
The past week has been bustling with security notifications. Google is tackling yet another actively exploited zero-day in Chrome, while VMware has deployed crucial patches for its own array of vulnerabilities.

Furthermore, we will dissect the techniques behind a recent FortiWeb breach and examine the growing trend of intruders misusing Microsoft Teams for their operations. Stay informed on the most recent threats and countermeasures right here.

Vulnerabilities

Google Chrome Zero-Day Actively Exploited

Google has rolled out an urgent security update for its Chrome browser to remediate a critical zero-day vulnerability, CVE-2025-6558, that is currently being actively exploited. The flaw arises from erroneous input validation in the ANGLE and GPU components, as reported by Google’s own Threat Analysis Group.

The update elevates Chrome to version 138.0.7204.157/.158 for Windows and Mac, and 138.0.7204.157 for Linux. It also addresses two additional high-severity vulnerabilities: an integer overflow in the V8 JavaScript engine (CVE-2025-7656) and a use-after-free flaw in WebRTC (CVE-2025-7657). Due to the ongoing exploitation, users are firmly urged to update their browsers without delay.

Read more at: https://cybersecuritynews.com/chrome-0-day-vulnerability-exploited-wild/

Serious Vulnerabilities Discovered in VMware Products

On July 15, 2025, Broadcom revealed four major vulnerabilities impacting various VMware products, such as ESXi, Workstation, Fusion, and Tools. These defects, identified during the Pwn2Own hacking competition, could enable attackers to escape from virtual machines and execute code on the host system.

The most critical of these, CVE-2025-41236, represents an integer-overflow vulnerability in the VMXNET3 virtual network adapter, boasting a CVSS score of 9.3. Other severe flaws comprise an integer underflow in the Virtual Machine Communication Interface (VMCI) and a heap overflow in the PVSCSI controller. VMware has released patches to remedy these vulnerabilities, and administrators are encouraged to implement them swiftly.

Read more at: https://cybersecuritynews.com/vmware-esxi-and-workstation-vulnerabilities/

Node.js Addresses High-Severity Vulnerabilities on Windows

On July 15, 2025, the Node.js project announced security updates to rectify two high-severity vulnerabilities afflicting versions 20.x, 22.x, and 24.x. The most significant flaw, CVE-2025-27210, represents a path traversal vulnerability affecting Windows applications. It enables attackers to utilize reserved device names such as ‘CON’ or ‘PRN’ to circumvent path protection mechanisms. The second flaw, CVE-2025-27209, comprises a Hash Denial of Service (HashDoS) threat in the V8 engine. Developers are urged to upgrade their Node.js environments to mitigate these dangers.

Read more at: https://cybersecuritynews.com/windows-node-js-vulnerabilities/

Oracle’s July Update Resolves Over 300 Vulnerabilities

Oracle has launched its quarterly Critical Patch Update for July 2025, addressing 309 vulnerabilities throughout its product range. A substantial portion of these flaws, 127, can be exploited remotely without the need for user credentials. The update encompasses patches for nine critical-severity vulnerabilities. Key products affected include Oracle Database Server, MySQL, Java SE, and Fusion Middleware. Given the considerable quantity of high-severity and remotely exploitable issues, Oracle strongly advocates that customers implement the security patches without hesitation.

Read more at: https://cybersecuritynews.com/oracle-critical-security-update-july2025/

Vim Text Editor Prone to File Overwriting

A path traversal flaw, CVE-2025-53906, has been detected in the zip.vim plugin included with the Vim text editor. This medium-severity vulnerability permits an attacker to overwrite crucial files on a user’s system. The attack takes place when a user opens a specially crafted ZIP archive within Vim. The vulnerability impacts all versions prior to 9.1.1551. Vim has released a corrected version, and users are encouraged to upgrade to safeguard their systems.

Read more at: https://cybersecuritynews.com/vim-text-editor-vulnerability/

Google AI Uncovers and Prevents SQLite Zero-Day

In a significant development, Google revealed that its AI framework, “Big Sleep,” pinpointed a critical memory corruption flaw in the widely utilized SQLite database engine before it could be exploited. The vulnerability, CVE-2025-6965, could enable an attacker to induce an integer overflow by injecting malicious SQL commands. Google affirmed that the flaw was known to threat actors and was at immediate risk of being utilized in attacks. This event marks what Google considers the first instance of an AI agent forecasting and assisting in thwarting the exploitation of a zero-day vulnerability in the wild. The flaw impacts SQLite editions prior to 3.50.2.

Read further at: https://cybersecuritynews.com/sqlite-0-day-vulnerability/

Cisco Alerts about Significant Vulnerability in Identity Services Engine

Cisco has released a security notice concerning a severe vulnerability, CVE-2025-20337, in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). This flaw has the highest CVSS score of 10.0, as it enables an unauthorized, remote attacker to run arbitrary code with root-level privileges on an affected device. The vulnerability is associated with a specific API and arises from inadequate input validation. It affects ISE versions 3.3 and 3.4. Cisco has made software updates available and urges administrators to update their systems without delay, as no workarounds exist.

