
June 2025 security update: AI & big industry moves take on cybercrime

Today’s threat landscape 

Cybercriminals are increasingly favoring low-profile tactics such as credential theft over traditional ransomware, which is trending downward. IBM reports an 84% surge in phishing emails delivering infostealers in 2024 compared with the previous year, a clear pivot toward credential theft and identity attacks. AI-generated content and video have also taken on a larger role in the threat landscape lately.

We’ve seen this play out in a few ways. The ClickFix technique has been employed in malware campaigns distributed via TikTok videos, allowing malware to execute in memory, thereby evading detection. Moreover, AI-generated phishing emails and videos, together with deepfake technologies, are increasingly used to craft highly convincing social engineering attacks, making them more challenging to detect and counter.  

AI threat detection 

AI-driven threat detection, post-quantum encryption, and proactive defense strategies are now in focus. AI systems now autonomously identify and mitigate threats while offering human-readable insights. In fact, OpenAI's o3 language model identified a critical zero-day vulnerability (CVE-2025-37899) in the Linux kernel's SMB module, highlighting AI's potential in cyber security research. At the same time, efforts to establish ethical frameworks and technical standards for responsible AI deployment in cyber security, along with quantum-safe encryption, are gaining traction.

Top 3 vulnerabilities 

Critical Cisco bug can lead to full control of wireless controllers 

Cisco has patched a major security flaw, CVE-2025-20188 (CVSS score of 10.0), which affects Cisco’s IOS XE software running on several of its wireless controller products. If left unpatched, attackers could take full control of vulnerable devices remotely. 

However, this attack only works if a specific feature - Out-of-Band AP Image Download - is turned on. This feature is disabled by default, meaning only users who actively enabled it are at risk. That said, this does not mean you don’t need to update the software. 

The problem lies in a hard-coded authentication token, a JSON Web Token (JWT), embedded in the software. This token acts like a secret passkey: anyone who knows how to use it can send specially crafted web requests to the device.
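To make the flaw class concrete, here is an added example (not code from the newsletter and not Cisco's code) showing a minimal HS256 JWT verifier used two ways: with one signing secret compiled into every shipped software image, which is the CWE-798 pattern the advisory describes, and with a secret generated on each device at first boot. All names, claims and secrets are constructed for the illustration, and the snippet says nothing about how the Cisco product actually implements its token check.

```python
"""Hard-coded JWT signing secret beside a per-device secret (added illustration)."""
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Reverse of _b64url, restoring the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT for the given claims under the given key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, key: bytes):
    """Return the claims if the HS256 signature checks under key, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: a verifier that trusts the header's alg is a second bug.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_b64url_decode(payload_b64))


# Vulnerable pattern: the same signing key is compiled into every shipped image,
# so anyone who extracts it from one copy can mint admin tokens for every device.
BUILT_IN_KEY = b"constructed-example-key-present-in-every-image"


def vulnerable_is_admin(token: str) -> bool:
    claims = verify_token(token, BUILT_IN_KEY)
    return bool(claims) and claims.get("role") == "admin"


class DeviceAuth:
    """Hardened pattern: a signing key generated on the device itself."""

    def __init__(self):
        # Assumed to be generated at first boot and kept in protected device
        # storage; it is unique per device and never present in the image.
        self._key = secrets.token_bytes(32)

    def issue(self, claims: dict) -> str:
        return sign_token(claims, self._key)

    def is_admin(self, token: str) -> bool:
        claims = verify_token(token, self._key)
        return bool(claims) and claims.get("role") == "admin"


def demo() -> dict:
    """Contrast the two patterns with a token minted from the built-in key."""
    forged = sign_token({"sub": "anyone", "role": "admin"}, BUILT_IN_KEY)  # constructed
    device_a, device_b = DeviceAuth(), DeviceAuth()
    legit_a = device_a.issue({"sub": "operator", "role": "admin"})
    return {
        "forged_accepted_by_vulnerable": vulnerable_is_admin(forged),  # True
        "forged_accepted_by_hardened": device_a.is_admin(forged),      # False
        "own_token_accepted": device_a.is_admin(legit_a),              # True
        "token_reused_on_other_device": device_b.is_admin(legit_a),    # False
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that signature verification is not the weak link: the forged token is cryptographically valid under the built-in key, so only a secret that no image copy contains (and that differs per device) stops it. The same is why the advisory's short-term fix is to switch off the feature that honours the token rather than to filter requests.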

Devices affected include: 

  • Catalyst 9800-CL Wireless Controllers for Cloud 
  • Catalyst 9800 Embedded Wireless Controllers 
  • Catalyst 9800 Series Wireless Controllers 
  • Embedded Wireless Controllers on Catalyst Access Points 

Cisco recommends updating to the latest software immediately. For those who can’t update right away, simply disabling the vulnerable feature is an effective short-term fix. 

Microsoft patches 78 vulnerabilities - including five zero-days  

Microsoft rolled out multiple security updates last month, addressing 78 vulnerabilities. These included five zero-day flaws and a severe vulnerability in Azure DevOps Server (CVE-2025-29813), which earned a CVSS score of 10.0. Microsoft urges all users to apply the latest software updates immediately.  

The vulnerabilities include: 

  • CVE-2025-30397 (CVSS 7.5): a flaw in Microsoft’s scripting engine, which processes code in web browsers such as Internet Explorer, that may allow an attacker to gain full control of a system. 
  • CVE-2025-30400 (CVSS 7.8): a flaw in the Desktop Window Manager (DWM), which renders the Windows interface. If exploited, attackers can gain higher system privileges. 
  • CVE-2025-32709 (CVSS 7.8): a flaw in the Windows networking system (WinSock), the third such flaw exploited in a year, possibly tied to state-backed attackers. 
  • CVE-2025-32701 and CVE-2025-32706 (both CVSS 7.8): elevation of privilege bugs in the Common Log File System (CLFS). 

New VMware vulnerabilities put virtualization systems at risk 

VMware disclosed, and has patched, several critical security flaws affecting its flagship virtualization products, including ESXi and vCenter Server. The issue stems from how alarms and automated scripts are handled. If a user has the right permissions, they could abuse these features to execute commands, potentially leading to a full system compromise.  

The most serious flaw, tracked as CVE-2025-41225 (CVSS score of 8.8), allows attackers who are already logged in to vCenter Server to run their own commands. This could give them full control over critical systems used to manage virtual machines. 

Three other flaws were also addressed: 

  • CVE-2025-41226 (CVSS 6.8): A denial-of-service (DoS) issue in ESXi 
  • CVE-2025-41227 (CVSS 5.5): A denial-of-service (DoS) flaw in Workstation, Fusion, and ESXi 
  • CVE-2025-41228 (CVSS 4.3): A cross-site scripting (XSS) bug in the login pages of ESXi and vCenter Server 

All major VMware products are impacted, including ESXi 7.0/8.0, vCenter Server 7.0/8.0, Workstation 17.x, and Fusion 13.x. Patches are now available and should be applied immediately. No workarounds exist. 

Industry news 

A new database and security metric take center stage 

The security landscape in Europe has recently seen significant advancements with the launch of the European Vulnerability Database (EUVD) by the EU Agency for Cybersecurity (ENISA). This initiative, mandated by the NIS2 Directive, aims to enhance digital security across the EU by providing a centralized platform for aggregated, reliable, and actionable information on cyber security vulnerabilities affecting Information and Communication Technology (ICT) products and services. 

The EUVD serves as a critical tool for both public and private sector stakeholders to improve awareness and manage cyber security risks effectively. By consolidating vulnerability information from trusted sources, the database supports the implementation of the Cyber Resilience Act, ensuring that products with digital elements are protected from cyber threats.  

Concurrently, the U.S. National Institute of Standards and Technology (NIST), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), introduced a proposed metric called Likely Exploited Vulnerabilities (LEV). This metric is designed to estimate the probability of a given vulnerability being exploited in the wild and aims to enhance vulnerability remediation prioritization. 
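As an added example of what such a metric computes (this is not code from the newsletter, NIST or CISA), the block below implements the structure of the LEV formula proposed in NIST CSWP 41 as I understand it, which is an assumption to check against the paper: EPSS estimates the probability that a vulnerability is exploited within the next 30 days, so taking the EPSS score at the start of each 30-day window since the CVE first had a score and combining the windows gives the probability that exploitation has happened at least once by a chosen date. The CVE ids, dates and scores are constructed.

```python
"""A LEV-style cumulative exploitation probability from EPSS history (added illustration)."""
from datetime import date, timedelta

WINDOW_DAYS = 30  # an EPSS score is a probability of exploitation within 30 days

# Dates used by the demo below (constructed).
AS_OF = date(2025, 4, 30)          # fully covers the last sample window
MID_WINDOW = date(2025, 4, 15)     # cuts the last sample window in half
BEFORE_HISTORY = date(2024, 12, 31)


def window_dates(first_epss_date: date, count: int) -> list:
    """Start dates of successive 30-day windows, oldest first."""
    return [first_epss_date + timedelta(days=WINDOW_DAYS * i) for i in range(count)]


def lev(epss_history: list, as_of: date) -> float:
    """Probability that exploitation occurred at least once by as_of.

    epss_history: (window_start_date, epss_score) pairs, oldest first, one per
    30-day window. Windows starting after as_of are ignored, and a window that
    as_of cuts short contributes only the covered fraction of its score. The
    windows are treated as independent, so P(never exploited) is the product of
    the per-window complements.
    """
    p_not_exploited = 1.0
    for window_start, epss in epss_history:
        if window_start > as_of:
            break
        covered_days = min((as_of - window_start).days + 1, WINDOW_DAYS)
        p_not_exploited *= 1.0 - epss * (covered_days / WINDOW_DAYS)
    return 1.0 - p_not_exploited


# Constructed EPSS histories for two placeholder CVE ids (not real scores).
SAMPLE_HISTORIES = {
    "CVE-2025-EXAMPLE-1": list(zip(window_dates(date(2025, 1, 1), 4), [0.02, 0.05, 0.20, 0.60])),
    "CVE-2025-EXAMPLE-2": list(zip(window_dates(date(2025, 1, 1), 4), [0.01, 0.01, 0.02, 0.02])),
}


def lev_by_cve(as_of: date = AS_OF) -> dict:
    """LEV-style probability for every sample CVE on the given date."""
    return {cve: lev(history, as_of) for cve, history in SAMPLE_HISTORIES.items()}


def prioritize(as_of: date = AS_OF, threshold: float = 0.5) -> list:
    """CVE ids whose probability meets the threshold, highest first."""
    scored = lev_by_cve(as_of)
    return sorted((c for c, p in scored.items() if p >= threshold), key=lambda c: -scored[c])


if __name__ == "__main__":
    for cve, p in lev_by_cve().items():
        print(f"{cve}: LEV={p:.3f}")
    print("remediate first:", prioritize())
```

What the numbers show is the cumulative nature of the estimate: by the end of April the first sample CVE's probability of having been exploited is higher than any single EPSS score in its history, because each window adds its own chance, and a point-in-time score alone would understate it. That accumulation over time is what a prioritisation metric of this kind adds over reading the latest EPSS value.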

Retail sector and political targets under siege 

The retail industry has faced significant cyberattacks. Marks & Spencer (M&S) confirmed a ransomware incident attributed to the DragonForce group, disrupting online operations and potentially costing the company £300 million ($402 million) in the 2025/26 financial year. French luxury brand Dior also reported unauthorized access to its customer database, though no financial data was compromised.

Italy and Romania also took a hit. The website for the upcoming Italian citizenship referendum was crippled by 21 million access attempts in one day, highlighting vulnerabilities in electoral infrastructure. Moreover, Pro-Russian NoName057 hackers launched a DDoS attack against multiple Romanian government websites, but all sites were rapidly restored.