CISO Talk by James Azar
CyberHub Podcast
Cybersecurity Patch Tuesday Cadence Released for June, Criminals Pose as Job Seekers, 23andme Grilled by Congress, Microsoft Zeroday, Secure Boot Malware

Critical Patch Tuesday Analysis: Microsoft's 66 Vulnerabilities, Adobe's Record 254 Flaws, and the Evolution of Social Engineering from Job Boards to Genetic Data Privacy

Patch Tuesday Mayhem, Social Engineering Evolution, and Congressional DNA Drama

Good Morning Security Gang!

Welcome to another comprehensive breakdown of the latest cybersecurity developments from the Cyber Hub podcast. This episode, recorded live from the Teammate CISO Village, delivers critical insights into June's massive Patch Tuesday releases, evolving social engineering tactics, and significant privacy concerns surrounding genetic data breaches.

Cyber Hub Podcast Summary: June 11, 2025

Executive Summary

Host James Azar delivers a packed episode covering the most significant cybersecurity developments of the week. From Microsoft's 66-vulnerability patch release to Adobe's staggering 254 security flaws, this episode highlights the ongoing challenges facing security professionals.

The discussion extends beyond traditional patching to explore sophisticated social engineering attacks where threat actors impersonate job seekers, marking a concerning evolution in hiring-related cybercrime. The episode concludes with a heated analysis of the 23andMe congressional hearing, raising critical questions about genetic data privacy and foreign adversary access.

Major Story Breakdowns

Microsoft's June Patch Tuesday: A Critical Security Overhaul

Microsoft released their June 2025 Patch Tuesday update, addressing 66 vulnerabilities including one actively exploited zero-day and another publicly disclosed flaw. The patch bundle includes eight critical vulnerabilities with remote code execution capabilities and two elevation of privilege bugs.

The breakdown reveals 13 elevation of privilege vulnerabilities, three security feature bypasses, 25 remote code execution flaws, 17 information disclosures, six denial of service vulnerabilities, and two spoofing issues. This extensive list doesn't include fixes for Microsoft Edge, Mariner, and Power Automate that were addressed earlier in the month.

The most concerning vulnerability involves CVE-2025-33073, a Windows SMB client elevation of privilege flaw caused by improper access controls. This vulnerability allows an unauthorized attacker to elevate privileges over the network. Research from Check Point revealed that the Stealth Falcon APT group had been exploiting one of these zero-days since March 2025, targeting a defense company in Turkey using a previously undisclosed technique involving WebDAV servers and Windows built-in tools.

Adobe's Massive Security Update: 254 Vulnerabilities Patched

Adobe delivered what may be the largest single security update in recent memory, addressing 254 security flaws across multiple products. The majority of these vulnerabilities, 225 specifically, affect Adobe Experience Manager, impacting both cloud services and all versions prior to 6.5.22. Almost all vulnerabilities have been classified as cross-site scripting (XSS) vulnerabilities, including stored XSS and DOM-based XSS that could lead to arbitrary code execution.

The most severe flaw, CVE-2025-47110, carries a CVSS score of 9.1 and represents a reflected cross-site scripting vulnerability in Adobe Commerce and Magento Open Source that could result in arbitrary code execution. The update also affects Adobe Commerce B2B, InCopy, and Substance products, making this a critical update for organizations using Adobe's enterprise software ecosystem.

Salesforce Industry Cloud Zero-Day Discoveries

Security researchers identified five zero-day vulnerabilities and fifteen misconfigurations in Salesforce Industry Cloud, potentially affecting tens of thousands of organizations. These vulnerabilities specifically affect custom CRM extension solutions built for healthcare, financial services, manufacturing, communications, and government sectors. The issues stem from technology acquired through Salesforce's purchase of Vlocity in June 2020 and involve OmniStudio low-code tools.

Three vulnerabilities required fixes on Salesforce's end with no customer action needed, while two require customer involvement following Salesforce's instructions. The remaining fifteen issues represent misconfiguration traps that researchers believe many organizations have unknowingly adopted, highlighting the complex security challenges in multi-cloud, multi-SaaS environments.

SAP Security Patches: Critical NetWeaver Vulnerability

SAP released fourteen new security patches for their June 2025 security update, including a critical severity vulnerability in NetWeaver (CVE-2025-42989) with a CVSS score of 9.6. This bug represents a missing authorization check in the NetWeaver Application Server for ABAP, residing in the Remote Function Call (RFC) framework. Under certain conditions, authenticated attackers can bypass standard authorization checks for unauthorized objects when using transactional RFCs or queued RFCs, leading to privilege escalation.

RoundCube Webmail: Decade-Old Vulnerability Actively Exploited

Approximately 80,000 RoundCube webmail servers are affected by a critical remote code execution vulnerability (CVE-2025-49113) with a CVSS score of 9.9 that's already being exploited in active attacks. This post-authentication remote code execution flaw exists through PHP object deserialization and impacts all RoundCube versions from 1.1.1 through 1.6.10, representing over a decade of affected installations.

The vulnerability stems from flawed logic that incorrectly evaluates variable names beginning with an exclamation mark, leading to session corruption and PHP object injection. Security researcher Kirill Firsov discovered that this flaw has remained hidden for more than ten years, can be reproduced on default installations, requires no dependencies, and its exploitation goes undetected by firewalls.
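The affected range above (1.1.1 through 1.6.10) is the kind of fact a defender needs to turn into a triage list quickly. The following Python script is an added example, not code from the podcast or from the Roundcube project: it parses version strings as they typically appear in inventories (bare versions, banner text, distribution package versions) and flags the hosts that fall inside the stated range. The host names and version strings are constructed sample data.

```python
"""Constructed triage helper for the Roundcube CVE-2025-49113 affected range.
Added example; not code from the podcast or the Roundcube project."""
import re
from typing import Iterable, Optional, Tuple

# Affected range as stated in the episode summary: 1.1.1 through 1.6.10 inclusive.
AFFECTED_MIN = (1, 1, 1)
AFFECTED_MAX = (1, 6, 10)

Version = Tuple[int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Extract the first three-part numeric version from a string.

    Handles bare versions ('1.6.10'), banner text ('Roundcube Webmail 1.4.13')
    and distribution package versions ('1.6.10-1+deb12u1'). A missing patch
    component defaults to 0. Returns None when no version can be found.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(text: str) -> Optional[bool]:
    """True if the version lies inside the affected range, False if outside,
    None if the string carries no recognisable version."""
    version = parse_version(text)
    if version is None:
        return None
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(inventory: Iterable[Tuple[str, str]]) -> dict:
    """Sort (host, version_string) pairs into patch / ok / unknown buckets."""
    report = {"patch": [], "ok": [], "unknown": []}
    for host, version_text in inventory:
        state = is_affected(version_text)
        if state is None:
            report["unknown"].append(host)
        elif state:
            report["patch"].append(host)
        else:
            report["ok"].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("mail-01.example.test", "Roundcube Webmail 1.6.10"),  # inside range
    ("mail-02.example.test", "1.6.11"),                     # above range
    ("mail-03.example.test", "1.4.13-1+deb11u1"),           # inside range
    ("mail-04.example.test", "1.1.0"),                      # below range
    ("mail-05.example.test", "version unknown"),            # cannot tell
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for bucket, hosts in result.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

One caveat for real inventories: distribution packages often backport security fixes without changing the upstream version number, so a host flagged as "patch" should be confirmed against the vendor's package changelog before it is treated as exposed, and "unknown" hosts deserve a manual look rather than being ignored.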

Social Engineering Evolution: FIN7 Impersonates Job Seekers

The FIN7 hacking group, also known as Skeleton Spider, has evolved its social engineering tactics by impersonating job seekers to target recruiters, instead of the traditional approach of posing as recruiters. This group, initially known for financial fraud and point-of-sale system compromises, expanded into ransomware operations with Ryuk and Conti variants in 2019.

According to DomainTools researchers, FIN7 now uses convincing fake job seeker personas to approach recruiters and HR departments through LinkedIn and Indeed. They build rapport over time before following up with phishing emails, demonstrating the patience-based approach that makes these attacks particularly dangerous. The host emphasizes that this patience, described using the Arabic concept of "sabr," represents a strategic advantage similar to China's long-term planning approach versus Western short-term electoral cycles.

ConnectWise Certificate Rotation: Proactive Security Measures

ConnectWise is proactively rotating digital code signing certificates used for ScreenConnect, ConnectWise Automate, and ConnectWise RMM executables following security researcher concerns about potential configuration data abuse. While unrelated to any security incident, the company is implementing good security hygiene practices. The original DigiCert certificate was scheduled for revocation on Tuesday but received an extension until Friday at 8 PM Eastern to allow for proper deployment of new certificates.

Secure Boot Bypass Vulnerability Discovered

Security researcher Alex Matrosov discovered a new Secure Boot bypass vulnerability involving a BIOS flashing utility signed with Microsoft's WHQL signing certificate. Originally designed for rugged tablets, this utility can run on any Secure Boot-enabled system because of its Microsoft certificate signature. The flaw was disclosed through CERT/CC on February 25th and was addressed as part of the recent Patch Tuesday updates.

23andMe Congressional Hearing: Genetic Data Privacy Concerns

Congressional lawmakers grilled 23andMe executives during a hearing focused on the privacy implications of the company's sale and its bankruptcy filing from March. Despite the company's data breach affecting millions, only 1.9 million of the 15 million customers (approximately 10%) have chosen to delete their data. Interim CEO Joe Selsavage's testimony failed to persuade lawmakers about the company's data protection measures.

House Committee Chairman James Comer emphasized the imperative to ensure no legal or illegal access to American genetic data by foreign adversaries, citing a 2019 Department of Defense advisory telling service members to avoid 23andMe DNA testing.

The hearing revealed that a research institute called TTAM won the auction with a $305 million bid, though the FTC still must approve the sale. The discussion highlighted broader concerns about targeted advertising based on mental health conditions, insurance premium impacts, and credit restrictions based on genetic data.

Key Action Items for Security Professionals

  • Immediately apply Microsoft's June Patch Tuesday updates, prioritizing the actively exploited zero-day vulnerabilities and SMB client elevation of privilege fixes

  • Update all Adobe products affected by the 254-vulnerability patch, with special attention to Experience Manager, Commerce, and Magento installations

  • Review Salesforce Industry Cloud configurations if using custom CRM extensions, and implement any customer-required fixes provided by Salesforce

  • Patch SAP NetWeaver systems to address the critical authorization bypass vulnerability (CVE-2025-42989)

  • Immediately update RoundCube webmail servers to address the decade-old RCE vulnerability being actively exploited

  • Implement enhanced verification procedures for recruiting and HR processes to counter job seeker impersonation attacks

  • Validate LinkedIn and social media profiles through multiple platforms before engaging with unknown contacts

  • Review ConnectWise environments for certificate updates and prepare for the Friday deadline if using affected products

  • Assess genetic testing policies within organizations and recommend HIPAA-protected alternatives for employees

  • Strengthen social engineering awareness training to address evolving impersonation tactics and patience-based attack methods

Thanks for reading CISO Talk by James Azar! This post is public so feel free to share it.

✅ Story Links:

https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2025-patch-tuesday-fixes-exploited-zero-day-66-flaws/

https://thehackernews.com/2025/06/adobe-releases-patch-fixing-254.html

https://www.securityweek.com/five-zero-days-15-misconfigurations-found-in-salesforce-industry-cloud/

https://www.securityweek.com/critical-vulnerability-patched-in-sap-netweaver/

https://www.securityweek.com/exploited-vulnerability-impacts-over-80000-roundcube-servers/

https://www.bleepingcomputer.com/news/security/fin6-hackers-pose-as-job-seekers-to-backdoor-recruiters-devices/

https://therecord.media/russian-devices-hit-by-rare-werewolf-crypto-mining

https://www.bleepingcomputer.com/news/security/connectwise-rotating-code-signing-certificates-over-security-concerns/

https://www.bleepingcomputer.com/news/security/new-secure-boot-flaw-lets-attackers-install-bootkit-malware-patch-now/

https://therecord.media/23andme-leadership-grilled-by-lawmakers-hearing

🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1

🚨 Important Links to Follow:

👉Website:

👉Listen here: https://linktr.ee/cyberhubpodcast

Stay Connected With Us.

👉Facebook: https://www.facebook.com/CyberHubpodcast/

👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/

👉Twitter (X): https://twitter.com/cyberhubpodcast

👉Instagram: https://www.instagram.com/cyberhubpodcast

🤝 For Business Inquiries: info@cyberhubpodcast.com

=============================

🚀 About The CyberHub Podcast.

The Hub of the Infosec Community.

Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
