
AKP Corporate & Compliance Digest December 22, 2025

  • Writer: AK & Partners
  • Dec 22, 2025
  • 6 min read

We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.


1. Labour Law

1.1. Banking services continued to be declared a public utility service under Industrial Disputes Act

The Ministry of Labour and Employment (“MoLE”) has notified that services engaged in the banking industry (covered under item 2 of the First Schedule to the Industrial Disputes Act, 1947 (“IDA”)) will continue to be treated as a “public utility service” for the purposes of the IDA for a further period of 6 (six) months with effect from December 15, 2025, extending the earlier declaration that was in force for 6 (six) months with effect from June 15, 2025 pursuant to notification S.O. 2519(E) dated June 9, 2025.

1.2. Lead and zinc mining services continued to be declared a public utility service under Industrial Disputes Act

MoLE has, through a notification, declared the services of industries engaged in the lead and zinc mining industry, covered under items 14 (fourteen) and 15 (fifteen) of the First Schedule to the IDA, to be a “public utility service” for the purposes of the IDA for a period of 6 (six) months with effect from December 17, 2025, thereby extending the earlier declaration made for 6 (six) months with effect from June 17, 2025 (vide S.O. 2715(E) dated June 17, 2025).

2. Stamp Duty

2.1. Delhi weighs steep upward revision of agricultural land circle rates

The Delhi government is considering increasing agricultural land circle rates (the minimum values at which land may be registered) by up to 10 (ten) times, its first such revision in 17 (seventeen) years. Because stamp duty and registration fees are typically computed on the higher of the notified circle rate and the transaction value, the revision would directly raise the stamp duty and registration outgo. The current circle rate for agricultural land is around INR 53,00,000 (Indian Rupees Fifty-Three Lakhs only) per acre, while some farmer representatives have sought levels closer to INR 10,00,00,000 (Indian Rupees Ten Crore only) per acre.

2.2. Delhi notices on share-issuance stamp duty raise questions over centralised collection regime

Delhi-based companies have begun receiving communications from the Delhi revenue department disputing the stamp duty already collected on dematerialised share issuances through depositories. The department asserts a rate of 0.1 per cent (one-tenth of a per cent) of the value of shares issued, citing the Delhi Stamp Act, as against the nationally prescribed rate of 0.005 per cent (five-thousandths of a per cent) introduced under the amendments to the Indian Stamp Act, 1899 (as amended by the Finance Act, 2019). If such state-level demands persist or spread, they could create retrospective exposure and compliance ambiguity.

3. Information Technology

3.1. CERT-In flags privilege escalation risk in SonicWall SMA1000 appliances

The Indian Computer Emergency Response Team (“CERT-In”) flagged a local privilege escalation vulnerability in SonicWall SMA1000 secure remote access appliances, stating that insufficient authorisation checks in the Appliance Management Console could allow a low-privileged user to perform actions beyond assigned permissions and potentially gain elevated privileges, leading to unauthorised administrative access, configuration changes and compromise of appliance security. Affected versions include SonicWall SMA1000 releases prior to 12.4.3-03245 (platform-hotfix) and prior to 12.5.0-02283 (platform-hotfix), and CERT-In has advised applying the vendor updates referenced for CVE-2025-40602.

3.2. CERT-In warns of multiple high-severity vulnerabilities in Google Chrome for Desktop

CERT-In reported multiple vulnerabilities in Google Chrome for Desktop that could be exploited by a remote attacker to execute arbitrary code on a targeted system, with a high risk assessment and potential memory corruption impacts. The issues affect Google Chrome versions prior to 143.0.7499.146/.147 for Windows and Mac, and prior to 143.0.7499.146 for Linux, and arise due to out-of-bounds read/write in V8 and a use-after-free flaw in WebGPU, which may be triggered if a user visits a specially crafted or malicious webpage. CERT-In has advised users and organisations to apply the relevant vendor updates and has referenced CVE-2025-14765 and CVE-2025-14766.

3.3. CERT-In flags remote code execution risk in Microsoft Edge

CERT-In reported multiple vulnerabilities in Microsoft Edge (versions prior to 143.0.3650.96) that could allow a remote attacker to execute arbitrary code on a targeted system if a user is persuaded to visit a specially crafted webpage. The note attributes the issues to an out-of-bounds read/write in V8 and a use-after-free flaw in WebGPU, assesses a high risk of full system compromise or data theft, and advises users and organisations to apply the vendor updates referenced in Microsoft’s security release notes and vulnerability guide, including CVE-2025-14765 and CVE-2025-14766.

3.4. CERT-In flags critical RCE vulnerability in Cisco AsyncOS for Secure Email appliances

CERT-In reported a critical remote code execution vulnerability in Cisco AsyncOS Software affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances where the Spam Quarantine feature is enabled and reachable from the internet. Improper input validation could allow an unauthenticated remote attacker to send crafted network requests and execute arbitrary commands with root privileges, potentially taking complete control of the appliance. CERT-In noted that the vulnerability is being exploited in the wild and assessed the impact across confidentiality, integrity and availability. Pending vendor updates, it advised interim risk-reduction measures: restricting external access to the web management interface; disabling or limiting access to Spam Quarantine if it is not required; disabling HTTP access to administrative interfaces where feasible; monitoring logs for unusual activity, including unauthorised HTTP POST requests; and isolating and rebuilding affected appliances if compromise is suspected.

3.5. CERT-In flags authentication flaw enabling security restriction bypass in Synology DSM

CERT-In reported a high-severity security restriction bypass vulnerability in Synology DiskStation Manager (DSM) that could allow a remote attacker to gain unauthorised access and disclose sensitive information. The issue stems from a flaw in DSM’s authentication logic, where knowledge of a valid LDAP distinguished name (DN) may cause the system to incorrectly treat an unauthenticated request as authenticated, enabling bypass of intended security restrictions. Affected versions include DSM releases prior to 7.3.1-86003-1 and prior to 7.2.2-72806-5, and CERT-In has advised applying the fixes referenced in Synology’s security advisory for CVE-2025-13392.

3.6. CERT-In flags multiple vulnerabilities in Apache HTTP Server

CERT-In issued a vulnerability note (CIVN-2025-0373) on multiple vulnerabilities in Apache HTTP Server versions prior to 2.4.66. The issues could be exploited by a remote attacker to bypass security restrictions, disclose sensitive information, and cause a denial-of-service condition, with CERT-In assessing the severity as medium but the practical risk as high. The note attributes the vulnerabilities to issues including an integer overflow, Server Side Includes behaviour that adds a query string to `#exec cmd="..."` directives, configuration-related flaws when `AllowEncodedSlashes` is enabled and `MergeSlashes` is disabled, improper neutralisation of escape/meta/control sequences, and a `mod_userdir` plus `suexec` bypass, and it references CVE-2025-55753, CVE-2025-58098, CVE-2025-59775, CVE-2025-65082 and CVE-2025-66200. CERT-In has advised administrators to apply the relevant vendor updates referenced by Apache.
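The configuration condition named in the note (AllowEncodedSlashes enabled together with MergeSlashes disabled) can be checked mechanically; the Python audit below is an added example, not code from the digest, CERT-In or the Apache project. It assumes a constructed sample httpd.conf and an `httpd -v` style version banner, flags the risky directive combination, compares the reported version against 2.4.66, and shows the combination cleared by restoring MergeSlashes to its default of On; applying the vendor update remains the fix CERT-In advises.

```python
# Added example: audits an Apache httpd configuration for the directive
# combination named in the CERT-In note (AllowEncodedSlashes enabled while
# MergeSlashes is Off) and checks the reported version against 2.4.66.
# Not code from the digest, CERT-In or the Apache project.
import re

FIXED_VERSION = (2, 4, 66)  # release cited by CERT-In as carrying the fixes

# Constructed sample configuration (hypothetical, not a real deployment).
SAMPLE_CONF = """\
ServerName example.internal
# non-default: accept %2F in request paths
AllowEncodedSlashes On
# non-default: leave repeated slashes unmerged
MergeSlashes Off
<VirtualHost *:443>
    AllowEncodedSlashes NoDecode
</VirtualHost>
"""

def parse_directives(conf_text):
    """Return (directive, value) pairs, lower-cased, skipping comments and section tags."""
    pairs = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            pairs.append((parts[0].lower(), parts[1].strip().lower()))
    return pairs

def risky_slash_handling(conf_text):
    """True when AllowEncodedSlashes is anything but Off and MergeSlashes is Off."""
    pairs = parse_directives(conf_text)
    encoded_on = any(v != "off" for d, v in pairs if d == "allowencodedslashes")
    merge_off = any(v == "off" for d, v in pairs if d == "mergeslashes")
    return encoded_on and merge_off

def parse_version(banner):
    """Extract (major, minor, patch) from an 'httpd -v' banner; None if not found."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def needs_update(banner):
    """True when the banner reports a release older than FIXED_VERSION."""
    v = parse_version(banner)
    return v is not None and v < FIXED_VERSION

def hardened(conf_text):
    """Clear the risky combination by restoring MergeSlashes to its default, On."""
    return re.sub(r"(?im)^(\s*MergeSlashes\s+)Off\b", r"\g<1>On", conf_text)
```

Run the three checks together: `risky_slash_handling(SAMPLE_CONF)` reports the combination, `needs_update("Server version: Apache/2.4.65 (Unix)")` flags the pre-2.4.66 build, and `risky_slash_handling(hardened(SAMPLE_CONF))` confirms the directive change alone clears the named combination.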

3.7. CERT-In flags critical Fortinet auth bypass flaw tied to FortiCloud SSO SAML verification

CERT-In reported a critical authentication bypass vulnerability in Fortinet products, stating that improper verification of cryptographic signatures in a Security Assertion Markup Language (SAML) response used by the FortiCloud single sign-on (SSO) mechanism could allow a remote attacker to bypass authentication and gain unauthorised access by sending a specially crafted SAML assertion. The advisory lists affected versions across FortiOS (7.6.0–7.6.3, 7.4.0–7.4.8, 7.2.0–7.2.11, 7.0.0–7.0.17), FortiProxy (7.6.0–7.6.3, 7.4.0–7.4.10, 7.2.0–7.2.14, 7.0.0–7.0.21), FortiSwitchManager (7.2.0–7.2.6, 7.0.0–7.0.5) and FortiWeb (8.0.0, 7.6.0–7.6.4, 7.4.0–7.4.9), and notes that exploitation requires FortiCloud SSO to be enabled (not the default), but may be automatically activated when devices are registered via the FortiCare user interface unless explicitly disabled. CERT-In has advised applying vendor updates referenced for CVE-2025-59718 and CVE-2025-59719.

3.8. CERT-In flags multiple high-severity vulnerabilities in GitLab

CERT-In reported multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 18.6.2, 18.5.4 and 18.4.6, which could be exploited to disclose sensitive information, bypass authentication, perform cross-site scripting, and cause denial-of-service on the targeted system. The issues are attributed to weaknesses including improper input validation across components such as GraphQL endpoints, Commit API and ExifTool processing, an authentication bypass affecting WebAuthn users, and HTML injection/improper encoding in merge request titles, and CERT-In has advised organisations to apply the relevant vendor patch releases.

3.9. CERT-In flags multiple high-severity vulnerabilities in Mozilla Firefox

CERT-In warned of multiple vulnerabilities in Mozilla products, including Mozilla Firefox versions prior to 146.0.1, which could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition if a user is induced to open a specially crafted web request. The note attributes the issues to a use-after-free flaw in the Disability Access APIs component and additional memory-safety bugs and assesses a high risk of unauthorised access to sensitive information with potential impacts including data theft, sensitive information disclosure, and complete compromise of the system. CERT-In has advised users and organisations to apply the vendor updates referenced in Mozilla’s security advisory, and it has listed CVE-2025-14860 and CVE-2025-14861 as the relevant identifiers.

4. Tax

4.1. Income Tax Department releases FAQs on section 80G deductions

On December 18, 2025, the Income Tax Department released FAQs relating to section 80G of the Income-tax Act, 1961. The FAQs are intended to clarify practical and procedural aspects around claiming deduction for eligible donations under section 80G, including documentation and compliance-related points.


Disclaimer


The note is prepared for knowledge dissemination and does not constitute legal, financial or commercial advice. AK & Partners or its associates are not responsible for any action taken based on its contents.


For further queries or details, you may contact:


Mr Anuroop Omkar

Founding Partner, AK & Partners



C 18, 3rd Floor, LSC 1,

Above IndusInd Bank,

C Block Market,

Vasant Vihar,

New Delhi 110057

Office: +91 11 41727676

info@akandpartners.in


© 2025 | AK & Partners
