FlagThis - #vulnerability

Microsoft has issued its July 2025 Patch Tuesday updates, a crucial monthly release that addresses a significant number of vulnerabilities across its product lines. This release tackles a total of 130 CVEs, with 10 of them classified as critical. Notably, while no vulnerabilities were reported as actively exploited in the wild at the time of the release, one flaw in Microsoft SQL Server (CVE-2025-49719) has been publicly disclosed. This information disclosure vulnerability, rated as important with a CVSS score of 7.5, means that technical details are available, potentially increasing the risk of future exploitation. Organizations should prioritize patching this vulnerability, particularly as it affects SQL Server versions 2016 through 2022 and does not require authentication to exploit, potentially exposing sensitive data like credentials.

Among the critical vulnerabilities addressed, a particularly concerning one is a remote code execution (RCE) flaw in Windows SPNEGO Extended Negotiation (NEGOEX), designated CVE-2025-47981. This vulnerability carries a high CVSS score of 9.8 and is described as a heap-based buffer overflow, allowing an unauthenticated attacker to execute code remotely on a target system with low attack complexity and no user interaction. The nature of this flaw makes it a prime target for attackers seeking initial access or lateral movement within networks. Microsoft has also highlighted critical RCE vulnerabilities in Microsoft Office, with several rated as "more likely" to be exploited, including some that can be triggered via the preview pane without requiring a user to open a document, posing a significant risk to users' security.

The July Patch Tuesday also includes fixes for vulnerabilities in Microsoft SharePoint, with an RCE flaw that requires authenticated access but could allow an attacker to execute code on the server. Additionally, vulnerabilities impacting Windows Hyper-V and other system components have been addressed. With a total of 130 CVEs patched, including numerous critical flaws, it is imperative for all organizations to review and apply these updates promptly to protect their systems and data from potential exploitation. The proactive patching of these vulnerabilities is essential for maintaining a strong security posture against the ever-evolving threat landscape.


References :

• Tenable Blog: Microsoft’s July 2025 Patch Tuesday Addresses 128 CVEs (CVE-2025-49719)
• Cisco Talos Blog: Microsoft Patch Tuesday for July 2025 — Snort rules and prominent vulnerabilities
• isc.sans.edu: Microsoft Patch Tuesday, July 2025, (Tue, Jul 8th)
• cyberscoop.com: Microsoft Patch Tuesday addresses 130 vulnerabilities, none actively exploited
• krebsonsecurity.com: Microsoft Patch Tuesday, July 2025 Edition
• thecyberexpress.com: Microsoft Patch Tuesday July 2025: 130 Vulnerabilities Fixed, 17 High-Risk
• blog.talosintelligence.com: Microsoft Patch Tuesday for July 2025 — Snort rules and prominent vulnerabilities
• Arctic Wolf: Reports on Microsoft's July 2025 security update addressing 130 vulnerabilities.
• The Register - Security: Microsoft enjoys first Patch Tuesday of 2025 with no active exploits
• Action1: Patch Tuesday July 2025
• securityaffairs.com: Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day
• The Hacker News: Microsoft Patches 130 Vulnerabilities, Including Critical Flaws in SPNEGO and SQL Server
• arcticwolf.com: Microsoft Patch Tuesday: July 2025
• Arctic Wolf: Microsoft's July 2025 security update, addressing 130 newly disclosed vulnerabilities.
• arcticwolf.com: Microsoft Patch Tuesday: July 2025
• Sophos News: July Patch Tuesday offers 127 fixes
• SOC Prime Blog: CVE-2025-47981: Critical Heap-Based Buffer Overflow Vulnerability in Windows SPNEGO Extended Negotiation Leads to RCE
• socprime.com: CVE-2025-47981: Critical Heap-Based Buffer Overflow Vulnerability in Windows SPNEGO Extended Negotiation Leads to RCE
• Threats | CyberScoop: Microsoft Patch Tuesday addresses 130 vulnerabilities, none actively exploited

Classification:

• HashTags: #PatchTuesday #Vulnerability #Cybersecurity
• Company: Microsoft
• Target: Windows Users
• Product: Microsoft
• Feature: patch
• Malware: CVE-2025-49719, CVE-2025-47981, CVE-2025-49701, CVE-2025-49704, CVE-2025-49735
• Type: Vulnerability
• Severity: Critical

Citrix NetScaler ADC and Gateway systems are currently facing a critical security threat, identified as CVE-2025-5777, and widely nicknamed "CitrixBleed 2". This vulnerability, similar to the infamous CitrixBleed from 2023, allows unauthenticated attackers to exploit memory overread issues. This exploitation can lead to the disclosure of sensitive information, including session tokens and user credentials, enabling attackers to bypass multi-factor authentication and hijack active remote sessions. Security researchers have noted that exploitation of this flaw began as early as mid-June, with evidence pointing to its use in active hacking campaigns.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-5777 to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. This designation carries significant weight, and CISA has issued a stern warning, urging federal civilian agencies to apply necessary patches within 24 hours. The urgency stems from the understanding that vulnerabilities like this are frequent vectors for malicious cyber actors, posing a substantial risk to government and corporate networks. While Citrix initially released guidance and patches in June, concerns have been raised about the vendor's response in acknowledging the widespread exploitation of this critical flaw.

