Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11795
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-08-06 09:25:56 | bleepingcomputer | VULNERABILITIES | Microsoft Awards $17 Million in Bug Bounties Over 12 Months | Microsoft paid $17 million to 344 security researchers across 59 countries for identifying vulnerabilities. The program received 1,469 eligible reports, addressing over 1,000 security issues in products like Azure, Microsoft 365, and Windows. The highest individual payout reached $200,000, reflecting the critical nature of some vulnerabilities. Microsoft expanded its bounty programs, including new AI categories and increased rewards for specific vulnerabilities. Updates include higher payouts for moderate-severity AI flaws and increased awards for certain .NET vulnerabilities. The company will offer up to $5 million in bounties at the Zero Day Quest hacking contest, promoting proactive security measures. These initiatives reinforce Microsoft's commitment to leveraging independent research for enhanced product security. | Details |
| 2025-08-06 08:59:32 | thehackernews | VULNERABILITIES | Trend Micro Addresses Critical Flaws in Apex One Systems | Trend Micro identified and mitigated critical vulnerabilities in its Apex One Management Console, impacting on-premise systems. The flaws, CVE-2025-54948 and CVE-2025-54987, allow remote code execution and command injection, each rated 9.4 on CVSS. Exploitation requires pre-authenticated access, potentially enabling attackers to upload malicious code. Trend Micro has released a temporary fix tool for on-premise systems, with a full patch expected by mid-August 2025. The fix tool disables the Remote Install Agent function but maintains other installation methods. Customers are advised to apply patches promptly and review remote access policies to secure critical systems. Trend Micro observed at least one exploitation attempt, though specific attack details remain undisclosed. | Details |
| 2025-08-06 07:31:50 | thehackernews | NATION STATE ACTIVITY | UAC-0099 Targets Ukrainian Defense with C# Malware Attacks | CERT-UA reports cyber attacks by UAC-0099 on Ukrainian government and defense sectors. Phishing emails with court summons lures are used to deliver C# malware. The attack chain involves HTA files leading to the deployment of MATCHBOIL, MATCHWOK, and DRAGSTARE malware. MATCHWOK executes PowerShell commands, while DRAGSTARE collects sensitive data and system information. Previous attacks exploited WinRAR vulnerabilities to distribute LONEPAGE malware. UAC-0099's activities align with espionage objectives, leveraging sophisticated techniques for persistence and data exfiltration. Continuous vigilance and enhanced email security measures are recommended to mitigate such threats. | Details |
| 2025-08-06 05:57:35 | thehackernews | MISCELLANEOUS | AI Revolutionizes Cybersecurity Adversarial Testing at Pentera | Pentera is pioneering the use of AI to transform adversarial testing, aiming to make security validation more intuitive and effective. The company envisions a future where AI-driven testing allows users to conduct security assessments using natural language, enhancing the ease and scope of testing. AI integration is set to redefine the lifecycle of penetration testing by automating attack plan execution and adapting to real-time defenses. Pentera's API-first approach enables granular control over testing processes, allowing AI to perform precise and context-aware security assessments. The platform is enhancing web attack surface testing with AI, improving the precision and adaptability of emulated attacker behavior. AI-powered reporting and support tools are being developed to provide tailored insights and faster issue resolution, improving overall user experience. Pentera's advancements aim to ensure organizations can secure AI-enabled systems and close security gaps effectively. | Details |
| 2025-08-06 04:53:52 | thehackernews | VULNERABILITIES | CISA Adds D-Link Router Flaws to Known Exploited List | CISA identified three D-Link router vulnerabilities as actively exploited, adding them to its Known Exploited Vulnerabilities catalog. The flaws, dating from 2020 and 2022, are being exploited, though specific exploitation methods remain undisclosed. CVE-2020-40799, affecting an end-of-life model, remains unpatched; users are advised to replace the DNR-322L model. D-Link released patches for the other two vulnerabilities in 2020, urging users to apply these updates promptly. Federal agencies must implement mitigation measures by August 26, 2025, to protect their networks. The situation emphasizes the importance of timely updates and replacing unsupported hardware to maintain security. | Details |
