AKP Corporate & Compliance Digest September 29, 2025
- AK & Partners
- Sep 29
We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.
1. Labour Law
1.1. EPFO launches revamped ECR for wage month September 2025
Employees’ Provident Fund Organisation (EPFO) issued a Circular launching a revamped Electronic Challan-cum-Return (ECR) for employers, effective for wage month September 2025 onwards; employers are directed to file using the new module and may refer to the user manual available on the For Employers portal.
1.2. Delhi Labour Dept advisory: ensure statutory bonus for outsourced workers before Deepawali
The Labour Department, Government of National Capital Territory of Delhi (GNCTD) issued an advisory reminding principal employers to ensure contractors pay statutory bonus to outsourced workers under the Payment of Bonus Act, 1965, which mandates a minimum 8.33 per cent (eight point three three per cent) of basic pay plus dearness allowance and payment within 8 (eight) months of the close of the accounting year, with customary payout before Deepawali; establishments employing 20 (twenty) or more workers on any day during the year are covered, non-payment can attract prosecution and recovery as arrears, and principal employers are reminded of their oversight duties.
2. Stamp Duty
2.1. West Bengal: Circle-rate rationalisation impacts stamp base values
The state government has rationalised circle rates in some localities in Kolkata and neighbouring Salt Lake and New Town, where a recent 80 per cent (eighty per cent) to 90 per cent (ninety per cent) rate revision had sharply increased the stamp duty and registration fee burden on homebuyers. In places like Bonhoogly on BT Road, the upward revision has been rationalised from 88 per cent (eighty-eight per cent) to 53 per cent (fifty-three per cent). At Mahishnathan, the circle rate has been revised from 87 per cent (eighty-seven per cent) to 54 per cent (fifty-four per cent).
2.2. Rajasthan: Senior Jt. Legal Remembrancer named State Stamp Collector
The Finance Department designated the Senior Joint Legal Remembrancer as the “Collector” for the whole state under the Rajasthan stamp framework, conferring statewide jurisdiction for stamp adjudication and recovery functions.
3. Stock Exchanges
3.1. NSDL reiterates October 31 deadline for DPs’ net worth certificate and audited financials
National Securities Depository Limited (“NSDL”) issued a guidance note directing Depository Participants (DPs) to submit, annually by October 31, a Chartered Accountant–certified net worth certificate prepared as per the enclosed computation format and their audited financial statements, via the e-PASS filing system; the note references NSDL Bye-laws on annual submissions and standardises calculation and documentation to reduce deficiencies observed in prior filings.
3.2. BSE extends KRA KYC upload deadline to January 2, 2026; non-validated PANs barred
BSE extended to January 2, 2026 the deadline for Trading Members to upload Know Your Customer (“KYC”) records to KYC Registration Agencies (“KRAs”) and validate client statuses, after finding gaps between Permanent Account Numbers (PANs) in the Uniform Client Code (UCC) database and KRA records; under SEBI rules, intermediaries must upload KYC within 3 (three) working days (earlier 10 (ten) working days), clients may transact upon KYC completion but must stop if attributes remain unverified, and from the extended cut-off only clients with KRA status “KYC Registered” or “KYC Validated” may trade, while PANs not validated by KRAs will be blocked from trading and from squaring off open positions, with members told to monitor such exposures and liaise with KRAs.
3.3. BSE updates retail algo-trading modalities: API-only access, ISO 27001, VAPT proofs
BSE updated its “Safer participation of retail investors in Algorithmic trading” modalities, clarifying that Algorithm Providers (APs) may access the exchange only via Trading Member application programming interfaces (APIs) and may not connect directly to BoltPro or other exchange software; undertakings are recast to ensure product compatibility and distinct identifiability, provisional empanelment requires ISO/IEC 27001:2022 with completion within 3 (three) months, declarations must cover cyber incidents and half-yearly Vulnerability Assessment and Penetration Testing (“VAPT”) with Action Taken Reports from Computer Emergency Response Team-India (“CERT-In”) empanelled auditors, the form changes “IT Business” to “Fintech Business” and deletes a legacy auditor-certificate clause, and any court-ordered interim deposit to BSE is capped at the provider’s average annual algo revenue over the last 3 (three) audited years unless mutually agreed higher.
3.4. NSE sets FY 2025–26 VAPT timelines; QSBs retain half-yearly cycle
National Stock Exchange of India Limited (“NSE”) directed trading members to comply with SEBI Cybersecurity and Cyber Resilience Framework (“CSCRF”) timelines for VAPT: Self certification/Small/Mid/Qualified Regulated Entities (“REs”) must conduct VAPT via a Computer Emergency Response Team-India (“CERT-In”) auditor by June 30, 2026, submit the report by July 31, 2026, and file an Action Taken Report or revalidation by November 30, 2026; Qualified Stock Brokers (“QSBs”) and REs designated as ‘protected systems’ or Critical Information Infrastructure follow half-yearly submissions by December 31, 2025 for April–September 2025 and by June 30, 2026 for October 2025–March 2026, with closure reports due March 31, 2026 and September 30, 2026 respectively; scope must cover all critical assets per Annexure-L of the CSCRF, explicit vulnerability details should not be filed unless sought under SEBI’s August 28, 2025 clarification, firms must retain detailed reports and proofs-of-concept for 3 (three) years, and auditor selection requires CERT-In empanelment and conflict-free engagement.
4. Information Technology
4.1. CERT-In flags critical command injection in Fortra GoAnywhere MFT
In a vulnerability note, CERT-In reported a critical command-injection flaw in Fortra GoAnywhere Managed File Transfer (MFT) affecting versions prior to 7.8.4 (seven point eight point four) and the Sustain release prior to 7.6.3 (seven point six point three); the issue in the License Servlet’s handling of untrusted licence responses can enable remote arbitrary code execution and full server compromise, with high risk of operational disruption and data exposure; organisations should apply the vendor’s security updates referenced in Fortra advisory FI-2025-012 and track Common Vulnerabilities and Exposures (CVE) identifier CVE-2025-10035.
