At a glance.
- WinRAR patches actively exploited zero-day.
- New HTTP/2 flaw can be used to launch major DDoS attacks.
- North Korea's Kimsuky APT reportedly sustains breach.
- Threat actors exploit Erlang flaw to target OT networks.
- Patch Tuesday notes.
- Norwegian dam sabotage blamed on pro-Russian hackers.
WinRAR patches actively exploited zero-day.
WinRAR has received a patch for a vulnerability that was exploited as a zero-day by the Russia-aligned threat actor RomCom, SecurityWeek reports. Researchers at ESET discovered the flaw (CVE-2025-8088), which can allow an attacker to execute arbitrary code via maliciously crafted archive files. The attackers used spearphishing emails with phony job applications to target "financial, manufacturing, defense, and logistics companies in Europe and Canada."
RomCom is known for conducting cyberespionage alongside opportunistic criminal activity. ESET notes that this campaign "targeted sectors that align with the typical interests of Russian-aligned APT groups, suggesting a geopolitical motivation behind the operation."
New HTTP/2 flaw can be used to launch major DDoS attacks.
Security researchers from Imperva and Tel Aviv University discovered a design flaw in HTTP/2 implementations that can be exploited to launch large-scale DDoS attacks, SecurityWeek reports. The flaw is a variant of the HTTP/2 Rapid Reset vulnerability that surfaced in 2023. Imperva has dubbed the new variant "MadeYouReset."
Imperva explains, "[T]he attack moves beyond resetting streams directly and instead targets the server’s behavior when handling invalid (but protocol-compliant) frames. But here’s the twist: the client never sends a single RST_STREAM frame. Instead, it sends carefully crafted frames that violate protocol expectations in subtle ways. The server, upon processing these frames, detects an invalid internal state and reacts by resetting the stream or the entire connection, essentially performing the attack on itself."
Multiple vendors, including Apache, Fastly, and Mozilla, have issued patches or mitigations for the flaw, according to Carnegie Mellon.
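The description above has a direct consequence for defenders: because the client never sends RST_STREAM, a Rapid Reset mitigation that only counts client-sent RST_STREAM frames sees nothing, while a budget that counts every stream reset, whichever side performed it, still trips. The sketch below is an added example, not code from Imperva or any of the vendors named here; the event labels and the trace are constructed for illustration.

```python
from collections import deque

# Event kinds for one HTTP/2 connection (labels constructed for this example):
#   "client_rst"   the client sent RST_STREAM itself (classic Rapid Reset)
#   "server_reset" the server reset the stream after a client frame left it in
#                  an invalid state (the MadeYouReset pattern described above)
#   "data"         ordinary stream traffic, never counted

class ResetBudget:
    """Sliding-window cap on stream resets for a single connection.

    count_server_resets=False models a mitigation that only counts RST_STREAM
    frames received from the client; True also counts resets the server
    performed on itself, which is what the MadeYouReset variant requires."""

    def __init__(self, max_resets, window_seconds, count_server_resets=True):
        self.max_resets = max_resets
        self.window = window_seconds
        self.count_server_resets = count_server_resets
        self._resets = deque()  # timestamps of counted resets

    def observe(self, ts, kind):
        """Record one event; return True when the connection should be closed."""
        if kind == "client_rst" or (kind == "server_reset" and self.count_server_resets):
            self._resets.append(ts)
        # Age out resets that fell outside the sliding window.
        while self._resets and ts - self._resets[0] > self.window:
            self._resets.popleft()
        return len(self._resets) > self.max_resets

def first_trip(events, count_server_resets, max_resets=50, window_seconds=1.0):
    """Timestamp at which the budget trips for a (ts, stream_id, kind) trace, else None."""
    budget = ResetBudget(max_resets, window_seconds, count_server_resets)
    for ts, _stream_id, kind in events:
        if budget.observe(ts, kind):
            return ts
    return None

def madeyoureset_like_trace(n=200):
    """Constructed trace: 200 streams in one second, the client never sends
    RST_STREAM, yet every stream ends in a server-side reset."""
    return [(i / n, 2 * i + 1, "server_reset") for i in range(n)]

if __name__ == "__main__":
    trace = madeyoureset_like_trace()
    print("client-RST-only budget trips at:", first_trip(trace, False))  # None
    print("origin-agnostic budget trips at:", first_trip(trace, True))   # 0.25
```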
North Korea's Kimsuky APT reportedly sustains breach.
Two hackers, going by "Saber" and "cyb0rg," have leaked 8.9 GB of backend data allegedly stolen from the North Korean state-sponsored APT Kimsuky, BleepingComputer reports. The hackers published their findings in the latest issue of the Phrack e-zine, which was distributed at DEF CON last week. The hackers claim the dump contains "many of Kimsuky's backdoors and their tools as well as the internal documentation." BleepingComputer notes that the data could also "provide insight into unknown campaigns and undocumented compromises."
Threat actors exploit Erlang flaw to target OT networks.
Palo Alto Networks' Unit 42 is tracking exploitation of CVE-2025-32433, a maximum-severity remote code execution flaw affecting Erlang/OTP that was patched in April. Unit 42 detected exploitation beginning on May 1st. Notably, a majority (70%) of the exploit attempts targeted firewalls protecting OT networks, with a disproportionate focus on organizations in the healthcare, agriculture, media and entertainment, and high technology sectors.
Unit 42 notes, "The geographic, industrial, and temporal footprint of CVE-2025-32433 exploit attempts highlights a strategic shift in attacker behavior toward operational environments across diverse sectors and regions. Exploits are not limited to traditionally defined industrial control systems. They appear in healthcare, education, high tech and other verticals — many of which host embedded OT systems not previously treated as high risk."
Patch Tuesday notes.
Microsoft on Tuesday patched 107 flaws, including one publicly disclosed zero-day (CVE-2025-53779) affecting Windows Kerberos, KrebsOnSecurity reports. Thirteen of the vulnerabilities are rated as "critical," with the most severe being a remote code execution flaw (CVE-2025-53766) in the Windows GDI+ component.
Intel, AMD, and Nvidia have issued fixes for dozens of flaws, including high-severity vulnerabilities in Intel's Xeon processors, SecurityWeek reports.
Adobe patched more than sixty vulnerabilities across thirteen products, including Commerce, Photoshop, InDesign, FrameMaker, and Substance 3D tools.
SecurityWeek also has a roundup of patches from ICS vendors. Notably, Siemens issued a patch for a critical vulnerability (CVE-2025-40746) affecting Simatic RTLS Locating Manager that could "allow an authenticated remote attacker with high privileges in the application to execute arbitrary code with 'NT Authority/SYSTEM' privileges."
Finally, Fortinet and Ivanti have both issued important patches for a variety of products. One of the Fortinet vulnerabilities—a FortiSIEM flaw (CVE-2025-25256) that can allow an unauthenticated attacker to execute unauthorized code—was assigned a CVSS score of 9.8. Fortinet warns that "[p]ractical exploit code for this vulnerability was found in the wild."
Norwegian dam sabotage blamed on pro-Russian hackers.
The Norwegian Police Security Service (PST) has attributed an April cyberattack on a dam to pro-Russian hackers, the Associated Press reports. The hackers took control of the Bremanger dam's control systems and opened its floodgate, releasing more than seven million gallons of water before the incident was detected and remediated four hours later. The river was far below flood levels, so no damage was caused.
In a speech on Wednesday, PST director Beate Gangås said the incident appeared to be a display of the hackers' capabilities rather than an attempt to cause real damage. "They don’t necessarily aim to cause destruction, but to show what they are capable of," Gangås said. "The purpose of these kinds of actions is to exert influence and create fear or unrest in the population."