IIS servers being exploited, a warning for Windows 11 22H2, PaperCut and VMware exploits, and the latest vulnerabilities...
Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. We’ve also got the latest CVE information to help you stay ahead of vulnerabilities. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
News & Articles
Hackers Exploit IIS Servers with New Web Shell Script for Full Remote Control
Security researchers have examined a sophisticated web shell script, UpdateChecker.aspx, found installed on compromised Internet Information Services (IIS) servers, in response to a notable increase in cyberthreats directed at Microsoft Windows installations.
This analysis stems from a follow-up investigation by FortiGuard’s Incident Response Team into a prolonged intrusion at a Middle East critical national infrastructure (CNI) site, where attackers installed multiple web shells to maintain persistent access. The web shell enables full remote control of affected systems, posing a high-severity risk to Windows users by allowing unauthorised command execution, file manipulation, and data exfiltration. Operating under the guise of a legitimate ASPX page, the script leverages heavy obfuscation in its C# code, with randomly generated method, variable, and class names encoded in Unicode, alongside encrypted strings and numeric constants.
This obfuscation thwarts initial reverse-engineering efforts, but de-obfuscation reveals the core functionality centred around the Page_Load() entry point, which processes incoming HTTP requests exclusively on the server side. The web shell accepts commands only via HTTP POST requests with an application/octet-stream content type; any deviation triggers an error response. Command payloads are encrypted, Base64-encoded, and structured as JSON objects, beginning with a 16-byte header decrypted using a hardcoded key to yield a 15-byte session key for the remaining data. Essential JSON keys include ProtocolVersion (fixed at 1.0), ModuleName, and RequestName, with optional parameters dictating specific actions. Omitting any of these produces an error message, so commands are strictly validated before execution.
Traffic analysis, simulated through tools like Wireshark, shows encrypted binaries in POST bodies, decrypted to reveal JSON-formatted instructions and responses, facilitating seamless attacker-victim interactions without raising immediate alarms. Organisations suspecting compromise should engage incident response teams and bolster awareness through security training to mitigate phishing vectors that often precede such intrusions.
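As an added example (not FortiGuard’s code or part of the original article), the following Python heuristic flags logged HTTP requests that match the command-channel shape described above: a POST to an .aspx page with an application/octet-stream content type whose Base64 body decodes to a high-entropy blob at least 16 bytes long. The request records and the “ciphertext” are constructed stand-ins for what a reverse proxy or WAF might log.

```python
"""Heuristic detector for the command channel of the UpdateChecker.aspx web shell
described above: POST to an .aspx page, Content-Type application/octet-stream, and a
Base64 body decoding to an encrypted blob of at least 16 bytes (the session-key header).
Added example, not FortiGuard's code; request records are constructed proxy/WAF stand-ins."""
import base64
import binascii
import math
from collections import Counter

HEADER_LEN = 16  # size of the encrypted header that carries the session key

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def entropy_ratio(data: bytes) -> float:
    """Entropy relative to the maximum a blob this size can reach, so short
    ciphertexts (which cannot hit 8 bits/byte) are still scored fairly."""
    n = len(data)
    return shannon_entropy(data) / min(8.0, math.log2(n)) if n >= 2 else 0.0

def decode_b64(text: str):
    """Canonical Base64 decode, or None when the body is not Base64 at all."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None

def is_suspicious(req: dict, min_ratio: float = 0.9) -> bool:
    """True when one logged request matches the web shell's traffic pattern."""
    if req.get("method") != "POST" or not req.get("path", "").lower().endswith(".aspx"):
        return False
    if req.get("content_type", "").split(";")[0].strip().lower() != "application/octet-stream":
        return False
    blob = decode_b64(req.get("body", ""))
    return blob is not None and len(blob) >= HEADER_LEN and entropy_ratio(blob) >= min_ratio

def flag_requests(requests):
    """Return the paths of every request that matches, for analyst triage."""
    return [r["path"] for r in requests if is_suspicious(r)]

# Constructed sample traffic; the "ciphertext" is a deterministic high-entropy stand-in.
_FAKE_CIPHERTEXT = bytes((i * 97 + 13) % 256 for i in range(64))  # 64 distinct byte values
OCTET = "application/octet-stream"
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/UpdateChecker.aspx", "content_type": "", "body": ""},
    {"method": "POST", "path": "/login.aspx", "content_type": "application/x-www-form-urlencoded", "body": "user=a"},
    {"method": "POST", "path": "/UpdateChecker.aspx", "content_type": OCTET, "body": base64.b64encode(b"A" * 64).decode()},
    {"method": "POST", "path": "/UpdateChecker.aspx", "content_type": OCTET, "body": base64.b64encode(_FAKE_CIPHERTEXT).decode()},
]
```

Only the last sample request is flagged; the third shares the method, path and content type but its body is low-entropy and so does not look encrypted.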
Microsoft will stop supporting Windows 11 22H2 in October
Microsoft has reminded customers that the last supported editions of Windows 11 22H2 will reach their end of servicing on October 14.
This announcement applies to Windows 11 22H2 Enterprise, Education, and IoT Enterprise editions, released on September 20, 2022, and follows the end of service for the Home and Pro editions, which occurred last October. “The October 2025 monthly security update will be the last update available for this version. After this date, devices running this version will no longer receive monthly security and preview updates containing protections from the latest security threats,” Microsoft said. “To help keep you protected and productive, Windows Update will automatically initiate a feature update for Windows 11 consumer devices and non-managed business devices as they have reached end of servicing. This keeps your device supported and receiving monthly updates that are critical to security and ecosystem health”.
However, according to the company, customers will be able to choose a convenient time outside active hours for the device to reboot and complete the Windows 24H2 feature update. You can also find further information about the end-of-service dates of other Windows releases on the Windows Lifecycle FAQ page or using the Lifecycle Policy search tool.
Microsoft also provides a list of all products that will reach the end of support or will be retired over the coming months. Windows 11, version 24H2 (also known as the Windows 11 2024 Update), the latest version of Windows 11, began rolling out in May 2024 to enterprise customers enrolled in the Windows Insider Release Preview Channel and was released to eligible Windows 11 22H2/23H2 devices in October. To receive the latest feature updates as soon as possible, go to Settings > Windows Update and enable the “Get the latest updates as soon as they’re available” option. However, it’s important to note that Redmond has added several Windows 11 24H2 safeguard holds for devices with incompatible drivers and software.
CISA Adds PaperCut NG/MF CSRF Vulnerability to KEV Catalog Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security vulnerability impacting PaperCut NG/MF print management software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2023-2533 (CVSS score: 8.4), is a cross-site request forgery (CSRF) bug that could result in remote code execution.
“PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code,” CISA said in an alert.
PaperCut NG/MF is commonly used by schools, businesses, and government offices to manage print jobs and control network printers. Because the admin console typically runs on internal web servers, an exploited vulnerability here could give attackers an easy foothold into broader systems if overlooked. In a potential attack scenario, a threat actor could leverage the flaw to target an admin user with a current login session and deceive them into clicking on a specially crafted link that leads to unauthorised changes.
It’s currently not known how the vulnerability is being exploited in real-world attacks. But given that shortcomings in the software have previously been abused by Iranian nation-state actors as well as e-crime groups like Bl00dy, Cl0p, and LockBit ransomware for initial access, it’s essential that users apply the necessary updates if they have not already done so.
Scattered Spider Exploiting VMware vSphere
The financially motivated hacking group Scattered Spider has been observed targeting VMware vSphere environments, taking full control of hypervisors, Google’s Threat Intelligence Group (GTIG) warns.
Active since early 2022 and also tracked as Muddled Libra, Scatter Swine, Starfraud, and UNC3944, the hacking group has been blamed for multiple high-profile attacks, including MGM Resorts’ infection with BlackCat (Alphv) ransomware and the 0ktapus campaign that hit over 130 organisations.
A fresh report from GTIG focuses on the group’s vSphere-centric attacks, showing how the hackers are pivoting from Active Directory to vSphere to steal data and deploy ransomware directly from the hypervisor, bypassing security tools that have limited or no visibility into the ESXi hypervisor and vCenter Server Appliance (VCSA). According to Google, the threat actors move methodically from a low-level foothold to complete hypervisor control across five phases: initial access, reconnaissance, and privilege escalation; vCenter control plane compromise; hypervisor heist; backup sabotage; and ransomware execution.
Impersonating an organisation’s employee, Scattered Spider members call the IT help desk and rely on social engineering to reset the employee’s Active Directory password. Using this access, they harvest information to identify administrators and weak access controls, then call the help desk again to reset the password for an admin account.
Using the harvested Active Directory credentials to pivot into vSphere, the attackers gain virtual “physical” (console) access to the VCSA, change the root password, enable SSH access, and deploy the open-source remote access tool Teleport to create a persistent, encrypted reverse shell. With SSH enabled on the ESXi hosts and their root passwords reset, the attackers then target a Domain Controller VM: they power it off, detach its virtual disk, attach the disk to a VM they control to extract the Active Directory database, and then reattach it. Next, the attackers use their Active Directory access to delete backup jobs, snapshots, and repositories to prevent recovery, and then use SSH access to the ESXi hosts to deploy ransomware. Before executing the malware to encrypt VM files, they power off every VM on the host.
Latest Vulnerabilities & Exploits
CVE-2025-8286
Critical - Güralp FMUS
Güralp FMUS series seismic monitoring devices expose an unauthenticated Telnet-based command line interface that could allow an attacker to modify hardware configurations, manipulate data, or factory reset the device.
CVE-2025-50572
High - Archer
An issue was discovered in Archer Technology RSA Archer 6.11.00204.10014 allowing attackers to execute arbitrary code via crafted system inputs that are exported into a CSV file and executed when the user opens the file with a compatible application.
CVE-2025-23289
Medium - NVIDIA Omniverse Launcher
NVIDIA Omniverse Launcher for Windows and Linux contains a vulnerability in the launcher logs, where a user could cause sensitive information to be written to the log files through proxy servers. A successful exploit of this vulnerability might lead to information disclosure.
CVE-2023-32251
Low - Linux KSMBD Component
A vulnerability has been identified in the Linux kernel’s ksmbd component (kernel SMB/CIFS server). A security control designed to prevent dictionary attacks, which introduces a 5-second delay during session setup, can be bypassed through the use of asynchronous requests. This bypass negates the intended anti-brute-force protection, potentially allowing attackers to conduct dictionary attacks more efficiently against user credentials or other authentication mechanisms.
