Urgent: OT partnership, stealthy C2 attacks and two critical zero‑days put UK organisations on notice

Breaking today: OT tie-up, stealthy state‑grade C2 and two nasty zero‑days — what UK organisations must do now

A cluster of serious developments landed in the last 24 hours that ought to sharpen attention across UK industry and government: Tekgem UK has broadened its industrial cyber security offering in partnership with Mitsubishi Electric UK to bolster OT protections and regulatory compliance; a persistent actor dubbed Tomiris has shifted to implants that route command‑and‑control through legitimate public services when targeting government bodies; and two vulnerabilities were disclosed, CVE‑2025‑64772 (high severity, arbitrary code execution via an insecure DLL search path) and CVE‑2025‑35028 (critical, command injection). If you like your mornings calm, you may want to stop reading now. But seriously, read on.

Tekgem × Mitsubishi Electric UK: OT security gets a nudge (or a push) in the right direction

Tekgem’s strategic agreement with Mitsubishi Electric UK expands the availability of industrial cyber security services across the UK, with a clear nod towards Operational Technology (OT) environments. According to the briefing supplied, the collaboration is intended to help organisations meet emerging regulatory demands such as the Cyber Security and Resilience Bill — a welcome development given the growing regulatory and safety focus on industrial control systems.

Why this matters: OT environments underpin critical services and manufacturing lines; weaknesses here can lead to physical disruption as well as data loss. Partnerships that bring vendor‑specific control system knowledge together with OT cyber expertise can close practical gaps between IT‑style cyber controls and industrial operational needs.

Helpful reads and next steps for risk owners: organisations should treat OT security as part of an integrated risk management programme and consider controls aligned with ISO 27001 for information security and ISO 22301 for business continuity to protect availability and safety. Synergos regularly points to these frameworks when advising clients, and you can find practical certification guidance at our ISO 27001 page: https://synergosconsultancy.co.uk/iso27001/ and ISO 22301 information here: https://synergosconsultancy.co.uk/iso-22301-business-continuity-management-system-bcms/.

Tomiris swaps to public‑service implants for stealthier C2 against government targets

Analysis provided in the brief indicates the Tomiris cluster is using phishing as its initial access vector and has moved to implants whose command‑and‑control (C2) traffic is carried over legitimate public services, so that callbacks from compromised government hosts look like ordinary use of those services rather than connections to attacker‑owned infrastructure. In plain terms, the actor is hiding its control channel inside traffic your proxy already allows. The practical consequence is that blocking the destination is rarely an option, because the same services are used legitimately; detection has to rest on behaviour instead: which hosts talk to the service, how often, how regularly, and how much data moves.

Organisations operating in the public sector — and their suppliers — should assume increased sophistication and prepare accordingly. Defences that matter include:

  • Strong security awareness training to reduce phishing success rates (for example, see Synergos’ recommended training partner: https://synergosconsultancy.co.uk/usecure).
  • Network segmentation and strict egress filtering, ideally through an authenticating proxy, so that hosts with no business reaching a given public service cannot do so, and those that can are logged per user and per host. Note the limit of this control: if the C2 endpoint is a service the organisation legitimately uses, filtering alone will not stop the traffic.
  • Enhanced logging and threat hunting focused on anomalous use of legitimate public‑service endpoints: timer‑like request cadence, a host talking to a service it has never used before, and sudden unusual patterns of outbound requests or volumes.

Tomiris’s shift emphasises that attackers will exploit trust in commonly used services; visibility and layered detection are your friends. No single control will do it all — think defence in depth.
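The behaviour‑based hunting the bullets above describe can be made concrete. The following is an added example for this post, not code from the original article or from any vendor analysis of Tomiris; the log format, host names and domain are constructed for illustration. It applies a general beaconing heuristic: an implant that hides its C2 inside a legitimate public service still has to poll that service on a schedule, so per‑host request timing that is unusually regular stands out even when the destination itself is trusted.

```python
"""Beaconing heuristic over constructed proxy-log lines.

Added example for this post, not code from the original article or from any
vendor analysis of Tomiris. The log format, host names and domain are
constructed. Idea: human browsing produces irregular gaps between requests;
a timer-driven implant produces near-identical gaps. We measure the
coefficient of variation (stdev / mean) of the gaps per (source, destination).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<ISO timestamp> <src_host> <dst_domain> <bytes_out>"
# ws-finance-07 polls every ~5 minutes; ws-hr-02 is ordinary human use.
SAMPLE_LOG = """\
2025-12-02T08:00:00 ws-finance-07 cdn.example-public-service.net 412
2025-12-02T08:05:01 ws-finance-07 cdn.example-public-service.net 408
2025-12-02T08:10:00 ws-finance-07 cdn.example-public-service.net 415
2025-12-02T08:15:02 ws-finance-07 cdn.example-public-service.net 410
2025-12-02T08:20:00 ws-finance-07 cdn.example-public-service.net 411
2025-12-02T08:25:01 ws-finance-07 cdn.example-public-service.net 409
2025-12-02T08:01:13 ws-hr-02 cdn.example-public-service.net 9031
2025-12-02T08:02:40 ws-hr-02 cdn.example-public-service.net 120
2025-12-02T08:19:05 ws-hr-02 cdn.example-public-service.net 77812
2025-12-02T08:44:51 ws-hr-02 cdn.example-public-service.net 301
2025-12-02T09:30:00 ws-hr-02 cdn.example-public-service.net 1504
2025-12-02T10:12:22 ws-hr-02 cdn.example-public-service.net 640
"""


def parse(log_text):
    """Group request timestamps by (source host, destination domain), sorted."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_out = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    for key in series:
        series[key].sort()
    return series


def beacon_score(timestamps):
    """Return (mean_gap_seconds, coefficient_of_variation) or None.

    A coefficient of variation near zero means the gaps are almost identical,
    i.e. the requests are timer-driven rather than user-driven.
    """
    if len(timestamps) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(log_text, min_requests=5, max_cv=0.1):
    """Flag (src, dst) pairs whose request timing is suspiciously regular.

    Thresholds are starting points for tuning, not fixed rules: a malware
    author can add jitter, so pair this with volume and first-seen checks.
    """
    hits = []
    for (src, dst), stamps in parse(log_text).items():
        if len(stamps) < min_requests:
            continue
        score = beacon_score(stamps)
        if score is None:
            continue
        avg, cv = score
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "requests": len(stamps),
                         "mean_interval_s": round(avg, 1), "cv": round(cv, 4)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed sample only ws-finance-07 is flagged (six requests, mean gap 300.2 s, coefficient of variation about 0.005); ws-hr-02 reaches the same domain but its gaps vary by minutes and hours, so it is left alone. In a real deployment you would feed this from proxy or DNS logs, run it per day, and treat a hit as a lead for host triage rather than a verdict.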

Two vulnerabilities you need to patch or mitigate immediately

Two disclosed vulnerabilities demand prompt action, each with a different attack surface and mitigation profile:

  1. CVE‑2025‑64772 — INZONE Hub DLL search path code execution (Severity: 8.4, HIGH)

    The installer for INZONE Hub versions 1.0.10.3 through 1.0.17.0 contains an insecure DLL search path. Windows resolves a DLL requested by bare name by walking a list of directories, starting with the directory the executable was launched from; an installer that loads a library this way can be made to load an attacker's DLL of the same name placed in that directory, and the code then runs with the privileges of the user who started the installer. Because the flaw is in the installer rather than the installed application, the exposure window is install or upgrade time, and the attacker needs write access to a searched directory beforehand. In short: obtain installers only from the vendor, run them from a folder containing nothing else, verify the digital signature first, and check the vendor advisory for an installer that corrects the search path.

  2. CVE‑2025‑35028 — HexStrike AI MCP server command injection (Severity: 9.1, CRITICAL)

    In the HexStrike AI MCP server, the EnhancedCommandExecutor class composes a single command string from the requested tool and caller‑supplied arguments and hands it to a shell without sanitisation. An argument that begins with a semicolon (;) therefore terminates the intended command and starts a second one of the attacker's choosing. According to the brief, commands run with the MCP server's own privileges, typically root in this deployment, so anyone who can reach the API can run arbitrary commands as root on the host: a critical remote code execution vector. That is not the sort of command you want executed on a production host. Until a fix is applied, the API should be reachable only from a tightly controlled client, and the server should not be running as root in the first place.
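The pattern behind the HexStrike issue, and the fix, side by side. This is an added illustration for this post, not code from HexStrike AI or any MCP server: the class names, tool names and allow‑list are constructed. It shows why a concatenated command string handed to a shell is exploitable with a leading semicolon, and why an argv list with no shell plus token validation is not.

```python
"""Shell-composition command injection, vulnerable and hardened.

Added example for this post. It is not code from HexStrike AI or from any MCP
server: the class names, the tool names and the allow-list are constructed for
illustration. It reproduces the general pattern the CVE-2025-35028 description
points at: a caller-supplied argument is concatenated into one command string
that a shell then interprets, so an argument beginning with ';' ends the
intended command and starts another.
"""
import shlex
import subprocess


class UnsafeExecutor:
    """Vulnerable pattern: build one string, run it through /bin/sh."""

    def compose(self, tool, target, extra_args):
        # extra_args arrives straight from the API request, untouched.
        return f"{tool} {target} {extra_args}"

    def run(self, tool, target, extra_args):
        # shell=True: ';', '|', '&&' and '$(...)' in extra_args are interpreted
        # by the shell instead of being passed to the tool as literal arguments.
        return subprocess.run(self.compose(tool, target, extra_args),
                              shell=True, capture_output=True, text=True)


# Characters that only a shell would give special meaning to.
SHELL_METACHARS = set(";|&$`<>(){}*?\n\r")


class HardenedExecutor:
    """Fixed pattern: allow-listed tool, validated tokens, argv list, no shell."""

    # Constructed allow-list; 'echo' is included only so demo() runs offline.
    ALLOWED_TOOLS = {"nmap", "nikto", "echo"}

    def compose(self, tool, target, extra_args):
        if tool not in self.ALLOWED_TOOLS:
            raise ValueError(f"tool not permitted: {tool!r}")
        argv = [tool, target]
        # shlex.split tokenises like a shell would, but nothing is executed here.
        for token in shlex.split(extra_args):
            if SHELL_METACHARS & set(token):
                raise ValueError(f"shell metacharacter in argument: {token!r}")
            argv.append(token)
        return argv

    def run(self, tool, target, extra_args):
        # No shell: argv goes to execve() as-is, so ';' could only ever reach
        # the tool as a literal argument, and compose() already rejects it.
        return subprocess.run(self.compose(tool, target, extra_args),
                              capture_output=True, text=True)


def demo():
    """Run the same injected argument through both executors, using echo so
    the demonstration is harmless and needs no scanner installed."""
    injected = "; echo INJECTED"
    unsafe_out = UnsafeExecutor().run("echo", "target.example", injected).stdout
    try:
        HardenedExecutor().run("echo", "target.example", injected)
        hardened = "executed"
    except ValueError as exc:
        hardened = f"rejected: {exc}"
    return {"unsafe_stdout": unsafe_out, "hardened": hardened}


if __name__ == "__main__":
    print(UnsafeExecutor().compose("nmap", "target.example", "; id"))
    print(HardenedExecutor().compose("nmap", "target.example", "-sV -p 80"))
    print(demo())
```

Running demo() shows the unsafe path printing INJECTED on its own line, because the shell treated the semicolon as a command separator, while the hardened path refuses the argument before anything executes. Dropping shell=True is the load‑bearing change; the allow‑list and token check are defence in depth, and running the service as an unprivileged account bounds the damage if a future bypass is found.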

Immediate recommendations for administrators:

  • Check vendor advisories and apply patches or updates as a first priority.
  • Until updates are applied, restrict access to installers and to MCP server APIs: treat management interfaces as sensitive, bind them to trusted networks only, and put authentication in front of them rather than relying on obscurity.
  • Operate installers with the least privileges necessary and verify digital signatures where provided.
  • Deploy host and network‑level detection for suspicious command execution patterns and unexpected DLL loads.

These vulnerabilities illustrate two common themes: supply‑chain and installation hygiene (the DLL search path problem), and input sanitisation plus least privilege for services that accept remote input (the MCP server issue).

Practical steps for UK organisations — what Synergos would flag in a quick health check

While we’re careful not to offer salesy promises, practical, immediate controls are obvious:

  • Prioritise patching and inventory: know where affected software is deployed and apply vendor fixes.
  • Raise phishing resistance with targeted security awareness and simulated phishing campaigns (see: https://synergosconsultancy.co.uk/usecure and Cyber Essentials guidance at https://synergosconsultancy.co.uk/iasme-certifications/).
  • Harden OT and ICS environments by aligning controls with recognised standards and supplier partnerships; vendor collaborations like the Tekgem–Mitsubishi Electric UK announcement can help, but governance and assurance remain essential (ISO 27001: https://synergosconsultancy.co.uk/iso27001/).
  • Ensure business continuity and incident response plans are current so that, when inevitable incidents occur, downtime and harm are minimised — for reference, see ISO 22301 guidance: https://synergosconsultancy.co.uk/iso-22301-business-continuity-management-system-bcms/.

And a small, slightly smug tip: treat installers like suspiciously presented biscuits from a stranger — tempting, possibly delicious, but don’t put them in your mouth until you’ve checked the label.

These developments together form a compact lesson: attackers continue to innovate in stealth and in chaining simple weaknesses to achieve big outcomes. The regulatory environment in the UK is tightening, industry partnerships are shifting to close OT gaps, and the technical flaws disclosed today show the perennial importance of patching, configuration hygiene and least‑privilege operation.

Synergos will continue to monitor these stories and advise clients on practical mitigations rooted in standards and sensible risk management. Stay patched, stay segmented, and keep an eye on suspicious outbound traffic — because those ‘public‑service’ connections may not be as civic as they seem.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.