The exploitation of CitrixBleed 2, alongside other critical vulnerabilities like CVE-2025-5349 and CVE-2025-6543, presents a significant risk to organizations. CVE-2025-5777 specifically allows attackers to steal session tokens, effectively enabling them to impersonate authenticated users and bypass security measures like MFA. This is a direct echo of the impact of the original CitrixBleed vulnerability, which was widely abused by nation-state actors and ransomware groups. The ongoing exploitation means that a considerable portion of the Citrix NetScaler user base may still be vulnerable, underscoring the critical need for immediate patching and diligent security practices.


References :

• Wiz Blog | RSS feed: Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know
• labs.watchtowr.com: How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777) - watchTowr Labs
• socprime.com: CVE-2025-5777 Detection: A New Critical Vulnerability Dubbed “CitrixBleed 2†in NetScaler ADC Faces Exploitation Risk
• SOC Prime Blog: CVE-2025-5777 Detection: A New Critical Vulnerability Dubbed “CitrixBleed 2†in NetScaler ADC Faces Exploitation Risk
• Talkback Resources: CVE-2025-5777: CitrixBleed 2 Write-Up… Maybe?
• Resources-2: ​​CVE-2025-5777: Citrix Bleed 2 Memory Leak Vulnerability Explained
• Glenn ?: 🥜 & - Thanks to Horizon3, we pushed a tag out today for CitrixBleed 2 CVE-2025-5777 and are backfilling.
• community.emergingthreats.net: Citrix Netscaler ADC & Gateway Memory Leak CitrixBleed2 (CVE-2025-5777)
• doublepulsar.com: CitrixBleed 2 exploitation started mid-June — how to spot it
• horizon3.ai: CVE-2025-5777: CitrixBleed 2 Write-Up… Maybe?
• The Register - Security: CitrixBleed 2 exploits are on the loose as security researchers yell and wave their hands
• www.stormshield.com: Security alert Citrix NetScaler CVE-2025-5777: Stormshield Products Response
• Stormshield: Security alert Citrix NetScaler CVE-2025-5777
• techcrunch.com: CISA confirms hackers are actively exploiting critical Citrix Bleed 2 bug
• Blog: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks
• Zack Whittaker: CISA has given the federal government just one day to patch its NetScaler systems, after confirming Citrix Bleed 2 is being actively exploited in hacking campaigns.
• www.cybersecuritydive.com: Researchers, CISA confirm active exploitation of critical Citrix Netscaler flaw
• www.imperva.com: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks
• The Register - Security: Now everybody but Citrix agrees that CitrixBleed 2 is under exploit
• techcrunch.com: CISA warns hackers are actively exploiting critical ‘Citrix Bleed 2’ security flaw
• The Hacker News: CISA adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
• Help Net Security: CISA has added one new vulnerability to its Known Exploited Vulnerabilities catalog, based on evidence of active exploitation.
• securityaffairs.com: U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog
• Talkback Resources: CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch

Classification:

• HashTags: #CitrixBleed #NetScaler #Vulnerability
• Company: Citrix
• Target: Citrix NetScaler ADC and Gateway users
• Product: NetScaler ADC
• Feature: Memory Disclosure
• Malware: CitrixBleed 2
• Type: Vulnerability
• Severity: Disaster

Cybersecurity researchers have uncovered critical vulnerabilities in Kigen's eSIM technology, potentially impacting billions of Internet of Things (IoT) devices and mobile networks worldwide. Security Explorations, a research lab, demonstrated that they could compromise Kigen's eUICC cards, a component essential for eSIM functionality. The attack allowed researchers to extract private encryption keys and download arbitrary eSIM profiles from major mobile network operators. This breach raises significant concerns about identity theft and the potential interception of communications for a vast number of connected devices.

The exploitation of these flaws builds upon prior Java Card research from 2019, which highlighted fundamental weaknesses in virtual machine implementations. Researchers were able to bypass security measures on the eUICC chip, which is designed to securely store and manage mobile carrier profiles. By exploiting type confusion vulnerabilities, they gained unauthorized access to the chip's memory, enabling the extraction of critical cryptographic keys like the private ECC key for GSMA certificates. This effectively undermined the trust model that underpins the entire eSIM ecosystem, as the eSIM profiles themselves and the Java applications stored on the chip were found to lack proper isolation or protection.

While Kigen has acknowledged the issue and deployed mitigations, including hardening bytecodes and tightening test profile rules, concerns remain regarding the root cause of the vulnerability. The GSMA TS.48 Generic Test Profile, versions 6.0 and earlier, has been identified as a contributing factor, allowing for the installation of unverified or malicious applets. Although the latest version of the GSMA standard addresses this, the existence of these fundamental flaws in widely deployed eSIM technology highlights the ongoing challenges in securing the rapidly expanding IoT landscape and the potential for widespread compromise if not adequately addressed.


References :

• Cyber Security News: New eSIM Hack Let Attackers Clobe your eSIM Profile Clone
• securityaffairs.com: Experts uncover critical flaws in Kigen eSIM technology affecting billions
• The Hacker News: eSIM Vulnerability in Kigen's eUICC Cards Exposes Billions of IoT Devices to Malicious Attacks

Classification:

• HashTags: #eSIM #Vulnerability #IoTsecurity
• Company: Kigen
• Target: IoT Devices
• Attacker: Security Explorations
• Product: eSIM
• Feature: eSIM
• Malware: eUICC Exploit
• Type: Vulnerability
• Severity: Major