CyberWire Daily: Patch Tuesday Updates – May 14, 2025
Hosted by Dave Bittner from N2K Networks
Introduction
In the latest episode of CyberWire Daily, host Dave Bittner delivers a comprehensive briefing on recent cybersecurity developments, with a particular focus on the latest Patch Tuesday. The episode also features an insightful interview with Neil Hare-Brown, CEO of STORM Guidance, discussing the intricacies of cyber incident response and the future of the CVE program.
Patch Tuesday Highlights
May 14, 2025, marked another bustling Patch Tuesday, where major software vendors released critical updates to address numerous vulnerabilities. Here's a detailed breakdown:
Microsoft's Comprehensive Patch Release
- Total Vulnerabilities Addressed: 78
- Actively Exploited in the Wild: 50
- Affected Products: Windows, Office, Azure, Microsoft Defender
- Noteworthy Flaws:
  - Azure DevOps Server: A zero-day vulnerability with the maximum CVSS score of 10.
  - Critical Vulnerabilities: Six in total, including five remote code execution (RCE) flaws and one information disclosure bug.
SAP's Urgent Patches
- Products Affected: NetWeaver Servers
- Details: SAP released patches for a second zero-day vulnerability, discovered during investigations into attacks exploiting a flaw patched in April. Both flaws have been actively exploited, underscoring the necessity for immediate patch application.
Ivanti's Endpoint Manager Mobile Software
- Vulnerabilities Patched:
  - Authentication Bypass
  - Arbitrary Code Execution via Crafted API Requests
- Impact: These vulnerabilities allowed attackers to achieve unauthenticated RCE by chaining the two flaws together. Ivanti has urged all customers to update to the latest software versions to mitigate these threats.
Fortinet's FortiVoice Enterprise Phone System
- Vulnerability: Critical remote code execution due to a stack-based overflow.
- Affected Products: FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera.
- Exploitation: Actively exploited through malicious HTTP requests, enabling unauthenticated attackers to execute arbitrary code.
Other Major Vendors:
- Juniper Networks: Addressed nearly 90 bugs in its Secure Analytics platform, some dating back several years.
- VMware: Fixed a high-severity cross-site scripting (XSS) flaw in the Aria Automation appliance and a medium-severity issue in VMware Tools.
- Zoom: Resolved nine security defects, including a high-severity privilege escalation vulnerability.
- Industrial Control Systems (ICS): Siemens, Schneider Electric, and Phoenix Contact issued advisories addressing various vulnerabilities, with some requiring only mitigations or workarounds.
Adobe's Extensive Patch Rollout
- Total Vulnerabilities Fixed: At least 39 across various products.
- Critical Updates: Seven critical flaws in Adobe ColdFusion could lead to arbitrary file system reads, code execution, and privilege escalation, each carrying a CVSS score of 9.1.
Dave Bittner emphasized, "This month's Patch Tuesday highlights the importance of timely updates across a broad spectrum of software and hardware. Organizations are urged to prioritize patching these vulnerabilities to safeguard against active threats."
Current Cybersecurity News
Undocumented Communication Devices in Chinese-Made Power Inverters
- Authorities Involved: US Energy Officials
- Findings: Undocumented communication devices discovered within Chinese-manufactured inverters and batteries used in solar installations, battery storage, and EV chargers.
- Risks: Potential to bypass firewalls, enabling remote disruptions or destruction of critical infrastructure.
- Government Response: The US Department of Energy is enhancing supply chain transparency and security amid rising tensions with China. Countries like Lithuania and Estonia are already restricting Chinese inverters to protect their energy systems.
Intel CPU Branch Privilege Injection Flaw
- Impact: Affects all Intel CPUs from the 9th generation onward.
- Discovery: Researchers at ETH Zurich uncovered that speculative execution in Intel's branch predictors can leak sensitive kernel data through race conditions during privilege switches.
- Exploitation: Bypasses Spectre version 2 mitigations, allowing attackers to access protected data such as hashed passwords.
- Non-Impact Targets: AMD and ARM CPUs are not vulnerable to this specific flaw.
Marks & Spencer's Major Cyber Attack
- Financial Impact: Potential claim of up to £100 million from cyber insurers.
- Details: Significant cyber attack compromised customer data and disrupted operations for nearly three weeks.
- Insurance Coverage: Allianz expected to cover at least the first £10 million, with additional coverage from Beazley.
- Economic Consequences: Marks & Spencer's shares dropped by 16%, wiping out £1.3 billion from its market value.
- Operational Impact: The breach led to halted online sales and supply issues in physical stores, with estimated losses exceeding £60 million.
Extradition of Liridon Masurica
- Nationality: Kosovan
- Allegations: Operating BlackDB.cc, an illegal online marketplace selling stolen account data and personal information.
