Google Project Zero Shortens Upstream Patch Gap; Saint Paul, MN Cyberattack Requires National Guard Assistance; Apple Updates and Microsoft Analysis of macOS Sploitlight

Google Project Zero is testing a new reporting transparency policy aimed at improving the upstream patch gap, "the period where an upstream vendor has a fix available, but downstream dependents, who are ultimately responsible for shipping fixes to users, haven’t yet integrated it into their end product." Google's 90+30 policy remains in place; vendors will still have 90 days to address a reported vulnerability, and Google will wait 30 days after the patch has been released to report technical details of the issue. What is different is the early announcement of a vulnerability's existence. Google will announce that they have disclosed a vulnerability to a vendor within 10 days of that disclosure; no technical information will be included, intended to help the downstream dependents be aware and anticipate a fix. Google has set up a transparency page, which lists the vendor to whom the vulnerability was reported, the product, the date reported, the day on which the 90-day deadline expires, and whether or not the vendor has requested a grace period.

On Tuesday, July 29, 2025, Minnesota Governor Tim Walz signed an executive order activating the Minnesota National Guard to help the city of Saint Paul recover from a cyberattack that took place on Friday, July 25, noting that "the magnitude and complexity of the cybersecurity incident have exceeded the city’s response capacity." The attack targeted "critical systems and digital services," disrupting the city's services through the weekend while officials worked with Minnesota Information Technology Services and a third-party cybersecurity vendor to respond. The order authorizes the Adjutant General to designate personnel, equipment, facilities, and resources, as well as procure goods and services to provide assistance, paid for from the general fund. Saint Paul's website provides ongoing updates on the status of city services: 911 service and recreation centers remain operational; public libraries remain open, but public internet access, Wi-Fi, printing, new library card account creation, and patron borrowing activity are unavailable; online payments are unavailable, and water bill payments cannot yet be accepted in any form, but late fees will not be assessed while the system is offline. The city is aware of some fraudulent invoices since the attack, and cautions residents against suspicious communications. Several email addresses and phone numbers for additional information and questions have been provided. Saint Paul Mayor Melvin Carter stated on Tuesday, July 29 that the threat is ongoing, and noted that the city defensively shut down its IT systems completely on Monday, July 28. Carter emphasized his certainty that the attack was not an internal error but a deliberate targeted attack, and mentioned the possibility that city employees' data may have been stolen.

Earlier this week, Apple released multiple updates to address nearly 90 vulnerabilities in Safari, iOS, iPadOS, macOS, watchOS, tvOS, and visionOS. Among the flaws fixed in the updates is a zero-day improper input validation vulnerability (CVE-2025-6558) that has been exploited to target Google Chrome users. In a separate story, Microsoft has published a blog describing a vulnerability (CVE-2025-31199) in macOS "that could let attackers steal private data of files normally protected by transparency, consent, and control (TCC) ... that if exploited could let attackers bypass TCC and leak sensitive information cached by Apple Intelligence." Microsoft calls the vulnerability Sploitlight.

On July 28, 2025, the US Senate unanimously passed the "Telecom Cybersecurity Transparency Act," which, if passed by the House and signed into law, would require within 30 days of enactment the full unclassified release of a report investigating weaknesses in US telecommunications companies' security, prepared in 2022 for the US Cybersecurity and Infrastructure Security Agency (CISA). Marcy McCarthy, CISA's public affairs director stated the following day in communication with news sources that "CISA intends to release the U.S. Telecommunications Insecurity Report (2022), that was developed but never released under the Biden administration in 2022, with proper clearance," noting CISA's role working with telecommunications companies "before, during, and after Salt Typhoon — sharing timely threat intelligence [and] providing technical support." Senator Ron Wyden (D-Oregon), who introduced the bill, illustrated the report's importance by citing a 2024 whistleblower report filed with the Federal Communications Commission alleging "numerous incidents of successful, unauthorized attempts to access the network user location data of communications service providers operating in the USA."

A critical arbitrary file upload vulnerability in the Alone – Charity Multipurpose Non-profit WordPress Theme is being actively exploited. The vulnerability was submitted to Wordfence on May 30, 2025. The theme's developer released an update to address the vulnerability on June 16, and Wordfence disclosed the issue publicly on July 14. Wordfence writes, "Our records indicate that attackers started exploiting the issue on July 12th, 2025, before we disclosed the vulnerability. The Wordfence Firewall has already blocked over 120,900 exploit attempts targeting this vulnerability." The flaw affects all versions of Alone up to and including 7.8.3; users are urged to update to version 7.8.5 or later.

Earlier this week, Dropbox announced that its password manager, Dropbox Passwords, will be discontinued as of October 28, 2025. The discontinuation will be managed in a gradual manner: starting on August 28, passwords in both the mobile app and the browser extension will be read-only and autofill will be deactivated; on September 11, the mobile app will no longer function; and on October 28, the service will be "fully discontinued." Dropbox's announcement includes instructions for exporting information stored in DropBox Passwords to another application; users are urged to move data before October 28, because at that time, "all Dropbox Passwords data will be permanently and securely deleted."

Orange Group, a French company serving as a major telecommunications provider for Europe and Africa, has published a notice disclosing a cyberattack discovered on Friday, July 25, 2025. The company's teams and subsidiary Orange Cyberdefense immediately isolated affected services, also lodging a formal complaint and notifying and collaborating with relevant authorities. The notice warns of operational disruption due to the isolation measures, affecting business customers' management services and platforms, and consumer services primarily in France, but offers an anticipated restoration date for the main services of Wednesday, July 30. Orange is notifying affected customers, and notes that there has not been any evidence of data exfiltration. At time of this writing, the company has not confirmed restoration. The notice closes, "For obvious security reasons, Orange will not provide further comments."

US biotech firm Illumina Inc. has agreed to pay $9.8 million to settle allegations that the company "sold government agencies genomic sequencing systems with software that had cybersecurity vulnerabilities, without having an adequate security program and sufficient quality systems to identify and address those vulnerabilities. Specifically, the United States contended that Illumina knowingly failed to incorporate product cybersecurity in its software design, development, installation, and on-market monitoring; failed to properly support and resource personnel, systems, and processes tasked with product security; failed to adequately correct design features that introduced cybersecurity vulnerabilities in the genomic sequencing systems; and falsely represented that the software on the genomic sequencing systems adhered to cybersecurity standards." The False Claims Act allows the Justice Department (DoJ) to pursue claims against companies that violate the terms of their government contracts. In September 2023, a former senior executive at US biotech firm Illumina filed a qui tam action under the whistleblowing provisions of the False Claims Act. The settlement resolves the lawsuit.

Cybersecurity researchers from Group-IB discovered "a unique, stealthy approach used by a financially motivated threat actor group to compromise critical banking infrastructure." Specifically, cyber threat actors known as UNC2891 were found to have connected a Raspberry Pi device to a network switch that was also connected to an ATM, which gave them access to the associated bank's internal network. Group-IB writes, "Using the TINYSHELL backdoor, the attacker established an outbound command-and-control (C2) channel via a Dynamic DNS domain. This setup enabled continuous external access to the ATM network, completely bypassing perimeter firewalls and traditional network defenses." According to Group-IB, "UNC2891 is a financially motivated threat actor ... known for its advanced intrusions targeting banking infrastructure. The group possesses deep technical expertise in Linux, Unix, and Oracle Solaris environments."