CVE Program Regains Threatened Funding; CISA Urges Caution After Oracle Breach; UK ICO Fines Law Firm for 2022 Data Theft

On April 15, 2025, research non-profit MITRE announced that the US federal government had not renewed its contract, meaning funding for the Common Vulnerabilities and Exposures (CVE) program and Common Weakness Enumeration (CWE) program would expire on April 16, threatening breaks in those programs' services. However, hours after the announcement, the Cybersecurity and Infrastructure Security Agency (CISA) "executed the option period on the contract to ensure there will be no lapse in critical CVE services," extending the contract by 11 months. The following day CVE board members announced the creation of a non-profit CVE Foundation to support the long-term "sustainability and neutrality of a globally relied-upon resource" supplementing the formerly "single government sponsor." MITRE's Vice President Yosry Barsoum stated that lapses in the CVE and CWE programs could cause "deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure." The CVE program has been in place since 1999, serving to "identify, define, and catalog publicly disclosed cybersecurity vulnerabilities" in a standardized system administered by over 450 CVE Numbering Authorities (CNAs) in 40 countries, cataloging over 40,000 new vulnerabilities in 2024 alone.

The Cybersecurity and Infrastructure Security Agency (CISA) has published "Guidance on Credential Risks Associated with Potential Legacy Oracle Cloud Compromise," urging action to protect organizations and individual users from further compromise in light of almost a month of reports of a March 2025 data breach of Oracle Cloud still broadly denied by the company. While the latest statement from Oracle asserts "Oracle Cloud Ñ also known as Oracle Cloud Infrastructure or OCI Ñ has NOT experienced a security breach," the company confirms that usernames and encrypted/hashed passwords were stolen and leaked from two "obsolete" servers, and selections of leaked data have been independently confirmed as genuine by Oracle Cloud customers. CISA's guidance warns of the potential risks of credentials being "exposed, reused across separate, unaffiliated systems, or embedded (i.e., hardcoded into scripts, applications, infrastructure templates, or automation tools)," noting that threat actors might use these credentials for privilege escalation and lateral movement, cloud and identity management access, phishing and business email compromise (BEC), or for resale or targeted intrusions, possibly alongside prior breach information. Organizations should reset passwords; review code, templates, scripts, and configuration files for hardcoded/embedded credentials; monitor authentication logs; enforce phishing-resistant MFA; and review security best practices. Users should update and strengthen passwords; enable phishing-resistant MFA; and be vigilant against phishing attempts. CISA offers a 24/7 Operations Center email address and phone number for reporting incidents and anomalous activity.

The UK Information Commissioner's Office (ICO) has imposed a £60,000 (USD 80,000) fine against DDP Law Ltd following the theft of 32 GB of personal data from its systems.

The incident occurred in June 2022. The DDP was unaware of the data theft until the National Crime Agency notified them that client information has been posted on the dark web. ICO said that DDP had not "put appropriate measures in place to ensure the security of personal information held electronically." According to the penalty notice, "DPP told the Commissioner that, following an analysis of log files by a third party consulting firm, there was evidence to suggest brute force attempts on its network as early as 19 February 2022. This occurred a further 12 times and there were in total 400 attempts to gain access to the network. The brute force incidents were targeted at an administrator account for a legacy case management system É which was only available online sporadically." At the time of the attack, the account was not protected with multi-factor authentication. While DDP was aware their systems were affected by a ransomware attack at the time, they did not believe that any data have been stolen after reviewing firewall and server logs. The firewall logs did not record egress data flows. DDP has said they disagree with the ICOÕs assessment and will appeal the decision.

