This report analyzes the cybersecurity threat landscape observed between September 8 – 15, 2025. During this reporting week, defenders faced a mix of supply-chain compromises, SaaS token abuse, actively exploited enterprise software flaws, and high-impact platform patch cycles.
Key Highlights:
Salesloft/Drift OAuth-token abuse + Salesforce data access: FBI released a FLASH alert detailing tactics, infrastructure, and indicators for activity tracked as UNC6040 and UNC6395 that stole OAuth tokens and accessed Salesforce data at scale. Salesloft’s investigation attributes initial access to a GitHub account compromise months prior.
Mass npm supply-chain compromise: A maintainer phishing incident led to malicious versions of high-profile npm packages being pushed; downloads briefly reached ~10% of cloud environments, but the payload’s monetization failed.
CISA KEV addition (active exploitation): CVE-2025-5086 (Dassault Systèmes DELMIA Apriso, deserialization) was added to KEV, mandating federal remediation and signaling high priority for all enterprises.
Actively exploited perimeter risk (SonicWall): Global advisories warn continuing exploitation of CVE-2024-40766 SSLVPN weakness (CVSS 9.3) by Akira ransomware operators, often combined with misconfigurations.
Dominant Trends:
Token-based SaaS abuse (OAuth) and developer-ecosystem supply-chain vectors surged, with short dwell-times between compromise and mass propagation.
Rapid exploitation of already-patched edge devices and ERP platforms (SonicWall, SAP) continues where organizations lag patching.
II. GLOBAL CYBER THREAT LANDSCAPE OVERVIEW
The global cybersecurity scene is constantly changing, with threats becoming more intense and attackers using new methods. Understanding these trends is key to building strong defenses.
Key Observations:
Enterprise SaaS (Salesforce/GWS) targeted via OAuth abuse; credentialless token replay and delegated access misuse featured prominently. Mapped ATT&CK: T1528 Steal Application Access Token, T1566 Phishing, T1078 Valid Accounts.
Open-source supply chain: npm incident underscores blast radius via popular dependencies with minute-scale exposure windows.
Critical enterprise apps: SAP NetWeaver (CVE-2025-42944, CVSS 10) and S/4HANA (CVE-2025-42957) under active targeting; patch priority emphasized.
Perimeter devices: Continued exploitation of SonicWall SSLVPN (CVE-2024-40766) especially in environments with legacy/migrated accounts.
III. NOTABLE INCIDENTS AND DATA BREACHES
This week saw several major security incidents and data breaches, showing ongoing weaknesses and the varied tactics attackers use.
Salesloft / Drift supply-chain incident: GitHub account compromise led to OAuth token theft, enabling access to Salesforce and limited Google Workspace email for some targets. A reported 22 companies affected via Drift.
npm ecosystem compromise: Maintainer phishing enabled malicious package versions; widespread but low financial yield; rapid community response removed packages in ~2 hours.
Vietnam National Credit Information Center (CIC): Government confirms investigation into data-theft attempt; ShinyHunters suspected.
Kering (Gucci/Balenciaga/McQueen): Public reporting this week on a customer-data breach disclosed earlier in the year; reinforces luxury retail exposure.
IV. COMPREHENSIVE INCIDENT SUMMARY TABLE
This table provides a concise overview of notable security incidents and data breaches observed during the reporting period, or with significant ongoing implications for the period.
Date (2025)
Incident
Affected Org(s)
Impact / Notes
Sep 8
Salesloft/Drift supply-chain, OAuth token abuse
22 companies; Salesforce/GWS users
Access to CRM data via stolen OAuth tokens after GitHub compromise.
Known issue breaks SMBv1 shares over NetBT; workaround published.
V. CURRENT THREAT LANDSCAPE ANALYSIS
Analyze the broader trends shaping the threat environment this week.
Emerging Trends We’re Seeing:
OAuth and API-driven intrusion chains: Phishing → token theft → SaaS data access without password reuse. (ATT&CK: T1566, T1528).
“Patch-gap” exploitation: SonicWall SSLVPN and SAP platforms targeted where patches lag or configurations remain risky.
Supply-chain reflex: npm shows that even short-lived malicious updates propagate quickly; detections must focus on build/CI, SCA, and anomalous dependency drift.
VI. Critical Vulnerabilities and CVEs (prioritized)
The timely identification and remediation of critical vulnerabilities are paramount to maintaining a strong cybersecurity posture. This week’s disclosures and updates highlight several high-priority CVEs that demand immediate attention.
CVE
Product / Component
Severity
Status
Why it matters
Immediate mitigation
CVE-2025-5086
Dassault Systèmes DELMIA Apriso (deserialization)
–
Actively exploited (CISA KEV)
KEV entry drives urgency across sectors using Apriso MES.
Apply vendor fixes; isolate exposed Apriso services; increase WAF deserialization rule coverage; monitor for suspicious process spawns.
CVE-2025-42944
SAP NetWeaver (deserialization RCE)
CVSS 10.0
Exploitation reported
Full RCE; business-critical ERP middleware impact.
Apply SAP Sep 2025 notes; restrict access to vulnerable services; harden SAPRouter.
CVE-2025-42957
SAP S/4HANA
CVSS 9.9 (vendor)
Exploitation reported
High-impact ERP data/process exposure.
Apply SAP security notes; network-segment SAP components.
CVE-2025-55234
Windows SMB Elevation of Privilege
Important
Publicly disclosed / fixed Sep 9
Hardening may affect legacy SMBv1; requires attention to audit & compatibility.
Deploy Sept updates; enable SMB signing and EPA; audit compatibility; plan SMBv1 removal.
CVE-2024-21907
Newtonsoft.Json in SQL Server
–
Publicly disclosed; fixed in Sept updates
DoS via crafted JSON; library widely used.
