Plus: An “explosion” of AI-generated child abuse images is taking over the web, a Russian professional basketball player is arrested on ransomware charges, and more.

WIRED reported this week on public records that show the United States Department of Homeland Security urging local law enforcement around the country to interpret common protest activities and surrounding logistics—including riding a bike, livestreaming a police encounter, or skateboarding—as “violent tactics.” The guidance could influence cops to use everyday behavior as a pretext for police action.

An AI hiring bot used on the McDonald’s “McHire” site exposed tens of millions of job applicants’ personal data because of a group of web-based security vulnerabilities—including use of the classically guessable password “123456” on an administrator account. The site’s chatbot, known as Olivia, was built by the artificial intelligence software firm Paradox.ai. Meanwhile, in the wake of last week’s devastating floods in Texas that killed at least 120 people, conspiracy theories about the extreme weather event have gained enough traction among anti-government extremists, GOP influencers, and others with large platforms to produce real-world consequences like death threats.

Finally, the metadata of the “full raw” surveillance footage captured near Jeffrey Epstein’s cell the night before the disgraced financier was found hanged shows it’s not “raw” footage at all. Instead, according to a WIRED analysis and digital video forensics experts, the full video is made up of two clips, and it was likely processed using powerful editing software.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**4 Young People Arrested Over Cyberattacks Against UK Retailers**

Earlier this year, three retailers in the UK—Harrods, the Co-Op, and M&S—were disrupted by sprawling cyberattacks. Some shelves were left empty for weeks, and M&S executives expect the attacks will cost around £300 million ($407 million) in total. This week, law enforcement officials at the National Crime Agency (NCA), the country’s equivalent of the FBI, announced the arrest of four people as part of investigations into the three attacks.

A 20-year-old female, two males aged 19, and another aged 17 were all arrested at their homes in the West Midlands and London on Thursday morning. One of the 19-year-old males is from Latvia, while the others are from the UK, the NCA says. They are suspected of potential Computer Misuse Act offenses, blackmail, money laundering, and “participating in the activities of an organized crime group,” the NCA said in a statement. The law enforcement agency has not named the individuals arrested or released precise locations of where they are based; however, NCA’s deputy director Paul Foster said the arrests were a “significant step” in its investigations.

The attacks against the three British retailers have been broadly linked, including partially by the NCA, to the loose cybercriminal group Scattered Spider. The hacking group, which first emerged in 2022, is largely made up of young, English-speaking individuals, and has recently been seen targeting retailers, airlines, and the insurance industry across the UK and the US.

**‘Explosion’ of AI-Generated Child Abuse Images Could Overwhelm the Web, Experts Warn**

It didn’t take criminals long to start using generative AI to create ultra-realistic child sexual abuse images. Now huge volumes of illegal, AI-created content are being found online, with criminals moving to use the technology to create videos as well as still images. During the first six months of this year, analysts at the Internet Watch Foundation, a UK-based organization that removes child sexual abuse material (CSAM) from the web, identified 1,286 AI-generated videos that show abuse—more than 1,000 of the videos showed the most serious type of abuse.

“There is an incredible risk of AI-generated CSAM leading to an absolute explosion that overwhelms the clear web,” said Derek Ray-Hill, the interim chief executive of the Internet Watch Foundation. Separate figures from the US-based National Center for Missing & Exploited Children (NCMEC) say it has received 485,000 reports of AI CSAM in the first half of this year—up from 67,000 for the entirety of last year. Around 35 tech companies have reported finding AI-generated CSAM on their platforms, NCMEC said.