Apple has published security bulletins announcing fixes for two flaws, one in the CoreAudio framework and one in the Reconfigurable Processing Architecture Core (RPAC) component, both of which have reportedly been exploited as zero days "against specific targeted individuals on iOS." CVE-2025-31200, CVSS score 7.5, would allow an attacker using a maliciously crafted media file to execute code when the Core Audio framework is processing the audio stream, due to a memory corruption vulnerability. Discovery of this flaw is credited to the Google Threat Analysis team and is addressed in the update by "improved bounds checking." CVE-2025-31201, CVSS score 6.8, would allow an attacker with arbitrary read and write capability to bypass Pointer Authentication (PAC) due to a flaw in RPAC. This flaw was discovered by Apple, and is addressed in the update by removing the vulnerable code. Devices affected by these vulnerabilities are: iPhone XS and later; iPad Pro 13-inch, iPad Pro 13.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later; machines running macOS Sequoia; all models of Apple TV HD and Apple TV 4K; and Apple Vision Pro. The flaws are fixed in iOS 18.4.1, iPadOS 18.4.1, tvOS 18.4.1, macOS Sequoia 15.4.1, and visionOS 2.4.1.

Landmark Admin, a US provider of administrative systems for insurance companies, is now informing regulators and affected individuals that a data breach first disclosed in October 2024 actually involved the theft of data belonging to over 1.6 million people, more than twice the originally estimated number. Landmark's IT vendor detected the breach and data exfiltration in May 2024, and immediately disconnected the affected systems and all remote network access. Investigation indicated that unauthorized system access occurred using valid credentials via the VPN. Landmark then detected a second breach and data exfiltration in June 2024, and further investigation showed that unauthorized access had occurred from May 13 to June 17, 2024, including encryption of systems by the threat actor. While information varies by individual, the stolen data may include: "full name; address; Social Security number; tax identification number; driversÕ license number/government-issued identification card number; picture of driversÕ license number/government issued identification card; bank account and routing number; medical and/or health information; health insurance policy number; health claim, date of birth, life and annuity policy information, life insurance policy application, and insurance benefit payment amount and payees." Landmark's subsequent security measures include new hardened servers; a new firewall; a new external IP address from a new ISP; new domain controllers, account naming conventions, and passwords; use of BitLocker; reimaging and updates for printers, network switches, and IoT devices; and a strengthened security posture including training, restriction to points of access, and MFA. The compromised system was disconnected and replaced rather than reconnected. Landmark is offering credit monitoring, identity theft protection services, and a $1 million insurance reimbursement policy to affected individuals.

Citing security concerns, Microsoft writes that ActiveX, which made its debut nearly 30 years ago, will be blocked by default in Microsoft 365 starting this month. The new default configuration, "disable all controls without notification," will replace the previous default setting, "prompt me before enabling all controls with minimal restrictions." When users open a file containing ActiveX controls, they will see a message notifying them that the file contains blocked content with an option to learn more. "When ActiveX is disabled, you will no longer be able to create or interact with ActiveX objects in Microsoft 365 files. Some existing ActiveX objects will still be visible as a static image, but it will not be possible to interact with them." Users who want to enable ActiveX controls can make that change in the Trust Center.

Researchers from Check Point have detected active exploit of a recently-disclosed vulnerability in Microsoft NTLM (NT LAN Manager). The flaw, CVE-2025-24054, is a hash disclosure spoofing vulnerability. The attacks exploiting the flaw began just over a week after Microsoft released a fix on March 11, 2025. Check Point says the attackers' first targets included government and private organizations in Poland and Romania.

Researchers Fabian BŠumer, Marcel Maehren, Marcus Brinkmann, and Jšrg Schwenk from Ruhr University Bochum in Germany have discovered a critical vulnerability in the Erlang/OTP SSH implementation that could be exploited to achieve unauthenticated remote code execution. The researchers note that "If your application uses Erlang/OTP SSH to provide remote access, assume you are affected." The flaw could allow attackers to access and manipulate sensitive data or create denial-of-service conditions. The issue is fixed in OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20; as a workaround, users can prevent access to vulnerable SSH servers with firewall rules.

Citing evidence of active exploitation, the US Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in SonicWall Secure Mobile Access (SMA) 100 Series appliances to the Known Exploited Vulnerabilities (KEV) catalog. The authenticated arbitrary command execution vulnerability was initially disclosed in September 2021, at which time SonicWall released updates to address the issue. SonicWall has updated the original advisory to include a warning about the active exploitation and an updated CVSS score.