Weekly Threat Landscape Digest – Week 29

1. Microsoft SharePoint Server Zero‑Day Exploited in Targeted Attacks 

A critical vulnerability (CVE-2025-53770) in Microsoft SharePoint Server is being actively exploited in the wild. The flaw arises from the deserialization of untrusted data, allowing unauthenticated remote attackers to execute arbitrary code and gain full administrative privileges on unpatched on-premises SharePoint instances. SharePoint Online (Microsoft 365) is not affected.

Exploit Details

• CVE ID: CVE-2025-53770
• Type: Remote Code Execution via Deserialization
• CVSS Score: 9.8 (Critical)
• Attack Vector: Network (Unauthenticated)
• Affected Products: SharePoint Server 2016, 2019, Subscription Edition
• Exploitation: Confirmed active in the wild
• Impact: Arbitrary code execution, admin access, web shell installation, persistent backdoor access

Patch Status

• SharePoint Server Subscription Edition – Patch available (KB5002768)
• SharePoint Server 2019 – Patch available (KB5002754, Build 16.0.10417.20027)
• SharePoint Server 2016 – Patch pending; mitigations required

Detection Guidance

• Microsoft Defender AV:
  • Exploit:Script/SuspSignoutReq.A
  • Trojan:Win32/HijackSharePointServer.A
• Microsoft Defender for Endpoint Alerts:
  • Suspicious IIS worker process behavior
  • Web shell installation activity
  • HijackSharePointServer and SuspSignoutReq malware detections
• IOC: spinstall0.aspx (SHA-256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514)

Recommended Actions

1. Enable AMSI (Antimalware Scan Interface)
2. Ensure Microsoft Defender Antivirus is installed and real-time protection is active
3. If AMSI is not available, disconnect SharePoint Server from the internet
4. Monitor for indicators such as spinstall0.aspx and unusual outbound connections
5. Block external access to SharePoint servers at firewall level
6. Enable detailed SharePoint and process execution logging
7. Isolate any compromised systems and retain forensic evidence
8. Immediately rotate credentials for SharePoint, prioritizing service accounts

References
https://nvd.nist.gov/vuln/detail/CVE-2025-53770
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770

2. HPE Products Vulnerabilities – Multiple High-Severity Flaws Disclosed
   Hewlett Packard Enterprise (HPE) has released critical security updates addressing several high-severity vulnerabilities in its software components. The flaws affect Telco Service Orchestrator and AutoPass License Server, potentially allowing authentication bypass, SQL injection, remote code execution, information disclosure, and denial of service.

Exploit Summary

• Multiple CVEs with base scores ranging from 7.1 to 7.5 (High severity)
• Attackers could gain unauthorized access to databases, exfiltrate data, and disrupt services
• Remote exploitation possible in unpatched deployments

Key CVEs and Impact

• CVE-2025-37104
  • Affected: Telco Service Orchestrator < v5.2.1
  • Fixed: v5.2.1+
  • Impact: SQL Injection, Unauthorized Access
  • Score: 7.1 (High)
• CVE-2022-34917
  • Affected: Telco Service Orchestrator < v4.2.4
  • Fixed: v4.2.4+
  • Impact: Denial of Service (DoS)
  • Score: 7.5 (High)
• CVE-2022-37105 to CVE-2022-37107
  • Affected: AutoPass License Server < v9.18
  • Fixed: v9.18
  • Impact: Authentication Bypass, Remote Code Execution, Information Disclosure
  • Scores: 7.5, 7.3, 7.3 respectively

Recommended Actions

1. Apply HPE’s latest security updates for all impacted versions
2. Validate system configurations to eliminate exposure to known attack vectors
3. Monitor environments for abnormal access patterns or resource spikes
4. Review logs for indicators of SQL injection or service interruption
5. Isolate and patch legacy instances that may still be vulnerable

References
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04875en_us
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04900en_us
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04877en_us

3. Cisco Unified Intelligence Center – Arbitrary File Upload Vulnerability (CVE-2025-20274)

Cisco has released a security advisory addressing a vulnerability in the web-based management interface of Cisco Unified Intelligence Center. The flaw allows an authenticated remote attacker to upload and execute arbitrary files on the affected system, potentially achieving root-level privileges.

