Cybersecurity Brief – 2025-05-07
Major Incidents or Breaches
- UK Legal Aid Agency (LAA) Incident: The LAA, part of the UK’s Ministry of Justice, is investigating a cybersecurity incident that may have exposed law firm data. The agency has warned impacted firms of potential data access by attackers.
- T-Mobile Data Breach Settlement: Payments to victims of T-Mobile’s 2021 data breach (which exposed data of 76 million customers) have begun distribution after previous delays.
- Langflow AI App Servers Compromised: A critical remote code execution (RCE) vulnerability in Langflow has been exploited in the wild, with CISA urging immediate patching.
- Samsung MagicINFO 9 Server Exploits: Active exploitation of an unauthenticated RCE flaw in Samsung MagicINFO 9 Server has been observed, leading to device hijacking and malware deployment.
- GeoVision IoT Devices Used in Mirai Botnet: Threat actors are exploiting vulnerabilities in end-of-life GeoVision IoT devices to conscript them into Mirai botnets for DDoS attacks.
- Commvault Vulnerability Still Exploitable: Despite prior patches, CVE-2025-34028 affecting Commvault remains exploitable and is under active attack.
- SonicWall SMA Devices Under Attack: Two vulnerabilities in SonicWall’s Secure Mobile Access (SMA) devices are being actively exploited by threat actors.
- Linux Supply Chain Attack: Malicious Go modules published on GitHub, posing as legitimate libraries, fetched and ran a payload that overwrote the primary disk of Linux hosts that imported them; the target is developers who pull modules by name without vetting the publisher.
Newly Discovered or Actively Exploited Vulnerabilities
- Apache Parquet CVE-2025-30065: A proof-of-concept exploit for this maximum severity vulnerability has been released, increasing the risk to unpatched servers.
- Google Android FreeType Flaw: Google patched an actively exploited, zero-click FreeType 2 code execution vulnerability in Android as part of its May 2025 security updates.
- Langflow Critical RCE: The Langflow platform is subject to an easily exploitable RCE vulnerability (CVSS 9.8), now under active exploitation.
- Samsung MagicINFO 9 Server RCE: Ongoing exploitation of the unauthenticated RCE flaw is resulting in widespread device compromise.
- SonicWall SMA Device Vulnerabilities: CISA has highlighted two actively exploited vulnerabilities affecting SonicWall’s SMA remote access devices.
- Commvault CVE-2025-34028: Despite being previously patched, this vulnerability remains exploitable and is being leveraged in attacks.
Notable Threat Actor Activity
- Mirai Botnet Expansion: Threat actors are leveraging vulnerabilities in Samsung MagicINFO and GeoVision IoT devices to expand Mirai botnet operations, primarily for DDoS attacks.
- Investment Scam Operations: Two threat actor groups are running investment scams using Facebook ads, RDGA domains, and IP filtering to target victims and evade detection.
- Device Code Phishing: Attackers are using “device code phishing” to obtain account tokens without ever capturing a password or MFA code. The lure gets the victim to enter an attacker-generated code on the identity provider’s genuine device-login page (the OAuth 2.0 device authorization grant, RFC 8628), after which the attacker’s client is issued the victim’s tokens; because the victim signs in on the legitimate domain and completes MFA themselves, URL checks and MFA prompts do not stop the attack.
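To make the mechanics of the device code flow concrete, the following toy model is an added illustration for this brief, not code from any identity provider. It implements the three RFC 8628 endpoints in one class, runs the phish end to end, and shows that the only reliable countermeasure modelled here is refusing the grant at the policy layer. The class names, the `device_grant_enabled` switch, the user “alice” and the client id are invented.

```python
"""Toy model of the OAuth 2.0 device authorization grant (RFC 8628) showing why
"device code phishing" yields account tokens without stealing a password or an
MFA code, and how disabling the grant stops it. Added illustration for this
brief, not code from any identity provider; class names, the
`device_grant_enabled` policy switch, the user "alice" and the client id are invented."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DeviceRequest:
    device_code: str            # secret held by the *client* that started the flow
    user_code: str              # short code the *user* types on the verification page
    client_id: str
    expires_at: float
    authorized_by: Optional[str] = None


class AuthorizationServer:
    """Minimal identity provider. `device_grant_enabled` stands in for a tenant
    policy (e.g. a Conditional Access rule) that blocks the device code flow."""

    def __init__(self, device_grant_enabled: bool = True):
        self.device_grant_enabled = device_grant_enabled
        self.by_device_code: Dict[str, DeviceRequest] = {}
        self.by_user_code: Dict[str, DeviceRequest] = {}

    def device_authorization(self, client_id: str) -> Optional[dict]:
        """RFC 8628 3.1-3.2: the client asks for a device_code/user_code pair."""
        if not self.device_grant_enabled:
            return None                      # grant blocked by policy
        req = DeviceRequest(
            device_code=secrets.token_urlsafe(32),
            user_code=f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}",
            client_id=client_id,
            expires_at=time.time() + 900,    # 15 minute lifetime
        )
        self.by_device_code[req.device_code] = req
        self.by_user_code[req.user_code] = req
        return {"device_code": req.device_code, "user_code": req.user_code,
                "verification_uri": "https://login.example.test/device"}

    def verification_page(self, user: str, mfa_passed: bool, user_code: str) -> bool:
        """RFC 8628 3.3: the user signs in (password + MFA) on the genuine login
        page and types the user_code. The server binds the pending request to that
        user; it cannot tell whether the person typing the code is the person
        holding the device_code."""
        req = self.by_user_code.get(user_code)
        if req is None or not mfa_passed or time.time() > req.expires_at:
            return False
        req.authorized_by = user
        return True

    def token(self, device_code: str) -> dict:
        """RFC 8628 3.4-3.5: the client polls until the user has approved."""
        req = self.by_device_code.get(device_code)
        if req is None:
            return {"error": "invalid_grant"}
        if req.authorized_by is None:
            return {"error": "authorization_pending"}
        del self.by_device_code[device_code]
        del self.by_user_code[req.user_code]
        return {"access_token": secrets.token_urlsafe(16), "sub": req.authorized_by}


def run_phish(server: AuthorizationServer, victim: str = "alice") -> Optional[dict]:
    """The attack as a sequence: attacker starts the flow, victim approves it."""
    dev = server.device_authorization(client_id="attacker-laptop")
    if dev is None:
        return None                          # policy blocked the grant; nothing to lure with
    # Lure: "Join the meeting: open login.example.test/device and enter <user_code>".
    # The victim authenticates, with MFA, on the real identity provider domain.
    server.verification_page(victim, mfa_passed=True, user_code=dev["user_code"])
    # The attacker's next poll returns tokens for the victim's account.
    return server.token(dev["device_code"])


if __name__ == "__main__":
    print(run_phish(AuthorizationServer(device_grant_enabled=True)))   # tokens with sub "alice"
    print(run_phish(AuthorizationServer(device_grant_enabled=False)))  # None
```

The model makes the defensive point visible: nothing in the flow lets the server distinguish a legitimate smart-TV login from a phish, so the fix is policy (block or tightly scope the device code grant for users who do not need it, for example via a Conditional Access authentication-flows condition in Entra ID) plus detection of device-code sign-ins from unexpected clients or locations.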
Trends, Tools, or Tactics of Interest
- Modular Malware: Continued evolution in malware development with increased use of modular architectures, allowing threat actors to rapidly adapt and repurpose code.
- Machine Credentials and Third-Party Risk: The Verizon 2025 DBIR reports third-party involvement in roughly 30% of breaches, double the previous year, and points to stolen credentials (including machine credentials and secrets leaked in code repositories) as a leading initial-access path alongside vulnerability exploitation.
- External Attack Surface Management (EASM): Growing emphasis on EASM as organisations struggle to maintain visibility and control over sprawling digital assets and shadow IT.
- Kubernetes Security Risks: Microsoft warns that the default values of many community Helm charts expose the packaged application to the internet (for example through LoadBalancer or NodePort Services) with no authentication enabled, so deploying a chart without reviewing its values can leak data; Kubernetes itself adds no authentication layer in front of a pod.
- Supply Chain Attacks via Open-Source Modules: The attack on Linux servers via malicious Go modules underscores ongoing risks in the open-source software supply chain.
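The Helm default-configuration item above is the kind of thing a post-render gate can catch before `helm install`. The checker below is an added example for this brief, not code from Microsoft or the Helm project: it scans the documents produced by `helm template <release> <chart>` (parsed with any YAML loader) and flags what Kubernetes will never authenticate on its own: Services of type LoadBalancer or NodePort, and Ingress rules served without TLS. The two rendered charts are constructed samples; the chart, namespace and host names are invented.

```python
"""Post-render review gate for Helm charts whose defaults expose a workload.
Added example for this brief, not Microsoft's or Helm's code. Input is the list
of documents from `helm template`, e.g. list(yaml.safe_load_all(output));
sample renders below are constructed and the names are invented."""
from typing import Any, Dict, Iterable, List

EXTERNAL_SERVICE_TYPES = {"LoadBalancer", "NodePort"}


def _ident(obj: Dict[str, Any]) -> str:
    meta = obj.get("metadata") or {}
    return f"{obj.get('kind')}/{meta.get('namespace', 'default')}/{meta.get('name')}"


def find_exposures(manifests: Iterable[Any]) -> List[str]:
    """Return one finding per resource that is reachable from outside the cluster
    or served without TLS. Application-level authentication cannot be inferred
    from manifests, so each Service finding asks the reviewer to verify it."""
    findings: List[str] = []
    for obj in manifests:
        if not isinstance(obj, dict):
            continue                     # helm emits empty documents for disabled templates
        kind = obj.get("kind")
        spec = obj.get("spec") or {}
        if kind == "Service" and spec.get("type") in EXTERNAL_SERVICE_TYPES:
            ports = ",".join(str(p.get("port")) for p in spec.get("ports", []))
            findings.append(
                f"{_ident(obj)}: Service type {spec['type']} on port(s) {ports} is reachable "
                "from outside the cluster; verify the application itself requires authentication")
        elif kind == "Ingress" and not spec.get("tls"):
            hosts = ",".join(r.get("host", "*") for r in spec.get("rules", []))
            findings.append(f"{_ident(obj)}: Ingress for {hosts} has no TLS block")
    return findings


# Constructed sample: the shape many community charts render with default values.
INSECURE_RENDER = [
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "demo-controller", "namespace": "analytics"},
     "spec": {"type": "LoadBalancer", "selector": {"app": "demo"},
              "ports": [{"port": 9000, "targetPort": 9000}]}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "demo", "namespace": "analytics"},
     "spec": {"rules": [{"host": "demo.example.test",
                         "http": {"paths": [{"path": "/", "pathType": "Prefix",
                                             "backend": {"service": {"name": "demo-controller",
                                                                     "port": {"number": 9000}}}}]}}]}},
    None,  # a disabled template renders as an empty document
]

# Same chart with values overridden: internal-only Service, TLS on the Ingress,
# and authentication enforced at the ingress controller (annotation is illustrative).
HARDENED_RENDER = [
    {"apiVersion": "v1", "kind": "Service",
     "metadata": {"name": "demo-controller", "namespace": "analytics"},
     "spec": {"type": "ClusterIP", "selector": {"app": "demo"},
              "ports": [{"port": 9000, "targetPort": 9000}]}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "demo", "namespace": "analytics",
                  "annotations": {"nginx.ingress.kubernetes.io/auth-type": "basic"}},
     "spec": {"tls": [{"hosts": ["demo.example.test"], "secretName": "demo-tls"}],
              "rules": [{"host": "demo.example.test", "http": {"paths": []}}]}},
]

if __name__ == "__main__":
    for line in find_exposures(INSECURE_RENDER):
        print("FINDING", line)
    print("hardened:", find_exposures(HARDENED_RENDER))
```

Wire it into CI as `helm template ... | python gate.py` and fail the pipeline on any finding; an Ingress that passes is still an intentional exposure, so the reviewer must also confirm the application, or the ingress controller, enforces authentication in front of it.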
Regulatory or Policy Developments
- NSO Group Ordered to Pay Damages for Pegasus Spyware Attacks: A US federal jury ordered NSO Group to pay about $168 million in damages to WhatsApp (Meta) for deploying Pegasus spyware against roughly 1,400 WhatsApp users, a significant legal precedent for commercial spyware vendors.
- California Privacy Enforcement: The California Privacy Protection Agency issued a six-figure fine and mandated business practice changes for a national clothing retailer over privacy violations, reinforcing active regulatory oversight.
- US CISA Funding and Policy Scrutiny: US lawmakers are questioning proposed cuts to CISA funding and demanding a comprehensive national cybersecurity plan.
- DOD Cyber Policy Review: The US Department of Defense’s nominee for cyber policy has pledged to re-evaluate guardrails for offensive cyber operations, signalling potential policy shifts.
Other Noteworthy Items
- Signal Clone Security Issue: Analysis of TM Signal, a modified Signal client that archives users’ messages, found that it sends message logs to its archive server in plaintext, defeating the end-to-end encryption of the app it clones and raising concerns over “secure” messaging forks that add a third party to the conversation.
- Credential Hygiene in Public Figures: Reports indicate poor password practices among high-profile individuals, including the US Director of National Intelligence, highlighting ongoing issues with credential reuse at senior levels.