Industrial solutions providers Siemens, Schneider Electric and Aveva have released June 2025 Patch Tuesday ICS security advisories.
While most of the vulnerabilities described in the advisories have been patched, only mitigations and workarounds are currently available for some of the flaws.
Siemens published six new advisories this Patch Tuesday. The most important describes CVE-2025-40585, a critical default credentials issue impacting Siemens Energy Services solutions that use the Elspec G5 Digital Fault Recorder (G5DFR).
According to Siemens, this component has default credentials with admin privileges and “a client configuration with remote access could allow an attacker to gain remote control of the G5DFR component and tamper outputs from the device”. Users can mitigate this issue by changing the default credentials from the G5DFR interface.
Critical issues are also described in an advisory for Simatic S7-1500 CPUs. Siemens is working on updates for the product to address dozens of vulnerabilities affecting the GNU/Linux subsystem.
Two advisories cover medium-severity issues in industrial communication devices that use the Sinec OS. The flaws allow an attacker to “perform actions that exceed the permissions of the ‘guest’ role”.
The industrial giant has also informed customers about a Tecnomatix Plant Simulation vulnerability that can lead to arbitrary code execution by tricking a user to open malicious files. The issue was reported by researcher Michael Heinzl, who is often credited by vendors for reporting vulnerabilities whose exploitation involves opening specially crafted files.
Siemens also informed customers about an XSS vulnerability in the Palo Alto Networks virtual firewall present in some Ruggedcom devices. Patches are being prepared by Siemens.
Schneider Electric has published three new advisories this Patch Tuesday. One of them describes XSS and DoS vulnerabilities affecting some Modicon controllers.
Four vulnerabilities have been patched in the EVLink WallBox electric vehicle charging station, including ones that can be exploited for reading or writing arbitrary files, launching XSS attacks, and taking remote control over the charging station.
Schneider has also informed customers about vulnerabilities in the third-party real-time operating system powering Insight Home and Insight Facility products. The products have reached end of life and cannot be updated, but users can implement mitigations to reduce the risk of exploitation.
Aveva has published three new advisories. One of them describes two high-severity DoS vulnerabilities in the PI Data Archive product. The other two advisories cover medium-severity XSS flaws in PI Connector for CygNet and PI Web API.
CISA also published three new advisories on Tuesday. One of them describes high-severity SinoTrack GPS receiver vulnerabilities that can allow an attacker to track vehicles and disconnect power to the fuel pump.
The other advisories describe the impact of a 2022 OpenSSL vulnerability on Hitachi Energy Relion products, and a remote code execution flaw discovered by Heinzl in MicroDicom DICOM Viewer.
ABB published advisories a few days before Patch Tuesday. The company informed customers about a critical EIBPORT vulnerability that leads to information disclosure, as well as flaws in third-party components used by its Welcome IP-Gateway product.
Also on Tuesday, Kaspersky published its ICS threat landscape report for Q1 2025, which shows that the security firm’s products blocked threats on nearly 22% of protected ICS devices.
The report looks at threat sources, regional trends, and the prevalence of various types of malware.
Sports apparel and footwear giant VF Corporation is notifying over 2,800 individuals that their personal information was compromised in a recent credential stuffing attack aimed at The North Face website.
Credential stuffing occurs when threat actors leverage email addresses, usernames, and passwords compromised in a previous data breach to access accounts on a different online service where the same credentials have been used.
According to notification letters VF Corporation sent this week to the impacted individuals, copies of which were submitted to multiple regulators, a threat actor employed this technique on April 23 against a small set of user accounts on thenorthface.com website.
“Based on our investigation, we believe that the attacker previously gained access to your email address and password from another source (not from us) and then used those same credentials to access your account on our website,” the company’s notification letter reads.
VF Corporation says it discovered the suspicious activity on the same day, and informed the Maine Attorney General’s Office that a total of 2,861 user accounts were compromised.
The campaign resulted in the attackers gaining access to the information stored in the compromised accounts, such as names, addresses, email addresses, dates of birth, phone numbers, user preferences, and details on the items purchased on the website.
The company underlines that payment card information was not compromised because it does not store such data on its website.
“We only retain a ‘token’ linked to your payment card, and only our third-party payment card processor keeps payment card details. The token cannot be used to initiate a purchase anywhere other than on our website. Accordingly, your credit card information is not at risk as a result of this incident,” it says.
Google on Monday released a fresh Chrome 137 update to address three vulnerabilities, including a high-severity bug exploited in the wild.
Tracked as CVE-2025-5419, the zero-day is described as an out-of-bounds read and write issue in the V8 JavaScript engine.
“Google is aware that an exploit for CVE-2025-5419 exists in the wild,” the internet giant’s advisory reads. No further details on the security defect or the exploit have been provided.
However, the company credited Clement Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) for reporting the issue.
TAG researchers previously reported multiple vulnerabilities exploited by commercial surveillance software vendors, including such bugs in Chrome. Flaws in Google’s browser are often exploited by spyware vendors and CVE-2025-5419 could be no different.