Vulnerability Details:

• CVE ID: CVE-2025-20274
• Severity: Medium (CVSS 6.3)
• Impact: Arbitrary File Upload → Command Execution → Potential Privilege Escalation (to root)
• Cause: Improper validation of uploaded files
• Precondition: Attacker must have valid credentials with at least Report Designer privileges
• Workaround: None available

Affected Products:

• Cisco Unified Intelligence Center (used in: Packaged CCE, Unified CCE, Unified CCX)
• Cisco Unified CCX (due to bundled Unified Intelligence Center)

Fixed Versions:

• Unified Intelligence Center:
  • 12.5 → Fixed in 12.5(1) SU ES05
  • 12.6 → Fixed in 12.6(2) ES05
  • 15 → Not vulnerable
• Unified CCX:
  • 12.5(1) SU3 and earlier → Migrate to fixed release
  • 15 → Not vulnerable

Recommended Actions:

• Upgrade to the fixed software versions as listed above
• Review access control policies to limit privileges to trusted accounts
• Monitor file system changes and command execution logs for anomalies

Reference:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuis-file-upload-UhNEtStm 

4. Cisco Identity Services Engine – Critical Unauthenticated RCE Vulnerabilities (CVE-2025-20281, CVE-2025-20282, CVE-2025-20337)

Cisco has disclosed multiple critical remote code execution (RCE) vulnerabilities affecting Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). These flaws allow unauthenticated attackers to execute arbitrary commands with root privileges on affected systems.

Vulnerability Overview:

• CVE-2025-20281: RCE via crafted API request exploiting insufficient input validation
• CVE-2025-20282: RCE via internal API allowing unauthorized file uploads
• CVE-2025-20337: Unauthenticated API RCE resulting in root-level command execution
• CVSS Score: 10.0 (Critical)
• Impact: Full system compromise, network control bypass, persistent access
• Exploitation: No chaining required; can be exploited independently
• Workaround: None available

Affected Versions:

• CVE-2025-20281 & CVE-2025-20337: Cisco ISE and ISE-PIC versions 3.3 and 3.4
• CVE-2025-20282: Cisco ISE and ISE-PIC version 3.4 only
• Not Affected: Cisco ISE/ISE-PIC 3.2 and earlier

Fixed Versions:

• 3.3: Patch 7 (fully remediates all 3 CVEs)
• 3.4: Patch 2
• 3.2 and earlier: Not vulnerable

Note: Previous hot patches (e.g., ise-apply-CSCwo99449) do not fully mitigate all vulnerabilities and should be replaced with full patch upgrades.

Recommended Actions:

• Immediately upgrade Cisco ISE/ISE-PIC to Patch 2 (v3.4) or Patch 7 (v3.3)
• Verify patch levels across all deployments
• Remove any reliance on outdated or incomplete hot patches

Reference:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6 

5. Atlassian Products – July 2025 Security Bulletin (20 High-Severity Vulnerabilities)

Atlassian has released its July 2025 security bulletin disclosing 20 high-severity vulnerabilities across multiple products, including Jira, Confluence, Bitbucket, Bamboo, Crowd, and Jira Service Management. These flaws stem from vulnerable third-party components and internal libraries.

The vulnerabilities impact key security areas such as Remote Code Execution (RCE), Denial of Service (DoS), Man-in-the-Middle (MITM) attacks, Cross-Site Scripting (XSS), and Broken Authentication and Session Management (BASM). Although these flaws are not part of Atlassian’s Critical Security Advisories, some reach CVSS scores up to 8.8, demanding immediate attention.

Affected Products and Highlights:

• Bamboo Data Center and Server
  • CVEs: CVE-2025-48734 (RCE, CVSS 8.8), CVE-2025-49146, CVE-2025-48976, CVE-2025-27820, CVE-2024-13009
  • Fixed Versions: 11.0.3, 10.2.6 (LTS), 9.6.15 (LTS)
• Bitbucket Data Center and Server
  • CVE: CVE-2025-46701 (Improper Authorization in tomcat-embed-core, CVSS 7.3)
  • Fixed Versions: 9.6.4, 9.4.8 (LTS), 8.19.20 (LTS)
• Confluence Data Center and Server
  • CVE: CVE-2025-27820 (MITM in httpclient5, CVSS 7.5)
  • Fixed Versions: 9.5.2, 9.2.6 (LTS)
• Crowd Data Center and Server
  • CVE: CVE-2017-1000034 (RCE in akka-actor, CVSS 8.1)
  • Fixed Version: 5.2.11
• Jira Data Center and Server
  • CVEs: CVE-2024-45801 (XSS), CVE-2025-27820 (MITM), CVE-2025-48988, CVE-2025-49125, CVE-2025-22228, CVE-2025-46701
  • Fixed Versions: 10.7.2, 10.3.8 (LTS), 9.12.25 (LTS)
• Jira Service Management Data Center and Server
  • CVEs: CVE-2025-48988, CVE-2025-49125, CVE-2025-22228, CVE-2025-46701
  • Fixed Versions: 10.7.2, 10.3.8 (LTS), 5.12.25 (LTS)

