🚨 𝐎𝐩. 𝐄𝐧𝐝𝐠𝐚𝐦𝐞 3.0 𝐃𝐢𝐬𝐦𝐚𝐧𝐭𝐥𝐞𝐬 𝐑𝐡𝐚𝐝𝐚𝐦𝐚𝐧𝐭𝐡𝐲𝐬, 𝐕𝐞𝐧𝐨𝐦𝐑𝐀𝐓 𝐚𝐧𝐝 𝐄𝐥𝐲𝐬𝐢𝐮𝐦

The third "season" of Operation Endgame resulted in:
🗄️ Over 1025 servers taken down or disrupted
🌐 20 domains seized
🚪 11 locations searched
👮 One arrest

📰 https://www.infosecurity-magazine.com/news/operation-endgame-3-dismantles/

𝐏𝐎𝐃𝐂𝐀𝐒𝐓 - 𝐇𝐨𝐰 𝐏𝐫𝐢𝐯𝐚𝐭𝐞 𝐑𝐞𝐬𝐞𝐚𝐫𝐜𝐡𝐞𝐫𝐬 𝐀𝐫𝐞 𝐓𝐚𝐤𝐢𝐧𝐠 𝐃𝐨𝐰𝐧 𝐑𝐚𝐧𝐬𝐨𝐦𝐰𝐚𝐫𝐞 𝐎𝐩𝐞𝐫𝐚𝐭𝐢𝐨𝐧𝐬

I sat down with Matthew Maynard, a cybersecurity pro by day and a cyber ghost-buster by night, who doesn’t just hunt vulnerabilities, but haunts the hackers themselves.

🎧 Listen here: https://feeds.soundcloud.com/users/soundcloud:users:619327530/sounds.rss

𝐕𝐨𝐭𝐫𝐞 𝐕𝐏𝐍 𝐞𝐬𝐭-𝐢𝐥 𝐮𝐧 𝐜𝐡𝐞𝐯𝐚𝐥 𝐝𝐞 𝐓𝐫𝐨𝐢𝐞 𝐜𝐡𝐢𝐧𝐨𝐢𝐬 ? 🇨🇳

D’après 3 études, des dizaines d’applis VPN (Google Play Store/Apple App Store) sont liées entre elles… et certaines appartiennent à Qihoo 360, proche de l’armée chinoise.

🔗 Nouvelle édition de Coupe-Circuit : https://coupecircuit.substack.com/p/tous-les-vpn-ne-se-valent-pas

🔎 VulnWatch Friday: CVE-2025-57819 🔓

The Sangoma FreePBX Security Team has warned of a vulnerability being exploited in the wild.

FreePBX is an open-source graphical user interface (GUI) for managing Asterisk, the popular open-source Private Branch Exchange (PBX) and telephony platform.

It simplifies the configuration and administration of Voice over IP (VoIP) systems, making it accessible to businesses and individuals without deep technical expertise in Asterisk.

The critical flaw, tracked as CVE-2025-57819, affects FreePBX versions 15, 16 and 17. When exploited, it can allow unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution.

🔧 Fix? FreePBX 15.0.66, 16.0.89 and 17.0.3.

🔎 Security advisory: https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203
💾 Download JSON: https://cveawg.mitre.org/api/cve/CVE-2025-57819

🧐 VulnWatch Wednesday: CVE-2025-7775 🔓

Citrix has released patches for three critical zero days in NetScaler ADC and Gateway, one of which was already being exploited by attackers.

According to Kevin Beaumont, exploit campaigns 🎯CVE-2025-7775 began before the patches were made available.

📰 My story on Infosecurity Magazine: https://www.infosecurity-magazine.com/news/citrix-patch-netscaler-zero-days/
🔎 Citrix's security advisory: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938

🧐 VulnWatch Wednesday: CVE-2025-31324 🔓

A critical vulnerability in SAP NetWeaver AS Java Visual Composer, tracked as CVE-2025-31324, is now being widely exploited following the release of public exploit tooling.

The flaw, patched in April 2025, allows unauthenticated remote code execution via the platform’s metadata uploader endpoint.

🆕 What’s new is the public availability of the full source code, which makes the exploit easy to use even for attackers with little technical expertise.

“With the source code now widely available, even script kiddies can leverage it,” said Jonathan Stross, SAP Security Analyst at Pathlock.

📰 Read our latest story on Infosecurity Magazine: https://www.infosecurity-magazine.com/news/sap-netweaver-flaw-exploit-released/
💾 Download JSON: https://cveawg.mitre.org/api/cve/CVE-2025-31324

𝐋𝐞𝐠𝐢𝐭𝐢𝐦𝐚𝐭𝐞 𝐂𝐡𝐫𝐨𝐦𝐞 𝐕𝐏𝐍 𝐄𝐱𝐭𝐞𝐧𝐬𝐢𝐨𝐧 𝐓𝐮𝐫𝐧𝐬 𝐭𝐨 𝐁𝐫𝐨𝐰𝐬𝐞𝐫 𝐒𝐩𝐲𝐰𝐚𝐫𝐞

A popular Google-featured browser extension offering a VPN service recently turned malicious and is now spying on users’ every move online.

