AKP Corporate & Compliance Digest October 27, 2025

  • Writer: AK & Partners

We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.


1.  Labour Law

 

1.1.  Pension Fund Regulatory and Development Authority issues consultation paper on alignment of valuation guidelines with the core objectives of long-only funds

Pension Fund Regulatory and Development Authority (PFRDA) issued a consultation proposing a dual valuation framework for Government Securities (G-Secs) held in the National Pension System (NPS) and Atal Pension Yojana (APY). It would place long-dated, less-liquid G-Secs in Held to Maturity (HTM) on an accrual basis and keep the remainder Mark to Market (MTM) for daily Net Asset Value (NAV) computation to reduce short-term interest-rate volatility. The paper defines two buckets, HTM and Available for Sale (AFS), and seeks views on the portion valued on accrual, indicating 10 to 60 per cent (ten to sixty per cent), and on criteria such as residual maturity or modified duration and guardrails for switching. Comments are due by November 30, 2025, via email or post.

 

2.  Stock Exchanges

 

2.1. CDSL amends BO upload and UDiFF for Nomination Phase III

Central Depository Services (India) Limited (CDSL) issued a Communiqué revising the Beneficial Owner (BO) upload file format for Nomination Phase III and updating the Uniform Depository Interface File Format (UDiFF) catalogue to version v2.0.0.4. The update resolves a duplicate ISO tag by renaming the field “Absolute Limit For Incapacitation Utilized” from “AbsLimitForIncap” to “AbsLimitForIncapUtil”. It consolidates standard values introduced on an interim basis, refreshes the change log, and provides revised Annexures A (BO Upload), B (DPZ5 and DPZ6 – Client Master Report), and C (DPB9 – Client Master Report). Depository Participants (DPs) are instructed to implement back-office changes, with the functionality scheduled to go live on December 12, 2025, end-of-day.

 

2.2.  BSE mandates BEFS submission of half-yearly internal audit report

Bombay Stock Exchange (“BSE”) issued a notice requiring all trading members to complete the internal audit for the half-year ended September 30, 2025, and submit the report through the BSE Electronic Filing System (BEFS) by November 30, 2025. The audit must be conducted only by independent practising Chartered Accountants, Company Secretaries or Cost and Management Accountants with no conflict, and from this cycle the Exchange will accept reports certified by an empanelled auditor only, with appointment and rotation per the Securities and Exchange Board of India (SEBI) circular dated September 26, 2016. Auditors must follow revised sampling guidance, quantify each “not complied” observation with instances and value, include a Unique Document Identification Number (UDIN), and retain working papers. Members must also file the half-yearly undertaking that penalties for short or non-collection of upfront margins are not passed to clients, and note submission is complete only on receipt of the Exchange’s acknowledgement email; late or incomplete reports attract action under the Exchange’s penalty circular.

 

2.3.  NSE sets deadline on client collateral segregation portal

National Stock Exchange (NSE) notified members that the new “Segregation and Monitoring of Collateral at Client Level” portal will remain available only until 10:00 PM on October 28, 2025, due to system enhancements, and instructed them to submit the client-collateral segregation report by that time. The circular also recalls the earlier requirement, dated August 26, 2025, to use the new portal for uploads.

 

3. Information Technology

 

3.1.  CERT-In issues high-severity advisory on multiple vulnerabilities in Oracle products

Indian Computer Emergency Response Team (“CERT-In”) issued Advisory CIAD-2025-0039 warning of multiple flaws across 5 (five) Oracle product families—Oracle MySQL, Java Standard Edition (Java SE), Oracle Database Server, Oracle WebLogic Server, and VirtualBox. The vulnerabilities could enable remote code execution, elevation of privilege, denial of service, data manipulation, sensitive information disclosure, and security restriction bypass, resulting in unauthorised access, system instability, or complete compromise. Organisations using the affected products should review Oracle’s October 2025 security update and apply vendor fixes without delay.

 

3.2. CERT-In warns of high-severity vulnerabilities across Ivanti products

CERT-In issued Vulnerability Note CIVN-2025-0276 on multiple flaws in Ivanti Endpoint Manager (EPM) 2024 SU3 SR1 and prior, EPM 2022 SU8 SR2 and prior, Ivanti Endpoint Manager Mobile (EPMM) before 12.6.0.2, 12.5.0.4 and 12.4.0.4, and Ivanti Neurons for Mobile Device Management (MDM) before R118 and R119. The issues include insecure deserialization, path traversal, Structured Query Language (SQL) injection, operating system command injection, missing authorisation, multi-factor authentication (MFA) bypass, and missing authentication. Successful exploitation could enable privilege escalation, arbitrary code execution, authentication bypass, data theft, and system compromise. Users should review vendor advisories and apply patches without delay.

