In today’s cybersecurity news…
CISA gives one day for Citrix Bleed 2 fix
Following up on a story we have been covering for a couple of weeks now, CISA has now ordered all federal civilian agencies to “immediately patch a vulnerability impacting several NetScaler products used by organizations to manage network traffic.” This Citrix vulnerability, known colloquially as Citrix Bleed 2, has been described by CISA Acting Executive Assistant Director for Cybersecurity Chris Butera as posing “a significant, unacceptable risk to the security of the federal civilian enterprise.” This has led CISA to take the unusual step of giving federal civilian agencies just one day to patch it. The bug “affects Citrix customers who manage their own NetScaler ADC and NetScaler Gateway appliances — but not those with Citrix-managed cloud services.”
(The Record)
Google Gemini flaw hijacks email summaries for phishing
As posted in BleepingComputer. “Google Gemini for Workspace can be exploited to generate email summaries that appear legitimate but include malicious instructions or warnings that direct users to phishing sites without using attachments or direct links.” As a reinvention of the white font, zero-point size technique, this attack leverages indirect prompt injections that are invisible to humans but obeyed by Gemini when generating the message summary. The model disclosed by a researcher at Mozilla as part of that company’s bug bounty program for generative AI tools, shows how an attacker can hide malicious instructions in the body text at the end of the message using HTML and CSS that literally sets the font size to zero and its color to white. Lacking any links or attachments allows the email to slip through, at which point, the “if the recipient opens the email and asks Gemini to generate a summary of the email, Google’s AI tool will parse the invisible directive and obey it.”
Louis Vuitton says UK customer data stolen in cyber-attack
The leading brand of the French luxury group LVMH has announced that that an unauthorised third party accessed the systems of its UK operation’s systems, obtaining information such as customer names, contact details and purchase history. This follows a similar attack on its Korean operation, announced last week. The company says no financial data was compromised but warns that phishing and fraud attempts may occur.
Huge thanks to our sponsor, ThreatLocker
Hackers exploit RCE flaw in Wing FTP Server
Just one day after technical details on this flaw became public, exploitation by hackers has been reported. The vulnerability has a CVE number (CVE-2025-47812) and also has a the maximum severity rating of 10. It allows a remote unauthenticated attacker to execute code with the highest privileges on the system (root/SYSTEM). Wing FTP Server manages secure file transfers that uses scripts written in Lua, which is widely used in enterprise and SMB environments. According to researchers at Huntress, “one Wing FTP instance was targeted by five distinct IP addresses within a short time frame, potentially indicating mass-scanning and exploitation attempts by several threat actors.” This attack, however, failed, due to the hackers’ inexperience, or thanks to Microsoft Defender. Regardless, Huntress states that hackers are likely to scan for other Wing FTP instances and try again.
GPUHammer degrades AI models on NVIDIA GPUs
A warning from NVIDIA to customers: enable your System-level Error Correction Codes (ECC). This is to defend against a variant of the RowHammer attack, named GPUHammer. This is the first-ever RowHammer exploit demonstrated against NVIDIA’s GPUs, one that allows “malicious GPU users to tamper with other users’ data by triggering bit flips in GPU memory.” According to researchers at the University of Toronto, this can result in the degradation of an AI model’s accuracy from 80% to less than 1%. RowHammer is to modern DRAMs as Spectre and Meltdown are to contemporary CPUs, except that “unlike CPUs, which have benefited from years of side-channel defense research, GPUs often lack parity checks and instruction-level access controls, leaving their memory integrity more exposed to low-level fault injection attacks.”
Albemarle County, Virginia suffered ransomware attack in June
This attack, which happened June 11, and which has not yet been claimed by any cybercrime group, caused the usual type of damage that we have seen frequently when hitting towns, municipalities and counties across the U.S. and elsewhere. Some phone systems were disabled, and the data of local government and public-school employees, including driver’s license numbers, Social Security numbers, passport numbers, military IDs and more, was likely accessed, as stated by officials. Residents, too, may have had their names, addresses and Social Security numbers exposed. The county believes the hackers “failed to gain access to cloud-based systems and were only able to breach data held on local servers.”
Former Mexican president investigated over alleged spyware bribes
Former Mexican President Enrique Peña Nieto is being investigated by Mexico’s Attorney General following allegations that he “took bribes from Israeli businessmen” to secure government contracts for spyware and other technology.” The total amount of the bribes is said to equal $25 million. The contracts appeared to include a deal to buy Pegasus. The investigation comes in response to an account in the Israeli business publication TheMarker, which is based on documents filed as part of a legal dispute between the two Israeli businessmen who had entered into arbitration in Israeli courts “to determine [their] individual proceeds from a joint $25 million investment in Peña Nieto.
