Daily Brief
Total articles found: 11809
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-07-11 15:45:15 | bleepingcomputer | CYBERCRIME | NVIDIA Advises Activation of ECC Against Rowhammer GPU Attacks | NVIDIA has issued guidance to enable System-Level Error-Correcting Code (ECC) to protect GDDR6 GPUs from Rowhammer attacks. Recent research demonstrated Rowhammer exploits on NVIDIA’s A6000 GPU, highlighting the exposure when System-Level ECC is not active. Rowhammer attacks repeatedly access memory rows to induce bit flips in neighbouring cells, compromising data integrity and potentially leading to data corruption or privilege escalation. ECC adds redundant bits to stored data so the system can correct single-bit errors and maintain data accuracy, which is particularly crucial in large-scale AI computations. NVIDIA specifically recommends enabling System-Level ECC on several GPU lines, including those deployed in data centers, workstations, and embedded or industrial environments. Newer GPUs such as the Blackwell and Hopper series already have on-die ECC built in and do not require manual activation. ECC status can be verified in two ways: out-of-band via the BMC and hardware interface software, or in-band with the nvidia-smi command-line utility. Real-world Rowhammer exploitation is complex and challenging because it requires specific conditions and control, but it remains a significant security concern in multi-tenant cloud environments. |
| 2025-07-11 15:09:21 | bleepingcomputer | MALWARE | Critical Security Flaw Discovered in Popular AI Coding Tools | A security vulnerability in OpenVSX could have allowed attackers to compromise over 10 million devices. OpenVSX, essential in the developer toolchain for AI coding assistants like Cursor and Windsurf, contained a critical zero-day flaw allowing full-system access. The flaw enabled unsophisticated attackers to control the marketplace by pushing malicious updates via the @open-vsx account. Security researcher Oren Yomtov of Koi Security discovered the issue and demonstrated its viability through lab-based simulations. Such an attack would enable widespread supply chain disruption, akin to infamous incidents like SolarWinds, affecting even browser-based tools like Gitpod or StackBlitz. The discovered vulnerability underscores the necessity of treating extensions as potential security threats, advocating for zero-trust policies and rigorous oversight in extension management. Yomtov and Koi Security collaborated with the Eclipse Foundation to mitigate the risk, leading to the deployment of a robust fix securing the marketplace. |
| 2025-07-11 14:51:47 | bleepingcomputer | CYBERCRIME | Urgent CISA Directive Orders Immediate Patch of CitrixBleed 2 Flaw | The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has reported active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway platforms. Federal agencies have been given just one day to apply critical patches to address this severe vulnerability, indicating the seriousness of the threat. CitrixBleed 2 is a critical memory safety issue allowing unauthenticated attackers access to restricted memory areas in affected NetScaler configurations. Citrix released updates on June 17, prior to third-party revelations about the potential for widespread exploitation. As proof-of-concept exploits became publicly available, hacker activity on forums increased, discussing and refining attack methods using the vulnerability. CISA's directive includes upgrading firmware to secure versions and disconnecting compromised sessions, with a review for suspicious activity. Despite Citrix's initial reports of no evidence of in-the-wild exploitation, recent activity and CISA's confirmation suggest that threat actors have successfully developed and deployed exploits. The situation underscores the ongoing risk of known vulnerabilities being weaponized, stressing the importance of timely patch management and security oversight. |
| 2025-07-11 14:43:19 | thehackernews | MALWARE | Fortinet Fixes Critical SQL Injection Vulnerability in FortiWeb | Fortinet has patched a critical SQL injection vulnerability in FortiWeb, identified as CVE-2025-25257, with a CVSS score of 9.6. The flaw allows unauthenticated attackers to execute arbitrary SQL commands through crafted HTTP or HTTPS requests. The vulnerability was discovered by Kentaro Kawane and affects versions of FortiWeb linked to its Fabric Connector component. The security gap stems from inadequate input sanitization within the function "get_fabric_user_by_token." Attackers could potentially manipulate SQL queries to export data to files within the system, escalating the attack’s severity. Temporary mitigation includes disabling the HTTP/HTTPS administrative interface until patches are fully applied. Rapid patch application is urged due to historical exploitation of similar vulnerabilities in Fortinet products. |