According to a NIST advisory, the exploited zero-day “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page”. It should be noted that the exploitation of out-of-bounds defects often leads to arbitrary code execution.
The latest browser update also addresses CVE-2025-5068, a medium-severity use-after-free in Blink that earned the reporting researcher a $1,000 bug bounty. No reward will be handed out for the zero-day.
The latest Chrome iteration is now rolling out as version 137.0.7151.68/.69 for Windows and macOS, and as version 137.0.7151.68 for Linux.
The Likely Exploited Vulnerabilities (LEV) equations can help augment KEV- and EPSS-based remediation prioritization.
Researchers from CISA and NIST have proposed a new cybersecurity metric designed to calculate the likelihood that a vulnerability has been exploited in the wild.
Peter Mell of NIST and Jonathan Spring of CISA have published a paper describing equations for what they call Likely Exploited Vulnerabilities, or LEV.
Thousands of vulnerabilities are discovered every year in software and hardware, but only a small percentage are ever exploited in the wild.
Knowing which vulnerabilities have been exploited or predicting which flaws are likely to be exploited is important for organizations when trying to prioritize patching.
Known Exploited Vulnerabilities (KEV) lists such as the one maintained by CISA and the Exploit Prediction Scoring System (EPSS), which relies on data to estimate the probability that a vulnerability will be exploited, can be very useful. However, KEV lists may be incomplete and EPSS may be inaccurate.
LEV aims to enhance — not replace — KEV lists and EPSS. This is done through equations that take into account variables such as the first date when an EPSS score is available for a specified vulnerability, the date of the most recent KEV list update, inclusion in KEV, and the EPSS score for a given day (measured across multiple days).
LEV probabilities can be useful for measuring the expected number and proportion of vulnerabilities that threat actors have exploited.
It can also be useful for estimating the comprehensiveness of KEV lists. “Previously, KEV maintainers had no metric to demonstrate how close their list was to including all relevant vulnerabilities,” the researchers explained.
In addition, LEV probabilities can help augment KEV- and EPSS-based vulnerability remediation prioritization — in the case of KEV by identifying higher-probability vulnerabilities that may be missing, and in the case of EPSS by finding vulnerabilities that may be underscored.
While in theory LEV could turn out to be a very useful tool for vulnerability prioritization, the researchers pointed out that collaboration is necessary, and NIST is looking for industry partners “with relevant datasets to empirically measure the performance of LEV probabilities”.
Enterprise management solutions provider Serviceaide has informed the Department of Health and Human Services (HHS) that a data leak impacts the personal and medical information of nearly half a million Catholic Health patients.
California-based Serviceaide, whose solutions are used by organizations worldwide, discovered in November 2024 that an Elasticsearch database maintained for one of its customers, Buffalo, New York-based non-profit healthcare system Catholic Health, had been inadvertently made publicly available.
An investigation showed that the database had been exposed between September 19 and November 5, 2024.
While Serviceaide did not find any evidence that the information was exfiltrated, the company said it cannot definitively rule it out.
According to a data breach notice posted on the Serviceaide website, the exposed information varies for each individual, but it can include name, SSN, date of birth, medical record number, patient account number, medical information, health insurance information, prescription and treatment information, clinical information, healthcare provider details, email or username, and password.
Impacted individuals are being notified and offered 12 months of free credit monitoring and identity theft protection services.
Serviceaide informed the HHS, according to the government organization’s incident tracker, that just over 483,000 individuals are impacted by the data breach.
It’s not uncommon for healthcare data breaches to impact hundreds of thousands of individuals, and some incidents affect millions and even tens of millions.
Apple rolls out iOS and macOS platform updates to fix serious security bugs that could be triggered simply by opening an image or video file.
Apple on Monday pushed out patches for security vulnerabilities across the macOS, iPhone and iPad software stack, warning that code-execution bugs that could be triggered simply by opening a rigged image, video or website.
The new iOS 18.5 update, rolled out alongside patches for iPadOS, covers critical bugs in AppleJPEG and CoreMedia with a major warning from Cupertino that attackers could craft malicious media files to run arbitrary code with the privileges of the targeted app.
The company also documented serious file-parsing vulnerabilities patched in CoreAudio, CoreGraphics, and ImageIO, each capable of crashing apps or leaking data if booby-trapped content is opened.
The iOS 18.5 update also provides cover for at least 9 documented WebKit flaws, some serious enough to lead to exploits that allow a hostile website to execute code or crash the Safari browser engine.
The company also patched a serious ‘mute-button’ flaw in FaceTime that exposes the audio conversation even after muting the microphone.
Beneath the interface, Apple said iOS 18.5 hardens the kernel against two memory-corruption issues and cleans up a libexpat flaw (CVE-2024-8176) that affects a broad range of software projects.
