10th July 2025 Cyber Update: Critical Patches and Browser Hijacking Campaign Target Millions

Update: Microsoft's July 2025 Patch Tuesday addresses 137 security vulnerabilities, marking more than double the number fixed in June and ending an 11-month streak of patching actively exploited zero-day vulnerabilities. The release includes 14 critical-severity flaws and one publicly disclosed vulnerability in SQL Server (CVE-2025-49719) that could allow unauthorized access to uninitialized memory.

The most severe issue, CVE-2025-47981, carries a CVSS score of 9.8 and affects the Windows SPNEGO Extended Negotiation mechanism, potentially enabling "wormable" malware that could self-propagate across networks without user interaction. Security researchers warn this vulnerability could rival the impact of WannaCry, as it requires no authentication and affects Windows 10 version 1607 and above due to default Group Policy settings.

Why it Matters: The scale and severity of these vulnerabilities pose immediate risks to enterprise environments where Windows systems form the backbone of IT infrastructure. CVE-2025-47981's potential for self-propagation makes it particularly dangerous for organizations with interconnected systems, while the SQL Server vulnerability affects versions dating back to 2016, impacting countless database deployments.

Microsoft's acknowledgment that exploitation is "more likely" for several critical flaws, combined with the end-of-life status for SQL Server 2012, creates urgent patching priorities for IT administrators. The absence of actively exploited vulnerabilities this month provides a rare window for proactive defense, but the critical nature of these flaws demands immediate attention to prevent future compromise.

Update: SAP's July 2025 Security Patch Day delivered a record-breaking 27 new security notes plus four updates, representing twice the average monthly output and addressing multiple critical vulnerabilities across core enterprise systems. The most severe flaw, CVE-2025-30012, received the maximum CVSS score of 10.0 after being reclassified from its initial low-severity rating in May.

This vulnerability in the Supplier Relationship Management Live Auction Cockpit allows unauthenticated attackers to execute arbitrary operating system commands through insecure deserialization of crafted requests. Five additional critical vulnerabilities (CVSS 9.1-9.9) target NetWeaver components through similar deserialization attacks, while CVE-2025-42967 enables code injection in S/4HANA and SCM systems.

Security firm Onapsis, which collaborated with SAP's Product Security Research Team on these discoveries, warns that successful exploitation bypasses traditional SAP security controls and could enable ransomware deployment on critical business systems.

Why it Matters: These vulnerabilities represent the same class of security flaws recently exploited in massive global attacks attributed to sophisticated China-nexus threat actors, creating immediate concern for enterprise security teams. The maximum CVSS 10.0 rating for CVE-2025-30012 indicates complete system compromise potential, while the concentration of deserialization vulnerabilities suggests coordinated research efforts by both security researchers and potential attackers.

JP Perez-Etchegoyen from Onapsis emphasizes that exploitation could result in "espionage, sabotage, or fraud" with full system control, making these patches critical for organizations managing sensitive business data. The record number of patches also highlights the increasing scrutiny of enterprise software security, particularly as threat actors shift focus to high-value business applications that traditional endpoint security may not adequately protect.

Update: Security researchers at Koi Security have uncovered the "RedDirection" campaign, a sophisticated browser hijacking operation that compromised 18 extensions across Chrome and Edge web stores, affecting over 2.3 million users worldwide. The malicious extensions, including popular tools like the Geco color picker with 100,000+ downloads and Google's verified badge, initially provided legitimate functionality before receiving silent updates that deployed surveillance code.

These "sleeper agent" extensions remained clean for years before cybercriminals introduced malicious background service workers that capture visited URLs, transmit data to command-and-control servers with unique tracking identifiers, and enable automatic browser redirections. The campaign's sophistication extends beyond simple malware distribution, with extensions maintaining high ratings, featured placement, and verification badges that misled users about their safety. Idan Dardikman from Koi Security describes the operation as "a carefully crafted Trojan horse" rather than obvious scam software, highlighting the campaign's professional execution and long-term planning.

Why it Matters: This campaign exposes critical vulnerabilities in browser extension security models, where auto-update mechanisms can silently transform trusted productivity tools into surveillance networks without user knowledge or consent. The ability to maintain legitimate functionality while conducting covert data collection demonstrates advanced threat actor capabilities that challenge traditional security assumptions about official software repositories.

The scale of compromise, affecting millions of users across both major browser platforms, suggests coordinated efforts to establish persistent access to browsing data for potential future exploitation. Most concerning is the campaign's demonstration that verification badges and positive reviews can be weaponized to build false trust, potentially enabling more sophisticated attacks like credential theft or malware distribution through convincing redirect scenarios that users would trust based on the extension's established reputation.