4.2. CERT-In flags SolarWinds Web Help Desk unauthenticated RCE
CERT-In warned of a Critical remote code execution (RCE) vulnerability in SolarWinds Web Help Desk caused by an unauthenticated AjaxProxy deserialization flaw, tracked as CVE-2025-26399 and affecting versions 12.8.7 and earlier; the vendor has issued Hotfix 1 for 12.8.7, and administrators should patch immediately to prevent complete system compromise.
4.3. CERT-In flags High-severity GitLab flaws
CERT-In issued Vulnerability Note CIVN-2025-0224 on multiple GitLab Community and Enterprise Edition bugs allowing sensitive data exposure, Server-Side Request Forgery (SSRF), and denial of service; instances running versions prior to 18.3.2 (eighteen point three point two), 18.2.6 (eighteen point two point six) and 18.1.6 (eighteen point one point six) are affected, the severity is High, and administrators should apply GitLab’s September 10, 2025 patch release and review listed CVEs.
4.4. CERT-In flags “Shai-Hulud” npm supply-chain worm; urges immediate dependency and credential hygiene
CERT-In issued Advisory CIAD-2025-0034 on a supply-chain attack dubbed the “Shai-Hulud” worm targeting the Node Package Manager (“npm”) ecosystem; parallel analyses report the self-replicating malware has compromised over 500 (five hundred) packages by stealing publisher credentials and republishing trojanised versions, often via malicious GitHub Actions, risking widespread downstream compromise; recommended actions include auditing and pinning dependencies, removing or updating affected packages, revoking and rotating npm and GitHub tokens, and reviewing build pipelines for exfiltration indicators per guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and security researchers.
4.5. CERT-In warns of unrestricted FTP flaw in Syrotech GPON router
CERT-In reported a High-severity vulnerability in Syrotech SY-GPON-2010-WADONT routers running firmware V2.1.05-210329 that allows remote attackers to access configuration and other sensitive files via an improperly controlled File Transfer Protocol (FTP) service using default credentials; users should upgrade to firmware V2.1.08-241213 and note the mapping to CVE-2024-10957.
4.6. CERT-In flags critical Microsoft Edge flaws with active exploit
CERT-In issued Vulnerability Note CIVN-2025-0222 warning that multiple vulnerabilities in Microsoft Edge prior to version 140.0.3485.81 allow security bypass and remote code execution, rated CRITICAL, with CVE-2025-10585 confirmed as actively exploited; organisations and users are advised to update promptly per Microsoft’s September 18, 2025, security release notes and linked CVE advisories.
4.7. CERT-In: Cisco Catalyst 9000 IOS XE DoS flaw; patch now
CERT-In issued Vulnerability Note CIVN-2025-0231 on a High-severity denial-of-service vulnerability in Cisco IOS XE for Catalyst 9000 Series Switches, where crafted Ethernet frames can block an egress port and drop all outbound traffic; tracked as CVE-2025-20311, the issue enables an unauthenticated adjacent attacker to disrupt switching, and administrators should apply Cisco’s September 2025 updates without delay.
4.8. CERT-In warns of high-severity flaws in Red Hat JBoss AMQ Broker and Apache Kafka
CERT-In issued Vulnerability Note CIVN-2025-0220 on multiple flaws in Red Hat JBoss products that could enable remote code execution or denial-of-service, affecting Red Hat JBoss Middleware AMQ Broker prior to version 7.12.5 (seven point twelve point five) and Red Hat JBoss Middleware Apache Kafka prior to version 3.0.1 (three point zero point one); the note flags high risk of unauthorised access and authentication bypass, lists Common Vulnerabilities and Exposures (CVE) identifiers CVE-2025-48734, CVE-2025-49146, CVE-2025-48924 and CVE-2025-55163, and advises immediate patching per Red Hat advisories RHSA-2025:16409 and RHSA-2025:16407.
5. Tax
5.1. GSTAT launched with e-Courts; staggered appeal filing allowed till June 30, 2026
The Union Minister of Finance launched the Goods and Services Tax Appellate Tribunal (“GSTAT”) in New Delhi, establishing a specialised appellate forum with a Principal Bench in New Delhi and 31 (thirty-one) State Benches across 45 (forty-five) locations to improve consistency and predictability in indirect tax dispute resolution; a GSTAT e-Courts Portal was also unveiled to enable online filing, case tracking and virtual hearings, with staggered filing of appeals permitted up to June 30, 2026.
5.2. CBDT extends audit-report filing deadline for AY 2025–26 to October 31, 2025
The Central Board of Direct Taxes (CBDT) extended the “specified date” for furnishing tax audit reports under the Income-tax Act, 1961 for Previous Year 2024–25 (Assessment Year 2025–26) from September 30, 2025 to October 31, 2025 for assessees covered by clause (a) of Explanation 2 to Section 139(1); the move follows representations citing flood-related disruptions. The e-filing portal is stated to be stable: 4,02,000 (four lakh two thousand) Tax Audit Reports had been uploaded by September 24, 2025, including 60,000 (sixty thousand) that day, and 7.57 (seven point five seven) crore Income Tax Returns had been filed by September 23, 2025. A formal order is to follow.
Disclaimer
The note is prepared for knowledge dissemination and does not constitute legal, financial or commercial advice. AK & Partners or its associates are not responsible for any action taken based on its contents.
For further queries or details, you may contact:
Mr Anuroop Omkar
Founding Partner, AK & Partners