| 2025-07-11 12:13:18 | thehackernews | CYBERCRIME | Bluetooth Flaws Allow Hackers to Control Millions of Vehicles | Cybersecurity researchers discovered four security flaws in OpenSynergy's BlueSDK Bluetooth stack that could lead to remote code execution on millions of vehicles. The vulnerabilities, named PerfektBlue, affect multiple automakers including Mercedes-Benz, Volkswagen, and Skoda, with a fourth unnamed OEM also affected. PerfektBlue vulnerabilities involve critical memory corruption and logical issues that can be exploited to perform actions ranging from tracking GPS coordinates to gaining control of critical vehicle functions. The vulnerabilities allow hackers to exploit the infotainment system remotely, requiring only that the attacker be within Bluetooth range to pair with the system. Infotainment systems, though often considered isolated, can be used as a gateway to more critical functions due to poor isolation and lack of secure communication protocols. Following responsible disclosure in May 2024, manufacturers issued security patches in September 2024 to address these vulnerabilities. The findings demonstrate that automakers need to enhance the security of vehicle systems to prevent potential exploitation and improve customer safety. |
| 2025-07-11 11:06:08 | thehackernews | CYBERCRIME | Critical Wing FTP Server Flaw Actively Exploited by Cybercriminals | A security flaw in Wing FTP Server, CVE-2025-47812, allows for remote code execution and is currently being actively exploited. The vulnerability scores the maximum CVSS rating of 10.0 due to its ability to let attackers execute system commands with high privileges. The flaw stems from the server’s web interface mishandling null bytes, which lets attackers inject arbitrary Lua code into user session files. The issue, which impacts both user and admin interfaces, has been patched in the latest version 7.4.4 of the software. Following the public disclosure by RCE Security, cybercriminals exploited the vulnerability to conduct reconnaissance, download malicious files, and attempt system persistence. Evidence of exploitation was first spotted on July 1, 2025, a day after public disclosure, showing the immediate danger to unpatched systems. Over 8,000 Wing FTP servers are potentially at risk, with significant numbers located in major countries including the U.S., China, Germany, the U.K., and India. Users are urged to apply security updates promptly to mitigate the risk and safeguard their systems against potential breaches. |
| 2025-07-11 11:06:08 | thehackernews | DATA BREACH | Enterprises Face Increasing Data Security Risks in AI Era | The Zscaler ThreatLabz 2025 Data Risk Report highlights growing vulnerabilities in data security as enterprises adopt AI tools and cloud platforms. Insights from over 1.2 billion blocked transactions between February and December 2024 stress the urgency of improving data protection strategies. Key challenges identified include data leakage through generative AI and persistent risks from email, SaaS applications, and file-sharing services. The report underscores the necessity of a proactive, unified, AI-driven approach to protect sensitive enterprise data. Evolving technology environments are intensifying data security risks, necessitating a reevaluation of current security measures. Enterprises are encouraged to explore Zscaler’s Zero Trust Architecture and AI-enhanced security solutions to mitigate data threats effectively. |
| 2025-07-11 10:49:44 | thehackernews | NATION STATE ACTIVITY | Pay2Key Ransomware Linked to Iran Targets U.S. and Israel | The Iranian-backed ransomware-as-a-service (RaaS) Pay2Key has reintroduced itself with new capabilities and strategies, including an increased profit share for cybercriminals targeting the U.S. and Israel. Linked to the Fox Kitten APT group, Pay2Key now incorporates functionalities of the Mimic ransomware, enhancing its destructive potential. The scheme offers an 80% profit share to affiliates who conduct cyber-attacks aligning with Iranian interests, a rise from the previous 70%. Since February 2025, Pay2Key has claimed over 51 successful operations, generating more than $4 million in ransoms and $100,000 in affiliate profits. Pay2Key.I2P operates on the Invisible Internet Project (I2P), marking a significant development in RaaS infrastructure and anonymity. The latest updates include targeting Linux systems, introducing advanced evasion tactics, and removing traces to avoid forensic detection. U.S. cybersecurity agencies have issued warnings regarding potential retaliatory attacks by Iran, highlighting a surge in Iranian cyber activities against U.S. industrial and critical infrastructure sectors. Pay2Key represents a growing convergence of state-sponsored cyber warfare and sophisticated global cybercrime threats, necessitating heightened security vigilance from Western organizations. |