🕵️ Researchers from Koi Security detected that FreeVPN.One, a VPN extension with over 100,000 installs on the Google Chrome Web Store, a ‘Verified’ status and a 3.8/5 rating from 1110 reviews, has been acting as spyware for the past five months.

The researchers contacted the developer of FreeVPN.One, but their explanations for the extension’s behavior failed to align with the researchers’ observations.

⚠️ This new research, published on 𝑰𝒏𝒕𝒆𝒓𝒏𝒂𝒕𝒊𝒐𝒏𝒂𝒍 𝑽𝑷𝑵 𝑫𝒂𝒚, is a reminder that not all VPNs are equal and that many so-called privacy tools can be malicious, while even reputable commercial providers often lack transparency about the data they collect from users.

📰 Read my story here: https://www.infosecurity-magazine.com/news/chrome-vpn-extension-spyware/

📜 Read the full Koi Security report here: https://koi-security.webflow.io/blog/spyvpn-the-vpn-that-secretly-captures-your-screen#heading-3

👀 VulnWatch Monday: CVE-2025-25256 🔓

watchTowr Labs has published a technical analysis of CVE-2025-25256, a critical pre-auth command injection vulnerability in Fortinet's FortiSIEM, as well as a detection artifact generator.

🔧 Fix? Yes: from FortiSIEM 6.7 from 6.7.10; FortiSIEM 7.0 from 7.0.4; FortiSIEM 7.1 from 7.1.8; FortiSIEM 7.2 from 7.2.6; FortiSIEM 7.3 from 7.3.2; FortiSIEM 7.4.

🔎 Fortinet PSIRT's security advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-152
🐞 watchTowr's analysis: https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-all-wrong-fortinet-fortisiem-pre-auth-command-injection-cve-2025-25256/
🐱 watchTowr's detection artifact generator: https://github.com/watchtowrlabs/watchTowr-vs-FortiSIEM-CVE-2025-25256?ref=labs.watchtowr.com
💾 Download XML: https://www.fortiguard.com/psirt/cvrf/FG-IR-25-152
💾 Download JSON: https://cveawg.mitre.org/api/cve/CVE-2025-25256

🚫 Elon Musk suspend à son tour FreeWechat alors que GreatFire s’entoure de 17 organisations de défense des droits humains pour faire pression sur Tencent/Group-IB et l’hébergeur.

Et aussi: 🇷🇺🇮🇷🇸🇾🇸🇩🍆

Cette semaine dans Coupe-circuit : https://open.substack.com/pub/coupecircuit/p/freewechat-elon-musk-complice-de?r=zesd&utm_medium=ios

Appli bloquée en Éthiopie = indisponible en Palestine

Saviez-vous qu'une application Android bloquée en Afghanistan le sera aussi en Mauritanie ? Et qu'une application qui disparaît du Google Play Store à Madagascar sera indisponible au Kosovo ?

L'explication ici: https://coupecircuit.substack.com/p/bloquer-une-app-en-ethiopie-la-bloque

🔎 VulnWatch Friday: CVE-2025-7624 🔓

In a July 21 security advisory, Sophos shared the patches for 5️⃣ vulnerabilities affecting its products.

One of the two critical vulnerabilities, tracked as CVE-2025-7624 is an SQL injection in the legacy SMTP proxy of some Sophos Firewall versions.

Sophos stated that it has not observed any of the five vulnerabilities being exploited at this time.

🔧 Fixes? Yes: Every Critical and High severity vulnerability was remediated through hotfixes. No action is required for Sophos Firewall customers to receive these fixes with the "Allow automatic installation of hotfixes" feature enabled on remediated versions.

🔗 Sophos' security advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce
💾 Download JSON: https://cveawg.mitre.org/api/cve/CVE-2025-7624

🧐 VulnWatch Wednesday: CVE-2025-54309 🔓

Unfortunately, it's not 'just' about SharePoint this week...

At least 10,000 CrushFTP instances are vulnerable to a critical flaw, which is currently being exploited by attackers, affecting the file transfer solution, according to The Shadowserver Foundation and Rapid7.

The vulnerability, tracked as CVE-2025-54309, involves a mishandling of AS2 validation in all versions of CrushFTP servers prior to 10.8.5 and prior to 11.3.4_23.

🐞 It can be exploited when the demilitarized zone (DMZ) proxy feature is not used.
When exploited, CVE-2025-54309 allows remote attackers to obtain admin access via HTTPS.

🔧 Fix? Yes: CrushFTP 11.3.4_26 and CrushFTP 10.8.5_12.

