07/09/2025-07/16/2025 Google AI “Big Sleep” Stops Exploitation of Critical SQLite Vulnerability, Critical mcp-remote Vulnerability, Patch for Critical SQL Injection Flaw And More.

1. Google AI “Big Sleep” Stops Exploitation of Critical SQLite Vulnerability Before Hackers Act

Google announced that its AI-assisted vulnerability detection system, Big Sleep, uncovered a critical flaw (CVE-2025-6965, CVSS 7.2) in the SQLite database before it could be exploited. The memory corruption bug, affecting versions prior to 3.50.2, could allow attackers to trigger an integer overflow via arbitrary SQL injection.Google described this latest discovery as the first known case where an AI directly prevented a real-world exploit.

To ensure AI agents like Big Sleep operate safely, Google published a white paper outlining a hybrid security model. It combines traditional, rule-based controls with dynamic AI reasoning to create “defense-in-depth” safeguards. These enforced boundaries aim to reduce risks such as prompt injection and unauthorized actions.

2. Critical mcp-remote Vulnerability Exposes LLM Clients to Remote Code Execution Attacks

A critical vulnerability, CVE-2025-6514 (CVSS 9.6), affects versions 0.0.5–0.1.15 of the mcp-remote project, allowing remote code execution (RCE) via untrusted MCP server connections. The flaw poses serious risks to LLM clients (e. g., Claude Desktop) by enabling OS command injection through malicious authorization_endpoint values during OAuth metadata discovery.

Attackers can exploit this either by hosting a malicious MCP server or via man-in-the-middle attacks over unsecured HTTP connections. On Windows systems, the issue stems from PowerShell’s subexpression evaluation, enabling arbitrary command execution—such as writing files or running system commands—without proper validation.

Remediation steps:

• Update to mcp-remote v0.1.16 immediately.
• Use HTTPS-only connections to trusted servers.
• Audit MCP configurations and remove any HTTP-based endpoints.
• Enforce strict trust policies for remote servers.

With LLM platforms increasingly integrating MCP, maintaining secure configurations and monitoring for similar threats is critical to preventing system compromise.

3. Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)

Fortinet has patched a critical vulnerability (CVE-2025-25257, CVSS 9.6) in FortiWeb that allows unauthenticated attackers to execute arbitrary SQL commands via crafted HTTP/HTTPS requests. The flaw stems from improper input sanitization in the get_fabric_user_by_token function, part of the Fabric Connector component, and affects multiple API endpoints.

Exploiting this SQL injection can lead to remote code execution by using SQL’s SELECT ... INTO OUTFILE to write and execute malicious files on the system, which runs queries under the mysql user.

Impacted versions include:

• FortiWeb 7.6.0–7.6.3 (fix: update to 7.6.4+)
• 7.4.0–7.4.7 (update to 7.4.8+)
• 7.2.0–7.2.10 (update to 7.2.11+)
• 7.0.0–7.0.10 (update to 7.0.11+)

Fortinet recommends disabling the HTTP/HTTPS admin interface as a temporary workaround and urges users to apply patches immediately due to past exploitation of Fortinet vulnerabilities.

4. Hackers Are Exploiting Critical RCE Flaw In Wing FTP Server

Hackers began exploiting a critical RCE vulnerability (CVE-2025-47812) in Wing FTP Server just one day after technical details became public. The flaw combines a null byte and Lua code injection, allowing unauthenticated remote attackers to execute code as root/SYSTEM on affected systems (v7.4.3 and earlier).

The vulnerability stems from unsafe handling of null-terminated strings and poor input sanitization. By injecting a null byte in the username field, attackers can bypass authentication and inject Lua code into session files, leading to arbitrary code execution.

Security firm Huntress observed real-world attacks using this flaw to gain persistence, run recon commands, and attempt malware downloads via certutil. At least five IP addresses targeted a customer’s server, indicating mass scanning.
Three additional flaws (CVE-2025-27889, -47811, -47813) were also disclosed, exposing passwords and file paths.

Users must upgrade to version 7.4.4. If not possible, disable web portal access, restrict anonymous logins, and monitor the session directory for suspicious files.

5. CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises

CISA has added a critical vulnerability in Citrix NetScaler ADC and Gateway (CVE-2025-5777, CVSS 9.3) to its KEV catalog, confirming active exploitation in the wild. Dubbed Citrix Bleed 2, the flaw stems from insufficient input validation, allowing unauthenticated attackers to perform memory overreads and steal sensitive session data.

First reported in mid-June 2025, attackers have leveraged it to extract session tokens and access internal systems. Exploitation attempts have been traced to 10 IPs from multiple countries, with links to RansomHub ransomware.

