6 Jun 2025
Week in review
Greetings,
The Australian Government has enacted new legislation requiring certain organisations to report ransomware and cyber extortion payments within 72 hours. Effective from 30 May 2025, the law applies to businesses with an annual turnover of at least AUD $3 million, as well as all entities within the critical infrastructure sector.
If an organisation is a reporting entity, as defined under Part 3 of the Cyber Security Act 2024, it must submit a report via the Australian Signals Directorate (ASD) at cyber.gov.au/report within 72 hours of making a ransomware or cyber extortion payment, or of becoming aware that a payment has been made on its behalf.
The regulation covers both monetary and non-monetary payments made in response to ransomware or extortion demands, whether paid directly or via a third party. Reports must include key details such as the nature of the incident, the attacker’s demands, contact information, communications, the payment amount and any other relevant information.
The Department of Home Affairs will work with organisations to support the reporting process, identify challenges, and ensure smooth implementation. While the ASD will not enforce compliance within the first six months, it will support entities in responding to, mitigating, and recovering from cyber incidents.
This legislation aims to increase transparency and strengthen Australia’s cyber resilience by improving visibility of ransomware activity and informing future protective measures.
Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users to Run Malicious Code
Date: 2025-06-03
Author: The Hacker News
[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.3551/]
Cybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code.
The vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9 out of 10.0. It has been described as a case of post-authenticated remote code execution via PHP object deserialization.
Hewlett Packard Enterprise warns of critical StoreOnce auth bypass
Date: 2025-06-03
Author: Bleeping Computer
Hewlett Packard Enterprise (HPE) has issued a security bulletin to warn about eight vulnerabilities impacting StoreOnce, its disk-based backup and deduplication solution.
Among the flaws fixed this time are a critical-severity (CVSS v3.1 score: 9.8) authentication bypass vulnerability tracked as CVE-2025-37093, three remote code execution bugs, two directory traversal problems, and a server-side request forgery issue.
Microsoft and CrowdStrike Launch Shared Threat Actor Glossary to Cut Attribution Confusion
Date: 2025-06-03
Author: The Hacker News
Microsoft and CrowdStrike have announced that they are teaming up to align their individual threat actor taxonomies by publishing a new joint threat actor mapping.
"By mapping where our knowledge of these actors align, we will provide security professionals with the ability to connect insights faster and make decisions with greater confidence," Vasu Jakkal, corporate vice president at Microsoft Security, said.
The initiative is seen as a way to untangle the menagerie of nicknames that private cybersecurity vendors assign to various hacking groups, which are broadly categorised as nation-state, financially motivated, influence operations, private sector offensive actors, and emerging clusters.
New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch
Date: 2025-06-03
Author: The Hacker News
[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.3591/]
Google on Monday released out-of-band fixes to address three security issues in its Chrome browser, including one that it said has come under active exploitation in the wild.
The high-severity flaw is being tracked as CVE-2025-5419 (CVSS score: 8.8), and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine.
"Out-of-bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," reads the description of the bug on NIST's National Vulnerability Database (NVD).
Exploit details for max severity Cisco IOS XE flaw now public
Date: 2025-05-31
Author: Bleeping Computer
[Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.2902/]
Technical details about a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw tracked as CVE-2025-20188 have been made publicly available, bringing us closer to a working exploit.
The write-up by Horizon3 researchers does not contain a ready-to-run proof-of-concept RCE exploit script, but it does provide enough information for a skilled attacker, or even an LLM, to fill in the missing pieces.
Given the immediate risk of weaponization and widespread use in attacks, it is recommended that impacted users take action now to protect their endpoints.
ESB-2025.3572 – Splunk Universal Forwarder: CVSS (Max): 9.8
Splunk has addressed multiple critical and high-severity third-party package vulnerabilities in Universal Forwarder versions 9.1.9 to 9.4.2.
Users are advised to upgrade to the latest fixed versions and manually remove deprecated binaries if present.
ESB-2025.3573 – Splunk Enterprise: CVSS (Max): 9.8
Splunk has addressed multiple critical and high-severity CVEs by updating or removing third-party packages in Splunk Enterprise versions 9.4.2, 9.3.4, 9.2.6, and 9.1.9.
ESB-2025.3597 – Schneider Electric Wiser Home Automation: CVSS (Max): 9.8
A critical buffer overflow vulnerability in Schneider Electric's Wiser AvatarOn and Cuadro H 5P Socket devices could allow remote code injection or authentication bypass.
As these products are end-of-life, users are advised to disable firmware updates or remove them from service to mitigate risk.
ESB-2025.3659 – Cisco Identity Services Engine (ISE): CVSS (Max): 9.9
A critical vulnerability (CVE-2025-20286) in Cisco Identity Services Engine cloud deployments results in static credentials being shared across environments, enabling unauthenticated remote attackers to access or disrupt affected systems.
Only cloud-based Primary Admin nodes are affected; Cisco has released patches, with no workarounds available.
Stay safe, stay patched and have a good weekend!
The AUSCERT team