At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
Chrome-php Releases Fix for XSS Vulnerability
Chrome-php has released a security update addressing a Medium-severity vulnerability (CVE-2025-48883) in chrome-php, a PHP library for driving Chrome/Chromium in headless mode. In versions prior to 1.14.0, CSS selector expressions were not properly encoded before being embedded in the JavaScript the library evaluates in the page, so attacker-influenced selector input could break out of the selector and inject script (Cross-Site Scripting, XSS). The issue is fixed in version 1.14.0. Users who cannot upgrade should encode selectors themselves before passing them to the library; because the selector lands inside JavaScript, the encoding has to be JavaScript string encoding (escaping quotes and backslashes), not HTML entity encoding.
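The following added example (not chrome-php's code) shows why an unencoded selector is a script-injection primitive and what proper encoding changes. It assumes the driver builds a `document.querySelector(...)` expression around the selector; the function names and sample selectors are constructed for the illustration. In PHP, `json_encode` produces the same JavaScript string literal that `json.dumps` produces here.

```python
import json

# Constructed example of how a selector ends up inside JavaScript. The
# function names and the document.querySelector template are assumptions
# made for this illustration, not chrome-php's own code.

TEMPLATE_OUTSIDE = "document.querySelector()"


def build_query_selector_js(selector, encode):
    """Build the JavaScript a driver would evaluate in the page.

    encode=False mimics plain string interpolation (the pre-1.14.0 behaviour
    the advisory describes); encode=True turns the selector into a proper
    JavaScript string literal (PHP's json_encode does the same job).
    """
    literal = json.dumps(selector) if encode else '"' + selector + '"'
    return f"document.querySelector({literal})"


def code_outside_string_literals(js):
    """Return the characters of js that are not inside a double-quoted
    string literal, honouring backslash escapes inside strings."""
    out = []
    in_string = False
    i = 0
    while i < len(js):
        c = js[i]
        if in_string:
            if c == "\\":
                i += 2          # skip the escaped character
                continue
            if c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


def selector_breaks_out(js):
    """True if the selector altered the code around the string literal,
    i.e. it injected JavaScript or simply produced a syntax error."""
    return code_outside_string_literals(js) != TEMPLATE_OUTSIDE


# Constructed inputs: an injection payload and a benign selector that
# legitimately contains double quotes.
MALICIOUS_SELECTOR = '"); alert(document.cookie); //'
BENIGN_SELECTOR = 'a[href^="https://"]'

if __name__ == "__main__":
    for sel in (MALICIOUS_SELECTOR, BENIGN_SELECTOR):
        for encode in (False, True):
            js = build_query_selector_js(sel, encode)
            print(f"encode={encode!s:5} breaks_out={selector_breaks_out(js)!s:5} {js}")
```

Note that the benign selector with embedded quotes also breaks the unencoded form (it becomes a syntax error rather than an injection), which is the quickest way to confirm in your own code base whether selectors are being interpolated raw.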
RECOMMENDATIONS
- Ensure all systems are patched and updated.
VMware Releases Fix for Spring Cloud Gateway Flaw
VMware has released a security update addressing a High-severity vulnerability (CVE-2025-41235) affecting Spring Cloud Gateway Server and Spring Cloud Gateway Server MVC. The gateway forwarded X-Forwarded-For and Forwarded headers received from untrusted proxies to downstream services, so a client or untrusted intermediary could supply forged source-address and protocol values that backend services, trusting the gateway, would accept. Any IP-based access control, rate limiting, or audit logging behind the gateway that relies on those headers is affected.
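To make the trusted-proxy principle concrete, here is an added example (not Spring Cloud Gateway's code or configuration) of how a gateway should treat an inbound X-Forwarded-For header: honour it only when the connecting peer is a known proxy, walk the chain from the right to find the real client, and otherwise start a fresh chain from the peer's real address. The function name, the CIDR list and the sample addresses are assumptions for this illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed illustration of the trusted-proxy principle; the function
# names and the trusted CIDR list are assumptions for this example, not
# Spring Cloud Gateway's own configuration or code.


def _parse(addr):
    try:
        return ip_address(addr.strip())
    except ValueError:
        return None


def resolve_forwarded(remote_addr, xff_header, trusted_cidrs):
    """Decide which client address to believe and what X-Forwarded-For to
    send downstream.

    remote_addr   address of the TCP peer that connected to the gateway
    xff_header    the inbound X-Forwarded-For header, or None
    trusted_cidrs networks whose appended hops we accept as truthful
    """
    trusted = [ip_network(c) for c in trusted_cidrs]
    peer = _parse(remote_addr)

    def is_trusted(ip):
        return ip is not None and any(ip in net for net in trusted)

    # Rule 1: a header arriving from an untrusted peer is attacker-controlled.
    # Discard it and start a fresh chain from the peer's real address.
    if not is_trusted(peer):
        return {"client_ip": remote_addr, "x_forwarded_for": remote_addr, "honored": False}

    hops = [h.strip() for h in xff_header.split(",")] if xff_header else []
    parsed = [_parse(h) for h in hops]
    # Rule 2: a malformed chain is not worth trusting either.
    if any(p is None for p in parsed):
        return {"client_ip": remote_addr, "x_forwarded_for": remote_addr, "honored": False}

    # Rule 3: walk right to left; the first hop not added by a trusted proxy
    # is the client. Anything to its left was supplied by the client itself.
    client_ip = remote_addr
    for hop, ip in zip(reversed(hops), reversed(parsed)):
        if not is_trusted(ip):
            client_ip = hop
            break

    return {
        "client_ip": client_ip,
        "x_forwarded_for": ", ".join(hops + [remote_addr]),
        "honored": True,
    }


if __name__ == "__main__":
    TRUSTED = ["10.0.0.0/8"]          # constructed: the gateway's own proxy tier
    # Direct client pretending to sit behind a proxy: header discarded.
    print(resolve_forwarded("203.0.113.5", "1.2.3.4", TRUSTED))
    # Real chain: client 203.0.113.10 -> proxy 10.0.0.1 -> proxy 10.0.0.2 -> gateway,
    # with a spoofed "1.2.3.4" the client inserted itself.
    print(resolve_forwarded("10.0.0.2", "1.2.3.4, 203.0.113.10, 10.0.0.1", TRUSTED))
```

The Forwarded header (RFC 7239) needs exactly the same treatment, and the example deliberately keeps the parsing strict: bracketed IPv6 literals or addresses with ports are rejected rather than guessed at, which is the safer failure mode for a header that feeds access decisions.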
RECOMMENDATIONS
- Ensure all systems are patched and updated.
- After upgrading, restrict the proxies whose forwarded headers the gateway honours to the known addresses of your own proxy tier; X-Forwarded-For and Forwarded values arriving from any other source should be dropped or overwritten rather than passed downstream.
Threat Actors Impersonate Recruiters to Launch Targeted Spear-Phishing Attacks
A highly targeted spear-phishing operation has been observed targeting CFOs and finance executives across Europe, Africa, North America, the Middle East, and South Asia. Disguised as a recruitment offer from Rothschild & Co, the campaign used social engineering and a CAPTCHA-protected Firebase-hosted page to lure victims into downloading a malicious ZIP file. On execution, the payload installed NetBird (a legitimate WireGuard-based remote access tool) and OpenSSH, created a hidden administrator account, and enabled Remote Desktop Protocol (RDP), giving the attacker persistent, encrypted remote access. Because NetBird and OpenSSH are legitimate software, their presence alone is not a reliable signal; the combination of an unexpected remote-access installation, a new local administrator hidden from the logon screen, and a change to RDP settings on a finance user's workstation is what to hunt for.
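The post-execution behaviour described above is more reliably detected as a cluster of host changes than by any single tool name. The added example below (not from the Trellix report) correlates constructed telemetry in the shape of Windows Security event 4732 (member added to a local group), System event 7045 (service installed) and Sysmon event 13 (registry value set) per host within a time window. Hostnames, account names, the field names on the constructed events, the 30-minute window and the three-indicator threshold are all assumptions for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in the shape of Windows Security (4732),
# System (7045) and Sysmon registry value-set (13) events. Hostnames,
# account names, the 30-minute window and the 3-indicator threshold are
# assumptions made for this example.

ADMINS_SID = "S-1-5-32-544"                         # BUILTIN\Administrators
HIDE_KEY = r"\Winlogon\SpecialAccounts\UserList"    # UserList\<name> = 0 hides an account
RDP_VALUE = r"\Terminal Server\fDenyTSConnections"  # 0 = RDP connections allowed
REMOTE_ACCESS = re.compile(r"netbird|sshd|openssh", re.I)
DWORD_ZERO = "DWORD (0x00000000)"


def ev(ts, host, event_id, **fields):
    return {"ts": datetime.fromisoformat(ts), "host": host, "event_id": event_id, "fields": fields}


def classify(event):
    """Map one event to an indicator name, or None if it is not interesting."""
    eid, f = event["event_id"], event["fields"]
    target = f.get("TargetObject", "")
    if eid == 4732 and f.get("GroupSid") == ADMINS_SID:
        return "local_admin_added"
    if eid == 13 and HIDE_KEY in target and f.get("Details") == DWORD_ZERO:
        return "account_hidden_from_logon"
    if eid == 13 and target.endswith(RDP_VALUE) and f.get("Details") == DWORD_ZERO:
        return "rdp_enabled"
    if eid == 7045 and REMOTE_ACCESS.search(f.get("ServiceName", "") + " " + f.get("ImagePath", "")):
        return "remote_access_service_installed"
    return None


def detect(events, window=timedelta(minutes=30), threshold=3):
    """Alert on any host where at least `threshold` distinct indicators
    occur within `window`. Returns one alert per host."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        indicator = classify(e)
        if indicator:
            hits[e["host"]].append((e["ts"], indicator))
    alerts = []
    for host, seq in hits.items():
        for i, (start, _) in enumerate(seq):
            seen = {ind for ts, ind in seq[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts.append({"host": host, "indicators": seen})
                break
    return alerts


SAMPLE_EVENTS = [
    ev("2025-05-28T09:02:10", "FIN-LT-07", 7045, ServiceName="NetBird",
       ImagePath=r"C:\Program Files\NetBird\netbird.exe service run"),
    ev("2025-05-28T09:02:41", "FIN-LT-07", 7045, ServiceName="sshd",
       ImagePath=r"C:\Windows\System32\OpenSSH\sshd.exe"),
    ev("2025-05-28T09:03:05", "FIN-LT-07", 4732, MemberName="svcupdate", GroupSid=ADMINS_SID),
    ev("2025-05-28T09:03:07", "FIN-LT-07", 13, Details=DWORD_ZERO,
       TargetObject=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\svcupdate"),
    ev("2025-05-28T09:03:20", "FIN-LT-07", 13, Details=DWORD_ZERO,
       TargetObject=r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"),
    # A sanctioned OpenSSH install on an admin host: one indicator, no alert.
    ev("2025-05-28T11:40:00", "IT-ADMIN-02", 7045, ServiceName="sshd",
       ImagePath=r"C:\Windows\System32\OpenSSH\sshd.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], sorted(alert["indicators"]))
```

The threshold is what keeps a legitimate OpenSSH deployment from paging anyone; tune the window to how quickly your own provisioning tooling performs these steps, since an installer that does all of them in a minute looks the same to this logic as the campaign does.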
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to mitigate known vulnerability exploits.
- Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
- Monitor network and endpoint activity for abnormal behavior and known Indicators of Compromise (IOCs).
- Alert on installations of remote-access tooling (such as NetBird) and OpenSSH that are not sanctioned by IT, and audit additions to the local Administrators group and changes to RDP settings on user workstations.
Threat Group Exploits Government Site to Deploy Malware
Researchers have uncovered a sophisticated cyber-espionage campaign attributed to the state-sponsored group APT41 (also tracked as HOODOO). The operation used a compromised government website to distribute the malware, which was delivered through spear-phishing emails and LNK (Windows shortcut) files disguised as PDFs. The malware, named TOUGHPROGRESS, used Google Calendar for command-and-control, so its traffic blended with normal activity; because the channel rides on a legitimate Google service, blocking the destination is rarely practical, and detection has to focus on which processes on the endpoint are reaching Google Calendar rather than on the destination alone. The attackers primarily targeted organizations across Asia, Europe, North America, and the Middle East, focusing on sectors such as logistics, technology, media, and automotive.
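Shortcut files posing as documents are worth catching at the mail gateway or sandbox before a user double-clicks one, and the name alone is not enough: Windows Explorer never shows the `.lnk` extension, so `Report.pdf.lnk` displays as `Report.pdf` regardless of the "hide extensions" setting. The added example below (not Google's or the campaign's code) checks each member of an archive by its Shell Link header magic as well as its name. The archive contents and file names are constructed for the illustration.

```python
import io
import re
import zipfile

# Constructed example; the archive contents and file names below are made
# up for this illustration and do not reproduce the real campaign's files.

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
# A document-looking name with the real .lnk extension appended.
DOC_LURE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.lnk$", re.I)


def inspect_member(name, head):
    """Return a list of findings for one archive member given its name and
    the first bytes of its content."""
    findings = []
    if head.startswith(LNK_MAGIC):
        findings.append("lnk_by_magic")
        if not name.lower().endswith(".lnk"):
            findings.append("lnk_extension_mismatch")
        if DOC_LURE.search(name):
            findings.append("document_lure_double_extension")
    elif name.lower().endswith(".lnk"):
        findings.append("lnk_extension_without_magic")
    return findings


def scan_zip(zip_bytes):
    """Inspect every file in a ZIP held in memory; returns {name: findings}
    for members that raised any finding."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))   # the header is enough
            findings = inspect_member(info.filename, head)
            if findings:
                results[info.filename] = findings
    return results


def build_sample_zip():
    """Constructed archive: a shortcut posing as a PDF next to a real PDF
    header and a text file."""
    fake_pdf_lnk = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))  # full 76-byte header
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Shipment_Manifest_Q2.pdf.lnk", fake_pdf_lnk)
        zf.writestr("Cover_Letter.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")
        zf.writestr("readme.txt", b"see attached\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in scan_zip(build_sample_zip()).items():
        print(name, findings)
```

Reading only the first twenty bytes of each member keeps the scan cheap on large archives, and checking the magic independently of the name catches the inverse trick as well: a genuine shortcut renamed to a non-`.lnk` extension to slip past a name-only filter.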
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce Multi-Factor Authentication (MFA) on all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to reduce vulnerability risks.
- Conduct user awareness training on phishing and social engineering threats.
- Monitor your network for abnormal activity and known Indicators of Compromise (IOCs).
Fortinet Addresses Critical and Low-Severity Vulnerabilities
Fortinet has released two security updates, one critical and one low-severity. The low-severity update addresses CVE-2024-54020, a missing authorization vulnerability in FortiManager versions 7.2.0 through 7.2.1 and 7.0.0 through 7.0.7. The flaw could allow an authenticated attacker to overwrite global threat feeds using crafted update requests.
The critical update addresses CVE-2025-22252, a missing authentication for a critical function affecting FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager version 7.2.5, and FortiOS versions 7.4.4 through 7.4.6 and 7.6.0. It applies to devices configured to authenticate administrators against a remote TACACS+ server using ASCII authentication, and could let an attacker who knows the name of an existing admin account bypass authentication and gain valid admin access to the device. If you cannot patch immediately, confirm whether your devices use TACACS+ with ASCII authentication, since other authentication configurations are not affected.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Google Releases Update Fixing Chrome Vulnerabilities
Google has released Chrome 137.0.7151.55 for Linux and 137.0.7151.55/56 for Windows and Mac, addressing eight vulnerabilities in the browser: two rated high severity, five medium, and one low.
High severity vulnerabilities:
- CVE-2025-5063: Use-after-free in Compositing.
- CVE-2025-5280: Out-of-bounds write in V8.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Microsoft Patches High-Severity Vulnerability Elevating Privileges
Microsoft has released one security fix with a High severity rating for CVE-2025-47181, which affects the Microsoft Edge (Chromium-based) Updater. The vulnerability is an improper link resolution before file access ("link following") issue that allows an authorized local attacker to elevate privileges. Link-following bugs in an updater typically let a low-privileged user redirect a privileged file operation, for example through a symbolic link or junction, to a location of their choosing; the update runs silently through the Edge update mechanism, so it is worth verifying that managed endpoints have actually received it rather than assuming so.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
References
https://github.com/chrome-php/chrome/commit/34b2b8d1691f4e3940b1e1e95d388fffe81169c8
https://github.com/chrome-php/chrome/pull/691
https://github.com/chrome-php/chrome/security/advisories/GHSA-3432-fmrf-7vmh
https://spring.io/security/cve-2025-41235
https://www.trellix.com/blogs/research/cfo-spear-phishing-netbird-attack/
https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics/
https://fortiguard.fortinet.com/psirt/FG-IR-24-023
https://fortiguard.fortinet.com/psirt/FG-IR-24-472
https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_27.html
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47181