This week’s critical cybersecurity developments (July 21–27, 2025) encompass actively exploited zero-days, industrial control system vulnerabilities, and sophisticated ransomware and APT activity surfacing on underground forums. Microsoft SharePoint servers continue under siege via the “ToolShell” exploit chain (CVE-2025-49706, CVE-2025-49704), while Google Chrome’s V8 engine suffered an in-the-wild type-confusion zero-day (CVE-2025-6554). Multiple high-severity flaws in Honeywell’s Niagara Framework (CVE-2025-3936–CVE-2025-3945) risk smart-building safety. Dark web chatter reveals emergent RaaS platforms (BQTLOCK), mobile malware (Konfety), and state-linked espionage (Salt Typhoon).
Emerging Hacking Techniques
- Man-in-the-Middle CSRF Token Harvesting & Chain Exploits: Attackers intercept SharePoint anti-CSRF tokens via unencrypted Syslog traffic, then perform token-bound CSRF to create backdoor admin users and extract TLS keys for adversary-in-the-middle (AitM) attacks that enable code execution (ToolShell).
- V8 Type-Confusion for Arbitrary Read/Write: CVE-2025-6554 leverages a type-confusion flaw in Chrome’s V8 engine to attain arbitrary memory access via crafted HTML, resulting in remote code execution from sandboxed contexts.
- ICS MiTM via Shared Certificate Theft: On misconfigured Niagara Framework deployments, adversaries chain argument delimiter neutralization (CVE-2025-3945) with improper CSRF protection (CVE-2025-3943) to steal shared TLS keys, enabling root-level MiTM and RCE on SCADA devices.
- Dark Web RaaS Customization Portals: BQTLOCK’s onion-site interface allows affiliates to brand ransom notes, configure tiers, monitor infections in real time, and transact exclusively in Monero, signaling RaaS UX maturation.
Critical Vulnerabilities & Attack Campaigns
Niagara Framework Critical Flaws (CVE-2025-3936–CVE-2025-3945)
Overview
Nozomi Networks disclosed seven CVEs in Tridium’s Niagara Framework (used in HVAC, energy, and building management) that are fully exploitable when encryption is disabled, a misconfiguration; the most severe scored 9.8.
Technical Explanation
- CSRF Anti-Forgery Bypass (CVE-2025-3943): The platform logs refresh tokens unencrypted; an attacker performs CSRF via spinstall0.aspx to capture session IDs.
- Argument Delimiter Neutralization (CVE-2025-3945): Enables command injection in Platform’s management interface.
- Exploit Chain: CSRF token → new admin → private key exfiltration → root-level RCE via CVE-2025-3944 (Incorrect Permission Assignment).
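As an added defensive example (not code from the advisory, Nozomi Networks, or Tridium), the scanner below flags clear-text session material in collected syslog, the leak class CVE-2025-3943 describes above. The log line format, field names and token values are constructed for illustration, not real Niagara output.

```python
import math
import re

# Constructed sample syslog lines (hypothetical format, not real Niagara or
# SharePoint output): lines 2 and 3 carry a refresh token and a session id
# in clear text, which is exactly what an on-path attacker would harvest.
SAMPLE_SYSLOG = """\
<134>Jul 22 10:14:03 bms-host platform: login ok user=admin src=10.0.0.5
<134>Jul 22 10:14:04 bms-host platform: refresh_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.k9x2Qp7Lm3Zt
<134>Jul 22 10:14:05 bms-host platform: GET /ord?station:|slot:/ sessionid=7f3a9c1e4b2d8e6f0a1b2c3d4e5f6a7b
<134>Jul 22 10:14:06 bms-host platform: temperature setpoint changed zone=3 value=21.5
"""

# Field names whose values should never reach a plaintext log (assumed names).
SECRET_KEYS = re.compile(
    r"\b(refresh_token|access_token|sessionid|session_id|csrf_token|set-cookie)\s*[=:]\s*(\S+)",
    re.IGNORECASE,
)

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score higher than words or numbers."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def find_leaked_secrets(syslog_text: str, min_len: int = 16, min_entropy: float = 3.0) -> list[dict]:
    """Return one finding per secret-looking value found in the log text.

    A value is flagged only when it follows a known secret key name and is both
    long and high-entropy, so 'sessionid=none' style noise is not reported.
    """
    findings = []
    for lineno, line in enumerate(syslog_text.splitlines(), start=1):
        for m in SECRET_KEYS.finditer(line):
            key, value = m.group(1).lower(), m.group(2).rstrip(";,")
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                findings.append({"line": lineno, "key": key, "value_len": len(value)})
    return findings

if __name__ == "__main__":
    for f in find_leaked_secrets(SAMPLE_SYSLOG):
        print(f"line {f['line']}: plaintext {f['key']} ({f['value_len']} chars)")
```

Any hit is evidence that the collector, not just the attacker, sees credentials in the clear, so the fix is to stop logging the value and move syslog onto TLS rather than to filter the line.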
Impact/Risk
- Full device takeover in critical infrastructure
- Operational disruption of building automation
- Potential safety hazards (e.g., HVAC sabotage)
Takeaway for CISO
Harden Niagara instances per vendor guidelines: enable TLS encryption, disable unneeded services (Syslog), and patch to version 4.14.2u2/4.15.u1/4.10u.11.
CISA Industrial Control Systems Advisories (July 17–24)
Overview
CISA published nine ICS advisories covering Schneider Electric EcoStruxure components, Mitsubishi CNC series, LG cameras, Honeywell Experion PKS, and network thermostats between July 17–24, 2025.
Technical Explanation
- Multiple OS command injection flaws (CWE-78) in EcoStruxure Data Center Expert (CVE-2025-50121, CVSS 10.0) enable unauthenticated RCE via the HTTP interface.
- XXE in SoMachine Basic: Unrestricted XML external entities permit out-of-band (OOB) data exfiltration.
Impact/Risk
- RCE in critical manufacturing and energy controls
- Supply chain disruptions
- Data theft from industrial sensors
Takeaway for CISO
Review and apply all ICS vendor patches; segment OT networks and apply strict ACLs on ICS management interfaces.
Darkweb Intelligence Highlights
BQTLOCK Ransomware-as-a-Service
A new mid-July strain that appends the “.BQTLOCK” extension to files encrypted with AES-256/RSA-4096; it operates via an onion portal offering affiliate tiers, branding, and live dashboards, and communicates over Telegram/Twitter.
Konfety Android Malware
Distributed via third-party stores while masquerading as benign apps; it hides payloads in obfuscated APKs with encrypted runtime layers, redirects users to ad-fraud and phishing flows, and uses broadcast receivers and geofencing for evasion.
Salt Typhoon APT Activity
China-linked APT “Salt Typhoon” exploited multiple high-CVSS network device CVEs (e.g., SonicWall CVE-2025-23006) to breach a U.S. Army National Guard network, using SSH key manipulation, log tampering, and protocol tunneling for persistent espionage.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management