AKP Corporate & Compliance Digest December 29, 2025
- AK & Partners

- Dec 29, 2025
We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.
1. Labour Law
1.1. Madhya Pradesh tightens inspection controls for small establishments
The Labour Department, Government of Madhya Pradesh, notified that establishments employing fewer than 20 (twenty) employees will not be inspected without prior permission of the State Government. Inspections of such establishments are not to be carried out by an Inspector without prior approval of the Labour Commissioner or a person authorised by the Labour Commissioner.
1.2. Ministry of Social Justice and Empowerment published draft amendments to the Rights of Persons with Disabilities Rules, 2017
The Ministry of Social Justice and Empowerment published draft amendments to the Rights of Persons with Disabilities Rules, 2017 under the Rights of Persons with Disabilities Act, 2016, to insert a new clause in Rule 15 providing “Non-negotiable Accessibility Standards for Building and Built Environment”. The draft defines “non-negotiable standards” as standards effective from notification, with non-compliance attracting consequences under the Act, including refusal of building permission/sanction, refusal of completion/occupation certificate, and imposition of penalties, and states that the standards (set out in the Schedule) are derived from and to be read harmoniously with the National Building Code of India and Indian Roads Congress codes as updated from time to time. The standards would apply to buildings and built environment including temporary structures and publicly used spaces within group housing, whether owned/controlled by Government or private establishments, and would require disclosure of accessibility features on websites and on-site in accessible formats, as well as an accessibility audit (with representation of persons with disabilities and accessibility experts) before permissions and completion/occupation certificates are issued. The draft also provides for immediate enforcement for projects where completion certificate has not been issued or which are not yet occupied, requires responsible establishments to designate officers and processes within 3 (three) months, and provides for review every 3 (three) years, while inviting objections and suggestions within 30 (thirty) days from the date the Official Gazette is made available to the public.
2. Stamp Duty
2.1. Tamil Nadu introduces set-off mechanism to avoid double stamp duty on first-sale homes via composite sale deeds
The Government of Tamil Nadu approved a set-off mechanism so that homebuyers who had already paid stamp duty and registration fees on registered construction agreements (on or before November 30, 2023) could set off those amounts against the stamp duty and registration fees payable when registering the composite sale deed (land plus building), addressing complaints of double payment after composite registrations were permitted. The direction was stated to take immediate effect across the State and was linked to implementation under the Indian Stamp Act, 1899 and the Registration Act, 1908.
3. Stock Exchanges
3.1. NSE reiterates curbs on brokers distributing third-party lending products
National Stock Exchange of India Limited (“NSE”) clarified, via its Inspection Department circular dated December 22, 2025, that stock brokers, even if registered as research analysts, must comply with the NSE framework on distribution of third-party products and are not permitted to engage as distributors in lending products such as home loans, vehicle loans, personal loans, education loans, or loans against securities, except lending products specifically permitted by the Securities and Exchange Board of India (“SEBI”) from time to time (for example, margin trading facility and T+1+5 funding). The clarification follows SEBI’s July 23, 2025, frequently asked questions on research analyst regulatory provisions, and observations that some trading members who are also research analysts were distributing banking loan products.
3.2. BSE extends deadline for trading members to upload client KYC records to KRAs
Bombay Stock Exchange (“BSE”) extended the timeline for Trading Members to upload clients’ Know Your Customer (“KYC”) records to KYC Registration Agencies (“KRAs”) for validations up to January 30, 2026, after receiving extension requests from multiple members. This follows SEBI requirements that KYC details be uploaded to KRAs within 3 (three) working days from completion of the KYC process (revised from 10 (ten) working days) and reiterates that only clients whose KRA status is “KYC Registered” or “KYC Validated” are permitted to trade. BSE stated that clients whose documents are not validated by KRAs will neither be permitted to trade nor be allowed to square up open positions, and directed members to monitor such clients’ open positions and take measures to ensure compliance.
