On May 29, 2025, SentinelOne experienced a global service disruption affecting multiple customer-facing services. During this period, customer endpoints remained protected, but security teams were unable to access the management console and related services, which significantly impacted their ability to manage their security operations and access important data. We apologize for the disruption caused by this service interruption.
The root cause of the disruption was a software flaw in an infrastructure control system that removed critical network routes, causing widespread loss of network connectivity within the SentinelOne platform. It was not a security-related event. The majority of SentinelOne services experienced full or partial downtime due to this sudden loss of network connectivity to critical components in all regions.
We’d like to assure our commercial customers that their endpoints were protected throughout the duration of the service disruption and that no SentinelOne security data was lost during the event. Protected endpoint systems themselves did not experience downtime due to this incident. A core design principle of the SentinelOne architecture is that protection and prevention capabilities continue uninterrupted without constant cloud connectivity or human dependency for detection and response, even during service interruptions of any kind, including events like this one.
On May 13, 2025, FortiGuard Labs published an advisory detailing CVE-2025-32756, which affects a variety of Fortinet products:
FortiCamera
FortiMail
FortiNDR
FortiRecorder
FortiVoice
In their advisory, FortiGuard Labs states that Fortinet has observed this issue being exploited in the wild. The next day, May 14, the vulnerability was added to the CISA KEV catalog.
The vulnerability is described in the advisory as a stack-based buffer overflow in the administrative API that can lead to unauthenticated remote code execution. Given that it’s being exploited in the wild, we figured we’d take a closer look. If you’d rather run the test instead of reading this write-up, coverage is already available in NodeZero.
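To make the bug class concrete, here is an added illustration in C. It is not Fortinet's code and not the actual CVE-2025-32756 defect, whose specifics this write-up does not cover; HASH_LEN, decode_hash_unchecked and decode_hash_checked are names invented for the example. It shows a hand-rolled hex decoder for an authentication-style header value, first in the vulnerable shape where the loop bound comes from the attacker's string, then bounded by the receiving stack buffer and validated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Fortinet's code: HASH_LEN and both decode_* functions
 * are invented for illustration of the stack-overflow pattern. */
#define HASH_LEN 16  /* size of the decoded value the caller expects */

/* Map one ASCII hex digit to its value, or -1 if it is not a hex digit. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* VULNERABLE shape (never call with untrusted input): the loop runs for as
 * many byte pairs as the request supplied, so a header value longer than
 * 2*HASH_LEN characters writes past raw[] into whatever the compiler placed
 * above it on the stack (other locals, saved registers, return address).
 * This is what "stack-based buffer overflow in an unauthenticated API"
 * describes in the abstract. */
static void decode_hash_unchecked(const char *hex, uint8_t out[HASH_LEN]) {
    uint8_t raw[HASH_LEN];
    size_t pairs = strlen(hex) / 2;             /* attacker-controlled bound */
    for (size_t i = 0; i < pairs; i++) {        /* no check that pairs <= HASH_LEN */
        raw[i] = (uint8_t)((hexval(hex[2 * i]) << 4) | hexval(hex[2 * i + 1]));
    }
    memcpy(out, raw, HASH_LEN);
}

/* HARDENED shape: the bound is the receiver's buffer, the input length must
 * match it exactly, every character is validated, and failure is reported so
 * the caller can reject the request instead of acting on garbage. */
static bool decode_hash_checked(const char *hex, uint8_t out[HASH_LEN]) {
    if (hex == NULL || strlen(hex) != 2 * HASH_LEN) return false;
    for (size_t i = 0; i < HASH_LEN; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return false;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return true;
}

int main(void) {
    uint8_t a[HASH_LEN], b[HASH_LEN];
    const char *good = "00112233445566778899aabbccddeeff";          /* 32 hex chars */
    const char *oversized = "00112233445566778899aabbccddeeff"
                            "00112233445566778899aabbccddeeff";     /* 64: would overflow raw[] */

    decode_hash_unchecked(good, a);   /* well-formed input: both decoders agree */
    printf("checked(good)      = %d\n", decode_hash_checked(good, b));
    printf("same bytes         = %d\n", memcmp(a, b, HASH_LEN) == 0);
    printf("checked(oversized) = %d\n", decode_hash_checked(oversized, b));
    printf("checked(non-hex)   = %d\n", decode_hash_checked("zz112233445566778899aabbccddeeff", b));
    /* decode_hash_unchecked(oversized, a) is deliberately not called: that is the crash. */
    return 0;
}
```

The fix is not the length check alone: rejecting non-hex characters matters too, because the unchecked version silently folds the -1 from hexval into the output and keeps going, which is how a parser ends up accepting input it was never meant to.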
Russian GRU Unit 29155 is best known for its long list of murder and sabotage ops, which include the Salisbury poisonings in England, arms depot explosions in Czechia, and an attempted coup d'état in Montenegro. But its activities in cyberspace remained in the shadows — until now. After reviewing a trove of hidden data, The Insider can report that the Kremlin’s most notorious black ops squad also fielded a team of hackers — one that attempted to destabilize Ukraine in the months before Russia’s full-scale invasion.
For members of Russia’s most notorious black ops unit, they look like children. Even their photographs on the FBI’s “wanted” poster show a group of spies born around the time Vladimir Putin came to power in Russia. But then, hacking is a young man’s business.
In August 2024, the U.S. Justice Department indicted Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, Nikolay Korchagin, Amin Stigal and Yuriy Denisov for conducting “large-scale cyber operations to harm computer systems in Ukraine prior to the 2022 Russian invasion,” using malware to wipe data from systems connected to Ukraine’s critical infrastructure, emergency services, even its agricultural industry, and masking their efforts as plausibly deniable acts of “ransomware” – digital blackmail. Their campaign was codenamed “WhisperGate.”
The hackers posted the personal medical data, criminal records, and car registrations of untold numbers of Ukrainians. The hackers also probed computer networks “associated with twenty-six NATO member countries, searching for potential vulnerabilities” and, in October 2022, gained unauthorized access to computers linked to Poland’s transportation sector, which was vital for the inflow and outflow of millions of Ukrainians – and for the transfer of crucial Western weapons systems to Kyiv.
More newsworthy than the superseding indictment of this sextet of hackers was the organization they worked for: Unit 29155 of Russia’s Main Intelligence Directorate of the General Staff, or GRU. In the past decade and a half, this elite team of operatives has been responsible for the Novichok poisonings of Russian ex-spy Sergei Skripal and Bulgarian arms manufacturer Emilian Gebrev, an abortive coup in Montenegro, and a series of explosions of arms and ammunition depots in Bulgaria and Czechia.
Unit 29155 is Russia’s kill and sabotage squad. But now they were being implicated for the first time as state hackers. Moreover, the U.S. government made a compelling case that Unit 29155 was engaged in cyber attacks designed to destabilize Ukraine in advance of Russian tanks and soldiers stealing across the border – if this were true, it would mean that at least one formidable arm of Russian military intelligence knew about a war that other Russian special services were famously kept in the dark about. This hypothesis is consistent with prior findings by The Insider showing that members of 29155 were deployed into Ukraine a few days before the full-scale invasion.
Note: Google Chrome communicated its removal of default trust of Chunghwa Telecom and Netlock in the public forum on May 30, 2025.
The Chrome Root Program Policy states that Certification Authority (CA) certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion. It also describes many of the factors we consider significant when CA Owners disclose and respond to incidents. When things don’t go right, we expect CA Owners to commit to meaningful and demonstrable change resulting in evidenced continuous improvement.
Chrome's confidence in the reliability of Chunghwa Telecom and Netlock as CA Owners included in the Chrome Root Store has diminished due to patterns of concerning behavior observed over the past year. These patterns represent a loss of integrity and fall short of expectations, eroding trust in these CA Owners as publicly-trusted certificate issuers trusted by default in Chrome. To safeguard Chrome’s users, and preserve the integrity of the Chrome Root Store, we are taking the following action.
Upcoming change in Chrome 139 and higher:
Transport Layer Security (TLS) server authentication certificates validating to the following root CA certificates whose earliest Signed Certificate Timestamp (SCT) is dated after July 31, 2025 11:59:59 PM UTC, will no longer be trusted by default.
OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co., Ltd.,C=TW
CN=HiPKI Root CA - G1,O=Chunghwa Telecom Co., Ltd.,C=TW
CN=NetLock Arany (Class Gold) Főtanúsítvány,OU=Tanúsítványkiadók (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
TLS server authentication certificates validating to the above set of roots whose earliest SCT is on or before July 31, 2025 11:59:59 PM UTC, will be unaffected by this change.
This approach attempts to minimize disruption to existing subscribers using a previously announced Chrome feature to remove default trust based on the SCTs in certificates.
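The rule above is mechanical enough to check for yourself. The following is an added example, not code from Google or the Chrome Root Program: it parses the TLS-encoded SignedCertificateTimestampList that an X.509 certificate carries in its embedded-SCT extension (RFC 6962 section 3.3, after the caller has unwrapped the extension's OCTET STRING), takes the earliest timestamp, and applies the cutoff and root list quoted in the announcement. The sample SCTs are constructed in the block with a dummy signature; the function names are invented for the example.

```python
"""Added example, not Google's code: decide whether a certificate chaining to
one of the named roots falls under the Chrome 139 SCT-based distrust."""
import struct
from datetime import datetime, timezone

# Cutoff from the announcement: earliest SCT strictly after this is distrusted.
CUTOFF = datetime(2025, 7, 31, 23, 59, 59, tzinfo=timezone.utc)

# Root subjects exactly as printed in the announcement (RFC 4514 strings).
AFFECTED_ROOTS = {
    "OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co., Ltd.,C=TW",
    "CN=HiPKI Root CA - G1,O=Chunghwa Telecom Co., Ltd.,C=TW",
    "CN=NetLock Arany (Class Gold) Főtanúsítvány,OU=Tanúsítványkiadók (Certification Services),O=NetLock Kft.,L=Budapest,C=HU",
}

# Sample dates for the demonstration (constructed, not from any real certificate).
EARLY = datetime(2025, 6, 15, tzinfo=timezone.utc)
JUST_AFTER = datetime(2025, 8, 1, 0, 0, 0, tzinfo=timezone.utc)
LATE = datetime(2025, 8, 10, tzinfo=timezone.utc)


def parse_sct_list(data: bytes) -> list[dict]:
    """Parse a SignedCertificateTimestampList (RFC 6962 s3.3):
    uint16 total length, then entries of uint16 length + SCT, where an SCT is
    version(1) log_id(32) timestamp(8, ms since epoch) extensions(uint16 + data)
    hash_alg(1) sig_alg(1) signature(uint16 + data)."""
    if len(data) < 2:
        raise ValueError("truncated SCT list")
    (total,) = struct.unpack_from(">H", data, 0)
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    pos, end, scts = 2, 2 + total, []
    while pos < end:
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        sct, pos = data[pos:pos + n], pos + n
        if len(sct) != n or n < 43:
            raise ValueError("truncated SCT entry")
        version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", sct, 0)
        off = 43 + ext_len
        _hash_alg, _sig_alg, sig_len = struct.unpack_from(">BBH", sct, off)
        if off + 4 + sig_len != n:
            raise ValueError("SCT signature length mismatch")
        # Integer arithmetic keeps millisecond precision without float rounding.
        ts = datetime.fromtimestamp(ts_ms // 1000, tz=timezone.utc)
        ts = ts.replace(microsecond=(ts_ms % 1000) * 1000)
        scts.append({"version": version, "log_id": log_id.hex(), "timestamp": ts})
    return scts


def earliest_sct(scts: list[dict]) -> datetime:
    if not scts:
        raise ValueError("certificate carries no SCTs")  # fails CT policy regardless
    return min(s["timestamp"] for s in scts)


def distrusted_in_chrome_139(root_subject: str, sct_list: bytes) -> bool:
    """True only if the chain ends in a named root AND the earliest SCT is after CUTOFF.
    A certificate issued from any other root is unaffected by this particular change."""
    if root_subject not in AFFECTED_ROOTS:
        return False
    return earliest_sct(parse_sct_list(sct_list)) > CUTOFF


def _make_sct(ts: datetime, log_id: bytes = b"\x01" * 32) -> bytes:
    """Constructed test data: a v1 SCT with the given timestamp and a dummy signature."""
    ts_ms = int(ts.timestamp() * 1000)
    body = struct.pack(">B32sQH", 0, log_id, ts_ms, 0)      # version, log_id, ts, no extensions
    body += struct.pack(">BBH", 4, 3, 4) + b"\x00" * 4      # sha256, ecdsa, 4-byte fake sig
    return struct.pack(">H", len(body)) + body


def make_sct_list(*timestamps: datetime) -> bytes:
    entries = b"".join(_make_sct(t) for t in timestamps)
    return struct.pack(">H", len(entries)) + entries


if __name__ == "__main__":
    hipki = "CN=HiPKI Root CA - G1,O=Chunghwa Telecom Co., Ltd.,C=TW"
    # Issued before the cutoff, later re-logged: earliest SCT governs, so still trusted.
    print(distrusted_in_chrome_139(hipki, make_sct_list(LATE, EARLY)))      # False
    # All SCTs after the cutoff: no longer trusted by default.
    print(distrusted_in_chrome_139(hipki, make_sct_list(JUST_AFTER)))       # True
    # An unrelated root with the same dates is not touched by this change.
    print(distrusted_in_chrome_139("CN=Some Other Root,O=Example,C=US", make_sct_list(LATE)))  # False
```

The comparison is on the earliest SCT, not the notBefore date, which is why a certificate that was later submitted to an additional log keeps its original status; and the boundary is inclusive in the subscriber's favour, so an SCT stamped exactly at the cutoff second is unaffected.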
Key Findings:
On May 21, 2025, Europol, FBI, and Microsoft, in collaboration with other public and private sector partners, announced an operation to dismantle the activity of the Lumma infostealer. The malware, considered to be one of the most prolific infostealers, is distributed through a malware-as-a-service model. In addition to its use by common cyber criminals for stealing credentials, Lumma was observed to be part of the arsenal of several prominent threat actor groups, including Scattered Spider, Angry Likho, and CoralRaider.
The Takedown on the Dark Web
According to the reports, the takedown operation began on May 15. On that day, Lumma customers flooded dark web forums that advertise the stealer, complaining they were unable to access the malware’s command and control (C2) servers and management dashboards.
Lovable is accused of failing to fix security flaws that exposed information about users, a growing vulnerability as vibe coding’s popularity surges.
Lovable, the popular vibe coding app that describes itself as the fastest-growing company in Europe, has failed to fix a critical security flaw, despite being notified about it months ago, according to a new report by an employee at a competitor.
The service offered by Lovable, a Swedish startup that bills its product as “the last piece of software,” allows customers without any technical training to instantly create websites and apps using only natural language prompts.
The employee at AI coding assistant company Replit who wrote the report, reviewed by Semafor, says he and a colleague scanned 1,645 Lovable-created web apps that were featured on the company’s site. Of those, 170 allowed anyone to access information about the site’s users, including names, email addresses, financial information and secret API keys for AI services that would allow would-be hackers to run up charges billed to Lovable’s customers.
The vulnerability, which was made public on the National Vulnerability Database on Thursday, highlights a growing security problem as artificial intelligence allows anyone to become a software developer. Each new app or website created by novices is a potential sitting duck for hackers with automated tools that target everything connected to the internet. The advent of amateur vibe coding raises new questions about who is responsible for securing consumer products in an era where developers with zero security know-how can build them.