May 2025 has been a pivotal month in cybersecurity, marked by significant vulnerabilities, high-profile ransomware attacks, and escalating geopolitical cyber tensions. This report provides a comprehensive overview of the month’s critical developments.
๐ Critical Vulnerabilities (CVEs) of May 2025
Several high-severity vulnerabilities were disclosed and exploited this month, necessitating immediate attention:
- CVE-2025-32756 โ Fortinet Stack-Based Buffer Overflow
A critical vulnerability in Fortinet’s FortiFone, FortiVoice, FortiNDR, and FortiMail products allows remote code execution via crafted HTTP requests. - CVE-2025-30400 โ Microsoft DWM Core Library Use-After-Free
An elevation of privilege vulnerability in the Desktop Window Manager, actively exploited in the wild. - CVE-2025-32701 & CVE-2025-32706 โ Windows CLFS Driver Vulnerabilities
Use-after-free and heap-based buffer overflow vulnerabilities in the Common Log File System driver, both exploited in zero-day attacks. - CVE-2025-32709 โ Windows Ancillary Function Driver for WinSock Use-After-Free
An elevation of privilege vulnerability in the Ancillary Function Driver, confirmed to be exploited in the wild. - CVE-2025-30397 โ Microsoft Scripting Engine Memory Corruption
A memory corruption vulnerability in the scripting engine, allowing remote code execution through malicious links. - CVE-2025-29966 & CVE-2025-29967 โ Windows Remote Desktop Services RCE
Critical remote code execution vulnerabilities in Remote Desktop Services, exploitable via heap-based buffer overflows. - CVE-2025-29833 โ Windows Virtual Machine Bus TOCTOU Race Condition
A time-of-check time-of-use vulnerability allowing arbitrary code execution over a network. - CVE-2025-31200 & CVE-2025-31201 โ Apple CoreAudio and PAC Bypass
Zero-day vulnerabilities affecting iOS and macOS, enabling remote code execution via malicious media files and bypassing Pointer Authentication Codes. - CVE-2025-32433 โ Cisco Erlang/OTP SSH Protocol RCE
A critical remote code execution flaw in Cisco products due to issues in the Erlang/OTP framework’s SSH protocol handling. - CVE-2025-27840 โ Espressif ESP32 Undocumented HCI Commands
A vulnerability in ESP32 chips allowing unauthorized memory access via undocumented HCI commands.
๐ก๏ธ Notable Ransomware and Data Breaches
Ransomware attacks and data breaches have continued to impact organizations globally:
- Marks & Spencer (UK): Suffered a ransomware attack attributed to the “Scattered Spider” group, leading to significant operational disruptions and a potential ยฃ300 million hit to profits.
- Harrods and Co-op (UK): Both retailers experienced cyberattacks, with Harrods restricting internet access and Co-op admitting data theft affecting millions of customers.
- Victoria’s Secret (US): Faced a security incident leading to the temporary shutdown of its U.S. website and limited in-store services.
- Sheboygan, Wisconsin (US): A ransomware attack compromised personal information of nearly 70,000 residents, including Social Security numbers and state IDs.
- Khidmah (UAE): The real estate services company was targeted by Everest Ransomware, resulting in the leak of 3,300 personal records.
๐ Geopolitical Cyber Activities
Cyber operations have increasingly become tools of statecraft and conflict:
- Czech Republic: Accused China of orchestrating a cyberattack on its foreign ministry’s communications network, attributed to the state-sponsored group APT31.
- India-Pakistan Tensions: Over 650 cyberattacks targeted India’s critical infrastructure between May 7-10, reportedly launched by Pakistan-aligned actors amid escalating military tensions.
- UK’s Cyber Strategy: The UK announced plans to bolster its offensive cyber capabilities against threats from Russia and China, emphasizing the integration of digital efforts across military branches.
๐ ๏ธ Law Enforcement and Cybercrime Disruption
- Operation Endgame: An international operation led by German authorities dismantled a major Russian-led cybercrime network responsible for deploying malware like Qakbot and Conti, affecting over 300,000 computers globally.
- LockBit Ransomware Group: The notorious ransomware gang LockBit appeared to have been hacked, with leaked data revealing communications between its members and victims, potentially disrupting its operations.
๐ Expert Insight: Embracing Zero Trust Architecture
The events of May 2025 underscore the necessity for organizations to adopt a Zero Trust security model. By assuming that threats can originate both outside and inside the network perimeter, Zero Trust emphasizes continuous verification of user identities, device health, and access privileges. Implementing this approach can significantly reduce the risk of unauthorized access and lateral movement within networks, enhancing overall cybersecurity resilience.