Cyber Security Weekly Briefing, 14-20 June

June 20, 2025

Five new bugs detected in libxml2 library

Cybersecurity researchers have detected five new bugs in libxml2. Three of them (CVE-2025-49794 and CVE-2025-49796, both CVSSv3 9.1; and CVE-2025-49795, CVSSv3 7.5) specifically affect the Schematron validation component, corresponding to use-after-free, type confusion and null pointer dereference flaws, respectively.

These flaws could crash applications that process malformed XML documents. The remaining two vulnerabilities were registered as CVE-2025-6021 (CVSSv3 7.5), an integer overflow in the xmlBuildQName function that could lead to buffer overflows, and CVE-2025-6170 (CVSSv3 2.5), a stack-based buffer overflow in the xmllint interactive shell that could allow execution of arbitrary code. The libxml2 maintainers are considering removing support for Schematron altogether due to the concentration of vulnerabilities in this component, so no security patches have been announced for the Schematron flaws for the time being, while a fix for CVE-2025-6021 is being released.

More info

Phishing operation links Russian government to theft of application-specific passwords

Since 2024, Citizen Lab has observed a social engineering operation linked to Russian actors targeting Kremlin critics and dissidents, employing highly personalized emails to extract application-specific passwords. The attackers send emails that appear to come from known contacts and include supposedly encrypted PDF files, directing victims to pre-filled fake pages to enter credentials and associated MFA tokens.

Two main groups have been identified: Coldriver, linked to the FSB, and Coldwastrel, which uses similar techniques. Victims include exiled politicians, journalists and NGOs, especially those with international connections or networks active on sensitive issues. The campaign is notable for its effectiveness and low technological profile: no advanced malware or exploits, relying instead on trust built through sophisticated social engineering.

More info

Personal data of the entire population of Paraguay for sale

A threat actor has offered for sale 7.4 million personal records of Paraguayan citizens on the dark web, corresponding to databases of state agencies. The data, which would affect the entire population of the country, includes names, gender, address, date of birth and identity card number, among others.

More info

Veeam Fixes Critical RCE in Backup & Replication and Additional Vulnerabilities

Veeam has released version 12.3.2 of Backup & Replication (and version 6.3.2 of the Windows agent), including patches for three important vulnerabilities. The most serious, CVE-2025-23121, allows remote code execution on the backup server by an authenticated user in the domain (CVSSv3 9.9).

Also fixed are CVE-2025-24286 (CVSSv3 7.2), a flaw that allows backup operators to modify jobs and execute arbitrary code, and CVE-2025-24287 (CVSSv3 6.1), which allows privileged local users to change the contents of folders to execute code with elevated rights.

Affected versions include Backup & Replication 12.3.1 and earlier, as well as Agent for Windows 6.3.1 or earlier. Veeam recommends urgently upgrading to 12.3.2 and 6.3.2 respectively to mitigate these risks.

More info

Analysis of Anubis, ransomware with built-in wiper

The group behind the Anubis ransomware-as-a-service (RaaS) has incorporated a wiper module into its malware, designed to permanently delete the contents of affected files, preventing their recovery even if the ransom is paid. As published by Trend Micro, this feature, enabled via the ‘/WIPEMODE’ parameter, deletes data while leaving file names and file structures intact.

Anubis was first detected in December 2024 and became more active in 2025, announcing an affiliate program on the RAMP forum in February. Its revenue-sharing model offers up to 80% of profits to affiliates, which could increase its attack volume. Anubis employs ECIES to encrypt files, which are then given the ‘.anubis’ extension, and drops HTML ransom notes. In addition, it unsuccessfully attempts to modify the wallpaper.

The malware also deletes shadow copies and stops services to maximize the damage. The campaign usually starts with phishing emails.

More info