Critical vulnerabilities in Versa Concerto that are still unpatched could allow remote attackers to bypass authentication and execute arbitrary code on affected systems.
Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed.

Versa Concerto is the centralized management and orchestration platform for Versa Networks' SD-WAN and SASE (Secure Access Service Edge) solutions.
Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed.

Versa Concerto is the centralized management and orchestration platform for Versa Networks' SD-WAN and SASE (Secure Access Service Edge) solutions.

Twilio has denied in a statement for BleepingComputer that it was breached after a threat actor claimed to be holding over 89 million Steam user records with one-time access codes.

The threat actor, using the alias Machine1337 (also known as EnergyWeaponsUser), advertised a trove of data allegedly pulled from Steam, offering to sell it for $5,000.

When examining the leaked files, which contained 3,000 records, BleepingComputer found historic SMS text messages with one-time passcodes for Steam, including the recipient's phone number.

Owned by Valve Corporation, Steam is the world's largest digital distribution platform for PC games, with over 120 million monthly active users.

Valve did not respond to our requests for a comment on the threat actor's claims.

Independent games journalist MellolwOnline1, who is also the creator of the SteamSentinels community group that monitors abuse and fraud in the Steam ecosystem, suggests that the incident is a supply-chain compromise involving Twilio.

MellowOnline1 pointed to technical evidence in the leaked data that indicates real-time SMS log entries from Twilio's backend systems, hypothesizing a compromised admin account or abuse of API keys.

During the second day of Pwn2Own Berlin 2025, competitors earned $435,000 after exploiting zero-day bugs in multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox.
The highlight was a successful attempt from Nguyen Hoang Thach of STARLabs SG against the VMware ESXi, which earned him $150,000 for an integer overflow exploit.

Dinh Ho Anh Khoa of Viettel Cyber Security was awarded $100,000 for hacking Microsoft SharePoint by leveraging an exploit chain combining an auth bypass and an insecure deserialization flaw.

Palo Alto Networks' Edouard Bochin and Tao Yan also demoed an out-of-bounds write zero-day in Mozilla Firefox, while Gerrard Tai of STAR Labs SG escalated privileges to root on Red Hat Enterprise Linux using a use-after-free bug, and Viettel Cyber Security used another out-of-bounds write for an Oracle VirtualBox guest-to-host escape.

In the AI category, Wiz Research security researchers used a use-after-free zero-day to exploit Redis and Qrious Secure chained four security flaws to hack Nvidia's Triton Inference Server.

On the first day, competitors were awarded $260,000 after successfully exploiting zero-day vulnerabilities in Windows 11, Red Hat Linux, and Oracle VirtualBox, reaching a total of $695,000 earned over the first two days of the contest after demonstrating 20 unique 0-days.

​​​The Pwn2Own Berlin 2025 hacking competition focuses on enterprise technologies, introduces an AI category for the first time, and takes place during the OffensiveCon conference between May 15 and May 17.

​Ivanti has released security updates for its Neurons for ITSM IT service management solution that mitigate a critical authentication bypass vulnerability.

Tracked as CVE-2025-22462, the security flaw can let unauthenticated attackers gain administrative access to unpatched systems in low-complexity attacks, depending on system configuration.

As the company highlighted in a security advisory released today, organizations that followed its guidance are less exposed to attacks.

"Customers who have followed Ivanti's guidance on securing the IIS website and restricted access to a limited number of IP addresses and domain names have a reduced risk to their environment," Ivanti said.

"Customers who have users log into the solution from outside their company network also have a reduced risk to their environment if they ensure that the solution is configured with a DMZ."

Ivanti added that CVE-2025-22462 only impacts on-premises instances running versions 2023.4, 2024.2, 2024.3, and earlier, and said that it found no evidence that the vulnerability is being exploited to target customers.

Product Name Affected Version(s) Resolved Version(s)
Ivanti Neurons for ITSM (on-prem only) 2023.4, 2024.2, and 2024.3 2023.4 May 2025 Security Patch
2024.2 May 2025 Security Patch
2024.3 May 2025 Security Patch
The company also urged customers today to patch a default credentials security flaw (CVE-2025-22460) in its Cloud Services Appliance (CSA) that can let local authenticated attackers escalate privileges on vulnerable systems.

While this vulnerability isn't exploited in the wild either, Ivanti warned that the patch won't be applied correctly after installing today's security updates and asked admins to reinstall from scratch or use these mitigation steps to ensure their network is protected from potential attacks.

A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.
A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.

ClickFix is a social engineering tactic where fake verification systems or application errors are used to trick website visitors into running console commands that install malware.

These attacks have traditionally targeted Windows systems, prompting targets to execute PowerShell scripts from the Windows Run command, resulting in info-stealer malware infections and even ransomware.

However, a 2024 campaign using bogus Google Meet errors also targeted macOS users.

ClickFix targeting Linux users
A more recent campaign spotted by Hunt.io researchers last week is among the first to adapt this social engineering technique for Linux systems.