| 2025-07-11 10:39:25 | theregister | MISCELLANEOUS | UK Online Safety Act Called Inadequate Against Misinformation | The Online Safety Act, enacted in October 2023, is criticized for failing to adequately address the spread of online misinformation and harmful content that is legal. During the summer of 2024, riots fueled by misinformation related to a fatal incident in Southport highlighted the act's shortcomings. MPs warn that social media platforms' algorithms amplify misleading content, which contributed to the unrest and misinformation during the crisis. The Science, Innovation and Technology Committee recommends that the government hold social media companies accountable for content curation and amplification. Recommendations include introducing regulations that cover the dissemination of "legal but harmful" content and ensuring accountability for algorithmic recommendations. The report revealed that false claims regarding the Southport incident reached a wide audience very quickly, partly due to social media algorithms promoting trending topics. The committee calls for a stronger regulatory framework based on principles such as protecting free expression while holding platforms accountable for their roles in content distribution. |
| 2025-07-11 09:54:48 | bleepingcomputer | CYBERCRIME | Arrests Made in UK Following Cyberattacks on Major Retailers | The UK's National Crime Agency (NCA) arrested four individuals linked to cyberattacks on Marks & Spencer, Co-op, and Harrods. The suspects are two 19-year-old males, a 17-year-old male, and a 20-year-old female from London and the West Midlands. Charges include Computer Misuse Act offenses, blackmail, money laundering, and involvement in organized crime. The cyberattacks, attributed to the group Scattered Spider, led to considerable financial losses, notably a £300M impact on M&S's profits. Marks & Spencer was forced to pause online orders and reset all customer passwords due to compromised customer data. Electronic devices were seized during the arrests to find evidence and possible connections with other conspirators. The arrests may temporarily disrupt the activities of Scattered Spider, as remaining members may go into hiding. Investigations continue with international cooperation to identify and bring all involved parties to justice. |
| 2025-07-11 07:37:17 | theregister | DATA BREACH | Insecure Website Exposes Company Data and Employee Credentials | A cybersecurity firm specializing in email and web security used iPads as an incentive for a customer satisfaction survey; the iPads were later stolen from their secure storage. The theft led to the discovery that an ex-convict, hired as Head of Legal, had accessed and stolen the iPads, resulting in his termination. Post-incident, the company implemented mandatory background checks, requiring employees to upload sensitive documents to a newly created website. The website, developed by a used car salesman friend of the HR manager, was insecure, exposing employee data due to weak, easily guessable passwords embedded in the site’s code. An IT employee, "Boris," discovered the security flaws, but his attempts to report the issue resulted in an aggressive confrontation with HR. The company demanded the website be fixed only after the issue was demonstrated to senior management, without addressing the broader security and ethical implications. Disappointed by the handling of the situation and the lack of accountability, Boris chose to leave the company for a new job. |
