Table of contents
Today's threat landscape:
Top 3 vulnerabilities:
- Critical Roundcube vulnerability enables remote code execution
- Palo Alto Networks patches command injection flaw
- Critical Veeam vulnerability allows remote code execution
Industry news:
Today’s threat landscape
Nation-state strikes and attacks on infrastructure are the new norm
The digital battlefield widened in June. Escalating geopolitical tensions between Iran and Israel spurred a 700% surge in cyberattacks targeting Israeli infrastructure, with ripple effects threatening U.S. systems through disinformation, DDoS and phishing campaigns. Retail has emerged as a primary battleground, while groups such as Scattered Spider have pivoted to insurance firms. In response, both policy and innovation are accelerating at the EU level, with the recent launch of DNS4EU and a new blueprint to improve coordinated response and crisis management during major cross-border cyber incidents.
June also saw a chilling reminder of spyware’s political reach, as European and Italian journalists were targeted using the Israeli-made Paragon Graphite spyware, which exploited a zero-click flaw in Apple’s iMessage app (CVE-2025-43200). The spyware, sold only to governments, was reportedly used against journalists in clear violation of license agreements. The spyware’s ability to silently access data and communications underscores the ongoing threat posed by state-level surveillance tools.
Beyond targeted espionage, a wave of cyberattacks hit public and private institutions across Europe. In Sweden, public broadcasters SVT and Sveriges Radio were knocked offline by massive DDoS attacks, part of what officials call an effort to “damage Swedish society.” Meanwhile in Switzerland, personal data of around 130,000 UBS employees was leaked on the dark web after a breach at a third-party supplier. These events signal a broad offensive against critical information infrastructure across the media and financial sectors.
Top 3 vulnerabilities
Critical Roundcube vulnerability enables remote code execution
A critical security flaw (CVE-2025-49113, CVSS score 9.9) potentially impacting over 53 million hosts has been discovered in Roundcube Webmail. Exploitation requires only low-privileged authenticated access (any valid webmail login), making it one of the most severe issues recently reported.
The flaw stems from improper validation of the _from parameter in the upload.php script, which allows PHP object deserialization: the unsanitized value is written into the user's session, and a crafted value corrupts the serialized session record so that an attacker-supplied object is instantiated when the session is read back. In simple terms, attackers can craft malicious data that, when converted back into a PHP object, lets them execute arbitrary code on the mail server. Consequences include full system takeover, data exfiltration, and lateral movement across networks.
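The following is an added illustration of the bug class described above, not Roundcube's own code (Roundcube's actual fix sanitizes the offending parameter). The FileDropper class, the buildPayload/restoreVulnerable/restoreHardened functions and the temp-file target are assumptions made for the demo. It shows why any path from user-controlled bytes to unserialize() is a code-execution primitive once a "gadget" class exists, and what refusing object instantiation changes:

```php
<?php
declare(strict_types=1);

// Added example, not Roundcube's code. A "gadget" class: its magic method
// runs automatically and does something dangerous with attacker-settable
// properties. Real gadgets live in the application's or its vendors' code.
final class FileDropper
{
    public string $path = '';
    public string $content = '';

    public function __destruct()
    {
        // Fires when the object is garbage-collected, including objects
        // that came out of unserialize() with attacker-chosen properties.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// Attacker side: build the payload offline. A real payload drops a web
// shell under the document root; this one drops a harmless marker file.
function buildPayload(string $target): string
{
    $g = new FileDropper();
    $g->path = $target;
    $g->content = 'object injection marker';
    $payload = serialize($g);
    $g->path = ''; // disarm the local instance so its destructor is a no-op
    return $payload;
}

// Vulnerable server side: unserialize() instantiates whatever class the
// bytes name. This is the pattern behind the Roundcube bug, where the
// attacker-controlled bytes reach unserialize() through the session store.
function restoreVulnerable(string $untrusted): void
{
    $state = unserialize($untrusted);
    unset($state); // destructor runs here -> marker file is written
}

// Hardened server side: refuse objects. PHP substitutes a
// __PHP_Incomplete_Class stub whose magic methods never execute. The
// stronger fix is to never unserialize() user-influenced data at all and
// keep such state in JSON.
function restoreHardened(string $untrusted): void
{
    $state = unserialize($untrusted, ['allowed_classes' => false]);
    unset($state); // the stub is discarded, nothing runs
}

// Constructed demo target under the system temp directory.
$target  = sys_get_temp_dir() . '/objinj-' . getmypid() . '.txt';
$payload = buildPayload($target);
printf("payload: %s\n", $payload);

restoreVulnerable($payload);
printf("vulnerable: marker file %s\n", file_exists($target) ? 'WRITTEN' : 'absent');
@unlink($target);

restoreHardened($payload);
printf("hardened:   marker file %s\n", file_exists($target) ? 'WRITTEN' : 'absent');
```

Run it with `php demo.php`: the vulnerable path writes the marker file, the hardened path does not. The takeaway for reviewing your own code is that the dangerous call is unserialize() on anything a user can influence, directly or, as in Roundcube's case, via a session or cache record that the user's input was written into.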
More than 80,000 internet-exposed Roundcube instances were found still vulnerable in the days after disclosure. Proof-of-concept code is available on GitHub, and active exploitation has been reported by multiple sources, including abuse attributed to the threat group Ghostwriter.
Mitigation
Take the following steps:
- Update to Roundcube 1.5.10 or 1.6.11 immediately
- If patching is delayed, isolate the service: restrict access to the webmail interface (for example behind a VPN) and, since exploitation only needs a valid login, treat any account with a weak or leaked password as a path to code execution on the server
Palo Alto Networks patches command injection flaw
A high-severity vulnerability (CVE-2025-4231) was patched in Palo Alto Networks PAN-OS, affecting versions 10.1 through 11.0.2. The flaw lets an authenticated administrator execute commands as the root user via a command injection bug in the management web interface.
The vulnerability scores 9.0 on CVSS v2, 7.2 on CVSS v3 and 8.6 on CVSS v4; all three reflect full impact on confidentiality, integrity and availability. Exploitation requires network access to the web interface and valid admin credentials, a combination that becomes far more dangerous when management interfaces are exposed to the internet or to untrusted networks.
Cloud NGFW, Prisma Access, and GlobalProtect portals are not directly affected, but systems with misconfigured management profiles remain at risk.
Mitigation
To fix the issue, upgrade:
- PAN-OS 11.0.0–11.0.2 to 11.0.3
- PAN-OS 10.2.0–10.2.7 to 10.2.8
- PAN-OS 10.1 to 10.2.8 or 11.0.3
All older or unsupported versions should be upgraded immediately to supported versions.
If you cannot update yet, Palo Alto advises restricting management web access to trusted internal IP addresses, verifying that no management interface is reachable from the internet, and reviewing assets tagged PAN-SA-2024-0015 in Palo Alto’s customer support portal, which flags devices whose management interface has been seen exposed.
Critical Veeam vulnerability allows remote code execution
Veeam has released a critical security update to patch a remote code execution vulnerability (CVE-2025-23121 with CVSS score of 9.9) in its widely used Backup & Replication software.
The flaw allows any authenticated domain user to execute arbitrary code on a domain-joined Backup Server, potentially leading to full system compromise. All builds prior to version 12.3.2 (build 12.3.2.3617) are affected, including 12.3.1.1139.
This patch follows concerns that an earlier fix for CVE-2025-23120, a similar RCE bug, could be bypassed. Veeam also addressed CVE-2025-24286 (CVSS 7.2) and CVE-2025-24287 (CVSS 6.1), which could allow unauthorized modification of backup jobs and local privilege escalation, respectively.
Given that Veeam exploitation featured in over 20% of recent incident response cases, typically after attackers had already gained initial access elsewhere, organizations should prioritize patching.
Mitigation
Take the following steps:
- Upgrade to Veeam Backup & Replication 12.3.2 (build 12.3.2.3617)
- Update Veeam Agent for Windows to version 6.3.2
- Limit backup server access to trusted users only and, in line with Veeam’s long-standing best practice, keep the backup server off the production Active Directory domain, which removes the precondition for CVE-2025-23121
Delaying this update could expose critical infrastructure to significant risk.
Industry news
Cyber security is a critical part of European defense
In response to escalating threats, NATO announced that cyber security will be integrated into its core defense spending targets, reflecting the strategic importance of digital resilience. The United States, however, moved in the opposite direction, with the Trump administration proposing cuts to CISA’s 2026 budget, sparking concern among security leaders.
Europe, meanwhile, is moving to reinforce its digital front. ENISA unveiled an updated national cyber security strategy framework, aiming to harmonize and strengthen defenses across member states. Sweden also introduced a new digitalization strategy for 2025–2030, prioritizing secure cloud policy, improved data infrastructure, and stronger digital trust frameworks. These shifts highlight a growing divide in how governments are choosing to prioritize cyber resilience in the face of intensifying global threats.