• External penetration testing is a crucial practice for any organization aiming to validate its security posture against real-world threats.

    In 2025, with the proliferation of cloud services, SaaS applications, and remote work, an organization’s external attack surface is larger and more complex than ever.

    An external penetration test simulates a real-world cyber attack, targeting public-facing assets like websites, firewalls, and mail servers, to find and exploit vulnerabilities before attackers do.

    The best companies in this field combine the expertise of highly skilled human testers with advanced, scalable technology to provide actionable, continuous security insights.

    Why We Choose It

    External penetration testing is not a “check-the-box” compliance exercise. It’s a proactive security measure that directly addresses the most common initial access vectors for attackers: publicly accessible vulnerabilities and misconfigurations.

    By simulating an attack from the perspective of an external adversary, these tests provide a realistic view of an organization’s most critical weaknesses.

    A successful test can uncover gaps in a company’s defenses that automated scanners miss, such as a logical flaw in an application or an exploitable misconfiguration in a cloud service.

    How We Choose It

    To select the top 10 external penetration testing companies, we evaluated them based on the following criteria:

    • Experience & Expertise (E-E): We looked for companies with a proven track record, a team of highly certified and respected testers, and a deep understanding of modern attack techniques.
    • Authoritativeness & Trustworthiness (A-T): We considered market leadership, industry recognition, and the reputation of their proprietary research teams (e.g., X-Force Red, SpiderLabs).
    • Feature-Richness: We assessed the breadth of their offerings, looking for core capabilities in:
        • Human-Led Testing: The ability to perform manual, creative exploitation beyond automated scanning.
        • Platform/PtaaS Model: The use of a platform to provide real-time reporting, collaboration, and continuous testing.
        • Reconnaissance & Scoping: A robust methodology for discovering and mapping an organization’s entire external attack surface.
        • Reporting & Remediation: Clear, actionable reports with detailed remediation guidance and re-testing options.

    Comparison Of Key Features in 2025

    Company            | Human-Led Testing | Platform/PtaaS Model | Reconnaissance | Reporting & Remediation
    IBM Security       | ✅ Yes            | ✅ Yes               | ✅ Yes         | ✅ Yes
    NetSPI             | ✅ Yes            | ✅ Yes               | ✅ Yes         | ✅ Yes
    Synack             | ✅ Yes            | ✅ Yes               | ✅ Yes         | ✅ Yes
    Rapid7             | ✅ Yes            | ✅ Yes               | ✅ Yes         | ✅ Yes
    CrowdStrike        | ✅ Yes            | ✅ Yes               | ✅ Yes         | ✅ Yes
    Offensive Security | ✅ Yes            | ❌ No                | ✅ Yes         | ✅ Yes
    Trustwave          | ✅ Yes            | ✅ Yes               | ✅ Yes         | ✅ Yes
    Coalfire           | ✅ Yes            | ❌ No                | ✅ Yes         | ✅ Yes
    Bishop Fox         | ✅ Yes            | ✅ Yes               | ✅ Yes         | ✅ Yes
    HackerOne          | ✅ Yes            | ✅ Yes               | ✅ Yes         | ✅ Yes

    1. IBM Security


    IBM Security’s X-Force Red team is one of the most respected offensive security teams in the world. Composed of seasoned hackers and researchers, X-Force Red goes beyond standard testing by conducting advanced, objective-based engagements.

    Their expertise is leveraged for high-stakes targets, including critical infrastructure and financial services. The team’s deep integration with IBM’s extensive threat intelligence and a centralized platform for real-time collaboration ensures a highly effective and data-driven approach to external testing.

    Why You Want to Buy It:

    IBM’s X-Force Red combines decades of real-world experience with top-tier threat intelligence. This allows them to simulate highly sophisticated, targeted attacks that go far beyond a typical vulnerability scan, providing a true measure of an organization’s resilience.

    Feature           | Yes/No | Specification
    Human-Led Testing | ✅ Yes | Team of elite, full-time security experts.
    Platform/PtaaS    | ✅ Yes | Real-time collaboration and findings dashboard.
    Reconnaissance    | ✅ Yes | Advanced external asset discovery and mapping.
    Reporting         | ✅ Yes | Actionable reports with strategic recommendations.

    ✅ Best For: Large, high-profile enterprises in regulated industries that require a strategic, objective-based approach to testing from a globally recognized and trusted security leader.

    Try IBM Security (X-Force Red) here → IBM Security X-Force Red Official Website

    2. NetSPI


    NetSPI is a top player in penetration testing, known for its innovative Penetration Testing as a Service (PTaaS) platform. The company’s platform provides continuous, on-demand testing, real-time results, and advanced analytics.

    NetSPI’s team of dedicated pentesters is known for its rigorous, methodical approach and ability to uncover complex vulnerabilities.

    The combination of expert human talent and a scalable, data-driven platform makes them a leader in the industry.

    Why You Want to Buy It:

    NetSPI’s PTaaS platform streamlines the entire testing process, from scoping to remediation. The ability to see and collaborate on findings in real-time dramatically reduces the time to fix vulnerabilities, making it a highly efficient solution.

    Feature           | Yes/No | Specification
    Human-Led Testing | ✅ Yes | 300+ in-house pentesters with deep expertise.
    Platform/PtaaS    | ✅ Yes | The NetSPI Platform offers continuous, on-demand testing.
    Reconnaissance    | ✅ Yes | Includes comprehensive external attack surface mapping.
    Reporting         | ✅ Yes | Real-time findings, integrations with Jira/ServiceNow, and clear reports.

    ✅ Best For: Organizations that need a scalable, continuous approach to penetration testing and want a platform that provides real-time visibility and collaboration on findings.

    Try NetSPI here → NetSPI Official Website

    3. Synack


    Synack pioneered the Penetration Testing as a Service (PTaaS) model, blending the power of a global, vetted community of ethical hackers with a secure, on-demand platform.

    Unlike traditional firms, Synack can deploy multiple researchers on a single engagement, providing broader coverage and finding more vulnerabilities in less time.

    The platform provides a transparent view of findings and progress, with real-time patch verification and on-demand testing.

    Why You Want to Buy It:

    Synack’s model offers unmatched scalability and speed. The ability to engage a diverse team of researchers provides a more comprehensive test, and the platform simplifies management, allowing teams to quickly address vulnerabilities.

    Feature           | Yes/No | Specification
    Human-Led Testing | ✅ Yes | A vetted community of 1,500+ ethical hackers.
    Platform/PtaaS    | ✅ Yes | On-demand PTaaS platform with continuous testing.
    Reconnaissance    | ✅ Yes | Continuous asset discovery and AI-powered risk validation.
    Reporting         | ✅ Yes | Real-time reporting, collaboration, and patch verification.

    ✅ Best For: Organizations that need continuous, on-demand external testing and want to leverage the power of a crowdsourced community of elite ethical hackers.

    Try Synack here → Synack Official Website

    4. Rapid7


    Rapid7 offers a comprehensive suite of security services, including expert-led external penetration testing.

    Leveraging its deep expertise in vulnerability management (via the InsightVM platform) and its contributions to the Metasploit project, Rapid7’s testing team is well-versed in the latest exploits.

    Their tests are designed to find and validate vulnerabilities, providing clear, actionable insights to reduce risk and improve security posture.

    Why You Want to Buy It:

    Rapid7’s penetration testing services are tightly integrated with its threat intelligence and vulnerability management solutions.

    This ensures that findings are not only discovered but also prioritized and managed effectively, providing a seamless path to remediation.

    Feature           | Yes/No | Specification
    Human-Led Testing | ✅ Yes | A team of experienced pentesters.
    Platform/PtaaS    | ✅ Yes | Findings are managed within the Insight Platform.
    Reconnaissance    | ✅ Yes | Includes external asset and open-source intelligence (OSINT) gathering.
    Reporting         | ✅ Yes | Clear, prioritized reports with remediation advice.

    ✅ Best For: Organizations that already use Rapid7’s security products and want to leverage the company’s in-house expertise for a holistic approach to vulnerability management and testing.

    Try Rapid7 here → Rapid7 Official Website

    5. CrowdStrike


    CrowdStrike, a leader in endpoint security, provides expert-led penetration testing services as part of its broader Falcon platform.

    Their testing goes beyond traditional methods, focusing on simulating real-world adversary tactics, techniques, and procedures (TTPs).

    The team, backed by CrowdStrike’s renowned threat intelligence, provides a realistic assessment of an organization’s defenses against today’s most sophisticated attackers.

    Why You Want to Buy It:

    CrowdStrike’s deep understanding of adversary behavior, derived from its Falcon platform, allows its testers to replicate the most current and dangerous attack techniques.

    This provides a truly realistic and valuable assessment of an organization’s external defenses.

    Feature           | Yes/No | Specification
    Human-Led Testing | ✅ Yes | A team with extensive experience in red teaming and incident response.
    Platform/PtaaS    | ✅ Yes | Findings are managed within the Falcon platform.
    Reconnaissance    | ✅ Yes | Focus on external system identification and enumeration.
    Reporting         | ✅ Yes | Detailed reports with strategic and technical recommendations.

    ✅ Best For: Organizations that want a penetration test from a company with unrivaled threat intelligence and a focus on simulating modern, targeted attacks.

    Try CrowdStrike here → CrowdStrike Official Website

    6. Offensive Security


    Offensive Security is the premier provider of hands-on, professional penetration testing training and certifications (OSCP, OSEP, etc.).

    While primarily known for its educational offerings, its professional services division applies the same rigorous, hacker-minded methodology to client engagements.

    The Offensive Security team is revered for its ability to find the most deeply hidden and creative vulnerabilities, a skill honed by its world-class training programs.

    Why You Want to Buy It:

    The caliber of Offensive Security’s testers is arguably the highest in the industry.

    Their engagements are not about checking boxes; they are about proving a security posture through creative, persistent hacking. This provides an unmatched level of assurance and discovery.

    Feature           | Yes/No | Specification
    Human-Led Testing | ✅ Yes | A team of highly certified and skilled hackers.
    Platform/PtaaS    | ❌ No  | Focus is on traditional, deep-dive engagements.
    Reconnaissance    | ✅ Yes | Uses advanced, manual reconnaissance techniques.
    Reporting         | ✅ Yes | Detailed reports with reproduction steps and proof-of-concept exploits.

    ✅ Best For: Organizations seeking a highly technical, deep-dive penetration test from a firm whose brand is synonymous with elite ethical hacking skills.

    Try Offensive Security here → Offensive Security Official Website

    7. Trustwave


    Trustwave, now a LevelBlue company, is a global cybersecurity firm with a renowned team of ethical hackers and researchers known as SpiderLabs.

    Trustwave’s external penetration testing services leverage this team’s extensive threat intelligence and a systematic, multi-phase methodology to uncover and exploit vulnerabilities.

    Their services are designed for organizations of all sizes, from small businesses to large enterprises, and are known for their thoroughness and detail.

    Why You Want to Buy It:

    Trustwave’s SpiderLabs is a highly respected group that combines real-world attack expertise with proactive threat research.

    This allows their testers to simulate attacks that are not just theoretical but are based on actual, emerging threats.

    Feature           | Yes/No | Specification
    Human-Led Testing | ✅ Yes | The expert Trustwave SpiderLabs team.
    Platform/PtaaS    | ✅ Yes | Findings are managed within the Trustwave Fusion platform.
    Reconnaissance    | ✅ Yes | Includes OSINT and automated scanning for initial discovery.
    Reporting         | ✅ Yes | Clear, prioritized reports with remediation guidance.

    ✅ Best For: Companies that want a comprehensive, end-to-end security solution from a specialized MSSP with a dedicated, world-class research team.

    Try Trustwave here → Trustwave Official Website

    8. Coalfire


    Coalfire is a cybersecurity services firm with a strong focus on compliance and advisory services.

    Its external penetration testing services are particularly well-regarded for their alignment with major security frameworks such as FedRAMP and PCI.

    Coalfire’s expert teams conduct rigorous, compliance-driven tests to ensure that organizations not only meet regulatory requirements but also strengthen their security posture against real-world threats.

    Why You Want to Buy It:

    Coalfire’s dual expertise in technical security and compliance makes them an ideal partner for organizations navigating complex regulatory environments.

    Their tests are designed to provide both the technical findings needed for remediation and the documentation required for audits.

    Feature           | Yes/No | Specification
    Human-Led Testing | ✅ Yes | A team of experienced pentesters.
    Platform/PtaaS    | ❌ No  | Focus is on traditional, project-based engagements.
    Reconnaissance    | ✅ Yes | In-depth asset discovery and enumeration.
    Reporting         | ✅ Yes | Detailed reports with a strong focus on compliance.

    ✅ Best For: Regulated businesses in industries like financial services and healthcare that need a penetration test that is both technically robust and fully compliant with industry standards.

    Try Coalfire here → Coalfire Official Website

    9. Bishop Fox


    Bishop Fox is a pure-play offensive security firm renowned for its elite team of hackers and a creative, objective-based approach to testing. The company’s services range from standard penetration tests to full-scale red team exercises.

    Bishop Fox’s team, known as the “Fox,” is highly respected for its ability to find and exploit the most obscure and complex vulnerabilities. The company also offers a hybrid PTaaS model called Continuous Attack Surface Testing (CAST).

    Why You Want to Buy It:

    Bishop Fox’s reputation for technical excellence is unmatched. Their testers are not only technically proficient but also creative, using innovative methods to breach defenses.

    This provides a deep and thorough assessment that few other firms can replicate.

    Feature           | Yes/No | Specification
    Human-Led Testing | ✅ Yes | The elite “Fox” team of security professionals.
    Platform/PtaaS    | ✅ Yes | Hybrid PTaaS model for continuous testing.
    Reconnaissance    | ✅ Yes | Comprehensive external asset discovery.
    Reporting         | ✅ Yes | Actionable, high-quality reports with clear findings.

    ✅ Best For: Organizations that want a top-tier, white-glove security assessment from one of the most respected offensive security firms in the world.

    Try Bishop Fox here → Bishop Fox Official Website

    10. HackerOne


    HackerOne is the leading bug bounty platform, but it has expanded its offerings to include managed penetration testing services.

    HackerOne’s platform provides a unique combination of a curated community of ethical hackers and a managed service that scopes, manages, and reports on the engagement.

    This model offers the best of both worlds: the targeted, focused scope of a traditional pen test with the flexibility and scale of a bug bounty program.

    Why You Want to Buy It:

    HackerOne’s unique model allows a test to be launched quickly with a hand-picked team of specialists.

    The platform provides continuous visibility into findings, and the company’s reputation as a bug bounty leader ensures the quality of the ethical hackers involved.

    Feature           | Yes/No | Specification
    Human-Led Testing | ✅ Yes | A curated community of ethical hackers.
    Platform/PtaaS    | ✅ Yes | Managed penetration testing service on the HackerOne platform.
    Reconnaissance    | ✅ Yes | Scope-based asset discovery and management.
    Reporting         | ✅ Yes | Real-time reporting on the platform with re-testing.

    ✅ Best For: Organizations that want to combine the benefits of a focused penetration test with the scale and flexibility of a crowdsourced bug bounty platform.

    Try HackerOne here → HackerOne Official Website

    Conclusion

    The best external penetration testing companies in 2025 are those that blend human expertise with a scalable, technology-driven platform.

    While automated scanners can find common vulnerabilities, it is the creative, methodical work of human testers that uncovers the true, exploitable weaknesses.

    For enterprises that prioritize a strategic and data-driven approach, firms like IBM Security and Rapid7 are excellent choices.

    For those who value the flexibility and scale of a crowdsourced model, Synack and HackerOne offer compelling, modern alternatives.

    And for a deep, technical dive into a system’s defenses, pure-play offensive firms like NetSPI, Bishop Fox, and Offensive Security stand out.

    The right choice depends on your organization’s specific needs, but any of these top-tier companies will provide the insight needed to stay ahead of today’s most persistent cyber threats.

    The post Top 10 Best External Penetration Testing Companies in 2025 appeared first on Cyber Security News.


  • A sophisticated malware strain targeting exposed Docker APIs has emerged with enhanced infection capabilities that go beyond traditional cryptomining operations.

    The threat, discovered in August 2025, demonstrates evolved tactics designed to establish persistent root access while denying other attackers access to compromised systems.

    The malware represents a significant evolution from a variant originally reported by Trend Micro in June 2025.

    While the initial strain focused primarily on cryptocurrency mining operations hidden behind Tor infrastructure, this new iteration exhibits more complex behavior patterns.

    The attack begins by exploiting misconfigured Docker APIs accessible from the internet, specifically targeting port 2375 where administrators have inadvertently exposed their Docker daemon without proper authentication.

    The infection process starts when attackers create malicious containers based on Alpine Linux images, mounting the host filesystem to gain privileged access.

    Through a Base64-encoded payload, the malware downloads and executes a shell script from a Tor hidden service, establishing multiple persistence mechanisms across the compromised system.

    Akamai analysts identified this variant during routine honeypot monitoring, noting distinct behavioral differences from previously documented attacks.

    The researchers observed that unlike its predecessors, this strain implements superiority tactics designed to lock out competing threat actors from the same vulnerable systems.

    Advanced Persistence and Defense Evasion Mechanisms

    The malware’s most notable advancement lies in its comprehensive approach to maintaining exclusive access to compromised infrastructure.

    After initial compromise, the attack deploys a script called docker-init.sh that implements multiple layers of persistence and defensive measures.

    The persistence mechanism operates through several coordinated actions. First, the malware appends an attacker-controlled SSH public key to /root/.ssh/authorized_keys, giving it direct root access that bypasses normal authentication.

    Subsequently, it establishes a cron job that executes every minute, systematically blocking access to port 2375 across multiple firewall platforms including iptables, ufw, firewall-cmd, pfctl, and nft.

    # Excerpt of the attacker's docker-init.sh as quoted in the report (the quoted excerpt ends mid-case)
    PORT=2375
    PROTOCOL=tcp
    # Cycle through the supported firewall front-ends and act on whichever is installed
    for fw in firewall-cmd ufw pfctl iptables nft; do
      if command -v "$fw" >/dev/null 2>&1; then
        case "$fw" in
          firewall-cmd)
            # Reject inbound TCP 2375 (the exposed Docker API port) and apply the rule
            firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' port protocol='tcp' port='2375' reject"
            firewall-cmd --reload

    This defensive blocking represents a territorial approach rarely seen in container-based attacks.

    By systematically closing the Docker API port that enabled their initial access, the attackers prevent other malicious actors from exploiting the same vulnerability while maintaining their established foothold through SSH access.

    Binary initiating masscan (Source – Akamai)

    The malware also installs reconnaissance tools including masscan for network scanning, along with torsocks for anonymous communications.

    These components enable the malware to identify and compromise additional vulnerable Docker instances across the network, creating potential for large-scale botnet operations.

    The combination of persistent access, competitive exclusion, and propagation capabilities positions this malware as a significant threat to containerized environments.
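    The following triage script is an added example, not code from Akamai or from the malware: it checks a host for the four conditions the report describes (a Docker daemon listening on tcp without TLS verification, a container that bind-mounts the host’s root filesystem, an every-minute cron entry that drives firewall tooling or references port 2375, and an authorized_keys entry outside an approved baseline). The daemon.json text, /containers/json listing, crontab and authorized_keys contents are constructed samples embedded inline; in practice you would feed it the real files and the output of GET /containers/json from the local socket.

```python
import json
import re

# Firewall front-ends the report says the cron job cycles through
FIREWALL_TOOLS = ("iptables", "ufw", "firewall-cmd", "pfctl", "nft")
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+(?P<cmd>.+)$")


def exposed_tcp_hosts(daemon_json_text):
    """tcp:// listen addresses from /etc/docker/daemon.json that are not protected by tlsverify."""
    cfg = json.loads(daemon_json_text)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def host_root_mount_containers(containers):
    """IDs of containers (as listed by GET /containers/json) that bind-mount the host's /."""
    hits = []
    for c in containers:
        if any(m.get("Type") == "bind" and m.get("Source") == "/" for m in c.get("Mounts", [])):
            hits.append(c["Id"])
    return hits


def suspicious_cron_entries(crontab_text):
    """Every-minute cron entries that invoke a firewall tool or reference port 2375."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = EVERY_MINUTE.match(line)
        if m and ("2375" in m["cmd"] or any(t in m["cmd"] for t in FIREWALL_TOOLS)):
            hits.append(line)
    return hits


def unknown_authorized_keys(authorized_keys_text, approved_keys):
    """authorized_keys lines whose key material is not in the approved set (option prefixes allowed)."""
    hits = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        for i, tok in enumerate(parts[:-1]):
            if tok.startswith(KEY_TYPES):
                if parts[i + 1] not in approved_keys:
                    hits.append(line)
                break
    return hits


def triage(daemon_json_text, containers, crontab_text, authorized_keys_text, approved_keys):
    """Run all four checks and return the findings as one dict."""
    return {
        "exposed_tcp_hosts": exposed_tcp_hosts(daemon_json_text),
        "host_root_mounts": host_root_mount_containers(containers),
        "cron_port_blockers": suspicious_cron_entries(crontab_text),
        "unknown_ssh_keys": unknown_authorized_keys(authorized_keys_text, approved_keys),
    }


# Constructed sample inputs (not real artefacts from the campaign)
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CONTAINERS = [
    {"Id": "c0ffee01", "Image": "nginx:1.27",
     "Mounts": [{"Type": "volume", "Source": "web_data", "Destination": "/usr/share/nginx/html"}]},
    {"Id": "bad0cafe", "Image": "alpine:latest",
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
]
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * for fw in firewall-cmd ufw pfctl iptables nft; do command -v "$fw" >/dev/null 2>&1 && echo "$fw 2375"; done
"""
SAMPLE_AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedApprovedKey ops@bastion
no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownKey root@unknown
"""
APPROVED_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIConstructedApprovedKey"}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_DAEMON_JSON, SAMPLE_CONTAINERS, SAMPLE_CRONTAB,
                            SAMPLE_AUTHORIZED_KEYS, APPROVED_KEYS), indent=2))
```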


    The post New Malware Attack Leveraging Exposed Docker APIs to Maintain Persistent SSH Root Access appeared first on Cyber Security News.


  • In a sweeping effort to curb transnational cybercrime and human rights abuses, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) today imposed sanctions on a sprawling network of scam centers operating in Southeast Asia. These centers, which exploit forced labor and violence, defrauded Americans of more than $10 billion in 2024. […]

    The post U.S. Cracks Down on Scam Networks in Southeast Asia Draining Billions appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Windows devices rely on a complex ecosystem of drivers to manage hardware and software interactions. When one driver fails to complete a critical task, the entire operating system can halt in a fatal error known as the Blue Screen of Death (BSOD). Understanding how a single faulty driver triggers a system-wide crash helps users and […]

    The post How a Single Faulty Windows Driver Can Crash Your System and Cause Blue Screen of Death appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A new Android malware called RatOn evolved from a basic tool capable of conducting Near Field Communication (NFC) attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud. “RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality – making it a uniquely powerful threat,” the Dutch mobile


  • Adobe has broken its regular patch schedule to address CVE-2025-54236, a critical vulnerability in Magento Commerce and open-source Magento installations. Dubbed “SessionReaper,” this vulnerability allows attackers to bypass input validation in the Magento Web API, enabling automated account takeover, data theft, and fraudulent orders without requiring valid session tokens. Adobe will release an emergency fix […]

    The post SessionReaper Vulnerability Puts Magento & Adobe Commerce Sites in Hacker Crosshairs appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • As part of its scheduled security maintenance, SAP released its September 2025 Patch Day notes, addressing a total of 21 new vulnerabilities and providing updates to four previously released security advisories.

    Among the newly addressed flaws are four critical vulnerabilities that could expose SAP systems to significant risk, including remote code execution and complete system compromise.

    Organizations are strongly urged to apply these patches to safeguard their enterprise environments.

    Critical Vulnerabilities Patched

    This month’s most severe vulnerability, identified as CVE-2025-42944, carries a CVSS score of 10.0, the highest possible rating.

    This flaw is an Insecure Deserialization vulnerability in SAP NetWeaver’s Remote Method Invocation (RMI-P4) component.

    A successful exploit could allow an unauthenticated remote attacker to execute arbitrary code, potentially leading to a full compromise of the affected system’s confidentiality, integrity, and availability.

    Another critical issue, CVE-2025-42922, affects the SAP NetWeaver Application Server (AS) Java. This Insecure File Operations vulnerability, with a CVSS score of 9.9, allows a low-privileged attacker to perform unauthorized file operations.

    This could enable the attacker to read, modify, or delete sensitive system files, leading to a significant impact on the system’s security.

    An update was issued for a previously disclosed critical vulnerability, CVE-2023-27500, a Directory Traversal flaw in SAP NetWeaver AS for ABAP and ABAP Platform.

    With a CVSS score of 9.6, this vulnerability could be exploited by an attacker with low privileges to overwrite critical system files, potentially causing system-wide disruption and data corruption.

    The fourth critical vulnerability, CVE-2025-42958, is a Missing Authentication check in SAP NetWeaver, rated with a CVSS score of 9.1.

    This vulnerability could be exploited by a highly privileged attacker to bypass authentication mechanisms, granting them unauthorized access to critical functionalities and data.

    High-Priority Flaws And Other Patches

    In addition to the critical issues, SAP patched several high-priority vulnerabilities. These include:

    • CVE-2025-42933: An Insecure Storage of Sensitive Information flaw in SAP Business One (SLD) with a CVSS score of 8.8.
    • CVE-2025-42929: A Missing Input Validation vulnerability in SAP Landscape Transformation Replication Server, rated 8.1.
    • CVE-2025-42916: A similar Missing Input Validation flaw in SAP S/4HANA, also with a CVSS of 8.1.
    • An update to CVE-2025-27428, a Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform, carrying a CVSS score of 7.7.

    The remaining patches address vulnerabilities of medium and low severity, including Cross-Site Scripting (XSS), Denial of Service (DoS), and Missing Authorization checks across a range of SAP products such as SAP Commerce Cloud, SAP BusinessObjects, and several Fiori applications.

    Of the 25 security notes released on SAP’s September 2025 Patch Day, 21 were new. Here is a table detailing these vulnerabilities:

    SAP Note # | CVE ID | Vulnerability Title | Affected Product | Priority | CVSS 3.0 Score
    3634501 | CVE-2025-42944 | Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4) | SAP Netweaver (RMI-P4) | Critical | 10.0
    3643865 | CVE-2025-42922 | Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service) | SAP NetWeaver AS Java (Deploy Web Service) | Critical | 9.9
    3627373 | CVE-2025-42958 | Missing Authentication check in SAP NetWeaver | SAP NetWeaver | Critical | 9.1
    3642961 | CVE-2025-42933 | Insecure Storage of Sensitive Information in SAP Business One (SLD) | SAP Business One (SLD) | High | 8.8
    3633002 | CVE-2025-42929 | Missing input validation vulnerability in SAP Landscape Transformation Replication Server | SAP Landscape Transformation Replication Server | High | 8.1
    3635475 | CVE-2025-42916 | Missing input validation vulnerability in SAP S/4HANA (Private Cloud or On-Premise) | SAP S/4HANA (Private Cloud or On-Premise) | High | 8.1
    3620264 | CVE-2025-22228 | Security Misconfiguration vulnerability in Spring security within SAP Commerce Cloud and SAP Datahub | SAP Commerce Cloud and SAP Datahub | Medium | 6.6
    3614067 | CVE-2025-42930 | Denial of Service (DoS) vulnerability in SAP Business Planning and Consolidation | SAP Business Planning and Consolidation | Medium | 6.5
    3635587 | CVE-2025-42912, CVE-2025-42913, CVE-2025-42914 | Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application) | SAP HCM (My Timesheet Fiori 2.0 application) | Medium | 6.5
    3643832 | CVE-2025-42917 | Missing Authorization check in SAP HCM (Approve Timesheets Fiori 2.0 application) | SAP HCM (Approve Timesheets Fiori 2.0 application) | Medium | 6.5
    3611420 | CVE-2023-5072 | Denial of Service (DoS) vulnerability due to outdated JSON library used in SAP BusinessObjects Business Intelligence Platform | SAP BusinessObjects Business Intelligence Platform | Medium | 6.5
    3647098 | CVE-2025-42920 | Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management | SAP Supplier Relationship Management | Medium | 6.1
    3629325 | CVE-2025-42938 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform | SAP NetWeaver ABAP Platform | Medium | 6.1
    3409013 | CVE-2025-42915 | Missing Authorization Check in Fiori app (Manage Payment Blocks) | Fiori app (Manage Payment Blocks) | Medium | 5.4
    3619465 | CVE-2025-42926 | Missing Authentication check in SAP NetWeaver Application Server Java | SAP NetWeaver Application Server Java | Medium | 5.3
    3627644 | CVE-2025-42911 | Missing Authorization check in SAP NetWeaver (Service Data Download) | SAP NetWeaver (Service Data Download) | Medium | 5.0
    3640477 | CVE-2025-42925 | Predictable Object Identifier vulnerability in SAP NetWeaver AS Java (IIOP Service) | SAP NetWeaver AS Java (IIOP Service) | Medium | 4.3
    3450692 | CVE-2025-42923 | Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (F4044 Manage Work Center Groups) | SAP Fiori App (F4044 Manage Work Center Groups) | Medium | 4.3
    3623504 | CVE-2025-42918 | Missing Authorization check in SAP NetWeaver Application Server for ABAP (Background Processing) | SAP NetWeaver Application Server for ABAP (Background Processing) | Medium | 4.3
    3525295 | CVE-2025-42927 | Information Disclosure due to Outdated OpenSSL Version in SAP NetWeaver AS Java (Adobe Document Service) | SAP NetWeaver AS Java (Adobe Document Service) | Low | 3.4
    3632154 | CVE-2024-13009 | Potential Improper Resource Release vulnerability in SAP Commerce Cloud | SAP Commerce Cloud | Low | 3.1

    SAP administrators are advised to review the complete list of security notes and prioritize the application of patches, starting with the critical vulnerabilities, to protect their systems from potential exploitation.


    The post SAP Security Patch Day September 2025 – 21 Vulnerabilities and 4 Critical Ones Patched appeared first on Cyber Security News.


  • Security researchers have uncovered a sophisticated campaign in recent weeks leveraging a novel Remote Access Trojan (RAT) dubbed MostereRAT that targets Windows systems by deploying legitimate remote access tools such as AnyDesk and TightVNC.

    The malware’s emergence represents a significant evolution from earlier banking trojans, combining social engineering with advanced evasion techniques to establish covert full-system control.

    The initial vector relies on highly localized phishing emails masquerading as business communications, which direct victims to a malicious website hosting a Word document containing a hidden archive.

    Upon opening the document, the embedded payload quietly installs most RAT components without alerting standard security tooling.

    Attack flow (Source – Fortinet)

    MostereRAT’s developers have adopted a multi-stage delivery approach to obscure its true nature.

    The executable, based on a wxWidgets sample, decrypts additional modules bundled within its resource section using a simple subtraction cipher keyed by the character “A.”

    Once extracted to C:\ProgramData\Windows, these components are orchestrated via a custom RPC client that bypasses public SCM APIs to create services running under SYSTEM privileges.

    Fortinet analysts identified the use of mutual TLS (mTLS) for C2 communications, ensuring that network traffic remains encrypted and authenticated in both directions, thereby thwarting interception or impersonation attempts.

    During execution, MostereRAT installs two services—WpnCoreSvc (auto-start) and WinSvc_32263003 (demand start)—to guarantee persistence across reboots and on-demand operations.

    The phishing e-mail (Source – Fortinet)

    Fortinet researchers noted that the malware disables critical Windows security processes and services, including SecurityHealthService.exe, wuauserv, and UsoSvc, while modifying registry policies to prevent updates and hide notifications.

    By terminating or hijacking these security mechanisms, the threat maintains a foothold without triggering alerts from antivirus or EDR solutions.

    Infection and Decryption Mechanism

    The infection mechanism commences when the victim executes the first-stage executable, document.exe, which unpacks and decrypts the primary modules.

    The decryption routine applies a byte-wise subtraction of the value 0x41 (‘A’) to each encrypted byte in the resource blob:

    /* Recover one resource module: subtract the key byte 'A' from every byte of the blob.
       With unsigned char arithmetic the subtraction wraps modulo 256. */
    static void decrypt_resource(const unsigned char *encrypted, unsigned char *decrypted, size_t length) {
        for (size_t i = 0; i < length; ++i) {
            decrypted[i] = encrypted[i] - 0x41;
        }
    }

    This trivial yet effective cipher conceals the RAT’s logic from cursory analysis. Once decrypted, the modules maindll.db and elsedll.db are loaded directly into memory.
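    The following is an added example for analysts, not code from Fortinet or from the malware: it reverses the subtract-0x41 cipher described above on a resource blob and checks whether the result carries a DOS/PE header, which is the usual sign that the resource is a hidden module rather than benign data. The sample blob is constructed from a minimal fake PE stub; the function names are hypothetical.

```python
# Added example (not Fortinet's code): recover a MostereRAT-style resource blob
# obfuscated with the byte-wise "subtract 0x41" cipher, then confirm the result
# looks like a PE module before handing it to a sandbox.
from typing import Optional

KEY = 0x41  # the character 'A', as described in the Fortinet analysis


def decrypt_resource(encrypted: bytes, key: int = KEY) -> bytes:
    """Undo the subtraction cipher. Python ints do not wrap like a C unsigned
    char, so the result is reduced mod 256 explicitly; any plaintext byte
    below 0x41 wrapped around when it was encoded."""
    return bytes((b - key) & 0xFF for b in encrypted)


def encrypt_resource(plain: bytes, key: int = KEY) -> bytes:
    """Inverse operation, used here only to build the constructed sample."""
    return bytes((b + key) & 0xFF for b in plain)


def pe_header_offset(blob: bytes) -> Optional[int]:
    """Return the offset of the 'PE\\0\\0' signature if blob is a DOS/PE image,
    else None. The e_lfanew field at offset 0x3C points at the PE header."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    if e_lfanew + 4 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def triage_blob(encrypted: bytes) -> dict:
    """Decrypt and classify one resource blob."""
    decoded = decrypt_resource(encrypted)
    offset = pe_header_offset(decoded)
    return {
        "decoded": decoded,
        "pe_header_offset": offset,
        "is_pe_module": offset is not None,
    }


# Constructed sample: a minimal fake PE stub (MZ header, e_lfanew -> "PE\0\0"),
# not a real malware module. Its zero bytes exercise the wrap-around path.
FAKE_PE = bytearray(0x50)
FAKE_PE[0:2] = b"MZ"
FAKE_PE[0x3C:0x40] = (0x40).to_bytes(4, "little")
FAKE_PE[0x40:0x44] = b"PE\x00\x00"
SAMPLE_ENCRYPTED = encrypt_resource(bytes(FAKE_PE))

if __name__ == "__main__":
    result = triage_blob(SAMPLE_ENCRYPTED)
    print("PE module recovered:", result["is_pe_module"],
          "header at offset", result["pe_header_offset"])
```

    Because the cipher is a fixed-key byte shift, the same routine can be pointed at every resource entry of a suspicious sample; whichever entries decode to an MZ/PE header are the embedded modules worth extracting and hashing.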

    The maindll.db module interprets parameters ranging from channel-8df91be7c24"a" to channel-8df91be7c24"e" to execute tasks such as persistence, privilege escalation, and task scheduler manipulation.

    Conversely, elsedll.db establishes multiple threads to handle keystroke logging, screenshot capture, and RMM tool deployment via TightVNC and AnyDesk.

    Upon establishing a secure connection to its C2 servers over ports 9001 and 9002, the RAT periodically retrieves configuration files encrypted with an embedded RSA private key.

    After successful decryption and version verification via SHA-256 hash comparison, the malware seamlessly updates itself, ensuring continued functionality and resilience.

    This continual upgrade capability exemplifies the threat’s high level of sophistication and underlines the importance of comprehensive monitoring and user education to defend against such multifaceted attacks.


    The post MostereRAT Attacking Windows Systems With AnyDesk/TightVNC to Enable Remote Access appeared first on Cyber Security News.


  • Adobe has issued an emergency security patch for a critical vulnerability in its Magento and Adobe Commerce platforms, dubbed “SessionReaper”.

    The vulnerability is considered one of the most severe in Magento’s history, prompting an out-of-band update on Tuesday, September 9th, well ahead of the next scheduled patch release on October 14th.

    The vulnerability uncovered by Sansec, tracked as CVE-2025-54236, could expose thousands of online stores to automated attacks.

    The severity of SessionReaper is being compared to past significant Magento vulnerabilities, such as

    • Shoplift (2015)
    • Ambionics SQLi (2019)
    • TrojanOrder (2022)
    • CosmicSting (2024).

    Each of these historical flaws led to the compromise of thousands of e-commerce sites, with threat actors often exploiting them within hours of public disclosure, Sansec said.

    This history has put the Magento and Adobe Commerce communities on high alert, emphasizing the need for immediate action.

    Adobe’s handling of the disclosure has drawn criticism from the open-source community. While paying Adobe Commerce customers received a private, advance notification of the emergency fix on September 4th, users of the free Magento Open Source platform were not given any prior warning.

    This resulted in a large portion of the user base being unprepared for the critical update, leading to frustration over the perceived lack of support between the commercial and open-source ecosystems. Internal discussions at Adobe regarding an emergency fix reportedly began as early as August 22nd.

    Mitigations

    Merchants are urged to apply the official patch from Adobe without delay. The updates are available on Adobe’s security bulletin webpage.

    The leaked patch, titled “MCLOUD-14016 patch for CVE-2025-54236 webapi improvement,” suggests the vulnerability is located in the Webapi/ServiceInputProcessor.php file.

    The fix appears to restrict the types of data that can be processed through the API, allowing only simple types or authorized API Data Objects.

    However, merchants were cautioned against using this unofficial patch, as its finality and completeness were unconfirmed.

    Given the critical nature of SessionReaper, store owners are strongly advised to prioritize the deployment of the official security update to prevent session hijacking and other potential automated attacks.
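    To make the type-restriction idea concrete, here is an added example of the same defensive pattern written in Python; it is not Magento’s or Adobe’s code and says nothing about the exact flaw. A hypothetical `ServiceInputProcessor` hydrates request data only into scalar types or data-object classes that were registered in advance, refusing any other type name; `AddressData` and `CustomerData` are made-up data objects.

```python
# Added example (not Magento/Adobe code): an API input processor that only
# hydrates simple types or explicitly registered data objects, which is the
# restriction the SessionReaper fix is reported to introduce.
from dataclasses import dataclass, fields, is_dataclass
from typing import Any, Dict, Type

# Simple types keyed by the Python class name the data objects declare.
SIMPLE_TYPES: Dict[str, type] = {"str": str, "int": int, "float": float, "bool": bool}


class UnauthorizedTypeError(ValueError):
    """Raised when a request names a type that is not on the allowlist."""


@dataclass
class AddressData:  # hypothetical API data object
    street: str
    city: str


@dataclass
class CustomerData:  # hypothetical API data object
    email: str
    address: AddressData


class ServiceInputProcessor:
    def __init__(self) -> None:
        self._data_objects: Dict[str, Type[Any]] = {}

    def register(self, cls: Type[Any]) -> None:
        """Only dataclass-based data objects may be named by a request."""
        if not is_dataclass(cls):
            raise TypeError(f"{cls!r} is not a data object")
        self._data_objects[cls.__name__] = cls

    def process(self, type_name: str, value: Any) -> Any:
        """Convert raw request data into the declared type. Anything that is
        neither a simple type nor a registered data object is refused, so a
        request cannot steer hydration toward arbitrary classes."""
        if type_name in SIMPLE_TYPES:
            # Exact type match: bool is not accepted where int is declared.
            if type(value) is not SIMPLE_TYPES[type_name]:
                raise TypeError(f"expected {type_name}, got {type(value).__name__}")
            return value
        cls = self._data_objects.get(type_name)
        if cls is None:
            raise UnauthorizedTypeError(f"{type_name!r} is not an authorized API data object")
        if not isinstance(value, dict):
            raise TypeError(f"{type_name} requires an object payload")
        declared = {f.name: f.type for f in fields(cls)}
        unknown = set(value) - set(declared)
        if unknown:
            raise ValueError(f"unexpected fields for {type_name}: {sorted(unknown)}")
        kwargs = {}
        for name, ftype in declared.items():
            if name not in value:
                raise ValueError(f"missing field {name!r} for {type_name}")
            # Nested values pass through the same allowlist check.
            kwargs[name] = self.process(ftype.__name__, value[name])
        return cls(**kwargs)


def build_processor() -> ServiceInputProcessor:
    processor = ServiceInputProcessor()
    processor.register(AddressData)
    processor.register(CustomerData)
    return processor


def classify_request(type_name: str, value: Any) -> str:
    """Return 'accepted' or the rejection reason an API layer would log."""
    try:
        build_processor().process(type_name, value)
        return "accepted"
    except UnauthorizedTypeError:
        return "rejected: unauthorized type"
    except (TypeError, ValueError):
        return "rejected: malformed payload"


if __name__ == "__main__":
    good = {"email": "a@example.test", "address": {"street": "1 Main", "city": "Springfield"}}
    print(classify_request("CustomerData", good))
    print(classify_request("ServiceInputProcessor", {}))
```

    The important property is that the set of constructible types is fixed at registration time by the application, never widened by request content, and that the check is applied recursively to nested fields rather than only at the top level.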


    The post Magento and Adobe SessionReaper Vulnerability Exposes Thousands Of Online Stores to Attacks appeared first on Cyber Security News.


  • APT37, the North Korean-aligned threat actor also known as ScarCruft, Ruby Sleet, and Velvet Chollima, has expanded its arsenal with sophisticated new malware targeting Windows systems.

    Active since 2012, the group primarily focuses on South Korean individuals connected to the North Korean regime or involved in human rights activism.

    The threat actor has now introduced a Rust-based backdoor dubbed Rustonotto and enhanced Python-based injection techniques to deploy their surveillance tool FadeStealer.

    The latest campaign demonstrates APT37’s evolution in adopting modern programming languages and advanced injection techniques.

    The attack chain begins with spear-phishing emails containing malicious Windows shortcut files or Compiled HTML Help (CHM) files.

    These initial vectors lead to the deployment of multiple malware components orchestrated through a single command-and-control server.

    The integration of the Rust programming language represents a significant shift for the group, potentially enabling multi-platform attacks while maintaining lightweight backdoor functionality.

    Zscaler researchers identified this sophisticated malware cluster operating since June 2025, revealing the threat actor’s continued refinement of social engineering tactics and technical capabilities.

    The campaign utilizes Transactional NTFS (TxF) for stealthy code injection, demonstrating advanced evasion techniques.

    The researchers observed APT37 leveraging vulnerable web servers as C2 infrastructure, employing a unified PHP script to control their entire malware toolkit including Rustonotto, Chinotto, and FadeStealer variants.

    Infection chain (Source – Zscaler)

    The attack methodology involves multiple stages of payload delivery and execution. Initial compromise occurs through either Windows shortcut files embedded with PowerShell scripts or CHM files that establish registry persistence mechanisms.

    These vectors subsequently deploy the Rust-compiled Rustonotto backdoor, which serves as a lightweight command executor capable of receiving Base64-encoded Windows commands and returning execution results to the threat actor’s infrastructure.

    Advanced Injection Techniques and Payload Deployment

    The most sophisticated aspect of this campaign involves the deployment of FadeStealer through a Python-based injection mechanism utilizing Process Doppelgänging.

    The threat actor delivers malicious payloads packaged in Microsoft Cabinet files, which contain three critical components: a legitimate Python module renamed as tele_update.exe, a compiled Python module (tele.conf) responsible for decryption and injection, and the encrypted FadeStealer payload (tele.dat).

    The Python injection script, internally named TransactedHollowing.py, employs Windows Transactional NTFS APIs to create temporary files within transaction contexts.

    The decryption routine extracts XOR keys from the payload and applies custom decryption algorithms to reveal the final executable.

    The Process Doppelgänging technique involves creating section objects from transacted files, mapping them into suspended legitimate processes, and manipulating thread contexts to redirect execution flow.

    FadeStealer operates as a comprehensive surveillance tool, conducting real-time keylogging, capturing screenshots every 30 seconds, recording 5-minute audio sessions, and monitoring USB devices hourly.

    The malware creates timestamped archives with hardcoded password protection, utilizing embedded RAR utilities for data compression and exfiltration through HTTP POST requests with multipart form data.

    Malware Component | Programming Language | Primary Function | Persistence Method | Communication
    Rustonotto | Rust | Lightweight backdoor | Scheduled Task (MicrosoftUpdate) | HTTP with Base64 encoding
    Chinotto | PowerShell | Command execution and file operations | Registry Run key | HTTP POST requests
    FadeStealer | Windows PE (via Python injection) | Surveillance and data exfiltration | Registry Run key (TeleUpdate) | HTTP multipart uploads
    Python Loader | Python | Process injection and payload deployment | Embedded in legitimate processes | Local file operations
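    The exfiltration traits described above (RAR archives sent by HTTP POST with multipart form data, to a PHP script on a compromised web server, on a short fixed cadence) are enough to build a simple proxy-log detection. The code below is an added example, not Zscaler’s tooling; the log format and every line in it are constructed for the example, and the host names and addresses are placeholders.

```python
# Added example (not Zscaler's code): flag FadeStealer-style periodic archive
# uploads in a constructed web proxy log.
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed log format: ts src method url content-type bytes filename
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<ctype>\S+) (?P<size>\d+) (?P<fname>\S+)$"
)

ARCHIVE_SUFFIXES = (".rar",)
SCRIPT_SUFFIXES = (".php",)

# Constructed sample lines: one host uploads RAR archives every ~30 seconds to a
# PHP script on an ordinary-looking site; another host does a single legitimate
# PDF upload and a GET to the same site.
CONSTRUCTED_LOG = """\
2025-06-12T09:00:00Z 10.0.0.21 POST http://www.example-site.test/gallery/index.php multipart/form-data 41920 20250612_090000.rar
2025-06-12T09:00:31Z 10.0.0.21 POST http://www.example-site.test/gallery/index.php multipart/form-data 40211 20250612_090030.rar
2025-06-12T09:01:00Z 10.0.0.21 POST http://www.example-site.test/gallery/index.php multipart/form-data 40777 20250612_090100.rar
2025-06-12T09:01:30Z 10.0.0.21 POST http://www.example-site.test/gallery/index.php multipart/form-data 39544 20250612_090130.rar
2025-06-12T09:00:05Z 10.0.0.33 POST https://files.corp.test/share/upload.php multipart/form-data 2048000 quarterly_report.pdf
2025-06-12T09:00:40Z 10.0.0.33 GET http://www.example-site.test/gallery/index.php - 512 -
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.fromisoformat(str(rec["ts"]).replace("Z", "+00:00"))
    rec["size"] = int(str(rec["size"]))
    return rec


def is_archive_upload(rec: Dict[str, object]) -> bool:
    """A multipart POST carrying a RAR archive to a server-side script."""
    url_path = str(rec["url"]).split("?", 1)[0]
    return (
        rec["method"] == "POST"
        and str(rec["ctype"]).startswith("multipart/form-data")
        and str(rec["fname"]).lower().endswith(ARCHIVE_SUFFIXES)
        and url_path.lower().endswith(SCRIPT_SUFFIXES)
    )


def find_exfiltration(log_text: str, min_uploads: int = 3,
                      max_interval_s: float = 60.0) -> List[Dict[str, object]]:
    """Group archive uploads by (source, destination URL) and report groups that
    repeat at a short, regular cadence, which distinguishes automated
    collection from a person uploading an archive once."""
    groups: Dict[tuple, list] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_archive_upload(rec):
            groups[(rec["src"], rec["url"])].append(rec)
    findings = []
    for (src, url), recs in groups.items():
        if len(recs) < min_uploads:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= max_interval_s:
            findings.append({
                "src": src,
                "url": url,
                "uploads": len(recs),
                "median_interval_s": median_gap,
                "bytes_total": sum(int(r["size"]) for r in recs),
            })
    return findings


if __name__ == "__main__":
    for f in find_exfiltration(CONSTRUCTED_LOG):
        print(f"{f['src']} -> {f['url']}: {f['uploads']} archives, "
              f"median {f['median_interval_s']:.0f}s apart, {f['bytes_total']} bytes")
```

    Tuning note: the cadence threshold is deliberately loose (the 30-second screenshot interval quoted above is one data point, and an attacker can change it), so the stronger signal is the combination of multipart POST, archive payload and script endpoint on a site the host otherwise never uploads to; cadence is used here only to separate automated collection from a one-off manual upload.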

    The campaign’s technical sophistication combined with targeted social engineering demonstrates APT37’s continued evolution and persistent threat to individuals and organizations connected to North Korean affairs.


    The post New APT37 Attacking Windows Machines With New Rust and Python Based Malware appeared first on Cyber Security News.