| 2025-07-11 06:35:14 | theregister | CYBERCRIME | Russian Pro Basketball Player Arrested on Ransomware Charges in France | Daniil Kasatkin, a 26-year-old Russian professional basketball player, was arrested in France on charges related to ransomware negotiations. Kasatkin was detained at Charles de Gaulle Airport and is facing extradition to the US for "conspiracy to commit computer fraud." He is accused of being part of a ransomware gang that targeted approximately 900 entities, including US federal agencies, from 2020 to 2022. Kasatkin's legal team asserts his innocence, claiming he lacks computer skills and was possibly framed with a hacked or planted computer. The Russian embassy has voiced concerns over the French authorities denying them access to Kasatkin. His arrest could potentially damage his professional basketball career; he has already left his team, MBA Moscow, following the arrest. The US Department of Justice has yet to release statements or evidence substantiating the charges, and the French authorities are reportedly slow in assessing the evidence. |
| 2025-07-11 05:50:53 | theregister | NATION STATE ACTIVITY | Tencent Accused of Using Legal Tactics to Silence Critic | GreatFire.org, an anti-censorship group, accuses Tencent and Group-IB of trying to shut down its website FreeWeChat.com. FreeWeChat.com archives content believed to be censored from the popular messaging app WeChat, widely used in China. Tencent, through its legal representative Group-IB, allegedly lodged legal complaints citing trademark infringement, cybersquatting, and unfair competition. GreatFire refuted these claims on factual and legal grounds, but its hosting provider still complied with the takedown request. According to GreatFire, Group-IB's action serves Tencent's political interests under the guise of intellectual property rights protection. GreatFire continues to seek alternative hosting solutions and remains determined to keep the site live despite these challenges. Martin Johnson, co-founder of GreatFire, criticized the move as an attempt to censor their work through legal means rather than direct technological attacks. |
| 2025-07-11 04:33:47 | thehackernews | CYBERCRIME | CISA Catalogs Citrix NetScaler Flaw Due to Ongoing Exploits | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-5777, a critical security vulnerability in Citrix NetScaler ADC and Gateway, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, dubbed "Citrix Bleed 2" due to its similarities with the prior Citrix Bleed flaw, allows attackers to bypass authentication due to insufficient input validation. Real-world attacks on this vulnerability reportedly started around mid-June, exploiting devices configured as VPNs, proxies, or AAA virtual servers, which are central points of access to networked environments. Data indicates the attacks originate from malicious IP addresses in multiple countries and hit targets worldwide, including in the United States and European countries. While Citrix has yet to confirm these exploitations, independent security researchers and vendors have documented evidence of the attacks, including links to RansomHub ransomware. CISA advises immediate upgrading to patched versions of the software and recommends forcibly terminating sessions authenticated via compromised setups. Network administrators are urged to monitor logs for suspicious requests and unusual XML data, because the vulnerability allows access to sensitive tokens and data without leaving traditional malware traces. The threat is exacerbated in hybrid IT environments, where compromised credentials can lead to broader network access and data breaches. |
| 2025-07-11 00:02:21 | theregister | NATION STATE ACTIVITY | Retired US Colonel Leaks Military Secrets to Online Date | David Franklin Slater, a retired US Army lieutenant colonel and civilian employee of the US Air Force, has pleaded guilty to conspiring to transmit confidential national defense information. Slater shared classified information about the Russia-Ukraine war with a woman he met on a dating app who was identified as a foreigner and referred to as "co-conspirator 1" in court documents. The information disclosed included sensitive details about military targets and Russian military capabilities during the ongoing conflict. The communication between Slater and the woman occurred over email and an online messaging platform from February to April 2022, coinciding with the intensification of the Russia-Ukraine conflict. Despite signing a non-disclosure agreement that emphasized the severe consequences of negligent handling of sensitive compartmented information (SCI), Slater divulged such information to his online contact. Legal consequences for Slater could include up to 10 years in prison, three years of supervised release, and a fine of up to $250,000. The U.S. Attorney emphasized the gravity of Slater’s breach of duty in protecting national defense information, especially given his extensive military experience. |