
This week, we briefed our clients on a fake "Recipe" app that is being advertised on legitimate websites but is, in reality, malware.
KEY TAKEAWAYS
- A widespread malvertising campaign is pushing a fake "Recipe Lister" application that distributes malware. Learn how to protect your organization from malvertising threats.
- Critical and high-severity vulnerabilities in Microsoft, Roundcube, SAP, HPE, Cisco, Ivanti, and Secure Boot, plus updates to CISA KEV. Patch now!
Malvertising Campaign Delivers Fake Recipe Lister
Over the last couple of weeks, PacketWatch has observed a malvertising campaign pushing a fake "Recipe" application. The malicious app, which goes by "Recipe Lister", has been pushed through sidebar advertisements on legitimate websites. The user is tricked into clicking and downloading the app, thinking it is a benign food-related application, when in reality the app attempts to harvest credentials and establish command-and-control (C2) connections.
Fig. 1: RecipeLister site with malicious "Download App" button
How to Protect Your Organization
Protection from threats like this goes beyond this specific example. Malicious advertisements, whether through ad space on legitimate websites or ads on popular search engines, are becoming increasingly common. There are several steps users and organizations can take to protect from these threats:
- Ad Blockers - Popular browser extensions such as uBlock Origin are very effective at blocking ads and pop-ups when visiting websites. By reducing the amount of ads viewed on a webpage, there is less chance for users to click them.
- User Awareness Training - Users should be taught to never click ads when using a work computer. There are few, if any, legitimate work-related use cases for ever clicking on an advertisement. Workstations should be used for work purposes only.
- Content Filtering - Most next-generation firewalls allow administrators to filter web traffic based on content category. Administrators should only allow traffic content that relates to business use cases.
- Application Allow-listing - Ideally, only pre-approved software should be allowed to execute on a workstation. This can be achieved through Software Restriction Policies via GPO or, on current Windows releases, through AppLocker or Windows Defender Application Control (WDAC). A user-downloaded installer dropped in a profile directory would never be permitted to run under such a policy.
- Endpoint Detection and Response - Ensure fully up-to-date EDR tools are deployed to all workstations.
PacketWatch can also be used to monitor for traffic to known domains hosting this "Recipe Lister" application:
http.host:(recipelister.com OR ahegazedatthewond.org OR manahegazeda.org OR sappointedmanah.org OR fast-forks.com)
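For teams without PacketWatch, the same check can be run offline against exported proxy or DNS logs. The following is an added example, not PacketWatch code: it takes the five domains from the query above, normalizes each logged host (case, trailing dot, port), and matches parent domains so that a subdomain such as www.recipelister.com still hits while look-alikes such as notrecipelister.com do not. The log format (timestamp, client IP, method, target, status) and the log lines themselves are constructed for the example.

```python
from urllib.parse import urlsplit

# Domains from the PacketWatch query above; extend this set with your own indicators.
RECIPE_LISTER_DOMAINS = {
    "recipelister.com",
    "ahegazedatthewond.org",
    "manahegazeda.org",
    "sappointedmanah.org",
    "fast-forks.com",
}

# Constructed proxy log lines (not real telemetry): timestamp, client IP, method, target, status.
SAMPLE_PROXY_LOG = [
    "2025-06-10T14:02:11Z 10.0.0.12 GET http://www.RecipeLister.com/download/RecipeLister.exe 200",
    "2025-06-10T14:02:13Z 10.0.0.12 GET https://www.example.com/recipes/lasagna 200",
    "2025-06-10T14:05:40Z 10.0.0.31 CONNECT fast-forks.com:443 200",
    "2025-06-10T14:07:02Z 10.0.0.44 GET http://notrecipelister.com/index.html 404",
]


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a :port suffix (IPv6 literals are left alone)."""
    h = host.strip().lower().rstrip(".")
    if h.startswith("["):
        return h
    if h.count(":") == 1:
        h = h.split(":", 1)[0]
    return h


def matches_indicator(host: str, indicators=RECIPE_LISTER_DOMAINS):
    """Return the indicator matching host or one of its parent domains, else None.
    cdn.recipelister.com matches recipelister.com; notrecipelister.com does not."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def target_host(target: str):
    """Extract the host from an absolute URL or from a host:port CONNECT target."""
    if "://" in target:
        return urlsplit(target).hostname      # already lower-cased, port stripped
    return target.split("/", 1)[0]


def scan_proxy_log(lines):
    """Return (timestamp, client_ip, indicator) for each line that contacts a listed domain."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue                           # malformed line: skip rather than crash
        ts, client, _method, target = fields[:4]
        host = target_host(target)
        indicator = matches_indicator(host) if host else None
        if indicator:
            hits.append((ts, client, indicator))
    return hits


if __name__ == "__main__":
    for ts, client, indicator in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} contacted {indicator}")
```

Feed it your own export with `scan_proxy_log(open("proxy.log").read().splitlines())`; a CONNECT line only exposes the host, which is why the matcher accepts a bare host:port target as well as a full URL.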
Resources:
- https://layer8security.com/malicious-recipe-app-campaign-targets-healthcare-industry/
- https://www.blumira.com/blog/suspicious-code-spike-fraudulent-recipe-application
- https://x.com/luke92881/status/1933127976956174546
Vulnerability Roundup
Windows SMB Privilege Escalation CVE-2025-33073
As part of its June Patch Tuesday, Microsoft disclosed a high-severity elevation-of-privilege flaw in the Windows SMB client, tracked as CVE-2025-33073. It affects all supported Windows versions with SMB client functionality. An attacker holding a valid, low-privileged account coerces the target machine into authenticating to an attacker-controlled SMB server and reflects that authentication back at the target, ending with SYSTEM privileges. Microsoft notes that enforcing server-side SMB signing via Group Policy mitigates the attack; administrators should verify that setting and apply the Patch Tuesday updates as soon as possible.
- https://windowsforum.com/threads/cve-2025-33073-critical-windows-smb-privilege-escalation-vulnerability-explained.369790/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073
WebDAV 0-Day CVE-2025-33053
Researchers at Check Point discovered a 0-day vulnerability in Windows' handling of WebDAV (Web Distributed Authoring and Versioning) that the APT group Stealth Falcon was exploiting against targets in the Middle East; it is now tracked as CVE-2025-33053. To exploit it, the threat actor sends the target a specially crafted .url (Internet Shortcut) file. When the file is opened, the victim machine connects to a threat actor-controlled WebDAV server, and the vulnerability causes a legitimate Windows program to load and run an attacker-supplied payload from that server. The flaw affects all supported versions of Windows. A patch is part of Microsoft's June Patch Tuesday. Administrators are urged to apply these updates as soon as possible and to treat .url attachments from outside the organization as suspicious.
- https://research.checkpoint.com/2025/stealth-falcon-zero-day/
- https://www.tenable.com/blog/microsofts-june-2025-patch-tuesday-addresses-65-cves-cve-2025-33053
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33053
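The lure in this campaign is the .url file itself, so a mail gateway or triage script can flag it before anyone opens it. Below is an added example (not Check Point's or Microsoft's code) that parses the INI-style [InternetShortcut] section and reports any URL, WorkingDirectory or IconFile entry that resolves to a remote server: a UNC path, the WebDAV client form \\host@SSL@443\DavWWWRoot\..., or a file:// URL with a host. The two sample shortcuts are constructed; the 203.0.113.10 address is documentation space, not an indicator from the report.

```python
import re
from urllib.parse import urlsplit

# UNC path, including WebDAV-client forms such as \\host@SSL@443\DavWWWRoot\...
UNC_RE = re.compile(r"^(?:\\\\|//)(?P<host>[^\\/@]+)")

# Shortcut fields that Windows resolves when the .url is opened
KEYS_OF_INTEREST = ("url", "workingdirectory", "iconfile")

# Constructed samples (not the files from the Check Point report)
SUSPICIOUS_URL_FILE = r"""[InternetShortcut]
URL=C:\Windows\System32\notepad.exe
WorkingDirectory=\\203.0.113.10@SSL@443\DavWWWRoot\pdf
IconFile=C:\Windows\System32\SHELL32.dll
IconIndex=1
"""

BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://www.example.com/recipes
IconFile=C:\Windows\System32\SHELL32.dll
IconIndex=1
"""


def parse_internet_shortcut(text: str) -> dict:
    """Parse the [InternetShortcut] section of a .url file; keys are case-insensitive."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")       # tolerate a BOM on the first line
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def remote_host(value: str):
    """Return the remote host a field points at, or None if it is local or an http(s) link."""
    m = UNC_RE.match(value)
    if m:
        return m.group("host")
    parts = urlsplit(value)
    if parts.scheme.lower() == "file":
        if parts.hostname and parts.hostname != "localhost":
            return parts.hostname                # file://host/share/...
        m = UNC_RE.match(parts.path)             # file:////host/share/... form
        if m:
            return m.group("host")
    return None


def find_remote_references(text: str):
    """List (field, host) for every field that resolves to a remote server."""
    values = parse_internet_shortcut(text)
    findings = []
    for key in KEYS_OF_INTEREST:
        if key in values:
            host = remote_host(values[key])
            if host:
                findings.append((key, host))
    return findings


def is_suspicious(text: str) -> bool:
    """Any remote working directory, icon or file:// target is reason to quarantine the shortcut."""
    return bool(find_remote_references(text))


if __name__ == "__main__":
    print(find_remote_references(SUSPICIOUS_URL_FILE))
    print(is_suspicious(BENIGN_URL_FILE))
```

An ordinary web shortcut (URL=https://...) produces no findings, so the check can run on every .url attachment without drowning analysts in hits; a local program launched with a remote working directory is the pattern worth escalating.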
Roundcube Webmail RCE CVE-2025-49113
A critical remote code execution vulnerability was disclosed for Roundcube webmail servers. Tracked as CVE-2025-49113, it is a post-authentication PHP object deserialization flaw: an attacker who holds valid mailbox credentials (stolen, phished, or brute-forced) can execute arbitrary commands on the server. It affects Roundcube versions before 1.5.10 and 1.6.x before 1.6.11. Roundcube is present in default deployments of hosting environments such as cPanel, Plesk, and ISPConfig, so many administrators run it without realizing it. Approximately 53 million hosts were reported as vulnerable at the time of disclosure, and proof-of-concept exploit code is in the wild. Administrators are urged to upgrade to version 1.5.10 (LTS) or 1.6.11 as soon as possible.
Critical Authorization Bypass in SAP NetWeaver
As part of its own June "Security Patch Day", SAP disclosed 14 vulnerabilities across a range of its products, including a critical missing authorization check in SAP NetWeaver Application Server for ABAP (SAP's application programming language), tracked as CVE-2025-42989. The flaw requires the attacker to be authenticated and effectively acts as a privilege escalation. Administrators are urged to review the SAP security notes and apply all applicable updates.
- https://support.sap.com/en/my-support/knowledge-base/security-notes-news/june-2025.html
- https://www.securityweek.com/critical-vulnerability-patched-in-sap-netweaver/
HPE StoreOnce Authentication Bypass CVE-2025-37093
Earlier this month, Hewlett Packard Enterprise disclosed 8 vulnerabilities in their StoreOnce data backup solution. Among the vulnerabilities is a critical authentication bypass flaw tracked as CVE-2025-37093. These vulnerabilities affect HPE StoreOnce G4/4+ systems prior to version 4.3.11. Administrators are urged to patch to version 4.3.11 or later as soon as possible.
- https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US
- https://www.zerodayinitiative.com/advisories/ZDI-25-316/
- https://thehackernews.com/2025/06/hpe-issues-security-patch-for-storeonce.html
Cisco ISE Static Credential Vulnerability
Cisco recently disclosed a critical vulnerability in AWS, Azure, and Oracle Cloud Infrastructure (OCI) deployments of its Cisco Identity Services Engine (ISE). Tracked as CVE-2025-20286, the flaw exists because ISE instances of the same software release on the same cloud platform are generated with identical static credentials. An attacker who extracts those credentials from one deployment can use them against any other to remotely access sensitive data, execute limited administrative operations, modify system configuration, and disrupt services. The affected versions are listed in Fig. 2:
Fig. 2: Affected Cisco ISE versions (source: Cisco.com)
It is important to note that the following deployments are not vulnerable:
- All on-premises deployments with any form factors where artifacts are installed from Cisco Software Download Center (ISO or OVA). This includes appliances and virtual machines with different form factors.
- ISE on Azure VMware Solution (AVS)
- ISE on Google Cloud VMware Engine
- ISE on VMware cloud in AWS
- ISE hybrid deployments with all ISE Administrator personas (Primary and Secondary Administration) on-premises with other personas in the cloud.
Administrators are urged to patch as soon as possible, as proof-of-concept exploit code is available in the wild. If patches cannot be applied, additional workarounds are listed in the Cisco advisory.
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7
- https://nvd.nist.gov/vuln/detail/CVE-2025-20286
- https://www.bleepingcomputer.com/news/security/cisco-warns-of-ise-and-ccp-flaws-with-public-exploit-code/
Ivanti IWC Vulnerabilities
Ivanti released security updates to address several high-severity flaws in its Workspace Control (IWC) solution, all stemming from hardcoded cryptographic keys. Two of the vulnerabilities, tracked as CVE-2025-5353 and CVE-2025-22455, allow local authenticated attackers to decrypt stored SQL credentials. A third, tracked as CVE-2025-22463, enables local authenticated attackers to decrypt the stored environment password. The vulnerabilities affect IWC versions 10.19.0.0 and prior. Administrators are urged to upgrade to version 10.19.10.0 or later, and to rotate the SQL and environment credentials afterwards, since keys that were hardcoded may already have been extracted.
Secure Boot Bypass CVE-2025-3052
Security researchers from Binarly discovered CVE-2025-3052, a memory-corruption vulnerability in a UEFI module digitally signed with Microsoft's third-party UEFI certificate (Microsoft Corporation UEFI CA 2011). The module trusts the contents of an NVRAM variable that an attacker with administrative privileges on the operating system can write, which yields an arbitrary memory write during boot, enough to disable Secure Boot enforcement and install bootkit malware. Such malware executes before the operating system loads and therefore evades endpoint defenses. Because that Microsoft certificate is trusted by nearly every device, effectively all systems running UEFI Secure Boot with the third-party CA enrolled are affected, not only those that shipped with the vulnerable module. The fix, released as part of Microsoft's June Patch Tuesday, adds the affected module along with 13 others to the DBX revocation list. The revocation only takes effect once the firmware has actually applied the DBX update, so administrators should confirm it by exporting dbx (for example with Get-SecureBootUEFI -Name dbx on Windows) and checking that the revoked hashes are present.
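To verify that a DBX update has landed, you need to read the variable's EFI_SIGNATURE_LIST encoding rather than eyeball a hex dump. The following is an added example (not Binarly's or Microsoft's tooling) that parses a dbx blob into its entries and answers whether a given SHA-256 image hash is revoked. The structure layout (SignatureType GUID, three uint32 sizes, then SignatureOwner GUID plus hash per entry, all little-endian) is from the UEFI specification; the hashes and the dbx blob used here are constructed test data, and the real hash to look for is the Authenticode hash of the module as published in the advisory, not a plain SHA-256 of the file.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID: the signature type used for hash-based revocations in dbx
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_LIST_HEADER = struct.Struct("<III")            # SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HEADER_LEN = 16 + SIG_LIST_HEADER.size    # SignatureType GUID + the three sizes


def parse_signature_lists(blob: bytes):
    """Walk concatenated EFI_SIGNATURE_LIST structures; return (type, owner, data) per entry."""
    entries, off = [], 0
    while off + SIG_LIST_HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = SIG_LIST_HEADER.unpack_from(blob, off + 16)
        end = off + list_size
        if list_size < SIG_LIST_HEADER_LEN or end > len(blob) or sig_size < 16:
            raise ValueError(f"corrupt EFI_SIGNATURE_LIST at offset {off}")
        pos = off + SIG_LIST_HEADER_LEN + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])    # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def dbx_sha256_hashes(blob: bytes) -> set:
    """All SHA-256 image hashes revoked by this dbx, as lower-case hex."""
    return {data.hex() for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32}


def is_revoked(blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the given PE Authenticode hash (as published in an advisory) is present in dbx."""
    return authenticode_sha256_hex.strip().lower() in dbx_sha256_hashes(blob)


def load_efivar(path: str) -> bytes:
    """Read dbx from Linux efivarfs, where the first 4 bytes are the variable attributes.
    Typical path: /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    On Windows, (Get-SecureBootUEFI -Name dbx).Bytes gives the same payload without that prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_sha256_list(hashes_hex, owner=uuid.UUID(int=0)) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST of SHA-256 entries (used here only to construct test data)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes_hex)
    sig_size = 16 + 32
    return (EFI_CERT_SHA256_GUID.bytes_le
            + SIG_LIST_HEADER.pack(SIG_LIST_HEADER_LEN + len(body), 0, sig_size)
            + body)


# Constructed stand-ins for revoked-module hashes; real values come from the Microsoft/Binarly advisory.
REVOKED_A = hashlib.sha256(b"constructed revoked module A").hexdigest()
REVOKED_B = hashlib.sha256(b"constructed revoked module B").hexdigest()
NOT_REVOKED = hashlib.sha256(b"constructed module still trusted").hexdigest()
CONSTRUCTED_DBX = build_sha256_list([REVOKED_A]) + build_sha256_list([REVOKED_B])

if __name__ == "__main__":
    print("entries:", len(parse_signature_lists(CONSTRUCTED_DBX)))
    print("A revoked:", is_revoked(CONSTRUCTED_DBX, REVOKED_A))
    print("C revoked:", is_revoked(CONSTRUCTED_DBX, NOT_REVOKED))
```

On a real machine, replace CONSTRUCTED_DBX with `load_efivar(...)` on Linux or with the bytes exported from PowerShell on Windows, and pass the advisory's published hash to `is_revoked`. A dbx that still lacks the hash after the June update means the firmware did not accept the revocation, and the device remains exposed regardless of OS patch level.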
- https://www.binarly.io/blog/another-crack-in-the-chain-of-trust
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-3052
- https://www.bleepingcomputer.com/news/security/new-secure-boot-flaw-lets-attackers-install-bootkit-malware-patch-now/
CISA KEV Additions
The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:
- CVE-2025-24016 – Wazuh Server Deserialization of Untrusted Data Vulnerability
- CVE-2025-33053 – Web Distributed Authoring and Versioning (WebDAV) External Control of File Name or Path Vulnerability
- CVE-2025-32433 – Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability
- CVE-2024-42009 – RoundCube Webmail Cross-Site Scripting Vulnerability
- CVE-2025-5419 – Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
- CVE-2025-27038 – Qualcomm Multiple Chipsets Use-After-Free Vulnerability
- CVE-2025-21480 – Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
- CVE-2025-21479 – Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
- CVE-2023-39780 – ASUS RT-AX55 Routers OS Command Injection Vulnerability
- CVE-2024-56145 – Craft CMS Code Injection Vulnerability
- CVE-2025-35939 – Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
- CVE-2025-3935 – ConnectWise ScreenConnect Improper Authentication Vulnerability
- CVE-2021-32030 – ASUS Routers Improper Authentication Vulnerability
This report is provided FREE to the cybersecurity community.
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.