Recommended Actions:

• Upgrade all affected Atlassian products to the respective fixed versions immediately.
• Prioritize patching products with RCE and MITM vulnerabilities.
• Review dependencies for vulnerable libraries like httpclient5, akka-actor, and spring-security.

Reference:
https://confluence.atlassian.com/security/security-bulletin-july-15-2025-1590658642.html

6. VMware Products – Critical Privilege Escalation & RCE Vulnerabilities (VMSA-2025-0013)

Broadcom has issued a critical security advisory (VMSA-2025-0013) addressing four high-impact vulnerabilities in VMware ESXi, Workstation, Fusion, VMware Tools, and Cloud/Telco platforms. These flaws allow privilege escalation or arbitrary code execution on the host machine from within a guest virtual machine, affecting a wide range of VMware infrastructure.

Three vulnerabilities are rated CVSS 9.3 (Critical) and require immediate patching. No workarounds are available.

Key Vulnerabilities:

• CVE-2025-41236 – VMXNET3 Integer Overflow
  • Affects: VMXNET3 network adapter
  • Impact: Code execution on host from guest VM
  • Patched in: ESXi 7/8, Workstation 17.6.4, Fusion 13.6.4
• CVE-2025-41237 – VMCI Integer Underflow
  • Affects: Virtual Machine Communication Interface
  • Impact: Out-of-bounds write, sandbox escape
  • Patched in: All major platforms
• CVE-2025-41238 – PVSCSI Heap Overflow
  • Affects: PVSCSI controller
  • Impact: Code execution in host VMX process
  • Notes: Exploitable in unsupported VM configs
  • Patch available
• CVE-2025-41239 – vSockets Memory Leak
  • Affects: VMware Tools, ESXi, Fusion, Workstation
  • Impact: Info disclosure via uninitialized memory
  • Patched in: VMware Tools 13.0.1.0 / 12.5.3 (Windows)

Recommended Actions:

• Patch Immediately:
  • ESXi 8.0 → ESXi80U3f-24784735 / ESXi80U2e-24789317
  • ESXi 7.0 → ESXi70U3w-24784741
  • Workstation 17.x → 17.6.4
  • Fusion 13.x → 13.6.4
  • VMware Tools (Windows) → 13.0.1.0 or 12.5.3
  • Cloud Foundation → Apply async patches (KB88287)
• Restrict VM Admin Access: Exploitation requires local admin privileges.
• Test Before Rollout: Validate patches in staging before production deployment.

Reference:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877 

7. Grafana – High-Severity XSS and Open Redirect Vulnerabilities (CVE-2025-6023 & CVE-2025-6197)

Grafana Labs has released urgent security patches addressing two significant vulnerabilities impacting its observability platform. These flaws allow attackers to exploit Cross-Site Scripting (XSS) and Open Redirect weaknesses, potentially compromising user sessions and redirecting users to malicious websites.

Key Vulnerabilities:

• CVE-2025-6023 – XSS via Path Traversal & Open Redirect
  • Severity: High (CVSS 7.6)
  • Impact: Arbitrary JavaScript execution in a user’s browser through crafted URLs
  • Technique: Attackers trick users into clicking modified dashboard links that redirect to attacker-controlled domains
• CVE-2025-6197 – Open Redirect in Organization Switching
  • Severity: Medium (CVSS 4.2)
  • Impact: Redirects authenticated users to malicious domains
  • Note: Can be chained with CVE-2025-6023 in multi-tenant deployments

Affected Versions:

• Grafana 11.5.0 and above

Fixed Versions:

• 12.0.2+security-01
• 11.6.3+security-01
• 11.5.6+security-01
• 11.4.6+security-01
• 11.3.8+security-01

Recommended Actions:

• Upgrade immediately to one of the fixed versions listed above
• Warn users about potential phishing attempts using crafted Grafana dashboard links
• Monitor for suspicious redirect behavior in logs if running impacted versions

Reference:
https://grafana.com/blog/2025/07/17/grafana-security-release-medium-and-highseverity-fixes-for-cve-2025-6197-and-cve-2025-6023/

8. 7-Zip – Memory Corruption and Denial of Service Vulnerabilities (CVE-2025-53816 & CVE-2025-53817)

Two medium-severity vulnerabilities have been disclosed in 7-Zip versions prior to 25.0.0, posing stability and reliability concerns when processing specially crafted archive files. These issues, while not enabling remote code execution, can disrupt services and lead to crashes in automated environments.

