Overview
- CrushFTP
- CrushFTP
Description
Statistics
- 7 Posts
Fediverse

🚨 Critical CrushFTP zero-day (CVE-2025-54309) allows attackers to gain admin access without credentials. Patch to v10.8.4 or v11.3.1 immediately—active exploitation confirmed. Technical breakdown: https://redteamnews.com/red-team/cve/crushftp-zero-day-exploited-for-unauthenticated-admin-access-technical-breakdown/

🚨 CrushFTP has an active 0-Day with a CVSS score of 9.0
CVE-2025-54309: CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025

Critical Zero-Day Exploit in CrushFTP Puts Enterprises at Risk: Here’s What You Must Know
A New Wave of Cyber Exploits Hits Managed File Transfer Systems In a fresh cybersecurity shockwave, enterprise-grade file transfer platform CrushFTP is at the center of a critical zero-day vulnerability actively exploited by hackers. Tracked as CVE-2025-54309, this flaw gives unauthorized attackers administrative access through the web interface of unpatched servers. This isn't a…

CrushFTP Zero-Day Under Attack: Hackers Exploiting Unpatched Servers Worldwide
Dangerous Exploit Exposes Thousands of Enterprise File Transfer Systems A critical zero-day vulnerability has rocked the enterprise tech world as CrushFTP confirms active exploitation of CVE-2025-54309. This newly discovered flaw allows cybercriminals to gain full administrative access via the web interface of outdated CrushFTP servers. First detected on July 18th, the exploit appears to…

🚨 new zero-day affecting CrushFTP instances (CVE-2025-54309) being exploited in the wild:
~291,903 exposed devices running CrushFTP (as of 19.07.25) according to @shodanhq:
`http.html:"crushftp"`
Patch now:
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025

0-day (CVE-2025-54309) in CrushFTP - under active attack - German companies apparently already affected
https://www.borncity.com/blog/2025/07/19/crushftp-mit-0-day-schwachstelle-cve-2025-54309/

