This Month in Security: July 2025

July 31, 2025 - Jordan Darrah

This month’s threat landscape was defined by emergency patching and incident response as threat actors rapidly exploited critical zero-day vulnerabilities in Microsoft SharePoint. A significant ransomware attack against a major IT distributor highlighted the persistent risk in the supply chain, while the U.S. Government laid out a new strategic plan for securing AI.

Critical Zero-Day Exploits

July was a chaotic month for defenders as threat actors pounced on newly disclosed and patched enterprise platform vulnerabilities, leading to widespread compromises. 

  • SharePoint Under Siege (CVE-2025-53770): A critical, unauthenticated remote code execution (RCE) zero-day vulnerability in on-premise Microsoft SharePoint servers became the month's biggest story. Tracked as CVE-2025-53770 (CVSS 9.8), the flaw allowed attackers to execute code, steal cryptographic keys for persistent access, and deploy webshells. The vulnerability, a patch bypass for a previously disclosed issue (CVE-2025-49704), was actively exploited before a patch was available. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and issued an emergency directive. Microsoft has also published a guidance document for those affected or at risk (Microsoft).
  • "Citrix Bleed 2": CISA and security researchers warned of the active exploitation of a critical flaw in Citrix NetScaler Application Delivery Controllers (ADC), dubbed "Citrix Bleed 2" for its similarity to a previous flaw in the application. The vulnerability allows attackers to bypass authentication, including MFA, by leveraging a memory leak to capture session tokens. Evidence suggests the flaw has been actively exploited since at least June 2025 (SWK Technologies).

Notable Threats and Incidents

Ransomware continued to cause major disruptions, with a significant attack on the IT supply chain and a new strain targeting critical infrastructure.

  • Ingram Micro Hit by SafePay Ransomware: Global IT solutions distributor Ingram Micro suffered a significant ransomware attack between July 3 and July 9. The SafePay ransomware group claimed responsibility, forcing the company to shut down multiple systems and disrupting operations. The attack reportedly began with a password spraying attack against Ingram's VPN platform, allowing the actors to gain access and exfiltrate data before deploying ransomware (SWK Technologies).
  • Interlock Ransomware Targets Healthcare: A joint advisory from CISA, the FBI, and other agencies warned of a spike in attacks using Interlock ransomware. The campaign was observed targeting organizations in North America and Europe, with a particular focus on the healthcare sector and other critical infrastructure industries (CISA).
  • Dell Data Leaked by Extortion Group: The World Leaks extortion group published 1.3 terabytes of data allegedly stolen from Dell Technologies. The leaked files reportedly originated from Dell's Customer Solution Centers and included employee data, software tools, and infrastructure scripts (Bright Defense).
  • UK Intelligence Data Exposed in Afghan Breach: It was revealed in July that a 2022 data breach of a contractor for the UK's Foreign Office exposed a spreadsheet containing the personal details of British intelligence officers, SAS soldiers, and diplomats. The breach was kept secret under a super-injunction that was partially lifted this month (Bright Defense).
  • Gamers in Middle East Targeted by Infostealers: A malware campaign targeted online gamers in the Middle East with fake beta versions of indie games. The downloads were bundled with infostealer malware like Leet Stealer and RMC Stealer, designed to steal login credentials, payment data, and cryptocurrency wallets (Intelligent CIO).
  • Growing Concerns Over AI Platform Security: Alongside the White House's focus on AI security, industry experts highlighted specific risks in widely used platforms. 
    • A security overview of Amazon Bedrock emphasized the critical importance of properly managing API keys. Mishandling keys could lead to unauthorized access to foundational models, potential data inference, and significant financial costs (Adan Alvarez on Medium).
    • A case study demonstrated the double-edged risk of AI in the software development lifecycle. An AI coding assistant introduced a subtle but critical Insecure Direct Object Reference (IDOR) vulnerability into a Python application. Other AI-powered security scanning tools failed to detect this bug, which was only found through deeper contextual analysis by a human. This highlighted the potential for AI to both create and miss novel security flaws, underscoring the limits of over-reliance on current AI tooling (DryRun Security).
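
To illustrate the IDOR class mentioned in the last item, here is an added example (not the code from the DryRun Security case study) showing why the flaw is easy to miss and how to test for it. The invoice data, handler names and `cross_tenant_leaks` check are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed records for the example: invoice id -> owner and amount.
INVOICES = {101: {"owner": "alice", "total": 1200},
            102: {"owner": "bob", "total": 75}}

class Forbidden(Exception): pass
class NotFound(Exception): pass

@dataclass
class Request:
    user: Optional[str]  # identity set by the session layer, None if anonymous
    invoice_id: int      # client-controlled path or query parameter

def get_invoice_vulnerable(req):
    # Looks safe to a pattern-based scanner: there is an auth check and no
    # injection sink. The missing step is authorization on the object itself.
    if req.user is None:
        raise Forbidden("login required")
    invoice = INVOICES.get(req.invoice_id)
    if invoice is None:
        raise NotFound(req.invoice_id)
    return invoice

def get_invoice_fixed(req):
    if req.user is None:
        raise Forbidden("login required")
    invoice = INVOICES.get(req.invoice_id)
    # Ownership check; same error for "missing" and "not yours" so that
    # responses do not reveal which ids exist.
    if invoice is None or invoice["owner"] != req.user:
        raise NotFound(req.invoice_id)
    return invoice

def cross_tenant_leaks(handler):
    """Request every record as every non-owner; return the (user, id) pairs served."""
    users = sorted({inv["owner"] for inv in INVOICES.values()})
    leaks = []
    for invoice_id, inv in sorted(INVOICES.items()):
        for user in users:
            if user == inv["owner"]:
                continue
            try:
                handler(Request(user, invoice_id))
                leaks.append((user, invoice_id))
            except (Forbidden, NotFound):
                pass
    return leaks
```

A check like `cross_tenant_leaks` belongs in the regression suite of any endpoint that takes an object id, since the bug is a missing line rather than a recognizable bad pattern.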

Policy and Framework Updates

The White House took significant steps to address the security of artificial intelligence, while regulators continued to focus on critical infrastructure and incident response.

  • White House Launches AI Action Plan: On July 23, the White House released a comprehensive AI Action Plan and accompanying Executive Orders. The plan focuses on promoting secure-by-design AI, bolstering critical infrastructure cybersecurity against AI-specific threats (like data poisoning), establishing an AI-ISAC led by DHS, and promoting a mature federal capacity for AI incident response (Wiley Rein LLP).
  • CISA's #StopRansomware Initiative: The joint advisory on Interlock ransomware is part of CISA's ongoing #StopRansomware effort, which provides guidance and resources to network defenders to combat various ransomware strains (CISA).

July Patches and Vulnerabilities

July's Patch Tuesday was substantial, addressing numerous critical flaws alongside the out-of-band SharePoint emergency and new vulnerabilities in the AI ecosystem.

  • Microsoft's July Patch Tuesday: On July 8, Microsoft released patches for 132 new vulnerabilities. This included 14 rated Critical. A publicly disclosed but not-yet-exploited zero-day information disclosure flaw in Microsoft SQL Server (CVE-2025-49719) was addressed. The most severe vulnerability was a critical RCE in the Windows SPNEGO NEGOEX security mechanism (CVE-2025-47981), with a CVSS score of 9.8.
  • NVIDIA AI Enterprise Vulnerability (NVIDIAScape): Security researchers disclosed a high-severity vulnerability, dubbed "NVIDIAScape" (CVE-2025-23266), in the NVIDIA AI Enterprise software suite. The flaw could allow an attacker with low privileges on a guest virtual machine to escalate privileges and gain code execution on the host, potentially leading to a full takeover of the enterprise AI infrastructure (Wiz.io Blog).
  • CISA KEV Catalog Additions: CISA was active in updating its KEV catalog, adding four new exploited vulnerabilities on July 22 alone. These included flaws in CrushFTP (CVE-2025-54309), Google Chromium (CVE-2025-6558), and two in SysAid On-Prem (CVE-2025-2776, CVE-2025-2775).

Key Takeaways for Staying Secure

  • Assume SharePoint Compromise: If you run an on-premise SharePoint server, you must assume it has been compromised. Follow Microsoft's and CISA's guidance to patch immediately and hunt for signs of exploitation, such as webshells or forged authentication tokens.
  • Patch Critical Flaws Immediately: The vulnerabilities in Citrix NetScaler, the Windows SPNEGO NEGOEX protocol, and NVIDIA's AI Enterprise suite are critical and require immediate attention to prevent network compromise.
  • Strengthen Supply Chain and Vendor Security: The Ingram Micro attack is a stark reminder that a compromise at a key supplier can have massive downstream effects. Review and enforce security requirements for all third-party vendors and partners.
  • Enhance Ransomware Defenses: Implement network segmentation to limit lateral movement, ensure you have immutable and offline backups, and train users to spot social engineering and phishing attempts used by groups like Interlock.
  • Secure Identity and Authentication: With password spraying attacks remaining effective, enforce strong, unique passwords and phishing-resistant MFA across all services, especially VPNs and other remote access solutions.
  • Stay Informed on AI Security: As AI becomes more integrated into business processes, familiarize yourself with emerging threats and security best practices outlined in new government guidance like the White House AI Action Plan. Securely manage API keys and patch vulnerabilities in AI infrastructure promptly.
  • Adopt Contextual Security Analysis: Move beyond simply identifying vulnerabilities. The industry is emphasizing the need for evaluation methodologies that provide deep, contextual analysis to understand which vulnerabilities pose a genuine, reachable threat to your specific environment, allowing for more effective prioritization and remediation (DryRun Security Blog).
  • Reach Out: When needed, reach out to a trusted provider to review your security posture, like Cloud Security Partners.
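
For the identity takeaway above, the following added example (not from the original post or any vendor) shows detection logic for password spraying against a VPN: one source failing against many accounts with only a few tries each, which per-account lockout thresholds do not catch. The log format, sample lines and threshold values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN auth log (timestamp, source IP, username, result); not real data.
SAMPLE_LOG = """\
2025-07-03T02:00:05 203.0.113.7 alice FAIL
2025-07-03T02:01:10 203.0.113.7 bob FAIL
2025-07-03T02:02:15 203.0.113.7 carol FAIL
2025-07-03T02:03:20 203.0.113.7 dave FAIL
2025-07-03T02:04:25 203.0.113.7 erin FAIL
2025-07-03T02:05:30 203.0.113.7 frank OK
2025-07-03T08:15:00 198.51.100.20 carol FAIL
2025-07-03T08:15:20 198.51.100.20 carol FAIL
2025-07-03T08:15:45 198.51.100.20 carol OK
2025-07-03T09:00:00 192.0.2.50 admin FAIL
2025-07-03T09:00:02 192.0.2.50 admin FAIL
2025-07-03T09:00:04 192.0.2.50 admin FAIL
"""

def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag sources that fail against >= min_users accounts, <= max_per_user tries each."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, first in enumerate(fails):
            per_user = defaultdict(int)
            for ts, _, user, _ in fails[i:]:
                if ts - first[0] > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Any later success from the same source is a likely compromised account.
                hits = sorted({e[2] for e in evs if e[3] == "OK" and e[0] >= first[0]})
                findings[src] = {"targeted": len(per_user), "succeeded": hits}
                break
    return findings
```

On the sample log only the first source is flagged; the user who mistyped a password and the single-account guessing run are left to ordinary lockout rules.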