Key Vulnerabilities:

• CVE-2025-53816 – Heap Memory Corruption via RAR5 Handler
  • Severity: Medium (CVSSv4 5.5)
  • Component: RAR5 archive handler
  • Issue: Improper memory zeroing due to arithmetic flaws in _lzEnd
  • Impact: Memory corruption and potential denial of service
• CVE-2025-53817 – Crash via Compound Document Format
  • Severity: Medium (CVSSv4 5.5)
  • Component: Compound Document handler
  • Issue: Crafted document files can crash the application
  • Impact: Denial of service and process disruption

Affected Versions:

• All versions prior to 7-Zip 25.0.0

Fixed Version:

• 7-Zip 25.0.0

Recommended Actions:

• Upgrade immediately to 7-Zip v25.0.0
• Avoid processing untrusted or externally sourced archive files with older versions
• Monitor systems for crashes or instability when handling RAR or compound formats

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-53816
https://nvd.nist.gov/vuln/detail/CVE-2025-53817

9. BIND 9 – Cache Poisoning & DNS Resolver Crash Vulnerabilities (CVE-2025-40776 & CVE-2025-40777)

Multiple high-severity vulnerabilities have been disclosed in BIND 9, a critical DNS component maintained by the Internet Systems Consortium (ISC). These flaws expose DNS resolvers to cache poisoning and service crashes under specific conditions.

Key Vulnerabilities:

• CVE-2025-40776 – ECS Birthday Attack Cache Poisoning
  • Severity: High (CVSS 8.6)
  • Affected Versions: BIND-S 9.11.3-S1 to 9.20.10-S1
  • Impact: Remote attackers can bypass cache protections and inject spoofed DNS responses
  • Mitigation: Disable ECS (EDNS Client Subnet) or upgrade to a fixed version
• CVE-2025-40777 – Assertion Failure in Serve-Stale Configuration
  • Severity: High (CVSS 7.5)
  • Affected Versions: BIND 9.20.0 to 9.20.10 and 9.21.0 to 9.21.9
  • Impact: Crafted queries can crash the DNS server if serve-stale-enable yes and stale-answer-client-timeout 0 are set
  • Mitigation: Adjust stale-answer configurations or upgrade to the latest secure release

Recommended Actions:

• Upgrade to latest patched versions of BIND 9
• If upgrade is not immediately possible:
  • Disable ECS for CVE-2025-40776
  • Reconfigure stale-answer settings for CVE-2025-40777

References:
https://kb.isc.org/docs/cve-2025-40776
https://kb.isc.org/docs/cve-2025-40777

10. Lenovo Vantage – Local Privilege Escalation Vulnerabilities (CVE-2025-6230, CVE-2025-6231, CVE-2025-6232)

Three high-severity local privilege escalation (LPE) vulnerabilities have been discovered in Lenovo Vantage, a device management tool pre-installed on many Lenovo systems. These flaws allow a local attacker to gain SYSTEM-level privileges, enabling complete system compromise.

Key Vulnerabilities:

• CVE-2025-6230 – SQLite SQL Injection
  • Exploitable flaw in local SQLite usage allows attackers to inject and manipulate database content, leading to code execution with elevated privileges.
• CVE-2025-6231 – Configuration File Tampering
  • Improper input validation in Lenovo Vantage configuration file handling can be exploited to trigger execution of malicious code.
• CVE-2025-6232 – Registry Key Abuse
  • Weak validation of Windows registry entries enables local attackers to modify keys and elevate privileges.

Impact:
Local attackers can gain full system access by exploiting these vulnerabilities, posing serious security and operational risks in enterprise environments using Lenovo systems.

