Bulletin — July 2025

July fits into two threads. The cyber centres on SharePoint: on the 8th Microsoft patches CVE-2025-49706/49704 (Pwn2Own ToolShell chain); on the 17–18th attackers find the patch can be bypassed and CVE-2025-53770/53771 enter at scale; on the 19th Microsoft publishes the OOB advisory and CISA adds to KEV on the 20th. On the 22nd Microsoft attributes to Linen Typhoon, Violet Typhoon and Storm-2603. The AI settles six months of jailbreaks against reasoning models — from DeepSeek-R1 in January to Claude 4 with extended thinking in May, through o3 and QwQ. And, in background, 19 July marks one year since CrowdStrike’s Channel File 291; Microsoft pushes the Windows Resiliency Initiative and CrowdStrike publishes its retrospective note. The month closes with Citrix and a Bleed 2 from late June that gets exploited during July, M&S declaring between 270 and 440 million pounds in impact, and Patch Tuesday with 137 CVEs and a SQL Server zero-day.

ToolShell — SharePoint on-prem reopened twice

Month timeline:

• 8 Jul (Patch Tuesday): Microsoft patches CVE-2025-49706 (auth bypass via Referer header) and CVE-2025-49704 (deserialization in ToolPane.aspx). The chain came from Pwn2Own Berlin (May), where Code White GmbH had demonstrated it.
• 17–18 Jul: Attackers find the 8th’s patch can be bypassed with trailing slash in the path and with a deserializable wrapper not included in the blacklist. Eye Security detects first mass wave on the 18th at 18:06 UTC.
• 19 Jul: Microsoft publishes OOB advisory with CVE-2025-53770 (CVSS 9.8) and patch for Subscription Edition.
• 20 Jul: CVE-2025-53771 (CVSS 6.5) added. Patch for SharePoint 2019. CISA puts 53770 in KEV.
• 22 Jul: Microsoft publishes attribution: Linen Typhoon (APT27), Violet Typhoon (APT31), Storm-2603. The latter deploys Warlock ransomware on the compromised servers.
• 23 Jul: Patch for SharePoint Server 2016.

The structural piece — the one that will be cited all H2 — is the kit’s web shell, spinstall0.aspx. It’s not a shell: it’s a MachineKeys extractor. It steals ValidationKey and DecryptionKey from IIS so the attacker can forge valid __VIEWSTATE after the patch. The persistence survives the update if you don’t rotate keys.

Eye Security scans 23,000+ public SharePoints in the first 48 hours and confirms 400+ compromised. Later figures from Unit 42 and Trustwave raise the count. Defenders affected: the US Administration (several agencies), regional bodies in Europe, several universities, and financial and energy sectors in Asia-Pacific — the on-prem inventories that keep SharePoint exposed to internet with pre-Entra ID auth.

We’ve published the full technical analysis with the chain reproduced in the lab, the bug in PostAuthenticateRequestHandler, the spinstall0.aspx web shell with its inline C# code, and the ysoserial.net flow to forge ViewState with the stolen MachineKeys.

Source: https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

CitrixBleed 2 — CVE-2025-5777 keeps being exploited

On 17 June Citrix published CVE-2025-5777 (CVSS 9.3, out-of-bounds memory read in NetScaler ADC and Gateway). Kevin Beaumont christens the bug CitrixBleed 2 by symmetry with last year’s CVE-2023-4966: same vendor, same class (information disclosure by bad HTTP input parsing), same consequence (memory leak containing active session tokens).

The difference with Bleed 1: the trigger is sending a POST to /p/u/doAuthentication.do with the login parameter present but without value. NetScaler reads uninitialised memory to build the XML response, and that memory contains fragments of other sessions — including NSC_AAAC cookies of authenticated users.

During July CISA adds to KEV on the 10th. Telemetry from Imperva and GreyNoise reports 11.5 million exploitation attempts in a few weeks. Mass exploitation started within the patch window. The Bleed 1 pattern repeats step by step: patch available → exploitation window → confirmation of victims with stolen sessions. Mitigation is the same — patch + terminate all active sessions (kill aaa session -all) + audit anomalous logs.

Affected versions: NetScaler ADC and Gateway 14.1 before 47.46, 13.1 before 59.19. 12.1 and 13.0 are EOL and remain vulnerable without official patch.

Source: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420

Patch Tuesday July — 137 CVEs and a SQL Server zero-day

8 July. Microsoft closes 137 vulnerabilities, 14 critical. The month’s zero-day is CVE-2025-49719 (information disclosure in SQL Server and OLE DB drivers): incorrect memory handling that exposes uninitialised data — including credentials and connection strings in process memory. Microsoft catalogues it as publicly disclosed, not exploited, which in CVSS-ese means there’s a PoC in circulation.

Other notable bugs of the month:

• CVE-2025-47981 (CVSS 9.8): heap overflow in SPNEGO Extended Negotiation. Pre-auth RCE without user interaction; wormable in theory over exposed Windows.
• CVE-2025-49695 / 49696 / 49697 / 49702: four RCEs in Microsoft Office, all triggerable via Preview Pane (attacker sends document, preview in Outlook is enough).
• CVE-2025-49717: second in SQL Server, this time code execution in the engine with escalation to host OS. Relevant in environments keeping SQL Server in shared VLAN with app servers.

No actively exploited zero-days, which is rare for a July Patch Tuesday. The piece that will stay in SIEM logs for months is CVE-2025-49706 / 49704 — Microsoft patches without major alerts the ToolShell chain that will be exploited two weeks later. Retrospectively for many defenders July counts as two Patch Tuesdays: the 8th and the OOB of the 19th.

Source: https://msrc.microsoft.com/update-guide/releaseNote/2025-Jul

Reasoning model jailbreaks — H1 retrospective

By June 2025 there are five public families of reasoning models: o1 / o3 (OpenAI), Claude 4 with extended thinking (Anthropic), DeepSeek-R1 + R1-Distill, QwQ-32B (Alibaba) and Gemini 2.5 with thinking (Google). Six months after the first, DeepSeek-R1 in January, the field has consolidated five techniques that break these models:

• CoT exfiltration trivial in open-weights (R1, R1-Distill, QwQ) — the <think> block is accessible plain text.
• CoT prefill / poisoning in open-weights — the attacker prefills the assistant turn with adversarial reasoning.
• CoT hijacking (Anthropic + Oxford + Stanford, H1 2025 paper) — hide the harmful prompt in a long sequence of benign steps; success rate rises from 27% to 80%+ on o3, Claude 4, Gemini 2.5.
• Bypass of political filter specific to R1 — language change, prompt indirection. R1’s primary alignment resists; the censorship filter on top is fragile.
• Multi-turn manipulation — distribute the attack across 5–8 turns. Works especially well against Claude 4 with extended thinking because reasoning integrates the whole history.

Defences that have partially worked: Constitutional Classifiers v2 (Anthropic, Feb 2025; reduced success rate from 86% to 4.4% on their internal benchmark), deliberative alignment (OpenAI, Dec 2024 paper), CoT obfuscation as a product decision (don’t show the raw chain to the user), and robust safety training (DeepMind, H1 2025).

The field has consolidated two operational certainties: (1) old benchmarks (AdvBench, StrongREJECT v1, HarmBench v1) saturate and no longer discriminate well-aligned models; (2) the asymmetry between who sees the CoT (the vendor) and who responds for the deployment (the operator) remains structural in closed models.

We’ve published the full retrospective with a “technique → success rate per model” table, the detail of constitutional classifiers v2, and implications for H2 2025 deployment.

Source: https://www.anthropic.com/research/constitutional-classifiers

CrowdStrike Falcon — a year after Channel File 291

19 July 2024, 04:09 UTC: Channel File 291 pushes a configuration with mismatched field count and 8.5 million Windows machines BSOD. 19 July 2025: CrowdStrike publishes a retrospective note — One Year Later: Reflecting on Building Resilience by Design — and Microsoft does its counterpart on the Windows Resiliency Initiative.

What’s been applied, according to both companies:

• Falcon Super Lab (CrowdStrike): testing infrastructure with thousands of OS/kernel/hardware combinations before publishing Rapid Response Content. The piece missing in July 2024.
• Customer profile testing (CrowdStrike): content validation against specific customer profiles before mass deployment. Effective staged rollout.
• Chief Resilience Officer (CrowdStrike): new executive role reporting directly to the CEO. Announced in May 2025.
• Sensor in user space, not kernel (Microsoft): Windows Resiliency Initiative includes an eBPF-style API for EDR vendors to move part of the sensor out of kernel mode. Beta started in March 2025 with CrowdStrike, SentinelOne, Sophos, Bitdefender and Trend Micro. Production ETA Q4 2025.

What hasn’t been applied: the standard contractual clause of mandatory staged rollout that cyber policies promised in August 2024. The industry continues pushing definitions and updates to entire estates without customer option. The Resiliency Initiative changes the sensor’s architecture; it doesn’t change the content deployment model.

We’ve published the technical analysis of the incident with the parser reproduced in C, the RCA of 6 August and the questioned deployment pattern.

Source: https://www.crowdstrike.com/en-us/blog/reflecting-on-building-resilience-by-design/

M&S and Co-op — postmortems with numbers

At the end of June the UK’s Cyber Monitoring Centre (CMC) classifies the attacks against Marks & Spencer, Co-op and the attempt against Harrods as “Category 2 cyber hurricane” — the second-highest level on the scale the CMC has published since 2024. It’s the first time the category is assigned to a single-actor incident cluster (Scattered Spider / DragonForce via social engineering against the helpdesk).

Figures consolidating during July:

• M&S: declared financial impact £270 to £440 million (USD 363-592 million). The insurance claim (Allianz as lead underwriter, with Beazley in excess) could reach £100 million — one of the largest cyber claims in the UK market. Six weeks of operational disruption to ecommerce; logistics and stock recovered mid-May.
• Co-op: exact figure unpublished but similar scale of impact. POS and back-office systems affected for three weeks.
• Harrods: contains the attempt. No impact reported.

Class actions start moving in July. Consumer rights groups (Joint The Claim, KPL Solicitors) open registers of damaged parties; the first civil suits are expected in Q4. The regulatory side remains pending — ICO maintains open investigation on both retailers.

We’ve covered the original vector in the April bulletin. The lesson remains the same: tier-1 helpdesk identity verification doesn’t scale with outsourcing templates. The compensating controls (verification via alternative channel, time-delay for privileged resets, manager checkpoint) are the same ones we’ve been saying since MGM 2023, now with proof that the cost of not applying them fits in the P&L.

Source: https://www.computerweekly.com/news/366626336/MS-Co-op-attacks-a-Category-2-cyber-hurricane-say-UK-experts

Rest of the month

• VMware ESXi — VMware publishes advisory for CVE-2025-22224 and CVE-2025-22225 exploited as zero-day since Q2. Combination of heap overflow in VMCI + arbitrary kernel write = VM escape to host. Broadcom issues patches and CISA adds to KEV.
• Google Chrome — Google patches CVE-2025-6554 (type confusion in V8) already exploited in the wild. Fourth Chrome zero-day of the year.
• Cisco ISE — CVE-2025-20281 and CVE-2025-20282 (pre-auth RCE in Identity Services Engine, CVSS 10.0 and 10.0). Cisco PSIRT publishes patches; Censys counts ~750 ISEs exposed to internet pre-advisory.
• Anthropic — Claude for Education (mid-Jul): integration with OpenAthens for SSO, per-session audit trail, configurable retention controls. Move to capture university market under AI Act pressure.
• OpenAI — Operator GA moves from the January beta to general availability on 11 July. Same agentic API, expanded enterprise controls: action allowlists, human-in-the-loop by default in sensitive categories, structured logs that include the reasoning summary.

Cross-cutting pattern

If July has a thread, it’s the chain the attacker keeps when you patch but don’t rotate state. ToolShell steals MachineKeys, you patch, and you remain compromised by forged ViewState. Citrix Bleed 2 leaks sessions, you patch, and previously stolen tokens remain active until kill aaa session -all. The structural piece behind both incidents is the same: the patch closes the door the attacker came through; not rotating state leaves the copy of the key the attacker already had. It’s the lesson we keep repeating since Citrix Bleed 1 in 2023, since Storm-0558 in July 23, since Snowflake in 2024. Every year a new case confirms the same and every year a portion of the field learns.

For H2 2025 the calendar is marked. On 2 August the second layer of the AI Act enters application — GPAI obligations. The next Patch Tuesday closes pending gaps in SharePoint and SQL Server. Black Hat 33 + DEF CON 33 (4-10 Aug) bring presentations on ToolShell, post-spec-update MCP poisoning, and the DARPA AIxCC final. The September question — what Apple does with iOS 19 and what OpenAI ships if the GPT-5 rumour confirms — will start to be answered soon. See you in August with the AI Act GPAI technical post and the AIxCC extra from Las Vegas.