Week 15, 2025
Apr 6 - 12
Trends
spending
There is a growing concern about the disparity between cybersecurity spending and actual defense effectiveness. Factors like tariffs potentially leading to recession could see organizations cutting cybersecurity budgets, further exposing vulnerabilities. An emphasis on reducing Mean Time to Remediate (MTTR) and prioritizing proactive defense strategies over compliance is needed. The healthcare sector's struggle with resource-intensive HIPAA cybersecurity rules exemplifies these challenges.
Follow-up source
design
The 'Secure by Design' approach is gaining traction, with experts optimistic about its progress in reducing vulnerabilities from the outset. Advocates are pushing for increased security awareness among developers, emphasizing early integration of security in the development process to enhance API resilience against common attacks.
Follow-up source
preparation
The proactive measures taken for the 2024 Paris Olympics underline the importance of advanced preparation in cybersecurity. With a focus on in-depth penetration testing, crisis management exercises, and collaborative efforts, the event sets a precedent for securing large-scale international events against potential cyber threats.
Follow-up source
spyware
As more nations sign the Code of Practice for States to curb the misuse of commercial spyware, questions regarding the implementation and enforcement of these measures remain. The US's withdrawal from this initiative highlights the complexity and the need for international consensus on handling spyware responsibly.
Follow-up source
genai
Xanthorox AI has introduced a modular Generative AI platform for offensive cyber operations, supporting a range of cybercriminal activities. This platform represents a concerning trend where advanced AI capabilities are being exploited for malicious purposes, posing significant threats to cybersecurity across sectors. Over time, both cybersecurity professionals and organizational processes may need to adapt to counter these evolving AI-driven threats.
Follow-up source
deferred
NIST is implementing a 'deferred' status for vulnerabilities published before 2018, indicating lower prioritization for updates in the National Vulnerability Database. This decision reflects an emerging pattern of focusing resources on current threats, potentially affecting how organizations manage older vulnerabilities. Security teams may need to adjust their vulnerability management strategies accordingly.
Follow-up source
https://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology
https://news.backbox.org/2025/04/07/nist-to-implement-deferred-status-to-dated-vulnerabilities/
china
Recent activities highlight a strategic pattern of China-linked groups targeting ethnic minorities and political entities with spyware and information operations. These campaigns aim to influence political views and disrupt elections. The ongoing efforts suggest a persistent threat to political stability and social harmony in targeted regions, affecting community leaders and political processes.
Follow-up source
rats
The emergence of advanced Remote Access Trojans (RATs) like Neptune and Triton, developed with sophisticated evasion and data theft capabilities, signifies a growing threat to cybersecurity. These RATs are being distributed through platforms like Telegram and YouTube, which may impact users and IT systems globally. The increasing sophistication of RATs suggests a need for enhanced detection and preventive measures in cybersecurity practices.
Follow-up source
https://onsitecomputing.net/2025/04/08/windows-hijacking-neptune-rat-telegram-youtube/
https://www.cadosecurity.com/blog/python-based-triton-rat-targeting-roblox-credentials
toddycat
The ToddyCat APT group has been exploiting vulnerabilities in ESET security software to deliver malware and gain administrative privileges on compromised systems. This activity highlights a trend of threat actors targeting security tools themselves to bypass defenses, posing a significant risk to businesses relying on these technologies.
Follow-up source
https://news.backbox.org/2025/04/07/toddycat-apt-targets-eset-bug-to-load-silent-malware/
https://thehackernews.com/2025/04/new-tcesb-malware-found-in-active.html
https://securityaffairs.com/176364/security/an-apt-group-exploited-eset-flaw-to-execute-malware.html
scatteredspider
Members of the Scattered Spider cybercriminal group, including a 20-year-old named 'King Bob', have pleaded guilty to charges related to phishing and SIM swapping attacks. These events underscore the ongoing threat posed by organized cybercriminal groups and the importance of monitoring and protecting against social engineering attacks and infrastructure vulnerabilities.
Follow-up source
https://www.onsitecomputing.net/2025/04/07/scattered-spider-king-bob-pleads-guilty-charges/
https://www.securityweek.com/suspected-scattered-spider-hacker-pleads-guilty/
breach
The US Office of the Comptroller of the Currency experienced a significant email system breach from May 2023 until early 2024, attributed to the Chinese hacking group Silk Typhoon. This breach highlights a trend of sophisticated, long-term cyber intrusions targeting sensitive financial regulatory information. Financial institutions and regulatory bodies may be increasingly targeted, emphasizing the need for enhanced cybersecurity measures and vigilance in administrative account access.
Follow-up source
cyberespionage
The Gamaredon group, linked to Russia, has been active in targeting Western military missions in Ukraine using infected drives. In parallel, the UAC-0226 group is deploying malware through phishing, highlighting an ongoing pattern of cyber-espionage in Eastern Europe. These activities suggest a persistent threat to military and governmental organizations, emphasizing the need for enhanced security measures and awareness against phishing and data breaches.
Follow-up source
https://devops-scanner.com/
apivulnerabilities
Recent discoveries of SQL injection vulnerabilities in Zabbix and Shopware APIs underscore a recurring issue in API security. Despite patches, vulnerabilities persist, highlighting the importance of following OWASP guidelines and implementing a secure-by-design approach. This indicates ongoing risks to data integrity and security across digital services, affecting developers and security teams.
Follow-up source
arrests
Europol's recent arrests linked to the SmokeLoader malware operation indicate continued law enforcement success in tracking and detaining cybercriminals. Following Operation Endgame, authorities leveraged seized data to link online activities to individuals. This highlights the effectiveness of international cooperation in combating cybercrime and the diminishing anonymity for cybercriminals.
Follow-up source
leadership
The politically-driven dismissal of high-ranking officials at the NSA and Cyber Command, prompted by far-right conspiracy influences, signals potential instability within these critical agencies. This could impact US national security and international relationships, highlighting vulnerabilities in leadership transitions under political pressure.
Follow-up source
privacy
The Trump administration's rollback of a Biden-era Executive Order concerning EU-US data privacy has created uncertainty in transatlantic data flows. This threatens the trust between the US and EU, impacting American tech companies reliant on stable data exchange frameworks and raising concerns over US intelligence practices.
Follow-up source
hosting
A data breach at Media Land, a bulletproof hosting provider, resulted in the exposure of sensitive information related to criminal service providers. The incident, potentially linked to the BlackBasta ransomware group, underscores the vulnerabilities within bulletproof hosting services and the broader implications for illegal online operations.
Follow-up source
https://gbhackers.com/threat-actor-leaks-data-from-major-bulletproof/
https://news.risky.biz/risky-bulletin-hackers-leak-data-from-major-bulletproof-hosting-provider/
encryption
Recent developments in the UK highlight a legal battle over encryption, with the Investigatory Powers Tribunal making public a case concerning the government's attempt to access encrypted data from Apple's iCloud services. The court's decision to dismiss the government's secrecy application underscores the ongoing tension between privacy rights and government surveillance capabilities. This indicates a growing public discourse and potential policy shifts around encryption, affecting tech companies, government agencies, and privacy advocates.
Follow-up source
ransomware
The Port of Seattle experienced a significant ransomware attack in August 2024, impacting 90,000 individuals' personal data, including sensitive identifiers such as Social Security numbers. This incident disrupted airport operations temporarily and highlights the persistent threat of ransomware attacks on critical infrastructure. Organizations should strengthen cybersecurity measures to protect against such attacks, which pose operational and reputational risks.
Follow-up source
credential
Australian superannuation funds have faced a spate of credential-stuffing attacks, resulting in substantial financial losses for some customers. Attackers used stolen passwords to gain unauthorized access to retirement accounts, emphasizing the vulnerability of password-based security systems. This points to the increasing sophistication of cybercriminals targeting financial services, urging institutions to implement stronger authentication measures and educate users on securing their accounts.
Follow-up source
https://www.infosecurity-magazine.com/news/aussie-pension-savers-hit/
https://www.lawfaremedia.org/article/maga's-nsa-purge-will-get-messy
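The credential-stuffing item above describes attackers replaying stolen passwords against many accounts. The following is an added example, not code from the funds or any vendor named on this page: a detection over a constructed authentication log. It keys on the signal that separates stuffing from a forgetful user, namely the number of distinct usernames attempted from one source address inside a short window. The log format, the addresses, the account names and the thresholds are all assumptions for the illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication events (assumed format):
# "<ISO-8601 UTC timestamp> <source IP> <username> <FAIL|SUCCESS>".
# Addresses come from documentation ranges; names are made up.
SAMPLE_AUTH_LOG = """\
2025-04-08T09:00:01Z 203.0.113.9 alice FAIL
2025-04-08T09:00:02Z 203.0.113.9 bob FAIL
2025-04-08T09:00:02Z 203.0.113.9 carol FAIL
2025-04-08T09:00:03Z 203.0.113.9 dave SUCCESS
2025-04-08T09:00:03Z 203.0.113.9 erin FAIL
2025-04-08T09:00:04Z 203.0.113.9 frank FAIL
2025-04-08T09:00:05Z 203.0.113.9 grace FAIL
2025-04-08T09:00:10Z 198.51.100.4 alice FAIL
2025-04-08T09:00:25Z 198.51.100.4 alice FAIL
2025-04-08T09:00:40Z 198.51.100.4 alice SUCCESS
"""


def parse_auth_log(text):
    """Yield (timestamp, source_ip, username, succeeded) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that attempt many *different* usernames within one window.

    A user who mistypes a password retries one account; a stuffing client walks a
    list of leaked username/password pairs, so the distinguishing signal is the
    number of distinct accounts tried from one source, not the raw failure count.
    The window and threshold are illustrative and need tuning per environment.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        in_window = deque()          # (timestamp, username) pairs currently inside the sliding window
        users_in_window = Counter()  # events per username still inside the window
        peak_distinct = 0
        for ts, _ip, user, _ok in evs:
            in_window.append((ts, user))
            users_in_window[user] += 1
            # Expire events older than the window; forget users with no remaining events.
            while ts - in_window[0][0] > window:
                _old_ts, old_user = in_window.popleft()
                users_in_window[old_user] -= 1
                if users_in_window[old_user] == 0:
                    del users_in_window[old_user]
            peak_distinct = max(peak_distinct, len(users_in_window))
        if peak_distinct >= min_users:
            findings[ip] = {
                "peak_distinct_users": peak_distinct,
                "attempts": len(evs),
                # Accounts the flagged source actually got into: candidates for a forced
                # password reset and an MFA step-up rather than a silent block.
                "successful_logins": sorted(u for _t, _i, u, ok in evs if ok),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, finding)
```

In the sample, 203.0.113.9 tries seven accounts in four seconds and is flagged with one successful login, while 198.51.100.4 retrying a single account three times is not. The successful login is the actionable output: the source can be rate-limited, but the account it reached needs a reset and stronger authentication.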
malware
North Korean threat actors are leveraging the ClickFix technique to spread malware, including GolangGhost and QakBot, via npm packages. This approach is part of the broader Contagious Interview campaign, which aims to infiltrate and compromise systems under the guise of fixing issues. The trend indicates a growing sophistication in malware distribution tactics, potentially affecting developers and IT departments using npm packages. Organizations must enhance scrutiny of third-party software and implement robust code validation processes.
Follow-up source
exploits
Recent reports highlight the prevalence of 'use-after-free' vulnerabilities in Microsoft products, specifically within Windows Common Log File System Driver and Windows LDAP. These vulnerabilities allow for local privilege escalation and remote code execution, respectively. This underscores the need for continuous monitoring and prompt patching of Microsoft systems to safeguard against evolving exploitation tactics.
Follow-up source
tiki
Tiki's wikiplugin_includetpl (PHP) has a critical vulnerability, present in versions prior to 28.3, in which mishandled input reaches an eval function. The flaw reflects a broader trend of input validation weaknesses in PHP-based applications, which can lead to arbitrary code execution. Continuous vigilance and regular updates are crucial for maintaining security in environments that utilize PHP and similar web technologies.
Follow-up source
prevalence
The trend of SQL Injection vulnerabilities continues to grow, with recent reports identifying multiple instances in WordPress plugins and other applications such as Martin Nguyen Next-Cart Store to WooCommerce Migration and click5 History Log. This pattern signals a persistent threat where improper input validation allows attackers to access sensitive data. Organizations using these technologies need to prioritize code audits and enhance their security protocols to protect against potential data exploitation attacks.
Follow-up source
exposure
A significant number of SQL Injection vulnerabilities have been identified in applications like SeaCMS and various WordPress plugins. This illustrates an ongoing issue with input validation across platforms, posing a continuous risk to data integrity and security. Companies leveraging these technologies should invest in regular vulnerability assessments and consider adopting more robust security frameworks to safeguard against these vulnerabilities.
Follow-up source
vulnerability
The closure of plugins like Salesmate Add-On for Gravity Forms due to SQL Injection vulnerabilities underscores a critical need for better security practices in plugin development. This highlights the importance of ongoing security evaluations and updates to prevent potential exploitation. Businesses relying on such plugins should monitor for updates and ensure their systems are safeguarded against similar vulnerabilities.
Follow-up source
wordpress
Recent reports highlight a concerning trend in WordPress plugin vulnerabilities, with multiple plugins, including tagDiv Composer, Simple WP Events, and WPQuads, facing severe security issues like SQL Injection, PHP Object Instantiation, and authentication bypasses. These vulnerabilities affect thousands of installations and pose significant risks of unauthorized access and data exploitation. Continuous monitoring and timely patching are essential for WordPress administrators to safeguard their systems against evolving threats.
Follow-up source
elevations
Recent vulnerabilities in Microsoft's Visual Studio Code and Visual Studio Tools for Applications (CVE-2025-20570, CVE-2025-29803) highlight a trend of privilege escalation risks in widely-used development tools. These issues, with moderate CVSS scores, could potentially impact developer environments and business operations if exploited. Continuous monitoring and timely updates are essential to mitigate potential threats.
Follow-up source
ivanti
The cyber espionage group UNC5221, linked to China, has been exploiting a now-patched flaw in Ivanti Connect Secure (CVE-2025-22457) to deliver malware. This reflects a broader trend of threat actors rapidly adapting to patches and targeting unpatched systems, highlighting the importance of timely updates and vulnerability management in cybersecurity strategies.
Follow-up source
ottokit
The rapid exploitation of a newly disclosed vulnerability (CVE-2025-3102) in the OttoKit plugin highlights a growing trend of threat actors quickly targeting publicly disclosed security flaws. This pattern suggests an increasing need for organizations to expedite their patch management processes to protect against zero-day exploits, especially in widely used platforms like WordPress.
Follow-up source
zendto
OS command injection vulnerabilities continue to recur; the latest affects ZendTo's lib/NSSDropoff.php and allows remote attackers to execute arbitrary commands. This pattern highlights the ongoing need for rigorous input validation and secure coding practices to prevent exploitation.
Follow-up source
Directives
oracle
Organizations using Oracle servers are advised to verify their infrastructure in light of a breach involving 'obsolete' servers. Oracle has confirmed the breach but stated it does not affect the Oracle Cloud Infrastructure. Customers should assess potential impacts and take steps to mitigate risks. The breach has led to legal actions and raises concerns over Oracle's legacy systems' security.
Follow-up source
clearance
The Trump administration has revoked security clearances of former CISA director Chris Krebs and his current colleagues at SentinelOne. This move, following an executive order, affects those who disagreed with the administration's stance on free speech and misinformation. The implications are significant for affected individuals and organizations like SentinelOne, potentially disrupting operations and drawing criticism from the cybersecurity community.
Follow-up source
https://onsitecomputing.net/2025/04/10/trump-doj-krebs-revokes-sentinelone-security-clearance/
https://therecord.media/trump-memo-chris-krebs-cisa-sentinelone
vulnerabilities
CISA has issued a warning about critical vulnerabilities in the CentreStack File-Sharing Platform and CrushFTP, listing them in the Known Exploited Vulnerabilities catalog. Managed service providers using these platforms should be vigilant, as the flaws could lead to remote code execution attacks, jeopardizing customer data and service integrity.
Follow-up source
patching
Microsoft has released a significant patch update addressing 126 security flaws in its software, including a zero-day exploited by ransomware groups. This update underscores the critical need for organizations using Microsoft products to promptly apply these patches to mitigate potential ransomware attacks. The directive is clear: businesses should ensure their systems are up-to-date to protect against active threats exploiting these vulnerabilities.
Follow-up source
https://www.bankinfosecurity.com/microsoft-warns-ransomware-actors-exploiting-windows-flaw-a-27960
https://www.cybersecuritydive.com/news/windows-clfs-zero-day-exploited-ransomware/744878/
gmail
Security experts advise that the new end-to-end encryption for Gmail is insufficient for protecting an organization's most sensitive data. Enterprises are cautioned not to rely solely on Gmail for secure communications and should consider more robust encryption solutions to safeguard critical information.
Follow-up source
fastflux
CISA and other international cybersecurity agencies have issued a warning about the ongoing use of the fast flux DNS technique by threat actors. This method is being leveraged to enhance the resilience of malware, command and control (C2) infrastructures, and phishing networks. Organizations are advised to be vigilant and consider this in their security monitoring strategies.
Follow-up source
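The fast flux item above says agencies want the technique reflected in monitoring strategies. The following is an added example, not code from CISA or any of the co-signing agencies: a scoring pass over a constructed passive-DNS style log that combines the three signals usually associated with fast flux (many distinct addresses for one name, short TTLs, and addresses spread across unrelated networks). The log format, the names, the addresses and the thresholds are assumptions for the illustration; the /16 prefix stands in for ASN lookups that a real pipeline would use.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed passive-DNS style observations (assumed format):
# "<epoch seconds> <queried name> <A record> <TTL seconds>".
# Names use the reserved .test TLD and addresses come from documentation and
# benchmark ranges; nothing here is a real indicator.
SAMPLE_DNS_LOG = """\
1744000000 cdn.example-legit.test 198.51.100.10 3600
1744000300 cdn.example-legit.test 198.51.100.10 3600
1744000600 cdn.example-legit.test 198.51.100.11 3600
1744000000 upd.flux-sample.test 203.0.113.5 60
1744000060 upd.flux-sample.test 192.0.2.77 60
1744000120 upd.flux-sample.test 203.0.113.200 45
1744000180 upd.flux-sample.test 198.18.4.9 60
1744000240 upd.flux-sample.test 192.0.2.130 30
1744000300 upd.flux-sample.test 198.19.77.3 60
"""


def parse_dns_log(text):
    """Yield (timestamp, name, ip_address, ttl) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, ip, ttl = line.split()
        yield int(ts), name.lower().rstrip("."), ipaddress.ip_address(ip), int(ttl)


def _coarse_prefix(ip):
    # Approximates "different networks" by /16 (IPv4) or /32 (IPv6) in the absence of ASN data.
    bits = 16 if ip.version == 4 else 32
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)


def fast_flux_report(observations, min_ips=5, max_median_ttl=300, min_prefixes=3):
    """Score each name on IP churn, TTL and network diversity; all three must trip to flag it."""
    per_name = defaultdict(lambda: {"ips": set(), "ttls": [], "prefixes": set()})
    for _ts, name, ip, ttl in observations:
        entry = per_name[name]
        entry["ips"].add(ip)
        entry["ttls"].append(ttl)
        entry["prefixes"].add(_coarse_prefix(ip))

    report = {}
    for name, entry in per_name.items():
        med_ttl = median(entry["ttls"])
        report[name] = {
            "distinct_ips": len(entry["ips"]),
            "median_ttl": med_ttl,
            "distinct_prefixes": len(entry["prefixes"]),
            # Any single signal alone matches plenty of legitimate CDNs; require all three.
            "fast_flux_candidate": (
                len(entry["ips"]) >= min_ips
                and med_ttl <= max_median_ttl
                and len(entry["prefixes"]) >= min_prefixes
            ),
        }
    return report


if __name__ == "__main__":
    for name, row in fast_flux_report(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(name, row)
```

Legitimate content delivery networks and round-robin load balancers also rotate addresses behind short TTLs, so a flag from this kind of scoring should open an investigation (who registered the name, what else resolves to those addresses) rather than trigger an automatic block.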
fortinet
Fortinet has released critical updates for FortiSwitch devices to address a vulnerability that allows unauthorized password changes. The company advises all users to update to the latest versions immediately. For those unable to update, Fortinet recommends disabling HTTP/HTTPS access from administrative interfaces and configuring trusted hosts to mitigate risks.
Follow-up source
https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity
https://thehackernews.com/2025/04/fortinet-urges-fortiswitch-upgrades-to.html
brute-force
Palo Alto Networks has issued warnings about a rise in brute-force login attempts targeting PAN-OS GlobalProtect gateways. This surge in suspicious login scanning activity highlights a significant threat to users relying on these gateways. Businesses using this technology should enhance monitoring and consider implementing multi-factor authentication to mitigate potential unauthorized access.
Follow-up source
https://securityaffairs.com/176446/hacking/brute-force-login-attempts-on-pan-os-globalprotect.html
https://thehackernews.com/2025/04/palo-alto-networks-warns-of-brute-force.html
patches
Multiple vendors, including Adobe, Ivanti, and VMware, have released critical security patches addressing vulnerabilities across various products such as ColdFusion, Endpoint Manager, and Tanzu Greenplum. Organizations using these technologies should prioritize applying these updates to prevent potential exploitation, ensuring system security and protecting digital assets.
Follow-up source
spam
SentinelOne's SentinelLABS observed a spam campaign using OpenAI's gpt-4o-mini model, targeting SMB websites through contact forms and chat widgets. The campaign employs the AkiraBot framework for automation. OpenAI has disabled the involved API key and SentinelLABS advises using indicators of compromise for protection. Businesses should monitor and block these domains to avoid disruption.
Follow-up source
ransomware
On April 6, 2025, Sensata Technologies disclosed a ransomware incident affecting their operations, including shipping and manufacturing. The company proactively took its network offline and implemented containment measures with third-party assistance. Sensata will notify individuals and authorities post-investigation. Businesses must ensure robust response protocols and incident management strategies to minimize operational disruption.
Follow-up source
scams
Australia's financial regulator took decisive action by shutting down and deregistering 95 companies linked to online investment and romance scams. These entities were providing credibility to scamming apps and websites. This move aims to protect consumers and maintain the integrity of financial systems.
Follow-up source
https://www.cfr.gov.au/
deepfake
In a series of arrests, Spanish authorities detained six individuals involved in a cryptocurrency investment scam that defrauded victims of over €19 million. The suspects used AI tools to create deepfake endorsements featuring Spanish celebrities, promoting fraudulent investment opportunities. The use of advanced AI techniques in scams highlights the need for businesses and users to be vigilant against increasingly sophisticated social engineering tactics, which could have significant financial implications.
Follow-up source
breach
On December 7, 2024, WK Kellogg experienced a data breach due to unauthorized access to servers hosted by Cleo, which was only discovered on February 27, 2025. The breach was linked to the Clop ransomware group and involved sensitive employee data. WK Kellogg has since taken measures to ensure vendor compliance with security standards. This breach underscores the importance of vendor security and timely breach detection for businesses reliant on third-party services.
Follow-up source
vulnerability
A vulnerability in Verizon's Call Filter app could have exposed call records of millions of users due to inadequate server-side verification. Discovered by a security researcher, this flaw highlights the potential risks in mobile applications that handle sensitive data. Verizon must address these issues to protect user privacy and prevent unauthorized data access, emphasizing the need for rigorous testing and validation in app development.
Follow-up source
critical
Cisco has identified a critical vulnerability (CVE-2024-20439) in its Smart Licensing Utility with a severity rating of 9.8. Organizations using this utility should immediately apply the vendor's recommended mitigations or consider discontinuing use if mitigations are unavailable. This serves as an urgent reminder for businesses to stay updated on security patches and to act quickly to protect against severe vulnerabilities.
Follow-up source
quickshell
Google has addressed vulnerabilities CVE-2024-38272 and CVE-2024-38271, part of the 'QuickShell' attack chain affecting Windows users via Google Quick Share. The patches aim to prevent zero-click file transfers that could allow remote code execution. Businesses using Windows should apply these patches immediately to protect against potential exploitation.
Follow-up source
nvidia
An incomplete patch for CVE-2024-0132 in the NVIDIA Container Toolkit leaves systems vulnerable to container escapes, risking sensitive data exposure. Organizations utilizing NVIDIA Container Toolkit should stay alert for further updates and apply available security patches promptly to mitigate potential data breaches.
Follow-up source
whatsapp
Meta has issued a security advisory for CVE-2025-30401, a spoofing vulnerability in WhatsApp Desktop for Windows, resolved in version 2.2450.6. This flaw allowed arbitrary code execution via malicious attachments. Users and businesses should update to the latest version to prevent exploitation.
Follow-up source
kev
CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including flaws in Gladinet CentreStack, Microsoft Windows Common Log File System, CrushFTP, and the Linux kernel. Organizations should prioritize mitigation efforts by the specified due dates to protect against these actively exploited vulnerabilities.
Follow-up source
patching
Microsoft has released fixes for over 120 security vulnerabilities, including eleven deemed critical such as a zero-day vulnerability in the Windows Common Log File System (CLFS) Driver, which can lead to local privilege elevation. Organizations utilizing Windows systems must prioritize applying these patches to mitigate potential exploitation risks.
Follow-up source
vulnerability
A critical vulnerability (CVE-2025-22457) has been identified in Ivanti Connect Secure products, allowing remote code execution by unauthenticated attackers. Given its high CVSS score of 9.0, businesses using these products are urged to apply security patches immediately to prevent potential breaches.
Follow-up source
vulnerabilities
Two critical vulnerabilities, CVE-2025-27480 and CVE-2025-27482, have been identified in Microsoft Remote Desktop Gateway Service, both allowing unauthorized attackers to execute code remotely. These vulnerabilities were reported in quick succession and affect businesses using this Microsoft service. Immediate patching is essential to prevent potential unauthorized access and code execution across networks, which could lead to extensive data breaches and operational disruptions.
Follow-up source
escalation
CVE-2023-40714 presents a privilege escalation flaw in Fortinet FortiSIEM versions 6.5.0 through 7.0.0, allowing attackers to manipulate GUI elements. This vulnerability poses a severe risk (CVSS score 9.9) to organizations using FortiSIEM. It is crucial for IT teams to apply patches and review user privileges to mitigate unauthorized access and potential data compromise.
Follow-up source
switch
A critical vulnerability, CVE-2024-48887, in Fortinet FortiSwitch's GUI allows unauthenticated remote password changes, posing a high-risk threat (CVSS score 9.8). Organizations using FortiSwitch must urgently address this security flaw to avoid unauthorized access and potential network compromise, focusing on immediate patch deployment and strengthening password policies.
Follow-up source
evaluation
CVE-2025-2945 in pgAdmin 4 signifies a critical remote code execution risk due to unsafe parameter handling in the Python eval() function. Affecting Query Tool and Cloud Deployment modules, this vulnerability necessitates urgent attention from organizations using pgAdmin 4 to prevent unauthorized code execution and potential system takeovers. Immediate mitigation should include patching and code review.
Follow-up source
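Both the Tiki item in the Trends section and the pgAdmin 4 item above come down to the same defect: caller-controlled text handed to an eval function. The following is an added example, not pgAdmin or Tiki code, written in Python because pgAdmin 4 is a Python application: a parameter parser built on eval() beside one built on ast.literal_eval(), which materialises only constants and container literals and rejects names, attribute access and calls. The length cap and the expected-type check are assumptions for the illustration.

```python
import ast
from typing import Any

# Assumed limit for this illustration; it stops literal_eval from parsing enormous inputs.
MAX_PARAM_LEN = 4096


def parse_param_unsafe(raw: str) -> Any:
    """Vulnerable pattern: eval() compiles and runs whatever expression the caller supplies.

    A value meant to be a number or a list is indistinguishable from a function
    call or an attribute lookup, so the caller decides what code runs.
    """
    return eval(raw)  # deliberately unsafe; kept only to show the contrast


def parse_param_safe(raw: str, expected_type: type = object) -> Any:
    """Hardened pattern: accept Python *literals* only, then check the resulting type.

    ast.literal_eval parses the text but evaluates nothing: it walks the syntax
    tree and builds constants, tuples, lists, dicts and sets, raising for any
    other node kind (names, calls, attributes, operators).
    """
    if len(raw) > MAX_PARAM_LEN:
        raise ValueError("parameter too long")
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"parameter is not a plain literal: {raw!r}") from exc
    if not isinstance(value, expected_type):
        raise ValueError(f"expected {expected_type.__name__}, got {type(value).__name__}")
    return value


if __name__ == "__main__":
    print(parse_param_safe("[1, 2, 3]", list))   # a literal: accepted
    try:
        parse_param_safe("len('abc')", int)      # an expression: rejected
    except ValueError as err:
        print("rejected:", err)
```

Where a parameter is genuinely a number or an identifier, a direct int() conversion or an allow-list regex is simpler still; literal_eval is the right tool only when nested literals (lists of options, small mappings) must be accepted.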
netwrix
Two critical command injection vulnerabilities, CVE-2025-26817 and CVE-2025-26818, have been identified in Netwrix Password Secure. The vulnerabilities have a CVSS score of 9.8, indicating a high severity level. Organizations using Netwrix Password Secure are advised to review the advisories and apply available patches immediately to mitigate potential exploitation risks.
Follow-up source
tenda
A buffer overflow vulnerability, CVE-2025-29462, has been discovered in Tenda Ac15 routers, specifically in the webCgiGetUploadFile function. With a CVSS score of 9.8, this flaw allows attackers to execute arbitrary code remotely. It is vital for businesses using these routers to apply security updates from Tenda to protect their networks.
Follow-up source
edimax
A command injection vulnerability, CVE-2025-28146, affecting Edimax AC1200 Wave 2 Dual-Band Gigabit Routers has been reported. The vulnerability has a CVSS score of 9.8, denoting critical risk. Users are strongly encouraged to implement patches provided by Edimax to prevent unauthorized access to network resources.
Follow-up source
mediatek
A critical remote code execution vulnerability, CVE-2025-20654, has been found in MediaTek's WLAN service, with a CVSS score of 9.8. The vulnerability allows exploitation without user interaction. It is crucial for users and businesses relying on this service to apply the latest security patches to safeguard their systems.
Follow-up source
isherlock
Multiple OS Command Injection vulnerabilities (CVE-2025-3361, CVE-2025-3362, CVE-2025-3363) have been identified in HGiga's iSherlock product, allowing remote attackers to execute arbitrary commands. The vulnerabilities pose a significant risk to businesses using this technology, with a CVSS score of 9.8. Affected organizations should urgently apply recommended patches and security measures to mitigate potential breaches.
Follow-up source
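The ZendTo item in the Trends section and the Netwrix, Edimax and iSherlock items above are all OS command injection, the class in which user-controlled text is spliced into a command line that a shell then parses. The following is an added example, not code from any of those products: the injectable pattern beside a hardened version that allow-lists the input, pins the path under a fixed directory and hands an argv list to the program so that no shell ever sees the value. The drop-off directory, the scanner command and the filename rule are assumptions for the illustration.

```python
import os
import re
import subprocess
import sys

# Assumed drop-off location and scanner for this illustration; real products configure their own.
DROPOFF_DIR = "/var/dropoff"
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def scan_command_unsafe(filename: str) -> str:
    """Vulnerable pattern: build a single string and pass it to a shell.

    Returns the string rather than running it. Any shell metacharacter in
    `filename` (';', '|', '$(...)', backticks) is parsed by the shell as command
    syntax, which is the whole OS command injection class.
    """
    return f"clamscan --no-summary {DROPOFF_DIR}/{filename}"


def scan_argv_safe(filename: str, base_dir: str = DROPOFF_DIR) -> list:
    """Hardened pattern: allow-list the name, pin the path, never involve a shell."""
    if not SAFE_NAME.match(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, filename))
    if os.path.dirname(path) != base:  # containment check on top of the allow-list
        raise ValueError("path resolves outside the drop-off directory")
    # "--" ends option parsing so a name can never be read as a flag.
    return ["clamscan", "--no-summary", "--", path]


def run_argv(argv: list) -> subprocess.CompletedProcess:
    """Execute an argv list directly (shell=False): each element reaches the program verbatim."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


def demo_metacharacters_are_inert() -> str:
    """Show that an argv element containing ';' arrives at the child as literal text.

    Uses the running interpreter as the child so the demonstration works offline.
    """
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", "report.pdf; echo injected"]
    return run_argv(argv).stdout.strip()


if __name__ == "__main__":
    print(scan_argv_safe("report.pdf"))
    print(repr(demo_metacharacters_are_inert()))
```

If a shell is truly unavoidable (a command built from a pipeline, for instance), shlex.quote() on each user-supplied piece neutralises metacharacters, but it is a second-best choice: the argv form removes the shell, and with it the parsing step, entirely.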
s4hana
A critical backdoor vulnerability (CVE-2025-27429) in SAP S/4HANA allows attackers with user privileges to inject arbitrary ABAP code, severely impacting system integrity and confidentiality. Organizations using SAP S/4HANA should prioritize applying relevant patches and tightening user access controls to prevent exploitation.
Follow-up source
consolidation
SAP Financial Consolidation is vulnerable to unauthorized access (CVE-2025-30016) due to insecure authentication practices. This flaw threatens the confidentiality, integrity, and availability of affected systems. Businesses should immediately implement stronger authentication protocols and apply SAP's security updates.
Follow-up source
transformation
A vulnerability (CVE-2025-31330) in SAP Landscape Transformation (SLT) permits arbitrary ABAP code injection, allowing attackers to bypass authorization checks and compromise the system. Organizations should apply the latest security patches and review authorization protocols to safeguard their systems.
Follow-up source
sentron
In recent security advisories, multiple critical vulnerabilities have been identified in Siemens SENTRON 7KT PAC1260 Data Manager, including remote code execution and hardcoded credentials. All versions are affected, with CVSS scores up to 10.0, indicating severe risk. Organizations using these systems should prioritize applying available patches and follow Siemens' security guidance to mitigate potential unauthorized access and control over affected devices.
Follow-up source
edge
A critical vulnerability has been discovered in Siemens Industrial Edge Device Kits and related devices, allowing unauthorized user impersonation due to weak authentication mechanisms during identity federation. With a CVSS score of 9.8, this flaw poses a significant risk of unauthorized access. Businesses utilizing these devices should immediately implement stronger authentication protocols and apply Siemens' recommended security updates to protect against potential exploitation.
Follow-up source
coldfusion
Adobe ColdFusion versions 2023.12, 2021.18, and 2025.0 and earlier are subject to multiple high-severity vulnerabilities, including improper input validation and authentication flaws. These vulnerabilities could allow arbitrary code execution with user interaction, posing a risk to sensitive data integrity. Organizations utilizing ColdFusion should urgently apply Adobe's security patches and review their access control settings to ensure robust protection against these vulnerabilities.
Follow-up source
https://www.wiz.io/vulnerability-database/cve/cve-2025-24447
https://www.wiz.io/vulnerability-database/cve/cve-2025-30282
mitigation
Recent discoveries highlight severe SQL Injection vulnerabilities across various WordPress plugins and applications including JS Help Desk, OpenEMR, and PostMash, all with CVSS scores exceeding 9.0. These vulnerabilities allow attackers to manipulate SQL commands, potentially leading to data breaches. Affected businesses, particularly those using JoomSky, OpenEMR, and WordPress plugins like XV Random Quotes and ShopperDotCom Shopper, should immediately apply available security patches or implement protective measures to mitigate potential exploits.
Follow-up source
woocommerce
The Advanced WooCommerce Product Sales Reporting plugin for WordPress has a critical SQL Injection vulnerability (CVE-2025-31553). This affects all versions up to 3.1 and impacts over 400 active installations. Organizations using this plugin should prioritize patching or seek alternative solutions to protect data integrity and prevent potential data breaches.
Follow-up source
autokeyword
The WP AutoKeyword plugin for WordPress is vulnerable to SQL Injection (CVE-2025-31579), affecting all versions up to 1.0. With over 400 active installations, this flaw presents a significant risk to data security. Users are advised to update the plugin immediately or disable it if updates are not available.
Follow-up source
cbxpoll
A critical vulnerability (CVE-2025-31612) in the CBX Poll plugin for WordPress allows PHP Object Injection through deserialization of untrusted data, affecting versions up to 1.2.7. Users of this plugin should urgently update to a secure version to mitigate potential security breaches.
Follow-up source
escalation
A critical vulnerability (CVE-2024-51800) in Favethemes Homey theme for WordPress allows privilege escalation, affecting installations up to version 2.4.1. This high-severity issue, with a CVSS score of 9.8, demands immediate attention to patch and secure active installations to prevent unauthorized access and control.
Follow-up source
patches
Microsoft, Fortinet, Ivanti, and VMware have released patches for multiple vulnerabilities, including an actively exploited zero-day flaw (CVE-2025-29824). Fortinet's critical vulnerability in the FortiSwitch GUI (CVE-2024-48887) and Ivanti's Endpoint Manager vulnerabilities highlight the need for immediate patching to secure systems against unauthorized access. Businesses should prioritize these updates to mitigate the associated risks.
Follow-up source
winrar
Japan's Computer Security Incident Response Team and WinRAR developers have issued a security advisory for a vulnerability (CVE-2025-31334) allowing arbitrary code execution via symbolic link bypass in WinRAR. Exploited by threat actors, the flaw affects versions before 7.11 and has been fixed in version 7.10. Users are advised to update immediately to prevent potential exploitation.
Follow-up source
android
Google has released security patches for 62 Android vulnerabilities, including two zero-day exploits affecting the Linux kernel (CVE-2024-53197 and CVE-2024-53150). These vulnerabilities, which involve privilege escalation and information disclosure, were actively exploited. Organizations using Android devices should apply these updates promptly to mitigate risks of targeted attacks.
Follow-up source
crushftp
The US CISA has issued a directive regarding a critical vulnerability (CVE-2025-31161) in the CrushFTP file transfer service. This flaw allows for authentication bypass and account takeover of the crushadmin account. Federal agencies are mandated to patch this vulnerability by April 28th to secure their systems.
Follow-up source
exploitation
A high-severity security hole in the OttoKit WordPress plugin, tracked as CVE-2025-3102, has been actively exploited soon after its public disclosure. This affects websites using the WordPress plugin, with hackers bypassing authentication mechanisms. Businesses utilizing OttoKit or SureTriggers should promptly update or apply patches to prevent unauthorized access.
Follow-up source
crushftp
CVE-2025-31161 exposes CrushFTP versions 10 and 11 to authentication bypass vulnerabilities, allowing takeover of the crushadmin account due to a race condition in the AWS4-HMAC authorization method. Organizations using these versions should ensure a DMZ proxy is in use or apply the necessary updates to secure their FTP servers from potential exploitation.
Follow-up source
pexip
A critical flaw (CVE-2024-38392) in Pexip Infinity Connect versions before 1.13.0 allows remote code execution by bypassing authenticity checks. Organizations using this product should upgrade to version 1.13.0 or later to mitigate the risk of unauthorized code execution.
Follow-up source
commandinjection
The BL-AC2100 V1.0.4 router is affected by critical command injection vulnerabilities (CVE-2025-29062 and CVE-2025-29063), with a CVSS score of 9.8. Users of this device are at risk of unauthorized remote command execution, which can compromise network security. Businesses using these routers should immediately apply patches or mitigate the risk by disabling the vulnerable features.
Follow-up source
sqlinjection
A severe SQL injection vulnerability (CVE-2025-29085) has been identified in vipshop Saturn v.3.5.1, allowing remote attackers to execute arbitrary code via the /console/dashboard/executorCount?zkClusterKey component. With a critical CVSS score of 9.8, administrators should urgently apply security updates to prevent potential exploitation.
Follow-up source
xss
pgAdmin versions up to 9.1 are vulnerable to Cross-Site Scripting (XSS) attacks (CVE-2025-2946), where attackers can execute arbitrary HTML/JavaScript in a user's browser. This vulnerability poses a significant threat to pgAdmin users, and upgrading to a secure version is strongly advised to prevent data breaches.
Follow-up source
remotecodeexecution
TOTOLINK x18 v.9.1.0cu.2024_B20220329 is exposed to a critical remote code execution vulnerability (CVE-2025-29064) in the sub_410E54 function of cstecgi.cgi, with a CVSS score of 9.8. Immediate patching or disabling of the vulnerable components is advised to thwart potential attacks.
Follow-up source
bentoml
A critical Remote Code Execution (RCE) vulnerability has been identified in BentoML due to insecure deserialization, affecting versions prior to 1.4.3. Users are advised to update to the latest version immediately to prevent unauthenticated users from executing arbitrary code on their servers.
Follow-up source
aiven-extras
A vulnerability in aiven-extras can lead to privilege escalation in PostgreSQL databases. This issue arises from the format function not being schema-prefixed. Users should update to version 1.1.16 and execute "ALTER EXTENSION aiven_extras UPDATE TO '1.1.16'" in each affected database to mitigate this risk.
Follow-up source
langflow
Langflow versions before 1.3.0 are vulnerable to remote code execution via the /api/v1/validate/code endpoint. It is imperative for users to update to version 1.3.0 or later to secure their systems against potential exploitation by remote attackers.
Follow-up source
ruoyi
Multiple privilege escalation vulnerabilities have been identified in RUoYi v.4.8.0, with CVE identifiers ranging from CVE-2025-28402 to CVE-2025-28413. These vulnerabilities, documented in NVD, have a high CVSS score of 9.8, indicating critical risks that could allow unauthorized access and control. Businesses using RUoYi should urgently apply security patches and review access controls to mitigate these risks.
Follow-up source
sqlite
A critical integer overflow vulnerability (CVE-2025-29087) has been discovered in SQLite 3.49.0 via the concat function, with a CVSS score of 9.8. Organizations utilizing this version should prioritize immediate patching to prevent potential exploitation that could result in severe data corruption or unauthorized access.
Follow-up source
hax
HAX CMS PHP has a file upload vulnerability due to incomplete denylist implementation, identified as CVE-2025-32028 with a CVSS score of 9.9. This 'fail open' scenario poses a significant security threat. Users of HAX CMS PHP should update their systems and ensure robust file validation measures are in place to prevent unauthorized uploads.
Follow-up source
woocommerce
The Multiple Shipping And Billing Address For Woocommerce plugin has a critical vulnerability (CVE-2025-31087) allowing object injection through deserialization of untrusted data. With a CVSS score of 9.8, this affects over 200 installations. Users should update to the latest version and review security configurations to prevent exploitation.
Follow-up source