10th July 2025 Cyber Update: Critical Patches and Browser Hijacking Campaign Target Millions

Microsoft patches 137 vulnerabilities including critical SPNEGO flaw, SAP addresses record 27 security notes with maximum CVSS 10.0 vulnerability, while 2.3 million users fall victim to sophisticated browser extension hijacking campaign.

10th July 2025 Cyber Update: Critical Patches and Browser Hijacking Campaign Target Millions
Photo by Christina @ wocintechchat.com / Unsplash

Cyber News Centre's cyber update for 10th July 2025: Microsoft has released 137 security fixes in its largest Patch Tuesday of the year, including a high-risk flaw with self-propagating potential. SAP has issued a record-breaking set of critical patches, featuring a CVSS 10.0 vulnerability in its enterprise suite. Meanwhile, researchers have uncovered a browser hijacking campaign that compromised 2.3 million users through 18 extensions on the Chrome and Edge stores.

1. Microsoft Delivers 137 Security Fixes in July's Largest Patch Tuesday

Microsoft Corporation, the world's largest software company, provides operating systems, productivity software, and cloud services to billions of users globally. The company's monthly Patch Tuesday releases address security vulnerabilities across its vast product ecosystem, making these updates critical for enterprise and consumer security worldwide.

The Update and Why It Matters

Update: Microsoft's July 2025 Patch Tuesday addresses 137 security vulnerabilities, marking more than double the number fixed in June and ending an 11-month streak of patching actively exploited zero-day vulnerabilities. The release includes 14 critical-severity flaws and one publicly disclosed vulnerability in SQL Server (CVE-2025-49719) that could allow unauthorized access to uninitialized memory.

The most severe issue, CVE-2025-47981, carries a CVSS score of 9.8 and affects the Windows SPNEGO Extended Negotiation mechanism, potentially enabling "wormable" malware that could self-propagate across networks without user interaction. Security researchers warn this vulnerability could rival the impact of WannaCry, as it requires no authentication and affects Windows 10 version 1607 and above due to default Group Policy settings.


Why it Matters: The scale and severity of these vulnerabilities pose immediate risks to enterprise environments where Windows systems form the backbone of IT infrastructure. CVE-2025-47981's potential for self-propagation makes it particularly dangerous for organizations with interconnected systems, while the SQL Server vulnerability affects versions dating back to 2016, impacting countless database deployments.

Microsoft's acknowledgment that exploitation is "more likely" for several critical flaws, combined with the end-of-life status for SQL Server 2012, creates urgent patching priorities for IT administrators. The absence of actively exploited vulnerabilities this month provides a rare window for proactive defense, but the critical nature of these flaws demands immediate attention to prevent future compromise.


2. SAP Releases Record Security Updates Including Maximum CVSS 10.0 Vulnerability

SAP SE is a German multinational software corporation that develops enterprise software to manage business operations and customer relations. As the world's largest enterprise resource planning (ERP) software vendor, SAP's applications manage critical business processes for over 440,000 customers in more than 180 countries, making security vulnerabilities in its products particularly impactful for global commerce.

The Update and Why It Matters

Update: SAP's July 2025 Security Patch Day delivered a record-breaking 27 new security notes plus four updates, representing twice the average monthly output and addressing multiple critical vulnerabilities across core enterprise systems. The most severe flaw, CVE-2025-30012, received the maximum CVSS score of 10.0 after being reclassified from its initial low-severity rating in May.

This vulnerability in the Supplier Relationship Management Live Auction Cockpit allows unauthenticated attackers to execute arbitrary operating system commands through insecure deserialization of crafted requests. Five additional critical vulnerabilities (CVSS 9.1-9.9) target NetWeaver components through similar deserialization attacks, while CVE-2025-42967 enables code injection in S/4HANA and SCM systems.

Security firm Onapsis, which collaborated with SAP's Product Security Research Team on these discoveries, warns that successful exploitation bypasses traditional SAP security controls and could enable ransomware deployment on critical business systems.


Why it Matters: These vulnerabilities represent the same class of security flaws recently exploited in massive global attacks attributed to sophisticated China-nexus threat actors, creating immediate concern for enterprise security teams. The maximum CVSS 10.0 rating for CVE-2025-30012 indicates complete system compromise potential, while the concentration of deserialization vulnerabilities suggests coordinated research efforts by both security researchers and potential attackers.

JP Perez-Etchegoyen from Onapsis emphasizes that exploitation could result in "espionage, sabotage, or fraud" with full system control, making these patches critical for organizations managing sensitive business data. The record number of patches also highlights the increasing scrutiny of enterprise software security, particularly as threat actors shift focus to high-value business applications that traditional endpoint security may not adequately protect.


3. Massive Browser Hijacking Campaign Compromises 2.3 Million Chrome and Edge Users

Google Chrome and Microsoft Edge represent the dominant web browsers globally, with Chrome commanding over 60% market share and Edge serving as Windows' default browser. Both platforms maintain official extension stores that undergo review processes to protect users from malicious software, making successful infiltration of these trusted channels particularly concerning for user security and platform integrity.

The Update and Why It Matters

Update: Security researchers at Koi Security have uncovered the "RedDirection" campaign, a sophisticated browser hijacking operation that compromised 18 extensions across Chrome and Edge web stores, affecting over 2.3 million users worldwide. The malicious extensions, including popular tools like the Geco color picker with 100,000+ downloads and Google's verified badge, initially provided legitimate functionality before receiving silent updates that deployed surveillance code.

These "sleeper agent" extensions remained clean for years before cybercriminals introduced malicious background service workers that capture visited URLs, transmit data to command-and-control servers with unique tracking identifiers, and enable automatic browser redirections. The campaign's sophistication extends beyond simple malware distribution, with extensions maintaining high ratings, featured placement, and verification badges that misled users about their safety. Idan Dardikman from Koi Security describes the operation as "a carefully crafted Trojan horse" rather than obvious scam software, highlighting the campaign's professional execution and long-term planning.


Why it Matters: This campaign exposes critical vulnerabilities in browser extension security models, where auto-update mechanisms can silently transform trusted productivity tools into surveillance networks without user knowledge or consent. The ability to maintain legitimate functionality while conducting covert data collection demonstrates advanced threat actor capabilities that challenge traditional security assumptions about official software repositories.

The scale of compromise, affecting millions of users across both major browser platforms, suggests coordinated efforts to establish persistent access to browsing data for potential future exploitation. Most concerning is the campaign's demonstration that verification badges and positive reviews can be weaponized to build false trust, potentially enabling more sophisticated attacks like credential theft or malware distribution through convincing redirect scenarios that users would trust based on the extension's established reputation.


Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to Cyber News Centre.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.