WEEKLY TOP TEN: September 01, 2025, 16:00 GMT
- ViewState Zero-Day in Sitecore (CVE-2025-53690)
Mandiant details active exploitation of a ViewState deserialization weakness in Sitecore environments that reused an ASP.NET machine key sample from old deployment guides. Attackers achieved RCE, dropped a reconnaissance payload dubbed WEEPSTEEL, staged tools (EARTHWORM, DWAgent, SharpHound), created local admin accounts, and attempted credential harvesting and lateral movement over RDP. Guidance: rotate machine keys, enable ViewState MAC, secure secrets in web.config, and follow Sitecore’s advisory; Mandiant also provides IOCs and detections. The vulnerability is a configuration exposure tracked as CVE-2025-53690; updated Sitecore deployments randomize keys by default.
- WhatsApp Zero-Day Exploited Against Apple Users
Researchers report a WhatsApp vulnerability, tracked as CVE-2025-55177, was exploited in targeted attacks against iOS/macOS users and chained with an Apple zero-day. The campaign appears spyware-oriented and underscores continued interest in messaging-app attack surfaces. Users should update WhatsApp immediately and apply the latest Apple patches. Limited public indicators are available; vendors emphasize rapid patching and device monitoring for unusual messaging behavior.
- Google Fixes Two Actively Exploited Android Flaws
The September 2025 Android security bulletin patches 84 Android issues (111 in total including vendor bulletins). Google confirms in-the-wild exploitation of two elevation-of-privilege bugs: CVE-2025-38352 (Linux kernel POSIX timers race) and CVE-2025-48543 (Android Runtime). Four critical issues also landed, including an RCE in the Android System (CVE-2025-48539) and multiple critical Qualcomm component flaws. Users should update to patch level 2025-09-01/05; device makers (Samsung, etc.) ship their own advisories.
- Critical SAP S/4HANA Flaw Under Active Attack (CVE-2025-42957)
A CVSS 9.9 code-injection bug in SAP S/4HANA allows low-privileged users to inject ABAP and potentially take over both the SAP system and the host OS. SecurityBridge and other vendors observed exploitation attempts after the patch was released, suggesting attackers reverse-engineered the fix. SAP addressed it in the August updates; defenders should patch urgently, restrict RFCs using UCON, and monitor for suspicious RFC calls and new admin accounts.
- Chess.com Limited Breach via Third-Party File Transfer Tool
Chess.com disclosed a breach impacting just over 4,500 users after two June intrusions (June 5 and 18) against a third-party file transfer tool, not its core systems. No passwords or payment data were exposed; notifications began Sept 3. The platform engaged law enforcement and external responders and is offering identity protection to affected users. While limited in scope relative to 150M accounts, the incident shows how supplier tools can become high-leverage ingress points.
- Debunking Microsoft 365 & Identity Myths
Huntress tackles recurring Microsoft 365 / Entra ID identity misconceptions that lead to weak access control, brittle Conditional Access policies, and overconfidence in default settings. The piece emphasizes grounding identity posture in least privilege, strong MFA choices, continuous monitoring, and validated assumptions (e.g., what telemetry your stack truly provides). It’s a practical myth-busting reference for MSPs and mid-market teams modernizing identity strategy without introducing blind spots.
- Phishing Triage Agent in Defender XDR
Microsoft unveils an AI-powered Phishing Triage Agent for Defender XDR/Security Copilot that classifies user-reported emails, filters false positives, enriches incidents with threat intelligence, and provides understandable verdicts. Aimed at reducing analyst fatigue, it integrates with existing workflows and requires Defender for Office 365 Plan 2 and Security Copilot licensing. Microsoft outlines prerequisites, enablement steps, and usage patterns for SOCs to automate triage while retaining human oversight.
- A Shared Vision of SBOM for Cybersecurity (Joint Guidance)
CISA and NSA, along with 19 international organizations, have released joint guidance that supports a shared global approach to SBOM, aiming for widespread use, consistent implementations, and inclusion in security processes. The document describes SBOMs as essential “ingredient lists” that help manage supply-chain risk, enhance responses to vulnerabilities, and promote secure design practices in various. It includes a downloadable PDF and links to statements of support.
- Hackers Weaponizing AI with Vibe-Coded Malware
Trend Micro research reveals cybercriminals are now using AI, especially large language models, to dissect detailed threat-intelligence reports and even auto-generate malware, a practice referred to as “vibe coding.” By feeding technical write-ups into AI tools, attackers can reconstruct partial code and TTPs, lowering the barrier to creating sophisticated threats. This accelerates malware development, blurs attribution lines, and lets even low-skilled actors harness advanced tools. Trend Micro urges security teams to strike a balance between technical transparency and not inadvertently arming adversaries, suggesting a more cautious presentation of detail in public reports to limit misuse.
- New AI-Powered HexStrike-AI Tool Exploits Citrix Flaws
An AI tool named HexStrike-AI is being leveraged by threat actors to rapidly identify and exploit vulnerabilities in Citrix systems. The tool uses large language models (such as GPT and Claude) along with a built-in toolkit to automatically scan for weaknesses, make decisions, and carry out attacks. Notably, it targets Citrix NetScaler ADC and Gateway flaws (CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424), enabling remote code execution and webshell (persistence) installs in record time. While exploitation reports are preliminary, security researchers warn that such tools dramatically shrink patching windows, elevating the need for rapid patching and automated vulnerability management.
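The Sitecore item above comes down to a web.config check: a static machineKey copied from a guide plus a disabled ViewState MAC. The following is an added audit script written for this digest, not code from Mandiant, Sitecore or Microsoft; the two embedded web.config fragments are constructed samples with placeholder key values.

```python
"""Audit an ASP.NET web.config for the ViewState weaknesses described above."""
import xml.etree.ElementTree as ET

# Constructed sample: static keys pasted from a deployment guide (placeholder
# values, not the real sample key) and ViewState MAC switched off.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER-STATIC-VALIDATION-KEY"
                decryptionKey="PLACEHOLDER-STATIC-DECRYPTION-KEY"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

# Constructed sample: keys auto-generated per machine and app, MAC enabled.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""


def audit_web_config(xml_text: str) -> list[str]:
    """Return findings for the ViewState-related settings; empty list means clean.

    A static key is legitimate on a web farm (every node must share it), but it
    then has to be unique, secret and rotated, never a value from a public guide,
    so a static key is still reported for manual review.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            if not mk.get(attr, "").startswith("AutoGenerate"):
                findings.append(f"{attr} is static: confirm it is unique and rotate it")
        if mk.get("validation", "").upper() in ("MD5", "SHA1"):
            findings.append("validation algorithm is weak: use HMACSHA256 or stronger")
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac is false: ViewState is unsigned")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_web_config(cfg) or "no findings")
```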
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original stories we judged most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available: