8088

WinRAR Path Traversal (active exploitation)

Critical

Affected Systems

WinRAR versions prior to 7.13 on Windows

Disclosure Status

Publicly disclosed · Actively exploited

Details

A path traversal flaw in WinRAR allows crafted archive files to write content outside the intended extraction folder. The RomCom/Storm-0978 threat group is actively weaponizing this in spear-phishing campaigns, delivering payloads disguised as job applications, contracts, and official documents. Known payloads include SnipBot, RustyClaw, and the Mythic C2 framework.

Required Actions

  • Update to WinRAR 7.13 on all endpoints - treat this as P1.
  • Block inbound .rar and .zip-wrapped .rar attachments at the email gateway temporarily.
  • Open any archive from an untrusted source in a sandbox or isolated VM.
  • Enable application allow-listing to prevent unsigned binaries from executing.

Threat Actor Activity

RomCom / Storm-0978

Russia-linked

Actively leveraging CVE-2025-8088 via phishing lures themed around job applications and official documents. Confirmed payloads include SnipBot, RustyClaw, and the Mythic C2 framework. Primary targeting: finance, manufacturing, defense, and logistics sectors in the EU and Canada.

BlackSuit Ransomware

Infrastructure Dismantled

Law enforcement action dismantled BlackSuit infrastructure - servers, domains seized, approximately $1M recovered. Expect rebrand and regroup activity; reports indicate a possible Chaos ransomware spinoff. Lull in activity is temporary.

Akira Ransomware

Elevated Activity

Akira activity remains elevated with continued MSP-focused campaigns. Recent claims reference SonicWall-adjacent intrusion vectors. Organizations relying on SonicWall edge appliances should review patching and access configurations immediately.

SMB Recommendations

Patch with urgency

Deploy Microsoft August 2025 updates - prioritize Domain Controllers first. Reboot and verify Kerberos is operating normally post-patch.

BleepingComputer

Eliminate WinRAR exposure

Upgrade all endpoints to WinRAR 7.13. Temporarily block .rar attachments at the email gateway and detonate untrusted archives in a sandbox before opening.

The Hacker News

Secure your MSP/RMM stack

Patch N-central immediately. Enforce MFA and least-privilege for all RMM users. IP-allowlist management consoles and review all automated jobs for signs of tampering.

BleepingComputer

Harden edge appliances

Patch or mitigate Citrix NetScaler. Restrict admin interfaces to internal networks, enable WAF/geo-blocking where appropriate, and inspect for known IOCs.

BleepingComputer

Verify backups and recovery

Confirm that offline or immutable backups are current and test restoration procedures. Ensure EDR coverage extends to servers and RMM endpoints.

General best practice aligned to current ransomware activity

Strengthen phishing resilience

Refresh user awareness training with emphasis on archive attachments. Disable macros and risky file associations (HTA, CHM, SCR) system-wide.

About SOClogix

SOClogix specializes in providing cyber threat intelligence, 24/7 monitoring, and managed detection and response (MDR) tailored for SMBs and mid-market organizations. Our mission is to help businesses stay ahead of evolving threats with actionable intel, proactive defense, and rapid incident response.

If you have questions about this week's report - or need support addressing any of the highlighted vulnerabilities - contact the SOClogix team or visit soclogix.com.

Matt Johnson

Matt Johnson

CEO & Founder, SOClogix

Full bio →
Threat AdvisoryPatch TuesdayCVE-2025-53779CVE-2025-8088WinRARKerberosRomComRansomwareSMB Security