Fixed Versions:

• Lenovo Vantage: 10.2501.20.0 or later
• Lenovo Commercial Vantage: 20.2506.39.0 or later

Recommended Actions:

• Update Lenovo Vantage and Commercial Vantage to the latest fixed versions immediately.
• Monitor systems for signs of unauthorized local access or tampering of SQLite, configuration, or registry files.

Reference:
https://support.lenovo.com/us/en/product_security/LEN-196648

11. Broadcom Symantec Endpoint Management – Critical Remote Code Execution (CVE-2025-5333)

A critical remote code execution (RCE) vulnerability has been discovered in Broadcom’s Symantec Endpoint Management Suite (Altiris). Tracked as CVE-2025-5333, the flaw affects the Inventory Rule Management (IRM) component, exposing a legacy .NET Remoting endpoint that allows unauthenticated remote attackers to execute arbitrary code.

Key Details:

• CVE: CVE-2025-5333
• CVSS v4.0 Base Score: 9.5 (Critical)
• Affected Versions: 8.6.x, 8.7.x, 8.8
• Attack Vector: Remote – unauthenticated
• Impact: Full system compromise via RCE
• Exploit Status: Confirmed exploitable in lab conditions

Root Cause:
The vulnerability is due to insecure deserialization in a legacy .NET Remoting endpoint (tcp://<host>:4011/IRM/HostedService), which attackers can target to gain SYSTEM-level access.

Vendor Guidance:

• Port 4011 is unnecessary – should be restricted.
• Access control: Limit endpoint access to localhost only.
• Upcoming releases: Future versions will deprecate/remediate .NET Remoting usage.

Recommended Actions:

• Block TCP port 4011 on host and network firewalls.
• Ensure port 4011 is not exposed to public or untrusted networks.
• Monitor Broadcom PSIRT for upcoming patches and apply updates immediately upon release.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-5333

12. Google Chrome – Actively Exploited Zero-Day (CVE-2025-6558)

Google has released a critical security update for Chrome Desktop (v138.0.7204.157/.158) to address six vulnerabilities, including a zero-day (CVE-2025-6558) that is being actively exploited in the wild.

Key Details:

• CVE: CVE-2025-6558
• Severity: High
• Component: ANGLE (Almost Native Graphics Layer Engine)
• Type: Improper input validation in GPU rendering
• Impact: Allows GPU-based code execution
• Exploit Status: Actively exploited in the wild
• Other Related CVEs:
  • CVE-2025-7656 – Integer overflow in V8
  • CVE-2025-7657 – Use-after-free in WebRTC

Fixed Versions:

• Windows & Mac: 138.0.7204.157/.158
• Linux: 138.0.7204.157

Impact:
Attackers can craft malicious rendering input to trigger arbitrary code execution via GPU processes, exploiting weaknesses in Chrome’s ANGLE component. When chained with other vulnerabilities, this poses a significant risk to user security.

Recommended Actions:

• Update Google Chrome to the latest secure version immediately on all platforms.
• Ensure Chrome auto-updates are enabled in enterprise environments.
• Monitor system behavior for signs of anomalous rendering or GPU-related crashes.

Reference:
https://chromereleases.googleblog.com/2025/07/stable-channel-update-fordesktop_15.html

13. NVIDIA – Multiple Vulnerabilities in Jetson, Container Toolkit, and DOCA (CVE-2025-23266, CVE-2025-23263, CVE-2025-23267, CVE-2025-23270, CVE-2025-23269)

NVIDIA has released security updates addressing multiple vulnerabilities, including one critical privilege escalation flaw (CVE-2025-23266). These flaws impact various products including the NVIDIA Container Toolkit, Jetson Linux, and DOCA/Mellanox OFED.

Key Vulnerabilities:

• CVE-2025-23266 – Critical flaw in NVIDIA Container Toolkit (CDI mode)
  • CVSS: 9.0 (Critical)
  • Impact: Privilege escalation, data tampering, information disclosure, DoS
  • Fixed in: Version 1.17.8
• CVE-2025-23263 – Flaw in DOCA Host/Mellanox OFED (VGT+ feature)
  • CVSS: 7.6 (High)
  • Impact: Escalation of privileges, VLAN DoS
  • Fixed in: DOCA 2.5.3/2.9.2/3.0.0 and OFED 5.8+, 23.10+, 24.10+
• CVE-2025-23267 – Vulnerability in updateldcache hook
  • CVSS: 8.5 (High)
  • Impact: Data tampering, denial of service
  • Fixed in: GPU Operator v25.3.1
• CVE-2025-23270 – Jetson UEFI side-channel exposure
  • CVSS: 7.1 (High)
  • Impact: Code execution, data tampering, info disclosure
  • Fixed in: JP6.x: v36.4.4
• CVE-2025-23269 – Kernel flaw in Jetson (transient execution side channel)
  • CVSS: 4.7 (Medium)
  • Impact: Information disclosure
  • Fixed in: JP5.x: v35.6.2

