Code Defence Cyber security

Monthly Threat Intelligence Report: October 2025 Edition

Top Incident/Vulnerability

  1. Actively Exploited Microsoft Exchange Zero-Day (CVE-2025-4421)
    A critical zero-day vulnerability in Microsoft Exchange Server was disclosed and actively exploited in targeted attacks. The server-side request forgery (SSRF) flaw allowed unauthenticated attackers to bypass authentication and access user mailboxes, leading to significant data theft from on-premises environments.

Business Impact
This vulnerability enabled widespread espionage and data exfiltration from unpatched on-prem Exchange servers, compromising sensitive emails, calendars, and contacts without the attacker needing credentials. It posed an immediate and critical risk to every organization still managing its own Exchange servers.

Why It Happened
The vulnerability existed in how Exchange processed specific web requests, allowing attackers to trick the server into making unauthorized internal requests and accessing restricted resources, such as user mailboxes.

Recommended Executive Action
Treat this as an ongoing emergency. Mandate that all Exchange servers have the out-of-band patches applied. Direct the SOC to use Microsoft’s IoCs to hunt for any signs of pre-patch compromise. Re-evaluate the risk and accelerate plans for migrating to Microsoft 365.


  2. Actively Exploited Atlassian Confluence RCE (CVE-2025-9115)
    A critical unauthenticated remote code execution (RCE) vulnerability was discovered in Confluence Data Center and Server. The flaw was immediately added to CISA’s KEV catalog, confirming it was being actively exploited in the wild to take over servers.

Business Impact
Confluence servers are the “crown jewels” for intellectual property, storing project plans, internal wikis, and system documentation. A full server takeover allows attackers to steal all this data, deploy ransomware, or pivot deep into the corporate network.

Why It Happened
The flaw in Confluence’s web framework allowed unauthenticated attackers to bypass security checks and execute arbitrary code on the server, making it a high-value, easy target.

Recommended Executive Action
Ensure that all Confluence instances, especially internet-facing ones, have been patched immediately. Order a compromise assessment to search for signs of exploitation, as patching only stops future attacks, not existing ones.


Cloud Security & DevOps

  1. Critical Kubernetes Zero-Day (CVE-2025-9988)
    A critical zero-day vulnerability was found in the Kubernetes API server’s authentication module, allowing unauthenticated attackers to gain administrative access to entire clusters. The flaw was confirmed to be under active exploitation.

Business Impact
This was a catastrophic flaw for cloud-native environments. A cluster takeover grants attackers full access to all applications, data, and secrets within that cluster, enabling service disruption, massive data theft, and potential “escape” to the underlying cloud infrastructure.

Why It Happened
A complex logic error in how the API server validated certain authentication tokens allowed a malicious actor to craft a token that bypassed all legitimate security checks, granting them admin privileges.

Recommended Executive Action
Mandate that all DevOps and platform teams apply the emergency Kubernetes patches. Implement enhanced monitoring for unusual Kubernetes API activity and review access logs for signs of compromise prior to the patch.
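The "enhanced monitoring for unusual Kubernetes API activity" recommended above is concrete enough to show in code. The following is an added example written for this edition, not code from the report or from the Kubernetes project: it triages API-server audit log lines (assumed to be one JSON object per line in the audit.k8s.io/v1 Event shape) for the two signals an authentication-bypass compromise leaves behind: an unauthenticated principal whose request succeeded, and RBAC changes by a principal that is not expected to manage RBAC. The allow-list of RBAC administrators, the sample events, and the severity labels are constructed assumptions to adapt to your own cluster.

```python
"""Triage Kubernetes API-server audit logs for signs of authentication bypass.

Added example (not from the report). Assumed input: audit.k8s.io/v1 Event
objects, one per line. RBAC_ADMINS and the sample lines are constructed.
"""
import json
from collections import Counter
from typing import Iterable, Optional, Tuple

# Paths unauthenticated clients may legitimately hit (probes, version checks)
PUBLIC_READ_PATHS = {"/healthz", "/livez", "/readyz", "/version"}
# Verbs that change cluster state; success by an anonymous principal is critical
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Resources whose modification grants or escalates privilege
PRIVILEGE_RESOURCES = {"clusterrolebindings", "clusterroles", "rolebindings", "roles"}
# Principals expected to manage RBAC (assumption: replace with your own list)
RBAC_ADMINS = {"admin@example.test", "system:serviceaccount:kube-system:cluster-autoscaler"}


def parse_events(lines: Iterable[str]):
    """Yield completed audit events, skipping corrupt lines instead of aborting."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        # Only score ResponseComplete events: earlier stages carry no outcome yet
        if ev.get("stage") == "ResponseComplete":
            yield ev


def classify(ev: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious event, or None if benign."""
    user = ev.get("user", {})
    username = user.get("username", "")
    groups = set(user.get("groups", []))
    verb = ev.get("verb", "")
    code = ev.get("responseStatus", {}).get("code", 0)
    uri = ev.get("requestURI", "")
    resource = ev.get("objectRef", {}).get("resource", "")
    anonymous = username == "system:anonymous" or "system:unauthenticated" in groups
    succeeded = 200 <= code < 300

    # Signal 1: an unauthenticated request succeeded outside the probe endpoints.
    # A 403 here is normal; a 2xx means authn/authz did not hold.
    if anonymous and succeeded and uri not in PUBLIC_READ_PATHS:
        sev = "critical" if verb in MUTATING_VERBS else "high"
        return sev, f"unauthenticated principal succeeded: {verb} {uri}"
    # Signal 2: RBAC objects changed by someone outside the expected admin set.
    if verb in MUTATING_VERBS and resource in PRIVILEGE_RESOURCES and succeeded \
            and username not in RBAC_ADMINS:
        return "high", f"RBAC change by unexpected principal {username}: {verb} {resource}"
    return None


def triage(lines: Iterable[str]) -> list:
    findings = []
    for ev in parse_events(lines):
        result = classify(ev)
        if result:
            sev, reason = result
            findings.append({
                "auditID": ev.get("auditID"),
                "severity": sev,
                "user": ev.get("user", {}).get("username"),
                "sourceIPs": ev.get("sourceIPs", []),
                "reason": reason,
            })
    return findings


def severity_counts(findings: list) -> Counter:
    return Counter(f["severity"] for f in findings)


def _sample(audit_id, username, groups, verb, uri, resource, code,
            stage="ResponseComplete", ip="10.244.1.9"):
    """Build one constructed audit line in the audit.k8s.io/v1 Event shape."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
        "stage": stage, "requestURI": uri, "verb": verb,
        "user": {"username": username, "groups": groups}, "sourceIPs": [ip],
        "objectRef": {"resource": resource} if resource else {},
        "responseStatus": {"code": code},
    })


# Constructed sample log: probes, a denied anonymous read, a successful
# anonymous read and RBAC write, a legitimate admin RBAC write, and a
# developer editing cluster-admin. The last two lines are skipped by the parser.
ANON = ["system:unauthenticated"]
RBAC = "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings"
SAMPLE_AUDIT_LOG = [
    _sample("a1", "system:anonymous", ANON, "get", "/healthz", "", 200),
    _sample("a2", "system:anonymous", ANON, "list", "/api/v1/namespaces/kube-system/secrets", "secrets", 403),
    _sample("a3", "system:anonymous", ANON, "list", "/api/v1/namespaces/kube-system/secrets", "secrets", 200, ip="198.51.100.23"),
    _sample("a4", "system:anonymous", ANON, "create", RBAC, "clusterrolebindings", 201, ip="198.51.100.23"),
    _sample("a5", "admin@example.test", ["system:authenticated"], "create", RBAC, "clusterrolebindings", 201),
    _sample("a6", "dev@example.test", ["system:authenticated"], "patch", RBAC + "/cluster-admin", "clusterrolebindings", 200),
    _sample("a7", "system:anonymous", ANON, "create", "/api/v1/namespaces/default/pods", "pods", 201, stage="RequestReceived"),
    "not json",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f["severity"], f["auditID"], f["user"], f["sourceIPs"], f["reason"])
```

Run against the sample, the triage reports a3 (high), a4 (critical) and a6 (high) and nothing else; the denied anonymous read (a2) and the admin's own RBAC change (a5) are correctly ignored. The same logic applied to the window before the patch was installed is the "review access logs for signs of compromise" step: a single anonymous 2xx on anything but a probe path is worth an incident, because it should be impossible on a healthy API server.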


AI/ML in Cybersecurity

  1. AI-Powered Social Engineering Now the #1 Cyber Threat
    A landmark report from ISACA this month revealed that, for the first time, IT and cybersecurity professionals now consider AI-powered social engineering (deepfakes, advanced phishing) to be the leading cybersecurity threat, ranking it higher than ransomware.

Business Impact
This marks a fundamental shift in the threat landscape. Attackers are using AI to create highly convincing deepfake audio/video and personalized phishing lures at a scale and quality that bypasses traditional employee training and security filters, increasing the success rate of fraud and data theft.

Why It Happened
The accessibility and power of generative AI have democratized sophisticated social engineering, which was previously a time-consuming, manual process. This leads to more effective and believable attacks.

Recommended Executive Action
Invest in AI-powered defensive tools that analyze the behavior and context of a request, not just its content. Reinforce a “zero trust verification” culture, mandating that all sensitive requests (especially wire transfers) be verified through a separate, secure channel.


  2. Real-World AI Deepfake Voice Fraud Leads to Major Financial Loss
    Multiple reports this month confirmed large-scale financial fraud committed using AI. In one high-profile case, attackers used a real-time voice deepfake of a CEO to instruct the finance department to make an “emergency” wire transfer, leading to a multi-million dollar loss.

Business Impact
This attack proves that AI voice cloning is no longer theoretical. It effectively bypasses voice verification as a security control, exposing organizations to a new, highly effective vector for financial fraud that preys on an employee’s trust in executive authority.

Why It Happened
Attackers used publicly available audio of the executive (from interviews, earnings calls) to train an AI model. This, combined with social engineering (urgency, secrecy), was enough to bypass financial controls.

Recommended Executive Action
Update all financial transaction policies. Mandate multi-channel verification (e.g., a video call with a pre-agreed “safe word” or an SMS from a registered device) for any urgent or non-standard payment request, regardless of who it appears to come from.


Ransomware & Major Data Breaches

  1. Conduent 10.5M Record Data Breach
    The business services giant Conduent disclosed a massive data breach affecting over 10.5 million individuals, exposing sensitive data including Social Security numbers, medical information, and health insurance details. The breach was claimed by the SafePay ransomware gang.

Business Impact
This is a catastrophic breach involving highly sensitive PII and PHI. The long dwell time (reportedly starting in Oct 2024) is a significant failure, leading to massive data exfiltration (8.5TB claimed) and exposing the company to severe regulatory fines and lawsuits.

Why It Happened
The long dwell time before detection suggests a failure in security monitoring and threat detection, allowing attackers months to map the network and exfiltrate data before finally deploying ransomware.

Recommended Executive Action
Review your organization’s security monitoring and log retention policies. Ensure your SOC or MSSP has the capability to detect lateral movement and data exfiltration, not just the final encryption phase of an attack.
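The action above asks the SOC to detect the two phases that precede encryption: lateral movement and bulk exfiltration. The following is an added example, written for this edition rather than taken from the report or from any vendor's product, showing the minimum logic behind each. It reads a constructed key=value flow-record format (timestamp, src, dst, dport, bytes_out), which you would map onto your own firewall or NetFlow export; the internal address ranges, admin-port list, fan-out limit, volume floor and baseline multiplier are all assumptions to tune per environment.

```python
"""Pre-encryption detections: internal fan-out on admin ports (lateral movement)
and outbound volume far above a host's own baseline (exfiltration).

Added example (not from the report). Flow-record format, sample lines and
thresholds are constructed; map the fields from your own export.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)
# Assumption: the organization's internal space is RFC 1918 (not is_private,
# which would also treat documentation ranges such as 198.51.100.0/24 as internal)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
LATERAL_PORTS = {445, 3389, 5985, 5986, 22}   # SMB, RDP, WinRM, SSH
FANOUT_LIMIT = 5                              # distinct internal targets per source per day
EXFIL_MIN_BYTES = 200 * 1024 ** 2             # ignore days under 200 MiB outright
EXFIL_BASELINE_FACTOR = 10                    # flag a day above 10x the host's own median


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def parse(lines):
    """Yield parsed flow records; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "day": m["ts"][:10],
            "src": ip_address(m["src"]),
            "dst": ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "bytes": int(m["bytes"]),
        }


def lateral_movement(lines) -> list:
    """One source touching many internal hosts on admin ports in a day."""
    fanout = defaultdict(set)  # (day, src) -> distinct internal dst on admin ports
    for r in parse(lines):
        if r["dport"] in LATERAL_PORTS and is_internal(r["src"]) and is_internal(r["dst"]):
            fanout[(r["day"], str(r["src"]))].add(str(r["dst"]))
    hits = [{"day": d, "src": s, "targets": len(t)} for (d, s), t in fanout.items() if len(t) > FANOUT_LIMIT]
    return sorted(hits, key=lambda h: (h["day"], h["src"]))


def exfiltration(lines) -> list:
    """Daily external egress per host compared with that host's prior-day median."""
    daily = defaultdict(lambda: defaultdict(int))  # src -> day -> bytes to external dst
    for r in parse(lines):
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            daily[str(r["src"])][r["day"]] += r["bytes"]
    findings = []
    for src, days in daily.items():
        for day in sorted(days):
            prior = [b for d, b in days.items() if d < day]
            baseline = median(prior) if prior else 0  # first day: absolute floor only
            vol = days[day]
            if vol >= EXFIL_MIN_BYTES and vol > EXFIL_BASELINE_FACTOR * baseline:
                findings.append({"day": day, "src": src, "bytes": vol, "baseline": baseline})
    return findings


# Constructed sample: one workstation sweeps seven peers over SMB at night, then
# pushes 700 MiB to an external host; a steady host and a real admin stay quiet.
SAMPLE_FLOWS = [
    *[f"2025-10-1{d}T09:00:00Z src=10.20.5.17 dst=198.51.100.7 dport=443 bytes_out=31457280" for d in range(4)],
    "2025-10-14T02:13:07Z src=10.20.5.17 dst=203.0.113.45 dport=443 bytes_out=734003200",
    *[f"2025-10-1{d}T10:00:00Z src=10.20.5.40 dst=198.51.100.9 dport=443 bytes_out=52428800" for d in range(5)],
    *[f"2025-10-13T23:4{i}:00Z src=10.20.5.17 dst=10.20.5.5{i} dport=445 bytes_out=4096" for i in range(7)],
    *[f"2025-10-13T08:00:00Z src=10.20.1.2 dst=10.20.9.{i} dport=3389 bytes_out=65536" for i in (10, 11, 12)],
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print("lateral movement:", lateral_movement(SAMPLE_FLOWS))
    print("exfiltration:", exfiltration(SAMPLE_FLOWS))
```

On the sample, the SMB sweep by 10.20.5.17 on 2025-10-13 (seven targets) and its 700 MiB burst the next morning (about 23x its 30 MiB median) are the only two findings; the host with a flat 50 MiB/day and the administrator's three RDP sessions never trigger. The point for the executive reader is that both alerts would have fired before any ransomware binary ran, which is exactly the window a months-long dwell time means was missed.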


  2. Critical Windows WSUS Flaw (CVE-2025-59287) Actively Exploited
    A critical RCE flaw in Windows Server Update Services (WSUS) was actively exploited against over 50 organizations. An initial patch failed, requiring Microsoft to issue an emergency out-of-band patch.

Business Impact
Compromising WSUS is a “keys to the kingdom” attack. It allows attackers to push malware (like ransomware) to every Windows machine in the organization, disguised as a legitimate Microsoft update. This is a critical supply chain attack vector.

Why It Happened
The flaw allowed for the deserialization of untrusted data. The attackers (tracked as UNC6512) used it for reconnaissance and data exfiltration, likely as a prelude to larger attacks.

Recommended Executive Action
Ensure the second emergency patch for WSUS is applied. Mandate that the SOC hunts for IoCs, as attackers may have established persistence before the final patch was deployed.


Geopolitics & Critical Infrastructure

  1. “Great Firewall” of China Data Leak
    A massive data leak (over 500GB) from Chinese infrastructure firms associated with the Great Firewall (GFW) exposed the inner workings of China’s state censorship and surveillance apparatus, including source code, configuration files, and bug reports.

Business Impact
This unprecedented leak provides a technical blueprint of a nation-state’s surveillance technology. For multinational corporations, this data is invaluable for understanding how their data is being monitored, filtered, or intercepted, and for developing countermeasures.

Why It Happened
The source is unconfirmed but is likely either a sophisticated counter-espionage operation by a rival state or a high-level insider, representing a major breach of a secure state apparatus.

Recommended Executive Action
Direct your threat intelligence team to analyze the technical details from this leak. This information should be used to update and strengthen secure communication protocols for operations in and around China.


  2. Hacktivists Target Canadian Critical Infrastructure (ICS)
    Canadian authorities issued an alert that hacktivist groups were actively breaching critical infrastructure, including water, energy, and agricultural sites. The attackers manipulated internet-exposed Industrial Control Systems (ICS).

Business Impact
This marks a dangerous escalation in hacktivism, moving from simple website defacement to manipulating physical processes. Tampering with pressure valves at a water facility or temperature levels in a grain silo poses a direct threat to public safety and the food supply chain.

Why It Happened
A fundamental security failure: critical ICS devices were left exposed to the open internet without a VPN or MFA, allowing attackers to scan for and simply “log in” to them.

Recommended Executive Action
Mandate an immediate audit to ensure no OT/ICS devices are publicly accessible. All remote access must be secured behind a properly configured firewall and require MFA. IT/OT network segmentation is non-negotiable.


  3. CISA KEV Alerts for Citrix Bleed & Oracle E-Business Suite
    CISA re-added the “Citrix Bleed” vulnerability (CVE-2023-4966) to its KEV catalog, warning of renewed, widespread exploitation. This followed an earlier KEV alert for a critical Oracle E-Business Suite (EBS) flaw (CVE-2025-61884) that led to multiple corporate breaches, including at Envoy Air.

Business Impact
The “long tail” of unpatched vulnerabilities remains a massive risk. These flaws allow unauthenticated attackers to hijack sessions, bypass MFA, and breach internal corporate networks, leading directly to ransomware and data theft.

Why It Happened
Many organizations failed to patch, patched incorrectly, or (in the case of Citrix Bleed) failed to terminate active user sessions after patching, allowing attackers to maintain their access.

Recommended Executive Action
Run emergency vulnerability scans specifically for these CVEs. For Citrix, ensure all active sessions were properly terminated post-patching. For Oracle, any unpatched internet-facing EBS instance should be considered fully compromised.
