Threat Briefing — July 11, 2025

Weekly Threat Briefing - July 7 - July 11

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

CISA Adds Several Vulnerabilities to KEV Catalog

Bottom Line: CISA has added multiple items to the Known Exploited Vulnerabilities (KEV) catalog this week. Most notable is CVE-2025-5777, which federal agencies must address by the due date of July 11th, 2025.

The week of July 7th, 2025, CISA added multiple critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating that exploitation of these vulnerabilities has been observed. Of the vulnerabilities that were added, the most notable addition is CVE-2025-5777, dubbed Citrix Bleed 2, which impacts NetScaler ADC and NetScaler Gateway products. The other vulnerabilities that were added to the KEV include CVE-2014-3931, CVE-2016-10033, CVE-2019-5418, and CVE-2019-9621.

CVE-2025-5777 (CVSS: 9.3) is an insufficient input validation vulnerability that can lead to memory overread when NetScaler is configured as a Gateway or AAA virtual server. The vulnerability was initially disclosed on June 17th, 2025, with Citrix confirming that a patch was available. As the vulnerability was similar to CVE-2023-4966 (Citrix Bleed), it was given the moniker Citrix Bleed 2. Amid reports of ongoing exploitation, watchTowr labs published Proof-of-Concept (PoC) exploit code on July 4th, 2025. On July 10th, CISA added the vulnerability to its KEV catalog, indicating that federal organizations must apply the relevant security patches by July 11th, 2025.

CVE-2014-3931 (CVSS: 9.8) is a buffer-overflow vulnerability within Multi-Router Looking Glass (MRLG) versions prior to 5.5.0 that, when exploited, can allow threat actors to cause arbitrary memory writes and memory corruption. CVE-2016-10033 (CVSS: 9.8) is a Remote Code Execution (RCE) vulnerability impacting PHPMailer versions prior to 5.2.18 that can allow attackers to pass extra parameters to the mail command, subsequently executing arbitrary code. CVE-2019-5418 (CVSS: 7.5) is an information disclosure vulnerability within Action View in Ruby on Rails that can lead to arbitrary files on the target server being rendered, disclosing the files' contents. CVE-2019-9621 (CVSS: 7.5) is a Server-Side Request Forgery (SSRF) vulnerability within Zimbra Collaboration Suite that enables RCE. Patches are available for all the outlined vulnerabilities. CISA provided no real-world context on how these vulnerabilities were observed being exploited but requires federal agencies to apply the relevant security patches by July 28th, 2025.

eSentire Threat Intelligence Analysis:

Along with the vulnerabilities being added to the KEV, CISA instructs federal agencies to apply the recommended security patches within a given timeframe. For the vulnerabilities CVE-2014-3931, CVE-2016-10033, CVE-2019-5418, and CVE-2019-9621, CISA provided organizations with a 20-day timeframe to apply the relevant patches. However, for CVE-2025-5777, CISA provided a deadline of 1 day for security patches to be applied. This short patching timeframe, likely attributable to the release of PoC exploit code and reports of ongoing exploitation of the vulnerability, highlights the criticality of Citrix Bleed 2.

For the remaining four vulnerabilities, CISA provided no background on observed exploitation. CVE-2019-9621 was reported on by Trend Micro in 2023 as having been exploited by the Chinese APT threat actor Earth Lusca (aka Aquatic Panda, FishMonger) to deploy webshells and Cobalt Strike in espionage-related campaigns. While there are no public reports confirming exploitation of the remaining vulnerabilities, technical details are available, along with PoC exploit code for CVE-2016-10033 and CVE-2019-5418. Kevin Surace, the chairman of the cybersecurity company Token, speculated that CISA may have some indication, based on gathered threat intelligence, that “a known hacker group is preparing to broadly exploit these flaws”. Exploitation of these vulnerabilities would be notable as patches for all of them have been available for years; targeting such “forgotten vulnerabilities” is a common threat actor tactic, as they can be “well-documented, easy to weaponize and often lack monitoring by defenders”.

eSentire MDR for Network has detections in place for CVE-2016-10033, CVE-2019-9621, and CVE-2025-5777. eSentire's Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2025-5777, CVE-2016-10033, and CVE-2019-5418, with plugins for CVE-2019-9621 listed as “Coming Soon”. eSentire's Threat Response Unit (TRU) referenced CVE-2025-5777 in an advisory published for another Citrix vulnerability, tracked as CVE-2025-6543, which contains patching recommendations that address CVE-2025-5777. Organizations are urged to apply the recommended security patches for all the vulnerabilities outlined above, as well as implement a robust patch management policy to ensure that vulnerabilities are identified and relevant security patches are applied in a timely manner.

Microsoft Patch Tuesday 

Bottom Line: Microsoft's July 2025 Patch Tuesday addresses 137 vulnerabilities, including 14 critical flaws and one publicly disclosed SQL Server vulnerability. Other notable fixes include SharePoint RCE and Windows Update Service privilege elevation issues.

On July 8th, 2025, Microsoft released its Patch Tuesday update, which addressed a total of 137 vulnerabilities. This update marked an increase in the number of vulnerabilities compared to the June release. More importantly, Microsoft confirmed public disclosure for only one of these vulnerabilities, and none were reported as being actively exploited in the wild at the time of the release.

The publicly disclosed and critical vulnerabilities are as follows:

Other notable vulnerabilities addressed by the patches include CVE-2025-47981 (CVSS: 9.8), CVE-2025-49735 (CVSS: 8.1) and CVE-2025-49724 (CVSS: 8.8). CVE-2025-47981 is an RCE vulnerability within the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, while CVE-2025-49735 is an RCE vulnerability within the Windows Kerberos Key Distribution Center (KDC) proxy service. CVE-2025-49724 is an RCE vulnerability in the Windows Connected Devices Platform Service. These vulnerabilities have no reported Proof-of-Concept (PoC) exploit code, and no current reports of active exploitation, but have all been deemed as “Exploitation More Likely” by Microsoft.

eSentire Threat Intelligence Analysis:

Organizations are strongly encouraged to apply all relevant security patches released by Microsoft as part of their July Patch Tuesday disclosure. Vulnerabilities listed as “Exploitation More Likely”, and vulnerabilities in Internet facing applications should be prioritized for immediate patching.

CVE-2025-49719 can be mitigated by updating to a patched version of Microsoft SQL Server and installing the Microsoft OLE DB Driver 18 or 19. A similar vulnerability impacting Windows Kerberos KDC proxy service was also highlighted in the June Patch Tuesday release, specifically identified as CVE-2025-33071. At the time of writing, patches for CVE-2025-49695 and CVE-2025-49696 are not yet available. Microsoft has stated that updates will be released soon.

The notable increase in the list of vulnerabilities highlights the importance of a defense-in-depth strategy, as attackers may try to exploit them. eSentire's Threat Response Unit (TRU) is continuing to track these vulnerabilities for additional information and detection opportunities. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to all the CVEs listed in this briefing.

18 Malicious Browser Extensions Infected 2.3 Million Chrome and Edge Users

Bottom Line: An extensive browser hijacking campaign dubbed RedDirection involving a network of 18 malicious browser extensions was identified affecting 2.3 million users across Google Chrome and Microsoft Edge.

On July 8th, 2025, Koi Security revealed a large-scale campaign named RedDirection, involving 18 cross-platform browser extensions available on Google Chrome and Microsoft Edge stores. These malicious extensions were capable of hijacking browsers and are estimated to have affected around 2.3 million users.

The campaign was uncovered during Koi Security’s investigation into a malicious browser extension, “Color Picker, Eyedropper — Geco colorpick.” This extension was a legitimate tool for several years, before a malicious update was deployed. After the update, the extension continued to function as a color picker while simultaneously engaging in browser hijacking. This led to the discovery that 18 similar extensions were part of the broader RedDirection operation, all targeting Google Chrome and Microsoft Edge.

These extensions disguised themselves as popular tools, including emoji keyboards, weather widgets, video speed controllers, Discord and TikTok VPN proxies, dark mode themes, volume boosters, and YouTube unblockers. Several of these extensions were marked as “verified” on official browser extension stores, helping them appear trustworthy and avoid suspicion.

The browser hijacking mechanism is triggered whenever a user navigates to a new webpage. The extensions monitor all open tabs, collect the URLs, and send them to a remote Command-and-Control (C2) server along with a unique tracking ID. The C2 server then responds with a redirect link, causing the browser to automatically reroute to a specified site.

eSentire Threat Intelligence Analysis:

This campaign stands out because many of the involved extensions have long appeared legitimate, even carrying a “verified” label from the browsers. The hijacking activity was triggered by a malicious update pushed to these trusted extensions. Such attacks present a serious risk to organizations, as they can result in Man-in-the-Middle (MitM) attacks, data theft, or malware delivery. Google has confirmed that all known malicious extensions have been removed from the Chrome Web Store, though they still remain accessible through the Edge Add-ons store.

RedDirection takes advantage of the version update process for extensions in Chrome and Edge, silently injecting malicious code into extensions that had previously been safe. This allowed attackers to launch a large-scale supply chain attack by exploiting flaws in extension stores and user trust in “verified” listings.

Similar to the RedDirection campaign, in December 2024, a number of malicious Google Chrome extensions were found after a malicious version of Cyberhaven’s extension was identified. These extensions were related to AI/LLMs and free VPN services and were capable of browser data theft. While browser extensions can simplify many critical daily tasks and address a variety of user needs, it is essential to understand the risks associated with using third-party tools. Organizations should educate employees about the risks associated with third-party tools such as browser extensions and encourage them to report suspicious behavior. Organizations are recommended to deploy security tools capable of scanning and monitoring browser extensions to significantly reduce the risk posed by malicious browser extensions.

Given that RedDirection reportedly impacted 2.3 million users, organizations must take steps to ensure no unauthorized extensions are present on devices within their network. If any are detected, they should be removed immediately. In cases where malicious activity is suspected, it is important to review user activity and network logs for signs of access to sensitive websites and perform scans through Endpoint Detection and Response (EDR) solutions to detect potential malware deployment. 
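The hijacking mechanism described above (watching every tab's URL and redirecting the browser) requires an extension to hold tab-level permissions together with broad host access, and the recommendation above to remove unauthorized extensions requires an allowlist check. The following added example, written for this briefing and not code from eSentire or Koi Security, audits installed Chrome/Edge extension manifests for that permission combination and for absence from an organization allowlist; the sample manifests and the extension ids are constructed, and the profile directory layout is assumed to be the standard `<profile>/Extensions/<id>/<version>/manifest.json`.

```python
import json
from pathlib import Path

# Permissions that, combined with broad host access, let an extension observe every
# tab's URL and force navigation elsewhere, which is the behaviour described above.
RISKY_PERMISSIONS = {"tabs", "webNavigation", "webRequest", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest, ext_id="", allowlist=None):
    """Return findings for one extension manifest (Chrome/Edge, manifest v2 or v3)."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    risky, broad = perms & RISKY_PERMISSIONS, hosts & BROAD_HOSTS
    if risky and broad:
        findings.append(f"tab monitoring on all sites: {sorted(risky)} + {sorted(broad)}")
    elif broad:
        findings.append(f"broad host access: {sorted(broad)}")
    if allowlist is not None and ext_id not in allowlist:
        findings.append("not on the organization's extension allowlist")
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"), "findings": findings}


def audit_profile(profile_dir, allowlist=None):
    """Walk a browser profile and return only the extensions that raised findings.
    Assumed profile locations: ~/.config/google-chrome/Default (Linux),
    %LOCALAPPDATA%/Google/Chrome/User Data/Default or
    %LOCALAPPDATA%/Microsoft/Edge/User Data/Default (Windows)."""
    flagged = []
    for manifest_path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name  # directory name is the store extension id
        with open(manifest_path, encoding="utf-8") as fh:
            result = assess_manifest(json.load(fh), ext_id, allowlist)
        if result["findings"]:
            flagged.append(result)
    return flagged


# Constructed sample manifests (not real extensions): a colour picker whose update now asks
# for tab access on every site, versus a version that only needs the active tab.
SUSPECT_MANIFEST = {"name": "Example Color Picker", "version": "3.1.0", "manifest_version": 3,
                    "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]}
BENIGN_MANIFEST = {"name": "Example Color Picker", "version": "2.0.0", "manifest_version": 3,
                   "permissions": ["activeTab", "storage"]}

if __name__ == "__main__":
    approved = {"constructedextensionid0000000000001"}  # constructed allowlist entry
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(assess_manifest(m, "constructedextensionid0000000000001", approved))
```

A manifest that localizes its name (`__MSG_name__`) is still assessed on its permissions; the name field is informational only.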

eSentire's Threat Response Unit (TRU) regularly tracks malicious campaigns involving browser extensions for detection opportunities. The eSentire Threat Intelligence team has published a security advisory on the malicious Google Chrome extensions campaign on January 8th, 2025, and the one addressing the RedDirection campaign will soon be published.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas Security Operations Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
