End-of-Day report
Timeframe: Monday 21-07-2025 18:00 - Tuesday 22-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
News
Ring denies breach after users report suspicious logins
Ring is warning that a backend update bug is responsible for customers seeing a surge in unauthorized devices logged into their account on May 28th.
https://www.bleepingcomputer.com/news/security/ring-denies-breach-after-users-report-suspicious-logins/
Cisco: Maximum-severity ISE RCE flaws now exploited in attacks
Cisco is warning that three recently patched critical remote code execution vulnerabilities in Cisco Identity Services Engine (ISE) are now being actively exploited in attacks.
https://www.bleepingcomputer.com/news/security/cisco-maximum-severity-ise-rce-flaws-now-exploited-in-attacks/
Iran-Linked DCHSpy Android Malware Masquerades as VPN Apps to Spy on Dissidents
Cybersecurity researchers have unearthed new Android spyware artifacts that are likely affiliated with the Iranian Ministry of Intelligence and Security (MOIS) and have been distributed to targets by masquerading as VPN apps and Starlink, a satellite internet connection service offered by SpaceX.
https://thehackernews.com/2025/07/iran-linked-dchspy-android-malware.html
Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access
The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research. The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe.
https://thehackernews.com/2025/07/hackers-exploit-sharepoint-zero-day.html
Disrupting active exploitation of on-premises SharePoint vulnerabilities
As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities to target internet-facing SharePoint servers.
https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
Back to Business: Lumma Stealer Returns with Stealthier Methods
Lumma Stealer has re-emerged shortly after its takedown. This time, the cybergroup behind this malware appears to be intent on employing more covert tactics while steadily expanding its reach. This article shares the latest methods used to propagate this threat.
https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html
Vulnerabilities
Security Updates for Firefox
Mozilla has released security updates for Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1 and Firefox for iOS 141.
https://www.mozilla.org/en-US/security/advisories/
ExpressVPN bug leaked user IPs in Remote Desktop sessions
ExpressVPN has fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, exposing the users' real IP addresses.
https://www.bleepingcomputer.com/news/security/expressvpn-bug-leaked-user-ips-in-remote-desktop-sessions/
HPE Aruba Instant On Access Points: update closes vulnerabilities, one of them critical
HPE Aruba Networking has published a security advisory for its "Instant On" access points. In it the company warns of two vulnerabilities, one of which has been rated critical.
https://www.heise.de/news/HPE-Aruba-Instant-On-Access-Points-Update-schliesst-teils-kritische-Luecken-10495627.html
Sophos Firewall: hotfixes eliminate remote attack risk
Fresh hotfixes for the Sophos Firewall close a total of five security vulnerabilities, two of which were rated "critical", two high and one medium severity. Under certain conditions they could be abused for remote code execution, in two cases without prior authentication.
https://www.heise.de/news/Sophos-Firewall-Hotfixes-beseitigen-Remote-Angriffsgefahr-10496271.html
Security updates for Tuesday
Security updates have been issued by AlmaLinux (tomcat9), Debian (djvulibre, libcommons-fileupload-java, libowasp-esapi-java, and tomcat9), Fedora (cef, dpkg, mingw-gdk-pixbuf, and mingw-python3), Gentoo (Roundcube), Oracle (avahi, cloud-init, fence-agents, git, kernel, and valkey), Red Hat (wireshark), SUSE (afterburn, apache2, busybox, java-21-openjdk, kernel, kernel-livepatch-MICRO-6-0-RT_Update_10, lemon, libexslt0, libgcrypt, libxml2-2, php8, postgresql17, python, python-oslo.utils, python311, python312, python313, and sudo), and Ubuntu (drupal7, erlang, fdkaac, gobgp, jq, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux-kvm, linux-oracle, and ruby-nokogiri).
https://lwn.net/Articles/1030930/
Synology-SA-25:08 BeeDrive for desktop
Synology has released a security update for the BeeDrive desktop tool on Windows to address multiple vulnerabilities. Please refer to the Affected Products table for the corresponding updates.
https://www.synology.com/en-global/support/security/Synology_SA_25_08
Vulnerability Summary for the Week of July 14, 2025
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
https://www.cisa.gov/news-events/bulletins/sb25-202
Vulnerability in Kubernetes: CVE-2025-7342, CVSS Rating High 8.1
A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process. Additionally, virtual machine images built using the Nutanix or the OVA provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access.
https://github.com/kubernetes/kubernetes/issues/133115
VDE: MB connect line, Multiple vulnerabilities in mbNET.mini
https://certvde.com/en/advisories/VDE-2025-058/
VDE: Helmholz, Multiple vulnerabilities in REX 100
https://certvde.com/en/advisories/VDE-2025-059/
TYPO3-EXT-SA-2025-010: Insecure Direct Object Reference in extension "femanager" (femanager)
https://typo3.org/security/advisory/typo3-ext-sa-2025-010
TYPO3-EXT-SA-2025-009: Insecure Direct Object Reference in extension "powermail" (powermail)
https://typo3.org/security/advisory/typo3-ext-sa-2025-009
F5: K000152658, Golang vulnerability CVE-2024-45341
https://my.f5.com/manage/s/article/K000152658