TP-Link Router Vulnerabilities Exploited by Quad7 Botnet
Summary
Two TP-Link router vulnerabilities, CVE-2023-50224 and CVE-2025-9377, are actively exploited by the Quad7 botnet. The flaws affect multiple TP-Link router models, including TL-WR841N, Archer C7(EU) V2, and TL-WR841N/ND(MS) V9, and allow authentication bypass and remote code execution. TP-Link has released firmware updates, but the affected routers have reached end-of-life (end-of-service) status and no longer receive active support. Federal agencies are urged to apply mitigations by September 24, 2025. The Quad7 botnet, linked to the China-based threat actor Storm-0940, has been conducting evasive password spray attacks. Users are advised to upgrade to newer hardware for enhanced protection.
Timeline
- 04.09.2025 13:03 · 1 article
Quad7 Botnet Exploits TP-Link Router Vulnerabilities
The Quad7 botnet, linked to the China-based threat actor Storm-0940, is actively exploiting two TP-Link router vulnerabilities, CVE-2023-50224 and CVE-2025-9377. The vulnerabilities affect multiple TP-Link router models, including TL-WR841N, Archer C7(EU) V2, and TL-WR841N/ND(MS) V9. TP-Link has released firmware updates, but the affected routers have reached end-of-life status. Federal agencies are urged to apply mitigations by September 24, 2025.
Source: CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited · thehackernews.com · 04.09.2025 13:03
Information Snippets
- CVE-2023-50224 is an authentication bypass by spoofing vulnerability in the httpd service of TP-Link TL-WR841N, which listens on TCP port 80 by default.
  First reported: 04.09.2025 13:03 · 1 source, 1 article
  Source: CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited · thehackernews.com · 04.09.2025 13:03
- CVE-2025-9377 is an operating system command injection vulnerability in TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9 that could lead to remote code execution.
  First reported: 04.09.2025 13:03 · 1 source, 1 article
  Source: CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited · thehackernews.com · 04.09.2025 13:03
- The affected router models include TL-WR841N (versions 10.0 and 11.0), TL-WR841ND (version 10.0), and Archer C7 (versions 2.0 and 3.0).
  First reported: 04.09.2025 13:03 · 1 source, 1 article
  Source: CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited · thehackernews.com · 04.09.2025 13:03
- TP-Link has released firmware updates for the vulnerabilities as of November 2024.
  First reported: 04.09.2025 13:03 · 1 source, 1 article
  Source: CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited · thehackernews.com · 04.09.2025 13:03
- The Quad7 botnet, linked to the China-based threat actor Storm-0940, is exploiting these vulnerabilities to conduct password spray attacks.
  First reported: 04.09.2025 13:03 · 1 source, 1 article
  Source: CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited · thehackernews.com · 04.09.2025 13:03
- Federal agencies are urged to apply mitigations by September 24, 2025, to secure their networks.
  First reported: 04.09.2025 13:03 · 1 source, 1 article
  Source: CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited · thehackernews.com · 04.09.2025 13:03
Similar Happenings
Phoenix Rowhammer attack bypasses DDR5 Rowhammer defenses
A new Rowhammer attack variant, called Phoenix, bypasses the latest protection mechanisms on DDR5 memory chips from SK Hynix. This attack exploits weaknesses in the Target Row Refresh (TRR) mechanism to flip bits in memory, enabling privilege escalation and unauthorized access. The attack was developed by researchers at ETH Zurich and Google, and it affects all DDR5 DIMM RAM modules produced between January 2021 and December 2024. The Phoenix attack can corrupt data, increase privileges, execute malicious code, or access sensitive data. It works by repeatedly accessing specific rows of memory cells to cause electrical interference that alters nearby bits. The attack is tracked as CVE-2025-6202 and has been assigned a high-severity score. The researchers demonstrated the attack's effectiveness by successfully flipping bits on all 15 DDR5 memory chips in their test pool, achieving root privileges in under two minutes. They also showed that the attack can break SSH authentication and alter system binaries to escalate local privileges. The researchers recommend increasing the refresh rate to 3x to mitigate the Phoenix attack.
Akira Ransomware Group Exploits SonicWall SSL VPN Flaws
The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.
Microsoft September 2025 Patch Tuesday fixes 81 vulnerabilities, including two zero-days
Microsoft released updates for 80 vulnerabilities on September 2025 Patch Tuesday. None of these vulnerabilities were zero-days. The updates address eight critical flaws, including five remote code execution vulnerabilities, one information disclosure, and two elevation of privilege vulnerabilities. The vulnerabilities span various categories: 38 elevation of privilege, 2 security feature bypass, 22 remote code execution, 14 information disclosure, 3 denial of service, and 1 spoofing. One zero-day vulnerability was fixed in Windows SMB Server. The updates also include hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing. The patch includes 38 elevation of privilege vulnerabilities, the highest number among all categories. CVE-2025-54918 is an EoP vulnerability in Windows NT LAN Manager (NTLM) marked as critical. CVE-2025-54111 and CVE-2025-54913 are EoP flaws in Windows UI XAML, allowing privilege escalation via phished credentials or malicious Microsoft Store apps. CVE-2025-55232 is an RCE vulnerability in the Microsoft High Performance Compute (HPC) Pack with a CVSS score of 9.8. CVE-2025-54916 is an RCE vulnerability in Windows NTFS that can be triggered by authenticated users. Microsoft's patch update includes recommendations for preparing for the end-of-life of Windows 10 and mandatory multifactor authentication (MFA) for Azure in October 2025.
Critical SAP NetWeaver vulnerabilities patched, including remote code execution flaw
SAP has fixed 21 vulnerabilities, including three critical flaws in its NetWeaver software. The most severe, CVE-2025-42944, is an insecure deserialization flaw allowing unauthenticated remote code execution. The second critical flaw, CVE-2025-42922, enables arbitrary file uploads by authenticated users. The third, CVE-2025-42958, allows unauthorized access to sensitive data and administrative functions. The vulnerabilities affect various SAP products, including ERP, CRM, SRM, and SCM, which are widely used in large enterprise networks. The flaws could lead to full system compromise and unauthorized data manipulation. SAP products are frequently targeted by threat actors due to their handling of mission-critical data. A high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916) could allow an attacker with high privilege access to delete the content of arbitrary database tables. A critical security defect in SAP S/4HANA (CVE-2025-42957) has come under active exploitation in the wild.
Critical SAP S/4HANA Command Injection Vulnerability Exploited
A critical command injection vulnerability in SAP S/4HANA (CVE-2025-42957) is being actively exploited in the wild. The flaw, with a CVSS score of 9.9, allows attackers with low-privileged user access to execute arbitrary ABAP code, bypass authorization checks, and fully compromise the SAP environment. This can lead to data theft, fraud, or ransomware installation. The vulnerability affects both on-premise and Private Cloud editions of SAP S/4HANA, as well as several other SAP products and versions. SecurityBridge Threat Research Labs discovered the vulnerability and reported it to SAP on June 27, 2025. The vendor fixed the vulnerability on August 11, 2025, but several systems have not applied the available security updates and are now being targeted by hackers. Exploitation activity surged dramatically after the patch was released. Organizations are advised to apply patches immediately, monitor logs for suspicious activity, and implement additional security measures.