Actively Exploited Flaws to Patch Now: CitrixBleed 2 Memory Safety, Wing FTP Server RCE; Former Employee Steals & Shares Semiconductor IP, Lands 3-Year Prison Sentence

In case you missed it last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added the CitrixBleed 2 vulnerability (CVE-2025-5777) to the Known Exploited Vulnerabilities (KEV) catalog on Thursday, July 10, with a mitigation due date for Federal Civilian Executive Branch (FCEB) agencies of July 11. This appears to be the first time CISA has set a one-day window for addressing a vulnerability added to KEV. Citrix disclosed and issued a fix for the critical memory safety vulnerability in mid-June. CISA describes the flaw: "Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server."

Threat actors are exploiting a critical (CVSS 10.0) remote code execution vulnerability in Wing FTP Server (CVE-2025-47812). The vulnerability was detected by researchers at RCE Security who reported the issue to the developer; the vulnerability was patched in Wing FTP Server version 7.4.4, which was released in mid-May. RCE Security published their write-up of the vulnerability on June 30. Within one day of the disclosure, researchers at Huntress observed the flaw being actively exploited. The vulnerability was added to the US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog on July 14 with a mitigation due date of August 4, 2025.

A court in Rotterdam, Netherlands has sentenced an unnamed individual to three years in prison for stealing chip manufacturing technology from two employers and sharing the information with people in Russia. The individual "accessed his employer's network to retrieve files he did not need for his work," which constitutes computer hacking; he also violated EU sanctions against sharing sensitive information with Russia that have been in place since 2014. The data were taken from ASML and NXP, which are both part of the semiconductor industry.

A supply chain attack appears to have compromised two versions of the Gravity Forms WordPress plugin, a forms builder which has more than million active installations. The malware-infected versions of the plugin collect a host of "site metadata, including URL, admin path, theme, plugins, and PHP/WordPress version," and exfiltrate that information to external systems. According to Gravity Forms developer RocketGenius, "If installed, the malicious code modifications will block attempts to update the package and attempt to reach an external server to download additional payload. If it succeeds in executing this payload, it will then attempt to add an administrative account." The issue affects Gravity Forms version 2.9.11.1 manually downloaded on July 9 or 10; Gravity Forms 2.9.12 manually downloaded on July 10; and composer installs of version2.9.11.1 on July 9 or 10. Auto-updated versions were not compromised. In their write-up, RocketGenius has provided indicators of compromise and advice for securing infected sites. They have released Gravity Forms version 2.9.13.

Researchers from PCA Cyber Security have published a security advisory warning of four flaws in the BlueSDK Bluetooth stack -- a "hardware-agnostic" Bluetooth implementation primarily designed for automotive systems -- that can be chained to allow "1-click Remote Code Execution" on affected devices made by a variety of vendors. PCA provides proof-of-concept (PoC) exploits for Mercedes-Benz AG, Volkswagen, and Skoda among impacted vendors. An attacker in physical range and able to pair a laptop with the target system, in some cases without the ignition activated and without requiring confirmation, could escalate privileges to "track GPS coordinates, record audio inside a car, obtain personal phonebook information, ... and obtain access to critical elements of a car" by moving laterally through other embedded Electronic Control Units (ECUs). Vendors outside the automotive industry may also be affected. BlueSDK developer OpenSynergy worked with PCA after being contacted in May 2024, releasing patches in September 2024, however it took until June 2025 for all original equipment manufacturers (OEMs) to receive the patch, possibly due to "long and complex vehicle supply chains." Users should update affected systems or disable Bluetooth functionality entirely to protect against this attack, dubbed "PerfektBlue." Nick Tausek, lead security automation architect at Swimlane, posits that "attacks like PerfektBlue historically do more to illustrate the complicated landscape of [Internet of Things] patching than they do to represent a real threat to your average user."

Nvidia has published a security advisory reminding users to ensure System-level error correction code (ECC) is enabled on the company's GPU products after researchers at the University of Toronto showed the viability of exploiting the Rowhammer effect on an NVIDIA A6000 GPU with GDDR6 memory. The Rowhammer effect is a type of disturbance error observed for over a decade, where repeatedly reading ("hammering") memory locations in densely-celled dynamic random-access memory (DRAM) can leak an electrical charge that may cause bits to flip in an adjacent memory row. This is the first demonstration of Rowhammer bit flipping in discrete GPUs, allowing the researchers to "tamper with another user’s data on the GPU," and to degrade a deep neural network (DNN) model's accuracy "from 80% to 0.1% using a single bit flip." The researchers responsibly disclosed this vulnerability to Nvidia and major cloud providers in January 2025. Enabling ECC to mitigate memory disruption varies by GPU architecture, and Nvidia provides instructions for out-of-band and in-band paths; ECC is enabled by default on Nvidia's Hopper and Blackwell Data Center classes of GPUs. The researchers note that enabling ECC may reduce performance and memory capacity.

Albemarle County in the US state of Virginia had published information and resources for residents in the wake of a ransomware attack on the county's IT systems conducted overnight on June 10, 2025, and discovered the following morning. The county immediately implemented security protocols and engaged third-party cybersecurity experts, also notifying the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Cyber Fusion Center of the Virginia State Police. Investigation of the incident indicates that data stored in the cloud were not accessed, but locally-stored names, addresses, and Social Security numbers of county residents may have been accessed, as well as data belonging to local government and public school employees, including "names, addresses, driver’s license numbers, Social Security numbers, passport numbers, military ID numbers, and state ID card numbers." Non-emergency phone lines were restored after two weeks of outages after the attack. Albemarle County is offering all affected individuals complimentary fraud consultation, identity theft restoration services, and 12 months of credit monitoring. The notice recommends vigilance and possible fraud alerts or freezes on credit reports, and provides resources for understanding and reporting identity theft.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an Industrial Control System (ICS) advisory describing a weak authentication vulnerability in the End-of-Train and Head-of-Train remote linking protocol. CISA writes, "successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure." The issue was detected separately by two different researchers, first in 2012 and then again in 2016. The researcher who found the vulnerability in 2012 said he recently learned that it had first been reported to the Association of American Railroads (AAR) in 2005.

Two researchers discovered a weakness in a chatbot that fast food restaurant McDonald's uses to screen job applicants. The researchers write that they "identified two serious issues: the McHire administration interface for restaurant owners accepted the default credentials 123456:123456, and an insecure direct object reference (IDOR) on an internal API allowed us to access any contacts and chats we wanted." The chatbot was built by Paradox.ai, which has assumed responsibility for the situation. They have addressed both the default username/password issue and the API endpoint vulnerability and "are launching several new security initiatives including providing an easy way to contact [their] security team ... and a bug bounty program."