Edward Kiledjian's Threat Intel

Cyber Threat Intelligence Report – Jul. 29, 2025

Incident: Microsoft SharePoint ToolShell zero-day chain exploited globally
Date of Incident (ET): Jul. 18-29, 2025
Date of Disclosure/Publication (ET): Jul. 28, 2025
Summary: Attackers chained CVE-2025-49704 and CVE-2025-49706 to achieve unauthenticated remote code execution on on-premises SharePoint servers in the finance, government and healthcare sectors worldwide.
Source: thehackernews.com/2025/07/c…
Additional Sources: www.microsoft.com/en-us/sec… unit42.paloaltonetworks.com/microsoft…

Incident: CVE-2025-54309 CrushFTP zero-day under active exploitation
Date of Incident (ET): Jul. 18-21, 2025
Date of Disclosure/Publication (ET): Jul. 21, 2025
Summary: A critical zero-day in CrushFTP allowed attackers to gain admin access via HTTPS in unpatched versions; about 1,000 servers in government and healthcare remain exposed.
Source: socradar.io/cve-2025-…
Additional Sources: www.esentire.com/security-… www.techradar.com/pro/secur…

Incident: CISA flags PaperCut NG/MF CSRF vulnerability under active exploitation
Date of Incident (ET): Not specified
Date of Disclosure/Publication (ET): Jul. 29, 2025
Summary: CISA added CVE-2023-2533 in PaperCut NG/MF to its Known Exploited Vulnerabilities Catalog after confirming remote code execution through exploited admin sessions.
Source: thehackernews.com/2025/07/c…
Additional Sources: www.cisa.gov/news-even… www.bleepingcomputer.com/news/secu…

Incident: SarangTrap mobile malware campaign steals data across Asia
Date of Incident (ET): Not specified
Date of Disclosure/Publication (ET): Jul. 29, 2025
Summary: Over 250 fake Android and iOS apps posed as dating and social platforms to steal user data in South Korea and other Asian countries.
Source: thehackernews.com/2025/07/c…

Incident: Toptal GitHub account breached for supply-chain attack
Date of Incident (ET): Jul. 20, 2025
Date of Disclosure/Publication (ET): Jul. 28, 2025
Summary: Threat actors used Toptal’s compromised GitHub account to publish ten malicious npm packages, downloaded 5,000 times, that exfiltrated GitHub CLI tokens.
Source: www.bleepingcomputer.com/news/secu…
Additional Sources: thehackernews.com/2025/07/h…

Incident: Scattered Spider hijacks VMware ESXi to deploy ransomware in U.S.
Date of Incident (ET): Jul. 28, 2025
Date of Disclosure/Publication (ET): Jul. 28, 2025
Summary: Scattered Spider used social engineering to seize VMware ESXi hypervisors at U.S. retail, airline and transport firms, deploying ransomware and stealing data.
Source: thehackernews.com/2025/07/s…

Incident: Akira ransomware causes U.K. transport firm collapse
Date of Incident (ET): Early Jul. 2025
Date of Disclosure/Publication (ET): Jul. 28, 2025
Summary: Akira actors accessed KNP via a guessed weak password, demanded five million pounds, and fully encrypted systems, forcing the 158-year-old firm to shut down.
Source: www.itpro.com/security/…

Incident: Allianz Life data breach via third-party CRM vendor
Date of Incident (ET): Jul. 16, 2025
Date of Disclosure/Publication (ET): Jul. 27, 2025
Summary: Social engineering on a third-party CRM exposed personal information of 1.4 million U.S. Allianz Life customers; internal systems unaffected.
Source: www.ft.com/content/a…

Incident: Cisco ISE zero-day flaws exploited for root access
Date of Incident (ET): Jul. 22, 2025
Date of Disclosure/Publication (ET): Jul. 28, 2025
Summary: CISA confirmed active exploitation of CVE-2025-20281 and CVE-2025-20337 in Cisco ISE, enabling remote root access; federal agencies must patch by Aug. 18.
Source: www.cisa.gov/news-even…

Incident: Tea app suffers second breach exposing messages and ID images
Date of Incident (ET): Jul. 25, 2025
Date of Disclosure/Publication (ET): Jul. 27-28, 2025
Summary: A misconfigured Firebase database exposed 72,000 images, including 13,000 IDs, and over 1.1 million messages from Tea app users; messaging was disabled.
Source: www.businessinsider.com/tea-anony…
Additional Sources: apnews.com/article/2… www.theverge.com/cyber-sec…