July 21, 2025 Cyber Threat Intelligence Briefing

Jul 21, 2025

This week’s briefing covers:

00:00 – Intro

01:00 [VULNERABILITY] SharePoint Critical Vulnerability “ToolShell” Exploited in the wild
Microsoft has published an advisory stating they are aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update. The vulnerability allows an unauthorized attacker to execute code over a network.

03:39 [VULNERABILITY] FortiWeb Critical SQL Injection Vulnerability
An improper neutralization of special elements used in an SQL command (SQL injection) vulnerability in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.

04:38 [VULNERABILITY] Critical Citrix NetScaler Vulnerability CVE-2025-5777 (CitrixBleed2) Under Mass Exploitation
Continuing Kroll's previous reporting on CVE-2025-5777, Kroll is now observing what appear to be mass exploitation attempts against, and scanning for, vulnerable devices.
The vulnerability allows an attacker to send a crafted request to the affected application and read memory from the response, which can contain session tokens. An attacker can then replay those session tokens to log in as an active user, so patching alone is not enough: active sessions should be terminated after the fix is applied.

06:00 [CAMPAIGN] JavaScript-embedded SVG files used in phishing campaign
It has been reported that SVG files (a common, XML-based vector image format that, unlike PNG or JPEG, can carry script) have been used in phishing emails to redirect victims to credential harvesting sites. The malicious files were seen either attached to the phishing email or linked from its body. Embedded inside the file was JavaScript that, when the file was opened in a browser, navigated the current window to the attacker's URL.
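The technique above is detectable at the mail gateway or in DFIR triage because the active content must sit in the file itself. The following Python check is an added example written for this briefing, not code from Kroll or from the reported campaign; it parses an SVG attachment and flags script elements, on* event-handler attributes, foreignObject elements and javascript:/data:text/html links. The two malicious SVGs and the benign one are constructed samples, and the redirect target example.invalid is a placeholder.

```python
"""Flag SVG attachments that carry active content (script elements,
event-handler attributes, foreignObject, javascript: links).
Added example for the briefing; the sample SVGs below are constructed."""
import re
import xml.etree.ElementTree as ET

# Attribute values that execute script or load HTML when the SVG is rendered.
ACTIVE_SCHEME_RE = re.compile(
    r"^\s*(?:javascript|vbscript)\s*:|^\s*data\s*:\s*text/html", re.IGNORECASE
)

# Constructed sample 1: the pattern described in the campaign, a <script>
# that moves the current window to a credential-harvesting page.
SCRIPT_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <script type="text/javascript"><![CDATA[
    window.location.href = "https://example.invalid/login";
  ]]></script>
</svg>"""

# Constructed sample 2: no <script> element, but an onload handler and a
# javascript: link achieve the same effect.
HANDLER_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="location='https://example.invalid/login'">
  <a xlink:href="javascript:location='https://example.invalid/login'">
    <text x="10" y="20">Open document</text>
  </a>
</svg>"""

# Constructed sample 3: an ordinary static image that must not be flagged.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="#c00"/>
</svg>"""


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(svg_text: str) -> list:
    """Return (reason, detail) findings; an empty list means no active content."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # Browsers render malformed SVG leniently, so a parse failure is not a
        # pass: fall back to a plain text sweep for the same indicators.
        if re.search(r"<\s*script\b", svg_text, re.IGNORECASE):
            findings.append(("script element (unparsed)", ""))
        if re.search(r"\son\w+\s*=", svg_text, re.IGNORECASE):
            findings.append(("event handler (unparsed)", ""))
        return findings

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            findings.append(("script element", (elem.text or "").strip()[:80]))
        if tag == "foreignobject":
            findings.append(("foreignObject element (can embed HTML)", ""))
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append((f"event handler {name}", value[:80]))
            if name in ("href", "src") and ACTIVE_SCHEME_RE.match(value):
                findings.append((f"{name} with active scheme on <{tag}>", value[:80]))
    return findings


def is_suspicious(svg_text: str) -> bool:
    """Gateway-style verdict: quarantine if any finding is present."""
    return bool(scan_svg(svg_text))


if __name__ == "__main__":
    for label, sample in (("script", SCRIPT_SVG), ("handler", HANDLER_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", scan_svg(sample) or "clean")
```

The check deliberately does not flag data: URLs in general, because legitimate SVGs routinely embed raster images as data:image/png in an image href; only data:text/html, which a browser will render as a page, is treated as active. A production filter would run this over every attachment and every SVG fetched from a link in the message body, since the campaign used both delivery paths.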

07:19 [VULNERABILITY] Wing FTP Server vulnerability exploited in wild
The vulnerability CVE-2025-47812 in Wing FTP Server is actively exploited in the wild and carries a CVSS score of 10 (Critical). According to research from Huntress, exploitation has been observed from as early as July 1, 2025, only a day after the vulnerability's public disclosure on June 30.

08:11 [VULNERABILITY] New RowHammer Attack Variant, GPUHammer, Degrades AI Models on NVIDIA GPUs
In an advisory released last week, NVIDIA is urging customers to enable system-level error-correcting code (ECC) memory protection as a defense against a variant of the RowHammer attack demonstrated against its graphics processing units (GPUs); the demonstrated bit flips corrupted model weights and degraded the accuracy of AI models running on the affected cards.

09:12 [CAMPAIGN] CL-STA-1020 Targeting Government Agencies in Southeast Asia
Unit 42 researchers have been closely monitoring a sophisticated cyber campaign known as CL-STA-1020, which has targeted government agencies in Southeast Asia, quietly gathering sensitive information related to tariffs and trade disputes.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats