SOCshare August 2025: cyber threat landscape updates


August 2025 ranged from “invisible” exploits in the common archival tool WinRAR to massive supply chain ripples affecting Salesforce and SharePoint. 

WinRAR Gets Weaponized 

On August 8, ESET researchers reported that Russia-linked threat actor RomCom exploited WinRAR CVE-2025-8088 as a zero-day in spearphishing attacks to deploy various backdoors. 

The path traversal flaw, fixed in version 7.13, allowed crafted archives to place executables in autorun paths for remote code execution. The attack was straightforward: send someone a malicious RAR file that looks legitimate (for example, a CV; when the archive is viewed in WinRAR it shows only a PDF), they extract it, and a backdoor is installed automatically.

It was the second time a path traversal vulnerability was exploited in WinRAR (the first being in June, CVE-2025-6218). This time the exploit relied on the ADS trick: hiding executables in NTFS alternate data streams, making them virtually invisible to the victim.
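The two red flags described above, archive members that climb out of the extraction directory into an autorun location and member names carrying NTFS alternate data stream syntax, can both be caught by inspecting member names before anything is written to disk. The following is an added example, not code from the original post or from ESET or WinRAR: a small pre-extraction checker that classifies each member name. The sample listing is constructed for illustration, the autorun marker list is an assumption you would extend for your environment, and the names would in practice come from a RAR or ZIP library's member list.

```python
import re
from typing import Dict, List

# Constructed sample listing of archive member names (illustrative only, not
# taken from any real campaign). In practice these would come from the
# member list returned by a RAR/ZIP library before extraction.
SAMPLE_ENTRIES = [
    "CV_Jane_Doe.pdf",
    "docs/readme.txt",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/updater.exe",
    "CV_Jane_Doe.pdf:payload.exe",
    "C:/Users/Public/notes.txt",
]

# Directory fragments that Windows executes from at logon (assumed list; extend
# for your environment). A relative entry that climbs into one of these is the
# "executable in an autorun path" pattern.
AUTORUN_MARKERS = (
    "start menu/programs/startup",
)

DRIVE_PREFIX_RE = re.compile(r"^[A-Za-z]:/")


def classify_entry(name: str) -> List[str]:
    """Return the list of red flags for one archive member name.

    Flags, in a fixed order: 'absolute', 'traversal', 'ads', 'autorun'.
    An empty list means the name looks like a normal relative path.
    """
    findings: List[str] = []
    path = name.replace("\\", "/")  # archive writers may use either separator

    # 1. Absolute or drive-rooted paths: the archive dictates where the file lands.
    if path.startswith("/") or DRIVE_PREFIX_RE.match(path):
        findings.append("absolute")

    # 2. Parent-directory components: the extracted file escapes the target dir.
    if ".." in path.split("/"):
        findings.append("traversal")

    # 3. NTFS alternate data stream syntax: "file.pdf:stream" hides a second
    #    payload behind a harmless-looking filename. Strip a drive prefix first
    #    so "C:/" is not mistaken for a stream separator.
    basename = DRIVE_PREFIX_RE.sub("", path).rsplit("/", 1)[-1]
    if ":" in basename:
        findings.append("ads")

    # 4. Destination inside a known autorun directory.
    if any(marker in path.lower() for marker in AUTORUN_MARKERS):
        findings.append("autorun")

    return findings


def scan_archive(entries: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious member name to its findings; clean entries are omitted."""
    report: Dict[str, List[str]] = {}
    for entry in entries:
        flags = classify_entry(entry)
        if flags:
            report[entry] = flags
    return report


def is_safe_to_extract(entries: List[str]) -> bool:
    """Gate an extraction: refuse the whole archive if any member is flagged."""
    return not scan_archive(entries)


if __name__ == "__main__":
    for entry, flags in scan_archive(SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(flags)}")
    print("safe to extract:", is_safe_to_extract(SAMPLE_ENTRIES))
```

The check refuses the whole archive rather than skipping individual members, because a legitimate-looking PDF sitting next to a flagged entry is exactly the lure the campaign relied on; a mail gateway or endpoint agent can run the same logic on the member list long before a user opens WinRAR.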

Users must manually update WinRAR, which lacks auto-update. If you’re still running version 7.12, you’ve got a vulnerability on your system and probably don’t realize it. By the time ESET went public, RomCom had already been using this in active spearphishing campaigns for weeks. 

What Else Happened in August 2025? 

The rest of August saw attackers moving upstream to exploit the very platforms we trust to manage our data. It was a month of massive supply chain ripples and high-stakes statecraft. 

  • The Salesforce “Cascade”: Between August 8 and 18, threat actor UNC6395 orchestrated a data theft campaign by compromising OAuth tokens linked to the Salesloft Drift integration. By abusing this trusted “side door,” the attackers bypassed CRM-level MFA to exfiltrate sensitive credentials (including AWS keys and Snowflake tokens) from hundreds of Salesforce instances. This incident proved that even a hardened core system remains vulnerable if its third-party integrations possess over-privileged permissions. 
  • SharePoint “ToolShell” Attacks: Unknown threat actors exploited a zero-day SharePoint vulnerability (the exact vulnerability wasn’t disclosed, but it was likely linked to CVE-2025-53770) to breach the Canadian House of Commons. There were multiple attacks like this (dubbed “ToolShell” by researchers) using SharePoint zero-days that allowed the exfiltration of sensitive employee data and device management databases. 
  • The “Regional Cyber Alliance”: On August 1, Ukraine, Romania, and Moldova officially formed a Regional Cyber Alliance. It was a direct response to coordinated Russian-linked activity, and it aims to strengthen cooperation and cyber defenses by exchanging information on cyber threats, jointly developing and implementing artificial intelligence-based solutions, and training specialists. 

Looking ahead

Audit your integrations
Don’t just secure your login; secure your OAuth permissions. Most companies have "zombie" apps with high-level access to their CRM or HR data. If an app doesn't need to read your entire customer database, revoke its tokens.
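The audit described above is easy to turn into a repeatable check once you export the list of connected apps, their granted scopes and when each token was last exercised. The following is an added example, not code from the original post or from Salesforce or Salesloft: it scores each integration on breadth of access and staleness and recommends revoke, reduce or keep. The inventory is constructed for illustration, and the scope names are an assumption modelled on Salesforce-style labels; substitute whatever your platform's token export reports.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Scope names that hand an integration broad access to the whole tenant.
# Assumption: Salesforce-style scope labels; adjust for your platform.
BROAD_SCOPES = frozenset({"full", "api"})
# Scopes that let an app mint new access tokens indefinitely without a user present.
PERSISTENT_SCOPES = frozenset({"refresh_token", "offline_access"})


@dataclass(frozen=True)
class ConnectedApp:
    name: str
    scopes: FrozenSet[str]
    last_used: Optional[date]  # None = token granted but never exercised


# Constructed inventory for illustration only; names, scopes and dates are made
# up and do not describe any real vendor's integration.
SAMPLE_APPS = [
    ConnectedApp("Chat-to-CRM connector",
                 frozenset({"api", "refresh_token", "offline_access"}), date(2025, 8, 28)),
    ConnectedApp("Legacy marketing sync",
                 frozenset({"full", "refresh_token"}), date(2024, 7, 1)),
    ConnectedApp("Read-only dashboard",
                 frozenset({"id", "profile"}), date(2025, 8, 30)),
    ConnectedApp("Survey tool trial",
                 frozenset({"api"}), None),
]


def review_app(app: ConnectedApp, today: date, stale_days: int = 90) -> Dict[str, object]:
    """Return findings and a recommended action for one connected app."""
    findings: List[str] = []
    # A token nobody has used for `stale_days` (or ever) is a "zombie" grant.
    if app.last_used is None or (today - app.last_used).days > stale_days:
        findings.append("stale")
    # Tenant-wide scopes: the app can read far more than it needs.
    if app.scopes & BROAD_SCOPES:
        findings.append("broad-scope")
    # Refresh/offline scopes keep the side door open even after users log out.
    if app.scopes & PERSISTENT_SCOPES:
        findings.append("long-lived-token")

    if "stale" in findings:
        action = "revoke"   # nobody is using it: a pure liability
    elif "broad-scope" in findings:
        action = "reduce"   # in use, but re-consent with the minimal scope set
    else:
        action = "keep"
    return {"name": app.name, "findings": findings, "action": action}


def audit(apps: List[ConnectedApp], today: date, stale_days: int = 90) -> Dict[str, List[str]]:
    """Group app names by recommended action: revoke, reduce or keep."""
    grouped: Dict[str, List[str]] = {"revoke": [], "reduce": [], "keep": []}
    for app in apps:
        result = review_app(app, today, stale_days)
        grouped[str(result["action"])].append(str(result["name"]))
    return grouped


if __name__ == "__main__":
    for action, names in audit(SAMPLE_APPS, date(2025, 8, 31)).items():
        print(f"{action}: {names}")
```

Run it against a fresh export on a schedule rather than once: the value is in catching the integration that was granted "api" plus a refresh token for a trial two quarters ago and has quietly kept that access ever since.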
Regulatory compliance
As of August 1, 2025, the EU Radio Equipment Directive (RED) requirements for internet-connected devices took effect. If you’re a manufacturer or enterprise buyer, ensure your hardware meets these new requirements.

Stay vigilant and automate your hygiene
