
Get to patching: Patch Tuesday updates.
A busy Patch Tuesday. Investigators discover undocumented communications devices inside Chinese-made power inverters. A newly discovered Branch Privilege Injection flaw affects Intel CPUs. A UK retailer may claim up to £100mn from its cyber insurers after a major cyberattack. A Kosovo national has been extradited to the U.S. for allegedly running an illegal online marketplace. CISA will continue alerts on its website following industry backlash. Our guest is Neil Hare-Brown, CEO at STORM Guidance, discussing Cyber Incident Response (CIR) retainer service provision. Shoring up the future of the CVE program.
Today is Wednesday May 14th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A busy Patch Tuesday.
Yesterday marked May’s Patch Tuesday, and Microsoft took center stage by addressing 78 vulnerabilities, including five zero-days actively exploited in the wild. These flaws span Windows, Office, Azure, and Microsoft Defender. Notably, one of the zero-days carries a perfect CVSS score of 10, impacting Azure DevOps Server. Additionally, six vulnerabilities are rated as “Critical,” with five being remote code execution flaws and one an information disclosure bug.
SAP has released patches for a second zero-day vulnerability (CVE-2025-42999) in its NetWeaver servers. This flaw was discovered during investigations into previous zero-day attacks involving another vulnerability (CVE-2025-31324) fixed in April. Both vulnerabilities have been exploited in the wild, emphasizing the need for immediate patching.
Ivanti has patched two vulnerabilities in its Endpoint Manager Mobile (EPMM) software—CVE-2025-4427 and CVE-2025-4428—that attackers have chained together to achieve unauthenticated remote code execution. The first is an authentication bypass, and the second allows arbitrary code execution via crafted API requests. Ivanti urges customers to update to the latest versions to mitigate these threats.
Fortinet has addressed a critical remote code execution vulnerability (CVE-2025-32756) in its FortiVoice enterprise phone systems. This stack-based overflow flaw has been actively exploited, allowing unauthenticated attackers to execute arbitrary code through malicious HTTP requests. The vulnerability also affects FortiMail, FortiNDR, FortiRecorder, and FortiCamera.
Juniper Networks, VMware, and Zoom have released patches for numerous vulnerabilities across their products. Juniper addressed nearly 90 bugs in its Secure Analytics platform, some dating back several years. VMware fixed a high-severity XSS flaw in its Aria automation appliance and a medium-severity issue in VMware Tools. Zoom resolved nine security defects in its Workplace Apps, including a high-severity privilege escalation vulnerability (CVE-2025-30663).
Industrial control system giants Siemens, Schneider Electric, and Phoenix Contact have issued security advisories addressing vulnerabilities in their products. While most flaws have been patched, some only have mitigations or workarounds available. These advisories are crucial for organizations relying on ICS infrastructure.
Adobe’s Patch Tuesday rollout includes fixes for at least 39 vulnerabilities across various products. A significant update addresses seven critical flaws in Adobe ColdFusion, which could lead to arbitrary file system reads, code execution, and privilege escalation. These vulnerabilities carry a CVSS score of 9.1 out of 10, highlighting their severity.
This month’s Patch Tuesday highlights the importance of timely updates across a broad spectrum of software and hardware. Organizations are urged to prioritize patching these vulnerabilities to safeguard against active threats.
Investigators discover undocumented communications devices inside Chinese-made power inverters.
U.S. energy officials are investigating Chinese-made inverters and batteries after discovering undocumented communication devices inside them, Reuters reports. These components—used widely in solar panels, batteries, and EV chargers—could bypass firewalls and pose risks to the power grid. Experts warn they could enable remote disruptions or even destruction of infrastructure. While such devices are built for remote maintenance, some found had hidden capabilities not listed in manuals. The U.S. Department of Energy is working to tighten transparency and supply chain security. As tensions with China grow, utilities and lawmakers are pushing to limit reliance on Chinese technology in critical infrastructure. Some nations, like Lithuania and Estonia, are already taking steps to ban or restrict Chinese inverters to protect energy systems from foreign control.
A newly discovered Branch Privilege Injection flaw affects Intel CPUs.
A newly discovered Branch Privilege Injection flaw affects all Intel CPUs from the 9th generation onward. Researchers at ETH Zurich found that speculative execution in Intel’s branch predictors can leak sensitive kernel data to user-level attackers by exploiting race conditions during privilege switches. Their exploit bypasses Spectre v2 mitigations and successfully reads protected data like hashed passwords. Non-Intel CPUs tested, including AMD and ARM, were not vulnerable. Intel CPUs before 9th gen may still be at risk from older Spectre variants.
