Cyber Security Weekly Briefing, 12-18 July
Wing FTP server remote code execution vulnerability exploited in network
Huntress researchers disclosed that the critical vulnerability CVE-2025-47812 (CVSSv3 10.0 according to MITRE) in Wing FTP Server, which allows remote code execution (RCE), has been actively exploited since July 1, 2025. The flaw, publicly disclosed on June 30 along with a functional exploit, allows malicious actors to inject arbitrary Lua code via a crafted username, even from anonymous accounts (if enabled).
Upon visiting certain pages, the code is executed, facilitating malware download, reconnaissance and deployment of remote access tools. Arctic Wolf warned that these techniques could be used for data theft or ransomware. Upgrading to version 7.4.4 or higher is recommended.
Analysis of the AsyncRAT malware
AsyncRAT, an open source remote access Trojan released on GitHub in 2019, has become widely used by malicious actors due to its modularity and ease of modification. Although it is not a direct fork of Quasar RAT, it shares certain cryptographic elements with it, and has served as the basis for multiple variants.
Among the most active forks are DcRat and VenomRAT, which incorporate extended functionality such as AMSI evasion, AES-256 encryption, and ransomware modules. Some less common variants add plugins to steal cryptocurrencies, spread malware via USB, or collect geographical data. The diversity of versions demonstrates how the open nature of AsyncRAT has enabled its proliferation.
Each fork reflects different offensive priorities, from financial cybercrime to surveillance functions. According to ESET, although not all variants are documented, many have been actively observed in real campaigns.
Google Chrome 0-day vulnerability under active exploitation
Google has released an emergency update for Chrome version 138 after discovering a critical zero-day vulnerability (CVE-2025-6558, CVSSv3 8.8 according to CISA) that is already being actively exploited. The flaw, identified by Google's Threat Analysis Group, affects the ANGLE and GPU components of the browser and allows malicious code execution through improper validation of untrusted inputs.
In addition to this vulnerability, the update fixes other serious flaws: an integer overflow in V8 (CVE-2025-7656, CVSSv3 8.8 according to CISA) and a use-after-free in WebRTC (CVE-2025-7657, CVSSv3 8.8 according to CISA). The update is now available for Windows, Mac, Linux and soon for Android.
Google recommends updating immediately to prevent attacks, and has temporarily restricted technical details to protect users while patches are being implemented.
UNC6148 targets patched SonicWall SMA devices to deploy malware
Researchers from Google's GTIG group detected malicious activity targeting fully patched SonicWall SMA 100 Series devices as part of a campaign designed to deploy the OVERSTEP backdoor. The activity, recorded since October 2024, has been attributed to the UNC6148 group, which is believed to leverage stolen OTP credentials and password seeds to regain access even after security updates have been applied.
The exact initial access vector is unknown, although it is believed to have been obtained by exploiting known vulnerabilities. After gaining access, the attackers establish an SSL-VPN session and generate a reverse shell, possibly through 0-day exploitation. This is used to execute reconnaissance and file manipulation commands, among other actions.
Finally, a previously undocumented implant (OVERSTEP) is deployed, capable of modifying the appliance's boot process to maintain persistent access, as well as stealing credentials and hiding its components to evade detection. Once the deployment is complete, the group proceeds to delete the system logs and restarts the firewall to trigger the execution of the backdoor.
Exploit published for a critical vulnerability in FortiWeb that allows RCE without authentication
Fortinet has fixed a critical vulnerability, CVE-2025-25257 (CVSSv3 9.6 according to the vendor), that affects multiple versions of FortiWeb (7.0.0 to 7.6.3). The vulnerability resides in the Fabric Connector component and allows unauthenticated attackers to execute arbitrary SQL commands and escalate to remote code execution (RCE). The root cause is improper validation of the Authorization: Bearer header, which allows SQL injection despite character restrictions by using MySQL comment syntax (/**/).
watchTowr researchers demonstrated that it is possible to write arbitrary files with INTO OUTFILE and execute malicious code via .pth files in Python directories, leveraging existing CGI scripts with elevated permissions. In misconfigured environments the exploit even allows execution as root. Public proofs of concept exist, although no active campaigns have yet been detected.
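The FortiWeb flaw is a header-validation failure in front of a SQL query. The following is an added example (not FortiWeb code, and not from the briefing or its cited researchers) of the defensive pattern: a strict syntactic check on the Bearer value before it reaches the database, a parameterised lookup so the value is only ever bound as data, and a log-review helper that flags Authorization headers carrying comment syntax or SQL keywords. The token format, table name, log format and all sample values are constructed assumptions.

```python
import re
import sqlite3

# Assumed token format for this example (not FortiWeb's real format): base64url-style
# characters only, 16-512 long. Anything else, including MySQL comment syntax or quotes,
# is rejected before the value reaches the database layer.
TOKEN_RE = re.compile(r"^[A-Za-z0-9._~+=-]{16,512}$")

# Indicators worth flagging in an Authorization header during log review: inline
# comment syntax, quote characters, statement terminators and file-writing SQL keywords.
SUSPICIOUS_RE = re.compile(
    r"(/\*.*?\*/|['\"#;]|\b(?:UNION|SELECT|INTO|OUTFILE|LOAD_FILE)\b)", re.IGNORECASE
)


def parse_bearer(header_value):
    """Return the token if the header is exactly 'Bearer <well-formed token>', else None."""
    if not isinstance(header_value, str):
        return None
    parts = header_value.split(" ", 1)
    if len(parts) != 2 or parts[0] != "Bearer":
        return None
    token = parts[1]
    return token if TOKEN_RE.fullmatch(token) else None


def lookup_token(conn, token):
    """Parameterised lookup: the token is bound as data, never spliced into the SQL text."""
    row = conn.execute(
        "SELECT username FROM api_tokens WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def authenticate(conn, header_value):
    """Full path: strict syntactic validation first, then a parameterised database lookup."""
    token = parse_bearer(header_value)
    if token is None:
        return None
    return lookup_token(conn, token)


def make_demo_db():
    """In-memory SQLite table standing in for an appliance token store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_tokens (token TEXT PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO api_tokens VALUES ('abcdef0123456789abcdef', 'svc-fabric')")
    conn.commit()
    return conn


# Constructed access-log lines in a made-up format; only the authorization field matters.
SAMPLE_LOGS = [
    '203.0.113.5 "GET /api/example" authorization="Bearer abcdef0123456789abcdef" 200',
    '203.0.113.9 "GET /api/example" authorization="Bearer x\'/**/OR/**/1=1#" 200',
    '203.0.113.7 "GET /api/example" authorization="Bearer zz9876543210zz9876543210" 401',
]


def flag_suspicious_headers(log_lines):
    """Return log lines whose Bearer value contains SQL-looking syntax or breaks the token format."""
    flagged = []
    for line in log_lines:
        m = re.search(r'authorization="Bearer ([^"]*)"', line)
        if m is None:
            continue
        value = m.group(1)
        if SUSPICIOUS_RE.search(value) or not TOKEN_RE.fullmatch(value):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    db = make_demo_db()
    print(authenticate(db, "Bearer abcdef0123456789abcdef"))  # svc-fabric
    print(authenticate(db, "Bearer x'/**/OR/**/1=1#"))       # None: rejected before any SQL runs
    for hit in flag_suspicious_headers(SAMPLE_LOGS):
        print("suspicious:", hit)
```

The two controls are independent: the parameterised query alone would already neutralise the injection, and the format check alone would already reject it, so a bypass of one still meets the other. The log scanner is deliberately loose (it will also catch malformed but harmless tokens) because in a review of appliance logs a false positive costs far less than a missed probe.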
Fortinet has released fixes in versions 7.6.4, 7.4.8, 7.2.11 and 7.0.11, so it is recommended to patch immediately, or to temporarily disable the HTTP/HTTPS administration interface if patching is not possible.
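Two of this week's items (Wing FTP Server and FortiWeb) come down to "are we on a fixed release", but the answer differs in shape: Wing FTP has a single threshold (7.4.4 or higher), while FortiWeb ships a separate fixed build per minor branch, so 7.4.8 is fixed while the numerically higher 7.6.3 is not. The following added example (not vendor code, and not from the briefing) encodes only the version numbers stated in the two items above and runs them over a constructed inventory; the inventory format, hostnames and the `anonymous_login` flag are assumptions.

```python
# Fixed releases exactly as the briefing states them; everything else here is an assumption.
WING_FTP_FIXED = (7, 4, 4)                  # "upgrade to version 7.4.4 or higher"
FORTIWEB_AFFECTED = ((7, 0, 0), (7, 6, 3))  # "7.0.0 to 7.6.3"
FORTIWEB_FIXED_PATCH = {(7, 6): 4, (7, 4): 8, (7, 2): 11, (7, 0): 11}  # 7.6.4, 7.4.8, 7.2.11, 7.0.11


def parse_version(text):
    """'7.4.8' -> (7, 4, 8); missing components are padded with 0, a trailing build suffix is ignored."""
    core = text.strip().split()[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def wing_ftp_vulnerable(version):
    """Single linear threshold: anything below 7.4.4 still carries CVE-2025-47812."""
    return parse_version(version) < WING_FTP_FIXED


def fortiweb_vulnerable(version):
    """Branch-wise check: a version is fixed only if its own minor branch has reached the fixed build."""
    v = parse_version(version)
    lo, hi = FORTIWEB_AFFECTED
    if v < lo or v > hi:
        return False                     # outside the affected range given in the advisory summary
    fixed_patch = FORTIWEB_FIXED_PATCH.get(v[:2])
    if fixed_patch is None:
        return True                      # affected branch with no fixed build listed: treat as vulnerable
    return v[2] < fixed_patch


def triage(inventory):
    """Return (host, action) pairs for inventory entries that still need attention."""
    findings = []
    for entry in inventory:
        host, product, version = entry["host"], entry["product"], entry["version"]
        if product == "wing-ftp":
            if wing_ftp_vulnerable(version):
                findings.append((host, "upgrade Wing FTP Server to 7.4.4 or later"))
            if entry.get("anonymous_login"):
                # The briefing notes the flaw is reachable from anonymous accounts when enabled.
                findings.append((host, "anonymous login enabled: reachable without credentials"))
        elif product == "fortiweb":
            if fortiweb_vulnerable(version):
                major, minor = parse_version(version)[:2]
                fixed_patch = FORTIWEB_FIXED_PATCH.get((major, minor))
                target = "a fixed release" if fixed_patch is None else f"{major}.{minor}.{fixed_patch}"
                findings.append((host, f"upgrade FortiWeb to {target} or disable the HTTP/HTTPS admin interface"))
    return findings


# Constructed inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "ftp-01", "product": "wing-ftp", "version": "7.4.3", "anonymous_login": True},
    {"host": "ftp-02", "product": "wing-ftp", "version": "7.4.4", "anonymous_login": False},
    {"host": "waf-01", "product": "fortiweb", "version": "7.4.7"},
    {"host": "waf-02", "product": "fortiweb", "version": "7.6.4"},
    {"host": "waf-03", "product": "fortiweb", "version": "7.2.11"},
]


if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```

The branch-aware comparison is the part worth keeping: a naive "version >= highest fixed build" check would wrongly clear 7.6.3 and wrongly flag 7.4.8, which is exactly the kind of error that leaves a patched-looking appliance exposed.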