Cisco Unified CM Vulnerability Lets Remote Attacker Gain Root Access
Cisco has warned of a critical vulnerability in its Unified Communications Manager (Unified CM) and Unified CM Session Management Edition, posing serious risks to enterprise voice and video networks. Tracked as CVE-2024-20399 and carrying a CVSS score of 9.9, the flaw stems from improper input validation in the web-based management interface. An unauthenticated, remote attacker could exploit it by sending crafted HTTP requests, potentially executing arbitrary code on the underlying operating system with root privileges. Cisco has confirmed there are no workarounds, making patching essential. Organizations using affected versions are urged to upgrade immediately to prevent exploitation, as Unified CM is widely deployed in critical business communication environments and could become a high-value target for threat actors seeking to disrupt operations or eavesdrop on sensitive conversations. (GBHackers)
Researchers uncover multiple critical vulnerabilities in Agorum Core Open
Security researchers at usd HeroLab discovered multiple critical vulnerabilities in Agorum Core Open that allow unauthenticated attackers to fully compromise systems. Chained together, these flaws enable remote code execution with root privileges. Issues include command injection, path traversal, plaintext password storage, XML external entity attacks, SSRF, cross-site scripting, and incorrect authorization. The findings were responsibly disclosed to Agorum. These vulnerabilities pose a severe risk, enabling full system takeover without authentication if left unpatched. (usd)
Qantas doesn’t crash, but their computers do
Qantas has reported Australia’s largest data breach in years after a hacker accessed a third-party call centre platform containing data on six million customers. Exposed information includes names, emails, phone numbers, birth dates, and frequent flyer numbers. The airline detected unusual activity and acted quickly to contain the breach, with no impact on operations or flight safety. While cybercrime group Scattered Spider has targeted other airlines recently, Qantas has not attributed the breach. The incident adds to Qantas’ reputational challenges following COVID-era controversies, illegal worker dismissals, and ticketing scandals. CEO Vanessa Hudson apologized, emphasizing data security is taken seriously. The airline notified national cybersecurity and privacy agencies and said no passwords or login credentials were compromised, though a significant data exposure is expected. (Reuters)
French government impacted by Ivanti hacks
Ahhh the Ivanti Cloud Service Appliance vulnerabilities, the flaws that keep on giving. France’s cybersecurity agency, ANSSI, issued a reporting finding that a campaign used these vulnerabilities to target “organizations from governmental, telecommunications, media, finance, and transport sectors.” ANSSI said the attacks were linked to the threat actor Houken, described by Mandiant as UNC5174, believed to be a contractor for China’s Ministry of State Security. The agency acknowledged the attacks were designed to exfiltrate data that the group could sell to state intelligence agencies. (The Record)
The Feds shut down a covert North Korean IT operation
The U.S. Department of Justice announced enforcement actions targeting North Korea’s covert IT operations that fund its nuclear program. Authorities arrested Zhenxing “Danny” Wang, a U.S. citizen, for running a scheme from New Jersey that placed North Korean IT workers in U.S. tech jobs, generating over $5 million. Eight others, six Chinese nationals and two Taiwanese citizens, were also indicted for wire fraud, money laundering, identity theft, hacking, and sanctions violations. From 2021-2024, they impersonated over 80 Americans to gain remote jobs at 100+ companies, causing $3 million in damages. They ran U.S. laptop farms and shell companies to hide workers’ identities and stole sensitive data, including AI tech from a California defense firm. The FBI seized 137 laptops and raided 21 sites in 14 states linked to the scheme. (TechCrunch)
Chinese Hackers Target France in Ivanti Zero-Day Exploit Campaign
Chinese state-backed hackers have been implicated in cyber-espionage campaigns targeting French government institutions by exploiting Ivanti Connect Secure VPN vulnerabilities. According to France’s national cybersecurity agency, ANSSI, attackers believed to be linked to Chinese interests leveraged flaws in Ivanti’s VPN appliances to infiltrate sensitive government networks. The hackers reportedly used sophisticated tools and custom implants to maintain persistence and gather intelligence, underscoring the ongoing threat posed by advanced persistent threat (APT) groups exploiting known vulnerabilities in widely deployed enterprise software. ANSSI did not publicly attribute the attacks to a specific APT group by name but warned that Ivanti devices remain a key focus for foreign espionage operations. The breaches highlight the critical importance of timely patching and monitoring of remote access infrastructure, which has become an increasingly attractive target for state-sponsored actors seeking to compromise government and corporate environments. (infosecurity)
Chrome Zero-Day CVE-2025-6554 under active attack — Google issues security update Google has patched a zero-day vulnerability in Chrome, a type confusion flaw in the V8 JavaScript engine that was actively exploited in the wild. The bug allowed attackers to execute arbitrary code via malicious HTML, prompting a swift mitigation pushed to all platforms. Discovered by Google’s Threat Analysis Group, the flaw marks Chrome’s fourth zero-day fix of 2025. (The Hacker News)
U.S. agencies issue urgent warning over Iran threat
A new warning from U.S. cyber agencies urges critical infrastructure organizations to stay on high alert for possible cyberattacks from Iranian state-backed hackers —especially defense contractors with ties to Israel. While there’s no evidence of a coordinated campaign yet, the advisory from CISA, the FBI, NSA, and DoD Cyber Crime Center points to heightened risk amid growing tensions in the Middle East. Officials say near-term cyber operations from Iranian actors are possible, especially targeting sectors like defense, water, and aviation. (The Record), (CISA)
