Security Roundup: August 2025 | Kocho
August Security Roundup

From Kocho’s Security Operations Centre (SOC)

Published: 21 August 2025

From high-risk Microsoft identity flaws to actively exploited WinRAR and 7-Zip vulnerabilities, our SOC team breaks down this month’s urgent threats and the actions you need to take to stay secure.

Headlines:

  • Windows Kerberos flaw opens path to domain takeover
  • Exchange hybrid trust abused for Microsoft 365 escalation
  • WinRAR zero-day exploited in phishing campaigns
  • RomCom and Paper Werewolf linked to targeted attacks
  • 7-Zip patch closes arbitrary file write loophole

High-risk Microsoft identity & Exchange vulnerabilities

Microsoft’s August 2025 Patch Tuesday addressed over 100 CVEs, with two identity-related flaws posing significant risks:

  • CVE-2025-53779 – Windows Kerberos Elevation of Privilege (“BadSuccessor”)
  • CVE-2025-53786 – Exchange Hybrid Elevation of Privilege

Both could allow attackers to escalate privileges in hybrid environments, putting domain assets and Microsoft 365 tenants at risk.

What’s the risk?

  • CVE-2025-53779 (Kerberos EoP): Exploitable by authenticated attackers to gain domain-level control. CVSS 7.2. Publicly disclosed at release.
  • CVE-2025-53786 (Exchange Hybrid EoP): Lets attackers pivot from on-prem Exchange admin rights to Exchange Online. CVSS 8.0. Flagged by both Microsoft and CISA as critical for hybrid orgs.

Recommended actions

Apply the August 2025 Windows cumulative update to patch CVE-2025-53779.

Apply the August 2025 Exchange cumulative update to patch CVE-2025-53786.

Action point

Patch Windows and Exchange immediately to close high-risk identity escalation paths.

WinRAR zero-day exploited in the wild (CVE-2025-8088)

A high-severity zero-day in WinRAR (CVE-2025-8088, CVSS 8.8) is being actively exploited in phishing campaigns. The flaw allows a malicious RAR archive to override the extraction path, so its files are written outside the folder the user chose, enabling arbitrary code execution.

What’s the risk?

  • Attackers can force payloads into autorun directories (e.g. Windows Startup folder).
  • Exploitation delivers persistent backdoors, with confirmed use by the RomCom and Paper Werewolf groups.
  • Targets include government and energy sectors, with evidence of state-aligned activity.

Recommended actions

Update to WinRAR 7.13 immediately – earlier versions (≤7.12) are vulnerable.

Educate staff on safe handling of archives and phishing awareness.

Enforce least-privilege access to prevent payloads writing to sensitive directories.

Monitor endpoints for suspicious file writes in autorun or system folders.
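One way to turn the last recommendation into a concrete detection, as an added example that is not part of the Kocho roundup: flag file-create events where an archive utility writes into a Startup folder or system directory. The event records are constructed in a hypothetical, Sysmon-like JSON shape (fields host, event, image, target); map the field names to whatever your EDR or SIEM actually emits.

```python
"""Detection check for the abuse pattern described above: an archive utility
(WinRAR, 7-Zip) writing into an autorun or system location.

Added example, not code from the Kocho SOC. Event shape is constructed.
"""
import json
import re

# Locations where a dropped file runs without further user action. The first
# pattern covers both the per-user and the all-users Startup folder; the second
# covers System32/SysWOW64. Extend for Run keys, scheduled tasks, etc.
AUTORUN_PATTERNS = [
    re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE),
    re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE),
]

# Process images of the archive utilities discussed in the roundup. A write by
# one of these into an autorun path is the signal: users do not normally extract
# archives straight into Startup.
ARCHIVE_TOOLS = {"winrar.exe", "unrar.exe", "7z.exe", "7zg.exe", "7zfm.exe"}


def normalise(path: str) -> str:
    """Lower-case the path and use backslashes so the patterns match uniformly."""
    return path.replace("/", "\\").lower()


def is_autorun_path(path: str) -> bool:
    """True when the target file lands in one of the autorun locations."""
    return any(rx.search(normalise(path)) for rx in AUTORUN_PATTERNS)


def flag_events(lines):
    """Return the file-create events that match the rule.

    Malformed lines and non-FileCreate events are skipped, so the function can
    be pointed at a raw export without pre-filtering.
    """
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event") != "FileCreate":
            continue
        image = normalise(ev.get("image", "")).rsplit("\\", 1)[-1]
        target = ev.get("target", "")
        if image in ARCHIVE_TOOLS and is_autorun_path(target):
            hits.append({"host": ev.get("host"), "image": image, "target": target})
    return hits


# Constructed sample events: two true positives, two benign writes, one
# non-FileCreate event and one unparseable line.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "ws-07", "event": "FileCreate",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"host": "ws-07", "event": "FileCreate",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\alice\Downloads\invoice\report.pdf"},
    {"host": "ws-14", "event": "FileCreate",
     "image": r"C:\Program Files\7-Zip\7zFM.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchelper.exe"},
    {"host": "srv-02", "event": "FileCreate",
     "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Windows\System32\drivers\vendor.sys"},
    {"host": "ws-07", "event": "ProcessCreate",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": ""},
]] + ["this line is not json"]


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['image']} wrote {hit['target']}")
```

The rule deliberately keys on the writing process rather than on the file name, so it stays useful whatever the dropped payload is called; tune ARCHIVE_TOOLS and AUTORUN_PATTERNS to your estate before deploying it.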

Action point

Update WinRAR to version 7.13 to block active exploitation.

7-Zip arbitrary file write vulnerability (CVE-2025-55188)

7-Zip patched CVE-2025-55188 (CVSS 2.7), a symbolic link flaw that could lead to arbitrary file writes during archive extraction. Exploitation risk is higher on Linux, but possible on Windows in specific conditions.

What’s the risk?

  • Attackers can overwrite critical files such as SSH keys or configuration files (e.g. .bashrc) during extraction.
  • On Linux, exploitation can result in persistent backdoors or compromised authentication.
  • On Windows, risk is lower but possible if symbolic links are enabled with elevated privileges.
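Both the WinRAR flaw above (files written outside the chosen folder) and this 7-Zip flaw (writes redirected through a symbolic link) can be caught before extraction by inspecting the member list. The following pre-extraction scan is an added example, not code from the Kocho SOC, WinRAR or 7-Zip. It uses Python's standard tarfile module because that can build a sample archive in memory; the same per-member checks apply to RAR or 7z listings from any extractor that exposes member names and link targets. The sample archive is constructed here purely as test input.

```python
"""Pre-extraction safety scan for the two archive flaws discussed above:
path traversal and symlink-redirected writes.

Added example, not code from the Kocho SOC, WinRAR or 7-Zip.
"""
import io
import posixpath
import tarfile


def _resolve_link(member_name: str, target: str) -> str:
    """Where a link member would point, relative to the extraction root."""
    if target.startswith("/"):
        return target
    return posixpath.normpath(posixpath.join(posixpath.dirname(member_name), target))


def _escapes(path: str) -> bool:
    """True if a normalised path leaves the extraction root."""
    return path.startswith("/") or path == ".." or path.startswith("../")


def unsafe_members(tar: tarfile.TarFile) -> dict:
    """Map each dangerous member name to the reasons it is dangerous.

    Members are examined in archive order, because a link only redirects the
    writes of members that come after it.
    """
    findings = {}
    links = {}  # normalised member path -> resolved link target
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        reasons = []
        if _escapes(name):
            reasons.append("member path escapes the extraction root")
        # If any parent directory of this member was created by an earlier
        # link, the write is redirected to wherever that link points.
        parts = name.split("/")
        for i in range(1, len(parts)):
            parent = "/".join(parts[:i])
            if parent in links:
                reasons.append(f"write passes through link {parent!r} -> {links[parent]!r}")
                break
        if m.issym() or m.islnk():
            resolved = _resolve_link(name, m.linkname)
            if _escapes(resolved):
                reasons.append(f"link target {m.linkname!r} is outside the extraction root")
            links[name] = resolved
        if reasons:
            findings[m.name] = reasons
    return findings


def scan_archive(data: bytes) -> dict:
    """Scan an in-memory tar archive without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return unsafe_members(tar)


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign file, one traversal member, one
    symlink to a home-directory path and one file written through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes = b"# constructed sample\n") -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("report/summary.txt")
        add_file("../../home/user/.bashrc")   # traversal: lands outside the target folder
        link = tarfile.TarInfo("sshdir")       # symlink member ...
        link.type = tarfile.SYMTYPE
        link.linkname = "/home/user/.ssh"
        tar.addfile(link)
        add_file("sshdir/authorized_keys")     # ... and a file written through it
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_archive(build_sample_archive()).items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```

The scan is conservative on purpose: any write through an in-archive link is reported even when the link stays inside the extraction root, because a legitimate archive rarely needs that and the cost of a false positive is a manual look at the listing.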

Recommended actions

Update to 7-Zip v25.01.

Avoid extracting archives from untrusted sources.

Action point

Update to 7-Zip 25.01 to eliminate file write exploitation risk.

In the news: Telecoms company hit by ransomware attack exploiting SharePoint flaw

A leading London-based telecoms provider suffered a major cyberattack, with the WarLock ransomware group claiming responsibility.

An actor under the alias cnkjasdfgd is offering 1 million stolen documents for $200,000, including sensitive salary, financial, contract, personnel, network, and email data.

Early indications suggest the breach exploited a Microsoft SharePoint zero-day (CVE-2025-53770, ToolShell), enabling remote code execution. While customer data reportedly wasn’t exposed, internal systems were heavily impacted, forcing its customer portal and API offline. Recovery work is ongoing with external experts, and authorities have been notified.

What this highlights

The Colt breach underlines how fast attackers weaponise newly patched SharePoint flaws and the scale of damage that can result when internal systems are exposed. It’s a reminder that critical infrastructure providers need aggressive patching and robust segmentation to contain such attacks.

This month’s key takeaway

Apply Microsoft patches, upgrade WinRAR and 7-Zip, and reinforce safe archive handling.

Attackers are already exploiting these flaws, with evidence of both cybercriminal and state-aligned groups weaponising them within days of disclosure.

Delayed patching leaves critical identity systems and widely used utilities open to privilege escalation, persistence, and data theft: risks that can be neutralised quickly with prompt updates and basic operational hygiene.

Thanks to this month’s contributors from the Kocho SOC team: Jack Fisher, Adam Febery, and James O’Neill

Stay safe. Stay informed.
