Tech Brief – 11 July 2025: Citrix Exploits, AI Compliance, and Dating App Disasters


Today’s Tech Brief – 11 July 2025 brings us network appliance nightmares, EU regulatory frameworks, and the kind of security lapses that make you wonder if we’ve learned anything since the days of password123.

Now everybody but Citrix agrees that CitrixBleed 2 is under exploit

CISA’s advisory acknowledges active exploitation of CVE-2025-XXXX (CitrixBleed 2) affecting NetScaler ADC and Gateway appliances. The vulnerability allows unauthenticated remote code execution on unpatched systems configured as gateways or AAA servers. Citrix disputes the exploit claims despite mounting evidence from Mandiant and GreyNoise.

Anyone who lived through the Code Red worm knows this drill. Critical infrastructure gets compromised, vendors downplay the risk, and admins scramble to patch legacy systems that probably should have been replaced years ago.

The flaw affects NetScaler versions 14.1-21.5, with exploits bypassing authentication entirely. CISA mandates federal agencies patch within 48 hours – a timeline that would have been laughable in the NT 4.0 era but feels optimistic even now. The exploit targets appliances many organisations rely on for secure remote access, making this particularly nasty for hybrid work environments.

Prioritise, don’t panic: the Patch Tuesday advice your business really needs

Microsoft’s July 2025 Patch Tuesday addressed 73 CVEs, including 5 critical RCE flaws in Windows DNS and Remote Desktop. The guidance advocates a tiered approach: domain controllers first, client devices second, with proper testing for legacy applications using compatibility modes.

This feels remarkably familiar to anyone who remembers scheduling downtime around Windows 2000 Service Packs. The article specifically addresses Server 2012 R2 workarounds – systems that should be retired but somehow keep running mission-critical applications nobody wants to touch.

CVE-2025-3196 scores a perfect 9.8 on the CVSS scale, affecting DNS resolution in ways that could cascade across entire networks. The 72-hour testing window recommendation assumes you’ve got proper staging environments, which many smaller organisations still lack despite decades of painful lessons.

EU releases final version of AI Code of Practice

The EU’s finalised AI Code of Practice mandates transparency for generative AI systems, including watermarking synthetic content and banning emotion-recognition in workplaces. Models exceeding 10 billion parameters face “high-risk” classification with strict audit requirements.

The regulatory framework carves out exemptions for open-source research but imposes hefty compliance burdens on commercial deployments. TechUK criticised the delayed implementation timeline, though official implementation timelines are pending confirmation of the final publication date. Fines can reach 6% of global revenue – enough to make even the biggest tech firms pay attention.

This echoes early web privacy debates around P3P standards, except the stakes are considerably higher. The code attempts to address AI “black boxes” by requiring explainable decision-making processes, particularly for public-sector deployments and critical infrastructure.

Lovestruck US Air Force worker admits leaking secrets on dating app

A US Air Force IT specialist pleaded guilty to sharing classified network diagrams and login credentials via dating platforms whilst attempting to impress potential romantic partners. The defendant used encrypted messaging to transmit screenshots of air-gapped systems, compromising DoD satellite communications projects.

The case reads like Kevin Mitnick’s social engineering playbook updated for the Tinder generation. Screenshots of Titan IV launch systems were apparently shared alongside the usual dating app banter, proving that operational security training still can’t compete with human psychology.

The breach involved systems specifically designed to be isolated from external networks. That an insider could so easily exfiltrate sensitive data through consumer messaging apps highlights fundamental gaps in data loss prevention, regardless of how many security briefings personnel attend. Dan Kaminsky would have recognised this pattern – technical solutions undermined by human factors.

From the Wayback Machine

On This Day: 1976 – Slide rule production by Keuffel & Esser reportedly ended in 1976. The transition from analog to digital computation mirrors today’s shift from traditional software to AI-powered tools – both representing moments when entire skill sets became historical curiosities almost overnight. By 1976, pocket calculators like the HP-35 and TI-30 had rendered slide rules obsolete for most users, just as AI tools are rapidly displacing traditional software workflows.

What This Means

Today’s Tech Brief – 11 July 2025 reveals familiar patterns in unfamiliar contexts. Network vulnerabilities still exploit the same trust relationships that plagued early internet infrastructure. Regulatory frameworks struggle to keep pace with technological change, just as they did during the browser wars. Human factors remain the weakest link in security chains, whether through social engineering or simple negligence. The slide rule’s obsolescence reminds us that even fundamental tools can vanish quickly when better alternatives emerge.

The more things change, the more they stay delightfully, frustratingly the same.

There’s more news where that came from – check out yesterday’s Tech Brief here.
