UK Arrests Four Over Retailer Cyberattacks; CitrixBleed2 and Four Older Flaws Added to KEV; Patch Tuesday: Microsoft and Adobe

The UK's National Crime Agency (NCA) has published a press release stating that four people have been arrested in connection with the April 2025 cyberattacks on Marks & Spencer (M&S), Co-op, and Harrods. On July 10, 2025, "two males aged 19, another aged 17, and a 20-year-old female were apprehended in the West Midlands and London ... on suspicion of Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group," and their devices were seized for analysis. Archie Norman, chairman of Marks & Spencer since 2017, stated in a July 8 hearing with the UK Parliament's Business and Trade Sub-Committee on Economic Security that the attack on M&S was initiated via social engineering, with an attacker impersonating an employee to request a password reset from a third-party support service. Norman also verified the presence of DragonForce ransomware, though according to Bleeping Computer, he and several media sources conflate the ransomware-as-a-service (RaaS) with an unrelated hacktivist group of the same name based in Malaysia. Norman did not state whether M&S paid a ransom, but he did disclose an early internal decision that "nobody at M&S would deal with the threat actors directly," possibly indicating the aid of a third-party negotiator.

This week the US Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities to their Known Exploited Vulnerabilities (KEV) catalog. On Thursday, July 10, 2025, CISA added CVE-2025-5777, an out-of-bounds read vulnerability in Citrix NetScaler ADC and Gateway. The flaw, which is known widely as Citrix Bleed 2, and has a mitigation due date of Friday, July 11, 2025. On Monday, July 7, CISA added four older vulnerabilities to KEV: a server-side request forgery (SSRF) issue in Synacor Zimbra Collaboration Suite (ZCS) (CVE-2019-9621); a path traversal vulnerability in Rails Ruby on Rails (CVE-2019-5418); a command injection vulnerability in PHPMailer (CVE-2016-10033); and a buffer overflow vulnerability in Multi-Router Looking Glass (MRLG) (CVE-2014-3931). The vulnerabilities, which all have mitigation due dates of July 28, were added to KEV "based on evidence of active exploitation."

On Tuesday, July 8, Microsoft and Adobe both released updates to address multiple vulnerabilities across their product lines. Microsoft released updates to address at least 130 security issues. Just one of the patched vulnerabilities, an information disclosure issue in Microsoft SQL Server (CVE-2025-49719), was previously disclosed, and does not appear to have been actively exploited. However, it affects all versions of SQL Server going back to SQL Server 2016. This month's batch of Microsoft updates includes fixes for more than 50 privilege elevation vulnerabilities, more than 40 remote code execution vulnerabilities, and nearly 20 information disclosure vulnerabilities. Adobe released updates to address nearly 60 vulnerabilities, including five critical flaws (three arbitrary file system read vulnerabilities, a privilege escalation vulnerability, and a security feature bypass issue) in ColdFusion and a critical deserialization of untrusted data issue in Adobe Experience Manager Forms.

SAP has released 31 security notes, 27 new and four updated, which address vulnerabilities in Supplier Relationship Management (SRM), NetWeaver, Business Objects, Business Warehouse, and other products. Ivanti has released updates to address a total of 11 vulnerabilities in Ivanti Connect Secure (ICS) and Policy Secure (IPS), Endpoint Manager Mobile (EPMM), and Endpoint Manager (EPM). Fortinet has released advisories to address a total of eight vulnerabilities affecting FortiAnalyzer, FortiIsolator, FortiManager, FortiOS, FortiProxy, FortiSandbox, FortiSASE, FortiVoice, and FortiWeb. Splunk has published a dozen advisories addressing vulnerabilities in third-party dependencies in Splunk SOAR, Enterprise, and DB Connect.

Cisco has released updates to address a critical vulnerability in the Engineering Special (ES) builds of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) that could be exploited to gain root privileges on vulnerable systems. The root accounts of both products have "default, static credentials that cannot be changed or deleted." The vulnerability, CVE-2025-20309, has a CVSS score of 10.0.