 

3.3. CERT-In issues critical advisory on HTTP request smuggling in ASP.NET Core

CERT-In released Vulnerability Note CIVN-2025-0277 on a critical flaw in ASP.NET Core’s Kestrel web server. The issue arises from inconsistent parsing of malformed Hypertext Transfer Protocol (HTTP) requests and can enable request smuggling. An attacker could bypass security controls, access unintended resources, tamper with requests, or cause denial-of-service. Affected software includes ASP.NET Core versions 2.3, 8.0, and 9.0 and Microsoft Visual Studio 2022 versions 17.10, 17.12, and 17.14. Risk is high for unauthorised access, information disclosure, and service unavailability. Administrators should apply vendor fixes immediately.

 

3.4. CERT-In warns of critical auth bypass in WordPress Service Finder Bookings plugin

CERT-In issued Vulnerability Note CIVN-2025-0278 on a critical authentication bypass in the WordPress plugin Service Finder Bookings affecting versions prior to 6.1 (six point one). The flaw stems from improper validation of user cookie values before session authentication and can let an unauthenticated attacker log in as any user, including administrators. This creates a high risk of unauthorised access and potential full account compromise. Users of the affected plugin should upgrade to version 6.1 (six point one) or later and review access logs.

 

3.5. CERT-In flags critical input-validation flaw in Adobe Commerce and Magento

CERT-In issued Vulnerability Note CIVN-2025-0279 on a critical input-validation vulnerability in Adobe Commerce, Adobe Commerce Business-to-Business (B2B) and Magento Open Source, affecting multiple branches including versions prior to 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12 and 2.4.5-p14. The weakness lies in the Representational State Transfer (REST) application programming interface (“API”) and allows an unauthenticated attacker to bypass security features via crafted API requests, creating high risk of unauthorised access, data theft, remote code execution or full system compromise. The note confirms active exploitation and identifies the issue as Common Vulnerabilities and Exposures (CVE)-2025-54236.

 

3.6.  CERT-In warns of high-severity flaws in ISC BIND

CERT-In issued Vulnerability Note CIVN-2025-0280 on multiple issues in Internet Systems Consortium (ISC) Berkeley Internet Name Domain (BIND) affecting the 9.16.x to 9.21.x release lines, including Supported Preview Edition builds. The weaknesses include malformed Domain Name System Key (DNSKEY) handling that can exhaust Central Processing Unit resources, a pseudo-random number generator weakness exposing source ports and query identifiers, and lenient record acceptance that enables forged-record injection. Successful exploitation can enable Domain Name System (DNS) cache poisoning, traffic redirection, or Denial-of-Service (DoS), creating a high risk of disruption.

 

3.7. CERT-In flags XSS flaw in Cisco BroadWorks CommPilot

CERT-In issued Vulnerability Note CIVN-2025-0275 on a cross-site scripting (XSS) weakness in the web-based management interface of Cisco BroadWorks CommPilot Application Software. The issue stems from insufficient validation of user input and could let an authenticated remote attacker inject arbitrary scripts against users of the interface. Severity is Medium. Risks include data manipulation, service disruption, and impact on confidentiality, integrity, and availability. Administrators should implement fixes as per the Cisco advisory.

 

4. Tax

 

4.1.  Goa extends Goods and Services Tax Return Form 3B deadline for September 2025 monthly and July–September 2025 quarterly returns

Commissioner of State Taxes, Goa, using Section 39(6) read with Section 168 of the Goa Goods and Services Tax Act, 2017, extended the time to furnish Goods and Services Tax Return Form 3B (GSTR-3B) on the common portal: for the month of September 2025 under Section 39(1) until October 25, 2025, and for quarterly filers for July–September 2025 under the proviso to Section 39(1) until October 25, 2025. The notification references Central Board of Indirect Taxes and Customs (CBIC) Notification No. 17/2025-Central Tax dated October 18, 2025, and applies to registered persons in Goa.

 

 

 



Disclaimer


The note is prepared for knowledge dissemination and does not constitute legal, financial or commercial advice. AK & Partners or its associates are not responsible for any action taken based on its contents.


For further queries or details, you may contact:


Mr Anuroop Omkar

Founding Partner, AK & Partners

