Cybersecurity Threats 12-20 July 2025

Introduction

July 2025 has seen a surge in critical cybersecurity vulnerabilities and sophisticated attack campaigns targeting major platforms and organizations. From browser exploits to supply chain attacks, businesses and individuals must stay vigilant. This article summarizes the most pressing threats, including vulnerabilities in Google Chrome, NVIDIA, SharePoint, Sophos, and Ubiquiti devices, alongside major attack campaigns exploiting Citrix, Fortinet, and Louis Vuitton systems. We also cover emerging security issues in Apache Tomcat and Windows Server 2025.

1.     Critical Vulnerabilities

1.1.         Google Chrome ANGLE and GPU Vulnerability (CVE-2025-6558)

Severity: High 

Affected: Google Chrome versions prior to 138.0.7204.157 

Description: A critical flaw in Chrome’s ANGLE and GPU components allows remote attackers to potentially escape the browser’s sandbox via crafted HTML pages. ANGLE, which translates graphics commands for device-specific drivers, can be exploited to access low-level GPU operations, risking deeper system compromise. 

Mitigation: Update to Chrome 138.0.7204.157 or later immediately. 

More details: https://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desktop_15.html                  

1.2.         NVIDIA Container Toolkit Vulnerabilities (CVE-2025-23266, CVE-2025-23267)

Severity: Critical (9.0), High (8.5) 

Affected: NVIDIA Container Toolkit (all platforms) 

Description: Misconfigurations in the toolkit’s OCI hook "createContainer" allow attackers to execute arbitrary code with elevated privileges. CVE-2025-23266 could enable complete server takeover by loading malicious libraries via LD_PRELOAD in Dockerfiles. 

Mitigation: Apply NVIDIA’s latest patches, review Docker configurations, and restrict container privileges. 

More details: https://nvidia.custhelp.com/app/answers/detail/a_id/5659

1.3.         Microsoft SharePoint RCE Vulnerability (CVE-2025-53770)

Severity: Critical (9.8) 

Affected: SharePoint Server 2016, 2019, Subscription Edition 

Description: A remote code execution flaw allows attackers with low privileges to execute arbitrary code via malicious XML payloads in WebPart controls. Exploiting unsafe deserialization, attackers can achieve full system compromise. 

Mitigation: Apply Microsoft’s July 2025 patches (KB5002658, KB5002657, KB5002656), enforce strict input validation, and monitor web service endpoints. 

More details: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

1.4.         Sophos Intercept X LPE Vulnerabilities (CVE-2024-13972, CVE-2025-7433, CVE-2025-7472)

Severity: High (8.8, 8.8, 7.5) 

Affected: Sophos Intercept X for Windows (pre-2024.3.2), Central Device Encryption (pre-2025.1), Installers (pre-1.22) 

Description: Three local privilege escalation vulnerabilities enable arbitrary code execution with SYSTEM privileges due to permissive registry ACLs, flawed encryption modules, and improper installer permissions. 

Mitigation: Update to Intercept X 2024.3.2, Device Encryption 2025.1, and Installer 1.22. Enforce least privilege and monitor for anomalies. 

More details: https://www.sophos.com/en-us/security-advisories/sophos-sa-20250717-cix-lpe

1.5.         Ubiquiti UniFi Command Injection (CVE-2025-27212)

Severity: Critical (9.8) 

Affected: UniFi Access Reader Pro, G2/G3 Reader Pro, Intercom, Intercom Viewer 

Description: A command injection vulnerability allows unauthenticated attackers to execute arbitrary commands remotely, risking full system compromise and data exfiltration in physical security systems. 

Mitigation: Apply firmware updates (e.g., Reader Pro 2.15.9+), segment networks, and monitor for unauthorized access. 

More details: https://community.ui.com/releases/Security-Advisory-Bulletin-051-051/583fa6e1-3d85-42ec-a453-651d1653c9b3

2.      Attack Campaigns

2.1.         CitrixBleed 2 (CVE-2025-5777)

Description: Since June 23, 2025, attackers have launched 11.5 million attacks exploiting CitrixBleed 2, a pre-authentication memory overread flaw, compromising over 100 organizations, particularly in financial services (40% of attacks). The vulnerability enables session hijacking and MFA bypass. 

Mitigation: Apply Citrix patches, terminate active sessions, and monitor for indicators like repeated doAuthentication requests. Nearly 4,700 unpatched instances remain as of July 17, 2025. 

More details: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420

2.2.         Fortinet FortiWeb Webshell Attacks (CVE-2025-25257)

Description: A pre-authenticated SQL injection flaw in Fortinet FortiWeb’s Fabric Connector allows attackers to escalate to remote code execution, with 77 instances compromised by webshells as of July 15, 2025. Public PoC exploits accelerated attacks. 

Mitigation: Patch to FortiWeb 7.6.4, 7.4.8, 7.2.11, or 7.0.11, disable HTTP/HTTPS admin interfaces, and monitor for webshell activity. 

More details: https://fortiguard.fortinet.com/psirt/FG-IR-25-151

2.3.         Louis Vuitton Data Breach

Description: On July 2, 2025, Louis Vuitton UK suffered a data breach exposing customer personal data (names, contact details, purchase histories). Likely caused by SQL injection or credential stuffing via a third-party provider, the attack went undetected for nearly a month. 

Mitigation: Implement zero-trust architecture, enhance MFA, and conduct regular audits. Customers should beware of phishing risks. 

More details: https://www.dior.com/en_us/fashion/data-security-update

3.      Security News

3.1.         Apache Tomcat DoS Vulnerability (CVE-2025-53506)

Description: A flaw in Apache Tomcat’s HTTP/2 engine allows unauthenticated attackers to trigger denial-of-service attacks by exploiting a race condition in stream limit handling, exhausting server resources. 

Mitigation: Upgrade to Tomcat 11.0.9, 10.1.43, or 9.0.107, disable HTTP/2, or configure reverse proxies to limit streams. 

More details: https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/

3.2.         Windows Server 2025 Golden dMSA Attack

Description: A design flaw in Windows Server 2025’s delegated Managed Service Accounts allows attackers to bypass authentication and generate passwords for all managed accounts, enabling forest-wide lateral movement. 

Mitigation: Audit KDS root key access, limit dMSA creation, and monitor for abnormal authentication patterns. Microsoft plans localhost restrictions but has no immediate patch. 

More details: https://www.semperis.com/blog/golden-dmsa-what-is-dmsa-authentication-bypass/

Conclusion

The cybersecurity landscape in July 2025 underscores the need for proactive patching, robust network monitoring, and zero-trust principles. Organizations should prioritize updates for affected systems, enforce strict access controls, and educate users on phishing risks. Stay informed and act swiftly to mitigate these evolving threats. For consultation and for tailored cybersecurity advisory, contact our Cyber Threat Management team at Crowe UAE, +971 55 343 8693, [email protected]