Researchers at Koi Security have discovered 18 malicious browser extensions – 10 for Chrome and 8 for Edge – that they posit are part of a campaign to add Man-in-the-Middle (MitM) surveillance and attack capabilities to extensions that had previously been legitimate and safe to use for years. These extensions perform their purported functionalities, and several have held "Verified" badges or have been "Featured" in Google and Microsoft online marketplaces, but all received subsequent automatic version updates that introduced the same type of malware. Infected extensions capture users' browser activity and exfiltrate it to a remote command-and-control (C2) server, and may redirect the browser to a malicious URL the C2 server returns. Koi estimates the total number of users affected at 2.3 million, and provides the extension IDs as indicators of compromise (IoCs), urging users to remove affected extensions; clear browser data; scan for malware; monitor accounts for suspicious activity; and continue to review extensions for similar malicious behavior. The researchers highlight the exploitation of "trust signals" such as "verification badges, install counts, featured placement, years of legitimate operation, and positive reviews" leveraging platform credibility to hide unsafe software.

Cloud-based Software-as-a-Service (SaaS) platform ServiceNow has issued a CVE (CVE-2025-3648) for a high-severity vulnerability affecting their Now Platform, two months after ServiceNow pushed out an update addressing the flaw, and 17 months after the Varonis Threat Labs researchers notified them about the issue. In a July 2025 security bulletin, ServiceNow describes the vulnerability: "Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them." ServiceNow has also added access control frameworks in their Xanadu and Yokohama releases.

Australia's Qantas Airlines has published updates and an FAQ in the wake of a June 30 cyberattack that breached a third-party customer service platform in one of the airline's call centers. Airline operations and safety have not been impacted. Qantas is notifying customers that personal data of 5.7 million individuals were accessed in varying combinations, possibly including name, email address, and frequent flyer number with account details, in conjunction with address, date of birth, phone number, gender, and/or meal preferences. No financial or passport details were stored on the affected system, and customer login credentials were not compromised. While "there is no evidence that any personal data stolen from Qantas has been released," Qantas is notifying affected customers over the age of 15 via email, and allowing customers with frequent flyer accounts to view potentially affected data types when logged in. The airline has set up a 24/7 support hotline providing "specialist identity protection advice and resources," and is implementing additional security to restrict system access and strengthen monitoring and detection. The Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police have been notified, and Qantas is working with the National Cyber Security Coordinator, the Australian Cyber Security Centre, and cybersecurity experts to investigate. While news sources initially reported a statement indicating contact with a threat actor, the updated post states, "Qantas has not been contacted by anyone claiming to have the data." The airline urges customers to verify the identity of callers and email senders, checking that any future Qantas emails originate from a domain ending in "qantas.com" or "qantas.com.au", and reporting any suspicious communications to the support line or to the National Anti-Scam Centre's Scamwatch service.

Major IT distributor Ingram Micro has filed form 8-K with the US Securities and Exchange Commission (SEC) and issued ongoing updates since its discovery of ransomware on certain internal systems on or before July 5, 2025. Upon identifying the ransomware, Ingram Micro proactively took certain systems offline and implemented mitigation measures, notified law enforcement, and began investigating alongside third-party cybersecurity experts. On July 7, subscription order service was restored globally, and phone and email order service were restored in western Europe, Brazil, India, and China. By July 8, phone and email ordering was restored in Austria, Canada, Singapore, the Nordics, and the US; the unauthorized access was also deemed fully contained, and the affected systems remediated. July 9 updates confirm full restoration of operations across all countries and regions. Palo Alto Networks (PAN) has confirmed that neither the GlobalProtect VPN platform nor any PAN products were the attacker's access route. The Register reports complaints from customers that Ingram Micro did not communicate directly about the incident and recovery, and that customer support phone lines and emails were unresponsive.

The International Criminal Court (ICC) experienced a "sophisticated and targeted" cyberattack in late June 2025. The ICC has not provided details beyond acknowledging that the incident "was swiftly discovered, confirmed and contained, through the Court’s alert and response mechanisms." This is the second cyberattack the ICC has reported since 2023, when the organization's systems were targeted by a cyberespionage group. The ICC is based in The Hague, Netherlands.