CISO Talk by James Azar
CyberHub Podcast
Treasury Attacker Lurked Over a Year, Microsoft ZeroDay, Russian Target RDP, Patch Tuesday Breakdown


Your In-Depth Look at Critical Flaws, Nation-State Attacks, and Global Cyber Threats Spreading Across the Globe, with a Breakdown of Patch Tuesday

Welcome back to the studio!

After a brief trip to New York, the CyberHub Podcast is fully caffeinated, recharged, and ready to cover the latest security news. Today’s episode offers a deep dive into an especially significant Patch Tuesday, newly exposed espionage campaigns, and ongoing concerns about spyware targeting vulnerable communities.

Grab your espresso – complete with that perfect ring of foam – and let’s get started.

From Microsoft’s massive Patch Tuesday release—tackling 134 flaws and one actively exploited zero-day—to significant vulnerabilities in Adobe, Ivanti, VMware, and beyond, this week underscores the unrelenting nature of modern cyber risks. We also explore newly revealed attacks on U.S. Treasury systems, Chinese campaigns against Uyghur and Tibetan groups, and how nation-state actors employ creative methods (like malicious RDP files) for espionage and data theft. With each story, the overarching message remains clear: effective patch management, tailored threat intelligence, and robust security protocols are essential in protecting organizations and users alike.

Microsoft’s Patch Tuesday: 134 Flaws and a Dangerous Zero-Day

Microsoft released fixes for 134 vulnerabilities across its ecosystem. Among these is a critical zero-day (CVE-2025-29084) already exploited by the RansomEXX ransomware gang to escalate privileges on Windows systems. The flaw, a use-after-free vulnerability in the Common Log File System, impacts various Windows versions, though organizations running Windows 11 (version 24H2) are not currently affected. CISA promptly added this vulnerability to its Known Exploited Vulnerabilities Catalog, urging organizations to deploy patches immediately. Notably, Microsoft also addressed a wide range of privilege escalation, RCE, information disclosure, denial-of-service, and spoofing vulnerabilities in its monthly “Patch Tuesday” cycle.

Gladinet CentreStack Bug Joins CISA Catalog

A newly disclosed zero-day (CVE-2025-30406) in Gladinet’s CentreStack platform has also been weaponized in the wild since at least March. With a CVSS score of 9.0, the bug is tied to the improper management of cryptographic keys, allowing attackers to forge .NET view-state payloads and execute arbitrary code. Users are advised to update to CentreStack version 16.4.1.0315.56368 before the April 29 deadline set by CISA.

Massive Wave of Enterprise Patches

Other major vendors rushed to address critical flaws in their solutions:

  • Adobe: Fixed 54 vulnerabilities across ColdFusion, FrameMaker, Photoshop, and Commerce. At least 15 ColdFusion flaws can lead to remote code execution (RCE) or security bypasses.

  • Ivanti: Patched multiple Endpoint Manager vulnerabilities, including a DLL hijacking (CVE-2025-22458) and SQL injection (CVE-2025-22461). Despite no evidence of exploitation in the wild, Ivanti’s frequent inclusion in breach headlines highlights the need for quick patching or, as some joke, “ripping it out.”

  • VMware Tanzu: 47 issues addressed, covering Greenplum and other components—some dating back three years.

  • Zoom: Fixed six security defects across Windows, Linux, macOS, iOS, and Android apps.

  • Fortinet: 10 patched vulnerabilities, including a critical flaw (CVE-2024-48887; CVSS 9.3) in FortiSwitch GUI that could let unauthenticated attackers change admin passwords.

Industrial/OT Patch Updates

On the operational technology (OT) front:

  • Siemens: Issued 9 advisories, noting critical vulnerabilities in older devices and recommending replacement of certain hardware like the Sentron PAC 1260.

  • Schneider Electric: Released 2 advisories, including high-severity flaws in the ConneXium Network Manager that could allow remote code execution.

  • Rockwell: Published an advisory covering a dozen local code execution bugs in Arena products.

  • ABB: Provided details on multiple third-party vulnerabilities in its Arctic Wireless Gateway.

U.S. Treasury / OCC Breach

The U.S. Office of the Comptroller of the Currency (OCC), a Treasury bureau, fell victim to a significant email system compromise that began last June. Attackers reportedly accessed over 150,000 sensitive emails by hijacking an admin account—only discovered in February. Though the OCC claims no wider financial sector impact, the protracted breach timeline underscores the dangers of advanced, persistent access.

Russian Nation-State Actors Exploit RDP

A threat actor tagged as UNC-5837 by Google’s Threat Intelligence Group employed a lesser-known Microsoft Remote Desktop Protocol (RDP) feature to conduct espionage against European government and military organizations. By embedding malicious RDP files in phishing emails, attackers enabled resource redirection and exfiltrated sensitive data, including files and clipboard content. This campaign again spotlights the importance of robust email filtering and meticulous review of RDP configuration settings.

Phishing Campaigns in Ukraine

Ukrainian authorities warn that Russian operatives continue intensifying phishing attacks on military and law enforcement bodies, using macro-enabled Excel files referencing sensitive topics like property compensation and UAV production. On execution, the macros deploy new malware variants, including the GiftedCrook stealer, emphasizing how threat actors tailor phishing lures to exploit localized concerns.

Chinese Spyware Targeting Uyghurs, Tibetans, and Taiwanese

In a coordinated advisory, the UK’s National Cyber Security Centre and global intelligence agencies revealed two spyware families—Moonshine and BadBazaar—actively surveilling Uyghur, Tibetan, and Taiwanese communities. Masquerading as religious or communication apps, these tools exfiltrate real-time data, including messages, photos, and even microphone or camera feeds. Such campaigns demonstrate China’s continued focus on internal and external dissident groups through digitally invasive means.

Action Items

  • Prioritize Patching: Start with critical or actively exploited flaws—particularly Microsoft’s zero-day (CVE-2025-29084) and the Gladinet CentreStack bug (CVE-2025-30406).

  • Harden RDP: Disable RDP file attachments in email filters and monitor resource redirection settings to prevent attackers from silently exfiltrating data.

  • Check Vendor Alerts: Stay on top of Adobe, Ivanti, VMware, Zoom, and Fortinet advisories; OT environments should emphasize Siemens, Schneider, and Rockwell updates.

  • Secure E-Mail Systems: Evaluate privileged admin accounts and logs for unusual access patterns, especially given the lengthy Treasury compromise.

  • Elevate Phishing Defenses: Bolster awareness programs around localized or topical lures (e.g., property compensation, UAV projects) to reduce successful social engineering.

  • Monitor High-Risk Groups: Organizations supporting Uyghur, Tibetan, or Taiwanese communities should watch for suspicious app installs claiming to be religious or communications tools.

  • Map Patch Priorities to Business Risk: Use an exposure management approach that evaluates each vulnerability’s impact on critical business functions.
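The RDP story and the “Harden RDP” action item both come down to what an .rdp attachment asks the client to redirect. The following is an added example (not code from the podcast or from Google’s Threat Intelligence Group) that parses the plain-text .rdp format, one “name:type:value” line per setting, and reports the directives that hand the remote host access to local drives and clipboard; the key list, the risk labels and the sample file are assumptions.

```python
# Added example: inspect an .rdp file for resource-redirection directives.
# The .rdp format is "name:type:value" per line; types are s (string),
# i (integer) and b (binary). Key list and labels below are assumptions.

# Settings that redirect local resources to the remote host.
REDIRECTION_KEYS = {
    "drivestoredirect": "local drives exposed to the remote host",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "printers redirected",
    "remoteapplicationmode": "RemoteApp mode hides the full remote desktop",
}

def parse_rdp(text):
    """Return {name: (type, value)} for each well-formed 'name:type:value' line."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        # Skip blank lines and anything that is not a documented value type.
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].strip().lower()] = (parts[1], parts[2].strip())
    return settings

def redirection_findings(text):
    """List enabled redirection directives, prefixed by the target host if any."""
    settings = parse_rdp(text)
    findings = []
    for key, why in REDIRECTION_KEYS.items():
        typ, value = settings.get(key, ("i", "0"))
        # Integer flags are on when 1; string lists (e.g. drives) when non-empty.
        if (typ == "i" and value == "1") or (typ == "s" and value):
            findings.append(f"{key}={value}: {why}")
    host = settings.get("full address", ("s", ""))[1]
    if findings and host:
        findings.insert(0, f"connects to {host}")
    return findings

# Constructed sample resembling a lure attachment (not a real campaign artefact).
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
remoteapplicationmode:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
username:s:guest
"""

if __name__ == "__main__":
    for finding in redirection_findings(SAMPLE_RDP):
        print(finding)
```

A mail gateway can run the same check on every .rdp attachment and quarantine files whose findings list is non-empty, rather than relying on users to notice the redirection prompt.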

Thanks for reading CISO Talk by James Azar! This post is public so feel free to share it.


✅ Story Links:

https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2025-patch-tuesday-fixes-exploited-zero-day-134-flaws/

https://www.bleepingcomputer.com/news/security/microsoft-windows-clfs-zero-day-exploited-by-ransomware-gang/

https://www.securityweek.com/cisa-urges-urgent-patching-for-exploited-centrestack-windows-zero-days/

https://www.securityweek.com/adobe-calls-urgent-attention-to-critical-coldfusion-flaws/

https://www.securityweek.com/vulnerabilities-patched-by-ivanti-vmware-zoom/

https://www.securityweek.com/fortinet-patches-critical-fortiswitch-vulnerability/

https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-addressed-by-rockwell-abb-siemens-schneider/

https://www.bleepingcomputer.com/news/security/hackers-lurked-in-treasury-occs-systems-since-june-2023-breach/

https://www.bankinfosecurity.com/russian-apt-hacker-observed-deploying-unusual-rdp-tactics-a-27953

https://thehackernews.com/2025/04/uac-0226-deploys-giftedcrook-stealer.html

https://therecord.media/ncsc-shares-details-on-spyware-targeting-uyghur-tiben-taiwanese-groups


🚀 About The CyberHub Podcast.

The Hub of the Infosec Community.

Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
