At a glance.
- UK court blocks government's attempt to keep Apple encryption case secret.
- President Trump strips clearances from Chris Krebs and SentinelOne employees.
- CISA warns of exploited CrushFTP flaw.
- Port of Seattle says last year's breach affected 90,000 people.
- Treasury Department's Office of the Comptroller of the Currency discloses major breach.
UK court blocks government's attempt to keep Apple encryption case secret.
The UK Investigatory Powers Tribunal has blocked the British government's effort to keep secret a case involving its request to circumvent Apple's encrypted iCloud services, Bloomberg reports. The court, which hears complaints related to government surveillance, ruled that the government's efforts were a "fundamental interference with the principle of open justice."
The Tribunal's ruling, which also publicly confirmed the existence of the case for the first time, said it would have been "a truly extraordinary step to conduct a hearing entirely in secret without any public revelation of the fact that a hearing was taking place." The court added, "We do not accept that the revelation of the bare details of the case would be damaging to the public interest or prejudicial to national security."
President Trump strips clearances from Chris Krebs and SentinelOne employees.
President Trump yesterday signed a memorandum stripping former CISA director Chris Krebs of his security clearance and ordering a probe into Krebs's conduct as a government employee, looking for "any instances where Krebs’ or CISA’s conduct appears to be contrary to the administration’s commitment to free speech and ending federal censorship." The memorandum adds that the "review will include a comprehensive evaluation of all of CISA’s activities over the last 6 years."
Notably, the order "also suspends any active security clearance held by individuals at entities associated with Krebs"—which includes Krebs's employer, SentinelOne—"pending a review of whether such clearances are consistent with the national interest." SentinelOne said in a statement, "In regard to the Executive Order dated April 9, 2025 focused on Chris Krebs in his prior role as a government employee, we will actively cooperate in any review of security clearances held by any of our personnel – currently less than 10 employees overall and only where required by existing government processes and procedures to secure government systems. Accordingly, we do not expect this to materially impact our business in any way."
Krebs was fired from CISA by Trump in 2020 over Krebs's efforts to debunk election-related dis- and misinformation. CISA's practice of working with social media companies to remove misinformation also drew criticism from free speech advocates, and the agency moved away from this activity last year.
Axios notes that Krebs is well-respected within the cybersecurity community, and the latest move by the Trump administration is sure to upset many in the industry.
CISA warns of exploited CrushFTP flaw.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting the CrushFTP file transfer service to its Known Exploited Vulnerabilities (KEV) catalog, Infosecurity Magazine reports. The vulnerability (CVE-2025-31161) has been assigned a CVSS score of 9.8, and can allow authentication bypass and takeover of the crushadmin account. The flaw makes it "trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account."
CISA's notice requires Federal Civilian Executive Branch (FCEB) agencies to patch the flaw by April 28th.
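As an added example (not code from the original briefing, CISA or CrushFTP), the script below shows the check a patch-management team typically runs when a KEV entry with a due date lands: parse a catalog export in the public known_exploited_vulnerabilities.json schema, cross-reference it against an asset inventory, and classify each in-scope CVE against its CISA due date. The catalog excerpt and the inventory are constructed for the example; only the CrushFTP entry's CVE, vendor, product and 28 April due date come from the item above, and the 14-day warning window is an arbitrary assumption.

```python
"""Triage a CISA KEV catalog excerpt against an asset inventory.

Added example: the catalog below is constructed in the shape of CISA's
known_exploited_vulnerabilities.json export, not downloaded from cisa.gov.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed catalog excerpt. The CrushFTP entry mirrors the KEV item
# discussed above (CVE, vendor, product, 28 April due date); the descriptive
# strings are paraphrased for the example, not copied from the catalog.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.04.08",
    "dateReleased": "2025-04-08T00:00:00.0000Z",
    "count": 1,
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-31161",
            "vendorProject": "CrushFTP",
            "product": "CrushFTP",
            "vulnerabilityName": "CrushFTP Authentication Bypass Vulnerability",
            "dateAdded": "2025-04-07",
            "shortDescription": "Authentication bypass allowing a remote, "
                                "unauthenticated attacker to log in as any known "
                                "or guessable user such as crushadmin.",
            "requiredAction": "Apply mitigations per vendor instructions or "
                              "discontinue use of the product.",
            "dueDate": "2025-04-28",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        }
    ],
})

# Constructed asset inventory: (vendor, product) pairs as they might appear in
# a CMDB export. Only the first pair is meant to match the catalog.
ASSUMED_INVENTORY = [
    ("crushftp", "CrushFTP"),
    ("Example Vendor", "Example Appliance"),
]


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    name: str
    date_added: date
    due_date: date
    ransomware_use: str


def load_kev(raw_json: str) -> list[KevEntry]:
    """Parse a KEV catalog export into typed entries (ISO dates become date objects)."""
    doc = json.loads(raw_json)
    return [
        KevEntry(
            cve_id=v["cveID"],
            vendor=v["vendorProject"],
            product=v["product"],
            name=v["vulnerabilityName"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            ransomware_use=v.get("knownRansomwareCampaignUse", "Unknown"),
        )
        for v in doc["vulnerabilities"]
    ]


def match_inventory(entries, inventory):
    """Return the KEV entries whose vendor/product pair appears in the inventory.
    Matching is case-insensitive, since CMDB casing rarely matches CISA's."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    return [e for e in entries if (e.vendor.lower(), e.product.lower()) in wanted]


def days_until_due(entry: KevEntry, today_iso: str) -> int:
    """Days remaining before CISA's due date; negative once the deadline has passed."""
    return (entry.due_date - date.fromisoformat(today_iso)).days


def triage(entries, inventory, today_iso: str, warn_days: int = 14) -> dict:
    """Map each in-scope CVE to 'overdue', 'due soon' or 'scheduled'.
    The 14-day warning window is an assumption for this example, not CISA policy."""
    result = {}
    for entry in match_inventory(entries, inventory):
        remaining = days_until_due(entry, today_iso)
        if remaining < 0:
            result[entry.cve_id] = "overdue"
        elif remaining <= warn_days:
            result[entry.cve_id] = "due soon"
        else:
            result[entry.cve_id] = "scheduled"
    return result


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for cve, status in triage(catalog, ASSUMED_INVENTORY, "2025-04-10").items():
        print(f"{cve}: {status}")
```

Run against a real export, the same functions work unchanged: replace SAMPLE_KEV_JSON with the text of the downloaded catalog and ASSUMED_INVENTORY with your own vendor/product list. The KEV due date is binding only on FCEB agencies, but the catalog's "dateAdded" is still the most reliable public signal that a flaw is being exploited, so most organisations treat the match itself, not the due date, as the trigger for emergency patching.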
Port of Seattle says last year's breach affected 90,000 people.
The Port of Seattle, the agency that oversees Seattle's seaport and airport, has disclosed that the ransomware attack it sustained in August affected data belonging to approximately 90,000 people, BleepingComputer reports. Around 71,000 of the victims are residents of Washington state. The Port says the breached information included "some combination of names, dates of birth, Social Security numbers (or last four digits of Social Security number), driver’s license or other government identification card numbers, and some medical information."
The agency previously disclosed that the Rhysida ransomware gang posted the stolen data to its leak site after the Port refused to pay the ransom.
Treasury Department's Office of the Comptroller of the Currency discloses major breach.
Bloomberg reports that hackers intercepted 103 bank regulators' emails for over a year after compromising an administrator account at the US Treasury Department's Office of the Comptroller of the Currency (OCC). The OCC notified Congress of the incident yesterday, stating, "The OCC discovered that the unauthorized access to a number of its executives’ and employees’ emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes."
Bloomberg cites a draft letter to Congress as saying the hackers had access to approximately 150,000 emails beginning in May 2023 until they were ousted earlier this year.
Patch news.
This week's Patch Tuesday saw fixes from Microsoft, Fortinet, Ivanti, VMware, and multiple ICS vendors. Microsoft issued patches for 134 vulnerabilities, including one actively exploited zero-day (CVE-2025-29824), BleepingComputer notes.
Fortinet fixed a critical password change vulnerability (CVE-2024-48887) in the FortiSwitch GUI that could "allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request."
Ivanti patched three high-severity vulnerabilities affecting its Endpoint Manager, including one that could allow a remote unauthenticated attacker to obtain admin privileges.
VMware addressed 47 flaws in its Tanzu cloud native application platform, ten of which are rated as "critical," SecurityWeek reports.
SecurityWeek also has a roundup of vulnerabilities patched by ICS vendors, including Siemens, Rockwell, Schneider, and ABB.
Google has released patches for 62 Android vulnerabilities, including two zero-days that were being exploited in targeted attacks, Malwarebytes reports. One of the zero-days (CVE-2024-53197), a privilege escalation flaw affecting the Linux kernel, was reportedly used by digital forensics firm Cellebrite to gain access to locked Android devices. The flaw came to light when the Serbian government allegedly abused Cellebrite's tool to target a student activist and other members of civil society. The other zero-day (CVE-2024-53150) is an information disclosure flaw in the Linux kernel that can be exploited by local attackers without user interaction. There are no details on how this flaw is being exploited in the wild.
Juniper Networks has issued patches for dozens of vulnerabilities affecting Junos OS and Junos OS Evolved, SecurityWeek reports. Eleven of the flaws are rated as high-severity, and most of them can lead to denial-of-service (DoS) conditions. The company also released Junos Space version 24.1R3, addressing nearly 50 flaws in third-party software. Some of these vulnerabilities are rated as critical.
Crime and punishment.
Europol has announced follow-up arrests from last year's Operation Endgame, which disrupted the IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee malware operations. A database seized during the operation helped law enforcement track down customers of the Smokeloader pay-per-install botnet, leading to at least five detentions.