A UK retailer may claim up to £100mn from its cyber insurers after a major cyberattack.
UK retailer Marks & Spencer may claim up to £100mn from its cyber insurers after a major cyberattack compromised some customer data and disrupted operations for nearly three weeks, the Financial Times reports. Allianz is expected to cover at least the first £10mn, with Beazley also potentially liable. While M&S confirmed that no payment details or passwords were exposed, personal data like contact info and order history may have been. The attack halted online sales and caused supply issues in food stores, with estimated losses exceeding £60mn. Since disclosing the breach on April 22, M&S shares have dropped 16%, wiping £1.3bn off its market value. The company’s policy, arranged by WTW, is expected to cover both direct and third-party losses. Experts warn premiums could rise if M&S fails to show stronger risk management in future renewals.
A Kosovo national has been extradited to the U.S. for allegedly running an illegal online marketplace.
Liridon Masurica, a 33-year-old Kosovo national, has been extradited to the U.S. for allegedly running BlackDB.cc, an illegal online marketplace selling stolen account data and personal information. Known online as ‘blackdb,’ Masurica is accused of enabling fraud schemes including tax fraud and identity theft. Arrested in December, he appeared in a Tampa court and remains in custody. Kosovo authorities seized digital devices and cryptocurrency during the arrest. If convicted, Masurica faces up to 55 years in prison.
CISA will continue alerts on its website following industry backlash.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reversed its decision to scale back cybersecurity alerts on its website, following backlash and confusion from the cyber community. Initially, CISA announced it would prioritize social media, particularly X (formerly Twitter), for updates, claiming it would “enhance user experience.” Critics argued this shift could limit access to critical information, including threat alerts and vulnerability disclosures. CISA’s website has long been a trusted source for urgent cyber threat guidance, especially as the agency faces budget cuts and staffing shortages. The move raised concerns about transparency and reliance on private platforms for public safety information. Under scrutiny from Congress and amid potential $500 million budget reductions, CISA has paused changes to reassess how best to communicate with stakeholders, while maintaining its commitment to .gov platforms for verified alerts.
Next, we’ve got our Industry Voices segment. We are joined by STORM Guidance’s CEO Neil Hare-Brown to discuss Cyber Incident Response (CIR) retainer service provision. We’ll be right back.
Welcome back. You can find a link for more information in our show notes.
Shoring up the future of the CVE program.
In late March, MITRE marked the 25th anniversary of the CVE program — the cornerstone of global vulnerability tracking and every security pro’s favorite database to grumble about while secretly relying on it daily. For a brief, jittery moment in April, it looked like this quarter-century run might come to an abrupt, awkward end. The reason? A leaked memo revealed that the Cybersecurity and Infrastructure Security Agency (CISA) had not renewed MITRE’s funding contract. The memo gave everyone a very specific countdown: about 36 hours until the lights went out.
Cue the cyber community’s version of a group gasp. Analysts, vendors, and researchers — all highly trained to manage risk — suddenly found themselves in a digital doomsday scenario. “It was the 11th hour, 59th minute,” said one expert. “It gave a doomsday feel.” Then, just 17 hours later, CISA reversed course and issued an 11-month contract extension. Crisis averted. Sort of.
The near-miss did more than rattle nerves; it kicked off a rapid rethink of who should control, fund, and future-proof one of the internet’s most essential public services. Enter a cast of new players: Europe beta-launched its own EU Vulnerability Database (EUVD), Luxembourg’s CIRCL debuted the Global CVE Allocation System (GCVE), and several CVE board members introduced plans for a new CVE Foundation — a privately funded alternative aimed at global resilience and governance beyond a single U.S. agency.
That last move stirred controversy. Former CISA Director Jen Easterly publicly criticized CVE Foundation board members for secretly building a rival while still overseeing the current program, calling it a conflict of interest. Meanwhile, supporters argue that relying on a single funder — especially one with a volatile budget and shifting political winds — is just bad business. “You want resiliency,” said one expert, “not a cliffhanger every fiscal year.”
As for MITRE, they’re staying the course, grateful for the “overwhelming support” and committed to keeping CVE running smoothly, contract drama notwithstanding. Still, the takeaway was clear: the CVE program may be a public good, but it’s not immune to bureaucratic entropy. Whether it evolves into a broader, more distributed model or continues under its current stewardship, one thing is certain — no one wants to live in a world without it.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.