Recommendations:

• Apply latest patches and updates across affected platforms, including Container Toolkit, GPU Operator, Jetson Linux, DOCA, and Mellanox OFED.
• Follow NVIDIA’s mitigation guidance in case updates cannot be applied immediately.

References:

• https://nvidia.custhelp.com/app/answers/detail/a_id/5654
• https://nvidia.custhelp.com/app/answers/detail/a_id/5659
• https://nvidia.custhelp.com/app/answers/detail/a_id/5662

14. Oracle – July 2025 Critical Patch Update (309 Fixes Across 165 CVEs)

Oracle has released its July 2025 Critical Patch Update (CPU), delivering 309 security patches across 28 product families. This update includes critical and high-severity vulnerabilities, with several flaws allowing unauthenticated remote code execution (RCE).

 Key Highlights:

• Total CVEs: 165
• Patch Count: 309
• Severity Distribution:
  • Critical: 5 CVEs (9 total patches)
  • High: 144
  • Medium: 135
  • Low: 21

 Notable Vulnerabilities:

• Oracle Database, Middleware, Java SE: Multiple RCE vulnerabilities.
• Solaris Third-Party Components: Apache Tomcat (CVE-2025-31651, CVSS 9.8), Firefox, Thunderbird, and Perl vulnerabilities.

 Affected Products (Sample List):

• Oracle Database Server: 19.3–19.27, 21.3–21.18, 23.4–23.8
• Oracle Java SE: 8u451, 11.0.27, 17.0.15, 21.0.7, 24.0.1
• Oracle WebLogic Server: 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0
• Oracle Fusion Middleware, E-Business Suite, MySQL, VirtualBox, Siebel Applications, JD Edwards, Primavera, and multiple Oracle Communications products

 Recommendations:

• Review the Oracle CPU Advisory – July 2025
• Apply the latest patches immediately, prioritizing critical and remote-exploitable flaws.
• Share patching timelines and observations across teams and partner entities.

 Reference:

• https://www.oracle.com/security-alerts/cpujul2025.html

16. TrendMicro WFBSS Agent Vulnerabilities
    TrendMicro has issued a security advisory addressing multiple high-severity vulnerabilities in its Worry-Free Business Security Services (WFBSS) agent. These flaws, if left unpatched, may lead to unauthorized code execution, remote takeover, and compromise of system stability.

Vulnerability Details:

• CVE-2025-49154 – Insecure Access Control
  • CVSSv3.1: 8.7 (High)
  • Weakness: CWE-284
  • Impact: Local attackers could overwrite memory-mapped files, jeopardizing security and stability.
• CVE-2025-53378 – Missing Authentication for Critical Function
  • CVSSv3.1: 7.6 (High)
  • Weakness: CWE-306
  • Impact: Unauthenticated remote attackers could gain control over the agent.
  • Note: Only affects SaaS version (WFBSS), resolved in May 2025 release.
• CVE-2025-49487 – Uncontrolled Search Path Element
  • CVSSv3.1: 6.8 (Medium)
  • Weakness: CWE-427
  • Impact: Physical access could allow code execution via manipulated search paths.

Affected Versions:

• WFBS 10.0 SP1
• WFBSS 6.7 (SaaS)

Fixed Versions:

• WFBS: 10 SP1 Patch 2514
• WFBSS: 6.7.3954 / 14.3.1299 (May 2025 Monthly Release)

Recommendation:
Apply the latest available patches immediately. No action is needed for SaaS clients following the scheduled update cycle.

Reference:
TrendMicro Advisory – KA-0019936

17. ChromeOS Long-Term Support (LTS) Security Update
    Google has released a Long-Term Support (LTS) update for ChromeOS — version 132.0.6834.227 (Platform Version: 16093.109.0) — addressing multiple security vulnerabilities. These include a high-severity use-after-free flaw in the Chrome Profiler component and medium-severity issues affecting Blink, BFCache, and the V8 engine.

