Svoboda Cybersecurity Brief July 22, 2025

Jul 22, 2025


Critical SharePoint Zero-Day Exploited in Global Attacks

Microsoft has released emergency patches for CVE-2025-53770 (CVSS 9.8), a remote code execution flaw in on-premises SharePoint Server, actively exploited since July 18, 2025. Attackers deployed ToolShell backdoors to exfiltrate ASP.NET machine keys and maintain persistence. Over 9,000 exposed servers are potentially vulnerable, with confirmed breaches at US agencies, universities, and energy firms.
Impact: Full system compromise, credential theft, and lateral movement.
Mitigation: Apply patches (SharePoint 2019/Subscription Edition), enable AMSI, rotate machine keys, and restrict internet-facing instances.
Source: Microsoft
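The mitigation above asks for rotating the ASP.NET machine keys that were exfiltrated; as an added example (not code from the brief or from Microsoft), this audits and rotates the <machineKey> element of a generic ASP.NET web.config. It assumes a plain web.config file and a constructed sample; SharePoint farms should rotate keys through the farm itself (Central Administration or the SharePoint Management Shell) so every server in the farm ends up with the same new keys, and the size thresholds are this example's policy.

```python
import secrets
import xml.etree.ElementTree as ET
# Audit thresholds (example policy): 64-byte HMACSHA256 validationKey, 32-byte AES decryptionKey, hex-encoded.
VALIDATION_KEY_BYTES, DECRYPTION_KEY_BYTES = 64, 32
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}   # legacy ViewState MAC algorithms
WEAK_DECRYPTION = {"DES", "3DES"}

def generate_machine_key() -> dict:
    """Fresh, cryptographically random <machineKey> attribute values."""
    return {"validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
            "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
            "validation": "HMACSHA256", "decryption": "AES"}

def audit_machine_key(web_config_xml: str) -> list:
    """Return findings for the <machineKey> in a web.config; [] means OK."""
    mk = next(ET.fromstring(web_config_xml).iter("machineKey"), None)
    if mk is None:
        return ["no explicit <machineKey>: keys are AutoGenerate per server"]
    findings = []
    if mk.get("validation", "").upper() in WEAK_VALIDATION:
        findings.append("weak validation algorithm " + mk.get("validation"))
    if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
        findings.append("weak decryption algorithm " + mk.get("decryption"))
    for attr, nbytes in (("validationKey", VALIDATION_KEY_BYTES),
                         ("decryptionKey", DECRYPTION_KEY_BYTES)):
        val = mk.get(attr, "")
        if val.startswith("AutoGenerate"):
            findings.append(attr + " is AutoGenerate: not shareable across a farm")
        elif len(val) < 2 * nbytes:   # hex: two characters per byte
            findings.append(f"{attr} is shorter than {nbytes} bytes")
    return findings

def rotate_machine_key(web_config_xml: str) -> str:
    """Replace (or create) <machineKey> with fresh keys; returns the new XML."""
    root = ET.fromstring(web_config_xml)
    sw = next(root.iter("system.web"), None)
    if sw is None:
        sw = ET.SubElement(root, "system.web")
    mk = next(sw.iter("machineKey"), None)
    if mk is None:
        mk = ET.SubElement(sw, "machineKey")
    for name, value in generate_machine_key().items():
        mk.set(name, value)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: a legacy config whose stolen keys stay usable until rotated.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
<machineKey validationKey="0123456789ABCDEF0123456789ABCDEF01234567"
            decryptionKey="0123456789ABCDEF" validation="SHA1" decryption="DES"/>
</system.web></configuration>"""
```

Rotation only helps once the rotated file is deployed and IIS recycled; stolen keys remain valid on any server still running the old values.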

CrushFTP Zero-Day (CVE-2025-54309) Grants Admin Access

A zero-day in CrushFTP (versions <10.8.5/11.3.4_23) allows unauthenticated attackers to gain admin privileges via HTTP(S) by bypassing AS2 validation. Exploitation began on July 18, with attackers tampering with version numbers to hide compromises. Over 1,040 servers remain unpatched.
Impact: Full server takeover, data exfiltration, and persistent backdoors.
Mitigation: Update to v10.8.5_12/11.3.4_26, review logs, and use DMZ proxies.
Source: BleepingComputer

Iran-Linked DCHSpy Spyware Targets Dissidents via Fake VPNs

MuddyWater (Iranian APT) deployed DCHSpy malware via fake VPN apps (e.g., “Earth VPN”) and Starlink lures to steal WhatsApp data, call logs, and device photos. Targets include activists and journalists amid Israel-Iran tensions.
Impact: Surveillance, credential theft, and geopolitical espionage.
Source: The Hacker News

Dell Confirms Breach of Test Lab Platform by World Leaks

World Leaks extortion group breached Dell’s Customer Solution Centers, exfiltrating 1.3 TB of synthetic data and outdated contact lists. The group, a rebrand of Hunters International, focuses on data theft over ransomware.
Impact: Limited operational disruption but reputational risk.
Source: BleepingComputer

ExpressVPN Bug Leaks User IPs in RDP Sessions

A debug code remnant in ExpressVPN Windows clients (v12.97–12.101.0.2-beta) caused RDP traffic to bypass VPN tunnels, exposing real IPs. Fixed in v12.101.0.45 (June 18, 2025).
Impact: IP address exposure, potential de-anonymization.
Mitigation: Update to latest version and audit RDP usage.
Source: BleepingComputer

SAS Soldiers’ Identities Leaked in UK Ministry of Defence Breach

A UK Ministry of Defence data leak exposed the identities of SAS soldiers, with some details publicly available online for a decade. It follows a prior breach that put 100,000 lives at risk from Taliban reprisals.
Impact: Operational security compromise and physical safety risks.
Source: DataBreaches.net

Dior Data Breach Exposes US Customer PII

Dior disclosed a January 2025 breach exposing names, addresses, SSNs, and passport details of US customers. The incident is linked to ShinyHunters targeting an LVMH third-party vendor.
Impact: Identity theft and phishing risks.
Source: BleepingComputer

HPE Instant On Access Points Vulnerable to Hard-Coded Credentials

CVE-2025-37103 (CVSS 9.8) in HPE Instant On Access Points allows admin bypass via hard-coded credentials. Patched in v3.2.1.0.
Impact: Unauthorized network access and command execution.
Mitigation: Update firmware and audit device configurations.
Source: The Hacker News

3,500 Websites Hijacked for Cryptojacking via Stealth JavaScript

Attackers injected obfuscated JavaScript miners that use WebSockets to adjust CPU usage dynamically, evading detection. The infrastructure is linked to Magecart domains.
Impact: Performance degradation and resource theft.
Source: The Hacker News

Surveillance Firm Bypasses SS7 Location Protections

A firm abused TCAP manipulation in SS7 to hide IMSI fields, bypassing carrier checks and retrieving real-time user locations. The activity has been ongoing since Q4 2024.
Impact: Mass location tracking and privacy violations.
Source: SecurityWeek