3.3. NSDL shifts DIS image storage and uploads to e-PASS DMS module
National Securities Depository Limited (“NSDL”) has migrated the Delivery Instruction Slip (“DIS”) scanning and tamper-proof storage workflow from the DIS Image Validation System (DIVS) and the DIS Management System (“DMS”) to the DMS module on the NSDL e-PASS portal, which will go live from January 1, 2026. Participants using DMS on NSDL’s cloud will have DIS and annexure images for the last 8 (eight) years, from January 1, 2018, to December 31, 2025, migrated to the e-PASS DMS module. Participants using on-premises DMS must migrate the same 8 (eight) years’ data to e-PASS with NSDL helpdesk support. Participants not subscribed to DMS must upload e-signed scanned DIS and annexure images for the same 8 (eight) years from their own tamper-proof storage to e-PASS from January 1, 2026. NSDL will also provide DIS serial numbers and daily DIS processing data on e-PASS to help identify pending scans, and participants must upload scanned DIS and annexures on a T+1 basis for DIS processed from January 1, 2026.
3.4. NSDL directs waiver of AMC for demat accounts pending closure with suspended, illiquid or delisted holdings
NSDL modified point 35 (thirty-five) of Chapter 8 (eight) (Fees and Charges) of the NSDL Master Circular for Participants – 2025, based on an advisory from SEBI, to require Participants to not levy Annual Maintenance Charges (AMC) on demat accounts where the client has requested account closure, the account holds only securities that are in suspended status or illiquid or delisted for trading (and/or have pending rematerialisation requests), and the client authorises removal of the standing instruction to receive credits, in which case Participants also need not provide transaction and holding statements. NSDL further directed Participants to update such accounts to “To Be Closed” status after verifying conditions including that the account is not frozen for regulatory reasons (such as Know Your Customer deficiency), the client is not debarred, the holdings are not pledged / held / encumbered, the issuer is not under insolvency or liquidation under the Insolvency and Bankruptcy Code, 2016, and there are no outstanding dues. NSDL also stated that it will share month-end International Securities Identification Number (ISIN) status details received from exchanges through the NSDL e-PASS Portal starting January 5, 2026, with the related system change planned for end of day January 2, 2026 and an interim process to auto-mark certain rejected closure requests as “To Be Closed”.
3.5. NSE extends timeline for trading members’ Cyber Security and Cyber Resilience Audit submissions
NSE extended the submission timelines for the preliminary Cyber Security and Cyber Resilience Audit report for eligible trading members, following representations from market participants and in consultation with SEBI. The circular refers to NSE’s earlier circular dated November 10, 2025, on the SEBI Cyber Security and Cyber Resilience Framework (SEBI-CSCRF), under which qualified regulated entities and mid-size or small-size regulated entities providing internet-based trading or algorithmic trading facility were required to conduct half-yearly audits for the period ending September 30, 2025. For the half-yearly audit period April 2025 to September 2025, the revised due dates are January 31, 2026, for submission of the preliminary audit report and April 30, 2026, for the action taken report.
3.6. NSE permits broker app referrals for bank/NBFC products under third-party distribution rules
NSE, through an Inspection Department circular dated December 24, 2025, clarified that references on stockbrokers’ apps or platforms to banking products offered by banks or Non-Banking Financial Companies (NBFC) will be permitted where such references are structured as referral arrangements and are compliant with NSE’s third-party product distribution guidelines.
3.7. NCL mandates new portal for Penalty Review Requests
NSE Clearing Limited (“NCL”) directed members and custodians to submit all new penalty review requests only through its new member portal and noted that the facility on the earlier portal will be disabled shortly, while existing review requests lodged on the old portal will continue to be processed there. NCL reiterated that penalty review requests must be raised via the portal (email requests will not be considered) and that discrepancies should ordinarily be reported within 7 (seven) working days of the penalty being made available, with delays requiring justification. NCL also set out submission requirements, including uploading a single comma-separated values (CSV) file in a single zip folder for each request (maximum 200 (two hundred) MB) and supporting documents as a single portable document format (PDF) file in a single zip folder (maximum 15 (fifteen) MB), and stated that communications and comments on review requests will be provided through the portal.
