Cybersecurity Threats and Trends - 07/15/2025

This week's threat landscape demonstrates the accelerating pace of vulnerability exploitation and the persistent targeting of critical infrastructure and consumer-facing platforms.

While you were busy arguing with your smart thermostat about the optimal temperature for productivity, threat actors were busy turning enterprise networks into their personal ATMs. This week's cybersecurity landscape looks like a horror movie where the call is definitely coming from inside the house – and the house is on fire.

1. CISA Issues Unprecedented 1-Day Deadline for Citrix Bleed 2

Primary Threat: Critical memory safety vulnerability in Citrix NetScaler ADC and Gateway is being actively exploited, prompting CISA's fastest-ever patch mandate.

Risk: CRITICAL

The U.S. Cybersecurity & Infrastructure Security Agency has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) and issued an unprecedented one-day deadline for federal agencies to apply fixes. This marks the shortest timeline in CISA's Known Exploited Vulnerabilities catalog history, underscoring the severity of ongoing attacks. The critical memory safety flaw allows unauthenticated attackers to access restricted memory areas in NetScaler devices configured as Gateway or AAA virtual servers. Security researcher Kevin Beaumont dubbed it "CitrixBleed 2" due to similarities with the infamous CVE-2023-4966 that was extensively exploited by cybercriminals. Proof-of-concept exploits published by watchTowr and Horizon3 researchers on July 7 have accelerated threat actor adoption, with multiple exploits now circulating on hacker forums. The vulnerability affects versions prior to 14.1-43.56, 13.1-58.32, 13.1-37.235-FIPS/NDcPP, and 2.1-55.328-FIPS.

Detection and Remediation Tips:

  • Immediately upgrade NetScaler firmware to versions 14.1-43.56+, 13.1-58.32+, or 13.1-FIPS/NDcPP 13.1-37.235+

  • Disconnect all active ICA and PCoIP sessions using kill icaconnection -all and kill pcoipconnection -all commands

  • Review session logs for suspicious activity using show icaconnection command

  • Implement firewall rules or ACLs to limit external NetScaler access if immediate patching isn't possible

  • Monitor for unusual authentication patterns and session token abuse

  • Establish out-of-band communication channels for critical operations

2. Wing FTP Server Under Active Attack via Critical RCE Flaw

Primary Threat: Hackers are exploiting a maximum-severity remote code execution vulnerability in Wing FTP Server just one day after technical details became public.

Risk: HIGH

Security researchers at Huntress discovered active exploitation of CVE-2025-47812, a critical vulnerability in Wing FTP Server that achieved the maximum CVSS score of 10.0. The flaw combines null byte injection with Lua code execution, allowing unauthenticated attackers to achieve root/SYSTEM level access. Exploitation began on July 1st, merely one day after security researcher Julien Ahrens published technical details. The attack involves sending malformed login requests with null-byte-injected usernames to create malicious session files that execute arbitrary Lua code. Huntress observed multiple threat actors targeting the same Wing FTP instance within hours, indicating widespread scanning and exploitation attempts. The vulnerability affects all Wing FTP versions 7.4.3 and earlier, with version 7.4.4 released in May 2025 containing the necessary fixes.

Detection and Remediation Tips:

  • Upgrade Wing FTP Server to version 7.4.4 immediately

  • Disable HTTP/HTTPS access to Wing FTP web portal if upgrading isn't possible

  • Disable anonymous login functionality

  • Monitor session directories for suspicious .lua file additions

  • Review authentication logs for malformed login attempts with null bytes

  • Implement network segmentation to limit FTP server exposure
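A check for the log-review tip above, as an added example that is not the newsletter's or Wing FTP's own code: it scans constructed login-log lines (the line format is an assumption, not Wing FTP's real log schema) for usernames carrying a NUL byte in raw, URL-encoded, double-URL-encoded or JSON-escaped form.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a hypothetical auth-log format (not Wing FTP's real format).
SAMPLE_LOG = """\
2025-07-01T09:12:03Z LOGIN user="alice" result=OK src=10.0.0.5
2025-07-01T09:12:41Z LOGIN user="bob%00evil" result=FAIL src=203.0.113.9
2025-07-01T09:13:07Z LOGIN user="anonymous\\u0000x" result=FAIL src=203.0.113.9
2025-07-01T09:13:30Z LOGIN user="carol" result=OK src=10.0.0.7
"""

NUL_PATTERNS = (
    "\x00",      # raw NUL byte
    "%00",       # URL-encoded NUL
    "\\u0000",   # JSON-escaped NUL
    "\\x00",     # C-style escaped NUL
)

USER_RE = re.compile(r'user="([^"]*)"')

def has_null_byte(username: str) -> bool:
    """True if the username contains a NUL in any of the encodings above."""
    decoded = unquote(username)  # one decode pass also turns double-encoded %2500 into %00
    return any(p in username or p in decoded for p in NUL_PATTERNS)

def find_null_byte_logins(log_text: str):
    """Return (line_number, username, src) for every login attempt that carries a NUL."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = USER_RE.search(line)
        if m and has_null_byte(m.group(1)):
            src = re.search(r"src=(\S+)", line)
            hits.append((n, m.group(1), src.group(1) if src else ""))
    return hits
```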

3. Four Arrested in £440M Scattered Spider Attacks on UK Retailers

Primary Threat: UK authorities arrested four individuals connected to massive cyber attacks on Marks & Spencer, Co-op, and Harrods, with financial damages reaching nearly half a billion pounds.

Risk: HIGH

The UK National Crime Agency announced the arrest of four suspects aged 17-20 in connection with cyber attacks causing £270-440 million in damages to major British retailers. The arrests represent a significant blow to the Scattered Spider cybercrime group, known for sophisticated social engineering tactics targeting help desks and deploying ransomware. Marks & Spencer confirmed the attack involved DragonForce ransomware deployed through social engineering, while the broader campaign affected multiple high-profile retailers. The young, native English-speaking attackers leveraged their linguistic advantages to convincingly impersonate employees during phone-based social engineering attacks. Independent journalist Brian Krebs identified two of the arrested individuals as Owen David Flowers and Thalha Jubair, with Jubair allegedly connected to the LAPSUS$ group and serving as administrator of the Doxbin doxxing site.

Detection and Remediation Tips:

  • Implement robust identity verification procedures for IT help desk interactions

  • Deploy phishing-resistant multi-factor authentication across all systems

  • Train help desk staff to recognize and resist social engineering attempts

  • Establish out-of-band verification protocols for sensitive account changes

  • Monitor for suspicious authentication patterns and privilege escalations

  • Review and strengthen third-party vendor access controls

Did you know...?

The term "CitrixBleed" was coined by security researcher Kevin Beaumont to highlight the similarity between CVE-2025-5777 and the infamous CVE-2023-4966 vulnerability. Both flaws involve memory safety issues in Citrix NetScaler devices, but the rapid exploitation timeline for CitrixBleed 2 – with proof-of-concept exploits published just days after the patch release – demonstrates how quickly the threat landscape can evolve. The original CitrixBleed vulnerability was exploited by numerous threat actors for months before widespread patching occurred, making CISA's unprecedented one-day deadline a clear signal that lessons have been learned about the critical nature of Citrix infrastructure vulnerabilities.

4. Critical Fortinet FortiWeb RCE Exploits Released

Primary Threat: Proof-of-concept exploits have been published for a critical SQL injection vulnerability in Fortinet FortiWeb that enables pre-authenticated remote code execution.

Risk: HIGH

Security researchers from watchTowr and independent researcher "faulty *ptrrr" have released working exploits for CVE-2025-25257, a critical vulnerability in Fortinet's FortiWeb web application firewall with a CVSS score of 9.8. The flaw stems from improper SQL query sanitization in the Fabric Connector's get_fabric_user_by_token() function, allowing attackers to inject malicious SQL commands through HTTP Authorization headers. Researchers demonstrated escalation from SQL injection to remote code execution by leveraging MySQL's SELECT INTO OUTFILE functionality to write malicious Python .pth files that execute automatically when legitimate FortiWeb CGI scripts run. The vulnerability affects FortiWeb versions prior to 7.6.4, 7.4.8, 7.2.11, and 7.0.11, with patches released last week by Fortinet. The public availability of working exploits significantly increases the risk of widespread exploitation.

Detection and Remediation Tips:

  • Immediately update FortiWeb to versions 7.6.4, 7.4.8, 7.2.11, or 7.0.11 and later

  • Monitor FortiWeb access logs for suspicious Authorization header patterns

  • Implement network segmentation to limit FortiWeb exposure to untrusted networks

  • Review and audit all Fabric Connector configurations and access controls

  • Establish monitoring for unauthorized file creation in Python site-packages directories

  • Consider temporarily disabling Fabric Connector if not essential for operations
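An added example, not FortiWeb's or the researchers' code, of the two defensive points above: a hardened token lookup that allow-lists the Bearer token and binds it as a query parameter (the function names, token alphabet and SQLite table are assumptions), and the same allow-list applied to constructed access-log lines to flag suspicious Authorization headers.

```python
import re
import sqlite3

# Allow-listed token shape (an assumption for this example, not FortiWeb's actual rule):
# opaque base64url-style characters with a bounded length. Quotes, spaces and SQL
# metacharacters can never pass, so the lookup rejects them before any query runs.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{16,128}$")

# Constructed access-log lines in a hypothetical format, not FortiWeb's real log schema.
SAMPLE_LOG = [
    'src=10.0.0.8 path=/api/fabric/status authorization="Bearer tok_0123456789abcdef"',
    'src=203.0.113.4 path=/api/fabric/status authorization="Bearer tok_abc\'--"',
    'src=203.0.113.4 path=/api/fabric/status authorization="Basic dXNlcjpwYXNz"',
]

def parse_bearer(header_value):
    """Return the token from 'Bearer <token>', or None if the header is malformed."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip()

def suspicious_authorization(header_value):
    """True when the header is not a Bearer token matching the allow-list."""
    token = parse_bearer(header_value)
    return token is None or TOKEN_RE.fullmatch(token) is None

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fabric_user (token TEXT PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO fabric_user VALUES ('tok_0123456789abcdef', 'fabric-admin')")
    return conn

def lookup_user_by_token(conn, header_value):
    """Hardened stand-in for a token lookup: validate first, then bind as a parameter."""
    if suspicious_authorization(header_value):
        return None
    row = conn.execute(
        "SELECT username FROM fabric_user WHERE token = ?", (parse_bearer(header_value),)
    ).fetchone()
    return row[0] if row else None

def scan_access_log(lines):
    """Return 1-based indexes of lines whose Authorization header fails the allow-list."""
    flagged = []
    for n, line in enumerate(lines, start=1):
        m = re.search(r'authorization="([^"]*)"', line, re.IGNORECASE)
        if m and suspicious_authorization(m.group(1)):
            flagged.append(n)
    return flagged
```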

5. McDonald's Job Platform Exposed 64 Million Applicant Records

Primary Threat: Security researchers discovered that McDonald's McHire chatbot platform exposed personal data from over 64 million job applications due to weak security controls.

Risk: HIGH

Cybersecurity researchers Ian Carroll and Sam Curry revealed that McDonald's McHire platform, powered by Paradox.ai and used by approximately 90% of franchisees, suffered from critical security flaws. The researchers discovered that the admin panel was protected by the laughably weak credentials "123456:123456" and contained an Insecure Direct Object Reference (IDOR) vulnerability. By manipulating lead_id parameters in API requests, they could access full chat transcripts, session tokens, and personal data from any job applicant. The exposed information included names, email addresses, phone numbers, home addresses, availability schedules, and personality test results. The vulnerability affected the entire job application process, demonstrating how poor security practices can expose massive amounts of personal data from individuals seeking employment.

Detection and Remediation Tips:

  • Audit all third-party platforms handling personal data for proper access controls

  • Implement strong authentication requirements for administrative interfaces

  • Deploy API security controls to prevent unauthorized data access

  • Review data minimization practices for job application processes

  • Establish regular security assessments for vendor-provided platforms

  • Monitor for potential misuse of exposed personal information
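The IDOR described above, as an added example that is not taken from McHire or Paradox.ai: a constructed lead store with the unchecked lookup beside an object-level authorization check keyed on the caller's session (the Principal and Lead types, the roles and the sample records are assumptions).

```python
from dataclasses import dataclass
from typing import Optional

class NotAuthorized(Exception):
    pass

@dataclass(frozen=True)
class Lead:
    lead_id: int
    applicant_id: str
    franchise_id: str
    transcript: str

@dataclass(frozen=True)
class Principal:
    subject: str                        # applicant id or staff user id
    role: str                           # "applicant" or "franchise_admin"
    franchise_id: Optional[str] = None  # only meaningful for franchise staff

# Constructed sample records standing in for a chatbot backend (not Paradox.ai's schema).
LEADS = {
    64000001: Lead(64000001, "applicant-a", "fr-100", "Asked about night shifts ..."),
    64000002: Lead(64000002, "applicant-b", "fr-200", "Available weekends only ..."),
}

def get_lead_idor(lead_id: int) -> Optional[Lead]:
    """The IDOR pattern: any caller who can reach the API can read any lead_id."""
    return LEADS.get(lead_id)

def get_lead(principal: Principal, lead_id: int) -> Lead:
    """Object-level check: the lead must belong to the caller or to the caller's franchise."""
    lead = LEADS.get(lead_id)
    allowed = lead is not None and (
        (principal.role == "applicant" and lead.applicant_id == principal.subject)
        or (principal.role == "franchise_admin" and lead.franchise_id == principal.franchise_id)
    )
    if not allowed:
        # One response for "missing" and "not yours": a sequential lead_id space must not
        # become enumerable by watching which ids answer 403 rather than 404.
        raise NotAuthorized("lead not found")
    return lead

def can_read(principal: Principal, lead_id: int) -> bool:
    try:
        get_lead(principal, lead_id)
        return True
    except NotAuthorized:
        return False
```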

6. Interlock Ransomware Deploys New PHP Variant via FileFix

Primary Threat: The Interlock ransomware group has evolved their tactics with a new PHP-based remote access trojan delivered through an innovative FileFix mechanism targeting multiple industries.

Risk: MEDIUM/HIGH

Security researchers from The DFIR Report and Proofpoint documented a new campaign by the Interlock ransomware group deploying a PHP variant of their NodeSnake RAT through compromised websites. The attack begins with single-line JavaScript injections in website HTML that redirect users to fake CAPTCHA verification pages. The new FileFix technique, an evolution of ClickFix, tricks victims into copying and executing commands through Windows File Explorer's address bar. Once installed, the PHP-based RAT conducts system reconnaissance, establishes persistence through registry modifications, and communicates with command-and-control servers hidden behind Cloudflare Tunnel subdomains. The campaign has been active since May 2025 and represents a significant evolution in the group's tactics, moving from Node.js to PHP while maintaining sophisticated infrastructure abuse capabilities.

Detection and Remediation Tips:

  • Implement web filtering to block known malicious domains and suspicious redirects

  • Deploy endpoint detection and response solutions to identify RAT installations

  • Monitor for unusual registry modifications and persistence mechanisms

  • Educate users about fake CAPTCHA and verification page tactics

  • Review network traffic for connections to Cloudflare Tunnel subdomains

  • Establish baseline monitoring for legitimate vs. suspicious PHP script execution

IN SUMMARY:

From CISA's unprecedented one-day patch deadline for Citrix devices to the massive data exposures affecting millions of airline passengers and job seekers, organizations face threats that span from sophisticated state-sponsored activities to basic security hygiene failures.

The arrests of Scattered Spider members provide hope for law enforcement action, but the group's continued operations against major retailers and airlines show that the threat remains active and evolving.

🚨 Key Takeaways:
✔️ CISA's one-day patch deadline for CitrixBleed 2 represents the fastest response in KEV catalog history
✔️ Active exploitation of critical vulnerabilities is occurring within 24 hours of technical disclosure
✔️ Scattered Spider continues targeting major organizations despite law enforcement pressure
✔️ Weak authentication practices still expose millions of personal records
✔️ Social engineering remains the primary attack vector for high-impact breaches
✔️ Third-party platforms represent significant supply chain security risks

🔎 Immediate Actions:
✔️ Patch Citrix NetScaler devices immediately and disconnect active sessions
✔️ Upgrade Wing FTP Server to version 7.4.4 or disable web portal access
✔️ Implement phishing-resistant MFA and strengthen help desk verification procedures
✔️ Audit third-party platforms for proper access controls and authentication
✔️ Review data minimization practices for customer and employee information
✔️ Establish monitoring for fake CAPTCHA pages and suspicious web redirects

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)