12 Sep 2025

Week in review

Greetings,

This week, a major phishing campaign has led to a large supply chain compromise, targeting the npm (node package manager) ecosystem. Npm is a critical registry hosting over two million reusable code packages used worldwide by developers. The incident began when attackers registered a lookalike domain, npmjs.help, and sent out emails designed to mimic official npm security communications. These emails urged developers to update their two-factor authentication (2FA) credentials. At least one prominent developer fell victim to the phishing attempt, allowing attackers to take control of his account.

With access secured, the attackers injected malicious code into at least 18 widely used npm packages, collectively downloaded 2.7 billion times per week. According to security vendor Aikido, the injected code was designed to run on client websites, silently intercepting cryptocurrency and web3 activity. The code manipulated wallet interactions and rewrote payment destinations so that funds and approvals were redirected to attacker-controlled accounts. The attack was particularly insidious because it operated without obvious signs, making detection difficult for end users.

The compromise has since been identified and cleanup efforts are underway, though researchers warn that additional developers are being targeted by the same unknown threat actor. The scale of the incident has raised significant concerns across the development community, given how widely npm packages are integrated into both small projects and large-scale enterprise systems.


Critical SAP S/4HANA vulnerability now exploited in attacks
Date: 2025-09-05
Author: Bleeping Computer

A critical SAP S/4HANA code injection vulnerability is being leveraged in attacks in the wild to breach exposed servers, researchers warn.
The flaw, tracked as CVE-2025-42957, is an ABAP code injection problem in an RFC-exposed function module of SAP S/4HANA, allowing low-privileged authenticated users to inject arbitrary code, bypass authorization, and fully take over SAP.

Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts
Date: 2025-09-10
Author: The Hacker News

[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.6320/]
Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts.
The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input validation flaw. Adobe said it's not aware of any exploits in the wild.

More npm packages poisoned, but would-be thieves get little
Date: 2025-09-09
Author: The Register

During the two-hour window on Monday in which hijacked npm versions were available for download, malware-laced packages reached one in 10 cloud environments, according to Wiz researchers. But crypto-craving crims did little more than annoy defenders.

Microsoft Patch Tuesday addresses 81 vulnerabilities, none actively exploited
Date: 2025-09-09
Author: CyberScoop

[AUSCERT has published security bulletins for these Microsoft updates]
The most severe defect disclosed this month — CVE-2025-55232 — is a deserialization of untrusted data vulnerability affecting Microsoft High Performance Compute Pack with a CVSS rating of 9.8. Microsoft said exploitation is less likely, but researchers warned organizations to prioritize patching.

Fortinet, Ivanti, Nvidia Release Security Updates
Date: 2025-09-10
Author: Security Week

[AUSCERT has published security bulletins for these Fortinet updates]
Fortinet, Ivanti, and Nvidia on Tuesday announced security updates that address over a dozen high- and medium-severity vulnerabilities across their product portfolios.
Ivanti resolved two high-severity insufficient filename validation issues in Endpoint Manager (EPM) that could be exploited remotely, without authentication, to execute arbitrary code. The exploitation of both defects, however, requires user interaction.


ASB-2025.0158 – Microsoft Azure: CVSS (Max): 9.8

Microsoft has released its monthly security patch update for September 2025, which resolves 3 important vulnerabilities in Azure Connected Machine Agent and HPC Pack 2019. Microsoft recommends updating the software to the latest version available on the Microsoft Update Catalog.

ESB-2025.6253 – IBM MQ container software: CVSS (Max): 9.8

Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images, such as memory corruption issues, crashes and denial of service. IBM strongly recommends applying the latest container images.

ESB-2025.6435 – kernel: CVSS (Max): 7.8

An update for kernel is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, resolving various security issues, including an exploited vulnerability listed in the CISA KEV catalog.

ESB-2025.6441 – Daikin Security Gateway: CVSS (Max): 9.8

A weak password recovery mechanism for forgotten passwords has been identified in this product. Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the system. Daikin has reported they will not fix this vulnerability and will respond directly to user inquiries.

ESB-2025.6437 – imagemagick: CVSS (Max): 9.8

Multiple memory corruption vulnerabilities were discovered in imagemagick, a software suite used for editing and manipulating digital images, which could lead to information leaks, denial of service, and potentially arbitrary code execution. It is recommended that you upgrade your imagemagick packages.


Stay safe, stay patched and have a good weekend!

The AUSCERT team