Good Morning Security Gang,
Yesterday’s Patch Tuesday hit like a tidal wave: Microsoft dropped fixes for five actively-exploited zero-days, Fortinet disclosed a remote-code flaw already abused in the wild, and SAP, Ivanti, Adobe, and VMware all issued critical updates of their own.
Outside the patch cadence, regulators put Tencent’s WeChat on the hot seat for fentanyl-linked money laundering, new research exposed Chinese support for North Korean IT operatives, and fresh breaches stretched from Alabama’s statehouse to Marks & Spencer’s online tills.
Even Microsoft’s robust profit line couldn’t spare 6,000 employees from a round of “manager-of-managers” layoffs. Below, each headline is unpacked—followed by an action checklist to steady your team after the busiest patch day of 2025.
Microsoft Patch Tuesday: 70 Fixes, 5 Zero-Days
Redmond shipped patches for 70 CVEs, flagging five as exploited in the wild. Four privilege-escalation bugs lurk in the Common Log File System, Ancillary Function Driver (AFD) and DWM Core; the fifth is a type-confusion RCE in the Scripting Engine that can be triggered via a malicious link. While most require an already-authenticated attacker, defenders fear chaining—escalation plus scripting RCE—to produce full system takeover across Windows ecosystems and their interconnected supply chains.
Fortinet FortiVoice Zero-Day (CVE-2025-32756)
Fortinet’s PSIRT found attackers hitting a remote-code execution bug in FortiVoice Enterprise IP-PBX systems (also affecting FortiMail, FortiNDR, FortiRecorder and FortiCamera). Exploits arrive as crafted HTTP requests; logs from compromised devices showed log tampering, SSH brute-force attempts, and FCgi debugging being toggled on. The swiftly issued patch underscores how internal product security teams should monitor field telemetry and self-report.
SAP NetWeaver Under Sustained Chinese Assault
SAP’s May patch batch totals 18 notes, topped by two critical fixes for Visual Composer. CVE-2025-31324 (RCE, CVSS 9.8) has been exploited since January; telemetry links the campaign to Chinese actor “Chaya,” which planted web shells on at least 200 exposed servers. A second deserialization flaw (CVSS 9.1) was unearthed during incident response, proof that opportunistic attackers probe already-patched victims for follow-up gaps.
Ivanti EPMM Double 0-Day (CVE-2025-4427/4428)
Yes, another Ivanti disclosure: an auth-bypass plus RCE chain lets unauthenticated attackers seize on-prem Endpoint Manager Mobile. Ivanti admits “a very limited” set of customers was already exploited before the patch—raising eyebrows after last winter’s VPN fiasco. Organizations still running the platform are urged to update or, as James quips, “divorce Ivanti.”
Adobe’s 39-Fix Mega-Rollout
Adobe ColdFusion heads the list with seven critical bugs (arbitrary file read, code execution, privilege escalation). Photoshop, Illustrator, Lightroom, Dreamweaver, InDesign, Substance 3D and Bridge all receive code-execution or memory-corruption patches, reinforcing that creative-suite endpoints are prime initial-access vectors.
VMware Tools Insecure File Operations (CVE-2025-22247)
Guest users with non-admin rights can tamper with local files and trigger insecure operations in Windows and Linux VMs. Broadcom patched in Tools 12.5.2; no workaround exists. While rated “medium” (CVSS 6.1), the flaw offers lateral-movement potential in dense virtual estates.
WeChat Under Fentanyl-Money-Laundering Probe
AGs from New Hampshire, Colorado, New Jersey, Mississippi, North & South Carolina demanded Tencent explain how criminal brokers use WeChat Pay to swap U.S. drug cash for Chinese yuan. With a bipartisan deadline of June 11, the letter could presage TikTok-style regulatory heat on another Chinese mega-app, and also proves the level of Chinese involvement in the US drug trade.
