We are delighted to share this week's AKP Corporate & Compliance Weekly Digest. Please feel free to write to us with your feedback at info@akandpartners.in.
1. Labour Law
1.1. Shram Shakti Niti sets NCS-DPI and universal social security roadmap
India's new labour policy repositions the Ministry of Labour & Employment (MoLE) as an Employment Facilitator and makes the National Career Service (NCS) a Digital Public Infrastructure (DPI) for job matching, credential verification and skill alignment, backed by a unified Labour & Employment Stack and District Labour Resource Centres (DLRCs) as single-window hubs; the framework targets 7 (seven) objectives: universal and portable social security via a Universal Social Security Account (USSA) integrating Employees' Provident Fund Organisation (EPFO), Employees' State Insurance Corporation (ESIC), Pradhan Mantri Jan Arogya Yojana (PM-JAY) and e-Shram; stronger Occupational Safety and Health (OSH) with risk-based inspections; employment readiness and women-youth empowerment; easier compliance and formalisation; technology and green transitions; and convergence with cooperative federalism, delivered through 3 (three) phases (2025–27 setup and pilots, 2027–30 nationwide rollout, beyond 2030 consolidation) and monitored by real-time dashboards, a national evaluation index and an Annual National Labour Report to Parliament.
1.2. Odisha: Women permitted to work night shifts
The Odisha cabinet approved two ordinances amending the state's Shops and Establishments Act and its Factories Act; the amendments include allowing women to work night shifts in all factory types and simplifying compliance burdens.
2. Stock Exchanges
2.1. CDSL flags UNSC update on Terror Sanction List
Central Depository Services (India) Limited ("CDSL") informed Depository Participants ("DPs") that the United Nations Security Council (UNSC) Sanctions Committee updated the lists to include ISIL (Da'esh) and Al-Qaida entries (QDi.065 Abd El Kader Mahmoud Mohamed El Sayed and QDi.187 Aris Sumarsono), and directed compliance with the Central Government Order under the Unlawful Activities (Prevention) Act, 1967, including immediate screening of existing and new accounts against updated lists, adherence to Securities and Exchange Board of India ("SEBI") Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) norms, electronic routing of delisting requests to the Ministry of Home Affairs (MHA) with a copy to the Ministry of External Affairs (MEA), and use of the United Nations Ombudsperson mechanism, while advising stakeholders to monitor the "UNSC Sanctions Committee List" tab on SEBI's website for further updates.
2.2. NSE deletes retrospective rule on treating missing pre-order evidence as unauthorised trades
National Stock Exchange of India Limited ("NSE") issued Inspection Circular Ref. 61/2025 deleting, with retrospective effect, the Schedule I(B) 63 observation in Exchange Circular dated July 5, 2024 that had deemed non-maintenance or non-production of pre-order placement evidence as unauthorised trades subject to penalty, while stating that all other provisions remain unchanged and advising Trading Members to take note.
2.3. NSE revises penalty review and appeals process
NSE set a dual review pathway for penalty review, appeal or waiver requests, retaining Member Committee ("MC") review for actions taken by the Exchange and routing challenges to MC decisions from meetings held after September 19, 2025 to a Governing Board mechanism for Market Infrastructure Institutions (MII) comprising Public Interest Directors (PIDs) and independent external professionals, with filings due within 45 (forty-five) days of the Original Order or Action Letter via the Member Portal and subject to a non-refundable fee of INR 10,000 (Indian Rupees Ten Thousand only) plus Goods and Services Tax (GST), while incomplete or late requests will not be considered.
2.4. BSE sets SOP for penalty reviews, appeals and waivers
Bombay Stock Exchange Limited ("BSE") issued a Standard Operating Procedure (SOP) for review, appeal or waiver of penalties arising from decisions of the MC; the SOP applies to actions decided from September 19, 2025 and requires a non-refundable fee of INR 10,000 (Indian Rupees Ten Thousand only) per request, with filings to be emailed to Waiver-Review@bseindia.com along with complete evidence, and any submissions to other addresses not considered, with Enforcement contacts provided for queries.
2.5. BSE mandates RBS submissions; penalties for delay
BSE directed Trading Members ("TMs") to file Risk Based Supervision (RBS) data for April 1, 2025 to September 30, 2025 by November 30, 2025 through the BSE Electronic Filing System (BEFS) under "Risk Based Supervision" only, with the portal opening on October 15, 2025; filing is mandatory for any TM that executed at least 1 (one) trade in the period and will be shared with SEBI, and delays attract graded action: within 5 (five) days after the due date, INR 10,000 (Indian Rupees Ten Thousand only); after 5 (five) but within 15 (fifteen) days, INR 10,000 (Indian Rupees Ten Thousand only) plus INR 2,000 (Indian Rupees Two Thousand only) per day from the 6th (sixth) to the 15th (fifteenth) day; after 15 (fifteen) days, a bar on registering new clients until submission to all exchanges; after 45 (forty-five) days, disablement of trading terminals across exchanges after 2 (two) weeks' notice, with the highest risk rating applied where data is not submitted.
2.6. NSDL updates Auto-Pledge flow for MTF/CUSPA
National Securities Depository Limited (NSDL) revised the Auto-Pledge process so securities received from a clearing or trading member pool for margin trading facility (MTF) and client unpaid securities pledge account (CUSPA) now move directly into the client's demat account as pledge-transit and then pledge balance, eliminating the interim credit as free balance; the circular, effective from close of business on the same date, also introduces new booking-narration codes mapped to International Organization for Standardization (ISO) tags and instructs participants to implement corresponding back-office changes, alongside a reminder of forthcoming compliance deadlines.
2.7. NSDL caps successive cyber audits at 3 with 1-year cooling-off
NSDL issued a corrigendum to its cyber-audit circular clarifying that an auditor or audit firm may conduct a maximum of 3 (three) successive audits of a Participant, may be re-appointed only after a cooling-off period of 1 (one) year, and must not have undertaken any consulting engagement with any departments or units of the Participant in the preceding 3 (three) years; the update references the SEBI cyber framework and reminds Participants to note forthcoming compliance timelines.
2.8. CDSL clarifies KYC uploads to KRA
CDSL reminded DPs to upload scanned Know Your Client ("KYC") documents to KYC Registration Agency ("KRA") systems in accordance with the SEBI KYC Registration Agency (Amendment) Regulations, 2013, reiterating that Regulation 15 (fifteen) and Regulation 16 (sixteen) remain applicable, intermediaries must perform initial KYC and due diligence, upload authenticated KYC information with scanned images, retain physical KYC documents, and furnish physical documents or authenticated copies to the KRA on request, while directing DPs to ensure compliance.
3. Information Technology
3.1. CERT-In flags critical Sudo privilege escalation
Indian Computer Emergency Response Team ("CERT-In") issued Vulnerability Note CIVN-2025-0238 on a CRITICAL flaw in Sudo prior to version 1.9.17p1 that lets a local user with limited Sudo rights gain root by abusing the chroot (-R) option, risking full system compromise; CERT-In notes active exploitation and advises immediate vendor patches via the official Sudo advisories.
3.2. CERT-In warns of Ivanti EPMM RCE exploited in the wild
CERT-In issued Vulnerability Note CIVN-2025-0240 on a High-severity Remote Code Execution (RCE) flaw in Ivanti Endpoint Manager Mobile (EPMM) due to improper input validation and unsafe handling of Java Expression Language in certain application programming interface endpoints, affecting versions 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, and 12.5.0.0 and prior; the issue, tracked as Common Vulnerabilities and Exposures ("CVE") CVE-2025-4428, is being exploited in the wild and risks system compromise and service disruption, with CERT-In advising immediate updates per Ivanti's security advisory.
3.3. CERT-In flags high-severity Microsoft Edge (Chromium) flaws
CERT-In issued Vulnerability Note CIVN-2025-0241 warning that Microsoft Edge (Chromium-based) versions prior to 140.0.7339.208 contain multiple bugs in the V8 engine that could enable sensitive data disclosure and arbitrary code execution via integer overflow and side-channel leakage; the severity is High, affected users include all end-user organisations and individuals, and the advisory cites Microsoft's security updates and CVE-2025-10890, CVE-2025-10891 and CVE-2025-10892, with remediation by applying the vendor's latest release.
3.4. CERT-In warns of XSS in Zimbra Collaboration Suite
CERT-In issued Vulnerability Note CIVN-2025-0242 on a High-severity cross-site scripting (XSS) flaw in Zimbra Collaboration Suite (ZCS) where insufficient sanitisation of iCalendar (ICS) content lets malicious JavaScript run in a user's session, risking account takeover and data exfiltration; affected builds include Kepler before 9.0.0 P44 and Daffodil before 10.0.13 and 10.1.5, the issue is tracked as CVE-2025-27915 and is being exploited in the wild, and administrators should apply the vendor's security fixes without delay.
3.5. CERT-In warns of critical Oracle E-Business Suite RCE
CERT-In issued Vulnerability Note CIVN-2025-0243 on an unauthenticated remote code execution flaw in Oracle E-Business Suite versions 12.2.3–12.2.14, noting active exploitation and advising urgent patching per Oracle's security alert.
3.6. CERT-In flags critical CrushFTP authentication bypass
CERT-In warned of a CRITICAL authentication bypass in CrushFTP affecting version 10 prior to 10.8.5 and version 11 prior to 11.3.4_23, attributed to a Demilitarized Zone (DMZ) proxy failure and improper Applicability Statement 2 (AS2) validation that can be triggered via crafted requests to the Web Interface function endpoint; risks include information disclosure and full system compromise, and administrators should upgrade to the fixed releases immediately and follow the vendor's mitigation guidance listed in the advisory.
3.7. CERT-In warns of CRITICAL Redis RCE
CERT-In issued Vulnerability Note CIVN-2025-0246 on a CRITICAL remote code execution (RCE) flaw dubbed "RediShell" in Redis versions 8.2.1 (eight point two point one) and prior, arising from a use-after-free memory corruption that can be triggered via a crafted Lua script to manipulate the garbage collector, enabling authenticated access and arbitrary code execution; CERT-In assesses high risk of sensitive data disclosure and system compromise and advises immediate updates per the vendor's advisory referenced in the note, which tracks the issue as CVE-2025-49844.
3.8. CERT-In warns of XSS in Cisco Unified CM/SME
CERT-In issued Vulnerability Note CIVN-2025-0248 on a Medium-severity cross-site scripting (XSS) flaw in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) that could let an authenticated remote attacker inject malicious code via the web management interface, risking data manipulation and service disruption; CERT-In references Cisco's advisory, tracks the issue as Common Vulnerabilities and Exposures (CVE) CVE-2025-20361, and advises prompt vendor updates.
3.9. CERT-In warns of High-severity Chrome desktop vulnerabilities
CERT-In issued Vulnerability Note CIVN-2025-0250 on multiple flaws in Google Chrome for Desktop prior to 141.0.7390.65/.66 on Windows and macOS and prior to 141.0.7390.65 on Linux that could enable remote code execution, denial of service (DoS) and information disclosure; the note cites a heap buffer overflow in Sync, a use-after-free in Storage and an out-of-bounds read in WebCodecs, rates the severity as High, lists CVE-2025-11211, CVE-2025-11458 and CVE-2025-11460, and advises an immediate update to the fixed Stable Channel build.
3.10. CERT-In warns of SAP NetWeaver Visual Composer vulnerability exploit
CERT-In issued Advisory CICA-2025-3449 on a "Missing authorisation check" flaw in SAP NetWeaver (Visual Composer development server) VCFRAMEWORK 7.50 (seven point five zero) that lets attackers upload malicious binaries, risking complete system compromise; the issue is tracked as Common Vulnerabilities and Exposures (CVE) CVE-2025-31324, is being actively exploited, and administrators should apply the vendor's security updates referenced in SAP's security notes page without delay.
3.11. CERT-In flags high-severity flaws in Red Hat JBoss Middleware
CERT-In issued Vulnerability Note CIVN-2025-0251 warning that multiple vulnerabilities in Red Hat JBoss Middleware could enable HTTP request smuggling or cause Denial-of-Service ("DoS"); attributed to improper buffer-size validation, a flaw in Eclipse Jetty's Hypertext Transfer Protocol ("HTTP") Version 2 implementation, and incorrect parsing of chunk extensions, the advisory assesses high risk of unauthorised access, data exposure, manipulation, and service disruption, and recommends immediate application of vendor fixes per Red Hat security advisory RHSA-2025:17567.
3.12. CERT-In issues Medium-severity OpenSSL advisory
CERT-In issued Vulnerability Note CIVN-2025-0252 on multiple flaws in OpenSSL versions 1.0.2, 1.1.1 and 3.0–3.5 that may enable remote code execution, DoS, or disclosure of sensitive information; the weaknesses include an out-of-bounds read and write in RFC 3211 Key Encryption Key (KEK) unwrap, a timing side-channel in the SM2 algorithm on 64-bit ARM, and an out-of-bounds read in HTTP client no_proxy handling, with risk rated Medium and impact spanning all user groups, and the note advises prompt application of the vendor's security updates.
3.13. CERT-In warns of critical XXE in SysAid On-Prem
CERT-In issued Vulnerability Note CIVN-2025-0239 on a CRITICAL XML External Entity (XXE) flaw in SysAid On-Premises (On-Prem) versions 23.3.40 and earlier that allows remote attackers to read files and potentially gain administrative privileges; tracked as CVE-2025-2776 and noted as exploited in the wild, the advisory flags risk of sensitive data disclosure, full system compromise and service disruption, and urges immediate patching via the vendor's updates.
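The notes in items 3.1 to 3.13 quote affected-version bounds in two different shapes ("prior to X" excludes X; "X and prior" includes it) and in several version formats, which is where inventory checks usually go wrong. As an added example that is not part of this digest or of CERT-In's notes, the Python below encodes a subset of those bounds and compares a constructed inventory against them; the product keys, the branch field and the sample inventory are assumptions for the example.

```python
import re
from dataclasses import dataclass

def version_key(version: str) -> tuple:
    """Comparable tuple for the version formats quoted in the digest: dotted numbers,
    patch suffixes (1.9.17p1), build suffixes (11.3.4_23), spaced levels (9.0.0 P44)."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)

@dataclass(frozen=True)
class Rule:
    product: str
    branch: str      # release line the bound applies to ("" = every line)
    bound: str       # version quoted in the advisory
    inclusive: bool  # True for "X and prior", False for "prior to X"
    ref: str         # CERT-In note (or digest item) the bound comes from

    def applies(self, installed: str) -> bool:
        v, b = version_key(installed), version_key(self.branch)
        if v[:len(b)] != b:  # different release line: this rule says nothing
            return False
        bound = version_key(self.bound)
        return v <= bound if self.inclusive else v < bound

# Bounds copied from the CERT-In items above; the rule list itself is constructed here.
RULES = [
    Rule("sudo", "", "1.9.17p1", False, "CIVN-2025-0238"),
    Rule("ivanti-epmm", "12.3", "12.3.0.1", True, "CIVN-2025-0240"),
    Rule("ivanti-epmm", "12.4", "12.4.0.1", True, "CIVN-2025-0240"),
    Rule("zimbra", "9.0.0", "9.0.0 P44", False, "CIVN-2025-0242"),
    Rule("crushftp", "11", "11.3.4_23", False, "digest item 3.6"),
    Rule("redis", "", "8.2.1", True, "CIVN-2025-0246"),
    Rule("chrome-linux", "", "141.0.7390.65", False, "CIVN-2025-0250"),
    Rule("sysaid-onprem", "", "23.3.40", True, "CIVN-2025-0239"),
]

def check_inventory(inventory: dict) -> dict:
    """Map each installed product to the advisory refs whose bound it falls under."""
    findings = {}
    for product, installed in inventory.items():
        refs = sorted({r.ref for r in RULES if r.product == product and r.applies(installed)})
        if refs:
            findings[product] = refs
    return findings

# Constructed sample inventory, not real hosts: sudo is one patch level short,
# Ivanti 12.3.0.2 is above its bound, Redis sits exactly on an inclusive bound.
SAMPLE_INVENTORY = {"sudo": "1.9.17", "ivanti-epmm": "12.3.0.2", "zimbra": "9.0.0 P43",
                    "redis": "8.2.1", "crushftp": "11.3.4_23"}
print(check_inventory(SAMPLE_INVENTORY))
```

Only a subset of the digest's bounds is encoded; adding the remaining items (Edge, the other Ivanti and Zimbra lines, CrushFTP 10) is a matter of appending rules with the branch set to the release line the note names.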
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.