This week in cybersecurity, several critical threats were identified across various sectors, involving unauthenticated access, supply chain vulnerabilities, and sophisticated malware deployment.
A severe SQL injection flaw in FortiWeb has been identified, enabling full remote code execution, while critical VMXNET3 vulnerabilities in VMware products may allow guest-to-host code execution. Meanwhile, FortiGuard Labs has uncovered the integration of Lcryx ransomware into the H2miner cryptomining botnet, signaling a dangerous evolution in hybrid cyberattacks.
The luxury retail sector has not been spared, with Louis Vuitton UK suffering its third customer data breach under the LVMH umbrella.
Elsewhere, weak credentials and malware have exposed millions of job seekers via Paradox.ai’s McHire bot, and threat actor UNC6148 has been found deploying the Overstep rootkit on SonicWall SMA devices, further underscoring the urgency for robust threat detection and prevention measures.
Critical Unauthenticated SQL Injection in FortiWeb Enables Full Remote Code Execution
Fortinet disclosed CVE-2025-25257, a critical SQL injection vulnerability in the GUI component of FortiWeb, with a CVSS score of 9.6. The flaw allows unauthenticated attackers to execute unauthorised SQL commands through crafted HTTP or HTTPS requests due to improper input sanitisation.
Affected FortiWeb versions span 7.0.0 to 7.6.3, and Fortinet has released fixed versions: 7.0.11, 7.2.11, 7.4.8, and 7.6.4.
Although not currently listed in the Known Exploited Vulnerabilities (KEV) catalog or linked to ransomware activity, the Irish NCSC urges immediate patching after appropriate testing.
Critical VMXNET3 Vulnerabilities in VMware Products Could Allow Guest-to-Host Code Execution
VMware disclosed four vulnerabilities (CVE-2025-41236 through CVE-2025-41239), three of which are rated critical with CVSS scores of 9.3. These affect a range of VMware products, including ESXi, vSphere, Workstation, Fusion, and various Telco Cloud platforms.
The vulnerabilities stem from an integer overflow issue in the VMXNET3 virtual network adapter and could allow a malicious actor with local admin access on a virtual machine to execute code on the host system. Only VMXNET3 adapters are affected; others remain unaffected.
Although not yet listed in the KEV catalog or known to be used by ransomware actors, immediate patching is strongly recommended by the NCSC following proper testing.
Lcryx Ransomware Discovered to be Embedded in H2miner Cryptomining Botnet
FortiGuard Labs’ FortiCNAPP team has identified a hybrid cyber threat in which the VBScript based Lcryx ransomware has been integrated into the H2miner cryptomining botnet. This is the first known instance where ransomware and cryptojacking capabilities coexist within the same campaign.
Combining file encryption and cryptocurrency mining lets attackers profit from both data ransom and resource exploitation, making it a more stealthy and lucrative threat.
Louis Vuitton UK Hit by Third LVMH Customer Data Breach
Luxury brand Louis Vuitton, a division of LVMH, confirmed that on July 2nd, 2025, hackers accessed its UK systems and exfiltrated customer names, contact details and purchase history.
This marks the third breach of LVMH brands in three months, following prior incidents at Louis Vuitton Korea and Christian Dior.
The company has notified UK authorities, implemented reinforced security measures and is actively investigating the incident.
Weak Passwords and Malware Compromise Expose Millions via Paradox.ai’s McHire Bot
Security researchers Ian Carroll and Sam Curry found that Paradox.ai’s McHire chatbot, used by McDonald’s franchisees and hosted at McHire.com, was vulnerable due to an administrator account protected by the password “123456.” This weak credential allowed unauthorised access to private chats of approximately 64 million job applicants, exposing names, emails, and phone numbers.
Paradox.ai confirmed the account had been dormant since 2019 and unrelated to other clients, stating only five chat records were downloaded by the researchers, with no evidence of broader data leakage. However, a separate malware infection (Nexus Stealer) on a developer’s device in Vietnam later compromised internal credentials and authentication tokens including those for SSO and Atlassian, heightening concerns about potential remote access attacks.
Paradox.ai confirmed that most exposed passwords were outdated, has enforced stricter security measures (SSO with MFA since 2020), and plans to strengthen password policies and auditing after passing ISO 27001 and SOC 2 audits in 2019.
UNC6148 Installs Overstep Rootkit on SonicWall SMA Devices
Google’s Threat Intelligence Group (GTIG) reports that the North Korea linked threat actor UNC6148 has been compromising SonicWall SMA 100 series appliances since at least October 2024, deploying a sophisticated malware dubbed Overstep.
This malware combines a backdoor with a user-mode rootkit, enabling credential theft, stealthy persistence via /etc/ld.so.preload, log tampering, and even malicious modifications to the device’s INITRD during boot.
UNC6148 regained access using stolen admin credentials and OTP seeds, bypassing patches and wiping logs to obstruct forensic efforts. While direct ransomware deployment has not been confirmed, GTIG warns this campaign “possibly” supports future extortion or data theft operations.
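A defender-side check for the /etc/ld.so.preload persistence mechanism mentioned above, added here as an example; it is not code from GTIG, SonicWall or the Overstep report. The sample file contents, the trusted-directory list and the function names are assumptions, and because a preload rootkit can hide its own library from the running system, the check is meant to be run against an offline copy of the filesystem.

```python
import os

# Directories from which a deliberately configured preload library would
# normally be loaded; anything elsewhere deserves a closer look.
# (Assumed for this example; adjust to the appliance's real library layout.)
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Constructed sample of an /etc/ld.so.preload body, not taken from any real device.
SAMPLE_PRELOAD = """# constructed sample
/usr/lib/libc_extra.so   # hypothetical entry in a standard directory
/tmp/.cache/libhide.so
"""


def audit_ld_preload(contents: str, exists=os.path.exists) -> list:
    """Return (path, reason) findings for the text of an /etc/ld.so.preload file.

    glibc's loader reads the file line by line, treating '#' to end of line as
    a comment and whitespace as the entry separator, so the parser does the same.
    On a host that does not intentionally preload anything, every entry is a
    finding; the reason string grades it so an analyst can triage quickly.
    `exists` is injectable so the check can be pointed at a mounted offline
    image (or stubbed in tests) instead of the possibly-compromised live root.
    """
    findings = []
    for raw in contents.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comment
        for entry in line.split():
            if not entry.startswith("/"):
                findings.append((entry, "relative path: resolved via library search, easy to hijack"))
            elif not any(entry.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
                findings.append((entry, "library outside standard lib directories"))
            elif not exists(entry):
                findings.append((entry, "listed library does not exist on disk"))
            else:
                findings.append((entry, "preload entry present (verify hash and package ownership)"))
    return findings


if __name__ == "__main__":
    # Run against the local file if present; remember that a live, infected
    # host may lie about this file's contents or the libraries it names.
    path = "/etc/ld.so.preload"
    body = open(path).read() if os.path.exists(path) else SAMPLE_PRELOAD
    for entry, reason in audit_ld_preload(body):
        print(f"{entry}: {reason}")
```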