Canada bans Chinese surveillance company
Canada has ordered Chinese surveillance giant Hikvision—known for manufacturing CCTV systems for civilian and military use—to shut down all operations in the country, citing national security concerns. The move follows a multi-step review by Canadian intelligence agencies, which concluded that the company’s continued presence could be harmful to national security. Hikvision is now also banned from selling products to Canadian Government departments, agencies, and crown operations. The surveillance company denies the allegations and calls the decision politically motivated. (Bleeping Computer), (Security Week)
The FDA issues new guidance on medical device cybersecurity
The FDA has issued new final guidance on medical device cybersecurity, replacing its 2023 version. The updated document reflects expanded authority under Section 524B of the Food, Drug, and Cosmetic Act, requiring that any internet-connected “cyber device” include cybersecurity details in premarket submissions. The guidance mandates elements like software bills of materials, vulnerability management plans, and demonstration of “reasonable assurance of cybersecurity.” Experts note this merges previous guidance with statutory updates into one cohesive document, clarifying that cybersecurity is integral to safety and effectiveness determinations. It explicitly covers debug ports, wireless modules, and access controls, widening regulatory scope. While the FDA aims to enhance device security amid rising healthcare cyber threats, experts warn that recent budget cuts and staffing losses could slow reviews. Researchers emphasize that manufacturers must prioritize security in design and documentation to avoid delays and reduce post-market risks, as nearly all modern devices now qualify as cyber devices. (GovInfo Security)
An NSA veteran is named top civilian at U.S. Cyber Command
Patrick Ware, a 34-year NSA veteran, has been appointed executive director of U.S. Cyber Command, becoming its top civilian leader. He replaces Morgan Adamski, who is expected to move to the private sector after serving in the role since June 2024. The position, traditionally filled by an NSA official, is the No. 3 role at Cyber Command. Ware takes over during a period of leadership uncertainty, as Cyber Command has lacked a permanent chief since Gen. Timothy Haugh was fired nearly three months ago. A planned appointment of Lt. Gen. Richard Angle was reportedly rejected by the White House for undisclosed reasons. Ware will oversee strategic initiatives, talent management, and partnerships amid questions about the future of the “Cyber Command 2.0” overhaul. Ware holds electrical engineering degrees from the University of Maryland and Johns Hopkins University. (The Record)
Researchers disclose a critical vulnerability in Open VSX
Researchers at Koi Security have disclosed a critical vulnerability in Open VSX, the open source extension marketplace hosted by the Eclipse Foundation. The flaw exposed the publishing account’s secret token to any extension or its dependencies. This token acts as a super-admin credential, giving attackers the ability to publish malicious extensions or overwrite existing ones, potentially compromising over 8 million developers. Open VSX is widely used by VS Code-based editors like Cursor, Gitpod, and Windsurf as an alternative to Microsoft’s marketplace. Koi Security warned that attackers could have installed keyloggers, information stealers, or backdoors, posing a SolarWinds-like supply chain risk for developer tooling. The vulnerability was discovered in early May and has now been patched after thorough vetting. SecurityWeek has reached out to the Eclipse Foundation for further comment. (SecurityWeek)
Microsoft security updates address CrowdStrike crash
A major IT outage last year, caused by a faulty software update from cybersecurity firm CrowdStrike, led to global crashes of millions of Windows devices. Although the issue stemmed from CrowdStrike’s Falcon software, which had deep access to the Windows kernel, Microsoft received much of the blame. In response, Microsoft has now announced changes to reduce such risks. Antivirus software will no longer have direct kernel access, and a new endpoint security platform will soon be introduced. This platform will require security updates from third-party vendors to pass through extensive testing and review before deployment to Windows systems worldwide. (Cyberscoop)
FBI warns of social engineering exploiting patients and healthcare providers
The Bureau has issued a warning about criminals posing as health insurers and claims investigators to steal medical and financial data from patients and healthcare providers. They use emails and texts to pressure victims into handing over sensitive information or to make payments for fake service overpayments. According to Health-ISAC’s Errol Weiss, such scams are increasing, often involving impersonation of trusted entities like government agencies or major brands. Criminals use previously leaked personal data – even partial data – to make their schemes more convincing, creating a false sense of trust and legitimacy. (The Register)
Hacker helped kill FBI source, says El Chapo case witness
A Justice Department watchdog report has revealed how a hacker, hired by the Sinaloa drug cartel “infiltrated cameras and phones to track an FBI official in Mexico investigating the drug lord El Chapo, then used data from that surveillance to kill and intimidate potential sources and witnesses the agent was meeting with.” According to the report, the hacker identified people of interest, including the FBI Assistant Legal Attache, and then was able to hack the attache’s mobile phone number to track calls made and received, as well as geolocation data. The hacker also used Mexico City’s camera system to follow the attache through the city and identify people they met with. “The cartel allegedly used that information to intimidate and, in some instances, kill potential sources or cooperating witnesses.” (Cyberscoop)
