July 19, 2025

Header image for the Red Dot Weekly Cyber Security News https://reddotsecurity.news

Hello all,

What started out as a somewhat quiet week, with only one nasty item early on from Google Chrome, escalated slowly with the last few days bringing reveals of multiple critical and high-severity vulnerabilities in products by Cisco, CrushFTP, HPE, Microsoft, Sophos, Symantec and more. To offset some of the constant sky-is-falling reports, in our Ransomware, Malware, and Vulnerabilities News section, we do have several links to good news of arrests and takedowns by US and International authorities, scoring some nice wins for the good guys!

This video commentary is from the RedDotSecurity.news website, which contains a plethora of links to other items, not mentioned here, that are worth skimming to see if they interest you or pertain to your particular environment or to those you support. There is a lot more there than what is covered in these opening comments. So, on to the headline news.

Headline NEWS:

  • Cisco Identity Services Engine (ISE) scored a perfect 10 on the Common Vulnerabilities and Exposure (CVE) scale for a defect that can allow an unauthenticated attacker to take over the system, gaining root permission. Didn’t we just patch for this two weeks ago? Hopefully, they get it right this time.
  • CrushFTP emailed their clients late in the week about a zero-day vulnerability that they’d found to be under active exploitation. In a serendipitous twist, CrushFTP had released an updated version just a few days earlier that was patching something else, and they found that the new version also mitigates this new flaw. Users are urged to immediately upgrade to the latest available version.
  • Google Chrome had yet another zero-day show up this past week. Actually, six different flaws were patched via the update. Naturally, one was in the V8 JavaScript engine. If you haven’t updated or restarted your Google Chrome within the past week, do so quickly.
  • Microsoft SharePoint On-Premises has a zero-day codenamed “ToolShell”, which is under active exploitation and enables Remote Code Execution (RCE). Dozens of servers managed by corporations and governments around the world already show Indicators of Compromise (IOCs). The July Patch Tuesday release contained a fix for this defect. Unfortunately, a second vector has been found that is also under active exploitation, and a full patch is not available yet. Microsoft has shared mitigating guidance recommending the use of the Antimalware Scan Interface, stating, “Customers who have enabled the AMSI integration feature and use Microsoft Defender across their SharePoint Server farm(s) are protected from this vulnerability”. Microsoft further advises that if you cannot enable AMSI, disconnect your SharePoint server from the internet until a patch is available.
  • Sophos Intercept X for Windows has been revealed to have three defects related to permissions. The most severe, in my opinion, is a flaw which allows a threat actor to use the installer to elevate permission, running their malicious payload as SYSTEM. Sophos has released updates to address all of the flaws across their currently supported Windows Intercept X versions. If you use this, update soon.
  • Symantec Endpoint Management Suite has a defect that enables unauthenticated remote code execution (RCE). The specific flaw is in Symantec Altiris Inventory Rule Management (IRM) and is dependent upon port 4011 being open to network access. Symantec says that the port is not needed for normal operation, and it should be blocked via firewall rules. The article link contains further mitigating guidance.
  • VMware ESXi and VMware Workstation have vulnerabilities that need patching. If you have support for your ESXi servers, then check with Broadcom for updates immediately since these defects allow threat actors to execute malicious code on the hosts. If you don’t have support, it is against their EULA to obtain them. No patch for you. Since Workstation and Workstation Fusion are free for personal use, you’ll need to log into your Broadcom account to download the patched version since Broadcom still hasn’t fixed the auto-updating mechanism.

In Ransomware, Malware, and Vulnerabilities News:

  • Oracle unleashed their Quarter 2 vulnerability and defect updates, with a whopping 165 CVEs being addressed. Unfortunately, as with Broadcom, the updates are behind a paywall. If you use Oracle products and have an active subscription, be sure to check for updates quickly. I’m sure that threat actors are already examining the patches to see what they’re able to exploit.
  • Microsoft Teams is being abused by crafty dirtbags to vish unsuspecting employees into giving up access, enabling Matanbuchus malware to be installed. This is made possible by misconfigurations in Teams that allow unauthorized external organizations to initiate meetings, join chats, and falsify internal support calls to the victims.

In Other News Events of Note and Interest:

  • Rise of the Machines is inevitable. Several articles this week highlight advances in robotics and AI. One describes how a gallbladder procedure at Johns Hopkins University was performed completely via autonomous robotic surgery with zero errors. Another predicts the eventual replacement of humans on farms as robots and drones take over most of the tedious work of growing and harvesting. The third, in a bit of macabre science reality (not fiction), shows that robots will soon be capable of repairing themselves by harvesting parts from others, and even of building entirely new robots. Thankfully, when Grok 4 went live last week, Skynet wasn’t born – yet. So, we may still have some time.

Musings:

Ugh! It happened! A user on my network got a nasty virus this past week. Due to legal and other reasons, it wasn’t possible to restore from a backup or erase the affected unit. So, containment and deliberate eradication of the virus were initiated. Unfortunately, full containment wasn’t achieved. And due to sharing the same network and imperfect isolation, I’ve found that I too am now infected. You’d think that I’d know better! For me, it started with a slowdown in processing, something I mistakenly attributed to an increase in my daily workload this past week. I then noticed that searches were often turning up incorrect or empty results. There were extended pauses when my system seemed to just zone out. That’s when my system started overheating and sputtering. I knew that I was in trouble when liquid started seeping from the area around the CPU. I performed a virus scan, and sure enough, my wife had passed her COVID on to me. Thankfully, my isolation is quite solid, my wife is doing significantly better now, and I think that I’m still making sense, despite my processor being rather compromised at the moment and still at the cusp of this horrible thing.

Visc. Jan Broucinek

Keep the shields up, even the biohazard one.

 Viscount Jan Broucinek
Red Dot Security News