Apply SQL Server updates containing patched Newtonsoft.Json.
CVE-2025-10200, CVE-2025-10201
Google Chrome (Service Worker UAF; Mojo impl.)
Critical / High
Fixed Sep 9 stable
Browser exploitation surface; endpoint-wide.
Update to Chrome 140.0.7339.127+ (Win/Linux) / .132+ (macOS).
CVE-2024-40766
SonicWall SonicOS/SSLVPN
CVSS 9.3
Actively exploited
Common initial access for Akira; linked to misconfig & legacy accounts.
Patch to fixed SonicOS; reset local LDAP-migrated accounts; restrict Virtual Office; enforce MFA; rotate credentials.
VII. THREAT ACTOR ACTIVITIES
Threat actor activities during this period demonstrate a continued evolution in sophistication, targeting, and operational models, reflecting a highly professionalized cybercrime ecosystem.
Profile active or newly observed threat actors. (TTP-mapped)
UNC6040 / UNC6395 (Salesloft/Drift OAuth campaigns) Objective: Data theft and access to Salesforce/Google Workspace via OAuth tokens. TTPs:T1566 Phishing, T1528 Steal Application Access Token, T1078 Valid Accounts. Sectors: SaaS consumers across tech and enterprise.
Akira ransomware Objective: Ransomware deployment following edge-device access. TTPs: Exploitation of SonicWall CVE-2024-40766; MFA abuse on misconfigured portals; post-exploitation disabling defenses (BYOVD noted in recent analysis). Sectors: Broad enterprise; MSP/MSSE-heavy networks.
Suspected China-nexus espionage operator (“EggStreme”) Objective: Long-term access and exfiltration in defense sector. TTPs: Fileless in-memory execution; DLL sideloading; gRPC C2; proxy tools (Stowaway). Sectors: Defense contractor in the Philippines.
VIII. MALWARE ANALYSIS
This section highlights newly identified or prominent malware strains observed during the reporting period, detailing their functionalities and impact.
Provide a technical summary of new or trending malware.
HybridPetya (Windows, ransomware/bootkit) Capabilities: EFI bootkit bypassing Secure Boot using CVE-2024-7344 path; MFT encryption; staged installer/bootkit; Bitcoin ransom workflow. Delivery: Samples seen in VirusTotal; operational behaviors described by ESET.
RatOn (Android, banking trojan) Capabilities: NFC relay fraud (POS), ATS for automated transfers, overlays, crypto-wallet ATO and seed-phrase theft, device locking. Delivery: Malicious “TikTok 18+”-themed droppers; targets Czech/Slovak users.
IX. RECOMMENDATIONS
For Technical Audiences Immediate (24–48 hours)
OAuth/SaaS response (Salesforce/GWS):
Revoke and rotate all Drift/Salesloft OAuth tokens and any suspicious Salesforce/GWS integrations; validate OAuth consent and scopes.
Query logs for anomalous setup/connect flows, unusual Connected App grants, and mass export/report activity; enable login & API auditing at maximum fidelity.
Patch & mitigation priorities:
Apply Microsoft’s Sep 2025 updates; review SMB hardening (signing, EPA) and plan for SMBv1 deprecation; note known issue and workaround if legacy NetBT is unavoidable.
Update Chrome to 140.0.7339.127/.132 or later across fleets.
Expedite patching for SAP (CVE-2025-42944/42957) and DELMIA Apriso (CVE-2025-5086); monitor for post-patch exploitation attempts.
For SonicWall: Patch for CVE-2024-40766, reset any migrated/legacy local accounts, restrict Virtual Office exposure, verify MFA enrollment, and rotate credentials.
Build/Supply-chain hygiene:
Re-sync and lock dependency versions; run SCA on recent builds; inspect CI credentials, npm tokens, and maintainer trust chains.
Detection/Response Enhancements
Map detections to ATT&CK: T1528/T1566/T1078 in SIEM; alert on sudden OAuth grants, anomalous API usage patterns, and mass read/export jobs in SaaS.
For SonicWall, ingest vendor telemetry and check for abnormal SSLVPN auth and config changes corresponding to SNWLID-2024-0015 guidance.
Strategic (30–90 days)
SaaS trust minimizing: Enforce granular OAuth scopes, short token TTLs, and admin-consent workflows; implement CASB/SSPM monitoring for third-party integrations.
SBOM & provenance: Adopt dependency-pinning, npm provenance, and pre-merge SCA; consider sigstore/attestation for critical build artifacts.
Network posture: Eliminate SMBv1; segment ERP/MES (SAP/Apriso) with strict allow-lists and WAF deserialization rules.
For Non-Technical Audiences
Security awareness:
Treat any “integration approval” prompts (email/Slack/DM) as high risk; verify out-of-band.
Avoid installing “helper apps”/mobile APKs outside official stores.
Incident reporting:
Clear internal channel for suspicious OAuth prompts, unexpected Salesforce report exports, or unusual Windows file-share issues post-patching.
X. ANALYST NOTES
The cyber threat landscape continues to evolve at an unprecedented pace, driven by several underlying dynamics that warrant careful consideration beyond the immediate incidents.
Based on this week’s activity, we anticipate:
Shorter timelines between maintainer compromise and package propagation in open-source ecosystems; enforce rapid automated dependency quarantine in CI when metadata drift is detected.
Token-centric intrusion chains to continue across SaaS due to weaker monitoring of OAuth events relative to password logins; prioritize SaaS audit log retention and analytics.
Opportunistic ERP/MES targeting (SAP/Apriso) in mid-market manufacturers where segmentation and patch cadence are weaker.
XI. CONTACT INFORMATION
For further inquiries or guidance regarding this report, please contact the Meraal Cyber Security (MCS) Threat Intelligence Team.
Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.
