Cybersecurity News – July 21, 2025
Table of Contents
- Meta Patches Critical AI Prompt Exposure Flaw
- Critical SharePoint Zero-Day Vulnerability (CVE-2025-53770) Actively Exploited
- RingReaper: Linux EDR Evasion via io_uring Kernel Feature
- Russian Alcohol Retailer WineLab Shuts 2,000+ Stores After Ransomware Attack
- British Ministry of Defence Data Leak Endangers Afghan Allies
- Amazon Prime Day Targeted by Over 1,000 Fake Domains
- Major Linux Boot Vulnerability Allows Secure Boot Bypass
Meta Patches Critical AI Prompt Exposure Flaw
Background and Discovery
Meta recently remediated a severe vulnerability within its AI chatbot platform, which allowed authenticated users to access and modify private prompts and outputs submitted by unrelated individuals. The vulnerability resulted from improper authorization checks during prompt editing. A unique but easily predictable identifier assigned to each prompt-response session enabled attackers to increment or modify the ID and retrieve another user’s interaction history.
Technical Details
The AI chatbot backend would return any prompt and AI-generated response if provided with a valid session identifier. Security researcher Sandeep Hodkasia identified the flaw by dissecting browser network traffic and found there were no mechanisms barring unauthorized access to arbitrary records. This design oversight presented the risk of large-scale scraping of sensitive and proprietary user content submitted to Meta’s generative AI system.
Remediation and Aftermath
Meta swiftly issued a patch once notified, closing the exposure and tightening session-bound access controls. The company reports no evidence of abuse during the vulnerable period and rewarded the security researcher accordingly. The incident underscores ongoing privacy challenges with large-scale generative AI services.
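The missing check described above, as an added example (not Meta's code and not from the original article): a lookup that trusts the identifier alone, beside one that binds each record to the authenticated owner, plus a log check for one account requesting many IDs it does not own. The store layout, function names and sample data are all assumptions.

```python
"""Added illustration: object-level authorization for prompt records.
Store layout, names and sample data are constructed, not Meta's."""
import secrets

# Constructed sample records: prompt_id -> (owner, prompt, response)
PROMPTS = {
    1001: ("alice", "draft my resignation letter", "Dear ..."),
    1002: ("bob", "summarise this contract", "The contract ..."),
    1003: ("carol", "debug my API key handling", "Your code ..."),
}
OWNERS = {pid: rec[0] for pid, rec in PROMPTS.items()}


class Forbidden(Exception):
    """Raised when the caller does not own the requested record."""


def get_prompt_id_only(prompt_id):
    # Flawed pattern from the article: any valid ID returns the record.
    return PROMPTS[prompt_id]


def get_prompt_owner_bound(session_user, prompt_id):
    # Hardened pattern: the record must belong to the authenticated caller.
    record = PROMPTS.get(prompt_id)
    if record is None or record[0] != session_user:
        # Same error for "missing" and "not yours" so IDs cannot be probed.
        raise Forbidden("prompt not found")
    return record


def new_prompt_id():
    # Unpredictable IDs are defence in depth, not a substitute for the check.
    return secrets.token_urlsafe(16)


def enumeration_suspects(access_log, owners, threshold=3):
    """Flag users who requested >= threshold distinct IDs they do not own."""
    foreign = {}
    for user, prompt_id in access_log:
        if owners.get(prompt_id) != user:
            foreign.setdefault(user, set()).add(prompt_id)
    return sorted(u for u, ids in foreign.items() if len(ids) >= threshold)


# Constructed access log: (authenticated user, requested prompt_id)
SAMPLE_LOG = [("alice", 1001), ("bob", 1002), ("mallory", 1001),
              ("mallory", 1002), ("mallory", 1003), ("carol", 1003)]
```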
Critical SharePoint Zero-Day Vulnerability (CVE-2025-53770) Actively Exploited
Vulnerability Overview
A critical zero-day vulnerability in Microsoft SharePoint, designated CVE-2025-53770, is being actively exploited in the wild. The flaw allows remote authenticated attackers to execute arbitrary code on vulnerable SharePoint servers, bypassing standard security controls.
Attack Mechanics
Exploitation requires access to a SharePoint instance but no elevated privileges. Attackers leverage the vulnerability by submitting specially crafted API requests, triggering deserialization flaws in the backend service logic. Successful exploitation results in arbitrary code execution within the context of the SharePoint server, potentially leading to widespread lateral movement and data exfiltration within affected organizations.
Mitigation Guidance
Administrators are urged to implement intrusion detection rules targeting suspicious SharePoint API calls and audit for anomalous internal lateral movement. Microsoft is expected to issue an urgent patch, and organizations should monitor for related indicators of compromise.
RingReaper: Linux EDR Evasion via io_uring Kernel Feature
Emergence of RingReaper
A sophisticated evasion tool codenamed RingReaper has surfaced in the cybersecurity landscape, targeting Linux systems equipped with Endpoint Detection and Response (EDR) software. RingReaper leverages the legitimate io_uring kernel feature, introduced for high-performance I/O operations in recent Linux kernels.
Technical Exploit
RingReaper operates by utilizing io_uring’s asynchronous execution and direct kernel communication, making its activity challenging for traditional EDR hooks to monitor. The tool is capable of injecting and executing arbitrary code in user and kernel space, all while evading detection by security monitoring agents that do not inspect io_uring-based operations.
Defensive Recommendations
Linux administrators should review system configurations and consider restricting the use of io_uring unless necessary. EDR vendors are being urged to update their engines to analyze and log io_uring activity for anomalous patterns that could indicate malware abuse.
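One way to surface io_uring use for review, as an added example that is not part of the original article: it parses auditd SYSCALL records and reports io_uring entry-point calls made by executables outside an allowlist. The allowlist and the log lines are constructed assumptions, and only x86_64 records are handled.

```python
"""Added illustration: flag io_uring use by unexpected programs in auditd
SYSCALL records. Allowlist and log lines are constructed."""
import re

# x86_64 syscall numbers for the io_uring entry points.
IO_URING_SYSCALLS = {425: "io_uring_setup", 426: "io_uring_enter",
                     427: "io_uring_register"}
X86_64_ARCH = "c000003e"
# Assumption: programs this host is expected to run with io_uring.
ALLOWED_EXES = {"/usr/sbin/nginx"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def unexpected_io_uring(lines, allowed=ALLOWED_EXES):
    """Return (exe, syscall name, uid) for io_uring calls outside the allowlist."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != X86_64_ARCH:
            continue
        num = rec.get("syscall", "")
        name = IO_URING_SYSCALLS.get(int(num)) if num.isdigit() else None
        if name and rec.get("exe") not in allowed:
            hits.append((rec.get("exe"), name, rec.get("uid")))
    return hits


# Constructed sample records (shortened field set).
SAMPLE = [
    'type=SYSCALL msg=audit(1753084800.101:4101): arch=c000003e syscall=425 '
    'success=yes exit=3 pid=812 uid=33 comm="nginx" exe="/usr/sbin/nginx"',
    'type=SYSCALL msg=audit(1753084812.220:4107): arch=c000003e syscall=425 '
    'success=yes exit=4 pid=9313 uid=1000 comm="upd" exe="/tmp/.cache/upd"',
    'type=SYSCALL msg=audit(1753084812.221:4108): arch=c000003e syscall=426 '
    'success=yes exit=1 pid=9313 uid=1000 comm="upd" exe="/tmp/.cache/upd"',
    'type=SYSCALL msg=audit(1753084813.000:4109): arch=c000003e syscall=59 '
    'success=yes exit=0 pid=9400 uid=1000 comm="ls" exe="/usr/bin/ls"',
]

if __name__ == "__main__":
    for exe, name, uid in unexpected_io_uring(SAMPLE):
        print(f"ALERT {name} by {exe} (uid={uid})")
```

For the restriction itself, kernels that provide the `kernel.io_uring_disabled` sysctl (Linux 6.6 and later) accept 2 to disable io_uring for all processes, or 1 to limit it to privileged processes and members of `kernel.io_uring_group`.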
Russian Alcohol Retailer WineLab Shuts 2,000+ Stores After Ransomware Attack
Incident Summary
WineLab, a major Russian alcohol retailer, was forced to close over 2,000 outlets nationwide following a significant ransomware attack on July 14. The attack crippled critical IT infrastructure—including online ordering, mobile applications, and point-of-sale systems—rendering the business inoperable.
Impact Assessment
Novabev Group, the operator, reported daily financial losses estimated between $2.6 million and $3.8 million due to lost sales and operational disruptions. The hackers demanded a ransom, but the company refused to pay. Although no evidence currently points to customer data exfiltration, the wider investigation continues.
Notable Implications
This incident stands out as Russian-based ransomware operators typically avoid domestic companies, indicating either a shift in criminal tactics or possible international involvement. WineLab’s IT recovery operations are ongoing, involving internal teams and external cybersecurity consultants.
British Ministry of Defence Data Leak Endangers Afghan Allies
Background of the Breach
A recent report confirmed the accidental disclosure of sensitive personal information belonging to nearly 19,000 Afghan nationals who had applied to the UK relocation scheme post-Taliban takeover. The breach, traced to a British Ministry of Defence official’s error in February 2022, included names, contact details, and family backgrounds—placing those involved at heightened risk of Taliban reprisals.
Response and Fallout
The breach was kept under a superinjunction until July 2025, with UK authorities subsequently launching a covert Afghan Relocation Route. Roughly 4,500 individuals and families have been relocated, though many remain in dangerous circumstances. Despite the severe implications, the Ministry opted not to pursue criminal charges against the responsible parties.
Continued Concerns
Advocacy groups and victims continue to press for enhanced safety assurances and compensation, highlighting persistent security and humanitarian challenges following the release of affected individuals’ data.
Amazon Prime Day Targeted by Over 1,000 Fake Domains
Phishing Surge Overview
In the lead-up to Amazon Prime Day 2025, cybersecurity researchers identified over 1,000 newly registered domains mimicking Amazon’s brand and event-related keywords. These domains are being utilized in sophisticated phishing campaigns aimed at stealing credentials and payment data from unsuspecting shoppers.
Attack Methodology
The fake domains deploy convincing lookalike webpages to lure users into entering sensitive data or downloading malicious payloads. Attackers often employ email campaigns, social media ads, and search engine manipulation to amplify traffic to these sites.
Protective Measures
Online shoppers are urged to confirm the authenticity of websites before entering credentials and utilize browser-based anti-phishing plugins. E-commerce companies are recommended to monitor domain registrations and take swift action to dismantle fraudulent domains.
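The domain-registration monitoring recommended above, sketched as an added example that is not from the original article: it triages a feed of newly registered domains for brand lookalikes, using digit-swap normalisation and a similarity threshold. The keyword list, threshold, owned-domain set and sample domains are constructed assumptions.

```python
"""Added illustration: triage newly registered domains for Amazon / Prime Day
lookalikes. Keywords, threshold and the domain list are constructed."""
import re
from difflib import SequenceMatcher

BRAND = "amazon"
EVENT_WORDS = ("prime", "deal", "sale")
LEGIT = {"amazon.com", "amazon.co.uk"}   # assumption: brand-owned domains
# Digit-for-letter swaps commonly seen in lookalike names.
SWAPS = str.maketrans("01345", "oleas")
TYPO_THRESHOLD = 0.8                      # assumption: tune on real data


def assess(domain):
    """Return the list of reasons a domain looks like a brand lookalike."""
    d = domain.lower().rstrip(".")
    if d in LEGIT or any(d.endswith("." + ok) for ok in LEGIT):
        return []
    # Split into labels and hyphen-separated words, dropping the TLD.
    tokens = [t.translate(SWAPS) for t in re.split(r"[.-]", d)[:-1] if t]
    reasons = []
    if any(BRAND in t for t in tokens):
        reasons.append("brand")
    elif any(SequenceMatcher(None, t, BRAND).ratio() >= TYPO_THRESHOLD
             for t in tokens):
        reasons.append("typo")
    # An event word only counts when a brand match is already present.
    if reasons and any(w in t for t in tokens for w in EVENT_WORDS):
        reasons.append("event")
    return reasons


def triage(domains):
    """Return {domain: reasons} for every domain that needs review."""
    return {d: assess(d) for d in domains if assess(d)}


# Constructed sample of newly registered domains.
NEW_DOMAINS = [
    "amaz0n-primeday.shop",         # digit swap + event word
    "amazn-deals.top",              # typo + event word
    "amazon.com.verify-login.xyz",  # brand used as a subdomain label
    "smile.amazon.com",             # legitimate subdomain
    "primeribs-bbq.com",            # event word alone is not enough
]
```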
Major Linux Boot Vulnerability Allows Secure Boot Bypass
Vulnerability Details
A significant bootloader flaw affecting modern Linux distributions permits attackers with brief physical system access to bypass Secure Boot. The attack vector involves manipulating the initramfs (initial RAM filesystem) during the boot process so that malicious payloads are loaded before kernel signature checks.
Attack Execution
In practical terms, an attacker inserts a modified USB or disk with a crafted initramfs. If the host system is not tightly locked down or if certain kernel parameters are weakly protected, an attacker’s unsigned code can gain privileged execution early in the boot sequence, even with Secure Boot enabled.
Mitigation Steps
System administrators should enforce strict physical security for sensitive devices, review BIOS and UEFI settings to prevent unauthorized boot sources, and apply full kernel and initramfs signing policies to protect against this class of attack.