Cyber Web Spider Blog – News
Chrome 0-Day, VMware Flaws Patched, Fortiweb Hack, Teams Abuse, and More

Posted on July 20, 2025 By CWS

It has been a busy seven days for security alerts. Google is addressing another actively exploited zero-day in Chrome, and VMware has rolled out key patches for its own set of vulnerabilities.

We will also break down the methods behind a new FortiWeb hack and discuss the growing trend of attackers abusing Microsoft Teams for their campaigns. Get up to speed on the latest threats and defenses right here.

Vulnerabilities

Google Chrome Zero-Day Under Active Exploitation

Google has issued an emergency security update for its Chrome browser to address a critical zero-day vulnerability, CVE-2025-6558, that is being actively exploited in the wild. The flaw, which stems from incorrect input validation in the ANGLE and GPU components, was reported by Google's own Threat Analysis Group.

The update brings Chrome to version 138.0.7204.157/.158 for Windows and Mac, and 138.0.7204.157 for Linux. It also patches two other high-severity vulnerabilities: an integer overflow in the V8 JavaScript engine (CVE-2025-7656) and a use-after-free vulnerability in WebRTC (CVE-2025-7657). Because of the active exploitation, users are strongly urged to update their browsers immediately.

Read more at:

Critical Vulnerabilities Found in VMware Products

On July 15, 2025, Broadcom disclosed four critical vulnerabilities affecting a range of VMware products, including ESXi, Workstation, Fusion, and Tools. These flaws, discovered during the Pwn2Own hacking competition, could allow attackers to escape from virtual machines and execute code on the host system.

The most severe of these, CVE-2025-41236, is an integer-overflow vulnerability in the VMXNET3 virtual network adapter with a CVSS score of 9.3. Other critical flaws include an integer underflow in the Virtual Machine Communication Interface (VMCI) and a heap overflow in the PVSCSI controller. VMware has released patches to address the vulnerabilities, and administrators are advised to apply them promptly.

Read more at:

Node.js Patches High-Severity Flaws on Windows

The Node.js project released security updates on July 15, 2025, to fix two high-severity vulnerabilities impacting versions 20.x, 22.x, and 24.x. The most notable flaw, CVE-2025-27210, is a path traversal vulnerability that affects Windows-based applications. It allows attackers to use reserved device names like 'CON' or 'PRN' to bypass path protection mechanisms. The second vulnerability, CVE-2025-27209, is a Hash Denial of Service (HashDoS) risk in the V8 engine. Developers are advised to update their Node.js environments to mitigate these risks.

Read more at:

Oracle's July Update Fixes Over 300 Vulnerabilities

Oracle has released its quarterly Critical Patch Update for July 2025, addressing 309 vulnerabilities across its product suite. A significant portion of these flaws, 127, can be exploited remotely without requiring user credentials. The update includes patches for nine critical-severity flaws. Key products affected are Oracle Database Server, MySQL, Java SE, and Fusion Middleware. Given the large number of high-severity and remotely exploitable bugs, Oracle strongly recommends that customers apply the security patches without delay.

Read more at:

Vim Text Editor Vulnerable to File Overwriting

A path traversal vulnerability, CVE-2025-53906, has been discovered in the zip.vim plugin bundled with the Vim text editor. This medium-severity flaw allows an attacker to overwrite sensitive files on a user's system. The attack occurs when a user opens a specially crafted ZIP archive inside Vim. The vulnerability affects all versions prior to 9.1.1551. Vim has released a patched version, and users are advised to upgrade to protect their systems.

Read more at:

Google AI Discovers and Foils SQLite Zero-Day

In a notable development, Google announced that its AI framework, "Big Sleep," identified a critical memory corruption flaw in the widely used SQLite database engine before it could be exploited. The vulnerability, CVE-2025-6965, could allow an attacker to trigger an integer overflow by injecting malicious SQL statements. Google stated that the flaw was known to threat actors and was at imminent risk of being used in attacks. This marks what Google believes is the first instance of an AI agent predicting and helping to prevent the exploitation of a zero-day vulnerability in the wild. The flaw affects SQLite versions prior to 3.50.2.

Read more at:

Cisco Warns of Critical Flaw in Identity Services Engine

Cisco has issued a security advisory for a critical vulnerability, CVE-2025-20337, in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The flaw carries the maximum possible CVSS score of 10.0, as it allows an unauthenticated, remote attacker to execute arbitrary code with the highest level of privileges (root) on an affected device. The vulnerability is in a specific API and is due to insufficient input validation. It affects ISE versions 3.3 and 3.4. Cisco has released software updates and advises administrators to patch their systems immediately, as there are no workarounds.

Read more at:

Unpatched SharePoint Zero-Day Exploited in Attacks

A critical zero-day remote code execution (RCE) vulnerability in Microsoft SharePoint, CVE-2025-53770, is being actively exploited in attacks against on-premises servers. Microsoft has confirmed the active attacks, which began around July 18, 2025, and have reportedly compromised dozens of servers. The flaw is a variant of a bug demonstrated at the Pwn2Own hacking contest. Currently, no patch is available, but Microsoft is developing a security update. The vulnerability does not affect SharePoint Online customers.

Read more at:

CrushFTP Zero-Day Allows Server Hijacking

A zero-day vulnerability in the CrushFTP enterprise file transfer server is being actively exploited, allowing attackers to gain administrative access to servers. The vulnerability, CVE-2025-54309, is an unprotected alternate channel flaw that can be leveraged by a remote, unauthenticated attacker. Exploitation was first detected on July 18, 2025. CrushFTP believes attackers discovered the bug by reverse-engineering recent patches. The company has stated that the latest versions of its software already contain a fix for the issue.

Read more at:

Threats

Ransomware Operators Expand Attacks to Linux and VMware Systems

Ransomware gangs are strategically shifting their focus from Windows to target Linux and VMware environments, which are prevalent in enterprise and cloud infrastructures. With Linux powering the vast majority of public cloud workloads and top web servers, cybercriminals are developing specialized ransomware to exploit these systems.

Groups like Pay2Key and Helldown are updating their tools to target Linux, while others use advanced "fileless" techniques that are difficult to detect. These techniques leverage legitimate system tools to execute malicious code directly in memory, bypassing traditional antivirus solutions that are often not as robust on non-Windows systems. This evolution in tactics highlights a critical blind spot in the security of cloud and DevOps environments. Read More

New "Dark 101" Ransomware Disables Recovery Tools

A new ransomware variant named "Dark 101" has been identified, featuring a weaponized .NET binary designed to cripple system recovery efforts. This malware encrypts user files and then takes steps to prevent system restoration by disabling Windows recovery modes and blocking access to the Task Manager. To evade detection, Dark 101 uses tactics like impersonating legitimate system processes and delaying its execution to fool automated sandbox analysis. The attackers typically demand a ransom of around $1500 in Bitcoin to decrypt the files. Read More

Albemarle County Suffers Major Ransomware Attack

A ransomware attack on Albemarle County, Virginia, has compromised the sensitive personal information of county residents, local government employees, and public school staff. The breach exposed data such as names, Social Security numbers, driver's license numbers, and passport details. The attack, which took place in June, also caused significant disruptions to the county's phone and IT systems. In response, officials have notified the FBI and are offering affected individuals 12 months of free identity monitoring services. Read More

"Dark Partners" Hacking Group Drains Crypto Wallets with Fake Sites

A cybercrime operation known as Dark Partners is using a large network of over 250 malicious websites to steal cryptocurrency. These sites impersonate legitimate AI tools, VPN services, and software brands to trick users into downloading infostealer malware. The group uses different malware for different operating systems, deploying Poseidon Stealer on macOS and PayDay Loader on Windows systems to exfiltrate crypto wallet data and other sensitive credentials. Read More

Chinese State-Sponsored Hackers Breached US National Guard

The U.S. Department of Homeland Security confirmed that a Chinese state-sponsored hacking group, known as Salt Typhoon, remained undetected within the U.S. Army National Guard's network for nine months. During this time, the attackers stole sensitive data, including administrator credentials, network diagrams, and the personally identifiable information (PII) of service members. The group is part of a larger collective tasked with infiltrating U.S. critical infrastructure to establish footholds for potential future conflicts. Read More

Infostealers Spread Through Cracked Software

Cybercriminals are commonly distributing information-stealing malware by bundling it with pirated software and key generators ("cracks"). Users seeking to run this software are often instructed to disable their antivirus programs, creating an opportunity for malware like RedLine Stealer and RisePro to infect their systems without being detected. Once installed, these infostealers are designed to steal sensitive information such as passwords, financial details, and cryptocurrency wallet credentials. Read More

Hackers Weaponize SVG Files to Bypass Security

Threat actors are increasingly using Scalable Vector Graphics (SVG) files as a vector for cyberattacks. Because SVG files can contain scripts and are often treated as simple images, they can bypass email security filters that block more suspicious file types. Attackers embed malicious JavaScript inside these files, a technique known as "HTML smuggling," to deliver malware like the Agent Tesla Keylogger and XWorm RAT. When a victim opens the weaponized SVG file in a web browser, the embedded script executes, often prompting a download of the malicious payload. Read More
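As a defender's counterpart to the technique above, the following is an added example (not code from the article or from any vendor): a first-pass triage scan that flags the scripting features which turn an SVG "image" into an executable document, suitable as a mail-gateway or sandbox pre-filter ahead of a full XML parse. The rule names, the scanSvg and shouldQuarantine helpers, and both sample files are constructed for this example.

```javascript
// Added example (not from the article): first-pass triage of an SVG attachment
// that flags the scripting features behind the technique described above.
// Plain regular expressions over the file text, suitable for a mail gateway or
// sandbox pre-filter; rule names, helpers and sample files are this example's
// own constructions.

// Each rule pairs a pattern with the reason it matters for an "image".
const RULES = [
  { name: "script-element", re: /<\s*script\b/i,
    why: "a static image has no need for <script>" },
  { name: "event-handler", re: /\s+on[a-z]+\s*=/i,
    why: "onload/onclick attributes run JavaScript when rendered" },
  { name: "javascript-uri", re: /(?:href|xlink:href)\s*=\s*["']\s*javascript:/i,
    why: "javascript: links execute on click" },
  { name: "foreign-object", re: /<\s*foreignObject\b/i,
    why: "foreignObject embeds arbitrary HTML inside the image" },
  { name: "html-smuggling", re: /\b(?:atob|Blob|createObjectURL|msSaveBlob)\s*\(/i,
    why: "decoding an embedded blob for the browser is the smuggling pattern" },
  { name: "external-script", re: /<\s*script\b[^>]*\bhref\s*=/i,
    why: "pulls script from a remote host at render time" },
];

// Return every rule the SVG text triggers, with the matching snippet.
function scanSvg(svgText) {
  const findings = [];
  for (const rule of RULES) {
    const m = rule.re.exec(svgText);
    if (m) findings.push({ rule: rule.name, why: rule.why, snippet: m[0].trim() });
  }
  return findings;
}

// Policy: any scripting capability disqualifies the file as an image attachment.
function shouldQuarantine(svgText) {
  return scanSvg(svgText).length > 0;
}

// Constructed samples: a plain icon, and a file with the traits of a
// weaponized SVG (handler attribute, script element, blob decoding). The
// base64 string is just "PLACEHOLDER", not a payload.
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/></svg>`;

const SUSPICIOUS_SVG = `<svg xmlns="http://www.w3.org/2000/svg" onload="run()">
  <script>var p = atob("UExBQ0VIT0xERVI=");</script></svg>`;
```

The check is deliberately strict: an SVG that exists only to draw something triggers none of the rules, so a single hit is enough to route the file for deeper inspection rather than deliver it as an image.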

Cyber Attacks

North Korean Hackers Use Fake Zoom Invitations to Target Crypto Companies

Hackers linked to North Korea are using sophisticated social engineering tactics, including fake Zoom meeting invites and AI-generated deepfakes, to compromise employees at cryptocurrency and Web3 companies. The objective is to deceive victims into installing malware, such as the "NimDoor" backdoor for macOS, designed to steal cryptocurrency and other sensitive data. The attack chain often begins with a fraudulent message on platforms like Telegram or a fake Calendly invitation, which directs the target to a counterfeit Zoom meeting where they are prompted to install a malicious "update" or "extension".

Read more at:

Malicious NPM Packages Linked to North Korean "Contagious Interview" Campaign

North Korean threat actors have expanded their "Contagious Interview" campaign by publishing dozens of malicious packages on the npm (Node Package Manager) registry. Recently, 67 new packages were identified, designed to compromise developer systems and exfiltrate data, with a particular focus on cryptocurrency wallets. These supply chain attacks frequently leverage social engineering, with hackers posing as recruiters on professional networking sites like LinkedIn to engage with software developers. The malicious packages employ multi-stage, obfuscated JavaScript to download and run additional harmful payloads from remote servers.

Read more at:

Japanese Companies Targeted in Widespread Cyberattacks

Japanese companies have recently been the focus of significant cyberattacks. In one campaign, 46 companies and organizations, including major entities like Japan Airlines and MUFG Bank, were hit with distributed denial-of-service (DDoS) attacks. In a separate, large-scale incident, the "WannaCry" ransomware impacted about 600 Japanese companies, compromising around 2,000 computers at companies such as Hitachi and Nissan.

Read more at:

Critical Fortinet FortiWeb Vulnerability Actively Exploited

A critical SQL injection vulnerability in Fortinet's FortiWeb web application firewall (WAF) is being actively exploited by attackers. The flaw, identified as CVE-2025-25257, holds a severity score of 9.6 out of 10 and allows an unauthenticated attacker to execute unauthorized code or commands remotely. Following its discovery, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the urgent need for patching. The public release of proof-of-concept (PoC) code has accelerated the weaponization of this exploit.

Read more at:

Microsoft Teams Calls Weaponized to Deploy Ransomware

Cybercriminals are now using Microsoft Teams calls as a vector to deliver the Matanbuchus ransomware loader. In these attacks, threat actors impersonate IT support personnel during Teams video calls and use social engineering to persuade victims to execute malicious PowerShell scripts through the Quick Assist feature. This method cleverly circumvents typical email security filters by exploiting the inherent trust users place in enterprise collaboration tools. The latest version, Matanbuchus 3.0, operates as a sophisticated Malware-as-a-Service (MaaS) platform.

Read more at:

CitrixBleed 2 Flaw Under Active Exploitation

A critical memory disclosure vulnerability known as "CitrixBleed 2" (CVE-2025-5777) is affecting Citrix NetScaler ADC and Gateway systems and is being actively exploited in the wild. The flaw allows attackers to hijack active user sessions and steal credentials without authentication. Evidence suggests exploitation began in mid-June, with at least 100 organizations already compromised, while thousands of other instances remain vulnerable. CISA has added this vulnerability to its KEV catalog, mandating rapid patching for federal agencies.

Read more at:

DNS Vulnerabilities Create "Nation-State Level Spying" Risks

Security researchers have uncovered a new class of vulnerabilities within major DNS-as-a-Service (DNSaaS) providers that could enable attackers to conduct "nation-state level spying" on corporate networks. By simply registering a domain, attackers can hijack a provider's nameserver to intercept internal dynamic DNS traffic from thousands of organizations, including Fortune 500 companies and government agencies. The intercepted data includes sensitive information such as computer names, employee details, and internal IP addresses, which can be used to map and breach networks.

Read more at:

Microsoft Entra ID Flaw Allows Privilege Escalation

A significant vulnerability has been found in Microsoft Entra ID (formerly Azure Active Directory) that allows a user with existing privileged access to escalate their permissions to become a Global Administrator. This could grant the attacker full control over an organization's entire cloud environment, including access to emails and all applications linked to Azure. The vulnerability stems from weaknesses in the platform's authentication mechanisms and role-based access control (RBAC), which can be exploited by manipulating API calls to bypass security protocols.

Read more at:
