
Chrome’s high-risk bug gets squashed.
Google and Microsoft issue critical updates. CISA warns of active exploitation of a critical flaw in Wing FTP Server. Cloudflare restores its DNS Resolver service following a brief outage. A critical vulnerability in a PHP documentation tool allows attackers to execute code on affected servers. NSA and FBI officials say they’ve disrupted Chinese cyber campaigns targeting U.S. critical infrastructure. A UK data breach puts Afghan soldiers and their families at risk. Researchers find malware hiding in DNS records. A former U.S. Army soldier pleads guilty to charges of hacking and extortion. Ben Yelin joins us with insights on the Senate Armed Services Committee’s response to rising threats to critical infrastructure. The large print giveth and the small print taketh away.
Today is Wednesday, July 16th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Google and Microsoft issue critical updates.
Google has issued a critical Chrome update fixing six vulnerabilities, including one actively exploited flaw, CVE-2025-6558. Rated high-severity (CVSS 8.8), this bug allows attackers to escape Chrome’s sandbox via a specially crafted HTML page. The flaw lies in ANGLE, the graphics abstraction layer that translates untrusted GPU commands from web content into native graphics API calls, which is why a malicious page can reach it without any user interaction beyond loading the page. Discovered by Google’s Threat Analysis Group, the flaw affects Chrome versions before 138.0.7204.157. While technical details remain restricted, the risk is serious, as sandbox escapes let code that already runs in a compromised renderer reach the rest of the system. Users are urged to update Chrome immediately, and administrators should confirm the deployed version rather than assume auto-update has already run. The patch also addresses five additional flaws, though none were exploited. This marks the fifth exploited Chrome vulnerability fixed in 2025.
Meanwhile, Microsoft has issued an emergency update (KB5064489) to fix a bug that blocked some Azure virtual machines from starting. The issue affected Windows Server 2025 and Windows 11 24H2 systems using VBS with Trusted Launch disabled, particularly on older VM SKUs. It stemmed from a secure kernel initialization problem introduced in the July Patch Tuesday update. Microsoft advises impacted users to install the new patch and recommends enabling Trusted Launch to prevent similar issues. Updated VM images now include the fix.
CISA warns of active exploitation of a critical flaw in Wing FTP Server.
A critical flaw in Wing FTP Server, tracked as CVE-2025-47812, is being actively exploited, prompting a CISA alert. The vulnerability, rated 10/10 in severity, allows total server compromise and affects Windows, Linux, and macOS versions. CISA added it to the Known Exploited Vulnerabilities catalog, ordering federal agencies to patch by August 4. Wing FTP is used by major organizations like the U.S. Air Force and Sony. Exploits were observed as early as July 1, with attackers attempting file downloads, reconnaissance, and remote monitoring installs. Huntress and Arctic Wolf researchers confirmed the threat and shared detection guidance. Despite attackers’ clumsy execution, the bug is actively targeted. Shadowserver found 2,000 exposed instances; Censys reported over 8,000. Organizations are urged to upgrade to version 7.4.4 immediately to mitigate risk.
Cloudflare restores their DNS Resolver service following a brief outage.
On July 14, Cloudflare’s 1.1.1.1 DNS Resolver service went offline globally for over an hour due to a misconfiguration introduced in June during internal preparations for a new data localization service. A configuration error mistakenly included 1.1.1.1 in a test topology, and when that configuration was activated, the change caused the withdrawal of the Resolver’s IP routes from Cloudflare’s network. DNS traffic dropped immediately, effectively cutting off internet access for users whose clients were configured with 1.1.1.1 as their only resolver. Cloudflare reverted the change by 22:20 UTC and fully restored service by 22:54 UTC. While a brief BGP hijack of 1.1.1.0/24 occurred during the outage, it wasn’t the cause. Cloudflare pledged to accelerate deprecation of legacy systems and adopt staged deployments to prevent future outages. DNS-over-HTTPS remained mostly unaffected throughout the incident, since it is reached by hostname rather than by the withdrawn addresses.
A critical vulnerability in a PHP documentation tool allows attackers to execute code on affected servers.
A critical vulnerability in LaRecipe, a PHP documentation tool, allows attackers to execute code on affected servers via Server-Side Template Injection (SSTI). Tracked as CVE-2025-53833 with a CVSS score of 10.0, the flaw stems from insecure handling of user input in templates: input is treated as part of the template itself rather than as data to be rendered, so template syntax supplied by an attacker is evaluated on the server. Exploitation requires minimal skill, using standard SSTI payloads to read files, execute commands, or access environment variables. Users should upgrade to version 2.8.1 or later immediately and audit systems for signs of compromise.
NSA and FBI officials say they’ve disrupted Chinese cyber campaigns targeting U.S. critical infrastructure.
U.S. cybersecurity officials from the NSA and FBI say they’ve disrupted Chinese cyber campaigns, particularly Volt Typhoon, which targeted U.S. critical infrastructure. Speaking at the International Conference on Cyber Security at Fordham University in New York City yesterday, NSA’s Kristina Walter confirmed China’s attempts to quietly infiltrate networks were unsuccessful thanks to coordination between the NSA, FBI, and private sector. Volt Typhoon aimed to set the stage for future sabotage, especially around naval infrastructure in places like Guam. Public disclosures forced Chinese hackers to adapt, burning older tactics. FBI cyber director Brett Leatherman also detailed a real-time cyber battle with China’s Flax Typhoon, where the FBI temporarily hijacked botnet infrastructure before Chinese actors retaliated with a DDoS attack, only to shut down their own systems upon learning the FBI was involved. Both officials emphasized the Chinese cyber ecosystem blends government and private entities. U.S. efforts to expose these operations aim to disrupt their tactics and force resource-draining resets, building friction into their campaigns.
A UK data breach puts Afghan soldiers and their families at risk.
Sometimes, a cyber breach isn’t just about stolen data—it can put lives at risk. A leaked database from 2022 exposed personal details of nearly 19,000 Afghans who supported British forces and applied to relocate to the UK after the Taliban takeover. The breach, caused by a UK defence official, remained secret until this week, when a super-injunction was lifted. Defence Secretary John Healey admitted he couldn’t confirm whether the leak led to any deaths but called it a grave failure. About 600 Afghan soldiers and their families remain in Afghanistan, potentially exposed. The UK’s response includes a £850 million resettlement scheme, yet critics question the secrecy and delays. Officials stress that while the Taliban likely already had much of this data, the breach heightened fear and panic among those affected. The incident reignites debate over accountability, transparency, and the deadly consequences of cyber negligence during wartime evacuations.
Researchers find malware hiding in DNS records.
Hackers are hiding malware inside DNS records, an area often overlooked by security tools. DomainTools researchers found a strain of nuisance malware, Joke Screenmate, embedded in the TXT records of subdomains on whitetreecollective[.]com. The malware was encoded in hexadecimal, split into chunks, and spread across those records. A dropper can reassemble the chunks with a series of ordinary-looking DNS queries, which to a resolver are indistinguishable from legitimate TXT lookups and so pass through most defenses. With growing use of encrypted DNS protocols like DoH and DoT, detecting such activity becomes even harder, since network sensors no longer see the queries at all. This stealthy tactic isn’t new; PowerShell scripts have been hidden in DNS for years, but it’s evolving. Researchers also found DNS records used to host prompt injection attacks targeting AI chatbots. These included bizarre or dangerous commands designed to manipulate the AI. As Ian Campbell of DomainTools puts it, DNS remains “a strange and enchanting place” where attackers can quietly operate beyond the reach of conventional cybersecurity tools.
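To make the chunked-TXT technique concrete, here is an added example (not code from DomainTools or from the campaign described above) that scans a set of TXT records for hex-encoded chunks, reassembles them in the order a dropper would, and classifies the result. The records, the `staging.example.net` domain, and the numbered-subdomain chunk layout are all constructed for illustration; real campaigns may use any labelling scheme, so the label parser is the part you would adapt.

```python
import binascii
import re
from typing import Dict, List, Optional, Tuple

# A TXT value that is nothing but hex, with an even length, decodes cleanly to bytes.
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample payload (NOT real malware): a fake PE header plus filler so the
# reassembled blob has a recognisable magic number. 120 bytes -> 240 hex characters.
FAKE_PE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n" + bytes(range(63))
)
FAKE_PE_HEX = binascii.hexlify(FAKE_PE_BYTES).decode()
CHUNK_HEX_LEN = 40  # assumed chunk size; the page does not state the real one

# Constructed zone data: six numbered subdomains carry the chunks, mixed with
# ordinary TXT records that a scanner must not flag.
SAMPLE_TXT_RECORDS: Dict[str, List[str]] = {
    f"{i}.staging.example.net": [FAKE_PE_HEX[j:j + CHUNK_HEX_LEN]]
    for i, j in enumerate(range(0, len(FAKE_PE_HEX), CHUNK_HEX_LEN))
}
SAMPLE_TXT_RECORDS.update({
    "example.net": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.net": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.net"],
    "_acme-challenge.example.net": ["gfj9Xq_kaM6YdT0vB3F4ltE0pQ-6cR7HRuZ0Ynq6RGk"],
    "7.legit.example.org": ["3f8a9c2d1e0b4a6f"],  # hex on a numbered label, but no set
})


def looks_like_hex_chunk(txt: str) -> bool:
    """True if the whole TXT value is an even-length hex string (so unhexlify cannot fail)."""
    return len(txt) >= 2 and len(txt) % 2 == 0 and bool(HEX_RE.match(txt))


def split_chunk_name(fqdn: str) -> Optional[Tuple[str, int]]:
    """Parse '<n>.<parent>' into (parent, n). ASSUMPTION: chunks sit on numerically
    labelled subdomains; adapt this for other naming schemes."""
    label, _, parent = fqdn.partition(".")
    if label.isdigit() and parent:
        return parent, int(label)
    return None


def find_hex_chunks(records: Dict[str, List[str]]) -> Dict[str, Dict[int, str]]:
    """Group hex TXT values on numbered subdomains by parent domain and chunk index."""
    chunks: Dict[str, Dict[int, str]] = {}
    for fqdn, values in records.items():
        parsed = split_chunk_name(fqdn)
        if parsed is None:
            continue
        parent, index = parsed
        for value in values:
            if looks_like_hex_chunk(value):
                chunks.setdefault(parent, {})[index] = value
    return chunks


def reassemble(chunks: Dict[int, str]) -> bytes:
    """Concatenate chunks in index order and hex-decode, exactly as a dropper would."""
    return binascii.unhexlify("".join(chunks[i] for i in sorted(chunks)))


def classify_payload(blob: bytes) -> str:
    """Cheap triage on the reassembled bytes via executable magic numbers."""
    if blob.startswith(b"MZ"):
        return "pe"
    if blob.startswith(b"\x7fELF"):
        return "elf"
    return "unknown"


def detect_dns_hosted_payloads(records: Dict[str, List[str]]) -> List[dict]:
    """One finding per parent domain that carries hex chunks on numbered subdomains.
    A set is 'complete' when indices 0..max are all present; only then is it decoded."""
    findings = []
    for parent, chunks in find_hex_chunks(records).items():
        complete = set(chunks) == set(range(max(chunks) + 1))
        blob = reassemble(chunks) if complete else b""
        findings.append({
            "domain": parent,
            "chunks": len(chunks),
            "complete": complete,
            "size": len(blob),
            "type": classify_payload(blob),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_dns_hosted_payloads(SAMPLE_TXT_RECORDS):
        print(finding)
```

Run against the constructed records, the six `staging.example.net` chunks reassemble to a 120-byte blob classified as `pe`, the SPF, DMARC and ACME records are ignored, and the lone hex value on `7.legit.example.org` surfaces as an incomplete set for an analyst to look at rather than as a decoded payload. In practice the query side is the better detection point when you have resolver logs: a client walking `0.`, `1.`, `2.`, ... under one parent in quick succession is the same pattern seen from the other end, and that is precisely the view DoH and DoT take away from a network sensor.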
A former U.S. Army soldier pleads guilty to charges of hacking and extortion.
Former U.S. Army soldier Cameron John Wagenius has pleaded guilty to wire fraud, extortion, and identity theft after hacking U.S. telecom companies and attempting to ransom or sell stolen customer data. While on active duty, he and accomplices breached systems using stolen credentials, stealing call and text metadata from hundreds of thousands of users, including high-profile targets. Prosecutors say Wagenius demanded up to $500,000 in cryptocurrency and even offered stolen data to a foreign intelligence agency. Court documents reveal he tried to defect, violated military orders, and continued hacking even after federal searches. He posted stolen data on cybercrime forums like BreachForums and Telegram, with some of the compromised files containing government officials’ phone records. Authorities seized over 17,000 identity documents from his devices. Wagenius faces up to 27 years in prison and will be sentenced on October 6. He is considered a significant flight risk and national security threat.
The large print giveth and the small print taketh away.
As 20th century philosopher and musician Tom Waits so eloquently stated, “The large print giveth and the small print taketh away.” File transfer utility WeTransfer recently updated its terms of service—and promptly sent privacy advocates into mild hysteria. Content creators, understandably jumpy about their hard work being fed to some ravenous AI, took to X (formerly Twitter) to say they were jumping ship. The fuss centered around wording that suggested WeTransfer might use uploaded files to train machine learning models. Cue the panic. In a brisk about-face, WeTransfer clarified: “No, we’re not selling your audition tape to Skynet.” They’ve since scrubbed the language and now promise their only goal is to “improve the Service”—with a capital S, no less. The change takes effect August 8. This isn’t the first AI-fueled freak-out either—Dropbox faced similar outrage in 2023. As one privacy lawyer quipped, in the age of AI gold rushes, your data is the new pickaxe—and vague terms are the minefield.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
