Robert Grupe's AppSecNewsBits 2025-07-12
This week's Lame List & Highlights: CitrixBleed 2, Cisco, ServiceNow, Wing FTP, McDonald's, AI Therapist, Grok xAI, Catwatchful, GenAI vulnerabilities, and more ...
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Cisco warns that Unified CM has hardcoded root SSH credentials
The vulnerability (tracked as CVE-2025-20309) was rated as maximum severity, and it is caused by static user credentials for the root account, which were intended for use during development and testing.
The company added that there are no workarounds that address the vulnerability. Admins can only fix the flaw and remove the backdoor account by upgrading vulnerable devices to Cisco Unified CM and Unified CM SME 15SU3 (July 2025) or by applying the CSCwp27755 patch file.
[rG 2 issues here: never hardcode credential secrets, and don’t use the same secrets in prod/non-prod environments.]
New ServiceNow flaw lets attackers enumerate restricted data
ServiceNow is a cloud-based platform that enables organizations to manage digital workflows for their enterprise operations.
ServiceNow utilizes Access Control Lists (ACLs) to restrict access to data within its tables. Each ACL evaluates four conditions when determining if a user should have access to a specific resource: Required roles, Security attributes, Data conditions, Script conditions.
For a user to gain access to a resource, all of these conditions must be satisfied. However, if a resource is protected with multiple ACLs, ServiceNow previously used an "Allow if" condition, meaning that if a user satisfied just one ACL, they could gain access, even if other ACLs would have blocked them.
Even when record data isn't displayed, the record count leaks enough information to determine fields, including credentials, PII, and internal configuration data.
Self-registered users could also use this attack. Self-registration is a feature that allows users to create accounts and access the instance with minimal privileges, which can still be used to launch an attack. Though it is rare for instances to allow anonymous registration and access, this configuration was found in the ServiceNow systems of several Fortune 500 companies.
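The evaluation rule described above, as an added sketch that is not ServiceNow code: each ACL checks its four conditions, and a resource with several ACLs is decided either by the legacy "allow if any ACL passes" rule or by requiring every ACL to pass. The ACL objects, table rows, the guest account and the listQuery helper are hypothetical and constructed for illustration.

```javascript
// Added toy model of the ACL logic; object shapes and names are hypothetical,
// not ServiceNow's API. Sample data is constructed.

// One ACL grants access only when all four of its conditions hold.
function aclPasses(acl, user, rec) {
  const roleOk = acl.roles.length === 0 || acl.roles.some(r => user.roles.includes(r));
  return roleOk && acl.securityAttribute(user) && acl.dataCondition(rec) && acl.script(user, rec);
}

// Legacy combination: satisfying any single ACL on the resource is enough.
const allowIfAny = (acls, user, rec) => acls.some(a => aclPasses(a, user, rec));

// Stricter combination: every ACL on the resource must pass.
const requireAll = (acls, user, rec) => acls.every(a => aclPasses(a, user, rec));

// List query returning readable rows plus a total. With countBeforeAcl=true the
// total covers every row matching the filter, including rows the user cannot
// read, which is how a count alone can confirm a guessed field value.
function listQuery(table, filter, acls, user, decide, countBeforeAcl) {
  const matched = table.filter(filter);
  const rows = matched.filter(rec => decide(acls, user, rec));
  return { rows, total: countBeforeAcl ? matched.length : rows.length };
}

const table = [
  { id: 1, owner: "alice", classification: "public" },
  { id: 2, owner: "bob", classification: "restricted" },
  { id: 3, owner: "carol", classification: "restricted" },
];

const acls = [
  { // Broad ACL: any logged-in user, no data restriction.
    name: "read.basic", roles: [],
    securityAttribute: u => u.loggedIn,
    dataCondition: () => true,
    script: () => true,
  },
  { // Narrow ACL: restricted rows only for their owner or an admin.
    name: "read.restricted", roles: [],
    securityAttribute: u => u.loggedIn,
    dataCondition: () => true,
    script: (u, rec) =>
      rec.classification !== "restricted" || rec.owner === u.name || u.roles.includes("admin"),
  },
];

// Minimal-privilege account, e.g. one created through self-registration.
const guest = { name: "guest42", roles: [], loggedIn: true };
const onlyRestricted = rec => rec.classification === "restricted";

function demo() {
  return {
    legacyRows: listQuery(table, onlyRestricted, acls, guest, allowIfAny, false).rows.length,
    strictRows: listQuery(table, onlyRestricted, acls, guest, requireAll, false).rows.length,
    leakyTotal: listQuery(table, onlyRestricted, acls, guest, requireAll, true).total,
    safeTotal: listQuery(table, onlyRestricted, acls, guest, requireAll, false).total,
  };
}

console.log(demo());
```

Under the strict rule the guest reads no restricted rows, yet a total computed before the access check still reports how many exist, so counts need the same ACL filtering as the rows themselves.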
CVSS 10 RCE in Wing FTP exploited within 24 hours
The main issue at play was the way in which the Wing FTP web interface handled null bytes in the username field, allowing attackers to execute a Lua injection attack. If an attacker appended a username input with a %00 null byte, anything after that would be interpreted as Lua code - which would then be injected into session object files and deserialized by the application.
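A sketch of this failure mode beside a hardened handler, added here and not taken from Wing FTP's code. It assumes (the page does not say this) a credential check that reads the username as a C string and stops at the first NUL while the session writer keeps the full value; the function names, the account store and the TRAILING placeholder are hypothetical.

```javascript
// Added example. Constructed account store; plain comparison is used for
// brevity, a real service would verify a password hash in constant time.
const USERS = { alice: "correct horse" };

function passwordMatches(name, password) {
  return Object.prototype.hasOwnProperty.call(USERS, name) && USERS[name] === password;
}

// Assumption: native code treating the value as a C string sees only the
// bytes before the first NUL.
function cStringView(s) {
  const i = s.indexOf("\u0000");
  return i === -1 ? s : s.slice(0, i);
}

// Vulnerable flow: authenticate on the truncated view, persist the full value.
// Two components now disagree about what the username is.
function loginVulnerable(rawUsername, password) {
  const username = decodeURIComponent(rawUsername);
  if (!passwordMatches(cStringView(username), password)) return null;
  return { authenticatedAs: cStringView(username), storedUsername: username };
}

// Hardened flow: decode once, validate against an allow-list, and use that
// single canonical value everywhere.
const USERNAME_RE = /^[A-Za-z0-9._-]{1,64}$/;

function loginHardened(rawUsername, password) {
  let username;
  try {
    username = decodeURIComponent(rawUsername);
  } catch {
    return null; // malformed percent-encoding
  }
  if (!USERNAME_RE.test(username)) return null; // rejects NUL and other control bytes
  if (!passwordMatches(username, password)) return null;
  // Session state is serialized as data, never as script text to be evaluated.
  return { authenticatedAs: username, sessionBlob: JSON.stringify({ username }) };
}
```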
McDonald’s AI Hiring Bot Exposed Millions of Applicants’ Data to Hackers Who Tried the Password ‘123456’
The McHire administration interface for restaurant owners accepted the default credentials 123456:123456, and an insecure direct object reference (IDOR) on an internal API allowed us to access any contacts and chats we wanted. Together they allowed anyone else with a McHire account and access to any inbox to retrieve the personal data of more than 64 million applicants.
AI therapy bots fuel delusions and give dangerous advice
The results paint a potentially concerning picture for the millions of people currently discussing personal problems with AI assistants like ChatGPT and commercial AI-powered therapy platforms such as 7cups' "Noni" and Character[.]ai's "Therapist."
The Stanford study, titled "Expressing stigma and inappropriate responses prevents LLMs from safely replacing mental health providers."
Platforms marketed specifically for mental health support frequently gave advice that contradicted the crisis intervention principles identified in their review or failed to identify crisis situations from the provided context. The researchers note that these platforms serve millions of users despite having no regulatory oversight equivalent to the licensing requirements for human therapists.
Musk's AI company scrubs inappropriate posts after chatbot makes antisemitic comments
Grok was developed by Elon Musk’s xAI and pitched as an alternative to “woke AI” interactions from rival chatbots like Google’s Gemini, or OpenAI’s ChatGPT. Since then, Grok has shared several antisemitic posts, including the trope that Jews run Hollywood, and denied that such a stance could be described as Nazism. “Labeling truths as hate speech stifles discussion,” Grok said. It also appeared to praise Hitler, according to screenshots of posts that have now apparently been deleted.
Provider of covert surveillance app Catwatchful spills passwords for 62,000 users
The leak, made possible by a SQL injection vulnerability, allowed anyone who exploited it to access the accounts and all data stored in them.
Catwatchful is invisible. It cannot be detected. It cannot be uninstalled. It cannot be stopped. It cannot be closed. Only you can access the information it collects.
While the promoters claim the app is legal and intended for parents monitoring their children's online activities, the emphasis on stealth has raised concerns that it's being aimed at people with other agendas.
The app, however, has a hidden backdoor that allows it to be uninstalled when a user inputs the numbers 543210 into the phone app keyboard.
Unless users take action, Android will let Gemini access third-party apps
Google is implementing a change that will enable its Gemini AI engine to interact with third-party apps, such as WhatsApp, even when users previously configured their devices to block such interactions. Users can block the apps that Gemini interacts with, but even in those cases, data is stored for 72 hours.
The changes automatically start rolling out and will give Gemini access to apps such as WhatsApp, Messages, and Phone “whether your Gemini apps activity is on or off.” “If you have already turned these features off, they will remain off.” Nowhere are Android users informed how to remove Gemini integrations completely.
What’s Weak This Week:
CVE-2025-5777 Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability
Due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. Related CWE: CWE-125
CVE-2014-3931 Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability:
Could allow remote attackers to cause an arbitrary memory write and memory corruption. Related CWE: CWE-119
CVE-2016-10033 PHPMailer Command Injection Vulnerability:
Fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attacker can exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition. Related CWEs: CWE-77 | CWE-88
CVE-2019-5418 Rails Ruby on Rails Path Traversal Vulnerability:
A path traversal vulnerability in Action View. Specially crafted accept headers in combination with calls to render file: can cause arbitrary files on the target server to be rendered, disclosing the file contents. Related CWE: CWE-22
CVE-2019-9621 Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability:
A server-side request forgery (SSRF) vulnerability via the ProxyServlet component. Related CWEs: CWE-918 | CWE-807
HACKING
Critical CitrixBleed 2 vulnerability has been under active exploit for weeks
A critical vulnerability allowing hackers to bypass multifactor authentication in network management devices made by Citrix has been actively exploited for more than a month, researchers said. The finding is at odds with advisories from the vendor saying there is no evidence of in-the-wild exploitation.
Tracked as CVE-2025-5777, the vulnerability shares similarities with CVE-2023-4966, a security flaw nicknamed CitrixBleed, which led to the compromise of 20,000 Citrix devices two years ago.
Exploits are peppering the doAuthentication[.]do endpoint—which handles authentication for Netscaler devices—with thousands of login requests per day. Eventually, vulnerable devices will leak enough memory contents for attackers to recover session tokens required for administrative access.
Swedish bodyguards reveal PM’s location on fitness app
Swedish security service members who shared details of their running and cycling routes on fitness app Strava have been accused of revealing details of the prime minister’s location: including where he goes running, details of overnight trips abroad, and the location of his private home, which is supposed to be secret.
Drug cartel hacked FBI official’s phone to track and kill informants
The Sinaloa drug cartel in Mexico hacked the phone of an FBI official investigating kingpin Joaquín “El Chapo” Guzmán as part of a surveillance campaign “to intimidate and/or kill potential sources or cooperating witnesses.”
The hired hacker observed 'people of interest' for the cartel, including the FBI Assistant Legal Attache, and then was able to use the mobile phone number to obtain calls made and received, as well as geolocation data, associated with the phone. The hacker also used Mexico City's camera system to follow the attache through the city and identify people the attache met with. The cartel used that information to intimidate and, in some instances, kill potential sources or cooperating witnesses.
A second example of UTS threatening FBI investigations occurred when the leader of an organized crime family suspected an employee of being an informant. In an attempt to confirm the suspicion, the leader searched call logs of the suspected employee’s cell phone for phone numbers that might be connected to law enforcement.
A third example of the UTS threat is the use of credit or debit card transaction reports compiled by commercial data brokers. Though this data is anonymized, in 2015, researchers from MIT found that with the data from just four transactions, they could positively identify the cardholder 90% of the time.
Hacker with ‘political agenda’ stole data from Columbia University
The hacker reportedly provided Bloomberg News with 1.6 gigabytes of data, including information from 2.5 million applications going back decades. The stolen data the outlet reviewed reportedly contains details on whether applicants were rejected or accepted, their citizenship status, their university ID numbers and which academic programs they sought admission to.
The threat actor reportedly told Bloomberg he was seeking information that would indicate whether the university continues to use affirmative action in admissions despite a 2023 Supreme Court decision prohibiting the practice.
The hacker told Bloomberg he obtained 460 gigabytes of data in total — after spending two months targeting and penetrating increasingly privileged layers of the university’s servers — and said he harvested information about financial aid packages, employee pay and at least 1.8 million Social Security numbers belonging to employees, applicants, students and their family members.
Browser extensions turn nearly 1 million browsers into website-scraping bots
The 245 extensions, available for Chrome, Firefox, and Edge, have racked up nearly 909,000 downloads. The extensions serve a wide range of purposes, including managing bookmarks and clipboards, boosting speaker volumes, and generating random numbers. The common thread among all of them: They incorporate MellowTel-js, an open source JavaScript library that allows developers to monetize their extensions. The monetization works by using the browser extensions to scrape websites on behalf of paying customers, which include AI startups.
Common web server security headers like Content-Security-Policy and X-Frame-Options should stop this from happening. However, remember that the library requested declarativeNetRequest and access be added to the manifest if it isn't already? Those permissions allow for modification of web requests and responses as they are being made. The library dynamically modifies rules that will remove security headers from web server responses and then claims to add them back after the web page has loaded.
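One way to review an extension for the behaviour described above, as an added example that is not MellowTel's code: it checks a parsed manifest for the declarativeNetRequest permissions and scans rule objects for modifyHeaders actions that remove or overwrite the two security headers named here. The sample manifest and rules are constructed, and the function names and verdict strings are hypothetical.

```javascript
// Added example. Header list is limited to the two named in the text; extend as needed.
const SECURITY_HEADERS = new Set(["content-security-policy", "x-frame-options"]);
const DNR_PERMISSIONS = ["declarativeNetRequest", "declarativeNetRequestWithHostAccess"];

// Which declarativeNetRequest permissions does the manifest declare?
function dnrPermissions(manifest) {
  const declared = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  return declared.filter(p => DNR_PERMISSIONS.includes(p));
}

// Find modifyHeaders rules that remove or overwrite a security response header.
function headerStrippingRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    for (const h of action.responseHeaders || []) {
      const name = String(h.header || "").toLowerCase();
      if (SECURITY_HEADERS.has(name) && (h.operation === "remove" || h.operation === "set")) {
        findings.push({ ruleId: rule.id, header: name, operation: h.operation });
      }
    }
  }
  return findings;
}

// Combine both checks. Packaged rule files cannot show rules added at runtime,
// so a broad-host extension with the permission but no findings is still
// flagged: its live rules (chrome.declarativeNetRequest.getDynamicRules(),
// called from the extension's own context) need to be inspected.
function auditExtension(manifest, rules) {
  const perms = dnrPermissions(manifest);
  const findings = headerStrippingRules(rules);
  const broadHosts = (manifest.host_permissions || [])
    .some(h => h === "<all_urls>" || h.startsWith("*://*/"));
  let verdict = "ok";
  if (findings.length > 0) verdict = "strips-security-headers";
  else if (perms.length > 0 && broadHosts) verdict = "review-dynamic-rules";
  return { perms, broadHosts, findings, verdict };
}

// Constructed sample input.
const sampleManifest = {
  manifest_version: 3,
  permissions: ["storage", "declarativeNetRequest"],
  host_permissions: ["<all_urls>"],
};
const sampleRules = [
  { id: 1, priority: 1,
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "Content-Security-Policy", operation: "remove" },
      { header: "X-Frame-Options", operation: "remove" },
    ] },
    condition: { resourceTypes: ["sub_frame"] } },
  { id: 2, priority: 1, action: { type: "block" }, condition: { urlFilter: "ads.example" } },
];

console.log(auditExtension(sampleManifest, sampleRules));
```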
How to trick ChatGPT into revealing Windows keys? I give up
A clever AI bug hunter found a way to trick ChatGPT into disclosing Windows product keys, including at least one owned by Wells Fargo bank, by inviting the AI model to play a guessing game. The researcher then entered a string of numbers, the AI said the guess was incorrect, and the researcher said: "I give up." These three words are the "most critical step," according to Figueroa. "This acted as a trigger, compelling the AI to reveal the previously hidden information (i.e., a Windows 10 serial number)."
CatAttack: Simple Text Additions Can Fool Advanced AI Reasoning Models
Appending irrelevant phrases like "Interesting fact: cats sleep most of their lives" to math problems can cause reasoning AI models to produce incorrect answers at rates over 300% higher than normal. The technique exploits vulnerabilities in reasoning models including DeepSeek R1 and OpenAI's o1 family. The adversarial triggers work across any math problem without changing the problem's meaning, making them particularly concerning for security applications.
Beyond incorrect answers, the triggers caused models to generate responses up to three times longer than normal, creating computational slowdowns.
APPSEC, DEVSECOPS, DEV
The MFA You Trust Is Lying to You – and Here's How Attackers Exploit It
First we were told to use SMS for MFA. Then we were told: “Don’t use SMS for MFA, use an authenticator app instead.” And while that may seem like a step forward, it’s still fundamentally flawed. Authenticator apps do improve over SMS by avoiding message interception, but they are easily phished (every day now) and often rely on time-based codes that can also be phished, relayed, or even intercepted if the device is compromised.
Recent high-profile breaches (including Aflac, Erie Insurance and Philadelphia Insurance Companies) showed exactly how easy this is.
So you might think passkeys are an answer—and they are a small step forward but now are easily compromised as well. They cryptographically bind login credentials to websites and reduce human error. But they’re not foolproof. Passkeys are often stored and synced via cloud accounts. If someone hijacks your Apple or Google account, they can gain access to every passkey you’ve saved. A stolen or compromised phone? Same risk. And malware or user coercion can still result in approvals that give attackers full access.
The FBI’s Criminal Justice Information Services Security Policy governs how criminal histories, fingerprints, and investigation files must be protected. CJIS touches many domains (physical security, personnel background checks, incident response) but its beating heart is identity and access management. When the FBI audits your environment, they want to know three things: Who accessed what? How did they prove who they were? And were they allowed to see it?
Unique identities & unquestionable accountability:
Every individual should have their own user ID. Generic or shared accounts are forbidden. This helps with tracing actions back to specific people.
Strong passwords:
CJIS calls for at least 12-character passwords, blending uppercase, lowercase, numbers, and symbols. However, at Specops we recommend going further and enforcing 16+ character passphrases. CJIS also requires you to enforce history (no reusing the last 24 passwords) and lock out accounts after no more than five failed attempts.
MFA as another layer of defense:
A password alone is no longer sufficient. CJIS requires two factors for any non-console access: something you know (your password) plus something you have (a hardware token, phone authenticator, etc.). By separating those factors, you dramatically reduce the risk of compromised credentials.
Least privilege and quarterly recertifications:
Grant only the permissions each user needs to do their job, and no more. Then, every 90 days, pull together your system owners and review who still needs what access. Users change roles, projects end, and inactive accounts accumulate risk.
Audit trails and immutable logs:
Logging every authentication event, privilege change, and data query is non-negotiable. CJIS mandates at least 90 days of on-site log retention, plus one year off-site. That way, if you need to reconstruct an incident or answer an auditor’s question, your logs tell the full story without gaps.
Encryption and network segmentation:
Data must travel and rest under a cloak of FIPS-validated cryptography: TLS 1.2+ for in-flight data, AES-256 for storage. Beyond encryption, segregate your CJIS environment from the rest of your corporate network. Firewalls, VLANs, or air-gapped enclaves keep your most sensitive systems insulated from everyday operations.
VENDORS & PLATFORMS
Let's Encrypt rolls out free security certs for IP addresses
For those with a static IP address who want to host a website, an IP address certificate provides a way to offer visitors a secure connection with that numeric identifier while avoiding the nominal expense of a domain name.
China Is Quickly Eroding America’s Lead in the Global AI Race
In Europe, the Middle East, Africa and Asia, users ranging from multinational banks to public universities are turning to large language models from Chinese companies such as startup DeepSeek and e-commerce giant Alibaba as alternatives to American offerings such as ChatGPT... Saudi Aramco, the world's largest oil company, recently installed DeepSeek in its main data center. Major American cloud service providers such as Amazon Web Services, Microsoft and Google offer DeepSeek to customers.
OpenAI's ChatGPT remains the world's predominant AI consumer chatbot, with 910 million global downloads compared with DeepSeek's 125 million.
Leading Chinese AI companies — which include Tencent and Baidu — further benefit from releasing their AI models open-source, meaning users are free to tweak them for their own purposes. That encourages developers and companies globally to adopt them.
GitPhish: Open-source GitHub device code flow security assessment tool
We designed GitPhish explicitly for security teams looking to conduct assessments and build detection capabilities around Device Code Phishing in GitHub. Red teamers can simulate realistic attack scenarios to test organizational resilience, while detection engineers can validate their ability to identify suspicious OAuth flows, unusual GitHub authentication patterns, and potential social engineering attempts.
LEGAL & REGULATORY
UK Arrests Four in ‘Scattered Spider’ Ransom Group
4 people aged 17 to 20 in connection with recent data theft and extortion attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. The breaches have been linked to a prolific but loosely-affiliated cybercrime group dubbed “Scattered Spider,” whose other recent victims include multiple airlines.
MyPillow CEO Mike Lindell’s attorneys fined for inaccurate, AI-generated brief
The McSweeny Synkar and Kachouroff PLLC law firm and attorney Christopher Kachouroff are facing “jointly and severally” a sanction of $3,000. Attorney Jennifer DeMaster is also facing a $3,000 fine. Judge Nina Wang pointed out about 30 defective citations in a brief, ranging from failing to include basic court information to citations of cases that do not exist.
NYT to start searching deleted ChatGPT logs after beating OpenAI in court
A court order is requiring the AI company to retain all ChatGPT logs "indefinitely," including deleted and temporary chats.
Sidney Stein, the US district judge, suggested that OpenAI's user agreement specified that their data could be retained as part of a legal process, which Stein said is exactly what is happening now.
The greatest risk to users would be a data breach, but that's not the only potential privacy concern. The Electronic Frontier Foundation has stated that as long as users' data is retained, it could also be exposed through future law enforcement and private litigation requests.
And Now For Something Completely Different …
Half a million Spotify users are unknowingly grooving to an AI-generated band
A new band called The Velvet Sundown debuted on Spotify this month and has already amassed more than half a million listeners. But by all appearances, The Velvet Sundown is not a real band—it's AI.
An AI band called The Devil Inside that has released 10 albums in the past two years. Interestingly, both The Velvet Sundown and The Devil Inside seem to have many songs that reference dust and wind. That may simply be an artifact of repetition in music-generation models, or they may both be products of the same AI slop manufacturer.