The attack, which is attributed to the Pakistan-linked threat group APT36 (aka "Transparent Tribe"), utilizes a website that impersonates India's Ministry of Defence with a link to an allegedly official press release.

The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.

All of the ransomware gang's admin panels now state. "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip."

LockBit dark web site defaced with link to database
As first spotted by the threat actor, Rey, this archive contains a SQL file dumped from the site affiliate panel's MySQL database.

From analysis by BleepingComputer, this database contains twenty tables, with some more interesting than others, including:

A 'btc_addresses' table that contains 59,975 unique bitcoin addresses.
A 'builds' table contains the individual builds created by affiliates for attacks. Table rows contain the public keys, but no private keys, unfortunately. The targeted companies' names are also listed for some of the builds.
A 'builds_configurations' table contains the different configurations used for each build, such as which ESXi servers to skip or files to encrypt.
A 'chats' table is very interesting as it contains 4,442 negotiation messages between the ransomware operation and victims from December 19th to April 29th.
Affiliate panel 'chats' table
Affiliate panel 'chats' table
A 'users' table lists 75 admins and affiliates who had access to the affiliate panel, with Michael Gillespie spotting that passwords were stored in plaintext. Examples of some of the plaintext passwords are 'Weekendlover69, 'MovingBricks69420', and 'Lockbitproud231'.
In a Tox conversation with Rey, the LockBit operator known as 'LockBitSupp' confirmed the breach, stating that no private keys were leaked or data lost.

Based on the MySQL dump generation time and the last date record in the negotiation chats table , the database appears to have been dumped at some point on April 29th, 2025.

It's unclear who carried out the breach and how it was done, but the defacement message matches the one used in a recent breach of Everest ransomware's dark web site, suggesting a possible link.

​Polish authorities have detained four suspects linked to six DDoS-for-hire platforms, believed to have facilitated thousands of attacks targeting schools, government services, businesses, and gaming platforms worldwide since 2022.

Such platforms are often marketed as legitimate testing tools on the dark web and hacking forums, but are mainly used to disrupt online services, servers, and websites by flooding them with traffic in distributed denial-of-service (DDoS) attacks and causing outages for real users.

The six DDoS services, named Cfxapi, Cfxsecurity, neostress, jetstress, quickdown, and zapcut, have been taken down in a coordinated law enforcement action involving authorities from Germany, the Netherlands, Poland, and the United States.

"In the latest blow to the criminal market for distributed denial of service (DDoS)-for-hire services, Polish authorities have arrested four individuals who allegedly ran a network of platforms used to launch thousands of cyberattacks worldwide," Europol said on Wednesday.

"The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10."

A supply-chain attack targets Linux servers with disk-wiping malware hidden in Golang modules published on GitHub.

The campaign was detected last month and relied on three malicious Go modules that included “highly obfuscated code” for retrieving remote payloads and executing them.

Complete disk destruction
The attack appears designed specifically for Linux-based servers and developer environments, as the destructive payload - a Bash script named done.sh, runs a ‘dd’ command for the file-wiping activity.

Furthermore, the payload verifies that it runs in a Linux environment (runtime.GOOS == "linux") before trying to execute.

An analysis from supply-chain security company Socket shows that the command overwrites with zeroes every byte of data, leading to irreversible data loss and system failure.

The target is the primary storage volume, /dev/sda, that holds critical system data, user files, databases, and configurations.

“By populating the entire disk with zeros, the script completely destroys the file system structure, operating system, and all user data, rendering the system unbootable and unrecoverable” - Socket

The researchers discovered the attack in April and identified three Go modules on GitHub, that have since been removed from the platform:

github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy

Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack.

The company provides data storage, infrastructure systems, cloud management, and ransomware recovery services to government entities and some of the world's biggest brands, including BMW, Telefónica, T-Mobile, and China Telecom.

In a statement shared with BleepingComputer, Hitachi Vantara confirmed the ransomware attack, saying it hired external cybersecurity experts to investigate the incident's impact and is now working on getting all affected systems online.

"On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer.

"Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident.

"We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."

SAP has released out-of-band emergency NetWeaver updates to fix a suspected remote code execution (RCE) zero-day flaw actively exploited to hijack servers.

Cisco has released security updates for a high-severity Webex vulnerability that allows unauthenticated attackers to gain client-side remote code execution using malicious meeting invite links.

In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Google's systems, passing all verifications but pointing to a fraudulent page that collected logins.

Windows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID's

MITRE Vice President Yosry Barsoum has warned that U.S. government funding for the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs expires today, which could lead to widespread disruption across the global cybersecurity industry.

In follow-up activity for Operation Endgame, law enforcement tracked down Smokeloader botnet's customers and detained at least five individuals.

EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.

A newly discovered malicious PyPi package named 'disgrasya' that abuses legitimate WooCommerce stores for validating stolen credit cards has been downloaded over 34,000 times from the open-source package platform.

Oracle has finally acknowledged to some customers that attackers have stolen old client credentials after breaching a

A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers.

Oracle denies it was breached after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud federated SSO login servers