| 2025-08-05 23:38:03 | theregister | VULNERABILITIES | AI Tool Cursor's Vulnerability Exposes Code Execution Risks | Check Point researchers identified a remote code execution flaw in the AI coding tool Cursor, which could lead to unauthorized code execution. The vulnerability, named "MCPoison," allows attackers to modify previously approved configurations, executing malicious commands without user prompts. Cursor released a patch (version 1.3) on July 29, requiring user approval for any changes to MCP Server entries, mitigating the risk. The flaw reveals significant risks in the trust model of AI-assisted development environments, particularly in collaborative settings. MCP, an open-source protocol, facilitates AI systems' interactions but also expands the attack surface for potential exploits. The incident underscores the need for robust validation processes in AI tools to prevent persistent compromise in development environments. Check Point plans to disclose more vulnerabilities in AI platforms, emphasizing the importance of security in AI-driven workflows. | Details |
| 2025-08-05 22:21:30 | bleepingcomputer | DATA BREACH | Pandora Data Breach Linked to Salesforce Credential Theft Attacks | Pandora, a leading jewelry brand, confirmed a data breach affecting customer information through a third-party platform. The breach involved unauthorized access to names, birthdates, and email addresses; sensitive data like passwords and financial information were not compromised. The attack is part of a broader campaign targeting Salesforce databases via social engineering and phishing to steal credentials. Threat actors, identified as ShinyHunters, are extorting companies by threatening to leak stolen data if ransoms are not paid. Salesforce clarified that their platform remains secure, emphasizing the importance of customer adherence to security best practices. Companies are urged to implement multi-factor authentication and review account security to mitigate ongoing threats. Other affected organizations include Adidas, Qantas, and several luxury brands, with additional undisclosed companies potentially impacted. | Details |
| 2025-08-05 21:06:53 | bleepingcomputer | DATA BREACH | PBS Data Breach Exposes Employee Information on Discord | PBS experienced a data breach, exposing contact information of nearly 4,000 employees and affiliates. The breach involved data being shared on Discord, primarily among fans of "PBS Kids." Information leaked includes names, emails, job titles, departments, and supervisors' names. The data was stolen from MyPBS.org, an internal service for public television employees. PBS has initiated an investigation and informed affected individuals, with no other systems compromised. No malicious use of the data has been reported, but its circulation raises potential misuse concerns. The incident highlights the risk of data exposure even when initial intent is non-malicious. | Details |
| 2025-08-05 19:02:42 | bleepingcomputer | VULNERABILITIES | Adobe Releases Emergency Patches for Critical AEM Forms Flaws | Adobe issued urgent updates for two zero-day vulnerabilities in Adobe Experience Manager (AEM) Forms on JEE. The vulnerabilities, CVE-2025-54253 and CVE-2025-54254, enable unauthenticated remote code execution on affected systems. Researchers disclosed these flaws after Adobe delayed patches for over 90 days, prompting a public technical write-up. CVE-2025-49533, a Java deserialization flaw, was patched earlier, allowing remote code execution through malicious payloads. CVE-2025-54254 exploits a SOAP authentication service via crafted XML payloads to expose local files. CVE-2025-54253 involves an authentication bypass due to a misconfigured developer setting in the /adminui module. Administrators are urged to apply the latest updates immediately or restrict internet access to vulnerable platforms. | Details |
| 2025-08-05 18:32:53 | theregister | VULNERABILITIES | Critical Vulnerabilities Found in Broadcom Chips in Dell PCs | Cisco Talos identified five critical vulnerabilities in Broadcom BCM5820X chips affecting over 100 Dell PC models, including Latitude and Precision series. The flaws could allow attackers to take control of devices, steal passwords, and access sensitive biometric data. The vulnerabilities exist in ControlVault3, a secure enclave used for storing sensitive information. Dell has released updates to address these vulnerabilities and notified customers on June 13. No known active exploitation of these vulnerabilities has been reported. Talos advises disabling fingerprint login in high-risk environments and ensuring systems are updated with the latest firmware. The vulnerabilities will be discussed in detail at the Black Hat conference, including potential attack scenarios. | Details |
