Threat Feed

01.09.2025 Threat Report

Written by Craig Pepper | Sep 1, 2025 8:53:49 AM
This week's report has been particularly eventful, with several significant threats that could impact UK healthcare organisations: an actively exploited Git vulnerability, a critical Citrix NetScaler zero-day under active attack, a WhatsApp zero-click exploit, and a major US healthcare data breach affecting 211,000 patients. Full report below...
 
 

Critical Git Remote Code Execution Vulnerability (CVE-2025-48384)

A critical vulnerability in Git, the popular version control system, is being actively exploited by attackers. The flaw stems from how Git handles configuration values containing control characters, allowing attackers to craft malicious repositories that execute code when cloned. The vulnerability can be exploited to write malicious Git Hook scripts, resulting in remote code execution whenever common commands like git commit and git merge are run.
 
What makes this particularly concerning is how trivial the exploitation is: attackers simply create malicious Git repositories that automatically execute code when developers clone them. The vulnerability was originally patched in July, but CISA's addition of the flaw to its Known Exploited Vulnerabilities (KEV) catalogue confirms it is now being weaponised in real-world attacks.
 
Healthcare development teams using Git for medical software, EHR systems, or device firmware are at direct risk. Many NHS trusts and health tech companies rely on Git for collaborative development of critical healthcare applications.
 
Recommendations:
  • Immediately update Git to fixed versions (v2.50.1, v2.49.1, v2.48.2, v2.47.3, v2.46.4, v2.45.4, v2.44.4, or v2.43.7)
  • Audit CI/CD build systems to ensure they're running patched Git versions
  • Avoid recursively cloning submodules from untrusted repositories
  • Review recent Git activity for any suspicious repository clones or unexpected code execution
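Two of the checks above can be scripted. The following is an added example (not from the original report or from the Git project): it compares the installed Git against the fixed releases listed above and scans a repository's `.gitmodules` (a Git config file) for control characters in its values, the input class the vulnerability concerns. The sample `.gitmodules` content is constructed, and the `example.invalid` URLs are placeholders.

```python
import re
import subprocess

# Fixed releases as listed in the report, keyed by (major, minor) series.
FIXED_VERSIONS = {
    (2, 50): (2, 50, 1), (2, 49): (2, 49, 1), (2, 48): (2, 48, 2),
    (2, 47): (2, 47, 3), (2, 46): (2, 46, 4), (2, 45): (2, 45, 4),
    (2, 44): (2, 44, 4), (2, 43): (2, 43, 7),
}

def parse_git_version(output: str) -> tuple[int, int, int]:
    """(major, minor, patch) from `git --version`, e.g. 'git version 2.39.5 (Apple Git-154)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"unrecognised git version string: {output!r}")
    return (int(m[1]), int(m[2]), int(m[3]))

def is_patched(version: tuple[int, int, int]) -> bool:
    """At or above the fix for its series; series newer than 2.50 are assumed fixed, older than 2.43 never were."""
    series = version[:2]
    if series in FIXED_VERSIONS:
        return version >= FIXED_VERSIONS[series]
    return series > (2, 50)

# Bytes a git config value should never contain: C0 controls and DEL,
# except TAB (used for indentation) and LF (the line terminator).
CONTROL_BYTES = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")

def find_control_chars(config: bytes) -> list[tuple[int, str]]:
    """(line_number, repr) for each config line with control bytes. Conservative: CRLF files flag every line."""
    hits = []
    for lineno, line in enumerate(config.split(b"\n"), start=1):
        if CONTROL_BYTES.search(line):
            hits.append((lineno, repr(line)))
    return hits

def installed_git_is_patched() -> bool:
    out = subprocess.run(["git", "--version"], capture_output=True, text=True, check=True).stdout
    return is_patched(parse_git_version(out))

# Constructed sample .gitmodules: the second submodule's path value carries a stray CR byte.
SAMPLE_GITMODULES = (
    b'[submodule "libfoo"]\n\tpath = libfoo\n\turl = https://example.invalid/libfoo.git\n'
    b'[submodule "libbar"]\n\tpath = libbar\r\n\turl = https://example.invalid/libbar.git\n'
)

if __name__ == "__main__":
    print("installed git patched:", installed_git_is_patched())
    for lineno, line in find_control_chars(SAMPLE_GITMODULES):
        print(f"control byte in .gitmodules line {lineno}: {line}")
```

Run `find_control_chars` over the `.gitmodules` of a freshly cloned repository before initialising submodules; any hit warrants manual review before `git submodule update`.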
 

Citrix NetScaler Memory Overflow Vulnerability (CVE-2025-7775)

A critical zero-day vulnerability in Citrix NetScaler ADC and NetScaler Gateway is being actively exploited by attackers. This memory overflow flaw allows unauthenticated remote code execution and denial of service attacks when the appliance is configured as a Gateway or AAA virtual server.
 
The vulnerability affects multiple configurations including VPN, ICA Proxy, AAA, and load balancing virtual servers. What's particularly alarming is that this is another in a series of critical NetScaler vulnerabilities (following CitrixBleed and CitrixBleed2) that have plagued healthcare organisations. The vulnerability requires no authentication, making it an attractive target for attackers seeking to gain initial access to healthcare networks.
 
Many NHS trusts and private healthcare providers use Citrix NetScaler for secure remote access to clinical systems, especially for staff working remotely or accessing systems from multiple locations within hospital networks.
 
Recommendations:
  • Immediately upgrade NetScaler firmware to fixed versions (14.1-47.48+, 13.1-59.22+, 13.1-FIPS/NDcPP 13.1-37.241+, 12.1-FIPS/NDcPP 12.1-55.330+)
  • Upgrade any End of Life versions (12.1 and 13.0) to supported releases immediately
  • Review NetScaler configuration to determine if your deployment is affected
  • Monitor NetScaler logs for suspicious activity or unauthorised access attempts
 

WhatsApp Patches Critical Zero-Click Vulnerability (CVE-2025-55177)

WhatsApp has addressed a critical security vulnerability that may have been exploited in sophisticated spyware attacks targeting specific individuals, including civil society members.
 
The flaw, CVE-2025-55177, relates to insufficient authorisation of linked device synchronisation messages and could allow an unrelated user to trigger processing of content from an arbitrary URL on a target's device. What makes this particularly dangerous is that it's a "zero-click" attack, requiring no user interaction whatsoever - no clicking links or opening messages. The vulnerability may have been chained with a recently disclosed Apple flaw (CVE-2025-43300) as part of advanced persistent threat campaigns. WhatsApp has notified fewer than 200 users who may have been targeted, and the company has recommended performing full device factory resets for those affected.
 
The attack appears to impact both iPhone and Android users, with early indications suggesting government spyware is being used against journalists and human rights defenders.
 
Recommendations:
  • Immediately update WhatsApp to the latest version on all iOS and macOS devices
  • Review and audit use of WhatsApp for clinical communications within your organisation
  • Consider implementing additional security controls for messaging platforms used in healthcare settings
  • Monitor for any suspicious activity or unexpected behaviour in messaging applications
 

University of Iowa Health Care Affiliate Suffers Significant Data Breach

UI Community HomeCare, an affiliate of University of Iowa Health Care, has disclosed a data breach affecting approximately 211,000 patients. On 3 July 2025, cybercriminals gained unauthorised access to the company's computer systems and were able to view and copy files containing patient information.
 
The organisation quickly shut down its servers and brought in cybersecurity experts, managing to restore systems within one business day. However, the investigation revealed that sensitive patient data, including names, dates of birth, medical record numbers, provider information, insurance details, and service dates, was compromised.
 
While the main UIHC electronic health record system wasn't affected, the breach highlights the risks posed by affiliate organisations and shared data files in healthcare networks.
 
Recommendations:
  • Review data sharing agreements and security requirements for all healthcare affiliates and partners
  • Implement network segmentation to limit the impact of affiliate breaches
  • Ensure incident response plans cover third-party and affiliate organisations
  • Conduct regular security assessments of all organisations with access to patient data

