SAP NetWeaver Critical Unrestricted File Upload Flaw; Malicious Chargers Could Bypass Mobile USB Security; Power Outage in Portugal, Spain, and France; 20th Anniversary of ICS Summit

Twenty years ago, Alan Paller, the founder of the SANS Institute, and Mike Assante, an industry leader shaping critical infrastructure cybersecurity defense, collaborated on their vision of an event to bring together the ICS/OT community of practitioners to share information, approaches, lessons learned, and actionable information that would immediately make a difference as participants returned to work securing essential services, and from these two leaders the SANS ICS Summits were born. Over the 20 years of Summits, the event format has changed to meet attendees where they are in an ever-changing environment of regulation, threats, defense capabilities, technology innovations, and industry dynamic growth. As the summits adapted we saw increasing changes from year to year in the talks delivered, in the inclusion of immersive training courses, competitions, vendors, solution providers, and practitioner what works sessions, all the while remaining in line with the underlying mission of why the Summits were created: Help the defenders of the most critical systems that impact our lives. The 20th anniversary summit is a must-attend event with two days of topic-focused workshops led by SANS instructors covering emerging ICS/OT cybersecurity topics tuned to attendee roles and experience, as well as a full day of asset owner and operator practitioner-delivered talks. These three days of summit will inform, equip, and enable attendees with tactical and strategic actions to immediately pursue. This is not just another ICS cybersecurity conference -- for practitioners fighting the fight, this is your event.

- Tim Conway, SANS Fellow & Summit Co-Chair

https://www.sans.org/cyber-security-training-events/ics-security-summit-2025/

https://www.sans.org/about/awards/assante/

German enterprise software company Systemanalyse Programmentwicklung (SAP) has issued an emergency patch for a vulnerability in SAP NetWeaver Visual Composer Framework 7.50 after researchers from ReliaQuest discovered the flaw under exploitation. CVE-2025-31324, CVSS score 10.0, allows an unauthenticated agent to compromise the "confidentiality, integrity, and availability" of a system by uploading malicious executable binaries, due to a missing authorization check in the SAP NetWeaver Visual Composer Metadata Uploader component. While SAP has made statements disputing successful exploitation, Onapsis and watchTowr have also confirmed active exploitation, observing attackers using the vulnerability to drop web shell backdoors onto vulnerable systems. SAP's April 2025 "Patch Day" update release does not include the fix for CVE-2025-31324, so users must apply the separately released update, or if updates are not possible take mitigation measures: disable Visual Composer, disable the application alias "developmentserver," Forward SAP NetWeaver logs to a centralized system, and review for suspicious files. ReliaQuest notes "SAP solutions are often used by government agencies and enterprises, making them high-value targets for attackers."

In a forthcoming paper, researchers from Austria's Graz University of Technology demonstrate three means of bypassing mobile devices' USB security meant to defend against a malicious charger connection, successfully accessing files or achieving code execution on iOS and Android devices from eight major vendors, with two cases even allowing file extraction from locked devices. Dubbed "choicejacking" -- after Brian Krebs's 2011 coined term "juicejacking" for malicious USB charger attacks -- the researchers' attack techniques are effective against the standard juicejacking mitigation of requiring user consent to establish a data connection. The paper states that the researchers' presentation of multiple attack techniques "intends to provoke a more wholistic way of thinking about dual-role USB and connectivity adversaries in mobile platforms." The researchers suggest existing mitigations such as USB data blockers, user authentication for critical security functions, and lockdown mode, and they urge the creation of consent prompts for USB and accessory input devices, stating that "default trust in USB input devices and accessories needs to be cut." Devices running Android 15 and later and iOS/iPadOS 18.4 and later include updated confirmation dialogs requiring additional authentication. Dan Goodin of Ars Technica notes that there have been no documented cases of juicejacking nor choicejacking in the wild.

The governments of Spain and Portugal have declared states of emergency following a massive power outage affecting the Iberian peninsula on Monday, April 28. While there is no clear answer as to what caused the outage in Spain, Portugal, and parts of France, former Portuguese Prime Minister and current European Council president Pedro Sanchez said there is no indication that it was due to a cyberattack. Power is returning in some of the affected areas. The outage disrupted train, metro, and airport services; hospitals have been relying on emergency generators.

On April 25, 2025, UK retailer Marks & Spencer (M&S) posted a further update on the cyber incident reported April 22, 2025. The company states that in addition to the suspension of "Click & Collect" orders and contactless payments, they have now "made the decision to pause taking orders via [the] M&S.com websites and apps," though the website remains up for browsing, and stores remain open. The company is continuing to investigate and restore online and app shopping, and will notify customers if any action is required on their part. Additionally, about 200 agency-employed M&S employees at the Castle Donington clothing and homewares logistics centre have had their work shifts cancelled. The nature and full scope of the incident have not been disclosed.

Johannesburg-based telecommunications company MTN Group disclosed "a cybersecurity incident that resulted in unauthorised access to personal information of some MTN customers in certain markets." MTN says their billing and financial infrastructure appears to be unaffected. The company has reported the incident to law enforcement and is supporting their investigations. MTN has approximately 288 million customers in more than 20 countries.

Houston-based employee benefits administrator VeriSource Services has begun notifying four million individuals that their personal information was compromised in a February 2024 breach. In an August 2024 filing with the US Department of Health and Human Services Office for Civil Rights (HHS OCR) VeriSource said the incident affected about 112,000 individuals; in a notification filed earlier this month with the Maine Attorney general, the number of affected individuals was listed as four million. VeriSource said it took them until the middle of April to determine who was affected by the breach.

In the wake of a cyber incident that rendered servers unresponsive, the city of Abilene, Texas, has temporarily suspended Texas State Public Information Act requirements, which "requires government bodies to release information in response to formal requests." Texas state statute allows a suspension of these requirements in the event of a catastrophe, which is defined as "fire, flood, earthquake, hurricane, tornado, or wind, rain, or snow storm; power failure, transportation failure, or interruption of communication facilities; epidemic; or riot, civil disturbance, enemy attack, or other actual or threatened act of lawlessness or violence."

Threat actors are targeting WooCommerce users in a phishing campaign that uses a phony patch as bait. The security alert arrives as an email urging the users to download a patch for a critical unauthenticated administrative access vulnerability. The message exhorts users to visit a malicious site that is disguised as the WooCommerce website using an internationalized domain name (IDN) homograph attack, which uses characters from other alphabets to appear legitimate. If users download the patch as instructed, the malicious website instead downloads malware that allows the attackers to take control of the user s site.