Citrix released a patch (version 14.1-43.56+) on June 17. Admins are urged to update immediately and terminate all active sessions to prevent token reuse. Logs should be reviewed for suspicious authentication endpoint activity.

The flaw allows remote code execution and lateral movement in hybrid IT environments. CISA mandated federal agencies to patch within 24 hours. Another Citrix flaw (CVE-2025-6543) is also being exploited.

07/02/2025-07/09/2025 Microsoft Fixes 130 Security Flaws, CISA Flags Four Actively Exploited Old Vulnerabilities, Cisco Patches Critical Unified CM Flaw And More.

1. Microsoft Fixes 130 Security Flaws, Including Public SQL Server Bug

Microsoft’s July 2025 Patch Tuesday delivers fixes for 130 vulnerabilities, including a publicly disclosed SQL Server flaw (CVE-2025-49719, CVSS 7.5). Though not exploited in the wild, this bug allows unauthenticated information disclosure over the network. Users are urged to update SQL Server and related drivers. This release ends an 11-month streak without zero-day patches. About a dozen critical bugs were addressed, 10 of which enable remote code execution (RCE). High-priority fixes target NEGOEX, SharePoint, and the Kerberos Key Distribution Center proxy.

Office updates include patches for two local code execution flaws (CVE-2025-49695 and CVE-2025-49696). Another key fix is CVE-2025-49724—a use-after-free bug in Windows Connected Devices Platform, exploitable if Nearby Sharing is enabled and specific user actions occur.

Of the 130 bugs, 53 allow privilege escalation, 41 RCE, and others impact info disclosure, spoofing, and denial-of-service. Users are advised to update systems promptly.

2. Malicious Pull Request Targets 6,000+ Developers via Vulnerable Ethcode VS Code Extension

Researchers have uncovered a supply chain attack targeting the Visual Studio Code extension Ethcode, used to deploy Ethereum smart contracts. The extension, with over 6,000 installs, was compromised via a GitHub pull request by a newly created user, Airez299, on June 17, 2025. ReversingLabs found that the attacker slipped malicious code into 43 commits, including a hidden npm package, keythereum-utils. The package, now removed, downloaded an obfuscated payload via PowerShell. The goal may have been to steal crypto assets or tamper with contracts.

Microsoft removed Ethcode from its marketplace after responsible disclosure. The extension was later reinstated without the malicious dependency.

This attack highlights growing supply chain threats. In Q2 2025, over 16,000 malicious open-source packages were discovered, with many stealing credentials or damaging data. Meanwhile, fake Firefox extensions were also found redirecting users and stealing OAuth tokens, emphasizing the evolving risk in trusted developer tools and browser add-ons.

3. CISA Adds Four Older CVEs to Known Exploited Vulnerabilities List

On July 7, CISA added four vulnerabilities—dating back to 2014–2019—to its KEV catalog, urging federal agencies to patch them by July 28. Private organizations are strongly advised to follow suit.

Despite their age, two of the flaws are rated critical, showing that old vulnerabilities remain valuable targets for attackers. The bugs include:

• CVE-2014-3931: MRLG buffer overflow (9.8 severity)
• CVE-2016-10033: PHPMailer command injection (9.8)
• CVE-2019-5418: Ruby on Rails path traversal (7.5)
• CVE-2019-9621: Zimbra SSRF vulnerability (7.5)

Trend Micro linked CVE-2019-9621 to Chinese threat actor Earth Lusca, and intelligence suggests renewed interest from state-backed groups.

Experts warn that threat actors prioritize impact over age, targeting internet-facing systems like email servers and web frameworks. Security teams should inventory legacy software, limit exposure of critical tools, and segment networks to reduce risk. Even decade-old flaws can be actively exploited if left unpatched.

4. Critical Cisco Vulnerability in Unified CM Grants Root Access via Static Credentials

Cisco has released a patch for a critical vulnerability (CVE-2025-20309, CVSS 10.0) in its Unified Communications Manager (Unified CM) and Session Management Edition (SME). The flaw, caused by hard-coded root credentials left from development, allows attackers to gain root access and execute arbitrary commands.
Cisco warns that exploitation could let attackers move laterally, intercept calls, or alter authentication settings. The flaw affects versions 15.0.1.13010-1 to 15.0.1.13017-1, regardless of configuration.

Discovered during internal testing, there is no evidence of active exploitation. Cisco has shared indicators of compromise (IoCs), including log entries showing root access in /var/log/active/syslog/secure. Admins can check using: cucm1# file get activelog syslog/secure

This patch follows recent fixes for two other critical flaws (CVE-2025-20281 and CVE-2025-20282) in Cisco Identity Services Engine products that also allowed root command execution.

06/25/2025-07/02/2025 New Flaw in IDEs Like Visual Studio Code, Flaw in Open VSX Registry, Critical Flaws in ISE and ISE-PIC And More.

