Cybersecurity Week in Review: May 6–12, 2025

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches and Leaks

Several significant breaches were reported or disclosed during this week. For example, TeleMessage (an encrypted messaging app used by U.S. officials) confirmed a breach: hackers stole customer data, including the contents of some direct messages and group chats from its Signal clone (as well as WhatsApp, Telegram, WeChat). In finance, online broker SogoTrade disclosed that a May 2024 phishing attack exposed records for ~48,700 customers – including names, Social Security numbers, financial account details and tax IDs. In the education sector, Pearson (a large educational publisher) acknowledged a January 2025 cyberattack in which an actor exfiltrated “corporate data and customer information” (primarily older/“legacy” data); importantly, no employee PII was taken. Relatedly, the PowerSchool breach (December 2024) resurfaced this week as several K‑12 school districts (including Toronto’s) reported being extorted with data stolen from 60 million student records.

Other noteworthy leaks included the Alvin Independent School District (Texas), where a June 2024 breach was disclosed affecting 47,606 people: exposed data included names, Social Security and state ID numbers, credit/debit card info, and medical records. In Australia, the Human Rights Commission accidentally indexed 670 private submissions (names, health and religious details, etc.) on the web, exposing sensitive data submitted between April 3 and May 5, 2025.

The table below summarizes these breaches and leaks:

| Organization / Service | Data Exposed | Volume/Impact |
|---|---|---|
| TeleMessage | Contents of DMs & group chats from its encrypted messaging platform (Signal clone, WhatsApp, Telegram, WeChat) | Customer chat histories (including some communications of US officials) – confidentiality of official messages at risk. |
| SogoTrade | Names, SSNs, financial account numbers, and tax IDs | ~48,700 customers affected – risk of identity theft and financial fraud. |
| Pearson | Corporate and customer data (mostly legacy records) | Extent undisclosed – potential IP/data loss and reputational harm (no employee PII taken). |
| PowerSchool | K‑12 student PII (social security numbers, health info, etc.) | ~60 million students; breach resolved via ransom in Dec 2024, but extortion attempts resumed in May using the same data. |
| Alvin ISD (TX) | Personal data: names, SSNs, state IDs, credit/debit, medical info | 47,606 people; Fog ransomware gang claimed responsibility. |
| Aus. HRC | Human rights case submission docs (names, contacts, health, religion, etc.) | 670 documents leaked via search index (April–May 2025) – misconfiguration issue. |

Significant Cyberattacks and Incidents

Several major attack campaigns and incidents were active during the week. Notably, multiple ransomware groups exploited a recently discovered Windows zero-day (CVE-2025-29824, a privilege-escalation flaw in the CLFS driver) prior to Microsoft’s April patch. Microsoft attributed one large campaign to Storm-2460 (RansomEXX), which used the flaw to load a malicious DLL (“PipeMagic”) on targets in the IT, real estate, finance and retail sectors. Security researchers (Symantec/Broadcom) also identified a second actor (affiliated with Play/Balloonfly ransomware) using the same flaw to deploy the Grixba infostealer on a U.S. organization. In these cases, the attackers initially compromised a network (e.g. via an unpatched Cisco ASA) then pivoted to Windows to leverage CVE-2025-29824 for privilege escalation.

  • Mirai IoT Botnet Expansion: Researchers reported that cybercriminals actively leveraged old vulnerabilities to conscript IoT devices into Mirai DDoS botnets. Specifically, flaws in GeoVision IP cameras (CVE-2024-6047 and CVE-2024-11120) and in Samsung MagicINFO signage (CVE-2024-7399) were exploited en masse. A newly discovered Mirai strain scanned the Internet for devices with these weaknesses, adding them to its botnet for large-scale network floods.
  • Law Enforcement Takedowns: Authorities disrupted several cybercrime operations. On May 6, Moldovan police (with Dutch cooperation) arrested a 45-year-old suspected member of DoppelPaymer ransomware for a 2021 attack on the Dutch Research Council (NWO), a breach that caused ~€4.5M in damages. In Poland, police detained four individuals running global DDoS-for-hire services. Ukrainian investigators dismantled a call-center scam that defrauded Latvian victims of roughly $145,000 in fake cryptocurrency investments.

Critical Vulnerabilities and Patches

Key vulnerabilities were disclosed or addressed, many with significant risks. Notable entries include:

  • CVE-2025-20188 (Cisco IOS XE) – A critical vulnerability in Cisco’s IOS XE software for wireless controllers that allows attackers to upload arbitrary files and execute commands with root privileges. This issue, with a CVSS score of 10.0, affects Cisco Catalyst 9800 Series Wireless Controllers and can lead to full system compromise if exploited. Cisco has released patches to mitigate this flaw.

  • CVE-2025-29824 (Microsoft Windows CLFS) – Privilege-escalation bug. Although patched in April, attackers exploited it as a zero-day in early May to facilitate ransomware (PipeMagic) and credential theft.