🔎 My article on Infosecurity Magazine: https://www.infosecurity-magazine.com/news/crushftp-critical-vulnerability/
🔐 The CrushFTP security advisory: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
🐞 The Rapid7 blog post: https://www.rapid7.com/blog/post/crushftp-zero-day-exploited-in-the-wild/
💾 Download JSON: https://cveawg.mitre.org/api/cve/CVE-2025-54309

𝐍𝐄𝐖 👮 𝐒𝐮𝐬𝐩𝐞𝐜𝐭𝐞𝐝 𝐗𝐒𝐒 𝐅𝐨𝐫𝐮𝐦 𝐀𝐝𝐦𝐢𝐧 𝐀𝐫𝐫𝐞𝐬𝐭𝐞𝐝 𝐢𝐧 𝐔𝐤𝐫𝐚𝐢𝐧𝐞

A man suspected of administering the Russian-language cybercrime forum XSS was arrested in Ukraine on July 22.

📴 The Ukrainian and French law enforcement agencies have also seized the XSS domains.

https://www.infosecurity-magazine.com/news/suspected-xss-forum-admin-arrested/

𝐍𝐄𝐖 🐞 𝐒𝐡𝐚𝐫𝐞𝐏𝐨𝐢𝐧𝐭 ‘𝐓𝐨𝐨𝐥𝐒𝐡𝐞𝐥𝐥’ 𝐕𝐮𝐥𝐧𝐬 𝐄𝐱𝐩𝐥𝐨𝐢𝐭𝐞𝐝 𝐛𝐲 𝐂𝐡𝐢𝐧𝐞𝐬𝐞 𝐇𝐚𝐜𝐤𝐞𝐫𝐬

Microsoft has observed three China-based threat actors, Linen Typhoon, Violet Typhoon and Storm-2603, exploiting the SharePoint vulnerabilities dubbed as 'ToolShell.'

https://www.infosecurity-magazine.com/news/sharepoint-toolshell-chinese/

👀 VulnWatch Monday: CVE-2025-53770 🔓

CVE-2025-53770, aka 'ToolShell' is the talk of the cybersecurity-focused internet today!

Read the full Infosecurity Magazine analysis: https://www.infosecurity-magazine.com/news/microsoft-compromising-sharepoint/

💾 Download JSON here: https://cveawg.mitre.org/api/cve/CVE-2025-53770

Censure chinoise : @greatfirechina contre-attaque ✊

Episode 02 de l'affaire FreeWeChat (Tencent/Group-IB vs GreatFire) dans la dernière édition de Coupe-circuit ⤵️

Mais aussi les derniers blocages en date : 🇵🇰🇧🇩🇷🇺🇹🇬

C'est par ici: https://open.substack.com/pub/coupecircuit/p/freewechat-long-greatfire-contre?r=zesd&utm_campaign=post&utm_medium=web&showWelcomeOnShare=true

Why is a respected Singapore-based cybersecurity company involved in a SLAPP lawsuit against a Chinese anti-censorship NGO?

In the new edition of @coupecircuit I explore an intriguing case in which Tencent could be leveraging non-Chinese private companies to enforce censorship.

Read the latest edition of my newsletter here (in French) ⬇️

https://infosec.exchange/@coupecircuit/114856638097516608

Quand la censure de Pékin passe par Singapour et les Etats-Unis 🇨🇳🇸🇬🇺🇸

@greatfirechina, ONG contre la censure numérique chinoise, victime d’une procédure-bâillon impliquant Tencent, propriétaire de WeChat),
@cloudflare
et Group-IB, une entreprise de cybersécurité respectée.

https://open.substack.com/pub/coupecircuit/p/group-ib-entreprise-respectee-a-la?r=zesd&utm_campaign=post&utm_medium=web&showWelcomeOnShare=false

🔎 VulnWatch Friday: CVE-2025-25257 🔓

On July 8, 2025, Fortinet released fixes for a critical vulnerability in FortiWeb that could allow an unauthenticated threat actor to execute SQL commands via crafted HTTP or HTTPS requests.

The flaw lies in the Graphical User Interface (GUI) component and stems from improper neutralization of special elements used in SQL statements.

While no in-the-wild exploitation has been observed at the time of writing, Fortinet products have historically been frequent targets for threat actors.

🔧 Fix? FortiWeb 7.6.4 and above, 7.4.8 and above, 7.2.11 and above, 7.0.11 and above.

🔎 Fortinet's security advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-151
💾 Download CVRF: https://fortiguard.fortinet.com/psirt/cvrf/FG-IR-25-151

🧐 VulnWatch Wednesday: CVE-2025-47981 🔓

In its July Patch Tuesday, Microsoft patched CVE-2025-47981, a critical RCE flaw in SPNEGO, a protocol used in computer networks to help two parties securely agree on how to authenticate each other.

📰 My coverage of Microsoft's July 2025 Patch Tuesday: https://www.infosecurity-magazine.com/news/microsoft-patch-tuesday-july-2025/
🔎 Microsoft's Patch Tuesday list of vulnerabilities: https://msrc.microsoft.com/update-guide/releaseNote/2025-Jul
💾 Download JSON for CVE-2025-47981: https://cveawg.mitre.org/api/cve/CVE-2025-47981