1. New Flaw in IDEs Like Visual Studio Code Lets Malicious Extensions Bypass Verified Status

A new study revealed vulnerabilities in popular IDEs like Visual Studio Code, Visual Studio, IntelliJ IDEA, and Cursor that let attackers run malicious code on developer machines by exploiting flaws in extension verification. Researchers from OX Security found that Visual Studio Code’s verification process can be bypassed by creating malicious extensions mimicking verified ones, making them appear trustworthy while executing harmful OS commands. This abuse of extension sideloading allows rogue plugins distributed outside official marketplaces to appear legitimate, posing a serious risk in development environments with sensitive data.

The team demonstrated a proof-of-concept where a malicious extension opened the Calculator app on Windows. Similar flaws were found in IntelliJ IDEA and Cursor by altering verification values without losing the verified status.

Microsoft claims this is by design and has signature verification to block such extensions from the Marketplace, but the flaw was still exploitable as of June 2025.

2. Researchers Uncover Flaw in Open VSX Registry, Exposing Developer Extensions to Takeover

Cybersecurity researchers discovered a flaw in the Open VSX Registry that risked control over its extensions ecosystem used by over eight million developers. The vulnerability, disclosed by Koi Security on May 4, 2025, remained unpatched until June 25, 2025.

Open VSX, managed by the Eclipse Foundation, supports VS Code forks like Cursor and VSCodium. The flaw was in its automated publishing workflow, where a privileged token (OVSX_PAT) used to publish extensions was exposed during npm installs, allowing attackers to extract it by running malicious build scripts.
With this token, attackers could overwrite any extension with malicious code, potentially compromising developer machines without detection since updates run silently in the background. Given extensions’ deep access to environments, this posed a serious security risk. After disclosure, the Eclipse Foundation patched the issue, securing the publishing process to prevent token exposure during builds. This incident highlights the critical need for strict security in extension marketplaces.

3. Critical Vulnerability in Anthropic’s MCP Exposes Developer Machines to Remote Exploits

Cybersecurity researchers have uncovered a critical vulnerability (CVE-2025-49596, CVSS 9.4) in Anthropic’s Model Context Protocol (MCP) Inspector that allows remote code execution (RCE), giving attackers full access to affected machines. The flaw stems from insecure default settings, such as lack of authentication and encryption, exposing local servers to browser-based attacks. By exploiting a legacy browser vulnerability known as “0.0.0.0 Day” and chaining it with a CSRF flaw, a malicious website can trigger arbitrary code execution on a developer’s machine. The issue was patched in version 0.14.1 with added authentication and origin checks. Despite being a reference tool not meant for production, MCP Inspector has been widely adopted and forked over 5,000 times. Security experts warn that such misconfigurations create major risks for developers, especially in public networks, and stress the need for stricter AI rules to guard against prompt injection and context poisoning in agent workflows.

4. Chinese Group Silver Fox Uses Fake Websites to Deliver Sainbox RAT and Hidden Rootkit

A new campaign uses fake websites advertising popular software like WPS Office and Sogou to deliver the Sainbox RAT and an open-source Hidden rootkit. This activity is linked with medium confidence to the Chinese hacking group Silver Fox (aka Void Arachne), based on similarities to their previous campaigns. The phishing sites, such as “wpsice[.]com,” distribute malicious MSI installers in Chinese, targeting Chinese-speaking users. The malware includes Sainbox RAT—a Gh0st RAT variant—and the Hidden rootkit.The installers launch a legitimate executable that sideloads a rogue DLL to execute shellcode and deploy Sainbox. The embedded rootkit helps hide malware processes and registry keys.

Silver Fox has used similar tactics before, including campaigns in 2024 delivering Gh0st RAT variants like ValleyRAT. Using commodity RATs and open-source rootkits lets attackers maintain control and stealth with minimal custom coding.

5. Cisco Patches Critical Flaws in ISE and ISE-PIC That Allow Root Access

Cisco has released urgent patches for two critical vulnerabilities in its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC), rated CVSS 10.0. These flaws, CVE-2025-20281 and CVE-2025-20282, allow attackers to gain root access without credentials, risking full system compromise.

CVE-2025-20281 affects ISE and ISE-PIC versions 3.3 and later, enabling remote root command execution via a vulnerable API. CVE-2025-20282 impacts version 3.4, letting attackers upload and execute malicious files with root privileges.
Both flaws affect all deployments of versions 3.3 and 3.4, with no workarounds available—only software patches fix the issue. Cisco urges immediate patching, noting no known exploitation yet but highlighting the high risk.

Discovered via Trend Micro’s Zero Day Initiative, these vulnerabilities stress the importance of securing API endpoints and applying timely updates to protect critical identity management systems.