Security updates

April 2025 security update: Geopolitics and exploited vulnerabilities fill headlines

Today's threat landscape

Emerging technology and government action take center stage 

Escalating threats and evolving challenges continue to characterize Europe's cyber security landscape, with particular emphasis on AI. Europol has raised alarms about criminal networks leveraging artificial intelligence on behalf of state actors such as Russia and China to execute intricate cyberattacks targeting governments and critical infrastructure. In response to these developments, the European Commission plans to strengthen security measures and double Europol's staff funding to address the growing threats posed by AI-enhanced organized crime. 

Another significant development is mounting government pressure on encryption itself. Governments and law enforcement agencies in countries including the UK, France, and Sweden have proposed measures such as backdoors and client-side scanning which, whatever their intent, could inadvertently weaken encryption standards. Some of these initiatives go as far as potential bans on encrypted services, raising concerns among privacy advocates about compromised user safety.

Certifications and directives are also top of mind. The European Union is advancing its cyber security certification frameworks, such as the European Cybersecurity Certification Scheme for Cloud Services (EUCS), to encourage cloud providers to strengthen their cyber security policies, and Sweden is introducing a new cyber security strategy for 2025–2029 in response to the EU's NIS2 Directive.

Top 3 vulnerabilities

An easy-to-exploit Apache Tomcat flaw comes with conditions 

Cybercriminals exploited a recent security flaw in Apache Tomcat, a popular open-source web server, just 30 hours after its public disclosure. This flaw could allow a malicious user to view security-sensitive files or inject arbitrary content into those files by means of a PUT request. It could even allow them to achieve remote code execution.  

This vulnerability, identified as CVE-2025-24813, is present in several versions of Apache Tomcat: 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0-M1 to 9.0.98. Exploitation requires a specific combination of server settings, some of which are enabled by default; the complete list of conditions is available in the official Apache advisory.

The vulnerability has been resolved in Tomcat versions 9.0.99, 10.1.35, and 11.0.3. As the vulnerability is easy to exploit and requires no authentication, Tomcat instances should be updated as soon as possible.
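The first thing a practitioner wants after reading the paragraph above is a reliable answer to "is my instance in the affected range?", which is harder than it looks because Tomcat milestone versions such as 10.1.0-M1 sort before the final 10.1.0. The script below is an added example, not code from this newsletter or from the Apache project: it encodes the affected and fixed versions exactly as stated above, parses version strings with -M milestones so the range check is correct, and scans common-log-format access log lines for PUT requests the server actually accepted. The log regex, the sample log lines (constructed for the demo) and the remark that a refused PUT usually receives a 403 or 405 are this example's own assumptions.

```python
import re

# Affected ranges (inclusive) and the fixed release for each branch, exactly as
# stated in the text above. Versions outside these ranges (including end-of-life
# branches the text does not mention) are reported as not affected.
AFFECTED = {
    9: ("9.0.0-M1", "9.0.98", "9.0.99"),
    10: ("10.1.0-M1", "10.1.34", "10.1.35"),
    11: ("11.0.0-M1", "11.0.2", "11.0.3"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(version):
    """Turn a Tomcat version such as '10.1.0-M1' into a sortable tuple.

    A milestone (-Mn) precedes the final release with the same number, so it
    sorts as (major, minor, patch, 0, n) while a final release sorts as
    (major, minor, patch, 1, 0).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """Return (affected, fixed_version) for CVE-2025-24813.

    fixed_version is None when the version is outside every listed range.
    """
    parsed = parse_version(version)
    branch = AFFECTED.get(parsed[0])
    if branch is None:
        return False, None
    low, high, fixed = branch
    if parse_version(low) <= parsed <= parse_version(high):
        return True, fixed
    return False, None


# Tomcat's default access log is in common log format; this regex is the
# example's own, and the log lines below are constructed for the demo.
_ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2025:08:14:02 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [12/Mar/2025:08:14:05 +0000] "PUT /docs/notes.txt HTTP/1.1" 201 0
198.51.100.4 - - [12/Mar/2025:08:15:11 +0000] "PUT /docs/notes.txt HTTP/1.1" 405 0
198.51.100.4 - - [12/Mar/2025:08:15:12 +0000] "POST /login HTTP/1.1" 302 0
"""


def find_put_requests(log_text):
    """Return every PUT request in an access log as (client, path, status)."""
    hits = []
    for line in log_text.splitlines():
        m = _ACCESS_RE.match(line)
        if m and m.group("method") == "PUT":
            hits.append((m.group("client"), m.group("path"), int(m.group("status"))))
    return hits


def accepted_writes(log_text):
    """PUT requests answered with 2xx, i.e. writes the server actually took.

    A PUT that the default servlet refuses (writes disabled) typically gets a
    403 or 405 instead; a 2xx on a server that should never accept uploads is
    the signal to investigate together with the version check above.
    """
    return [(c, p) for c, p, s in find_put_requests(log_text) if 200 <= s < 300]


if __name__ == "__main__":
    for v in ("9.0.98", "9.0.99", "10.1.0-M1", "11.0.3"):
        print(v, is_affected(v))
    print(accepted_writes(SAMPLE_ACCESS_LOG))
```

Run it against the version reported by your own instance (for example the `Server version` line from Tomcat's `version.sh`) and against the real access log; an accepted write on an affected version is the combination that warrants incident triage rather than just a patch ticket.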

Apple releases a critical patch after zero-day exploitation 

Apple released a security update to address a critical vulnerability in its WebKit web browser engine, which was exploited in highly sophisticated targeted attacks. Apple has not disclosed details about the actors, their objectives, or the duration of the attacks. However, the company has confirmed that the flaw was exploited against devices running iOS versions earlier than 17.2.

The vulnerability, identified as CVE-2025-24201, is an out-of-bounds write issue. It allows an attacker to craft malicious web content that breaks out of the Web Content sandbox, the protective barrier designed to contain threats delivered through web pages. Apple addressed the flaw with improved checks to prevent further unauthorized actions; the fix is available in iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1 for macOS Ventura and macOS Sonoma, and visionOS 2.3.2.

Cybercriminals strike by exploiting seven Microsoft zero-days  

Microsoft has recently rolled out security updates to address a total of 57 vulnerabilities in its software, six of which are actively exploited zero-day flaws and one of which was publicly disclosed. A few of the actively exploited zero-days are Windows NTFS bugs, and most of the flaws carry CVSS scores of 7.0 or higher.

The six actively exploited vulnerabilities are as follows: 

  • CVE-2025-24983 (CVSS score: 7.0): a use-after-free vulnerability in the Windows Win32 Kernel Subsystem that allows privilege elevation locally.  
  • CVE-2025-24984 (CVSS score: 4.6): an information disclosure vulnerability in Windows NTFS that allows an attacker with physical access to a device to potentially read portions of memory by plugging in a malicious USB drive. 
  • CVE-2025-24985 (CVSS score: 7.8): an integer overflow vulnerability in the Windows Fast FAT File System Driver that allows an unauthorized attacker to execute code locally.  
  • CVE-2025-24991 (CVSS score: 5.5): an out-of-bounds read vulnerability in Windows NTFS that allows an authorized attacker to disclose information locally.  
  • CVE-2025-24993 (CVSS score: 7.8): a heap-based buffer overflow vulnerability in Windows NTFS that allows an unauthorized attacker to execute code locally.  
  • CVE-2025-26633 (CVSS score: 7.0): an improper neutralization vulnerability in the Microsoft Management Console that allows an unauthorized attacker to bypass a security feature locally. 

The publicly disclosed zero-day is: 

  • CVE-2025-26630 (CVSS score: 7.8): a remote code execution vulnerability in Microsoft Access caused by a use-after-free bug, triggered when a user is tricked into opening a specially crafted Access file.

Attacks

Cyberattacks escalate across sectors in Europe 

A wave of cyberattacks has swept across Europe, targeting critical infrastructure, businesses, and governmental organizations, underscoring the increasing sophistication and scale of cyber threats. In fact, investigations by Swedish public broadcaster SVT and other European media outlets have identified over 60 politically driven hybrid cyberattacks seeking to destabilize countries such as Sweden, France, Germany, and Poland. 

Sweden 
Flightradar24, a globally popular flight tracking service, suffered a prolonged Distributed Denial of Service (DDoS) attack that lasted over 14 hours, disrupting access to real-time flight tracking data. The Swedish Tax Agency also faced multiple DDoS attacks disrupting digital declarations on opening day. Meanwhile, Sportadmin, a widely used application for sports clubs, was breached by a cybercriminal group that stole and leaked sensitive personal data, including minors' details. Lock giant Assa Abloy was also subjected to a data breach, with a hacker group now threatening to leak stolen information online.  

France 
The Department of Côte-d'Or was hit by a massive cyberattack, likely linked to Russian actors, causing major website and communication disruptions. The attack is one of many targeting European administrations, reflecting rising geopolitical tensions.  

Germany 
The city of Schwerte and its public utility company, Stadtwerke Schwerte GmbH, were targeted in an attack that impaired internal IT systems and customer service functions. Thankfully, essential utilities remained operational.  

Poland
An attack on the MSWiA hospital in Krakow disrupted its electronic medical records system, forcing it to revert to paper-based operations while incoming patients were redirected to other facilities. Meanwhile, the Polish Space Agency (POLSA) detected unauthorized access to its IT infrastructure, prompting security measures and an investigation into potential foreign involvement. Poland has repeatedly accused Russia of cyber activities aimed at destabilization, though Moscow denies these claims.

With no end in sight to cyberattacks like these, governments and businesses are reinforcing defenses while cyber security agencies emphasize proactive strategies to mitigate growing threats.