4. Information Technology
4.1. CERT-In flags high-severity authentication bypass in Linksys E9450-SG router
Indian Computer Emergency Response Team (“CERT-In”) issued Vulnerability Note CIVN-2025-0386 on December 26, 2025, rating as “High” an authentication bypass vulnerability affecting Linksys E9450-SG routers running version 1.2.00.052. The issue arises due to missing authentication for a critical function, allowing a remote attacker to send a specially crafted URL to access certain administration functions without login credentials. CERT-In assessed the risk as potentially enabling unrestricted access to sensitive system and configuration files, impacting confidentiality, integrity and availability, and advised users and administrators to apply appropriate vendor updates.
4.2. CERT-In flags high-severity early-boot DMA flaws across multiple motherboard vendors
CERT-In issued Vulnerability Note CIVN-2025-0385 on December 24, 2025, rating as “High” multiple vulnerabilities affecting certain ASRock, ASUS, GIGABYTE, MSI and AMD platform motherboards across various Intel 500/600/700/800 series and other listed chipsets. CERT-In states the issue arises from improper enforcement of Direct Memory Access (DMA) protections during the early boot phase, which could allow a local attacker with physical access to use a malicious PCIe device to access system memory before the operating system loads, resulting in potential elevation of privilege and compromise of system integrity. CERT-In advised applying security updates released by the respective vendors and referenced CVE-2025-11901, CVE-2025-14302, CVE-2025-14303, and CVE-2025-14304.
4.3. CERT-In flags critical remote code execution vulnerability in HPE OneView
CERT-In issued Vulnerability Note CIVN-2025-0384 on December 24, 2025, rating as “Critical” a remote code execution vulnerability affecting all Hewlett Packard Enterprise (HPE) OneView Software versions through v10.20. CERT-In states the issue arises due to improper input validation, enabling a remote unauthenticated attacker to send specially crafted network requests and execute arbitrary code on the targeted system, with potential system compromise, service disruption, and sensitive data exposure. CERT-In advised applying the vendor’s software updates and referenced CVE-2025-37164.
4.4. CERT-In flags high-severity vulnerabilities in React Server Components
CERT-In issued Vulnerability Note CIVN-2025-0383 on December 24, 2025, rating as “High” multiple vulnerabilities in React Server Components (RSC) affecting react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack versions prior to 19.0.3, 19.1.4 and 19.2.3. CERT-In stated that improper handling of stringified arguments in HTTP requests sent to Server Function (Server Action) endpoints could be exploited through specially crafted HTTP requests, leading to denial-of-service (DoS) conditions and exposure of sensitive source code and application data. CERT-In advised applying vendor updates, and referenced CVE-2025-55184, CVE-2025-67779 and CVE-2025-55183.
4.5. CERT-In flags high-severity information disclosure vulnerability in MongoDB
CERT-In issued Vulnerability Note CIVN-2025-0382 on December 23, 2025, rating as “High” an information disclosure vulnerability affecting multiple MongoDB server versions, including MongoDB 8.2.0 to 8.2.3, 8.0.0 to 8.0.16, 7.0.0 to 7.0.26, 6.0.0 to 6.0.26, 5.0.0 to 5.0.31, 4.4.0 to 4.4.29, and all MongoDB Server v4.2, v4.0 and v3.6 versions. CERT-In stated that mismatched length fields in zlib-compressed protocol headers can cause an out-of-bounds read of uninitialised heap memory, which could allow a remote attacker to access sensitive information on the targeted system, and advised users and administrators to apply vendor updates.
4.6. CERT-In flags high-severity remote code execution flaw in WatchGuard Fireware and urges patching
CERT-In issued Vulnerability Note CIVN-2025-0381 on December 22, 2025, rating as “High” a remote code execution vulnerability affecting WatchGuard Firebox Fireware OS (including Fireware OS 2025.1 versions prior to 2025.1.4, Fireware OS 12.0 versions prior to 12.11.6, and Fireware OS 11.x versions from 11.10.2 through 11.12.4_Update1). CERT-In stated the issue arises from an out-of-bounds write flaw in the IKEv2 (iked) process that could be exploited by a remote unauthenticated attacker via specially crafted IKEv2 traffic, potentially resulting in complete system compromise, and noted that the vulnerability is being exploited in the wild, advising urgent patching by upgrading to the latest vendor versions.
