
Hello all,
Wow, another Patch Tuesday for the record books! Microsoft offered up fixes for 137 flaws, with at least one zero-day in the mix. Adobe patched 58 vulnerabilities across multiple products, Ivanti plugged more holes, and Fortinet patched just about everything they make. Splunk released fixes, and the list goes on. Basically, if a piece of software or hardware you own can receive updates, check whether it has any pending.
This email and its video commentary come from the RedDotSecurity.news website, which contains a plethora of links to other items, not mentioned here, that are worth skimming to see if they interest you or pertain to your particular environment or those you support. There is a lot more there than what is covered in these opening comments. So, on to the headline news.
Headline NEWS:
- Citrix NetScaler has a defect that has been named “CitrixBleed 2”, after a similar defect from 2023 that saw widespread compromise. This one allows attackers to read information out of the device’s memory, including session material, so that sessions can be hijacked without the victim’s knowledge. Proof of Concept (PoC) code is already out in the wild, and these devices have been under active exploitation for weeks. If you have a NetScaler and haven’t patched it for this vulnerability yet, assume it is compromised. Note that patching alone does not end sessions that were already hijacked: terminate active ICA and PCoIP sessions after upgrading and review authentication logs for sessions arriving from unexpected addresses. Contact your support vendor for help.
- Fortinet patched just about everything this week. Their PSIRT alert lists at least 9 different products affected by this round of notifications. As I’ve mentioned before, Fortinet products are very popular with threat actors, so patch quickly.
- Microsoft has unleashed updates for a whopping 137 defects, including one zero-day in SQL Server. As usual, vet the updates quickly so that you can roll them out to your devices. Threat actors are already decompiling code, looking for what was fixed so that they can exploit unpatched systems. The race is on.
- Palo Alto Networks’ GlobalProtect VPN client has been found to have a Local Privilege Escalation (LPE) defect. If a threat actor has already gained low-privileged access to a system, they can escalate to root on macOS or Linux and to SYSTEM on Windows. Once a threat actor has that level of access, it is usually only a matter of time until they compromise the entire network. Update to the latest version of GlobalProtect quickly.
- Ruckus Networks has ignored requests for comments and has not responded to reports of vulnerabilities in their Ruckus Wireless Virtual SmartZone (vSZ) and Ruckus Network Director (RND). Nine separate CVEs were issued, yet still no response or patches from the vendor. The CERT Coordination Center recommends, “To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.” If the silence continues, you should seriously consider replacing any Ruckus products.
- Wing FTP Server is one that I’m unfamiliar with, but there are at least 8,000 of these exposed on the internet, with at least 5,000 of them vulnerable to a defect that allows complete takeover via the web interface. As reported by Huntress Labs, this is under active exploitation. Readers are urged to immediately update Wing FTP Server to version 7.4.4 or higher to mitigate this defect, and then search for evidence of compromise.
In Ransomware, Malware, and Vulnerabilities News:
- McFail from the world’s favorite fast food burger place. McDonald’s, taking advantage of the amazing capability of artificial intelligence, created an AI hiring platform named McHire. Catchy, right? It seems that the firm that used an AI to build the site for Mickey D’s might need a bit of remedial security instruction. Security researchers Ian Carroll and Sam Curry found that an account with the password “123456” had full access to the database of over 64 million applicants. Yep, the same password that has turned up 3 million times in a massive database of passwords leaked in breaches and cyber incidents. In fact, it is the number one bad password out there, followed closely by “123456789”. If you’re using that as your password, sorry to break the news to you, but it is time to change it.
- macOS SMBClient Flaw Enables Remote Code Execution and Kernel Crashes. This affects all recent versions of the operating system and requires little to no user interaction to exploit. It can be triggered remotely via a URL in a message, an email, or a poisoned webpage; all it takes is for the recipient to click the link, and other exploitation methods exist as well. Users are urged to check for and install the latest available macOS update as soon as possible.
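The practical lesson from the McHire item is that an application should never let “123456” become a credential in the first place: screen new passwords against breached-password data at signup and on password change. The example below is added here and is not code from the newsletter, from McDonald’s, or from the vendor that built McHire. It implements the k-anonymity range check used by Have I Been Pwned’s Pwned Passwords service (hash with SHA-1, send only the first five hex digits, match the suffix locally), but against a constructed in-process breach corpus whose passwords and counts are made up so that it runs offline; the function names, `CONSTRUCTED_BREACH_CORPUS`, and the simulated server are my assumptions, not anything from the page.

```python
"""Screen a candidate password against breached-password data without
sending the password, or even its full hash, anywhere.

This is the k-anonymity range scheme used by Have I Been Pwned's Pwned
Passwords API: the client hashes the password with SHA-1 and sends only
the first five hex digits; the server returns every known hash suffix
for that prefix with its breach count, and the match happens client-side.

Added example, not code from the newsletter or any vendor it names.
CONSTRUCTED_BREACH_CORPUS and its counts are invented stand-ins for the
real data set, and the range server is simulated in-process.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the leaked-password corpus a range server holds
# (password -> number of times it was seen in breaches). Counts are made up.
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "123456": 3_000_000,
    "123456789": 1_500_000,
    "password": 900_000,
    "password1234": 400_000,
    "qwerty": 700_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the key format Pwned Passwords uses.
    SHA-1 is only a lookup key here; never store passwords with it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix that leaves the client, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def simulated_range_server(prefix: str) -> str:
    """Server side, simulated: answer a prefix query with 'SUFFIX:COUNT'
    lines, the same text format the real range endpoint returns. The
    server learns only the prefix, which is shared by many hashes."""
    prefix = prefix.upper()
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating blank lines."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def breach_count(password: str,
                 query: Callable[[str], str] = simulated_range_server) -> int:
    """Number of times the password appears in the breach corpus (0 = never).
    Replace `query` with an HTTPS call to the range endpoint to go live."""
    prefix, suffix = split_hash(password)
    return parse_range_response(query(prefix)).get(suffix, 0)


def acceptable_password(password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Policy gate to run at signup or password change: reject anything
    short and anything that has ever appeared in a breach, however rarely."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password)
    if seen:
        return False, f"appears {seen} times in breached-password data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("123456", "password1234", "correct horse battery staple"):
        print(candidate, "->", acceptable_password(candidate))
```

The point of the prefix/suffix split is that the service can be queried from a signup form without disclosing the password: a five-hex-digit prefix matches hundreds of stored hashes, so the server cannot tell which one the client cares about. Reject on any non-zero count; a password that leaked once is already in attackers’ wordlists.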
In Other News Events of Note and Interest:
- Alphabet’s Isomorphic Labs wants to “solve all diseases”. In 2021, DeepMind’s AlphaFold, an AI model, shaved months, if not years, off the work of determining how proteins fold and interact with other molecules. Previously this was a very well documented process with exacting steps that took extensive time to run through. By using AI, that time was cut down to nearly instantaneous results in predicting protein structures. In 2024 Isomorphic Labs began in earnest and is now on the cusp of human trials of radically new drugs that can be tailor-designed to target the exact variant, strain, and mutation of a disease and efficiently eradicate it, leaving other cells untouched. This is a very cool application of AI technology!
Musings:
When did EULAs (End User License Agreements) begin requiring you to opt out of various information-siphoning schemes? Was I just asleep at the wheel and didn’t notice that subtle shift, or has it always been that way? Have developers, corporations, and online marketplaces always wanted access to everything that you’ve ever created or even thought about?
It seems that now with AI voraciously gobbling up anything available, content creators have begun fighting back. Cloudflare has announced that they’re blocking AI bot scraping, unless there is an agreement allowing it. Many content creators are resorting to putting their works behind paywalls, and some are eschewing digital altogether and going back to distribution of content via print medium. I wonder though, is it a case of the horse already being out of the barn and it being too late to close the doors? We’ll have to wait and see. For now, I think I’ll continue to store my most important notes on my trusty paper composition book.

Keep the shields up.
Viscount Jan Broucinek
Red Dot Security News
Headline NEWS
- Critical CitrixBleed 2 vulnerability has been under active exploit for weeks
- “CitrixBleed 2” Vulnerability PoC Released – Warns of Potential Widespread Exploitation
- FortiOS Buffer Overflow Vulnerability Allows Attackers to Execute Arbitrary Code
- FortiWeb SQL injection Vulnerability Allows Attackers to Execute Malicious SQL Commands
- Microsoft July 2025 Patch Tuesday fixes one zero-day, 137 flaws
- July 2025 Patch Tuesday: Updates and Analysis
- Palo Alto GlobalProtect App: Privilege Escalation (PE) Vulnerability
- Ruckus Networks leaves severe flaws unpatched in management devices
- Ruckus Virtual SmartZone (vSZ) and Ruckus Network Director (RND) contain multiple vulnerabilities
- Critical Wing FTP Server Vulnerability Actively Being Exploited in the Wild
Ransomware, Malware, and Vulnerabilities News
- Impostor Uses AI to Impersonate Rubio and Contact Foreign and US Officials
- CISA Adds Four Critical Vulnerabilities to KEV Catalog Due to Active Exploitation
- FBI Data: The Most Costly Financial Crimes in 2024
- FBI Seizes Major Nintendo Switch Piracy Website
- Justice Department Announces Arrest of Prolific Chinese State-Sponsored Contract Hacker
- US Sanctions North Korea IT Worker Crypto Fraud Ring
- The Czech Republic bans DeepSeek in state administration over cybersecurity concerns
- Deepseek faces ban in Germany as privacy watchdog reports the app to Google and Apple as “illegal content”
- Cybersecurity’s global alarm system is breaking down
- CA/Browser Forum passes ballot to reduce SSL/TLS certificates to 47 day maximum term
- 4 Critical Steps in Advance of 47-Day SSL/TLS Certificates
- Crooks posing as ATF agents target US smartphone users
- CMS Notifies 103,000 Medicare Beneficiaries About Unauthorized Account Creation
- Facing AI-powered threats, CISOs consolidate around single-vendor SASE
- Is your password ecosystem ready for the regulators?
- Browser Exploits Wane as Users Become the Attack Surface
- Google Gemini flaw hijacks email summaries for phishing
- Security vulnerability on U.S. trains that let anyone activate the brakes on the rear car, was known for 13 years — operators refused to fix the issue until now
- This new Android attack could trick you into compromising your own phone
- Adobe Patches Critical Code Execution Bugs among release of fixes for 58 vulnerabilities
- AMD finally clarifies Windows TPM & BitLocker bug that still affects Ryzen CPUs
- Splunk released fixes for quite a few defects, one that has been lingering since 2013
- Ivanti released updates for vulnerabilities in Ivanti Connect Secure and Policy Secure, Ivanti EPM, and Ivanti EPMM
- Microsoft Remote Desktop Client Vulnerability Let Attackers Execute Remote Code
- Microsoft SQL Server 0-Day Vulnerability Exposes Sensitive Data Over Network
- Microsoft fixes critical wormable Windows flaw
- Microsoft 365 PDF Export LFI Vulnerability Allows Access to Sensitive Server Data
- 13-year-old hacks Teams, forces Microsoft to change bug bounty
- Windows BitLocker Vulnerability Lets Attackers Bypass Security Protections
- New AI Malware PoC Reliably Evades Microsoft Defender
- New ServiceNow flaw lets attackers enumerate restricted data
- Linux Boot Vulnerability Allows Bypass of Secure Boot Protections on Modern Linux Systems
- Several major Linux distros hit by serious Sudo security flaws
- macOS SMBClient Flaw Enables Remote Code Execution and Kernel Crashes
- Thousands of critical vulnerabilities found in EU border system
- Hackers abuse leaked Shellter red team tool to deploy infostealers
- Call of Duty takes PC game offline after multiple reports of RCE attacks on players
- Hijacking Amazon EventBridge for launching Cross-Account attacks
- How I almost fell for a Microsoft 365 Calendar invite scam
- PoC Released for Linux Privilege Escalation Vulnerability via udisksd and libblockdev
- Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads
- New PerfektBlue Attack Exposes Millions of Cars to Remote Hacking
- Atomic macOS infostealer adds backdoor for persistent attacks
- Identity attacks surge 156% as phishermen get craftier
- Phishing platforms, infostealers blamed as identity attacks soar
- Inside a 30,000 phone bot farm stealing crypto airdrops from real users
- That’s not your insurance company messaging you, FBI warns
- The MFA You Trust Is Lying to You – and Here’s How Attackers Exploit It
- NordDragonScan Attacking Windows Users to Steal Login Credentials
- Mamona attacks without internet, erases itself, and fools your antivirus: here’s what makes it terrifyingly effective
- SEO Poisoning Campaign Targets 8,500+ SMB Users with Malware Disguised as AI Tools
- Chrome Store Features Extension Poisoned With Sophisticated Spyware
- Browser extensions turn nearly 1 million browsers into website-scraping bots
- Browser hijacking campaign infects 2.3M Chrome, Edge users
- Ballad: Third-party vendor experienced data breach
- McDonald’s AI Hiring Bot With Password ‘123456’ Leaks Millions of Job-Seekers Data
- A Threat Actor Claimed McDonald’s Data Leak on the Dark Web
- Provider of covert surveillance app spills passwords for 62,000 users
- Recruiting software maker exposes nearly 26M resumes
- Virginia county says April ransomware attack exposed employee SSNs
- City of Abilene still picking up the pieces after cyberattack
- Columbia data stolen in cyberattack that caused dayslong IT outage
- Ransomware Attack Stops Nova Scotia Power Meter Readings
- “No honor among thieves”: M&S hacking group starts turf war
- Marks & Spencer chair refuses to say if retailer paid hackers after ransomware attack
- M&S confirms social engineering led to massive ransomware attack
- Four arrested in connection with M&S and Co-op cyber attacks
- Nippon Steel Subsidiary Blames Data Breach on Zero-Day Attack
- Employee gets $920 for credentials used in $140 million bank heist
- Bitcoin Depot breach exposes data of nearly 27,000 crypto users
- Qantas is being extorted in recent data-theft cyberattack
- Qantas data breach exposes millions of customer records
- BERT Ransomware Forcibly Shut Down ESXi Virtual Machines to Disrupt Recovery
- Iranian ransomware crew reemerges, promises big bucks for attacks on US or Israel
- Ingram Micro Ransomware Attack: Partners Show Loyalty As Firm Makes ‘Important Progress’ On Restoring Systems
- Ingram Micro Attack Did Not Involve GlobalProtect VPN: Palo Alto Networks
- Suspected Scattered Spider domains target everyone from manufacturers to Chipotle
- Scattered Spider: The hacking group wreaking havoc on corporate America
- Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation
- China-linked group Houken hit French organizations using zero-days
- Chinese hackers suspected in breach of powerful DC law firm
- SatanLock Ransomware Ends Operations, Says Stolen Data Will Be Leaked
- North American APT Uses Exchange Zero-Day to Attack China
Other News Events of Note and Interest
- Cool Tool: OBS Studio 31.1 Released With Explicit Sync For PipeWire Screen Capture
- Hugging Face opens up orders for its Reachy Mini desktop robots
- Everything tech giants will hate about the EU’s new AI rules
- Jack Dorsey says his ‘secure’ new Bitchat app has not been tested for security
- Citrix signals return to the mainstream hypervisor market with a product it says isn’t quite ready for the job
- Telefónica Germany offloads VMware support to Spinnaker due to high renewal costs
- Researcher tricks ChatGPT into revealing security keys – by saying “I give up”
- Employees are quietly bringing AI to work and leaving security behind
- OpenAI is reportedly releasing an AI browser in the coming weeks
- AWS is launching an AI agent marketplace next week with Anthropic as a partner
- Alphabet’s Isomorphic Labs has grand ambitions to ‘solve all diseases’ with AI. Now, it’s gearing up for its first human trials
- Your Roku has secret menus and settings – here’s how to access them
- Big Tech’s Court Wins in AI Copyright Cases Could Upend the Internet
- The Seven Kinds of AI Agents
- Cursor apologizes for unclear pricing changes that upset users
- What is AGI? Nobody agrees, and it’s tearing Microsoft and OpenAI apart
- Unless users take action, Android will let Gemini access third-party apps
- Instagram uses expiring certificates as single day TLS certificates
- Ranked: The World’s Most Common Passwords
- Passkeys: How they work, how to use them
- How passkeys work: The complete guide to your inevitable passwordless future
- ‘Cyber security’ behind decision to end defense satellite sharing of hurricane data
- Manufacturing Security: Why Default Passwords Must Go
- TikTok’s ‘ban’ problem could end soon with a new app and a sale
- VMware’s rivals ramp up their efforts to create alternative stacks
- Google faces EU antitrust complaint over AI Overviews
- Microsoft’s Edge browser now loads sites even faster
- Microsoft shares detailed guide to meet Windows 11 TPM requirements when moving VMs
- Microsoft confirms Windows Server Update Services (WSUS) sync is broken
- Microsoft temporarily removes one Edge change to fix unexpected issues
- Microsoft Edge will soon warn you about compromised passwords
- Windows 11 now uses JScript9Legacy engine for improved security
- Windows 11 25H2 has a new option to remove all unwanted Microsoft apps
- 7 new Windows 11 features in the July 2025 Security Update
- Microsoft’s July Patch Tuesday Update for Windows 11 Adds PC Migration Tool
- Windows Update Gets Smarter: New Interface Puts Users in Control of Security Notifications
- Windows 10 KB5062554 cumulative update released with 13 changes, fixes
- Windows 11 KB5062553 & KB5062552 cumulative updates released
- ReFS memory hog, networking, and stability issues are fixed in Windows 11 (KB5062663)
- Windows 11 KB5062553 install fails, issues cause Firewall error (July 2025 Update)
- Latest Windows 11 Patch Tuesday fixes Firewall issue