These vulnerabilities may allow attackers to execute arbitrary code, cause data corruption, or crash applications through crafted web content. Organizations using ChromeOS in critical or high-usage environments are advised to apply the update promptly.

Key Vulnerabilities:

• CVE-2025-6192 – Use-after-free in Profiler – High
• CVE-2025-5068 – Use-after-free in Blink – Medium
• CVE-2025-5281 – Inappropriate implementation in BFCache – Medium
• CVE-2025-6554 – Type Confusion in V8 – Medium

Fixed Version:

• ChromeOS: 132.0.6834.227 (Platform: 16093.109.0)

Recommendation:
Update all ChromeOS devices to the latest LTS version to mitigate risk.

Reference:
https://chromereleases.googleblog.com/2025/07/long-term-support-channel-updatefor.html

18. Keycloak Identity Provider (IdP) Login Vulnerability (CVE-2025-7365)
    A moderate severity vulnerability has been disclosed in Keycloak’s account merging process during Identity Provider (IdP) login. An authenticated attacker can exploit the “Review Profile” step to alter their email address to match that of a victim. This triggers a legitimate verification email to the victim without revealing the attacker’s email, creating a phishing scenario. If the victim clicks the link, the attacker can hijack the victim’s account.

Key Details:

• CVE: CVE-2025-7365
• Component: org.keycloak:keycloak-services (Maven)
• Affected Versions: < 26.3.0
• Fixed Version: 26.3.0
• Severity: 5.4 (Moderate)

Recommendation:
Update to Keycloak version 26.3.0 or later to mitigate this risk.

Reference:
https://github.com/advisories/GHSA-gj52-35xm-gxjh

19. Google Gemini Vulnerability Enables Stealth Phishing via Email Summaries
    A newly disclosed vulnerability in Google Gemini for Workspace allows attackers to hijack Gemini-generated email summaries and embed invisible phishing instructions. This method exploits how Gemini parses and summarizes email content by injecting hidden HTML/CSS-based directives into the email body. When Gemini processes the email to generate a summary, it incorporates the attacker’s message — making it appear legitimate and AI-authored.

This indirect prompt injection does not rely on traditional links or attachments, making it stealthy and harder to detect. If users trust and follow Gemini’s AI-generated summaries, they may unknowingly visit phishing sites or fall victim to voice phishing (vishing) attacks.

Attack Technique Highlights:

• Uses HTML/CSS tricks like white-font, zero-font, and off-screen text to inject prompts.
• Triggered when users ask Gemini to summarize unread emails.
• AI-generated summaries include the attacker’s manipulated message.
• Can lead to credential harvesting, voice phishing, or broader supply-chain risk (via newsletters or CRM email vectors).

Severity: Moderate (risk of credential compromise and supply chain spread)
Researcher Insight:

“Prompt injections are the new email macros… until LLMs gain robust context-isolation, every third-party text your model ingests is executable code.” — Marco Figueroa, 0DIN

Recommendations:

• Sanitize or ignore invisible/hidden HTML content before Gemini ingestion.
• Apply post-processing filters to Gemini outputs to flag urgent messages, links, or phone numbers.
• Treat LLM-based tools like Gemini as part of the attack surface — sandbox them and monitor their outputs.

Reference:
https://www.csoonline.com/article/4023032/google-gemini-vulnerability-enables-hidden-phishing-attacks.html

20. “Citrix Bleed 2” – Critical Info Disclosure Vulnerability Exploited in NetScaler Gateway and ADC (CVE-2025-5777)
    A critical out-of-bounds read vulnerability affecting Citrix NetScaler ADC and Gateway has been actively exploited in the wild. Tracked as CVE-2025-5777, this flaw—referred to as “Citrix Bleed 2”—impacts NetScaler devices configured as Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual servers.

Exploitation began weeks before public release of proof-of-concept (PoC) code, with Imperva reporting over 11.5 million exploitation attempts, heavily targeting the financial sector (40%). Security researcher Kevin Beaumont notes Citrix’s original mitigation instructions were insufficient, as session cookies from RDP, AAA, and LB services were still exposed post-upgrade.

