FileFix 2.0 Exploit Bypasses Windows MOTW via HTML-to-HTA Rename
- SISA Weekly Threat Watch -

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include:
- Critical sudo Flaws Enable Root Privilege Escalation on Linux/macOS Systems
- Grafana Image Renderer & Synthetic Agent Vulnerable to Chromium RCE Flaws
- FileFix 2.0 Exploit Bypasses Windows MOTW via HTML-to-HTA Rename
- Chrome Zero-Day (CVE-2025-6554) Exploits V8 Type Confusion for Drive-By Attacks
- INC Ransomware (Gold Ionic) Deploys Double Extortion via Citrix Exploits & Data Leaks
These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. Airoha Bluetooth Chipset Flaws Enable Eavesdropping and Call Hijacking
Critical flaws in Airoha Bluetooth chipsets (CVE-2025-20700/20701/20702) expose 29 audio devices from Sony, Bose, JBL, and others to eavesdropping, call hijacking, and data theft. Attackers within Bluetooth range can abuse missing authentication in GATT/BR/EDR protocols to extract link keys, intercept calls via Hands-Free Profile (HFP), and even rewrite firmware for wormable malware propagation. The high-severity CVE-2025-20702 enables memory access to steal call logs/contacts and execute remote code. Exploitation requires proximity and technical skill but poses extreme risks to high-value targets like executives or diplomats.
Recommendations to mitigate this threat include applying vendor-released firmware updates immediately (post-May 27, 2025 SDK patch). Users should disable Bluetooth in public spaces, re-pair devices frequently to refresh encryption keys, and monitor for abnormal connection prompts. High-risk individuals must use wired audio for sensitive discussions, while vendors should accelerate patch deployment and transparently communicate risks to customers.
2. Grafana Image Renderer & Synthetic Agent Vulnerable to Chromium RCE Flaws
Four critical Chromium vulnerabilities (CVE-2025-5959/6554/6191/6192) in Grafana Image Renderer (<3.12.9) and Synthetic Monitoring Agent (<0.38.3) enable remote code execution via malicious HTML. Attackers exploit type confusion, integer overflow, and use-after-free flaws in the embedded headless Chromium engine to escape sandboxes, corrupt memory, or hijack dashboard rendering/synthetic testing processes.
Recommendations to mitigate this threat include updating to Grafana Image Renderer 3.12.9+ and Synthetic Agent 0.38.3+. Restrict internet access for rendering components via firewalls, run services under least-privileged accounts, and deploy AppArmor/SELinux policies to sandbox Chromium. Segment rendering infrastructure, audit dashboard inputs for untrusted HTML, and automate patch deployment.
3. FileFix 2.0 Exploit Bypasses Windows MOTW via HTML-to-HTA Rename
A new FileFix variant evades Windows Mark-of-the-Web (MoTW) protections by tricking users into saving malicious webpages as “Complete HTML” files and renaming them to .HTA. Execution via mshta.exe runs embedded scripts (e.g., JScript) silently without security prompts, enabling ransomware deployment or data theft. Social engineering lures (e.g., fake “MFA backup codes”) critical to success.
Recommendations to mitigate this threat include disabling or renaming mshta.exe in System32/SysWOW64 directories and enforcing visible file extensions in Windows Explorer. Block .HTA/.HTML email attachments, implement application allow-listing, and train users to recognize “save-and-rename” phishing lures involving Ctrl+S.
4. Chrome Zero-Day (CVE-2025-6554) Exploits V8 Type Confusion for Drive-By Attacks
Actively exploited zero-day (CVE-2025-6554) in Chrome’s V8 JavaScript engine enables arbitrary code execution via malicious HTML pages. Attackers leverage type confusion flaws to read/write memory, deploy spyware, or initiate drive-by downloads. Linked to state-sponsored campaigns, impacting Chrome versions prior to 138.0.7204.96 (Windows/macOS/Linux).
Recommendations to mitigate this threat include immediately updating Chrome/Chromium browsers to patched versions and enforcing enterprise-wide auto-updates. Monitor endpoints for abnormal browser memory usage or script execution, restrict unsigned scripts via policy controls, and update Edge/Brave/Vivaldi browsers promptly.
5. INC Ransomware Deploys Double Extortion via Citrix Exploits & Data Leaks
INC Ransomware (a.k.a Gold Ionic) breaches networks via Citrix NetScaler exploits (CVE-2023-3519) and stolen credentials, deploying double-extortion attacks. After lateral movement using PsExec/RDP, the group exfiltrates data to cloud storage (e.g., Mega.nz) and encrypts files with AES-256, appending .INC extensions. Victims like Ahold Delhaize face public data leaks on Tor sites if ransoms are unpaid.
Recommendations to mitigate this threat include patching public-facing services (especially Citrix) and enforcing MFA for all privileged accounts. Segment networks to limit lateral movement, deploy EDR tools to detect ransomware behaviors (e.g., mass file encryption), and maintain offline immutable backups. Train staff to recognize phishing lures and establish an incident response plan for extortion events.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.