Svoboda Cybersecurity Brief July 19, 2025



CrushFTP Zero-Day Exploited for Admin Access

A critical zero-day vulnerability (CVE-2025-54309) in CrushFTP allows attackers to gain administrative access via the web interface on unpatched servers. The flaw was exploited in the wild as early as July 16, 2025, targeting HTTP(S) interfaces. CrushFTP claims systems updated after July 1 are not vulnerable.
Impact: Unauthenticated remote code execution and potential full system compromise.
Mitigation: Update to CrushFTP v10.8.5 or v11.3.4_23, kill active sessions, and review logs for indicators like modified user.XML files.
Source: BleepingComputer

Phobos Ransomware Decryptor Released

Japanese police and Europol released a free decryptor for Phobos and 8Base ransomware variants, reversing encryption for files with extensions like .phobos, .8base, and .LIZARD. The tool follows the takedown of Phobos infrastructure earlier this year.
Impact: Decrypts files encrypted by recent Phobos variants, preventing data loss.
Mitigation: Apply the decryptor and ensure systems are patched against initial infection vectors.
Source: BleepingComputer

NVIDIA Container Toolkit Flaw Exposes AI Cloud Services

CVE-2025-23266 (CVSS 9.0) in NVIDIA Container Toolkit allows container escape via misconfigured OCI hooks, granting root access to the host. Exploitable in multi-tenant AI cloud environments, potentially compromising other tenants’ data.
Impact: Privilege escalation, data tampering, and cross-tenant breaches in shared GPU environments.
Mitigation: Update to NVIDIA Container Toolkit v1.17.8 or GPU Operator v25.3.1; isolate containers using virtualization.
Source: The Hacker News

CitrixBleed 2 Exploited Against 100+ Organizations

CVE-2025-5777 in NetScaler ADC/Gateway allows session hijacking via token theft, bypassing MFA. Over 4,700 instances remain unpatched as of July 17, 2025. Attackers use stolen tokens for ransomware deployment and persistence via MSP tools.
Impact: Session hijacking, ransomware attacks, and lateral movement.
Mitigation: Patch to NetScaler ADC 14.1-43.56 or later, kill all sessions, and clear session cookies.
Source: SecurityWeek

Arch Linux AUR Packages Deliver Chaos RAT

Malicious packages (librewolf-fix-bin, firefox-patch-bin, zen-browser-patched-bin) in the Arch User Repository (AUR) deployed the Chaos RAT via DLL side-loading. The malware connects to the C2 server at 130.162.225.47:8080.
Impact: Remote code execution and credential harvesting.
Mitigation: Remove suspicious “systemd-initd” executables and audit installed AUR packages.
Source: BleepingComputer

UK MoD Data Leak Exposes Afghan Relocation Applicants

A 2022 breach at the UK Ministry of Defence exposed 100+ British personnel (including MI6 agents) and 80,000–100,000 Afghan applicants seeking relocation. Data was mistakenly emailed outside secure channels and later posted on Facebook.
Source: DataBreaches.net

Qantas Obtains Injunction After AI-Powered Hack

Qantas secured a court order to prevent publication of customer data stolen in a hack where AI impersonated an employee. The breach exposed addresses, phone numbers, and dates of birth for 1.3 million accounts.
Source: DataBreaches.net

Seoul Guarantee Insurance Crippled by Ransomware

South Korea’s largest guarantee insurer faced a ransomware attack disabling core systems for three days, affecting $344.4 billion in guarantees. The breach was confirmed by financial regulators.
Source: DataBreaches.net

Google Sues Badbox 2.0 Botnet Operators

Google filed a lawsuit against Chinese groups operating the Badbox 2.0 botnet, which infected 10M Android devices for ad fraud and proxy services. The botnet pre-installs malware or tricks users into downloading malicious apps.
Source: SecurityWeek

TeleMessage SGNL Flaw Actively Exploited

CVE-2025-48927 in TeleMessage’s Signal clone exposes heap dumps containing credentials via unsecured /heapdump endpoints. GreyNoise observed scanning for vulnerable Spring Boot Actuator interfaces.
Impact: Credential theft and unauthorized access.
Mitigation: Disable /heapdump endpoints and restrict Actuator access.
Source: The Hacker News
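Added example (not code from the brief or from any vendor named in it): a small defender-side check that runs over constructed web-server access-log lines and flags requests to sensitive Spring Boot Actuator endpoints such as /heapdump, distinguishing blocked probes from successful downloads. The log format, IP addresses and endpoint list are assumptions for illustration.

```python
import re
from collections import Counter

# Assumption: logs use the nginx/Apache "combined" format (client IP, timestamp, request line, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Actuator endpoint ids whose output can leak secrets or memory; /heapdump is the one abused here.
SENSITIVE = ("heapdump", "env", "configprops", "threaddump", "mappings", "beans")

def sensitive_endpoint(path: str):
    """Return the endpoint id if the request path targets a sensitive Actuator endpoint, else None."""
    path = path.split("?", 1)[0].rstrip("/").lower()
    last = path.rsplit("/", 1)[-1]
    return last if last in SENSITIVE else None

def scan_access_log(lines):
    """Classify each hit on a sensitive endpoint: 'exposed' when the server answered 200, else 'probe'."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ep = sensitive_endpoint(m["path"])
        if ep is None:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"], "endpoint": ep, "status": status,
            "verdict": "exposed" if status == 200 else "probe",
        })
    return findings

def summarize(findings):
    """Count verdicts per source IP so a real exposure stands out from blocked scanning noise."""
    return Counter((f["ip"], f["verdict"]) for f in findings)

# Constructed sample lines (not real traffic): one scanner is blocked, one heap dump is actually served.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jul/2025:10:01:02 +0000] "GET /actuator/heapdump HTTP/1.1" 403 0 "-" "curl/8.0"',
    '203.0.113.5 - - [17/Jul/2025:10:01:03 +0000] "GET /actuator/env HTTP/1.1" 403 0 "-" "curl/8.0"',
    '198.51.100.9 - - [17/Jul/2025:10:05:44 +0000] "GET /heapdump HTTP/1.1" 200 73400320 "-" "python-requests/2.31"',
    '198.51.100.9 - - [17/Jul/2025:10:05:50 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(summarize(scan_access_log(SAMPLE_LOG)))
```

A 200 on /heapdump means the dump left the server, so that host should be treated as compromised and its credentials rotated, not merely patched.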

Authentic Antics Malware Linked to APT28

Ukraine’s CERT-UA tied the LLM-powered LAMEHUG malware to APT28 (Fancy Bear); the malware generates its commands through the Qwen2.5-Coder-32B-Instruct API. Targets include Ukrainian government agencies.
Source: The Hacker News
