Overview
Axion Core Technologies is issuing this advisory to all Nigerian financial institutions following confirmed reports of cyber actors actively targeting misconfigured and outdated process flow applications — specifically ProcessMaker — in banking environments. Exploitation of these vulnerabilities could allow attackers to gain unauthorised access to internal banking workflows, manipulate financial transactions, and move laterally within the institution’s network.
This advisory aligns with guidance recently issued by the Committee of CISOs of Nigerian financial institutions and is being shared to ensure broad awareness across the sector.
Affected Systems
ProcessMaker versions earlier than 3.9.3 (released September 2025) are confirmed to carry significantly higher risk. However, any version deployed with external internet exposure, default credentials, or without proper access controls is considered vulnerable regardless of version.
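The criteria above can be applied to an asset inventory as a quick triage. The following is an added example, not code from Axion Core Technologies or ProcessMaker; the inventory field names, host names and version strings are constructed assumptions, and "proper access controls" is approximated here by whether SSO/MFA is enabled.

```python
# Added example: triage a ProcessMaker inventory against this advisory's criteria.
# Inventory fields and sample hosts are constructed assumptions, not a real schema.
import re

FIXED_VERSION = (3, 9, 3)  # from the advisory: earlier versions carry higher risk

def parse_version(text):
    """Return the leading dotted-numeric part as a tuple: '3.10.0-rc1' -> (3, 10, 0)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '3.9' to (3, 9, 0)

def assess(host):
    """List the advisory conditions this deployment meets; an empty list means none."""
    findings = []
    version = parse_version(host.get("version"))
    if version is None:
        findings.append("version unknown: treat as earlier than 3.9.3")
    elif version < FIXED_VERSION:  # numeric compare, so 3.10.0 is newer than 3.9.3
        findings.append("version earlier than 3.9.3")
    # These apply regardless of version. Missing data is counted as a finding.
    if host.get("internet_exposed", True):
        findings.append("external internet exposure")
    if host.get("default_admin_password", True):
        findings.append("default credentials")
    if not host.get("sso_mfa", False):
        findings.append("no SSO/MFA access control")
    return findings

def triage(inventory):
    return {h["name"]: assess(h) for h in inventory}

# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    {"name": "pm-branch-01", "version": "3.8.1", "internet_exposed": False,
     "default_admin_password": False, "sso_mfa": True},
    {"name": "pm-hq-01", "version": "3.10.0", "internet_exposed": True,
     "default_admin_password": False, "sso_mfa": True},
    {"name": "pm-dr-01", "version": "3.9.3", "internet_exposed": False,
     "default_admin_password": False, "sso_mfa": True},
    {"name": "pm-legacy", "internet_exposed": False},
]

if __name__ == "__main__":
    for name, findings in triage(INVENTORY).items():
        print(name, "VULNERABLE" if findings else "ok", "; ".join(findings))
```

Versions are compared as integer tuples because a plain string comparison would rank "3.10.0" below "3.9.3"; unknown fields fail closed so that incomplete inventory records are flagged rather than passed.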
Recommended Immediate Actions
1. Remove External Exposure
Ensure ProcessMaker is not accessible from the public internet. Restrict access to internal networks only, enforced via VPN or a zero-trust network access (ZTNA) gateway.
2. Change Default Credentials
Review and immediately rotate the password for the default admin account. Disable interactive logins for all service accounts and enforce the principle of least privilege across all ProcessMaker user accounts.
3. Upgrade to Latest Version
Update to ProcessMaker 3.9.3 or later. Organisations running version 3.9.3 or higher have significantly reduced exposure to the vulnerabilities currently being exploited.
4. Implement SSO and MFA
Configure Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for all ProcessMaker access, regardless of the version deployed.
5. SIEM and File Integrity Monitoring
Integrate all ProcessMaker application servers and associated database servers with your Security Information and Event Management (SIEM) and File Integrity Monitoring (FIM) solutions.
6. Review File Upload and Script Execution Controls
Implement strict validation of file uploads within workflows and disable execution of unauthorised scripts on the ProcessMaker server to prevent remote code execution.
7. Transaction Monitoring Integration
Ensure all transactions initiated through ProcessMaker are routed through the institution’s fraud monitoring systems to flag and contain suspicious financial activity in real time.
8. Privileged Access Management (PAM)
Onboard all generic, local, and domain accounts associated with ProcessMaker into a PAM solution to enforce controlled, audited access to privileged functions.
Architectural Review
Conduct an immediate review of your architectural diagram for all in-branch applications, identifying all points of connection, APIs, and integration with external systems. Any unnecessary external touchpoints should be removed or hardened.
Summary of Affected Systems
- ProcessMaker versions earlier than 3.9.3
- All Nigerian financial institutions using ProcessMaker for workflow management
- Branch banking systems integrated with ProcessMaker
Summary of Recommended Actions
- Immediately restrict ProcessMaker access to internal networks — remove all public internet exposure.
- Rotate all default and service account credentials.
- Upgrade to ProcessMaker 3.9.3 or later.
- Enable SSO and MFA for all ProcessMaker users.
- Integrate with SIEM and FIM for continuous monitoring.
- Onboard all associated accounts into a PAM solution.
- Review and restrict all ProcessMaker APIs and external integrations.
- Route all workflow-triggered transactions through fraud monitoring.