AKP Corporate & Compliance Digest December 01, 2025
- AK & Partners

We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.
1. Labour Law
1.1. ESIC Implements Code on Social Security 2020 with Expanded Family Benefits
The Employees’ State Insurance Corporation ("ESIC") has notified the implementation of the Code on Social Security, 2020, effective from November 21, 2025, following the Ministry of Labour and Employment's Gazette Notification. Key changes expand the definition of "dependant" under Section 2(24)(c) to include widowers and grandparents, entitling them to Dependent Benefit, and "family" under Section 2(33)(e) to encompass a woman employee's father-in-law and mother-in-law for Medical Benefit eligibility. Regional Directors, ESIC Medical College Deans, and Hospital Superintendents must apply these revised definitions when extending benefits, replacing prior Employees’ State Insurance Act 1948 provisions.
1.2. ESIC Designates New Email for On-Account Payment Queries
ESIC Headquarters has issued an Office Memorandum dated November 27, 2025, designating a dedicated email ID exclusively for 'On Account' payment (OAP) matters, requiring all related issues to be emailed solely to oap-hq@esic.gov.in. The notification, circulated to state secretaries, divisional heads, zonal commissioners, regional directors, and all ESIC users, streamlines OAP communications previously handled via fa9-hq@esic.nic.in.
1.3. Chhattisgarh Fire Safety Rules Introduce Third-Party Auditor Framework
The Chhattisgarh government has amended the Fire and Emergency Service Rules, 2021, effective 24 November 2025, by introducing Third-Party Auditors (TPAs) accredited by the Director General to conduct fire safety audits and certify compliance under Section 59 of the 2018 Act. TPAs, licensed for two years based on qualifications like National Fire Service College diplomas, engineering degrees with three years' experience, or fire engineering fellowships, must meet solvency criteria graded A-D (e.g., fifteen point zero zero lakh rupees (15.00 lakh) for Grade-A) and submit biannual certificates in January and July for building owners/occupiers. The framework includes application forms (Form-N), licensing (Form-O), compliance certificates (Form-Q/R), random departmental verification of thirty per cent (30%) of audits, and enforcement powers for suspension/cancellation with show-cause notices, ensuring adherence to the National Building Code, BIS standards, and state bye-laws.
2. Tax
2.1. Government of Gujarat has issued Gujarat Goods and Services Tax (Fourth Amendment) Rules, 2025 effective from 1st November, 2025
The Government of Gujarat has issued the Gujarat Goods and Services Tax (Fourth Amendment) Rules, 2025, effective from 1st November 2025, introducing provisions for electronic registration and withdrawal for taxpayers whose monthly output tax liability does not exceed INR 2,50,000 (Indian Rupees Two Lakh Fifty Thousand only). Under new Rule 9A, such applicants will be granted registration electronically within three working days upon Aadhaar authentication and risk analysis on the common portal. The amendment also outlines conditions and procedures for withdrawal from this option, including mandatory return filing and verification processes. Several GST application forms (REG-01 to REG-33) have been updated or introduced to reflect these changes, ensuring streamlined compliance and interaction with GST authorities.
2.2. Government of Haryana has issued Haryana Goods and Services Tax (Fourth Amendment) Rules, 2025 effective from 1st November, 2025
The Haryana Government has notified the Haryana Goods and Services Tax (Fourth Amendment) Rules, 2025, effective from 1st November 2025, introducing electronic registration via new Rule 9A for applicants identified through data analysis and risk parameters on the common portal within three working days. Rule 14A provides an option for taxpayers with monthly output tax liability not exceeding INR 2,50,000 (Indian Rupees Two Lakh Fifty Thousand only) on supplies to registered persons to obtain registration electronically post Aadhaar authentication, excluding those notified under Section 25(6D) or without Aadhaar opt-in. Withdrawal from this option requires filing FORM GST REG-32 after furnishing a minimum of three months' returns (pre-April 2026) or one tax period thereafter, with no pending Section 29 proceedings. The amendment also updates forms such as REG-01, REG-03, REG-05, REG-32, and REG-33 for streamlined processing.
3. Stock Exchanges
3.1. NSE reminder on submission of half-yearly net worth certificate via ENIT
National Stock Exchange of India Limited (NSE) has issued a reminder circular advising all trading members to submit their Half Yearly Networth Certificate as on September 30, 2025 through the ENIT portal by November 30, 2025, in continuation of its earlier circular dated October 16, 2025. Members have been asked to follow the detailed ENIT user manual provided in that circular and have been cautioned that non-submission or delayed submission may attract penal or disciplinary action in terms of the Exchange’s inspection circular dated October 10, 2025, while operational support is available through the designated helpdesk phone number and e-mail address.
3.2. BSE extends timelines for system audit submissions by algorithmic trading members
Bombay Stock Exchange (BSE) Limited has extended the timelines for trading members classified as Type-III, i.e., stockbrokers that use algorithmic trading or offer algorithmic trading facilities to clients, to complete their half-yearly system audit for the period from April 1, 2025, to September 30, 2025 and submit the required reports to the Exchange. The revised schedule now requires completion of the system auditor’s appointment and submission of the audit plan by December 10, 2025, filing of the preliminary audit report by December 31, 2025 and, where applicable, submission of the Action Taken Report by March 31, 2026, for all eligible members including those identified as qualified stockbrokers, with BSE advising all trading members to take note of the extension and ensure compliance with the new deadlines.
