Today’s threat landscape
Data breaches and social engineering persist
April brought a wave of notable cyber security developments, reflecting the increasing sophistication of attacks and a shifting policy landscape in both corporate and regulatory environments. Among the most high-profile incidents was the data breach confirmed by Hertz, where the successful exploitation of zero-day vulnerabilities led to the exposure of sensitive customer data on the dark web.
Phishing tactics are also evolving, with Proofpoint reporting that 30% of attacks aim to bypass multi-factor authentication, while 25% now target platforms like Microsoft Teams and Dropbox. CERT-SE also warned of increasing phishing attacks against Swedish municipalities. Meanwhile, ransomware remains widespread, though fewer victims are paying. This suggests better preparedness, but shutdowns and financial losses persist.
Top 3 vulnerabilities
Critical Erlang/OTP SSH vulnerability demands immediate action
A critical vulnerability, CVE-2025-32433, has been identified in the Erlang/OTP SSH daemon, allowing unauthenticated remote code execution. Assigned a severity score of 10.0, the flaw is caused by improper handling of pre-authentication SSH protocol messages. Attackers can exploit it to execute commands with the same privileges as the SSH daemon — often root — leading to full system compromise.
All devices running an SSH server based on the Erlang/OTP SSH library are impacted. The flaw, discovered by researchers at Ruhr University Bochum, was found to be easily exploitable. Organizations must upgrade immediately to Erlang/OTP versions OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20. If upgrading isn't possible, restrict access to SSH to trusted IPs or disable the SSH daemon if not required. Immediate action is strongly advised.
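To turn the upgrade advice above into something an inventory script can apply, here is an added triage helper (not code from the advisory or from the Erlang/OTP project) that compares reported OTP version strings against the three fixed releases named above. The inventory below is constructed sample data; the version-string format ("OTP-27.3.3" or "27.3.3") is an assumption about how hosts report it.

```python
import re
from typing import Dict, Tuple

# Fixed releases named in the advisory for CVE-2025-32433, keyed by OTP line.
# Any version on these lines below the fixed one is treated as vulnerable.
FIXED_OTP_VERSIONS: Dict[int, Tuple[int, ...]] = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

# Accepts "OTP-26.2.5.10" or "26.2.5.10" (assumed reporting format).
_VERSION_RE = re.compile(r"^(?:OTP-)?(\d+(?:\.\d+)*)$")


def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Turn an OTP version string into a tuple that compares numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def assess_cve_2025_32433(version: str) -> str:
    """Classify one OTP version as 'patched', 'vulnerable' or 'unknown'."""
    v = parse_otp_version(version)
    line = v[0]
    if line in FIXED_OTP_VERSIONS:
        # Tuple comparison handles short strings: (26, 2, 5) < (26, 2, 5, 11).
        return "patched" if v >= FIXED_OTP_VERSIONS[line] else "vulnerable"
    if line < 25:
        # The advisory lists fixes only for 25/26/27; older lines must upgrade.
        return "vulnerable"
    # Newer lines are not covered by the advisory text; flag for manual review.
    return "unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return only the hosts that still need action (vulnerable or unknown)."""
    return {host: status
            for host, ver in inventory.items()
            if (status := assess_cve_2025_32433(ver)) != "patched"}


# Constructed sample inventory: hostname -> OTP version reported by the host.
SAMPLE_INVENTORY = {
    "mq-broker-01": "OTP-26.2.5.10",
    "mq-broker-02": "OTP-26.2.5.11",
    "cpe-mgmt-gw": "25.3.2.19",
    "build-runner": "27.3.3",
    "legacy-sshd": "24.3.4",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```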
Apple patches two actively exploited flaws
Apple has recently patched two vulnerabilities used in targeted attacks against individuals. The first, CVE-2025-31200 (CVSSv3 score of 7.5), is a memory corruption vulnerability in the Core Audio framework that could allow code execution when processing an audio stream in a maliciously crafted media file. The second, CVE-2025-31201 (CVSSv3 score of 6.8), is a vulnerability in the RPAC component that could be used by an attacker with arbitrary read and write capability to bypass Pointer Authentication, leading to arbitrary data access.
Fixes were issued in iOS / iPadOS / tvOS 18.4.1 and macOS Sequoia 15.4.1.
Command injection flaw exploited in SonicWall SMA appliances
A high-severity OS command injection flaw in the management interface of SonicWall SMA 100 Series devices allows authenticated attackers to execute code. Initially described in 2021 as a potential denial-of-service (DoS) issue, CVE-2021-20035 (CVSSv3 score of 7.2) has recently been reassessed as a remote code execution vulnerability. Although exploitation still requires authentication, factors such as poor password hygiene and well-known password-based attacks make this flaw extremely dangerous.
The CVE was added to CISA’s known exploited vulnerabilities (KEV) catalog. The flaw impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) devices. Users are urged to update:
- Versions 10.2.1.0-17sv and earlier to 10.2.1.1-19sv and higher
- Versions 10.2.0.7-34sv and earlier to 10.2.0.8-37sv and higher
- Versions 9.0.0.10-28sv and earlier to 9.0.0.11-31sv and higher
Industry news
A global projected increase in security spending
According to IDC, global security spending is projected to rise by 12.2% in 2025, driven by the increasing complexity of cyber threats fueled by AI and generative AI. The total spend is expected to reach $377 billion by 2028, with the United States and Western Europe expected to dominate spending. That said, regions like Latin America, Central & Eastern Europe, and the Middle East & Africa will see the fastest growth, particularly as industries like banking, government, and healthcare ramp up their defenses.
New European initiatives strive to boost resilience
The EU’s ProtectEU plan calls for law enforcement access to encrypted data, raising fears of backdoors. Meanwhile, Sweden’s Civil Contingencies Agency (MSB) has launched Cybersäkerhetskollen, a cyber security assessment program designed to measure organizations' cyber security practices and support their improvement efforts. The same agency is also developing a digital platform, set to launch by year’s end, that will allow municipalities, agencies, and companies to share and receive cyber threat warnings in real time. The project aims to bolster collective defense, particularly for smaller, resource-limited communities.
MITRE CVE funding and renewal
The MITRE CVE program, crucial for managing cyber security vulnerabilities, faced a funding challenge when its financial support was set to expire, raising concerns about disruptions to vulnerability tracking services. After urgent appeals, including CISA's backing, the funding was renewed with a temporary extension, ensuring the global vulnerability database remains operational for cyber security professionals. Updates on our support platform and the security feed in Security Center confirm that CVE services continue without interruption.
An updated PCI DSS 4.0.1 with industry input
PCI DSS 4.0.1 represents a significant shift in cyber security, designed with input from the industry to address evolving threats. This update introduces a risk-based approach, focusing on the unique needs of businesses handling payment card data. PCI DSS 4.0.1 is meant to promote flexibility, allowing organizations to tailor security measures to their risk profiles.