**Italian Police Arrest an Alleged Member of China’s Silk Typhoon Hacking Group**

In a rare instance of Western law enforcement actually laying hands on an alleged Chinese state-sponsored hacker, Italian police arrested Xu Zewei, a 33-year-old from Shanghai, at an airport in Milan on July 3. The police were acting on a warrant issued by the US Department of Justice seeking Xu’s arrest on hacking charges. Authorities allege he’s a member of the espionage group known as Silk Typhoon or Hafnium, which has carried out widespread data theft from Western governments and private sector companies for years. US prosecutors are specifically accusing Xu of taking part in Silk Typhoon’s hacking that targeted researchers working to develop a Covid-19 vaccine in 2020 and 2021. He’s also alleged to have participated in a far less targeted hacking campaign in which the same group broke into tens of thousands of Microsoft exchange servers around the world, leaving behind backdoors for later reconnaissance. Xu’s lawyer denied the charges, saying it’s a case of mistaken identity, and Xu’s wife also has reportedly said that Xu is an IT technician at the company GTA Semi Conductor.

**Russian Pro Basketball Player Arrested on Ransomware Charges**

In more news of alleged hackers arrested in European airports—and a very unusual case of alleged cybercriminal moonlighting—French police this week detained Russian professional basketball player Daniil Kasatkin in the Charles de Gaulle airport in Paris, accusing him of being part of a ransomware group. Authorities haven’t yet named the ransomware crew they claim Kasatkin was a part of, but say that from 2020 to 2022 it hit close to 900 organizations, including two American government agencies. Kasatkin’s lawyer, Frédéric Bélot, denied the accusations, saying his client is “useless with computers and can't even install an application.” Kasatkin, who played for the pro basketball team MBA Moscow, had traveled to France with his fiancée to propose to her.

**Bodyguards Using Strava Leaked the Detailed Locations of Sweden’s Prime Minister**

Here’s your annual reminder, athletic oversharers of the world, to set your Strava account settings to private. This week, Sweden’s Dagens Nyheter newspaper revealed that seven bodyguards for Swedish government officials left their Strava accounts public, revealing their locations as they carried out 1,400 exercise activities—and in many cases, the locations of the people they were protecting, including the Swedish prime minister, Ulf Kristersson. The leaked locations of the prime minister included hotels where he stayed, private addresses, a family vacation, trips abroad, and his private home, which was intended to be secret. Repeat after me, Strava enthusiasts with security clearances: Go to Settings, tap Privacy Controls, then Activities. Future scandal averted.

4 Arrested Over Scattered Spider Hacking Spree

Thorsten takes stock of a rapidly evolving vulnerability landscape: record-setting CVE publication rates, the growing fragmentation of reporting systems, and why consistent tracking and patching remain critical as we move through 2025.

Thursday, July 10, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter.

We’ve made it halfway through 2025 already! It’s been a while since I last wrote about CVEs and how free support for Windows 10 will end on October 14, 2025, leaving you with no more security fixes.

While the CVE system remains the global standard for vulnerability reporting, recent developments have sparked concerns within the community about its long-term stability. Currently, the program operates solely as a U.S. government-funded initiative. Following the last-minute funding extension, we’re now seeing competing ideas and projects emerging. Whether it’s the CVE Foundation working to transition from a single funding stream to a diversified and stable model, ENISA’s EUVD, or the Global CVE Allocation System (GCVE), the landscape is changing.

On one hand, a multi-source environment enhances availability and resilience. On the other, this fragmentation raises practical concerns for both researchers and practitioners. We now face questions like “Where should I report a vulnerability?” and “How do I integrate and correlate vulnerability data across multiple sources with multiple identifiers?”

Looking back at the first six months of this year, we see that the rapid pace of CVE publications in 2024 has continued into 2025, with no signs of slowing down. In fact, the current trend suggests that 2025 will surpass last year’s total of a little more than 40,000 CVEs. To illustrate: the first half of 2024 saw an average of 113 CVEs published per day, whereas the first half of 2025 is running at a rate of 131 CVEs per day.

What concerns me even more is the steep increase in Known Exploited Vulnerabilities (KEVs). It wasn’t just the spike in March — we’re seeing a generally sharper rise overall.

Vendor diversity also continues to expand, increasing from 45 vendors during the first half of last year to 61 so far this year. Additionally, the proportion of KEVs affecting network-related gear has grown from 22.5% in 2024 to 25% in 2025.

