Content
01. News Bites
- Google patches actively exploited Chrome zero-day in GPU rendering engine
- Cisco warns of critical ISE vulnerability allowing root access (CVE-2025-20337)
- Co-op confirms massive data breach affecting 6.5 million members
- 'Operation Eastwood' hits pro-Russian DDoS group NoName057(16)
- South Africa elevates cyber security in new national strategy
02. Conclusion
Google patches actively exploited Chrome zero-day in GPU rendering engine
Google has patched a high-severity zero-day vulnerability (CVE-2025-6558) in its Chrome browser that has been exploited in the wild, marking the fifth zero-day patched by Google in 2025. The flaw stems from insufficient validation of untrusted input in Chrome’s ANGLE and GPU components, which could allow attackers to escape the browser sandbox using a specially crafted HTML page.
Discovered by Google’s Threat Analysis Group (TAG), the exploit could enable attackers to execute code outside of Chrome’s secure environment, potentially gaining access to the host system without any user interaction beyond visiting a malicious site. This makes it particularly dangerous in targeted or nation-state campaigns.
Users are strongly urged to update Chrome to version 138.0.7204.157/.158, and users of Chromium-based browsers like Edge and Brave should apply updates once available. The issue underlines the increasing importance of monitoring GPU and rendering path flaws in web browsers.
Cisco warns of critical ISE vulnerability allowing root access (CVE-2025-20337)
Cisco has issued a critical alert for a newly discovered zero-click vulnerability affecting Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). Tracked as CVE-2025-20337 and carrying the maximum CVSS score of 10.0, the flaw allows unauthenticated remote attackers to execute code as root on the underlying OS via a crafted API request. No credentials are needed.
The vulnerability affects ISE/ISE-PIC versions 3.3 and 3.4, but not earlier releases. Patches have been issued in 3.3 Patch 7 and 3.4 Patch 2. While there’s no evidence of exploitation yet, Cisco urges admins to update immediately.
Separately, Fortinet is seeing active exploitation of CVE-2025-25257, with attackers using public exploits to install web shells on FortiWeb appliances. Over 70 infected instances have been identified globally, underscoring the need for rapid patching.
Co-op confirms massive data breach affecting 6.5 million members
UK retailer Co-op has confirmed that the personal data of all 6.5 million of its members was stolen during a major cyberattack in April. The breach, which forced the company to shut down IT systems and disrupted food supplies, was linked to the DragonForce ransomware gang.
CEO Shirine Khoury-Haq described the attack as “personal” during a BBC interview, saying the criminals had full access to members' contact details, though no payment data was exposed.
The breach reportedly began on 22 April with a social engineering attack that led to compromised credentials. Hackers then stole sensitive internal files, including password data.
The cybercriminals are believed to be connected to Scattered Spider, the same group behind the M&S attack. Four suspects—aged 17 to 20—were arrested last week by the National Crime Agency in connection with attacks on Co-op, M&S, and Harrods. Investigations are ongoing.
'Operation Eastwood' hits pro-Russian DDoS group NoName057(16)
International law enforcement agencies have disrupted the infrastructure of pro-Russian hacktivist group NoName057(16), responsible for widespread DDoS attacks across Europe. Dubbed “Operation Eastwood,” the Europol- and Eurojust-led initiative took place on 15 July with support from 12 countries.
Authorities searched properties in Germany, Latvia, Spain, Italy, Czechia, Poland, and France, taking more than 100 servers offline. Two arrests were made, and seven European arrest warrants were issued—six targeting suspects believed to be in Russia.
NoName057(16) emerged in 2022, using Telegram and crowdsourced malware “DDoSia” to coordinate attacks against Ukraine supporters. Their targets include NATO institutions, banks, energy firms, and government websites.
Eurojust confirmed 14 prolonged attacks in Germany alone, impacting 230 organisations. Further disruptions occurred during the 2023 Ukrainian Peace Summit in Switzerland and the NATO Summit in the Netherlands last month.
Despite the crackdown, the group remains active, continuing to announce new attacks on German firms.
South Africa elevates cyber security in new national strategy
The South African government is making cyber security a central pillar of its national security strategy, following a string of damaging attacks on state institutions. Minister in the Presidency Khumbudzo Ntshavheni outlined the updated 2024–2029 National Security Strategy this week, stressing that cyber threats now require a counter-intelligence and protective security focus.
Cyber crime joins other key threats like illegal migration, transnational crime, and climate insecurity. The move follows attacks on several public bodies, including South African Airways, the Weather Service, and the Department of Justice.
Authorities plan to boost cyber forensic capabilities, address vulnerabilities in procurement and IT systems, and reduce reliance on foreign vendors. Experts warn that SA faces over 3,800 cyber attacks per week—double the global average.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.