Cyber Security Weekly Briefing, 17-23 May

May 23, 2025

VMware issues urgent security patches to address new bugs

VMware released security patches to fix two sets of flaws that expose its software to data leaks, command execution and denial-of-service (DoS) attacks, with no workarounds available. The most urgent advisory, VMSA-2025-0009, credits NATO with reporting three flaws in VMware Cloud Foundation.

CVE-2025-41229 (CVSSv3 8.2) is a directory access issue whereby an attacker with network access to port 443 could reach certain internal services. The advisory also covers an information disclosure flaw tracked as CVE-2025-41230 (CVSSv3 7.5) and a missing authorization bug tracked as CVE-2025-41231 (CVSSv3 7.3). Customers are urged to upgrade to VMware Cloud Foundation version 5.2.1.2.

Also released was bulletin VMSA-2025-0010, documenting four flaws in ESXi, vCenter Server, Workstation and Fusion, the most notable being CVE-2025-41225 (CVSSv3 8.8), an authenticated command execution flaw in vCenter.


Hazy Hawk hijacks government and corporate subdomains via abandoned CNAMEs

Hazy Hawk has been detected exploiting forgotten DNS CNAME records that point to abandoned cloud services. According to Infoblox, the attackers locate subdomains with this configuration and register the cloud resources the records point to, so that the subdomains resolve to infrastructure under their control.

Affected entities include high-profile organizations such as CDC, UNICEF, NYU and the California government, and companies such as Honeywell, Deloitte and Unilever. Once hijacked, the subdomains are used to host fake applications and phishing campaigns or to redirect users to scam pages. These URLs rank favorably in search engines thanks to the high reputation of the original domain, which helps the malicious content spread.

Attackers also use traffic distribution systems (TDS) to profile visitors based on their location, device and VPN usage before deciding what to serve them.
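The defensive check that follows from this story is an inventory of your own CNAME records whose targets no longer resolve. The script below is an added example, not Infoblox's tooling or anything from the original briefing; the zone records and the set of resolvable targets are constructed so it runs offline, and `live_resolver` is the hypothetical drop-in for a real run.

```python
import socket
from typing import Callable, List, Tuple

# Constructed sample zone export: (subdomain, CNAME target). None of these are real records.
SAMPLE_CNAMES: List[Tuple[str, str]] = [
    ("docs.example.org", "example-docs.appservice.example"),
    ("legacy.example.org", "old-bucket.storage.example"),
    ("www.example.org", "www.example.org.cdn.example"),
]

# Constructed stand-in for "what currently resolves", so the example needs no network.
RESOLVABLE = {"example-docs.appservice.example", "www.example.org.cdn.example"}


def stub_resolver(name: str) -> bool:
    """Offline resolver used by the example; replace with live_resolver for a real audit."""
    return name in RESOLVABLE


def live_resolver(name: str) -> bool:
    """Real check: does the CNAME target resolve at all? An NXDOMAIN answer usually
    means the cloud resource behind it has been deprovisioned and the name is claimable."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(records: List[Tuple[str, str]],
                  resolves: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Return the (subdomain, target) pairs whose target no longer resolves.
    Each hit is a record to delete (or a resource to re-claim yourself) before
    someone else registers the target name."""
    return [(sub, tgt) for sub, tgt in records if not resolves(tgt)]


if __name__ == "__main__":
    for sub, tgt in find_dangling(SAMPLE_CNAMES, stub_resolver):
        print(f"DANGLING: {sub} -> {tgt}")
```

A non-resolving target is the strongest signal but not the only one: some providers keep answering for unclaimed resource names, so a complete audit also checks, per provider, whether the resource named by the target is still owned by your account. Run the check on every zone export, not just the apex, since the abandoned records in this campaign were on subdomains nobody was watching.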


Supply chain attack: RVTools distributes Bumblebee malware

ZeroDay Labs detected that the RVTools installer had been compromised to distribute the Bumblebee malware. The malicious package included a DLL loaded from the same directory as the installer, behavior that Microsoft Defender flagged as suspicious.

The Bumblebee malware is known to facilitate initial access to compromised systems, allowing the execution of additional payloads and facilitating ransomware attacks. Upon detection, the RVTools website was temporarily taken offline and subsequently restored with a clean version of the installer.

Users are advised to verify the installer's integrity by checking its hash against the published value, and to confirm that no version.dll has been executed from user directories.
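The two checks recommended above can be scripted. The following is an added example, not code from ZeroDay Labs, Microsoft or the RVTools project: it hashes an installer with SHA-256, compares it in constant time against the vendor-published value (here the well-known SHA-256 of the bytes `abc`, standing in for a real published hash), and lists DLLs sitting beside the installer that match the sideload pattern described in the story. The sample directory is constructed in a temp folder so the script runs anywhere.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Placeholder for the vendor's published hash: this is SHA-256("abc"), used only so the
# constructed sample below verifies. A real check uses the hash from the vendor's site.
PUBLISHED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# DLL names worth flagging when they sit next to an installer; version.dll is the one
# named in the RVTools report.
SIDELOAD_NAMES = ("version.dll",)


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path: Path, expected_sha256: str) -> bool:
    """Constant-time comparison against the published hash."""
    return hmac.compare_digest(sha256_of(path), expected_sha256.lower())


def sideload_candidates(installer: Path, names: Iterable[str] = SIDELOAD_NAMES) -> List[Path]:
    """DLLs in the installer's own directory that Windows would load before the
    system copy: the classic search-order sideloading layout."""
    return [installer.parent / n for n in names if (installer.parent / n).exists()]


def under_user_profile(path: Path) -> bool:
    """True if the path lives under the current user's home (Downloads, Desktop, ...)."""
    try:
        path.resolve().relative_to(Path.home().resolve())
        return True
    except ValueError:
        return False


def check(installer: Path, expected_sha256: str) -> Dict[str, object]:
    """Bundle the three signals a responder would want for one downloaded installer."""
    return {
        "hash_ok": verify_installer(installer, expected_sha256),
        "sideload_dlls": [p.name for p in sideload_candidates(installer)],
        "in_user_profile": under_user_profile(installer),
    }


def build_sample_dir() -> Path:
    """Constructed fixture: a fake installer plus a fake version.dll beside it."""
    d = Path(tempfile.mkdtemp(prefix="rvtools-check-"))
    (d / "RVTools-installer.exe").write_bytes(b"abc")  # constructed, hashes to PUBLISHED_SHA256
    (d / "version.dll").write_bytes(b"not a real dll")  # constructed sideload candidate
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    print(check(sample / "RVTools-installer.exe", PUBLISHED_SHA256))
```

A matching hash only proves the file is the one the vendor published today; in this incident the vendor's own download was swapped, so the hash to compare against must come from a source you trust independently of the download page (for example a hash captured before the incident window, or the vendor's restored post-cleanup value). A `version.dll` beside any installer under a user profile is worth a Defender timeline review regardless of the hash result.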


Bug fixed in Auth0-PHP SDK that allowed session hijacking

A bug was detected affecting versions 8.0.0-BETA1 and later of the Auth0-PHP SDK when it is configured with CookieStore for session storage. The flaw lies in the cryptographic implementation used to secure session cookies.

When CookieStore is used to manage sessions, the authentication tags generated for cookies can be systematically brute-forced. This allows valid-looking authentication credentials to be forged, bypassing the intended authentication mechanism and granting access to protected resources and user accounts without legitimate credentials.

Once session cookies are forged, attackers can impersonate legitimate users and act with their privileges. The flaw was patched in version 8.14.0; Okta, Auth0's parent company, recommends updating as soon as possible and adopting additional security measures.
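The property at stake here is that a session cookie's authentication tag must be long enough that guessing is infeasible and must be compared in constant time. The briefing does not say what the SDK's implementation got wrong, so the example below is an added, generic illustration rather than the Auth0-PHP code or its fix: it seals a session payload with a full-length HMAC-SHA256 tag, verifies it with `hmac.compare_digest`, and gives the expected number of guesses for a tag of a given bit length so the cost of truncation is visible in numbers. The key and payload are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

TAG_BYTES = 32  # full HMAC-SHA256 output; a truncated tag shrinks the search space


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(payload: dict, key: bytes) -> str:
    """Produce body.tag where tag = HMAC-SHA256(key, body) at full length."""
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()[:TAG_BYTES]
    return f"{body}.{_b64(tag)}"


def open_cookie(cookie: str, key: bytes) -> Optional[dict]:
    """Return the payload only if the tag verifies; None for malformed or forged input.
    The comparison is constant-time so tag bytes cannot be recovered one at a time."""
    try:
        body, tag_b64 = cookie.split(".", 1)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()[:TAG_BYTES]
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(_unb64(body))


def expected_forgery_attempts(tag_bits: int) -> int:
    """Average guesses to hit one valid tag by brute force when the verifier gives
    no signal beyond accept/reject: 2^(bits-1). At 32 bits that is ~2 billion, which
    an online attacker can reach; at 256 bits it is out of reach."""
    return 2 ** (tag_bits - 1)


if __name__ == "__main__":
    key = b"\x11" * 32  # constructed demo key; use a random 32-byte secret in practice
    c = seal({"sub": "user-123", "exp": 1748000000}, key)
    print(c)
    print(open_cookie(c, key))
    for bits in (32, 64, 128, 256):
        print(bits, expected_forgery_attempts(bits))
```

This only authenticates the cookie; if the payload must also be confidential, an AEAD such as AES-GCM or ChaCha20-Poly1305 covers both with a single 128-bit tag. Rate-limiting cookie verification failures and rotating the signing key on upgrade are the operational complements to the library fix the story describes.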


Europol and Microsoft dismantle Lumma, the world's largest infostealer

Europol and Microsoft have dismantled Lumma Stealer, an information-stealing malware that infected more than 394,000 Windows computers between March and May 2025. Developed in Russia, Lumma stole credentials, banking data and cryptocurrencies, and was widely used by groups such as Scattered Spider.

The joint operation disabled more than 2,300 malicious domains and took control of the malware's command-and-control infrastructure. The U.S. Department of Justice and Japan's Cybercrime Control Center also took part. Lumma was distributed through phishing campaigns and platforms such as Telegram, and was noted for its ease of use and its ability to evade defenses.

Although its infrastructure has been dismantled, experts warn that infostealers remain a persistent threat in today's landscape.