But there’s a small piece of good news: So far, I haven’t seen any CVEs from as far back as 2012 being added to the KEV catalogue like we saw last year. This time, the oldest additions “only” go back to 2017.

Keep in mind that the CVE year merely indicates when a vulnerability was reserved or assigned. The vulnerability itself may have existed for many years prior. For example, the recent sudo/chroot issue remained undiscovered for over 12 years. 

In a nutshell: Keep tracking, keep patching. Vulnerabilities certainly won’t patch themselves.

**The one big thing **

Microsoft’s July 2025 security update addresses 132 vulnerabilities, including 14 marked as “critical,” with several remote code execution (RCE) issues affecting Windows, Office, SharePoint and Hyper-V. Although none have been exploited in the wild yet, some vulnerabilities — like those in SharePoint and SPNEGO NEGOEX — are more likely to be targeted and could allow attackers to execute code remotely or locally.

**Why do I care? **

These vulnerabilities could let attackers take control of your systems, steal information or disrupt business operations, even if you haven’t seen any attacks yet. If you’re running Windows servers, SharePoint or Microsoft Office, your environment could be at risk, especially for organizations that rely on these products daily.

**So now what? **

Don’t wait. Make sure you’re applying Microsoft’s July patches as soon as possible. If you use Cisco Security Firewall or SNORT®, update your rulesets to the latest versions to maximize your protection.

**Top security headlines of the week **

**Alleged Chinese hacker tied to Silk Typhoon arrested for cyberespionage**  
A Chinese national was arrested in Milan, Italy for allegedly being linked to the state-sponsored Silk Typhoon hacking group, which is responsible for cyberattacks against U.S. organizations and government agencies. (Bleeping Computer) 

**Jailbreaking AI with information overload**   
Researchers say you can trick AI chatbots like ChatGPT or Gemini into teaching you how to make a bomb or hack an ATM if you make the question complicated, full of academic jargon, and cite sources that do not exist. (404 Media) 

**SatanLock is shutting down**  
The announcement that the group was closing its doors first came through its official Telegram channel and dark web leak site. Hunters International, another well-known ransomware group, also recently announced that it was shutting down its operations. (Dark Reading) 

**Ingram Micro scrambling to restore systems after ransomware attack**  
The IT distributor giant confirmed over the weekend that a ransomware attack was responsible for a widespread outage over its services, and they were forced to take certain systems offline on Friday afternoon, in response to the incident. (SecurityWeek) 

**Malicious Chrome extensions with 1.7M installs found on Web Store**  
Malicious extensions with 1.7 million downloads in Google's Chrome Web Store pose as legitimate tools but could track users, steal browser activity, and redirect to potentially unsafe web addresses. (Bleeping Computer)

**Can’t get enough Talos? **

**Scams, jailbreaks and poetic justice**  
In this episode of the TTP, Hazel Burton sits down with Talos' Jaeson Schultz to explore the underground world of criminal LLM abuse, from elaborate scams to role-playing jailbreak prompts designed to trick AI into ignoring its own rules.

**Vulnerability Roundup**  
Cisco Talos’ Vulnerability Discovery & Research team has disclosed and coordinated patches for two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat.

**PDFs: Portable documents, or perfect deliveries for phish?**   
A popular social engineering technique returns: callback phishing, or TOAD attacks, which leverage PDFs, VoIP anonymity and even QR code tricks.

**Beers with Talos: Terms and conceptions may apply**   
In this episode, the crew reassembles after a totally intentional and not-at-all accidental hiatus. They cover AI-assisted IVF, a possible underground war against dairy, and the real heroes: conference dogs.

**Upcoming events where you can find Talos **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details   
Typical Filename: IMG001.exe   
Detection Name: Simple\_Custom\_Detection   

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**    
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Coinminer:MBT.26mw.in14.Talos

Patch, track, repeat

Generative AI is not arriving with a bang, it’s slowly creeping into the software that companies already use on a daily basis. Whether it is video conferencing or CRM, vendors are scrambling to integrate AI copilots and assistants into their SaaS applications. Slack can now provide AI summaries of chat threads, Zoom can provide meeting summaries, and office suites such as Microsoft 365 contain

What Security Leaders Need to Know About AI Governance for SaaS

Stories about Chinese APTs attacking the US and Canada are plentiful. In a turnabout, researchers found what they believe is a North American entity attacking a Chinese entity, thanks to a mysterious issue in Microsoft Exchange.