Read further at: https://cybersecuritynews.com/cisco-ise-vulnerability/

Unpatched SharePoint Zero-Day Exploited in Attacks

A pressing zero-day remote code execution (RCE) vulnerability in Microsoft SharePoint, CVE-2025-53770, is actively being exploited in attacks against on-premises servers. Microsoft has acknowledged the ongoing attacks, which started around July 18, 2025, and have reportedly compromised numerous servers. This flaw is a variant of a vulnerability showcased at the Pwn2Own hacking competition. As of now, no patch is available, but Microsoft is working on a security update. The vulnerability does not impact SharePoint Online clients.

Read further at: https://cybersecuritynews.com/sharepoint-0-day-rce-vulnerability-exploited/

CrushFTP Zero-Day Enables Server Takeover

A zero-day vulnerability in the CrushFTP enterprise file transfer server is currently being exploited, enabling attackers to obtain administrative privileges on servers. The vulnerability, CVE-2025-54309, is an insecure alternate channel flaw that can be exploited by a remote, unauthorized attacker. Exploitation was initially identified on July 18, 2025. CrushFTP suspects that the attackers discovered the vulnerability by reverse-engineering recent updates. The company has indicated that the latest versions of their software already incorporate a fix for this issue.

Read further at: https://cybersecuritynews.com/crushftp-0-day-vulnerability/

Threats

Ransomware Groups Broaden Attacks to Linux and VMware Platforms

Ransomware groups are strategically redirecting their focus from Windows to target Linux and VMware environments, which are common in enterprise and cloud setups. Linux supports the majority of public cloud workloads as well as leading web servers, prompting cybercriminals to design specialized ransomware aimed at these systems.

Groups such as Pay2Key and Helldown are upgrading their tools to focus on Linux, while others are employing advanced “fileless” strategies that are difficult to detect. These techniques use legitimate system tools to run malicious code directly in memory, circumventing traditional antivirus measures that often lack efficacy on non-Windows systems. This shift in tactics underscores a significant gap in the security of cloud and DevOps environments.

New “Dark 101” Ransomware Disables Restoration Tools

A recently identified ransomware variant called “Dark 101” features a weaponized .NET binary designed to undermine system recovery options. This malware encrypts user files and subsequently takes actions to hinder system restoration by disabling Windows recovery modes and restricting access to the Task Manager. To evade detection, Dark 101 employs tactics such as imitating legitimate system processes and delaying execution to mislead automated sandbox evaluations. Typically, the attackers demand a ransom of approximately $1500 in Bitcoin for file decryption.

Albemarle County Faces Severe Ransomware Attack

A ransomware incident in Albemarle County, Virginia, has compromised sensitive personal data regarding county residents, local government employees, and public school personnel. The breach has exposed information including names, Social Security numbers, driver’s license numbers, and passport information. This attack, which occurred in June, also led to substantial disruptions in the county’s phone and IT systems. In response, officials have informed the FBI and are providing affected individuals with 12 months of complimentary identity monitoring services.

“Dark Partners” Hacking Group Drains Cryptocurrency Wallets via Fraudulent Sites

A cybercrime operation named Dark Partners is utilizing an extensive network of over 250 malicious websites to pilfer cryptocurrency. These sites masquerade as authentic AI tools, VPN services, and software brands, deceiving users into downloading infostealer malware. The group deploys various malware types for different operating systems, utilizing Poseidon Stealer on macOS and PayDay Loader on Windows systems to exfiltrate crypto wallet data and other sensitive credentials.

Chinese State-Sponsored Hackers Infiltrate US National Guard

The U.S. Department of Homeland Security has confirmed that a Chinese state-sponsored hacking collective, known as Salt Typhoon, remained undetected within the network of the U.S. Army National Guard for nine months. Throughout this period, the attackers obtained sensitive data, including administrator credentials, network diagrams, and personally identifiable information (PII) of service members. The group is part of a broader coalition tasked with infiltrating U.S. critical infrastructure to establish positions for potential future conflicts.

Infostealers Distributed via Cracked Software

Cybercriminals are often disseminating information-stealing malware by bundling it with pirated software and key generators (“cracks”). Individuals attempting to utilize this software are frequently advised to disable their antivirus systems, thereby creating an opportunity for malware such as RedLine Stealer and RisePro to infiltrate their devices undetected. Once installed, these infostealers are devised to collect sensitive information such as passwords, financial data, and cryptocurrency wallet credentials.

Hackers Weaponize SVG Files to Bypass Security


Malicious actors are progressively utilizing Scalable Vector Graphics (SVG) files as a conduit for cyber offenses. Since SVG files may encompass scripts and are frequently regarded as mere images, they can circumvent email security filters that block more dubious file types. Perpetrators embed harmful JavaScript within these files, a method termed “HTML smuggling,” to deliver malware such as the Agent Tesla Keylogger and XWorm RAT. When a target opens the compromised SVG file in a web browser, the embedded script activates, usually initiating a download of the harmful payload.

