Weaponizing Trust: Management Consoles, Exchange Hybrid Flaws, and the WinRAR Zero-Day

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Active exploitation – Trend Micro Apex One Management Console RCE

Trend Micro disclosed pre-authentication command-injection flaws in the Apex One on-prem Management Console that allow remote code execution without authentication. Attacks observed in the wild target exposed consoles; at least one exploitation attempt has been reported and national CERTs have issued urgent advisories. The flaw is weaponised to run arbitrary commands with the service’s privileges.

Mitigations: Apply Trend Micro’s Fix Tool immediately to all affected Apex One on-prem (2019) instances; the tool temporarily mitigates exploitation by disabling the Remote Install Agent, though administrators will lose remote deployment capability until the official patch is applied. In parallel, ensure the Management Console is not exposed to the public internet by implementing IP allow-lists or restricting access to a VPN or jump hosts, and enforce strong access controls such as MFA and just-in-time/admin bastions for administrative logins. Increase monitoring and hunting for anomalous console commands, unexpected service launches, or unusual process trees on Apex One servers so exploitation attempts can be detected quickly. Finally, prepare to deploy Trend Micro’s permanent critical patch when released (mid-August 2025) and validate related Trend products (Apex Central / Trend Vision One) are either mitigated or patched.

2. Over 29,000 Exchange servers exposed – CVE-2025-53786 (Hybrid compromise risk)

CVE-2025-53786 is a high-severity privilege-escalation flaw in Exchange hybrid configurations that enables an attacker with on-prem admin access to forge tokens or API calls and pivot into Microsoft 365/Azure tenants. Public reporting shows ~29,098 unpatched Exchange servers (top counts: USA, Germany, Russia). CISA issued Emergency Directive 25-02 for immediate patching because exploitation can lead to full domain compromise.

Mitigations: Organizations must immediately apply Microsoft’s April 2025 hotfix and relevant cumulative updates (update Exchange Server 2016 to CU23 and Exchange 2019 to CU14/CU15) to remediate CVE-2025-53786. Any internet-facing or unsupported Exchange instances should be isolated or removed from public access until patched. Follow Microsoft’s guidance to replace insecure shared identity setups with the dedicated hybrid app to remove the insecure trust constructs exploited by this vulnerability. Restrict and harden administrative access with MFA and conditional access, audit and clean up stale service principals (following Microsoft’s Service Principal Clean-Up Mode guidance), and actively monitor for forged token creation or unusual API activity across on-prem and cloud tenants. After remediation, run the Microsoft Exchange Health Checker to confirm configuration integrity and address any remaining issues.

3. RomCom exploitation of WinRAR zero-day – CVE-2025-8088 (Path traversal via ADS)

ESET traced RomCom APT activity exploiting CVE-2025-8088 – a WinRAR path-traversal vulnerability leveraging NTFS Alternate Data Streams (ADS) to place payloads into autorun/system directories. Attack chains observed dropped multiple malware families (Mythic Agent, SnipBot, MeltingClaw) and used LNK autorun shortcuts for persistence. The flaw was actively exploited before a patch (WinRAR 7.13) was released on 30 July 2025.

Mitigations: Update all endpoints to WinRAR 7.13 (or later) immediately; because WinRAR lacks auto-update, deploy the update centrally or instruct users to manually upgrade from the official RarLab distribution. Treat RAR archives from untrusted sources as hostile—quarantine or block such attachments at the gateway and train users not to open unexpected archives that trigger extraction warnings. Implement monitoring to detect new or modified LNK files in startup folders and suspicious file creations in %TEMP% and %LOCALAPPDATA%, and restrict write permissions to system and autorun directories for non-privileged accounts to reduce the ability of an attacker to persist. Ensure EDR rules cover ADS usage and suspicious archive extraction patterns, and run targeted hunts for COM hijacking or loader behaviors associated with the observed malware families.

Core Weakness – Trusted management & common utilities as attack vectors

This set of incidents exposes a recurring theme: attackers focus on trusted management planes and widely used utilities (security consoles, Exchange hybrid flows, archive tools) that organizations implicitly trust. By weaponising administrative workflows or common developer/end-user tools, adversaries achieve high-impact outcomes while often bypassing standard detection heuristics.

Proactive steps for the week

1. Trend Micro – Immediate: Deploy Trend Micro fix tool to all Apex One on-prem (2019) consoles and block console access from the internet.
2. Exchange – Immediate: Patch all Exchange hybrid servers with the April 2025 hotfix and relevant CUs (CU23 / CU14/CU15). Isolate any unpatched public servers.
3. WinRAR – Immediate: Push WinRAR 7.13 to endpoints and quarantine inbound RAR attachments from unknown senders.
4. Access hardening: Enforce MFA, IP allow-lists, and callback verification for all security management consoles and identity flows.
5. Monitoring & hunting: Create focused hunts for remote command execution attempts on Apex One hosts, forged token/API anomalies in Azure/M365, and new LNK/ADS activity on endpoints.
6. Network segmentation: Segment management consoles, Exchange admin interfaces, and GPU/ML infrastructure into separate, monitored zones.
7. Containment playbooks: Verify playbooks for management console compromise, hybrid compromise scenarios, and archive-based persistence are current and practiced.
8. User & admin briefing: Push a targeted comms blast to admins and desktop users on these threats (don’t open unknown archives; report console oddities).
9. Post-remediation validation: After fixes, run configuration health checks (Exchange Health Checker, Apex One sanity checks) and ensure disabled functionality is safely restored via vendor patching.
10. Executive summary: Prepare a short-risk brief for leadership summarising exposure, patch status, and any required outages to complete remediation.