North American APT Uses Exchange Zero-Day to Attack China

Worried about hackers employing LLMs to write powerful malware? Using targeted reinforcement learning (RL) to train open source models in specific tasks has yielded the capability to do just that.

New AI Malware PoC Reliably Evades Microsoft Defender

For the first time in 2025, Microsoft's Patch Tuesday updates did not bundle fixes for exploited security vulnerabilities, but acknowledged one of the addressed flaws had been publicly known.
The patches resolve a whopping 130 vulnerabilities, along with 10 other non-Microsoft CVEs that affect Visual Studio, AMD, and its Chromium-based Edge browser. Of these 10 are rated Critical and the

Microsoft Patches 130 Vulnerabilities, Including Critical Flaws in SPNEGO and SQL Server

A Chinese state-sponsored hacker, Xu Zewei, 33, has been arrested for his alleged role in the widespread HAFNIUM cyber attacks and theft of COVID-19 research. Learn about the charges and China's Ministry of State Security involvement.

In a significant development in international cybercrime efforts, Xu Zewei, a 33-year-old Chinese national, was apprehended in Milan, Italy, on July 3, 2025. The arrest was made at the request of the United States, where Xu faces serious charges related to widespread computer intrusions.

Xu, alongside his co-defendant Zhang Yu, 44, is named in a nine-count indictment unsealed in the Southern District of Texas. The charges stem from their alleged involvement in cyberattacks carried out between February 2020 and June 2021. These intrusions include the notorious HAFNIUM (aka Silk Typhoon) campaign, which compromised thousands of computers globally, including many within the United States.

According to the US Department of Justice’s July 8 press release, Xu Zewei was directed in his hacking activities by officers from China’s Ministry of State Security (MSS), specifically its Shanghai State Security Bureau (SSSB). It must be noted that MSS and SSSB are intelligence agencies responsible for China’s domestic counterintelligence, non-military foreign intelligence, and aspects of its internal security.

Xu was allegedly employed by Shanghai Powerock Network Co. Ltd. (Powerock), a company identified as one of many “enabling” entities that conduct hacking operations for the Chinese government.

“This arrest underscores the United States’ patient and tireless commitment to pursuing hackers who seek to steal information belonging to U.S. companies and universities,” stated Assistant Attorney General John A. Eisenberg. US Attorney Nicholas Ganjei for the Southern District of Texas added that Xu was allegedly “hacking and stealing crucial COVID-19 research at the behest of the Chinese government.”

****Targeting Vital Research and Global Systems****

The indictment (PDF) details how Xu and his co-conspirators targeted US-based universities, immunologists, and virologists involved in COVID-19 vaccine, treatment, and testing research in early 2020. Xu reportedly confirmed compromising a research university in the Southern District of Texas in February 2020 and was directed to access specific email accounts of researchers.

Later, in late 2020, Xu and his associates exploited vulnerabilities in Microsoft Exchange Server, a widely used email product. This exploitation was central to the HAFNIUM campaign, a large-scale intrusion that became public in March 2021 when Microsoft disclosed it.

“Through HAFNIUM, the CCP targeted over 60,000 US entities, successfully victimizing more than 12,700 in order to steal sensitive information,” noted Assistant Director Brett Leatherman of the FBI’s Cyber Division.

Victims of the HAFNIUM campaign included another university in Texas and a global law firm, where information related to US policymakers and government agencies was sought. Xu faces multiple charges, including conspiracy to commit wire fraud, wire fraud, conspiracy to cause damage to protected computers, and aggravated identity theft.