  • CVE-2025-31324 (SAP NetWeaver) – An unauthenticated RCE in SAP’s web apps. This flaw has been actively exploited by multiple China-linked APT groups (UNC5221, UNC5174, CL-STA-0048) to breach critical infrastructure (e.g. UK gas/water utilities, U.S. medical manufacturing, Saudi government).

  • CVE-2025-3248 (Langflow) – An authentication bypass/code-exec in the Langflow AI platform. Researchers warned it is “easily exploitable” and noted that the fix in version 1.3.0 was incomplete; CISA added it to its known-exploited list. Users are urged to update or disable vulnerable versions.

  • CVE-2025-31251 (AppleJPEG, iOS/macOS) – A memory corruption in Apple’s JPEG engine. Fixed in iOS/iPadOS 18.5 and macOS 15.5 (released May 12).

  • CVE-2025-24225 (mDNSResponder, iOS/macOS) – A privilege-escalation bug in macOS’s DNS responder. Also fixed in the May 12 updates.

  • (Additional exploits) The week also saw reports of older flaws (e.g. GeoVision CVE-2024-6047/11120, Samsung CVE-2024-7399) being used in the wild (see above Mirai botnet note).

The table below summarizes critical CVEs and their impacts:

| CVE ID | Affected Product | Impact & Notes |
|---|---|---|
| CVE-2025-20188 | Cisco IOS XE (Wireless Controllers) | Arbitrary file upload, remote code execution (root privileges); patched by Cisco |
| CVE-2025-29824 | Microsoft Windows (CLFS) | Privilege escalation (RCE); exploited by ransomware groups for pre-patch attacks |
| CVE-2025-31324 | SAP NetWeaver (ERP web UI) | Remote code execution (file upload); actively exploited by China-linked APTs (581+ systems breached) |
| CVE-2025-3248 | Langflow AI platform | Authentication bypass/RCE; easily exploitable; users urged to update or disable vulnerable versions |
| CVE-2025-31251 | Apple iOS/macOS (AppleJPEG) | Heap overflow; patched in iOS/iPadOS 18.5, macOS Sequoia 15.5 (May 12) |
| CVE-2025-24225 | Apple iOS/macOS (mDNSResponder) | Privilege escalation; patched in May 12 updates |

Miscellaneous

Beyond breaches and advisories, other noteworthy items included security exercises and conferences:

Pwn2Own Berlin 2025 (May 15–17) showcased cutting-edge exploits. On the first day alone, participants earned $260,000 for vulnerabilities in Linux, Docker, VirtualBox, and even AI software. Notably, the first-ever AI-category exploit was demonstrated: a security researcher earned $20,000 by compromising the open-source Chroma AI database. Other high payouts went to exploits of NVIDIA Triton inference servers, Docker Desktop (container escape), and VirtualBox hypervisors. This event highlighted growing focus on AI and cloud platform security.

The NATO “Locked Shields” exercise wrapped up this week (held May 8–12 in Tallinn). It was the 15th edition of the world’s largest live-fire cyber defense drill. Some 4,000 experts from 41 countries (organized in multinational teams) simulated defense of over 8,000 systems against 8,000 cyberattacks. The exercise included new elements like cloud-based scenarios, AI-driven “red” team narratives, and legal/political pressure injects, reflecting real-world complexity.

Other items of interest: the ENISA EUVD launch (see above) as well as industry activity. For example, major cybersecurity firms announced partnerships on threat intelligence sharing, and researchers published new analyses (e.g. Intel’s examination of speculative execution flaws, and academics’ exploration of AI-driven phishing techniques). In cyber policy, the EU NIS2 Working Party continued drafting guidelines for member states, and Australia signaled plans for tougher critical infrastructure standards. Taken together, these developments underscore growing emphasis on proactive defense, intelligence-sharing and regulatory oversight in cybersecurity.

Conclusion

In summary, this week’s cyber developments highlight several trends: attackers continue to weaponize recently patched vulnerabilities (e.g. the Windows CLFS flaw) before fixes fully propagate. Ransomware and data theft remain pervasive across sectors (education, finance, government), with stolen information resurfacing in extortion attempts. The exposure of sensitive personal and corporate data (as in TeleMessage, SogoTrade and PowerSchool) underscores the importance of rapid incident response and robust encryption. On the defensive side, governments and industry are strengthening coordination: sanctions regimes are being reinforced, joint advisories and vulnerability repositories (EUVD) are launched, and exercises like Locked Shields expand in scale. For CISOs and IT leaders, the lesson is clear: maintain up-to-date patching (especially for publicized CVEs), assume breach by monitoring exfiltration, and engage with new information-sharing tools. The rising volume of targeted phishing and malware campaigns also demands continuous user training and threat hunting. Overall, the week’s events reinforce that cybersecurity remains a global, multi-stakeholder challenge – one requiring vigilance, collaboration, and swift adaptation to emerging threats.