Crowe UAE Cyber Security Bulletin: 5th – 11th July 2025

7/15/2025

Stay ahead of evolving cyber threats with our weekly roundup of critical vulnerabilities, active attack campaigns, and major security news.

Vulnerability Highlights

  1. Microsoft Patch Tuesday (July 2025)
  • 130 vulnerabilities fixed, including 41 remote code execution (RCE) flaws.
  • Affected: The vulnerabilities span multiple Microsoft platforms and services, including Windows operating systems, Microsoft Office (Excel, Word, PowerPoint, SharePoint), SQL Server, Microsoft Edge (Chromium-based), Azure Monitor Agent, Visual Studio, Microsoft Intune, Windows BitLocker, Windows Hyper-V, and RRAS (Routing and Remote Access Service).
  • Notable CVEs:
      • CVE-2025-47981 (SPNEGO Extended Negotiation, CVSS 9.8) – Wormable RCE
      • CVE-2025-49717 – SQL Server RCE
      • Multiple Office RCEs – Exploitable via malicious files
  2. Fortinet FortiWeb - CVE-2025-25257
  • SQL injection vulnerability (CVSS 9.6): Fortinet has disclosed a critical SQL injection vulnerability affecting FortiWeb versions 7.6, 7.4, 7.2, and 7.0. The flaw arises from improper handling of special characters in SQL commands and could allow unauthenticated attackers to execute arbitrary SQL code by sending specially crafted HTTP or HTTPS requests. Immediate patching is strongly recommended.
  • Read more at: https://fortiguard.fortinet.com/psirt/FG-IR-25-151
  3. Wing FTP Server - CVE-2025-47812
  • Critical RCE (CVSS 10.0): A critical remote code execution vulnerability affects Wing FTP Server versions prior to 7.4.4. Because the user and admin web interfaces handle null (\0) bytes improperly, attackers can inject arbitrary Lua code into session files and execute system-level commands, potentially leading to full server compromise. The flaw is exploitable even through anonymous FTP accounts, making immediate patching essential.
  • Read more at: https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
  4. ServiceNow - CVE-2025-3648
  • Data inference vulnerability via conditional ACLs (CVSS 8.2): ServiceNow has disclosed a high-severity vulnerability affecting the Now Platform, where certain conditional ACL configurations may allow unauthorized users to infer restricted data using range queries. Both authenticated and unauthenticated users could exploit this flaw to access sensitive instance information. ServiceNow has introduced new security controls (Query ACLs, Security Data Filters, and Deny-Unless ACLs) in the Xanadu and Yokohama releases to help mitigate this risk.
  • Read more at: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2139567

Attack Campaigns of the Week

  1. macOS Infostealers Surge
  2. China-Linked “VELETRIX” Loader Attacks Telecom Infrastructure
  3. Batavia Spyware Campaign in Russian Industrial Sectors

Security Headlines

  • DoNot APT (India-linked) Targets European Foreign Ministries
  • Fake AI/Gaming Firms Scam Crypto Users
  • NCA Arrests Four in Retail Cyber Attacks

Crowe UAE’s Cybersecurity team continues to monitor and analyze emerging threats. Organizations are encouraged to stay updated, patch critical systems promptly, and strengthen user awareness through security training. For consultation and tailored cybersecurity advisory services, contact our team at Crowe UAE: +971 55 343 8693, [email protected]