Chinese Firms Equip North Korean IT Operatives
Strider Technologies traced shipments of PCs, GPUs and network gear from a Chinese company—already under U.S. sanctions—to North Korea’s Ministry of the People’s Armed Forces. The report warns Western firms risk accidental hiring of DPRK freelancers who embed malware in commercial software and funnel proceeds to Pyongyang.
North Korea’s Opal Sleet Phishing Ukrainian Targets
Microsoft attributes a February spear-phishing wave to Konni/Opal Sleet. Lures referencing NATO military events delivered password-protected RAR files whose CHM payloads ran PowerShell reconnaissance scripts. The activity aligns with North Korea’s on-the-ground support for Russia’s war and widens the conflict’s cyber front.
Alabama Government Credentials Compromised
Governor Kay Ivey confirmed state employee usernames and passwords were stolen on May 9, prompting round-the-clock remediation. Early reports say no resident PII left the network, but the incident mirrors recent state-level breaches in Oregon, Rhode Island and Virginia.
Marks & Spencer Admits Data Theft, Site Still Down
A month after DragonForce ransomware struck, M&S told customers names, addresses, DOBs and masked payment details were stolen; online shopping remains suspended. The outage—and similar hits on Harrods and Co-op—highlights the grueling cleanup retail faces when logistics meet ransomware extortion.
Australia Logs Decade-High Breach Notifications
The OAIC recorded 527 breaches (July–Dec 2024), a 9% rise and the highest since 2020. Healthcare, government and finance dominate, with ransomware up 24%. Phishing and stolen credentials continue as the top ingress vectors despite years of user-awareness drives.
Microsoft Lays Off 6,000 Employees, Cites “Too Many Managers”
Fresh off strong Q3 earnings, Microsoft will cut 3% of its workforce, its biggest move since 2023. Satya Nadella says trimming layers of management will speed AI-heavy product cycles, while quietly noting that 20–30% of some projects’ code now comes from Copilot.
📌 Action Items for Practitioners
Prioritise Patch Tuesday: Deploy Microsoft, SAP, Fortinet, Ivanti, Adobe and VMware fixes—actively exploited zero-days first, creative-suite and virtualization fixes next.
Hunt for CLFS & AFD Abuse: Add new Windows LPE IOCs to EDR rules; review domain-controller event logs.
Scan PBX & Voice Appliances: FortiVoice systems exposed to the internet should be patched and reviewed for SSH or FCgi anomalies.
Audit Supply-Chain Access: Double-check third-party contractors for ties to Chinese or North Korean fronts; enhance vendor due-diligence questionnaires.
Block WeChat Payment Traffic: Financial institutions should flag or halt high-value WeChat transfers until Tencent provides compliance clarity.
Test Ransomware BCP: Use the M&S and Co-op cases to stress-test offline ordering, fulfilment and customer-comms playbooks.
Raise Phishing Guardrails: Warn execs and policy staff about Opal Sleet NATO-themed lures; tighten attachment controls on CHM, RAR and ISO files.
Trim Privileged Accounts: Many zero-days require authenticated attackers—least privilege and strong MFA blunt their impact.
✅ Story Links:
https://www.securityweek.com/zero-day-attacks-highlight-another-busy-microsoft-patch-tuesday/
https://www.securityweek.com/sap-patches-another-critical-netweaver-vulnerability/
https://www.securityweek.com/adobe-patches-big-batch-of-critical-severity-software-flaws/
https://thecyberexpress.com/vmware-tools-vulnerability-cve-2025-22247/
https://therecord.media/states-push-wechat-for-money-laundering-answers
https://www.cybersecuritydive.com/news/north-korea-it-worker-scam-china-research/748009/
https://therecord.media/alabama-says-cyber-event-could-cause-disruptions
https://www.securityweek.com/marks-spencer-says-data-stolen-in-ransomware-attack/
https://thecyberexpress.com/australia-data-breaches-highest-this-decade/
https://www.securityweek.com/microsoft-to-lay-off-about-3-of-its-workforce/