13 Jun 2025

Week in review

Greetings,

Next week is Privacy Awareness Week, running from 16 to 22 June. This annual initiative encourages individuals, organisations and government agencies to take privacy seriously and raise awareness about the importance of protecting personal information.

The 2025 theme is “Privacy: It’s Everyone’s Business”, and we’re being asked to shout it from the rooftops! Led by the Office of the Australian Information Commissioner (OAIC), Privacy Awareness Week is supported by state and territory privacy regulators as well as members of the Asia Pacific Privacy Authorities forum.

Privacy is protected both in Australia and internationally through a range of laws. The OAIC primarily administers the Privacy Act 1988, which is the key piece of federal legislation governing the handling of personal information. In addition, each Australian state and territory has its own privacy laws that apply to its public sector agencies.

A recent Help Net Security article highlights the growing threat of Vendor Email Compromise (VEC) attacks, which have led to over $300 million in attempted thefts within a year. VEC attacks involve cyber criminals impersonating trusted vendors to trick employees into actions like transferring funds or disclosing sensitive information. The report found that 72% of employees in large organisations (50,000+ staff) who read a VEC email went on to engage with it, with entry-level sales staff being particularly vulnerable. Industries like telecommunications and energy/utilities saw the highest engagement rates, and prior victims were more likely to be targeted again.

The report also revealed that VEC attacks are significantly underreported—only 1.46% of advanced text-based email threats were flagged to security teams, leaving organisations unaware of many potential breaches. In regions like Europe, the Middle East and Africa, engagement with VEC was 90% higher than with BEC (Business Email Compromise) attacks, yet detection and response lag behind.


Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks
Date: 2025-06-09
Author: The Hacker News

A now-patched critical security flaw in the Wazuh Server is being exploited by threat actors to drop two different Mirai botnet variants and use them to conduct distributed denial-of-service (DDoS) attacks.
Akamai, which first discovered the exploitation efforts in late March 2025, said the malicious campaign targets CVE-2025-24016 (CVSS score: 9.9), an unsafe deserialization vulnerability that allows for remote code execution on Wazuh servers.

Critical Vulnerability Patched in SAP NetWeaver
Date: 2025-06-10
Author: Security Week

[AUSCERT has identified the impacted members (where possible) and contacted them via email]
Enterprise software maker SAP on Tuesday announced the release of 14 new security patches as part of its June 2025 Security Patch Day, including a note addressing a critical-severity vulnerability in NetWeaver.
Tracked as CVE-2025-42989 (CVSS score of 9.6), the critical bug is described as a missing authorization check in the NetWeaver application server for ABAP.

Google patched bug leaking phone numbers tied to accounts
Date: 2025-06-09
Author: Bleeping Computer

A vulnerability allowed researchers to brute-force any Google account's recovery phone number simply by knowing their profile name and an easily retrieved partial phone number, creating a massive risk for phishing and SIM-swapping attacks.
The attack method involves abusing a now-deprecated JavaScript-disabled version of the Google username recovery form, which lacked modern anti-abuse protections.

Fortinet, Ivanti Patch High-Severity Vulnerabilities
Date: 2025-06-11
Author: Security Week

[See AUSCERT bulletin for Fortinet: https://portal.auscert.org.au/bulletins/ESB-2025.3786]
Fortinet and Ivanti on Tuesday announced fixes for over a dozen vulnerabilities across their product portfolios, including multiple high-severity flaws.
Ivanti released a Workspace Control (IWC) update to address three high-severity bugs that could lead to credential leaks.
Tracked as CVE-2025-5353, CVE-2025-22463, and CVE-2025-22455, the issues exist because of hardcoded keys in IWC versions 10.19.0.0 and prior, which could allow authenticated attackers to decrypt stored SQL credentials and environment passwords.

INTERPOL Dismantles 20,000+ Malicious IPs Linked to 69 Malware Variants in Operation Secure
Date: 2025-06-11
Author: The Hacker News

INTERPOL on Wednesday announced the dismantling of more than 20,000 malicious IP addresses or domains that have been linked to 69 information-stealing malware variants.
The joint action, codenamed Operation Secure, took place between January and April 2025, and involved law enforcement agencies from 26 countries to identify servers, map physical networks, and execute targeted takedowns.
"These coordinated efforts resulted in the takedown of 79 percent of identified suspicious IP addresses," INTERPOL said in a statement. "Participating countries reported the seizure of 41 servers and over 100 GB of data, as well as the arrest of 32 suspects linked to illegal cyber activities."


ESB-2025.3716 – roundcube: CVSS (Max): 9.9

Debian addresses CVE-2025-49113 in Roundcube 1.4.15+dfsg.1-1+deb11u5. This vulnerability allows authenticated attackers to execute arbitrary code via PHP object deserialization.

ESB-2025.3819 – Adobe Commerce and Magento Open Source: CVSS (Max): 9.1

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical and important vulnerabilities. Exploitation could result in security feature bypass, privilege escalation, and arbitrary code execution.

ESB-2025.3831 – GitLab Community Edition and Enterprise: CVSS (Max): 8.7

GitLab addresses several high-severity vulnerabilities, including HTML injection and cross-site scripting flaws, which could lead to account takeover or unauthorized actions across GitLab Community and Enterprise Editions.

ASB-2025.0104 – Microsoft Windows: CVSS (Max): 8.8

Microsoft's June 2025 Patch Tuesday addressed 66 vulnerabilities, including two actively exploited flaws. CVE-2025-33053 is a one-click WebDAV flaw that lets attackers run code remotely if a user clicks a malicious link.


Stay safe, stay patched and have a good weekend!

The AUSCERT team