IT Security Newsletter - 5/14/2025

Top News

Krebs on Security: Patch Tuesday, May 2025 Edition

Microsoft on Tuesday released software updates to fix at least 70 vulnerabilities in Windows and related products, including five zero-day flaws that are already seeing active exploitation. Adding to the sense of urgency with this month's patch batch from Redmond are fixes for two other weaknesses that now have public proof-of-concept exploits available. Microsoft and several security firms have disclosed that attackers are exploiting a pair of bugs that allow attackers to elevate their privileges on a vulnerable device. READ MORE...

Breaches

Twilio denies breach following leak of alleged Steam 2FA codes

Twilio has denied in a statement for BleepingComputer that it was breached after a threat actor claimed to be holding over 89 million Steam user records with one-time access codes. The threat actor, using the alias Machine1337 (also known as EnergyWeaponsUser), advertised a trove of data allegedly pulled from Steam, offering to sell it for $5,000. BleepingComputer found historic SMS text messages with one-time passcodes for Steam, including the recipient's phone number. READ MORE...


Fashion giant Dior discloses cyberattack, warns of data breach

House of Dior, the French luxury fashion brand commonly referred to as Dior, has disclosed a cybersecurity incident that has exposed customer information. A spokesperson for the firm told BleepingComputer that the incident impacts Dior Fashion and Accessories customers. Currently, cybersecurity experts are investigating the incident to determine its scope. "Dior recently discovered that an unauthorized external party accessed some of the data we hold for our customers," stated the spokesperson. READ MORE...

Hacking

New attack can steal cryptocurrency by planting false memories in AI chatbots

Imagine a world where AI-powered bots can buy or sell cryptocurrency, make investments, and execute software-defined contracts at the blink of an eye, depending on minute-to-minute currency prices, breaking news, or other market-moving events. Then imagine an adversary causing the bot to redirect payments to an account they control by doing nothing more than entering a few sentences into the bot's prompt. READ MORE...

Software Updates

Adobe Patches Big Batch of Critical-Severity Software Flaws

Software maker Adobe has released patches for at least 39 vulnerabilities across a range of products alongside warnings about remote code execution exploit risks. The Patch Tuesday rollout is headlined by a major Adobe ColdFusion update that addresses a wide swath of code execution and privilege escalation attacks. The Adobe ColdFusion bulletin documents 7 distinct vulnerabilities marked as 'critical.' READ MORE...


Vulnerabilities Patched by Juniper, VMware and Zoom

Juniper Networks, VMware, and Zoom have published a total of ten security advisories describing dozens of vulnerabilities patched across their product portfolios. Juniper on Tuesday announced fixes for nearly 90 bugs in third-party dependencies in Secure Analytics, the virtual appliance that collects security events from network devices, endpoints, and applications. Patches for these issues, most of which were disclosed last year, were included in Secure Analytics version 7.5.0 UP11 IF03. READ MORE...


ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Phoenix Contact

Industrial giants Siemens, Schneider Electric and Phoenix Contact have released ICS security advisories on the May 2025 Patch Tuesday. The cybersecurity agencies CISA and CERT@VDE have also published advisories. While most of the vulnerabilities described in the advisories have been patched, only mitigations and workarounds are currently available for some of the flaws. Siemens has published 18 new advisories, including four that cover critical-severity vulnerabilities. READ MORE...

Exploits/Vulnerabilities

CISA Warns of TeleMessage Vuln Despite Low CVSS Score

The Cybersecurity and Infrastructure Security Agency (CISA) is warning users of a privacy vulnerability under exploitation in the messaging application TeleMessage - the very same one used by Michael Waltz, former national security adviser to President Donald Trump. TeleMessage makes modified versions of popular messaging applications such as Signal, WhatsApp, Telegram, and WeChat. READ MORE...


Ivanti EPMM vulnerabilities exploited in the wild (CVE-2025-4427, CVE-2025-4428)

Attackers have exploited vulnerabilities in open-source libraries to compromise on-prem Ivanti Endpoint Manager Mobile (EPMM) instances of a "very limited" number of customers, Ivanti has confirmed on Tuesday, and urged customers to install a patch as soon as possible. "The investigation is ongoing and Ivanti does not have reliable atomic indicators [of compromise] at this time. Customers should reach out to our Support Team for guidance," the company said. READ MORE...


Zero-day exploited to compromise Fortinet FortiVoice systems (CVE-2025-32756)

Fortinet has patched a critical vulnerability (CVE-2025-32756) that has been exploited in the wild to compromise FortiVoice phone / conferencing systems, the company's product security incident response team has revealed on Tuesday. CVE-2025-32756 is a stack-based overflow vulnerability that can lead to remote code and command execution by unauthenticated attackers. To trigger it, they only need to send a specially crafted HTTP request to a specific API. READ MORE...

On This Date

  • ...in 1804, the Lewis and Clark Expedition departs to map and explore the Louisiana Purchase.
  • ...in 1955, the Warsaw Pact treaty is signed by the Soviet Union and seven other Communist bloc nations.
  • ...in 1973, the United States launches its first space station, Skylab.
  • On this date, singer-songwriter and Talking Heads founding member David Byrne is born in Dumbarton, Scotland.