Week 32 of 2025 brought a wave of high-impact security disclosures and emerging threats across enterprise, cloud and endpoint environments.
From Google unmasking a vishing campaign targeting Salesforce users to SonicWall probing reports of a potential SSL VPN zero-day, the week underscored how trusted technologies are increasingly being exploited.
Vulnerabilities in widely used platforms, including Trend Micro Apex One, Dell firmware, Microsoft Exchange and the Cursor AI editor, raised serious concerns about patching speed and persistent-access risks.
Google Exposes Vishing Campaign Targeting Salesforce with Fake Data Loader App
Google’s Threat Intelligence Group (GTIG) has unveiled a sophisticated vishing operation by the threat cluster UNC6040, which deceives employees into installing a malicious version of Salesforce’s Data Loader, often disguised as “My Ticket Portal.”
Once authorised, the tool grants attackers direct access to Salesforce environments, enabling large-scale data exfiltration and lateral movement into services like Okta, Microsoft 365 and Workplace.
The campaign, impacting around 20 organisations across sectors such as retail, hospitality and education, includes delayed extortion attempts where attackers pose as the notorious ShinyHunters group to pressure victims into paying.
SonicWall Probes Possible SSL VPN Zero-Day
SonicWall is investigating a sharp rise in cybersecurity incidents involving Gen 7 firewalls with SSL VPN enabled, potentially indicating an as yet unpatched zero-day vulnerability.
Researchers at Arctic Wolf and Huntress reported that despite the use of MFA and recent patching, Akira ransomware actors were breaching some devices and rapidly pivoting to domain controllers and deploying ransomware.
In response, SonicWall issued guidance urging organisations to disable SSL VPN where feasible, restrict access via IP allow‑list, enable Botnet Protection and Geo‑IP filtering, enforce strong MFA and remove inactive accounts.
Cybercriminals Abusing Legitimate Link Wrapping to Redirect Victims to Microsoft 365 Phishing Pages
Cybersecurity researchers have uncovered a sophisticated phishing campaign where attackers exploit trusted link wrapping services to mask malicious destinations and sneak around email security controls.
The campaign employs a multi-tier redirect chain. Attackers first use URL shorteners like Bitly, then hide the next hop behind legitimate URL wrapping services.
Victims are tricked into clicking what appears to be a safe link and are then redirected to deceptive Microsoft 365 login pages that steal credentials. By leveraging trusted infrastructure and obfuscation tactics, threat actors significantly raise the odds of deceiving both users and filters.
Cursor AI Code Editor Vulnerabilities Enable Remote Code Execution
Researchers have uncovered two critical security flaws in the AI-powered code editor Cursor, known as CurXecute (CVE-2025-54135) and MCPoison (CVE-2025-54136), both of which enable remote code execution (RCE) via abused Model Context Protocol (MCP) configurations.
In the CurXecute attack, an attacker can exploit a prompt injection vulnerability to create or modify a trusted MCP configuration file, such as .cursor/mcp.json, so that it executes malicious commands before the user has approved them.
MCPoison works by altering a previously trusted MCP configuration, allowing arbitrary code to execute silently with no warning or re-approval required.
Cursor has addressed both flaws in updates, specifically version 1.3.9 and above for CurXecute and 1.3 for MCPoison.
High Severity Flaw in Hybrid Exchange Deployments
Microsoft has issued an urgent warning about a high-severity vulnerability, CVE-2025-53786, affecting hybrid Exchange deployments: configurations where on-premises Exchange servers are connected to Exchange Online.
Attackers who gain administrative access to the on-prem environment could abuse the shared service principal identity to forge tokens or API requests that the cloud side trusts, enabling privilege escalation into Exchange Online, often without triggering any audit logs.
Although active exploitation hasn’t been observed yet, Microsoft considers it “Exploitation More Likely” due to easily reproducible exploitability.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) cautions that failure to mitigate could lead to “total domain compromise” across both on-prem and cloud environments. Immediate steps include applying the April 2025 hotfixes, deploying a dedicated hybrid app, initiating Service Principal Clean Up Mode and running Microsoft’s Exchange Health Checker.
CISA also recommends disconnecting public-facing, end-of-support servers from the internet.
France’s Telecom Giant Orange Discloses Cyberattack, Disruptions Reported
French telecom provider Orange detected a cyberattack on one of its internal systems on July 25th, prompting immediate isolation by its cybersecurity unit.
This response led to service disruptions affecting both business and consumer platforms, particularly in France, though operations were expected to resume by around July 30th.
At this stage, Orange states there is no evidence of any data exfiltration, and the investigation is ongoing in collaboration with the relevant authorities.
Attackers Exploit Critical Trend Micro Apex One Zero-Day Flaws
Trend Micro has confirmed that two critical command injection vulnerabilities, CVE-2025-54948 and CVE-2025-54987, both rated CVSS 9.4, in its Apex One on-premise Management Console are being actively exploited in the wild. These unauthenticated RCE flaws enable attackers with network access to execute arbitrary commands by exploiting improper input validation in the console’s backend.
A temporary mitigation tool has been released (FixTool_Aug2025), which fully prevents known exploits but disables the Remote Install Agent feature. A full patch is expected by mid‑August 2025.
Trend Micro strongly advises clients to apply the mitigation immediately, restrict external access to the console and prioritise patch deployment once available.
“ReVault” Firmware Flaws Put Millions of Dell Laptops at Risk of Persistent Exploits
Researchers at Cisco Talos have disclosed five critical firmware vulnerabilities collectively dubbed ReVault, affecting the ControlVault3 hardware security components in over 100 Dell Latitude and Precision laptop models.
These flaws (including out-of-bounds memory access, arbitrary free, stack overflow and unsafe deserialisation issues) allow attackers to escalate privileges, bypass Windows login, steal credentials or biometric data and implant malware that persists even after the operating system is reinstalled.
Dell has released patches for both firmware and driver components between March and May 2025 and is urging users to apply updates immediately.
If you would like to discover how Secora Consulting can assist you in keeping your business secure, please get in touch by filling out the form below.