- Charges: Enabling fraud schemes, including tax fraud and identity theft.
- Legal Proceedings: Arrested in December, appeared in a Tampa court, and faces up to 55 years in prison if convicted.
CISA Reverses Decision on Cybersecurity Alerts
- Initial Announcement: CISA intended to prioritize social media, particularly X (formerly Twitter), for disseminating cybersecurity alerts.
- Backlash: The cyber community criticized the move, arguing it could limit access to critical information.
- Reversal: Following the backlash, CISA reinstated its commitment to maintaining cybersecurity alerts on its official website.
- Implications: Highlights concerns over transparency and reliance on private platforms for public safety information, especially amid budget cuts and staffing shortages.
Guest Interview: Neil Hare-Brown, CEO of STORM Guidance
Topic: Cyber Incident Response, Retainer Services, and the Future of the CVE Program
The Multifaceted Nature of Cyber Incident Response
Neil Hare-Brown emphasized, “Cyber incidents or cyber incident response is actually a lot more than just the technical aspects.” He highlighted the importance of addressing non-technical areas such as legal affairs, crisis public relations, trauma counseling, and ransom negotiations. Hare-Brown pointed out that handling these aspects often falls outside the traditional scope of technical response plans.
The Importance of Preparation
When discussing preparation, Hare-Brown stated, "If you want to have a good outcome, organizations that are not prepared... they're still not going to have anywhere near the effectiveness of... more prepared [organizations]." He underscored the necessity for organizations to develop comprehensive incident response plans that encompass both strategic and operational elements. This includes conducting regular exercises to ensure plans are robust and can withstand the pressures of an actual incident.
Challenges with Managed Service Providers (MSPs)
Hare-Brown addressed the reliability of MSPs in incident response, noting potential conflicts of interest. “Some very careful thought has to be given... whether or not their providers would be conflicted if they were to help with the investigation.” He cautioned that MSPs involved in both providing security services and investigating incidents might lack the necessary independence to deliver clear and unbiased assessments.
Maximizing Investments in Retainer Services
Responding to concerns about the value of retainer services, Hare-Brown explained, "Good retainer services should provide a range of onboarding services... assimilation... risk assessment... proactive activities like staff awareness training, penetration testing, and cyber incident exercises.” He emphasized that even in the absence of an incident, organizations should leverage their retainer investments through ongoing proactive security measures.
CVE Program's 25th Anniversary and Future Prospects
In late March, the CVE (Common Vulnerabilities and Exposures) program celebrated its 25th anniversary. However, a leaked memo revealed that CISA had not renewed MITRE's funding contract, sparking concerns about the program's future. The memo indicated a critical 36-hour window before funding ceased, creating a "digital doomsday scenario" within the cybersecurity community.
Key Developments:
- CISA's Reversal: Just 17 hours after the leak, CISA extended the contract for an additional 11 months, averting immediate crisis.
- Emerging Alternatives:
  - Europe's EU Vulnerability Database: Launched as a regional alternative.
  - Luxembourg's CIRCL: Introduced the Global CVE (GCVE) allocation system.
  - CVE Foundation: Proposed a privately funded alternative aimed at ensuring global resilience and governance beyond a single US agency.
Controversies:
- Conflict of Interest Allegations: Former CISA Director Jen Easterly criticized members of the CVE Foundation board for developing a rival while still overseeing the existing program.
- Supporters' Perspective: Advocates argue that diversifying funding sources is essential for the program’s resilience, reducing dependence on any single entity susceptible to political or budgetary shifts.
MITRE's Stance:
- MITRE remains committed to maintaining the CVE program, expressing gratitude for the support received and dedication to ensuring its continued operation despite the contractual uncertainties.
Industry Sentiment: Experts agree on the indispensable role of the CVE program in global vulnerability tracking. Whether through a more distributed model or under continued stewardship, the community recognizes that the CVE program remains a foundational element of cybersecurity infrastructure.
Conclusion
The May 14, 2025 episode of CyberWire Daily provides a thorough analysis of the latest cybersecurity vulnerabilities, ongoing threats, and critical industry developments. The in-depth discussion with Neil Hare-Brown offers valuable insights into effective incident response strategies and the evolving landscape of vulnerability management. As the cybersecurity realm continues to advance, staying informed and prepared remains paramount for organizations worldwide.
For more detailed information on today's stories, see the daily briefing at dailybriefing@thecyberwire.com.
About the Podcast:
CyberWire Daily, hosted by Dave Bittner from N2K Networks, delivers daily cybersecurity news and expert analysis. Each episode features interviews with industry leaders from around the globe, providing listeners with the insights needed to stay ahead in the rapidly changing world of cybersecurity.
Note: This summary excludes advertisements, sponsorship messages, and non-content segments to focus solely on delivering the episode's core information and discussions.
