Daily Brief

Articles are listed below, each followed by its generated summary

Total articles found: 12797

Checks for new stories every ~15 minutes

2025-04-09 03:19:41 thehackernews MALWARE Adobe Releases Updates for Critical Security Vulnerabilities
Adobe has released updates addressing 30 security vulnerabilities across its products. Eleven of the fixes are critical flaws in ColdFusion (versions 2025, 2023 and 2021) that could allow arbitrary file reads and arbitrary code execution. The remaining fixes cover After Effects, Media Encoder, Bridge, Premiere Pro, Photoshop, Animate and FrameMaker, and include out-of-bounds write and heap-based buffer overflow bugs that could likewise lead to code execution. Adobe says it is not aware of in-the-wild exploitation of any of these issues. Users are urged to update to the latest versions promptly.
2025-04-09 02:39:54 theregister CYBERCRIME Pharmacist Accused of Spying on Colleagues Through Malware
A former University of Maryland Medical Center (UMMC) pharmacist, Matthew Bathula, allegedly compromised hospital IT systems to spy on female colleagues through their webcams. He is accused of installing spyware on more than 400 computers across UMMC locations, giving him a view of private activity such as breastfeeding and sex in victims' homes, and of using keylogging software to capture login credentials that then gave him access to personal cloud-stored photos and identification documents. UMMC faces a negligence lawsuit for failing to detect and stop the activity, which reportedly continued for close to a decade. An IT department employee reportedly flagged possible compromise in 2024, but no decisive action was taken until October 2024. After the discovery, UMMC placed Bathula on administrative leave, terminated his employment, and says it has strengthened data security and compliance with health information protection laws. The FBI is conducting a criminal investigation.
2025-04-08 23:51:58 theregister MALWARE Windows 10 Users Unprotected from Ransomware Due to OS Bug
Microsoft's April Patch Tuesday addressed more than 120 flaws but, at release time, shipped no fix for Windows 10 for CVE-2025-29824, an actively exploited elevation-of-privilege bug in the Common Log File System (CLFS) driver. The group Microsoft tracks as Storm-2460 has used it to gain SYSTEM privileges and deploy ransomware via the PipeMagic malware, with victims reported in the US, Spain, Venezuela and Saudi Arabia. The fix is available for Windows Server and Windows 11, with Windows 10 updates promised "as soon as possible". Critical flaws fixed this month include remote code execution bugs in Microsoft Office, Excel, LDAP and Remote Desktop. Adobe and AMD also released updates for several critical vulnerabilities in their products. Organisations running Windows 10 should watch for the delayed patch and rely on compensating controls in the interim.
2025-04-08 20:59:22 bleepingcomputer MALWARE Malware Disguised as Microsoft Office Tools Infects Thousands
Threat actors used SourceForge to distribute malicious Microsoft Office add-ins, with 4,604 affected systems, predominantly in Russia. The fake "officepackage" project mimicked a legitimate Microsoft project hosted on GitHub but served malware instead. Victims who downloaded the fake add-ins received a ZIP archive containing a malware-laden installer padded with junk data to a large size to evade antivirus scanning. The malware established persistence, performed environment checks, and downloaded additional scripts, ultimately dropping a cryptocurrency miner and a clipboard hijacker that swaps cryptocurrency wallet addresses. The campaign shows the risk of downloading software from unofficial channels; users should obtain software only from trusted, verifiable sources and scan downloads before running them.
2025-04-08 19:10:44 bleepingcomputer MALWARE RansomEXX Exploits New Windows Zero-Day Across Multiple Sectors
Microsoft has disclosed CVE-2025-29824, a high-severity use-after-free zero-day in the Windows Common Log File System driver that was exploited in attacks deploying RansomEXX ransomware. An attacker with a low-privileged foothold can use it to escalate to SYSTEM without user interaction. Patches were issued in the April update, but fixes for some Windows 10 versions were delayed. Microsoft says Windows 11 version 24H2 is not affected by the observed exploitation even where the vulnerability is present. Targets include the IT and real estate sectors in the U.S., financial services in Venezuela, a Spanish software firm, and retail in Saudi Arabia. The intrusions used the PipeMagic backdoor, which also enables further exploitation and lateral movement inside compromised networks. Microsoft urges all users to apply the update immediately. Past RansomEXX victims include GIGABYTE, Konica Minolta and several government bodies.
2025-04-08 18:34:00 theregister MALWARE WhatsApp for Windows Bug Could Execute Malicious Code
A vulnerability in WhatsApp for Windows, CVE-2025-30401, allows malicious code to run when a rigged file attachment is opened; it affects desktop versions prior to 2.2450.6. The client displayed attachments according to their MIME type but chose the program used to open them based on the filename extension, so an executable could be presented as an image (for example a .exe shown as a .jpg). The victim must manually open the attachment, so exploitation depends on social engineering. Meta, WhatsApp's parent company, published a security advisory urging users to update. Security expert Adam Brown noted the resulting risks of data theft, malware propagation and identity theft. At the time of reporting there was no confirmation of real-world exploitation.
2025-04-08 17:57:59 thehackernews MALWARE Fortinet Releases Patch for Critical FortiSwitch Vulnerability
Fortinet has released updates for a critical FortiSwitch flaw, CVE-2024-48887 (CVSS score 9.3), that allows an unauthenticated remote attacker to change administrator passwords through a specially crafted request to the web GUI. The issue was found internally by Daniel Rozeboom of the FortiSwitch web UI development team. Where patching is not immediately possible, Fortinet advises disabling HTTP/HTTPS access to the administrative interface and restricting management access to trusted hosts. No exploitation of this flaw has been reported, but earlier Fortinet vulnerabilities have been widely abused by attackers, so the patches should be applied promptly.
2025-04-08 17:57:59 bleepingcomputer MALWARE Microsoft Addresses Zero-Day and 134 Flaws in April 2025 Patch
This month's Microsoft Patch Tuesday fixes 134 vulnerabilities, including one actively exploited zero-day, CVE-2025-29824, which allows attackers to elevate privileges to SYSTEM. Eleven of the flaws are rated critical, all of them remote code execution bugs. Patches are available for Windows Server and Windows 11, with Windows 10 updates to follow shortly. The discovery of the exploited zero-day is credited to the Microsoft Threat Intelligence Center. Full details and the affected-product list are in Microsoft's release notes; the count excludes Mariner and Microsoft Edge fixes released earlier in the month.
2025-04-08 17:34:36 bleepingcomputer NATION STATE ACTIVITY Extensive Breach at Treasury OCC Linked to Chinese Hackers
Hackers breached the U.S. Treasury's Office of the Comptroller of the Currency (OCC) beginning in June 2023 and accessed more than 150,000 emails. The attackers monitored OCC employees' email after compromising an email system administrator's account. The OCC reported the intrusion to the Cybersecurity and Infrastructure Security Agency in February 2025 as an incident affecting multiple accounts; initially thought to be limited, it reportedly extended to the mailboxes of about 100 bank regulators. The Treasury Department disclosed a separate breach at the end of December 2024 in which attackers used a stolen Remote Support SaaS API key to compromise a BeyondTrust instance; that attack, seen as part of the same broader campaign, was attributed to Silk Typhoon, a Chinese state-backed group. Silk Typhoon's targets included the Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment in the U.S. (CFIUS). The full impact, including an intrusion at the Treasury's Office of Financial Research, is still being assessed.
2025-04-08 16:59:45 thehackernews MALWARE Security Flaw in Amazon EC2 SSM Agent Allows Privilege Escalation
A now-patched security flaw in the AWS Systems Manager (SSM) Agent, which runs on Amazon EC2 instances, allowed local privilege escalation and code execution. The agent built working directories dynamically from the plugin ID in a document without validating that ID; a plugin ID containing path traversal sequences could therefore direct the agent to create directories and execute scripts outside its intended location, with the root privileges the agent runs under. Cymulate discovered and disclosed the issue, and Amazon fixed it in SSM Agent version 3.3.1957.0, released on March 5, 2025, by introducing a BuildSafePath method that prevents the traversal. Administrators should confirm their instances run a patched agent version.
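The traversal pattern above and a BuildSafePath-style guard, as an added example that is not the SSM Agent's code. The orchestration root, the plugin IDs and the function names are assumptions for illustration; the unsafe builder shows how an unvalidated plugin ID escapes the agent's working directory, and the safe builder rejects separators and dot segments and then verifies that the cleaned path is still inside the root:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Illustrative orchestration root for this example. The real agent derives its
// working directory from instance and document identifiers; the value here is
// an assumption, not taken from the agent's source.
const orchestrationRoot = "/var/lib/amazon/ssm/i-0123456789abcdef0/document/orchestration/cmd-1"

// unsafePluginDir mirrors the pre-fix pattern the report describes: the
// attacker-influenced plugin ID is joined into the path with no validation, so
// a traversal sequence relocates the directory the agent later creates and
// runs scripts from, with the agent's root privileges.
func unsafePluginDir(pluginID string) string {
	return filepath.Join(orchestrationRoot, pluginID)
}

// escapesRoot reports whether a resolved path lies outside orchestrationRoot.
func escapesRoot(p string) bool {
	rel, err := filepath.Rel(orchestrationRoot, p)
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safePluginDir is a BuildSafePath-style guard written for this example (an
// approximation of the fix, not the agent's code). It rejects empty IDs, dot
// segments, separators and NUL bytes up front, then confirms that the cleaned
// result is still a strict descendant of the root.
func safePluginDir(pluginID string) (string, error) {
	switch pluginID {
	case "", ".", "..":
		return "", fmt.Errorf("invalid plugin id %q", pluginID)
	}
	if strings.ContainsAny(pluginID, "/\\\x00") {
		return "", fmt.Errorf("invalid plugin id %q: separators and NUL not allowed", pluginID)
	}
	joined := filepath.Join(orchestrationRoot, pluginID)
	if rel, err := filepath.Rel(orchestrationRoot, joined); err != nil || rel == "." || escapesRoot(joined) {
		return "", errors.New("plugin id escapes the orchestration root")
	}
	return joined, nil
}

func main() {
	ids := []string{
		"aws:runShellScript",                    // a normal plugin ID
		strings.Repeat("../", 8) + "etc/cron.d", // traversal to a root-owned drop location
		"..",                                    // a single dot-dot segment
	}
	for _, id := range ids {
		u := unsafePluginDir(id)
		fmt.Printf("unsafe %-36q -> %s (escapes root: %v)\n", id, u, escapesRoot(u))
		if s, err := safePluginDir(id); err != nil {
			fmt.Printf("safe   %-36q -> rejected: %v\n", id, err)
		} else {
			fmt.Printf("safe   %-36q -> %s\n", id, s)
		}
	}
}
```

Checking the cleaned result with filepath.Rel rather than a string-prefix test matters: a prefix comparison against the root would accept a sibling directory whose name merely starts with the root's name, and validating only the raw input would miss IDs that become traversals only after cleaning.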
2025-04-08 16:28:02 bleepingcomputer MALWARE WhatsApp Update Fixes Critical Spoofing Vulnerability on Windows
Meta has released an update for WhatsApp on Windows to address a spoofing vulnerability, CVE-2025-30401, that could lead to arbitrary code execution on the victim's PC when a file is sent with a MIME type that does not match its filename extension and the recipient opens it. Versions prior to 2.2450.6 are affected; the issue is resolved in 2.2450.6. An external researcher reported the flaw through Meta's Bug Bounty program; it is not known whether it was exploited in the wild. This follows earlier WhatsApp security issues, including a bug that let Python and PHP files run unexpectedly and a zero-day used to install spyware. Meta says it continues to work with the security community to address vulnerabilities promptly.
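The MIME-type/extension mismatch behind CVE-2025-30401, as described in this and the earlier WhatsApp item, shown as an added example that is not part of either article or of WhatsApp's code. The attachment model, the sniffType table, the vulnerableOpenHandler and checkAttachment functions and the sample file headers are all constructed here: the vulnerable path previews by declared MIME type but opens by extension, while the hardened path decides from the sniffed bytes and refuses executables or any declared/sniffed disagreement:

```go
package main

import (
	"bytes"
	"fmt"
	"mime"
	"path/filepath"
	"strings"
)

// attachment is a constructed model of what a desktop messenger receives:
// a sender-controlled MIME type, a sender-controlled filename, and the bytes.
type attachment struct {
	DeclaredMIME string
	Filename     string
	Data         []byte
}

// sniffType identifies the payload from its leading bytes. The table is this
// example's own minimal one; a real client would use a complete sniffer.
func sniffType(data []byte) string {
	switch {
	case bytes.HasPrefix(data, []byte{0xFF, 0xD8, 0xFF}):
		return "image/jpeg"
	case bytes.HasPrefix(data, []byte("\x89PNG\r\n\x1a\n")):
		return "image/png"
	case bytes.HasPrefix(data, []byte("%PDF-")):
		return "application/pdf"
	case bytes.HasPrefix(data, []byte("MZ")):
		return "application/x-msdownload" // PE executable: .exe, .dll, .scr
	case bytes.HasPrefix(data, []byte("\x7fELF")):
		return "application/x-executable"
	default:
		return "application/octet-stream"
	}
}

// baseType strips parameters and normalises case: "Image/JPEG; q=1" -> "image/jpeg".
func baseType(m string) string {
	t, _, err := mime.ParseMediaType(m)
	if err != nil {
		return strings.ToLower(strings.TrimSpace(strings.SplitN(m, ";", 2)[0]))
	}
	return t
}

// Extensions that hand the file to a loader or interpreter rather than a viewer.
var executableExt = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".bat": true, ".cmd": true,
	".ps1": true, ".msi": true, ".js": true, ".vbs": true, ".hta": true,
}

// vulnerableOpenHandler mimics the flawed logic in the advisory: the preview is
// chosen from the declared MIME type, but the program that opens the file is
// chosen from the filename extension, so the two can disagree.
func vulnerableOpenHandler(a attachment) (displayedAs, openedWith string) {
	displayedAs = baseType(a.DeclaredMIME)
	ext := strings.ToLower(filepath.Ext(a.Filename))
	switch {
	case executableExt[ext]:
		openedWith = "shell-execute"
	case mime.TypeByExtension(ext) != "":
		openedWith = baseType(mime.TypeByExtension(ext)) + " viewer"
	default:
		openedWith = "unknown"
	}
	return displayedAs, openedWith
}

// checkAttachment is the hardened decision: refuse executable content outright
// and refuse anything whose declared type disagrees with the sniffed bytes. The
// caller picks the handler from the returned sniffed type, never from the
// extension or the declared MIME type.
func checkAttachment(a attachment) (string, error) {
	declared := baseType(a.DeclaredMIME)
	sniffed := sniffType(a.Data)
	ext := strings.ToLower(filepath.Ext(a.Filename))
	if executableExt[ext] || sniffed == "application/x-msdownload" || sniffed == "application/x-executable" {
		return "", fmt.Errorf("refusing %q: executable content (ext=%s, sniffed=%s)", a.Filename, ext, sniffed)
	}
	if declared != sniffed {
		return "", fmt.Errorf("refusing %q: declared %s but bytes sniff as %s", a.Filename, declared, sniffed)
	}
	return sniffed, nil
}

func main() {
	// Constructed sample headers: a JFIF JPEG and a PE (MZ) stub.
	jpegHeader := []byte{0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F'}
	peHeader := []byte("MZ\x90\x00\x03\x00\x00\x00")
	samples := []attachment{
		{"image/jpeg", "holiday.jpg", jpegHeader}, // genuine image
		{"image/jpeg", "holiday.exe", peHeader},   // the advisory's case: shown as image, opened as exe
		{"image/jpeg", "holiday.jpg", peHeader},   // extension spoofed too; only sniffing catches it
	}
	for _, a := range samples {
		shown, opened := vulnerableOpenHandler(a)
		verdict := "accepted"
		if _, err := checkAttachment(a); err != nil {
			verdict = err.Error()
		}
		fmt.Printf("%-12s shown as %-11s opened with %-18s | hardened: %s\n", a.Filename, shown, opened, verdict)
	}
}
```

The third sample is the one worth remembering when writing detections: once both the declared type and the extension are under the sender's control, only the bytes themselves are trustworthy, so the handler decision has to start from content sniffing.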
2025-04-08 16:11:06 thehackernews MALWARE Cryptocurrency Malware Distributed Through SourceForge Downloads
Threat actors are using SourceForge to distribute cryptocurrency miner and clipper malware disguised as a cracked Microsoft Office package. The "officepackage" project on SourceForge cloned legitimate content from GitHub but added malicious downloads. Clicking a download link redirects users to another site that serves a malicious MSI installer inside a ZIP archive; the installer runs scripts that fetch further payloads, including the miner and ClipBanker, which replaces cryptocurrency wallet addresses on the clipboard. The campaign, aimed primarily at Russian-speaking users, reached 4,604 users between early January and late March 2025. The attackers rely on legitimate-looking URLs and search engine indexing to catch people looking for pirated software, and the report notes that such a foothold can also be sold on to other actors for further exploitation.
2025-04-08 15:37:08 bleepingcomputer MALWARE Mirai Botnet Targets DVRs in Advanced Malware Campaign
GreyNoise has detected a surge in exploitation of TVT NVMS9000 DVRs, peaking on April 3, 2025, with more than 2,500 unique scanning IPs observed at the peak. The vulnerability lets attackers bypass authentication and execute administrative commands on exposed DVRs. The activity is linked to Mirai-based malware that recruits the DVRs into a botnet used for DDoS attacks and cryptomining. Attacks originate mainly from Taiwan, Japan and South Korea, while the targeted DVRs are mostly in the U.S., the U.K. and Germany; GreyNoise has confirmed 6,600 distinct malicious IPs involved. Recommended mitigations are upgrading to firmware version 1.3.4, keeping DVR ports off the public internet, and blocking the IPs GreyNoise lists. Signs of infection include increased outbound traffic, high CPU or memory usage, frequent crashes, and altered DVR configuration. Since the last firmware release dates from 2018, it is unclear whether these DVRs are still supported.
2025-04-08 14:58:14 bleepingcomputer MISCELLANEOUS AWS Implements ML-KEM to Enhance Quantum Security in Services
AWS has added ML-KEM, the NIST post-quantum key encapsulation standard, to the TLS endpoints of Key Management Service, Certificate Manager and Secrets Manager, using it in hybrid key exchange alongside classical elliptic-curve key agreement to protect against a future quantum computer that could break RSA and ECC. ML-KEM is the standardized form of CRYSTALS-Kyber, which NIST selected for its post-quantum cryptography standard finalized in August 2024. AWS plans to deprecate its earlier draft CRYSTALS-Kyber support in 2026 and move fully to ML-KEM across the affected endpoints. To use it, clients must update their AWS SDKs and enable post-quantum TLS explicitly. AWS benchmarks show minimal performance impact when ML-KEM is enabled, especially with TLS connection reuse, and AWS encourages customers to run their own tests in their environments.
2025-04-08 12:50:41 theregister CYBERCRIME Scattered Spider Continues Attacks Despite Recent Arrests
Despite multiple arrests in recent years, the cybercriminal group Scattered Spider has continued its social engineering attacks into 2025. The group has rolled out several new phishing kits and an updated version of the Spectre RAT malware to steal sensitive data and maintain persistent access to victim systems. Silent Push, a threat detection firm, has published analysis of the kits and released defender tooling, including a Spectre RAT string decoder and a C2 emulator. Recent targets include major corporations across several sectors, approached through domains that impersonate well-known companies and software vendors. The group has dropped its earlier "Rickrolling" lure in favour of more direct compromise methods. Silent Push also documented a new phishing domain that impersonates several brands at once, and notes that the group has begun using publicly rentable subdomains, which complicates tracking and attribution.