Alright team, a busy 24 hours in the cyber world! We've got some significant updates on nation-state activity, a couple of actively exploited vulnerabilities, a new ransomware decryptor, and a reminder about the ever-evolving privacy landscape. Let's dive in.
Russian Alcohol Retailer Hit by Ransomware ⚠️
- WineLab, a major Russian alcohol retailer and part of Novabev Group, has shut down its stores and online operations following a cyberattack.
- The company confirmed a ransom demand was made but stated they would not comply, indicating potential data theft or system encryption.
- While most major Russian-origin ransomware groups typically avoid targeting entities within Russia or CIS, this incident highlights a growing trend of smaller RaaS operations or non-Russian actors breaching such targets.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/russian-alcohol-retailer-winelab-closes-stores-after-ransomware-attack/
Actively Exploited Vulnerabilities
CrushFTP Zero-Day Under Active Exploitation 🛡️
- CrushFTP is warning customers about a zero-day vulnerability, CVE-2025-54309, actively exploited to gain administrative access via the web interface.
- The flaw affects versions prior to CrushFTP v10.8.5 and v11.3.4_23, with exploitation detected since July 18th, potentially earlier.
- Indicators of compromise include unexpected entries in MainUsers/default/user.XML and new, unrecognised admin-level usernames like "7a0d26089ac528941bf8cb998d97f408m". Admins should review logs and consider IP whitelisting or DMZ instances.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-to-gain-admin-access-on-servers/
Hackers Scanning for TeleMessage Signal Clone Flaw 🔒
- Researchers are observing active exploitation attempts for CVE-2025-48927 in the TeleMessage SGNL app, a Signal clone, which can expose usernames, passwords, and other sensitive data.
- The vulnerability stems from exposing the '/heapdump' endpoint from Spring Boot Actuator without authentication, allowing attackers to download a full Java heap memory dump.
- Organisations using on-premise installations of TeleMessage SGNL should immediately disable or restrict access to the '/heapdump' endpoint and limit exposure of all Actuator endpoints.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-scanning-for-telemessage-signal-clone-flaw-exposing-passwords/
Nation-State Activity, Malware, and Ransomware Updates
UK Sanctions Russian GRU for Cyber Operations and Murders 🚨
- The UK government has sanctioned 18 Russian military intelligence officers and three GRU units (26165, 29155, 74455) for cyber reconnaissance operations linked to civilian targeting in Ukraine and destabilisation efforts in Europe.
- Unit 26165 (Fancy Bear/APT28) is specifically attributed to deploying 'Authentic Antics' malware, a sophisticated credential stealer for Microsoft 365 accounts that exfiltrates data by sending emails from the victim's own account without appearing in the sent folder.
- This action underscores the UK's commitment to exposing and countering hybrid threats, with international allies like the EU and NATO issuing solidarity statements.
🗞️ The Record | https://therecord.media/uk-sanctions-gru-personnel-accused-murder-civilians-ukraine
🤫 CyberScoop | https://cyberscoop.com/uk-sanctions-russian-hackers-spies-as-us-weighs-its-own-punishments-for-russia/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/uk-ties-russian-gru-to-authentic-antics-credential-stealing-malware/
Singapore Accuses Chinese APT of Critical Infrastructure Attacks 🇨🇳
- Singapore's Minister for National Security, K. Shanmugam, has publicly accused Chinese espionage group UNC3886 of actively targeting the nation's critical infrastructure.
- UNC3886 is known for exploiting routers and network security devices (like Juniper, Fortinet, VMware) to deploy custom backdoors, focusing on stealth and long-term persistence in defence, technology, and telecommunication sectors.
- This ongoing threat highlights the potential for cascading impacts on business operations and supply chains, urging a re-evaluation of vendor trust and system security.
🗞️ The Record | https://therecord.media/singapore-accuses-chinese-backed-hackers-critical-infrastructure-attacks
Free Decryptor Released for Phobos and 8Base Ransomware 🔓
- The Japanese National Police Agency, in collaboration with Europol and the FBI, has released a free decryptor for victims of Phobos and its spin-off, 8Base ransomware.
- This tool supports files encrypted with extensions like ".phobos", ".8base", ".elbie", ".faust", and ".LIZARD", and is believed to be possible due to information obtained during recent law enforcement disruptions and arrests of key operators.
- Victims are strongly encouraged to try the decryptor, available on the Japanese police website and NoMoreRansom platform, even if their file extensions aren't explicitly listed, as it has been confirmed to successfully decrypt files from recent variants.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-phobos-ransomware-decryptor-lets-victims-recover-files-for-free/
🗞️ The Record | https://therecord.media/decryptor-phobos-8base-ransomware-japan-national-police
Arch Linux AUR Packages Spread Chaos RAT Malware 🐧
- Arch Linux has removed three malicious packages ("librewolf-fix-bin", "firefox-patch-bin", "zen-browser-patched-bin") from its Arch User Repository (AUR) that were installing the CHAOS remote access trojan (RAT).
- The packages, uploaded by user "danikpapas", contained a source entry pointing to a GitHub repository with malicious code executed during the build/installation phase.
- Users who installed these packages should immediately check for and delete a suspicious "systemd-initd" executable, potentially located in the /tmp folder, and take further measures to ensure their systems are not compromised.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/arch-linux-pulls-aur-packages-that-installed-chaos-rat-malware/
Social Engineering and AI: The New Zero-Day? 🧠
- Former IDF cyber chief Ariel Parnes highlights that social engineering, rather than zero-days, is increasingly the primary concern for cyber defenders, as demonstrated by groups like Scattered Spider and Iranian APTs.
- Generative AI significantly enhances social engineering capabilities by automating reconnaissance and enabling the creation of highly convincing phishing emails, fake documents, and spoofed websites at scale.
- This shift means attackers don't need advanced cyber weapons; they just need to understand target organisations, people, language, and culture, making the threat more scalable and effective.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/07/19/idf_cyber_chief_iran/
Data Privacy and AI Terms of Service
AI and Terms of Service: A Privacy Minefield ⚖️
- Companies integrating AI are updating their Terms of Service (ToS), causing user backlash over data usage for AI model training, as seen with WeTransfer.
- WeTransfer faced significant user anger after a ToS change granted broad licensing permissions for content, including for "improving performance of machine learning models," despite denying intent to use files for AI training.
- This incident highlights the "AI trust crisis" where users are wary of how their data is used, underscoring the need for clear, transparent communication from companies regarding AI features and data handling.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/07/18/llm_products_terms_of_service/
#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #ZeroDay #Vulnerability #SocialEngineering #AI #DataPrivacy #InfoSec #CyberAttack #Malware #IncidentResponse
Overview
Description
Statistics
- 3 Posts
Fediverse

Signal Clone App Under Attack: TeleMessage SGNL Vulnerability Exposes Sensitive Data in Massive Cybersecurity Breach
Hidden Dangers in Secure Messaging: The TeleMessage SGNL Vulnerability Unmasked In a world increasingly reliant on encrypted messaging, the discovery of a serious vulnerability in TeleMessage SGNL — a clone of the widely used Signal platform — is raising alarms across the cybersecurity landscape. Known officially as CVE-2025-48927, this flaw allows…

🚨 CVE-2025-48927 hits Signal-clone TeleMessage SGNL— used in secure gov comms. A misconfigured /heapdump endpoint left passwords and usernames exposed.
Exploits are already active, per GreyNoise.
Audit your Spring Boot instances NOW.
Full Article Link ⬇️
https://www.technadu.com/signal-app-clone-telemessage-vulnerability-exploit-could-expose-passwords/603241/

