
This week, we briefed our clients on further FileFix research. The new findings show how attackers use .hta files to avoid Windows security warnings and execute malicious code.
KEY TAKEAWAYS
- Another alternative FileFix social engineering technique has been disclosed that uses HTA files to execute embedded scripts.
- Critical and high severity vulnerabilities in Microsoft, Cisco, Fortinet, and Ivanti products, plus updates to the CISA KEV catalog. Patch now!
FileFix Part 2x
In our previous Intel Report, we highlighted a new ClickFix alternative discovered by the researcher mrd0x, called FileFix. This is yet another social engineering technique that can be used to trick users into executing malicious code on their machines. mrd0x has since released additional research expanding on the FileFix technique.
The research shows that in the Chrome and Edge browsers, when an HTML page is saved with Ctrl+S or Right-click -> "Save as" using either the "Webpage, Single File" or "Webpage, Complete" file type, the saved files do not carry the Mark of the Web (MOTW). MOTW is metadata that Microsoft Windows uses to mark files downloaded from the internet as potentially unsafe. It acts as an additional security layer: it drives the warning prompts that tell users they may not want to trust a file they have just downloaded.
The research also shows that if an HTML page with embedded scripting is saved with a .hta file extension, the saved file keeps the embedded script intact. HTA files are opened by mshta.exe by default, so any JavaScript in the file runs on the system. That JavaScript can create ActiveX objects (via "ActiveXObject") that spawn command shells and effectively run arbitrary commands. Below is an example HTML file with a simple script that calls cmd.exe to ping example.com:
Fig. 1: Example HTML Code | Source: mrd0x
And the execution of the file once double-clicked:
Fig. 2: Execution of .hta file | Source: mrd0x
The next step is a social engineering lure that entices the user to save the webpage in this way. To accomplish this, mrd0x created a fake "backup code" page instructing the user to save the codes as an HTA file:
Fig. 3: Fake Backup Code Webpage | Source: mrd0x
Since prompts like this are extremely common when setting up multi-factor authentication (MFA), most users will be familiar with them and will not hesitate to follow the steps. Once the steps are completed, the victim has a malicious .hta file in their Downloads folder with no MOTW warning, and whenever the file is opened in the future, the embedded malicious code will execute.
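The combination the research describes is an .hta file in Downloads with no Mark of the Web and an embedded script block. The following PowerShell function is an added triage example, not code from the report or from mrd0x: it lists recently written .hta files under a folder, checks whether each one carries the Zone.Identifier alternate data stream (which is how Windows stores MOTW on NTFS), and takes a static look at the body for script and ActiveXObject usage. The default path, the 14-day lookback window and the output fields are assumptions.

```powershell
# Added example, not code from the original report or from mrd0x.
# Triage a Downloads folder for recently saved .hta files that lack the
# Mark of the Web (the Zone.Identifier alternate data stream) and contain
# embedded script, i.e. files that would run under mshta.exe with no warning.
# The default path, the lookback window and the output fields are assumptions.
function Find-UnmarkedHta {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),
        [int]$Days = 14
    )

    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ChildItem -LiteralPath $Path -Filter '*.hta' -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            $file = $_

            # MOTW is stored as the Zone.Identifier stream on NTFS. A file saved via
            # "Save as" in Chrome/Edge has no such stream, so Get-Item returns nothing.
            $zone = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            $zoneId = $null
            if ($null -ne $zone) {
                $zoneText = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
                $zoneId = ($zoneText | Where-Object { $_ -match '^ZoneId=' }) -replace '^ZoneId=', ''
            }

            # Static look at the body: an HTA with a <script> block that creates
            # ActiveX objects is the pattern shown in the research.
            $body = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
            $hasScript  = [bool]($body -match '(?i)<script')
            $hasActiveX = [bool]($body -match '(?i)ActiveXObject')

            # No MOTW plus embedded script is the combination worth a closer look.
            [pscustomobject]@{
                File       = $file.FullName
                LastWrite  = $file.LastWriteTime
                HasMOTW    = ($null -ne $zone)
                ZoneId     = $zoneId
                HasScript  = $hasScript
                HasActiveX = $hasActiveX
                Suspicious = (($null -eq $zone) -and $hasScript)
            }
        }
}

# Usage: list findings for the current user's Downloads, most suspicious first.
Find-UnmarkedHta | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A file that does carry the stream will normally report ZoneId 3 (Internet); an .hta with no stream at all and HasScript set to True matches the FileFix pattern and is worth pulling for analysis rather than opening. The check only covers the folders you point it at, so run it with -Path against other user-writable locations where a lure might direct a save.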
How to Protect Your Organization
As with all social engineering attacks, user awareness and education are paramount. Users must be made aware of these types of attacks so they avoid downloading or saving files with unusual file types. Additionally, since this specific attack relies on the execution of .hta files, administrators can block mshta.exe via GPO or AppLocker, which prevents .hta files from running on the host. Lastly, ensure all endpoints in the environment have a fully up-to-date EDR deployed to block execution of malicious scripts.
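One way to implement the mshta.exe block mentioned above with AppLocker, as an added example that is not part of the report: the script below builds a policy XML that denies both copies of mshta.exe for Everyone, tests it against the live binaries before applying it, and merges it into the local policy in AuditOnly mode so the effect can be reviewed in the AppLocker event log first. The rule names and the temp file path are assumptions. One caveat matters here: an AppLocker rule collection that contains only a Deny rule still blocks everything that is not explicitly allowed, so the standard default allow rules are included alongside the deny (deny rules take precedence over allow rules).

```powershell
# Added example, not configuration from the original report. Builds an AppLocker
# policy that denies mshta.exe for everyone, starts in AuditOnly so the effect can
# be reviewed in the AppLocker event log, and is applied with -Merge so existing
# rules are kept. The rule names and the temp file path are assumptions.
#
# Caveat: a rule collection that contains only a Deny rule still blocks everything
# not explicitly allowed, so the default allow rules are included with the deny.
# Switch EnforcementMode to "Enabled" once the audit events look as expected.
Import-Module AppLocker

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny mshta.exe (HTA mitigation)" Description="Blocks the HTA host so .hta files cannot run" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\System32\mshta.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny mshta.exe (32-bit copy)" Description="Same rule for the SysWOW64 copy" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\SysWOW64\mshta.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-mshta.xml'
Set-Content -LiteralPath $policyPath -Value $policyXml -Encoding UTF8

# Dry run: ask AppLocker what this policy would decide for mshta.exe and for a
# known-good binary, before touching the live policy.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    "$env:WINDIR\System32\mshta.exe",
    "$env:WINDIR\System32\notepad.exe"
) | Select-Object FilePath, PolicyDecision, MatchingRule

# Merge into the local policy. For fleet-wide rollout, import the same XML into a
# GPO under Computer Configuration > Windows Settings > Security Settings >
# Application Control Policies > AppLocker.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# AppLocker only enforces (and audits) while the Application Identity service runs.
sc.exe config appidsvc start= auto
sc.exe start appidsvc
```

Expect the dry run to report mshta.exe as Denied and notepad.exe as Allowed. Blocking only the path of mshta.exe does not stop a copy of the binary placed elsewhere, so where the environment supports it, a publisher rule on the signed Microsoft binary or a WDAC policy is the more robust form of the same control; the path rule above is the quick win the report describes.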
Resources:
Vulnerability Roundup
Critical Vulnerability in Microsoft SPNEGO Protocol
As part of its July Patch Tuesday, Microsoft disclosed a critical vulnerability in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) is used by client-server software to negotiate the choice of security technology. The Generic Security Service Application Programming Interface (GSSAPI) is an API that programs use to access security services.
The vulnerability, tracked as CVE-2025-47981, is a heap-based buffer overflow in the NEGOEX protocol, which is part of the SPNEGO authentication negotiation mechanism. This mechanism is used widely throughout Microsoft Windows environments, and the vulnerability affects Windows systems from version 10 (1607) onward. Per the Microsoft advisory, an attacker could exploit this vulnerability by sending a malicious message to the server, potentially leading to remote code execution. Among the Windows services that use SPNEGO are SMB, RDP, HTTP/S, and LDAP. Due to the widespread usage across Windows services, administrators are strongly encouraged to patch as soon as possible.
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-47981
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-negoex/77c795cf-e522-4678-b0f1-2063c5c0561c
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-spng/fe1b1adc-07f6-40c0-a36b-b4f75be2695e
- https://www.tenable.com/blog/microsofts-july-2025-patch-tuesday-addresses-128-cves-cve-2025-49719
- https://zeropath.com/blog/windows-spnego-cve-2025-47981-rce
Maximum-Severity Vulnerability in Cisco Unified CM
A recent advisory from Cisco detailed a maximum severity vulnerability in their Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME) products. The vulnerability, tracked as CVE-2025-20309, stems from static credentials for the root user account, which allow a remote unauthenticated attacker to log into vulnerable devices as root. Per the advisory, there are no workarounds; the patch must be applied. Affected versions are 15.0.1.13010-1 through 15.0.1.13017-1, regardless of device configuration. Administrators are urged to patch as soon as possible.
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7
- https://thehackernews.com/2025/07/critical-cisco-vulnerability-in-unified.html
Critical SQL Injection Vulnerability in FortiWeb
Fortinet announced a critical SQL injection vulnerability in their web application firewall, FortiWeb. Tracked as CVE-2025-25257, the vulnerability allows an unauthenticated attacker to execute unauthorized SQL code or commands via HTTP or HTTPS requests. Proof-of-concept exploit code is in the wild. Administrators are urged to patch as soon as possible. If immediate patching is not possible, it is recommended to disable the HTTP/HTTPS administrative interface. Affected versions and their respective patches are listed in the table below:
Ivanti July Security Update
In their July Security Update, Ivanti disclosed a series of medium and high severity vulnerabilities across their Ivanti Connect Secure and Policy Secure, Ivanti EPMM, and Ivanti EPM solutions. These vulnerabilities are less critical than previous Ivanti vulnerabilities because they require authentication to exploit, but administrators are still urged to patch as soon as possible, as Ivanti products have been heavily targeted by threat actors in ransomware campaigns.
- https://forums.ivanti.com/s/article/July-Security-Advisory-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Multiple-CVEs?language=en_US
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2025-6770-CVE-2025-6771?language=en_US
- https://forums.ivanti.com/s/article/Security-Advisory-July-2025-for-Ivanti-EPM-2024-SU2-and-EPM-2022-SU8?language=en_US
CISA KEV Additions
The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:
- CVE-2025-5777 - Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability
- CVE-2014-3931 - Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability
- CVE-2016-10033 - PHPMailer Command Injection Vulnerability
- CVE-2019-5418 - Rails Ruby on Rails Path Traversal Vulnerability
- CVE-2019-9621 - Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability
- CVE-2025-6554 - Google Chromium V8 Type Confusion Vulnerability
- CVE-2025-48927 - TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability
- CVE-2025-48928 - TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability
- CVE-2025-6543 - Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.