| 2025-08-05 17:07:36 | theregister | MALWARE | Study Reveals Human Role in Malware Detection and Missteps | Researchers from the Universities of Guelph and Waterloo examined how users identify malware before installation. Participants, including novice to expert users, were tested on their ability to distinguish between legitimate software and malware. Users correctly identified 88% of malware samples, including LockBit Black ransomware and Async RAT. Legitimate software, such as printer drivers, was often misidentified as malware, with accuracy dropping to 62%. A system monitoring tool improved detection accuracy to 94% by providing additional data like network connections and verified publisher details. The study identified common misconceptions, such as misinterpreting Windows shield icons as indicators of security. Researchers suggest enhancing system monitoring tools to aid non-technical users in recognizing unusual system behavior. The findings will be presented at the 34th USENIX Security Symposium, with a preprint available online. | Details |
| 2025-08-05 16:29:21 | thehackernews | MALWARE | ClickFix Malware Campaign Uses CAPTCHAs for Cross-Platform Infections | The ClickFix malware campaign exploits CAPTCHAs to deceive users into executing malicious commands. Initially detected in early 2024, it has rapidly replaced the previous ClearFake scam. The campaign employs phishing emails, drive-by downloads, and SEO poisoning to lure victims. Users are tricked into executing commands that deploy malware like stealers and remote access trojans. Techniques include using Google Scripts and legitimate-looking files to bypass detection. Both cybercriminals and nation-state actors have adopted this tactic in numerous campaigns. The campaign's success is attributed to evolving social engineering and technical evasion strategies. Organizations are advised to enhance awareness and strengthen defenses against such sophisticated threats. | Details |
| 2025-08-05 15:49:41 | theregister | VULNERABILITIES | Nvidia Triton Inference Server Vulnerabilities Allow Full System Compromise | Wiz Research uncovered a chain of high-severity vulnerabilities in Nvidia's Triton Inference Server, potentially leading to remote code execution. The vulnerabilities, found in the Python backend, could result in AI model theft, data breaches, and manipulation of AI responses. Three specific CVEs were identified: CVE-2025-23320, CVE-2025-23319, and CVE-2025-23334, with severity scores of 7.5, 8.1, and 5.9, respectively. Exploitation involves exceeding shared memory limits to reveal internal memory names, enabling attackers to manipulate the server. Nvidia has patched these vulnerabilities in version 25.07, released on August 4, urging users to update immediately. The incident underscores the importance of securing AI infrastructure and implementing defense-in-depth strategies. No evidence of exploitation in the wild was reported, but the vulnerabilities highlight potential risks in AI deployment environments. | Details |
| 2025-08-05 15:49:40 | bleepingcomputer | CYBERCRIME | Surge in Cyber Attacks During Summer 2025 Highlights Vulnerabilities | Summer 2025 saw a significant increase in cyber attacks across multiple sectors, including healthcare, retail, and insurance. Healthcare was heavily targeted by ransomware groups like Interlock and Rhysida, exploiting the urgency around patient data and deploying advanced techniques such as PowerShell loaders. Retail giants, including Louis Vuitton and Belk, suffered data breaches, with attackers leveraging social engineering and ransomware-as-a-service models. Nation-state actors also played a role, with geopolitical tensions driving attacks on critical infrastructure and financial institutions. Key vulnerabilities in Microsoft SharePoint were exploited in widespread espionage campaigns, emphasizing the need for timely patching and vulnerability management. The report underscores the importance of proactive security measures, including patch management, identity hardening, and regular security simulations. Organizations are urged to validate their defenses against the latest threat tactics using platforms like Picus Security for enhanced readiness. | Details |
| 2025-08-05 14:03:38 | thehackernews | MALWARE | Google Releases Updates for Exploited Android Vulnerabilities | Google has released security updates to patch multiple vulnerabilities in Android, including two exploited flaws in Qualcomm components. The addressed vulnerabilities are CVE-2025-21479 and CVE-2025-27038, both actively exploited and concerning the Graphics component. CVE-2025-21479 involves an incorrect authorization issue leading to memory corruption, and CVE-2025-27038 is a use-after-free vulnerability affecting Chrome's rendering process. These security flaws have been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog, necessitating urgent federal agency compliance by June 24, 2025. Past exploitation of similar Qualcomm chipset flaws has been linked to use by commercial spyware vendors, suggesting a potential misuse context for the newly patched vulnerabilities. Alongside the Qualcomm fixes, Google patched additional high-severity privilege escalation flaws and a critical remote code execution risk in the Android Framework and System components. Android users are strongly advised to update their devices with the latest patches to protect against these vulnerabilities and potential exploitation. | Details |