Overview
Description
Statistics
- 1 Post
- 26 Interactions
Fediverse

Updated #CitrixBleed2 scans https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt
Fields - IP, SSL certification hostnames, Netscaler firmware, if vulnerable to CVE-2025-5777
I've had a few orgs contest that they're not vulnerable and the scan is wrong. I've assisted each org, and in each case they've been wrong - they'd patched the wrong Netscaler, the passive HA node etc.
Overview
- Cisco
- Cisco Identity Services Engine Software
Description
Statistics
- 2 Posts
- 2 Interactions
Fediverse

🚨 Third critical Cisco ISE flaw in a month. Another perfect 10 CVSS score, another no-workaround RCE. If you’re still running ISE 3.3 or 3.4 without the latest patches, you’re leaving the door wide open for remote root access via a crafted API request.
TL;DR
⚠️ CVE-2025-20337 = unauthenticated RCE
🚨 Exploit = remote root with no workaround
🛠️ Fix = Patch 3.3.7 or 3.4.2
🔍 No active exploitation... yet
https://www.theregister.com/2025/07/17/critical_cisco_bug/
#Cisco #InfoSec #VulnerabilityManagement #ZeroDay #security #privacy #cloud #infosec #cybersecurity

CVE-2025-20337 is a vulnerability in Cisco's Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) products, which the company said in a security advisory https://www.darkreading.com/application-security/cisco-cvss-10-flaw-ise-ise-pic-patch-now
Overview
Description
Statistics
- 2 Posts
- 1 Interaction
Fediverse

HTTP Parameter Pollution in form-data with PoC.
https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4
sev:CRIT 9.4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

CRITICAL: CVE-2025-7783 impacts form-data (<2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3). Insufficient randomness → HTTP Parameter Pollution risk! Patch or mitigate ASAP. 🛡️ https://radar.offseq.com/threat/cve-2025-7783-cwe-330-use-of-insufficiently-random-ec36637b #OffSeq #CVE20257783 #infosec #jssec
Overview
- NVIDIA
- Container Toolkit
Description
Statistics
- 2 Posts
Fediverse

The vulnerability, tracked as CVE-2025-23266, carries a CVSS score of 9.0 out of 10.0. It has been codenamed NVIDIAScape by Google-owned cloud security company Wiz. https://thehackernews.com/2025/07/critical-nvidia-container-toolkit-flaw.html

https://www.openwall.com/lists/oss-security/2025/07/16/3
Looking at this and CVE-2025-23266 makes me wonder: was NVIDIA's GPU sandbox vibe-coded?
#VibeCoding #AI #YOLO
Overview
- Microsoft
- Azure Machine Learning
Description
Statistics
- 2 Posts
- 1 Interaction
Fediverse

⚠️ CRITICAL: CVE-2025-49746 hits Azure Machine Learning. Improper authorization enables privilege escalation over the network—potential cross-tenant impact. No patch yet. Enforce least privilege, monitor access, and prep incident response! Details: https://radar.offseq.com/threat/cve-2025-49746-cwe-285-improper-authorization-in-m-bb846408 #OffSeq #Azure #CloudSec #Infosec

Microsoft published two sev:CRIT CVEs in Azure Machine Learning and one sev:CRIT in ADO.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49746
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49747
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47158
All of them are listed as not publicly disclosed and not exploited.
The vulnerability documented by this CVE requires no customer action to resolve
Overview
- Microsoft
- Azure DevOps
Description
Statistics
- 2 Posts
- 1 Interaction
Fediverse

⚠️ CRITICAL: CVE-2025-47158 in Azure DevOps lets attackers bypass auth & escalate privileges remotely. No patch yet—restrict network access, enforce MFA, and review permissions. Monitor for updates & log suspicious activity. https://radar.offseq.com/threat/cve-2025-47158-cwe-302-authentication-bypass-by-as-ebe1715f #OffSeq #AzureDevOps #CVE2025 #infosec

Overview
- Microsoft
- Azure Machine Learning
Description
Statistics
- 2 Posts
- 1 Interaction
Fediverse

🚨 CVE-2025-49747: CRITICAL flaw in Azure Machine Learning (CVSS 9.9). Missing authorization lets authorized users escalate privileges over the network. Review access controls & monitor for signs of abuse. No patch yet—follow Microsoft advisories. https://radar.offseq.com/threat/cve-2025-49747-cwe-862-missing-authorization-in-mi-f7184950 #OffSeq #AzureML #CloudSecurity #CVE2025

Overview
Description
Statistics
- 1 Post
- 6 Interactions