4. Information Technology
4.1. CERT-In flags high-risk vulnerabilities in SolarWinds Observability and Serv-U products
The Indian Computer Emergency Response Team (“CERT-In”) has issued Vulnerability Note CIVN-2025-0337 on multiple high-severity flaws in SolarWinds Observability Self-Hosted version 2025.4 and earlier and SolarWinds Serv-U version 15.5.2.2.102. The note warns that insufficient sanitisation of user-supplied data in Uniform Resource Locator (URL) fields, missing validation checks, logic errors, restriction-bypass issues and open redirection weaknesses could allow a remote attacker to execute cross-site scripting (XSS) attacks, manipulate strings to redirect users to malicious websites, inject malicious code, gain unauthorised access to sensitive data, escalate privileges and ultimately trigger remote code execution, leading to complete system compromise and service unavailability. All organisations and individuals using these SolarWinds products have been advised to treat the risk of data theft and full system compromise as high and to urgently apply the vendor’s security updates, review configuration settings and limit exposure of management interfaces to reduce the attack surface.
4.2. CERT-In flags arbitrary file read flaw in WordPress anti-malware plugin
CERT-In has issued Vulnerability Note CIVN-2025-0339 on a medium-severity arbitrary file read vulnerability in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress, affecting versions 4.23.81 and earlier, which could allow an authenticated attacker with at least subscriber-level access to read sensitive information from arbitrary files on the server. The flaw arises from missing capability checks and improper handling of data in multiple GOTMLS_* Asynchronous JavaScript and XML (AJAX) actions, creating a risk of unauthorised data exposure that could in turn enable privilege escalation and full compromise of affected websites. Site owners using the impacted plugin have been advised to apply the patched version and other security updates supplied by the vendor and to review access rights and logs for signs of misuse.
4.3. CERT-In issues high-risk advisory on multiple vulnerabilities in NVIDIA products
CERT-In has released Advisory CIAD-2025-0046 highlighting multiple high-severity vulnerabilities in several NVIDIA products, including NVIDIA AIStore’s AuthN component (versions prior to 3.31), NVIDIA Triton Inference Server (versions prior to 25.09), NVIDIA NeMo Framework (versions prior to 2.5.0) and NVIDIA Megatron LM (versions prior to 0.14.0), which could enable remote attackers to execute arbitrary code, gain elevated privileges, access sensitive information or cause denial-of-service conditions on affected systems. The advisory notes that successful exploitation may result in full system compromise, data tampering or prolonged service outages, and urges all organisations and individuals using these products to apply the security fixes published in the NVIDIA Security Advisories without delay.
4.4. CERT-In warns of multiple high-risk vulnerabilities in SonicWall security products
CERT-In has issued Vulnerability Note CIVN-2025-0343 highlighting multiple high-severity flaws in SonicWall Email Security appliances, Generation 7 (Gen7) hardware and virtual firewalls and Generation 8 (Gen8) firewalls, where inadequate integrity checks during code download, crafted directory-traversal sequences and a stack-based buffer overflow in the SonicOS Secure Sockets Layer Virtual Private Network (SSLVPN) component could allow remote attackers to execute arbitrary code, access and manipulate sensitive data or cause denial-of-service conditions on affected systems. CERT-In has assessed the risk of unauthorised data access, manipulation and service disruption as high and has urged all organisations and individuals using impacted SonicWall products to apply the vendor’s security updates referenced in the advisory without delay.
4.5. CERT-In flags high-risk privilege escalation flaw in ASUS System Control Interface
CERT-In has issued Vulnerability Note CIVN-2025-0344 on a high-severity privilege escalation flaw in the ASUS System Control Interface (ASCI) component used on ASUS laptops and desktops, warning that insufficient validation in its restore mechanism could allow a low-privileged local user to copy files into protected system paths and have them executed with SYSTEM-level permissions, effectively taking full control of the affected device. The advisory notes that successful exploitation poses serious confidentiality, integrity and availability risks for enterprise and individual users alike and urges network and security administrators, information technology operations teams and managed service providers to apply ASUS’s security updates without delay and review their fleets for vulnerable ASCI versions.
4.6. CERT-In warns of remote code execution flaw in Oracle Identity Manager
Indian Computer Emergency Response Team (CERT-In) has issued Vulnerability Note CIVN-2025-0345 on a high-severity remote code execution vulnerability in Oracle Identity Manager (OIM) versions 12.2.1.4.0 and 14.1.2.1.0, where an authentication bypass in OIM’s Representational State Transfer (REST) application programming interfaces could allow an unauthenticated remote attacker to execute arbitrary code on affected systems, leading to sensitive data disclosure and full system compromise. The flaw, tracked as CVE-2025-61757, is reported as being actively exploited in the wild, and all organisations and individuals using Oracle Identity Manager have been urged to treat the risk as high and immediately apply the security updates provided in Oracle’s October 2025 Critical Patch Update advisory.
4.7. CERT-In alerts on medium-severity vulnerabilities in GitLab
CERT-In has issued Vulnerability Note CIVN-2025-0338 on multiple medium-severity security flaws in GitLab, affecting versions prior to 18.5.2, 18.4.4 and 18.3.6 of both GitLab Community Edition (CE) and Enterprise Edition (EE), which together could allow attackers to bypass security controls, execute Cross-Site Scripting (XSS) attacks, cause denial-of-service conditions and hijack user sessions. The weaknesses arise from improper input validation, incorrect authorisation checks and inadequate filtering or access control in the web-based DevOps platform, creating risks of unauthorised data access, data theft, sensitive information disclosure, system instability and crashes. Organisations and individuals using GitLab have been advised to treat the advisory as a priority, apply the latest vendor security updates and review their deployment configurations to reduce exposure.
Disclaimer
The note is prepared for knowledge dissemination and does not constitute legal, financial or commercial advice. AK & Partners or its associates are not responsible for any action taken based on its contents.
For further queries or details, you may contact:
Mr Anuroop Omkar
Founding Partner, AK & Partners