These charges carry significant penalties, with some counts carrying a maximum of 20 years in prison. Xu is currently awaiting extradition to the US whereas his co-defendant, Zhang Yu, remains at large.

US Announces Arresting Chinese Hacker Linked to HAFNIUM Group

Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft's most-dire "critical" rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users.

**Microsoft** today released updates to fix at least 137 security vulnerabilities in its **Windows** operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users.

While not listed as critical, CVE-2025-49719 is a publicly disclosed information disclosure vulnerability, with all versions as far back as **SQL Server 2016** receiving patches. Microsoft rates CVE-2025-49719 as less likely to be exploited, but the availability of proof-of-concept code for this flaw means its patch should probably be a priority for affected enterprises.

**Mike Walters**, co-founder of **Action1**, said CVE-2025-49719 can be exploited without authentication, and that many third-party applications depend on SQL server and the affected drivers — potentially introducing a supply-chain risk that extends beyond direct SQL Server users.

“The potential exposure of sensitive information makes this a high-priority concern for organizations handling valuable or regulated data,” Walters said. “The comprehensive nature of the affected versions, spanning multiple SQL Server releases from 2016 through 2022, indicates a fundamental issue in how SQL Server handles memory management and input validation.”

**Adam Barnett** at **Rapid7** notes that today is the end of the road for **SQL Server 2012**, meaning there will be no future security patches even for critical vulnerabilities, even if you’re willing to pay Microsoft for the privilege.

Barnett also called attention to CVE-2025-47981, a vulnerability with a CVSS score of 9.8 (10 being the worst), a remote code execution bug in the way Windows servers and clients negotiate to discover mutually supported authentication mechanisms. This pre-authentication vulnerability affects any Windows client machine running **Windows 10 1607** or above, and all current versions of **Windows Server**. Microsoft considers it more likely that attackers will exploit this flaw.

Microsoft also patched at least four critical, remote code execution flaws in **Office** (CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702). The first two are both rated by Microsoft as having a higher likelihood of exploitation, do not require user interaction, and can be triggered through the Preview Pane.

Two more high severity bugs include CVE-2025-49740 (CVSS 8.8) and CVE-2025-47178 (CVSS 8.0); the former is a weakness that could allow malicious files to bypass screening by **Microsoft Defender SmartScreen**, a built-in feature of Windows that tries to block untrusted downloads and malicious sites.

CVE-2025-47178 involves a remote code execution flaw in **Microsoft Configuration Manager**, an enterprise tool for managing, deploying, and securing computers, servers, and devices across a network. **Ben Hopkins** at **Immersive** said this bug requires very low privileges to exploit, and that it is possible for a user or attacker with a read-only access role to exploit it.

“Exploiting this vulnerability allows an attacker to execute arbitrary SQL queries as the privileged SMS service account in Microsoft Configuration Manager,” Hopkins said. “This access can be used to manipulate deployments, push malicious software or scripts to all managed devices, alter configurations, steal sensitive data, and potentially escalate to full operating system code execution across the enterprise, giving the attacker broad control over the entire IT environment.”

Separately, **Adobe** has released security updates for a broad range of software, including **After Effects**, **Adobe Audition**, **Illustrator**, **FrameMaker**, and **ColdFusion**.

The **SANS Internet Storm Center** has a breakdown of each individual patch, indexed by severity. If you’re responsible for administering a number of Windows systems, it may be worth keeping an eye on AskWoody for the lowdown on any potentially wonky updates (considering the large number of vulnerabilities and Windows components addressed this month).

If you’re a Windows home user, please consider backing up your data and/or drive before installing any patches, and drop a note in the comments if you encounter any problems with these updates.

Microsoft Patch Tuesday, July 2025 Edition

Some 17 of the bugs are at high risk for exploits, including multiple remote code execution bugs in Office and SharePoint.

Microsoft Patches 137 CVEs in July, but No Zero-Days

Microsoft has released its monthly security update for July 2025, which includes 132 vulnerabilities affecting a range of products, including 14 that Microsoft marked as “critical.”