Cyber Offenses

North Korean Cybercriminals Employ Counterfeit Zoom Invitations to Target Cryptocurrency Firms

Cybercriminals associated with North Korea are employing intricate social engineering strategies, including fraudulent Zoom meeting invitations and AI-generated deepfakes, to infiltrate employees at cryptocurrency and Web3 enterprises. The aim is to mislead victims into installing malware, such as the “NimDoor” backdoor for macOS, crafted to seize cryptocurrency and other confidential information. The attack sequence often initiates with a deceptive message on platforms like Telegram or a phony Calendly invitation, which directs the target to a fake Zoom meeting where they are coerced into installing a malicious “update” or “extension.”

Read more at: https://cybersecuritynews.com/north-korean-hackers-using-fake-zoom-invites/

Harmful NPM Packages Associated with North Korean “Contagious Interview” Initiative

North Korean threat actors have broadened their “Contagious Interview” initiative by releasing numerous harmful packages on the npm (Node Package Manager) registry. Recently, 67 new packages were uncovered, engineered to compromise developer systems and siphon data, with a particular emphasis on cryptocurrency wallets. These supply chain attacks often exploit social engineering, with hackers masquerading as recruiters on professional networking platforms like LinkedIn to engage with software developers. The harmful packages utilize multi-layered, obfuscated JavaScript to download and execute additional damaging payloads from remote servers.

Read more at: https://cybersecuritynews.com/north-korean-hackers-weaponized-67-malicious-npm-packages/

Japanese Corporations Under Assault in Extensive Cyberattacks

Japanese companies have recently become targets of major cyber assaults. In one operation, 46 companies and organizations, including prominent entities like Japan Airlines and MUFG Bank, suffered from distributed denial-of-service (DDoS) attacks. In another extensive incident, the “WannaCry” ransomware affected approximately 600 Japanese firms, compromising around 2,000 computers at establishments such as Hitachi and Nissan.

Read more at: https://cybersecuritynews.com/new-attack-targeting-japanese-companies/

Severe Fortinet FortiWeb Vulnerability Under Active Exploitation

A critical SQL injection weakness in Fortinet’s FortiWeb web application firewall (WAF) is being actively exploited by attackers. The flaw, marked as CVE-2025-25257, carries a severity rating of 9.6 out of 10 and allows an unauthenticated attacker to execute unauthorized code or commands remotely. Following its discovery, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, highlighting the immediate necessity for patching. The public release of proof-of-concept (PoC) code has hastened the weaponization of this exploit.

Read more at: https://cybersecuritynews.com/fortinet-fortiweb-instances-hacked/ and https://cybersecuritynews.com/cisa-fortinet-fortiweb-vulnerability/

Microsoft Teams Calls Manipulated to Distribute Ransomware

Cybercriminals are now exploiting Microsoft Teams calls as a pathway to deliver the Matanbuchus ransomware loader. In these incidents, threat actors impersonate IT support staff during Teams video calls and utilize social engineering to convince victims to run harmful PowerShell scripts via the Quick Assist feature. This tactic cleverly evades traditional email security filters by taking advantage of the inherent trust users have in business collaboration tools. The latest version, Matanbuchus 3.0, functions as an advanced Malware-as-a-Service (MaaS) platform.

Read more at: https://cybersecuritynews.com/teams-call-weaponized-to-deploy-matanbuchus-ransomware/

CitrixBleed 2 Vulnerability Actively Exploited

A significant memory disclosure vulnerability known as “CitrixBleed 2” (CVE-2025-5777) is impacting Citrix NetScaler ADC and Gateway systems and is actively being exploited in the field. The flaw enables cybercriminals to seize active user sessions and steal credentials without authentication. Signs indicate exploitation commenced in mid-June, with at least 100 organizations already compromised while thousands of additional instances remain vulnerable. CISA has added this flaw to its KEV catalog, necessitating immediate patching for federal agencies.

Read more at: https://cybersecuritynews.com/citrixbleed-2-vulnerability-exploited-2/

DNS Vulnerabilities Pose “Nation-State Level Spying” Threats

Security analysts have uncovered a new class of vulnerabilities among prominent DNS-as-a-Service (DNSaaS) providers that could allow attackers to carry out “nation-state level spying” on corporate networks. By merely registering a domain, attackers can take control of a provider’s nameserver to intercept internal dynamic DNS traffic from thousands of entities, including Fortune 500 firms and government bodies. The intercepted information contains sensitive data such as computer names, employee details, and internal IP addresses, which could be exploited to map and breach networks.

Read more at: https://cybersecuritynews.com/dns-blind-spots-exploited/

Microsoft Entra ID Vulnerability Enables Privilege Escalation

A significant flaw has been identified in Microsoft Entra ID (formerly known as Azure Active Directory) that allows a user with existing privileged access to escalate their permissions, becoming a Global Administrator. This would provide the attacker with complete control over an organization’s entire cloud infrastructure, including access to emails and all applications connected to Azure. The vulnerability arises from shortcomings in the platform’s authentication systems and role-based access control (RBAC), which can be exploited by manipulating API requests to bypass security measures.

Read more at: https://cybersecuritynews.com/microsoft-entra-id-vulnerability-escalate-privileges/