Other notable fixes include an issue in Baseband (CVE-2025-31214) that allows attackers in a privileged network position to intercept traffic on the new iPhone 16e line; a privilege escalation bug in mDNSResponder (CVE-2025-31222); an issue in Notes that expose data from a locked iPhone screen; and security gaps in FrontBoard, iCloud Document Sharing, and Mail Addressing.
Microsoft security chief Charlie Bell says the SFI’s 28 objectives are “near completion” and that 11 others have made “significant progress.”
Microsoft, touting what it calls “the largest cybersecurity engineering project in history,” says it has moved every Microsoft Account and Entra ID token‑signing key into hardware security modules or Azure confidential VMs with automatic rotation, an overhaul meant to block the key‑theft tactic that fueled an embarrassing nation‑state breach at Redmond.
Just 18 months after rolling out a Secure Future Initiative in response to the hack and a scathing US government report that followed, Microsoft security chief Charlie Bell said five of the program’s 28 objectives are “near completion” and that 11 others have made “significant progress.”
In addition to the headline fix to put all Microsoft Account and Entra ID token‑signing keys in hardware security modules or Azure confidential virtual machines, Bell said more than 90 percent of Microsoft’s internal productivity accounts have moved to phishing‑resistant multi factor authentication and that 90 percent of first‑party identity tokens are validated through a newly hardened software‑development kit.
Bell Ambulance and Alabama Ophthalmology Associates have suffered data breaches affecting over 100,000 people after being targeted in ransomware attacks.
One of them is Milwaukee, WI-based Bell Ambulance, which provides ambulance services in the area. The company revealed last week in a data security notice that it detected a network intrusion on February 13, 2025.
An investigation showed that hackers gained access to files containing information such as name, date of birth, SSN, and driver’s license number, as well as financial, medical and health insurance information.
Bell Ambulance did not say in its public notice how many individuals are impacted, but the Department of Health and Human Services (HHS) data breach tracker revealed on Monday that 114,000 people are affected.
The Medusa ransomware group announced hacking Bell Ambulance in early March, claiming to have stolen more than 200 Gb of data from its systems.
The second healthcare organization to confirm a data breach impacting more than 100,000 people is Birmingham, AL-based ophthalmology practice Alabama Ophthalmology Associates.
SK Telecom, South Korea’s largest telecom company, disclosed a data leak involving a malware infection.
SK Telecom is South Korea’s largest wireless carrier — it has tens of millions of subscribers and holds roughly half of the local market.
The company revealed on Tuesday in a Korean-language statement posted on its website that it detected an intrusion on April 19. An investigation showed that the attackers deployed malware and managed to obtain personal information belonging to customers.
Following the incident, SK Telecom is offering customers a free SIM protection service designed to prevent SIM swapping, which suggests that the leaked data could be leveraged for such activities.
A new attack technique named Policy Puppetry can break the protections of major gen-AI models to produce harmful outputs.
Combined with AI, polymorphic phishing emails have become highly sophisticated, creating more personalized and evasive messages that result in higher attack success rates.
A threat actor claims to offer a zero-day exploit for an unauthenticated remote code execution vulnerability in Fortinet firewalls.
DaVita has not named the ransomware group behind the incident or share details on the attacker’s ransom demands
The Rhysida ransomware gang claims to have stolen 2.5 Tb of files from the Oregon Department of Environmental Quality.
In the past months Microsoft has seen multiple campaigns involving Node.js to deliver malware and other malicious payloads.
Microsoft on Tuesday issued a warning over the increasing use of Node.js for the delivery of malware and other malicious payloads.
The tech giant has been seeing such attacks aimed at its customers since October 2024 and some of the observed campaigns are still active in April 2025.
A vulnerability impacting multiple ESET products has been exploited by an APT group to load malicious DLL libraries and silently deploy malware, Kaspersky reports.
The issue, tracked as CVE-2024-11859, is described as a DLL search order hijacking flaw that could be exploited by attackers with administrative privileges for arbitrary code execution.
A 20-year-old man believed to be a member of the cybercrime ring known as Scattered Spider has pleaded guilty to charges brought against him in Florida and California.
Noah Urban of Palm Coast, Florida, was arrested in January 2024 and charges against him were unsealed by US authorities in November 2024, when four others believed to be members of Scattered Spider were named.
Medical testing services provider Laboratory Services Cooperative (LSC) is notifying 1.6 million individuals that their personal information was stolen in an October 2024 data breach.
As part of the cyberattack, which was identified on October 27, a threat actor accessed LSC’s network and accessed and exfiltrated certain files containing patient and employee information.
A fresh post on the Kraken ransomware group’s leak website refers to data stolen in a 2022 cyberattack, Cisco says.
The data, a list of credentials apparently exfiltrated from Cisco’s systems, appeared over the weekend on a new data leak site operated by the Kraken ransomware group.
“Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time,” a Cisco spokesperson said, responding to a SecurityWeek inquiry.
A threat actor has infected the website of Casio UK and 16 other victims with a web skimmer that altered the payment flow to harvest and exfiltrate visitors’ information, web security provider Jscrambler reports.