Tuesday, July 8, 2025 16:29

Microsoft has released its monthly security update for July 2025, which includes 132 vulnerabilities affecting a range of products, including 14 that Microsoft marked as “critical.”  

In this month's release, Microsoft observed none of the included vulnerabilities being actively exploited in the wild. Out of 14 "critical" entries, 11 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including KDC Proxy service, Microsoft Office and SharePoint server. 

CVE-2025-49735 is an RCE vulnerability in Windows KDC Proxy Service (KPSSVC) given a CVSS 3.1 score of 8.1. To successfully exploit this vulnerability, an unauthenticated attacker could use a specially-crafted application to leverage a cryptographic protocol vulnerability in KPSSVC to perform RCE against the target. Microsoft has noted that this vulnerability only affects Windows servers that are configured as a Kerberos key Distribution Center (KDC) Proxy Protocol server, and domain controllers are not affected. Microsoft assessed that the attack complexity is “high,” and exploitation is "more likely."  

CVE-2025-49704 is an RCE vulnerability in Microsoft SharePoint server given a CVSS 3.1 score of 7.7. Microsoft noted that this vulnerability in Microsoft Office SharePoint is due to improper control of generation of code (“code injection”) which would allow an authenticated attacker to execute code over a network. To exploit this vulnerability, an authenticated attacker in a network-based attack, with a minimum of Site Member permission, could execute arbitrary code remotely on the SharePoint server. Microsoft assessed that the attack complexity is “low,” and exploitation is “more likely."  

CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49698, CVE-2025-49702 and CVE-2025-49703 are RCE vulnerabilities in Microsoft Office and Microsoft Word. The vulnerabilities CVE-2025-49695 and CVE-2025-49698 are "use after free” (UAF) vulnerabilities that occur when Microsoft Office tries to access memory that has already been freed. CVE-2025-49696 is an out-of-bounds read in Microsoft Office. Microsoft assessed that for CVE-2025-49695 and CVE-2025-49696, the attack complexity is "low," and exploitation is "more likely." For CVE-2025-49697, CVE-2025-49698, CVE-2025-49702 and CVE-2025-49703, the attack complexity is "low," and exploitation is "less likely."   

CVE-2025-48822 is an RCE vulnerability in Windows Hyper-V Discrete Device Assignment (DDA) given a CVSS 3.1 score of 8.6. This vulnerability is an out-of-bounds read in Hyper-V that could allow an unauthorized attacker to execute code locally. Microsoft assessed that the attack complexity is “low,” and exploitation is “less likely.” 

CVE-2025-47981is an RCE vulnerability in SPNEGO Extended Negotiation (NEGOEX) Security Mechanism given a CVSS 3.1 score of 9.8. This vulnerability is a heap-based buffer overflow that could allow an unauthorized attacker to execute code over a network. According to Microsoft, this vulnerability affects Windows client machines running Windows 10, version 1607 and above, due to the following GPO being enabled by default on these operating systems: "Network security: Allow PKU2U authentication requests to this computer to use online identities." Microsoft has assessed that the attack complexity is “low,” and exploitation is “more likely.”  

CVE-2025-49717 is an RCE vulnerability in Microsoft SQL Server, given a CVSS 3.1 score of 8.5. This vulnerability is a heap-based buffer overflow that could allow an unauthorized attacker to execute code over a network. However, Microsoft has assessed “exploitation unlikely”. 

The last critical vulnerability listed (CVE-2025-47980) is an information disclosure in Windows Imaging Component that, if exploited, could allow an attacker to read small portions of heap memory. Microsoft has assessed that the attack complexity is “low,” and exploitation is “less likely."   

Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that their exploitation is "more likely:"  

*   CVE-2025-49701: Microsoft SharePoint Remote Code Execution Vulnerability 
*   CVE-2025-49724: Windows Connected Devices Platform Service Remote Code Execution Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.   

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.   

Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 64435, 64436, 65092, 65096 – 65107, 65110 – 65113.  

The following Snort 3 rules are also available: 301114, 301268 – 301272.

Tag

#microsoft