At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
Researchers Uncover EvilAI Targeting Key Sectors
Researchers have identified EvilAI, a malware campaign masquerading as legitimate AI or productivity tools. By using realistic interfaces and valid digital signatures, it effectively evades detection. Operating globally, with the heaviest impact in Europe, the Americas, and the AMEA region, EvilAI primarily targets sectors such as manufacturing, government, and healthcare. Once installed, EvilAI steals browser data and maintains AES-encrypted communications with command-and-control servers to receive instructions and deliver additional malicious payloads.
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to mitigate vulnerability exploits.
- Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
- Monitor your network for abnormal behaviors and Indicators of Compromise (IOCs).
Microsoft Patches AI Command Injection Flaw in VS Code
Microsoft has released 1 security fix, rated High severity.
The update addresses the following CVE:
[High] CVE-2025-55319 (Visual Studio Code):
An AI command injection vulnerability in Agentic AI and Visual Studio Code could allow an unauthorized attacker to execute code remotely over a network.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Cisco Fixes High-Severity IOS XR Vulnerability
Cisco has released 3 security fixes: 1 High, 2 Medium.
- High – CVE-2025-20340: ARP flaw in IOS XR could allow an adjacent attacker to trigger a DoS via a broadcast storm.
- Medium – CVE-2025-20248: Installation process flaw may allow local, privileged attackers to load unsigned software.
- Medium – CVE-2025-20159: ACL issue may let remote attackers bypass restrictions on SSH, NETCONF, and gRPC.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Google Patches Critical Chrome Vulnerabilities
Google has released security updates for Chrome on Windows, Mac, and Linux, addressing two high-impact vulnerabilities. The updates bring Chrome to versions 140.0.7339.127/.128 (Windows), 140.0.7339.132/.133 (Mac), and 140.0.7339.127 (Linux).
- CVE-2025-10200: A use-after-free vulnerability in the ServiceWorker component could allow arbitrary code execution or privilege escalation.
- CVE-2025-10201: A high-severity flaw in Chrome’s Mojo IPC framework could enable sandbox escape or browser crashes.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Fortinet Addresses Security Flaws in FortiDDoS-F and FortiWeb
Fortinet has released 2 Medium-severity fixes addressing the following CVEs:
- CVE-2024-45325 (FortiDDoS-F): OS command injection vulnerability in versions 7.0.0–7.0.2 and <6.6.3 may allow privileged attackers to execute unauthorized code or commands via crafted CLI requests.
- CVE-2025-53609 (FortiWeb): Path traversal flaw in versions 7.6.0–7.6.4, 7.4.0–7.4.8, 7.2.0–7.2.11, 7.0.2–7.0.11 may allow authenticated attackers to read arbitrary files on the system.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
SAP Resolves Key Security Issues Across Platforms
SAP has released 21 new Security Notes and 4 updates, including 4 critical issues that require urgent patching:
- CVE-2025-42944 (CVSS 10.0): Insecure deserialization in NetWeaver RMI-P4 enables unauthenticated remote code execution (RCE).
- CVE-2025-42922 (CVSS 9.9): Insecure file upload in NetWeaver AS Java allows authenticated users to execute arbitrary files.
- CVE-2023-27500 (CVSS 9.6): Directory traversal in NetWeaver ABAP (Advanced Business Application Programming) allows non-admins to overwrite OS files, causing a denial of service (DoS).
- CVE-2025-42958 (CVSS 9.1): Missing authentication in NetWeaver on IBM i-series allows unauthorized access to sensitive data and functions.
RECOMMENDATIONS
- Ensure all systems are patched and updated.
Security Experts Identify Sophisticated Ransomware Threat
Researchers have uncovered a new ransomware campaign linked to The Gentlemen, a previously unknown and emerging threat group. This group quickly showcased advanced tactics by systematically compromising enterprise networks. During the campaign, the attackers adapted their tools, shifting from generic anti-virus evasion tools to customized variants. They used sophisticated techniques like exploiting legitimate drivers to bypass security, abusing Group Policy Objects (GPO) for wide-scale domain compromise, and deploying custom tools to disable security solutions. Their operational security measures included encrypting stolen data with WinSCP for exfiltration and maintaining persistent access via AnyDesk and modified registry settings.
RECOMMENDATIONS
- Apply the principle of least privilege to minimize access to sensitive systems and data.
- Enforce Multi-Factor Authentication (MFA) for all accounts, especially administrative ones.
- Regularly patch and update internet-facing systems to mitigate vulnerability exploits.
- Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
- Monitor your network for abnormal behaviors and Indicators of Compromise (IOCs).
References
https://www.trendmicro.com/en_ae/research/25/i/evilai.html
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55319
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xrsig-UY4zRUCG
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-arp-storm-EjUU55yM
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-acl-packetio-Swjhhbtz
https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_9.html
https://fortiguard.fortinet.com/psirt/FG-IR-24-344
https://fortiguard.fortinet.com/psirt/FG-IR-25-512
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html
https://www.trendmicro.com/en_ae/research/25/i/unmasking-the-gentlemen-ransomware.html