Key Highlights:

• CVE-2025-5777 affects customer-managed NetScaler ADC and Gateway instances
• Initial exploitation detected by GreyNoise prior to PoC release
• Similar in nature to CVE-2023-4966 (Citrix Bleed)
• Expanded session termination is required beyond ICA and PCoIP

Affected Versions:

• NetScaler ADC and Gateway:
  • < 14.1-43.56
  • < 13.1-58.32
  • FIPS & NDcPP variants before 13.1-37.235 & 12.1-55.328

Fixed Versions:

• NetScaler Gateway: 14.1-43.56, 13.1-58.32
• NetScaler ADC: 14.1-43.56, 13.1-58.32, 13.1-37.235 (FIPS), 12.1-55.328 (FIPS)

Mitigation Steps:

• Upgrade all affected appliances to the latest fixed version
• Terminate all session types after upgrade:

Notes:

• Versions 12.1 and 13.0 are End-of-Life (EOL) and remain vulnerable
• Citrix-managed cloud services are not affected

References:

• https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420&articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_5349_and_CVE_2025_5777
• https://arcticwolf.com/resources/blog-uk/follow-up-updates-on-actively-exploited-information-disclosure-vulnerability-citrix-bleed-2-in-citrix-netscaler-adc-and-gateway/

21. North Korean “Contagious Interview” Campaign Evolves with XORIndex Malware Loader
    Researchers from Socket have uncovered a major expansion of the Contagious Interview campaign, attributed to North Korean threat actors, introducing a new multi-stage malware loader dubbed XORIndex. The campaign continues to target developers, crypto holders, and job seekers under the guise of legitimate job opportunities.

Key Observations:

• XORIndex has been downloaded over 9,000 times between June and July 2025.
• The loader is used to collect host telemetry, exfiltrate system data, and load second-stage malware (BeaverTail).
• BeaverTail targets cryptocurrency wallets by scanning wallet directories, Solana IDs, keychain credentials, and browser extension data.
• A third-stage backdoor, InvisibleFerret, is deployed in some infections for persistent access.
• XORIndex was found in 28 malicious npm packages, while others carried the previously known HexEval loader (8,000+ downloads).
• In total, 67 new malicious npm packages were identified, with 27 still live as of discovery.
• The packages were distributed through 18 npm accounts using 15 unique email addresses.

Attack Tactics:

• The campaign uses job platforms like LinkedIn to lure developers with fake offers.
• Malware is disguised as open-source dev tools and distributed via npm and GitHub.
• Packages are typically disguised as utility libraries to evade detection.
• Post-exfiltration, malware cleans up local traces to avoid forensic detection.

Attribution and Threat Context:

• Activity is attributed to Lazarus Group, a North Korean state-sponsored actor.
• The campaign reflects continued investment in software supply chain compromise and advanced obfuscation techniques.

Reference:
https://www.infosecurity-magazine.com/news/north-korean-contagious-interview/

22. Matanbuchus 3.0 Malware Delivered via Microsoft Teams Impersonation Attacks
    A new campaign has been uncovered leveraging Microsoft Teams impersonation to deliver the updated Matanbuchus 3.0 malware loader, a sophisticated Malware-as-a-Service (MaaS) platform. The loader, known for deploying Cobalt Strike, DanaBot, QakBot, and ransomware payloads, now includes stealth upgrades and remote execution capabilities.

Key Observations:

• Initial Access Vector: Attackers pose as IT helpdesk via Teams calls, urging victims to launch Quick Assist and run a malicious PowerShell script.
• The archive dropped includes:
  • A renamed Notepad++ updater (GUP)
  • A modified configuration XML
  • A malicious DLL (Matanbuchus loader)
• New Features in Version 3.0:
  • Enhanced in-memory execution, obfuscation, and C2 communication
  • Reverse shell support (CMD, PowerShell)
  • Ability to run DLL, EXE, and shellcode payloads
  • LOLBins support (regsvr32, rundll32, msiexec, process hollowing)
  • Advanced COM-based task scheduling and shellcode injection
  • Remote enumeration of processes, services, and installed applications
• Advertised pricing:
  • $10,000/month (HTTPS C2 version)
  • $15,000/month (DNS C2 version)

Tactics & Techniques:

• Social engineering via enterprise tools (Teams)
• Living-off-the-land binaries (LOLBins)
• COM hijacking & stealthy persistence
• Defense evasion & anti-analysis via in-memory execution and obfuscated shellcode

Attribution:

• Although not directly attributed, Black Basta-style tactics were noted.
• Fits the trend of MaaS groups expanding delivery via collaboration platforms like Teams and Zoom.

Reference:
https://thehackernews.com/2025/07/hackers-leverage-microsoft-teams-to.html