CISO Talk by James Azar
CyberHub Podcast
SharePoint Zero-Days Exploit 85+ Organizations Worldwide, Singapore Accuses Chinese Hackers of Critical Infrastructure Attacks, New CrushFTP and FortiWeb Zero-Days Exploited in Wild

Zero-Days, China, and Cursor Agents Gone Rogue — Patch Fast, Trust Less

Good Morning Security Gang!


Live from Israel and fully dialed in after the travel shuffle, it’s your Monday, July 21st, 2025 CyberHub Podcast — and this episode? It’s a full-blown vulnerability marathon. From not one but multiple Microsoft SharePoint zero-days, to China poking at critical infrastructure from Singapore to the Pentagon, to Cursor IDE background agents being used as hacker playgrounds — we’ve got the kind of headlines that make you question your patch management, third-party risk strategy, and maybe your entire development stack.

So pour that espresso (double if you're in a Microsoft shop), and let’s jump in.

🧩 SharePoint Zero-Days Under Active Exploitation

The weekend didn’t offer a break for SharePoint admins. Microsoft confirmed two zero-days (CVE-2025-53770 and CVE-2025-53771), collectively dubbed “ToolShell,” that give unauthenticated attackers remote code execution on on-premises SharePoint servers (Subscription Edition, 2019 and 2016; SharePoint Online is not affected). Observed exploitation dropped a web shell that reads out the server’s ASP.NET machine keys (the ValidationKey and DecryptionKey). With those keys an attacker can sign their own __VIEWSTATE payloads and keep executing code on a server that has since been patched, which is why Microsoft’s guidance is patch first, then rotate the machine keys. Microsoft has released emergency patches (check the advisory for the build that applies to your version). Palo Alto Networks and Google’s threat intelligence teams have confirmed active exploitation.

After installing the updates, Microsoft urges admins to rotate the SharePoint machine keys using one of the two methods below:

Manually via PowerShell

To update the machine keys using PowerShell, use the Update-SPMachineKey cmdlet.

Manually via Central Admin

Trigger the Machine Key Rotation timer job by performing the following steps:

  1. Navigate to the Central Administration site.

  2. Go to Monitoring -> Review job definition.

  3. Search for Machine Key Rotation Job and select Run Now.

  4. After the rotation has completed, restart IIS on all SharePoint servers using iisreset.exe.

It is also advised to analyze your logs and file system for the presence of malicious files or attempts at exploitation.

This includes:

  • Creation of C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx file.

  • IIS logs showing a POST request to _layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx and a HTTP referer of _layouts/SignOut.aspx.
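The two indicators above and the key-rotation step can be scripted so the check is the same on every server in the farm. The PowerShell below is an added example, not code from the original post or from Microsoft’s guidance. It assumes an on-premises SharePoint server whose IIS site logs the default W3C fields (including cs(Referer)), that the 15 and 16 hives live under %CommonProgramFiles%, and that Update-SPMachineKey is called once per web application (that call shape comes from the cmdlet’s documentation, not from the page). The function names and the sample IIS log lines are mine; the log lines are constructed.

```powershell
# Added example (not from the post or from Microsoft's guidance): ToolShell triage on an
# on-prem SharePoint server. Assumes default IIS W3C log fields, incl. cs(Referer), and the
# 15/16 hives under %CommonProgramFiles%. Function names are mine.

# Indicator 1: the spinstall0.aspx web shell dropped into a LAYOUTS folder.
function Find-ToolShellWebShell {
    param(
        [string[]]$LayoutsRoots = @(
            (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'),
            (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS')
        )
    )
    foreach ($root in $LayoutsRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The published name is spinstall0.aspx; the wildcard also catches renamed copies.
        Get-ChildItem -LiteralPath $root -Filter 'spinstall*.aspx' -File |
            Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc, Length
    }
}

# Indicator 2: POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with a
# Referer ending in /_layouts/SignOut.aspx. Columns are mapped from the #Fields header, so
# field order does not matter; IIS writes '+' for spaces and '-' for empty fields.
function Find-ToolShellRequest {
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin { $fields = @() }
    process {
        if ($Line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; return }
        if ($Line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($Line)) { return }
        $cols = $Line.Trim() -split ' '
        if ($fields.Count -eq 0 -or $cols.Count -lt $fields.Count) { return }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-method'] -eq 'POST' -and
            $row['cs-uri-stem'] -match '/_layouts/15/ToolPane\.aspx$' -and
            $row['cs-uri-query'] -match 'DisplayMode=Edit' -and
            $row['cs-uri-query'] -match 'a=/ToolPane\.aspx' -and
            $row['cs(Referer)'] -match '/_layouts/SignOut\.aspx') {
            [pscustomobject]@{
                Time      = "$($row['date']) $($row['time'])"
                ClientIP  = $row['c-ip']
                Status    = $row['sc-status']
                UserAgent = $row['cs(User-Agent)']
            }
        }
    }
}

# Step 3, only after the security update is installed: rotate the machine keys with the
# Update-SPMachineKey cmdlet named above (here once per web application) and restart IIS.
# Run iisreset.exe on every SharePoint server in the farm afterwards, as the steps above say.
function Invoke-SharePointMachineKeyRotation {
    if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell
    }
    Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
        Write-Host "Rotating machine keys for $($_.DisplayName)"
        Update-SPMachineKey -WebApplication $_
    }
    iisreset.exe
}

# --- demo on constructed IIS log lines (the first line is the default #Fields header) ---
$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/_layouts/SignOut.aspx 200 0 0 812
2025-07-19 03:13:01 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2025-07-19 08:40:12 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\jdoe 10.0.0.44 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/ 200 0 0 120
'@
$sampleLog -split "`r?`n" | Find-ToolShellRequest | Format-Table -AutoSize
Find-ToolShellWebShell | Format-Table -AutoSize

# Real run, all IIS logs on the box (each file carries its own #Fields header):
# Get-ChildItem C:\inetpub\logs\LogFiles -Recurse -Filter '*.log' | Get-Content | Find-ToolShellRequest
```

Of the three constructed lines, only the first meets all of the request criteria; the second line (a GET for spinstall0.aspx) is the shell being used rather than the exploit request, and is worth adding as a second pattern if you want the hunt to catch post-exploitation traffic too. Treat any hit as a full compromise: the keys are assumed stolen, so rotation is mandatory, not optional, and the server should be handled as an incident rather than just patched.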

📡 CrushFTP Exploit Offers Admin-Level Access

Another zero-day (CVE-2025-54309) hit CrushFTP, a widely used managed file transfer server: a flaw in its AS2 validation lets unauthenticated remote attackers obtain admin access through the HTTPS web interface. Fixed builds are 10.8.5 and 11.3.4_23. The vendor says threat actors reverse-engineered a recent fix for a different issue, found this bug, and used it against instances that had not updated. The classic security catch-22: auto-patching risks uptime, manual patching risks breach. No good answer, just higher stakes.

"This presents one of those conundrums in cyber - when you do auto-patching, you could have a CrowdStrike-like situation, but if you wait for customers to patch, your brand reputation gets hurt. Either way, it's a lose-lose situation." - James Azar on the patching dilemma facing software vendors

Administrators who believe their systems were compromised are advised to restore the default user configuration from a backup dated before July 16th. Indicators of compromise include:

  • Unexpected entries in MainUsers/default/user.XML, especially recent modifications or a last_logins field

  • New, unrecognized admin-level usernames such as 7a0d26089ac528941bf8cb998d97f408m.

CrushFTP recommends reviewing the upload and download logs for unusual activity and taking the following steps to mitigate exploitation:

  • IP whitelisting for server and admin access

  • Use of a DMZ instance

  • Enabling automatic updates
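The indicators CrushFTP lists can be checked in one pass over the users directory. The PowerShell below is an added example, not from CrushFTP’s advisory or the original post. It assumes the usual on-disk layout of one folder per user under users\MainUsers\<name>\user.XML, treats any admin-style folder name not on your own allowlist as “unrecognized,” and treats hash-style names (32 hex characters followed by “m,” the shape of the sample name above) as suspicious on sight; that name heuristic is my generalization, not something the advisory states. The user.XML schema beyond the element name last_logins is not assumed, and the directory tree the demo builds is constructed and deleted afterwards.

```powershell
# Added example (not from CrushFTP's advisory): triage the three indicators above.
# Assumptions: per-user folders at <install>\users\MainUsers\<name>\user.XML; an allowlist
# of expected usernames supplied by the admin; hash-style names (32 hex + 'm') flagged on sight.
# The demo tree below is constructed and removed afterwards.

function Find-CrushFtpSuspiciousUsers {
    param(
        [Parameter(Mandatory)][string]$MainUsersPath,
        [string[]]$KnownUsers = @(),
        # Cutoff from the advisory (restore from a backup older than this); compared in UTC,
        # day-level precision is enough here.
        [datetime]$ChangedSince = [datetime]'2025-07-16'
    )
    foreach ($dir in Get-ChildItem -LiteralPath $MainUsersPath -Directory) {
        $reasons = @()
        $xmlPath = Join-Path $dir.FullName 'user.XML'

        if ($dir.Name -match '^[0-9a-f]{32}m$') { $reasons += 'hash-style username' }
        if ($dir.Name -ne 'default' -and $KnownUsers -notcontains $dir.Name) { $reasons += 'not on allowlist' }
        if ((Test-Path -LiteralPath $xmlPath) -and
            (Get-Item -LiteralPath $xmlPath).LastWriteTimeUtc -ge $ChangedSince) {
            $reasons += "user.XML modified on/after $($ChangedSince.ToString('yyyy-MM-dd'))"
        }
        # The default user should never have logged in; a last_logins element means someone did.
        if ($dir.Name -eq 'default' -and (Test-Path -LiteralPath $xmlPath)) {
            [xml]$doc = Get-Content -LiteralPath $xmlPath -Raw
            if ($doc.SelectNodes('//last_logins').Count -gt 0) { $reasons += 'default user has last_logins' }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ User = $dir.Name; Path = $xmlPath; Reasons = ($reasons -join '; ') }
        }
    }
}

# --- constructed demo tree: one legitimate user, a touched default user, one hash-style admin ---
$root      = Join-Path ([IO.Path]::GetTempPath()) ('crushftp-demo-' + [guid]::NewGuid().ToString('N'))
$mainUsers = Join-Path $root 'users\MainUsers'
$demo = @{
    'alice'                             = '<user><username>alice</username></user>'
    'default'                           = '<user><username>default</username><last_logins>constructed</last_logins></user>'
    '7a0d26089ac528941bf8cb998d97f408m' = '<user><username>7a0d26089ac528941bf8cb998d97f408m</username></user>'
}
foreach ($name in $demo.Keys) {
    $d = New-Item -ItemType Directory -Path (Join-Path $mainUsers $name) -Force
    Set-Content -LiteralPath (Join-Path $d.FullName 'user.XML') -Value $demo[$name] -Encoding UTF8
}
# Backdate the legitimate user's file so it sits before the advisory's cutoff.
(Get-Item -LiteralPath (Join-Path $mainUsers 'alice\user.XML')).LastWriteTimeUtc = [datetime]'2025-06-01'

Find-CrushFtpSuspiciousUsers -MainUsersPath $mainUsers -KnownUsers @('alice') | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

On a real server point -MainUsersPath at the install’s users\MainUsers folder and pass every username you expect to exist. A hit on the default user or on a name you did not create is the advisory’s “assume compromised” condition: restore the user configuration from a pre-July-16 backup, then go through the upload and download logs, since admin access on a file transfer server usually means data left with it.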

🧬 FortiWeb SQL Injection RCE

Fortinet released a fix for CVE-2025-25257, a critical SQL injection bug in FortiWeb that lets unauthenticated attackers execute arbitrary SQL commands via crafted HTTP requests; a public PoC chains it into remote code execution on the appliance. Fixed builds are FortiWeb 7.6.4, 7.4.8, 7.2.11 and 7.0.11, and every earlier 7.x release is affected. If you can’t patch yet, Fortinet’s workaround is to disable the HTTP/HTTPS administrative interface. Shadowserver saw the number of compromised FortiWeb instances it could observe drop from 85 to 35 over the weekend, a sign that speedy patching works when urgency is clear.

🔐 HPE Aruba Hard-Coded Credential Flaw

HPE disclosed a nasty bug (CVE-2025-37103) in Aruba Instant On access points. These compact wireless devices, common in SMB environments, shipped with hardcoded credentials: anyone who knows them can bypass normal device authentication and gain administrative access to the web interface, a gaping backdoor into enterprise WiFi. Affected firmware is 3.2.0.1 and earlier; the fix is 3.2.1.0. Anyone using these devices should update immediately or risk remote control of their WiFi infrastructure.

💻 Cursor IDE Background Agent Exploited

Reco researchers (the write-up is linked below) revealed a security bombshell: Cursor IDE’s background agent, which runs AI-driven coding tasks in a remote cloud environment, allows privilege escalation and lateral movement across environments. From inside the agent they were able to execute commands, escalate to root, pivot into Docker containers, and even hijack GitHub repository tokens. TL;DR: If you’re using Cursor or Windsurf, isolate and harden them immediately.

🇨🇳 Microsoft’s China Problem and the Pentagon

A ProPublica investigation exposed how Microsoft has been using China-based engineers to maintain Defense Department cloud systems, supervised only by U.S.-based “digital escorts” who hold clearances but often lack the technical depth to judge what the engineers are actually doing. That raised alarms in the Senate: Senator Tom Cotton has asked the Pentagon to audit which military contractors rely on Chinese labor, and Microsoft has since said it will stop using China-based engineers for DoD cloud work. This echoes the Rockwell Automation drama years ago, where critical ICS code was written in China. We’ve clearly learned nothing.

"We never learn! Congressional oversight is suggesting that Microsoft and other high-profile companies... we talked about Allen Bradley/Rockwell a few years ago... Now we're seeing Microsoft do that - they obviously didn't learn from the Rockwell automation story either." - James Azar on DOD contractors using Chinese workers for sensitive systems

🌐 Singapore Publicly Blames China for Infrastructure Attacks

Singapore’s National Security Minister confirmed that state-sponsored group UNC3886 has targeted its critical infrastructure — including routers and firewalls — with clear espionage goals. The campaign matches China’s larger pattern: compromise infrastructure now, exploit later. With Taiwan still in the crosshairs, this is strategic pre-positioning.

🧾 Meta Settles $8B Privacy Lawsuit

And in a twist no one saw coming: the $8 billion shareholder lawsuit against Meta’s leadership over Cambridge Analytica-era privacy failures settled on the second day of trial in Delaware. Terms are undisclosed, but let’s be real, this isn’t the last time Meta (or its investors) will be in court over user data.

✅ Action List for Security Teams:

  • 🛠️ Patch SharePoint ASAP and rotate machine keys immediately

  • 🔒 Update CrushFTP servers — and audit admin-level access logs

  • 🚫 Disable HTTP/HTTPS admin interface on unpatched Fortinet devices

  • 📶 Update Aruba firmware if you’re running Instant On APs

  • 📦 Harden and isolate Cursor and Windsurf development environments

  • 🇺🇸 If you're a federal contractor, audit all dev labor — no China-based contributors on classified systems

  • 🧰 Monitor lateral movement and Docker instances in DevOps environments

  • 🌏 Watch for state-sponsored probing of infrastructure, especially from UNC3886

🧠 James Azar’s CISO Take:

This Monday's episode really highlighted the accelerating pace of zero-day discoveries and exploitation, with SharePoint, CrushFTP, and Fortinet all facing active attacks within the same weekend timeframe. What concerns me most is the fundamental patching dilemma we're facing as an industry - the CrushFTP situation perfectly encapsulates this impossible choice between auto-patching (which could cause CrowdStrike-like outages) and waiting for customers to manually patch (which leaves them vulnerable to active exploitation). We're stuck in a lose-lose situation where vendors get blamed either for pushing updates too aggressively or for not protecting their customers from known vulnerabilities. The SharePoint ToolShell attacks hitting 85+ organizations show just how quickly threat actors can weaponize these discoveries, and the fact that CISA added it to the KEV catalog within days of weekend discovery shows the urgency level we're operating at.

The geopolitical cybersecurity implications from today's stories are equally concerning. Singapore's accusation of Chinese infrastructure attacks by UNC3886, combined with Senator Cotton's call for a Pentagon audit after the Microsoft digital-escort revelations, demonstrates how deeply intertwined our technology supply chains have become with potential adversaries. The Cursor AI platform security breakdown is particularly troubling because it represents the new attack surface we're creating as AI-powered development tools reach 70-80% market penetration. These tools are fundamentally changing how code gets written and deployed, but we're not adapting our security practices fast enough to match the pace of adoption. The fact that privilege escalation was possible "by design and necessity" for the Cursor agent shows how we're trading security for functionality in these AI development environments. Between the immediate technical challenges of zero-day management and the longer-term strategic concerns about supply chain security and AI tool risks, we're facing threats on multiple fronts that require both tactical patching discipline and strategic policy changes.


✅ Story Links:

https://www.securityweek.com/sharepoint-under-attack-microsoft-warns-of-zero-day-exploited-in-the-wild-no-patch-available/

https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-patches-for-sharepoint-rce-flaws-exploited-in-attacks/

https://www.bleepingcomputer.com/news/security/new-crushftp-zero-day-exploited-in-attacks-to-hijack-servers/

https://www.securityweek.com/fortinet-fortiweb-flaw-exploited-in-the-wild-after-poc-publication/

https://www.bleepingcomputer.com/news/security/hpe-warns-of-hardcoded-passwords-in-aruba-access-points/

https://www.reco.ai/blog/hijacking-cursors-agent-how-we-took-over-an-ec2-instance

https://therecord.media/singapore-accuses-chinese-backed-hackers-critical-infrastructure-attacks

https://www.cybersecuritydive.com/news/microsoft-china-employees-us-military-senate-letter/753465/

https://therecord.media/meta-investors-zuckerberg-settle-privacy-lawsuit

🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1

🚨 Important Links to Follow:

👉Website:

👉Listen here: https://linktr.ee/cyberhubpodcast

Stay Connected With Us.

👉Facebook: https://www.facebook.com/CyberHubpodcast/

👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/

👉Twitter (X): https://twitter.com/cyberhubpodcast

👉Instagram: https://www.instagram.com/cyberhubpodcast

🤝 For Business Inquiries: info@cyberhubpodcast.com

=============================

🚀 About The CyberHub Podcast.

The Hub of the Infosec Community.

Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