4.7. CERT-In flags medium-severity CSRF vulnerability in Acquia Content Hub module for Drupal
CERT-In issued Vulnerability Note CIVN-2025-0380 on December 22, 2025, rating as “Medium” a cross-site request forgery (CSRF) vulnerability affecting the Acquia Content Hub module for Drupal prior to versions 3.6.4 and 3.7.3. CERT-In stated that improper validation of CSRF tokens in the module’s content export routes could allow an attacker to induce an authenticated administrator to trigger a crafted request, resulting in unauthorised export and potential disclosure of sensitive content, with a moderate risk assessment and potential for data theft. CERT-In advised upgrading to the fixed versions referenced in the Drupal security advisory SA-CONTRIB-2025-125.
4.8. CERT-In flags critical hard-coded credential flaws in NVIDIA Isaac Launchable
CERT-In issued Vulnerability Note CIVN-2025-0388 on December 26, 2025, rating as “Critical” multiple vulnerabilities in NVIDIA Isaac Launchable affecting all versions prior to 1.1. CERT-In stated that NVIDIA Isaac (libraries, frameworks and AI models for AI robot development, including autonomous mobile robots) contains hard-coded credentials and runs with unnecessary privileges, enabling unauthorised access and increasing exploitability. Successful exploitation could allow a remote attacker to execute arbitrary code, escalate privileges, bypass authentication, launch denial-of-service attacks, disclose sensitive information, and tamper with data (including corrupting simulations or underlying datasets), potentially resulting in full system compromise. CERT-In advised applying vendor patches as per NVIDIA’s security bulletin, referencing CVE-2025-33222, CVE-2025-33223 and CVE-2025-33224.
4.9. CERT-In flags critical remote code execution flaw in n8n workflow automation platform
CERT-In issued Vulnerability Note CIVN-2025-0387 on December 26, 2025, rating as “Critical” a remote code execution vulnerability in n8n Workflow Automation Platform versions prior to 1.120.4, 1.121.1, and 1.122.0. CERT-In states that an authenticated attacker with workflow creation or modification privileges could exploit improper isolation in workflow expression evaluation by crafting malicious expressions, leading to execution of arbitrary code with the privileges of the n8n service process. Successful exploitation could result in full compromise of the n8n instance, exposure of sensitive workflow data and credentials, modification of workflows, disruption of services, and potential lateral movement within the environment. CERT-In advises applying vendor updates and identifies the issue as CVE-2025-68613.
5. Tax
5.1. CBDT nudges taxpayers to voluntarily correct potentially ineligible deduction and exemption claims
Central Board of Direct Taxes (“CBDT”) stated that risk analytics under its risk management framework have identified cases for Assessment Year 2025–26 where taxpayers may have claimed ineligible refunds by availing deductions or exemptions they are not entitled to, including instances involving bogus donations to Registered Unrecognised Political Parties (RUPPs), incorrect or invalid Permanent Account Numbers (PANs) of donees, and errors in the extent of deductions/exemptions claimed. Identified taxpayers are being contacted via SMS and email under the “Non-intrusive Usage of Data to Guide and Enable (NUDGE)” campaign to correct errors, given the due date for filing revised Income-tax Returns (“ITRs”) by December 31, 2025. CBDT reported that during Financial Year 2025–26, more than 21 lakh (twenty-one lakh) taxpayers updated ITRs for Assessment Years 2021–22 to 2024–25 and paid more than INR 2,500 crore (Indian Rupees Two Thousand Five Hundred Crore only) in taxes, and more than 15 lakh (fifteen lakh) ITRs have already been revised for Assessment Year 2025–26. CBDT advised taxpayers to review and revise returns, if required, by December 31, 2025, to avoid further enquiries, clarified that genuine claims require no action, and noted that an updated return may still be filed from January 1, 2026, as permitted under law, subject to additional tax liability.
Disclaimer
The note is prepared for knowledge dissemination and does not constitute legal, financial or commercial advice. AK & Partners or its associates are not responsible for any action taken based on its contents.
For further queries or details, you may contact:
Mr Anuroop Omkar
Founding Partner, AK & Partners




