Apple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome
Apple on Tuesday released security updates for its entire software portfolio, including a fix for a vulnerability that Google said was exploited as a zero-day in the Chrome web browser earlier this month.
The vulnerability, tracked as CVE-2025-6558 (CVSS score: 8.8), is an incorrect validation of untrusted input in the browser’s ANGLE and GPU components that could result in a sandbox escape via a crafted HTML page.
While there are no details on how the issue has been weaponized by threat actors, Google acknowledged that an “exploit for CVE-2025-6558 exists in the wild.” Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG) have been credited with discovering and reporting the shortcoming.
Apple's updates also patch CVE-2025-6558, which it lists under WebKit, the engine behind Safari. WebKit ships its own copy of ANGLE (the graphics abstraction layer used for WebGL), which is why a single bug in that component reaches both Chrome and Safari.
Source: The Hacker News / BleepingComputer / SecurityWeek
Link: https://thehackernews.com/2025/07/apple-patches-safari-vulnerability-also.html
Link: https://www.securityweek.com/apple-patches-safari-vulnerability-flagged-as-exploited-against-chrome/
Sophos and SonicWall Patch Critical RCE Flaws Affecting Firewalls and SMA 100 Devices
Sophos and SonicWall have warned customers of critical flaws in Sophos Firewall and in SonicWall's Secure Mobile Access (SMA) 100 Series appliances, respectively, that could be exploited to achieve remote code execution.
The two vulnerabilities impacting Sophos Firewall are listed below –
- CVE-2025-6704 (CVSS score: 9.8) – An arbitrary file write vulnerability in the Secure PDF eXchange (SPX) feature can lead to pre-auth remote code execution, if a specific SPX configuration is enabled and the firewall is running in High Availability (HA) mode
- CVE-2025-7624 (CVSS score: 9.8) – An SQL injection vulnerability in the legacy (transparent) SMTP proxy can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA
Because both bugs depend on those specific configurations, Sophos said CVE-2025-6704 affects only about 0.05% of devices and CVE-2025-7624 as many as 0.73%. Both were fixed alongside a high-severity command injection in the WebAdmin component (CVE-2025-7382, CVSS score: 8.8) that could lead to pre-auth code execution on HA auxiliary devices, if OTP authentication is enabled for the admin user.
Source: The Hacker News / SecurityWeek
Link: https://thehackernews.com/2025/07/sophos-and-sonicwall-patch-critical-rce.html
Link: https://www.securityweek.com/critical-vulnerabilities-patched-in-sophos-firewall/
Kali Linux can now run in Apple containers on macOS systems
Security professionals and researchers can now run Kali Linux as a container on Apple Silicon Macs running macOS Sequoia, using Apple's new Containerization framework.
Announced at WWDC 2025, the framework runs each Linux container inside its own lightweight virtual machine on Apple Silicon hardware, a model comparable to Windows Subsystem for Linux 2 (WSL2).
To get started, users on macOS Sequoia with Apple Silicon can install the container CLI via Homebrew and initialize Apple’s container framework:
brew install --cask container
container system start
You can then launch Kali Linux with the following command, which pulls the kalilinux/kali-rolling image from Docker Hub and runs it in its own lightweight Linux VM:
container run --rm -it kalilinux/kali-rolling
You can also mount a local directory into the Kali container, with a command like:
container run --remove --interactive --tty --volume $(pwd):/mnt --workdir /mnt docker.io/kalilinux/kali-rolling:latest
This gives the container access to the host files under that directory. Since $(pwd) is whatever directory you happen to be in, run it from a dedicated working directory so the container sees, and can modify, only what you intend.
The feature is limited to Apple Silicon; Intel Macs are not supported.
Source: BleepingComputer
Hackers exploit SAP NetWeaver bug to deploy Linux Auto-Color malware
Hackers were spotted exploiting a critical SAP NetWeaver vulnerability tracked as CVE-2025-31324 to deploy the Auto-Color Linux malware in a cyberattack on a U.S.-based chemicals company.
Cybersecurity firm Darktrace discovered the attack during an incident response engagement in April 2025; the investigation showed that Auto-Color had gained additional evasion techniques since it was first described.
Darktrace reports that the first activity was seen on April 25, with exploitation two days later delivering an ELF (Linux executable) file to the targeted machine.
The Auto-Color malware was first documented by Palo Alto Networks’ Unit 42 researchers in February 2025, who highlighted its evasive nature and difficulty in eradicating once it has established a foothold on a machine.
The backdoor adjusts its behavior to the privilege level it runs with, and persists by registering itself in ld.so.preload, so the dynamic loader injects the malicious shared object into every dynamically linked program that starts.
Source: BleepingComputer
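The ld.so.preload persistence described above is cheap to check for directly. The following is an added example, not code from Darktrace, Unit 42 or the article: it parses /etc/ld.so.preload the way glibc's loader does (whitespace or ':' separated, '#' comments) and tags entries that look out of place. The trusted-directory list, the tag names and the sample file content are this example's own assumptions. One caveat: a library already injected this way can hook the file I/O that userland tools rely on, so when you suspect a compromise read the file from a trusted environment (a rescue image, or the host filesystem from outside the affected system) rather than from the suspect host itself.

```python
"""Triage the entries in /etc/ld.so.preload, the file the Auto-Color backdoor
is reported to use for persistence.  glibc's loader reads this file at every
dynamic program start and maps each listed object into the process, so a rogue
entry here is injected into nearly everything on the box."""
import os
import stat

# Where a legitimate preload library normally lives (assumption; adjust per distro).
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")


def parse_preload(text):
    """Extract library paths the way glibc's loader does: whitespace or ':'
    separates entries and '#' introduces a comment."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.replace(":", " ").split())
    return libs


def fs_lookup(path):
    """Real filesystem lookup: (uid, mode) of the entry's target, or None if missing."""
    try:
        st = os.stat(path)          # follows symlinks, like the loader's open()
    except FileNotFoundError:
        return None
    return st.st_uid, st.st_mode


def assess_entry(path, lookup=fs_lookup):
    """Return short tags describing why an entry looks wrong; [] means nothing odd."""
    tags = []
    if not path.startswith("/"):
        tags.append("relative")         # resolved at runtime, not pinned to one file
    real = os.path.realpath(path)       # see through a symlink that points out of /usr/lib
    if not any(real == d or real.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
        tags.append("untrusted_dir")
    if any(part.startswith(".") for part in real.split("/") if part):
        tags.append("hidden")
    info = lookup(path)
    if info is None:
        tags.append("missing")          # stale entry, or the file is being hidden from us
        return tags
    uid, mode = info
    if uid != 0:
        tags.append("non_root")
    if mode & stat.S_IWOTH:
        tags.append("world_writable")
    return tags


def triage(text, lookup=fs_lookup):
    """Map every preload entry to its tags; any non-empty list deserves a look."""
    return {lib: assess_entry(lib, lookup) for lib in parse_preload(text)}


# Constructed sample content (not a real Auto-Color artefact) and a stand-in
# lookup table so the sample runs identically on any machine.
SAMPLE_PRELOAD = (
    "/lib/libfoo.so                    # a packaged library, normal\n"
    "/dev/shm/.x/libdemo.so  libbar.so # an odd location plus a relative name\n"
)
SAMPLE_FILES = {"/lib/libfoo.so": (0, 0o100644), "/dev/shm/.x/libdemo.so": (1000, 0o100666)}


def sample_lookup(path):
    return SAMPLE_FILES.get(path)


if __name__ == "__main__":
    # On a live host: triage(open("/etc/ld.so.preload").read())
    for lib, tags in triage(SAMPLE_PRELOAD, sample_lookup).items():
        print(f"{lib:28} {'OK' if not tags else ', '.join(tags)}")
```

On a real host, call triage() with the file contents and the default fs_lookup; an empty file, or no file at all, is the normal state on most systems, so any entry at all is worth explaining.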
Palo Alto Networks Grabs IAM Provider CyberArk for $25B
Palo Alto Networks has agreed to acquire CyberArk for approximately $25 billion, thrusting the networking and next-generation firewall giant into the identity and access management (IAM) space.
Under terms of the agreement, which was announced Wednesday morning, CyberArk shareholders will receive $45 in cash and approximately 2.2 shares of Palo Alto Networks common stock per CyberArk share. The deal is expected to close during the second half of Palo Alto Networks’ fiscal 2026.
CyberArk, founded in 1999, built its business on privileged access management (PAM) and later broadened into single sign-on, multifactor authentication and machine identity services. The vendor made numerous acquisitions of its own over the years, the most notable being last year's $1.54 billion purchase of Venafi, a machine identity management specialist.
The addition of CyberArk gives Palo Alto Networks a key piece for its widening cybersecurity portfolio. Since its founding in 2005, the company has steadily expanded beyond its network security and firewall roots into cloud security, extended detection and response, and secure access service edge.
Source: Dark Reading / SecurityWeek
Link: https://www.securityweek.com/palo-alto-networks-to-acquire-cyberark-for-25-billion/
IR Trends Q2 2025: Phishing attacks persist as actors leverage compromised valid accounts to enhance legitimacy
Phishing remained the top method of initial access this quarter, appearing in a third of all engagements – a decrease from 50 percent last quarter. Threat actors largely leveraged compromised internal or trusted business partner email accounts to deploy malicious emails, bypassing security controls and gaining targets’ trust. Interestingly, the objective of the majority of observed phishing attacks appeared to be credential harvesting, suggesting cybercriminals may consider brokering compromised credentials as simpler and more reliably profitable than other post-exploitation activities, such as engineering a financial payout or stealing proprietary data.
Ransomware and pre-ransomware incidents made up half of all engagements this quarter, similar to last quarter. Cisco Talos Incident Response (Talos IR) responded to Qilin ransomware for the first time, identifying previously unreported tools and tactics, techniques, and procedures (TTPs), including a new data exfiltration method. Our observations of Qilin activity indicate a potential expansion of the group and/or an increase in operational tempo in the foreseeable future, warranting this as a threat to monitor. Additionally, ransomware actors leveraged a dated version of PowerShell, PowerShell 1.0, in a third of ransomware and pre-ransomware engagements this quarter, likely to evade detection and gain more flexibility for their offensive capabilities.
Source: Cisco Talos Intelligence Group
Link: https://blog.talosintelligence.com/ir-trends-q2-2025/
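The PowerShell downgrade noted in the Talos findings leaves a trace that is easy to check: the Windows PowerShell log's Event ID 400 ("Engine state is changed") records both the HostVersion of the launching process and the EngineVersion it actually loaded, and an explicitly requested engine also appears in the HostApplication command line. The following is an added example, not Talos code, that applies those checks to constructed event bodies. The threshold of version 5 reflects that script block logging and AMSI integration arrived with PowerShell 5; the event layout is abbreviated and the sample lines are invented.

```python
"""Flag PowerShell engine downgrades in Windows PowerShell Event ID 400
("Engine state is changed") messages, which record the version of the host
process and the engine it actually loaded.  Engines before version 5 predate
script block logging and AMSI, so a session on one of them leaves far fewer
traces, which is the attraction for an intruder."""
import re

ENGINE_RE = re.compile(r"EngineVersion=(\d+)\.(\d+)")
HOST_RE = re.compile(r"HostVersion=(\d+)\.(\d+)")
HOSTAPP_RE = re.compile(r"HostApplication=(.*)")
# An engine requested explicitly on the command line: "-v 2", "-Version 1.0", ...
VERSION_SWITCH_RE = re.compile(r"(?i)-v(?:ersion)?\s+([12])(?:\.0)?\b")

LOGGING_FLOOR = 5   # first engine major version with script block logging and AMSI


def parse_event(message):
    """Pull the fields we need out of one Event 400 message body, or None if absent."""
    eng = ENGINE_RE.search(message)
    host = HOST_RE.search(message)
    app = HOSTAPP_RE.search(message)
    if not (eng and host):
        return None
    return {
        "engine": int(eng.group(1)),
        "host": int(host.group(1)),
        "host_app": app.group(1).strip() if app else "",
    }


def downgrade_reasons(message, floor=LOGGING_FLOOR):
    """Return the reasons this event looks like a downgrade; [] means it looks normal."""
    ev = parse_event(message)
    if ev is None:
        return []
    reasons = []
    if ev["engine"] < ev["host"]:
        reasons.append(f"engine v{ev['engine']} started by host v{ev['host']}")
    if ev["engine"] < floor:
        reasons.append(f"engine v{ev['engine']} below logging floor v{floor}")
    # The requested version is checked on its own: asking for an old engine is
    # suspicious regardless of which engine ended up being loaded.
    m = VERSION_SWITCH_RE.search(ev["host_app"])
    if m:
        reasons.append(f"explicit -version {m.group(1)} on the command line")
    return reasons


def find_downgrades(messages, floor=LOGGING_FLOOR):
    """Index -> reasons for every message that trips at least one rule."""
    hits = {}
    for i, msg in enumerate(messages):
        reasons = downgrade_reasons(msg, floor)
        if reasons:
            hits[i] = reasons
    return hits


# Constructed, abbreviated Event 400 bodies (real ones carry more fields).
SAMPLE_EVENTS = [
    "Engine state is changed from None to Available.\n"
    "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
    "\tHostApplication=powershell.exe\n\tEngineVersion=5.1.19041.1\n",
    "Engine state is changed from None to Available.\n"
    "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
    "\tHostApplication=powershell -v 2 -nop -w hidden -e SQBFAFgA\n\tEngineVersion=2.0\n",
    "Engine state is changed from None to Available.\n"
    "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
    "\tHostApplication=powershell -Version 1.0 -c Get-Date\n\tEngineVersion=2.0\n",
]

if __name__ == "__main__":
    for idx, reasons in find_downgrades(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

Feed it the message bodies of Event 400 from the "Windows PowerShell" log (not the newer Microsoft-Windows-PowerShell/Operational channel, which the old engine does not write to). The complementary preventive control is to remove the PowerShell 2.0 engine feature from hosts that do not need it.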
Why CISOs should rethink identity risk through attack paths
Identity-based attack paths are behind most breaches today, yet many organizations can’t actually see how those paths form. The 2025 State of Attack Path Management report from SpecterOps makes the case that traditional tools like identity governance, PAM, and MFA aren’t enough. They help manage access, but they miss the bigger problem: how identity and privilege sprawl across the environment in ways that attackers can string together.
Attack Path Management (APM) is a continuous security practice, not a one-time project. It helps organizations map, understand, and dismantle the chains of access and control that attackers exploit.
The real problem is privilege chaining. Researchers contrast two models: access graphs and attack graphs. Access graphs show who has access to what, often for audits or compliance. But attackers don’t care about who’s authorized, they care about what’s reachable. Attack graphs show how identities, sessions, and permissions can be chained together to reach critical assets, even when each link looks harmless on its own.
This shift in perspective helps explain why identity compromise is so hard to detect or prevent. Most tools can tell you whether a credential is being used. Few can show whether that credential is just one hop away from Domain Admin.
Source: Help Net Security
Link: https://www.helpnetsecurity.com/2025/07/30/ciso-attack-path-management-apm/
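The access-graph versus attack-graph distinction above is easiest to see on a small graph. The following is an added example, not from the SpecterOps report or its tooling: a handful of constructed identity relationships (group membership, local admin rights, logged-on sessions) that an auditor would approve one at a time, with an audit-style "what is this principal granted" view beside a breadth-first search that chains them the way an intruder would. Node names, edge labels and the traversal rules (in particular treating admin rights on a host as a way to take over sessions present on it) are this example's own assumptions.

```python
"""Access graph versus attack graph on a constructed identity graph: the same
relationships an auditor would approve one at a time, chained the way an
intruder chains them."""
from collections import defaultdict, deque

# Constructed relationships, (source, kind, target).  Node and edge names are
# this example's own; nothing here comes from a real directory.
#   MemberOf   - principal is a member of a group and inherits its rights
#   AdminTo    - principal has local admin on a host
#   HasSession - the user's credentials are present on that host
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS01"),
    ("bob", "HasSession", "WS01"),
    ("bob", "MemberOf", "ServerOps"),
    ("ServerOps", "AdminTo", "SRV01"),
    ("da_carol", "HasSession", "SRV01"),
    ("da_carol", "MemberOf", "Domain Admins"),
    ("dave", "MemberOf", "Marketing"),
]


def direct_access(edges, principal):
    """Access-graph view: what the principal is explicitly granted, no chaining."""
    return {dst for src, kind, dst in edges
            if src == principal and kind in ("MemberOf", "AdminTo")}


def attack_adjacency(edges):
    """Attack-graph view: relationships as moves an intruder can make.
    MemberOf and AdminTo are followed as recorded; HasSession is reversed,
    because admin rights on a host let you take over the sessions present on it."""
    adj = defaultdict(list)
    for src, kind, dst in edges:
        if kind in ("MemberOf", "AdminTo"):
            adj[src].append((dst, kind))
        elif kind == "HasSession":
            adj[dst].append((src, "StealSession"))
    return adj


def shortest_attack_path(edges, start, target):
    """Breadth-first search for the fewest moves from start to target.
    Returns a list of (move, node) steps, [] if start is the target, None if unreachable."""
    adj = attack_adjacency(edges)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            steps = []
            while prev[node] is not None:
                parent, move = prev[node]
                steps.append((move, node))
                node = parent
            return steps[::-1]
        for nxt, move in adj[node]:
            if nxt not in prev:
                prev[nxt] = (node, move)
                queue.append(nxt)
    return None


def hops_to(edges, target):
    """How many moves each node is from target; nodes that cannot reach it are omitted.
    This answers the 'is this credential one hop from Domain Admin' question for everyone."""
    nodes = {n for src, _, dst in edges for n in (src, dst)} - {target}
    result = {}
    for node in sorted(nodes):
        path = shortest_attack_path(edges, node, target)
        if path is not None:
            result[node] = len(path)
    return result


if __name__ == "__main__":
    print("audit view of alice:", direct_access(EDGES, "alice"))
    for move, node in shortest_attack_path(EDGES, "alice", "Domain Admins"):
        print(f"  -{move}-> {node}")
    print("hops to Domain Admins:", hops_to(EDGES, "Domain Admins"))
```

The audit view of alice is a single helpdesk group; the attack view is a seven-move path to Domain Admins in which no individual edge is a policy violation. Removing any one edge on that path (for example, keeping da_carol's session off SRV01) breaks the chain, which is the kind of targeted fix the report's "dismantle" step refers to.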