European Union Vulnerability Database Launches; Security Updates: Microsoft, Adobe, Juniper, VMWare, and Zoom

The European Union Agency for Cybersecurity's (ENISA's) European Vulnerability Database (EUVD) launched officially on Tuesday, May 13, after its announcement in June, 2024 as part of the EU's Network and Information Systems Directive 2 (NIS2). The dashboard provides three lists: critical vulnerabilities, exploited vulnerabilities, and vulnerabilities coordinated by the EU's CSIRTs network. The EUVD is an analog to the US Department of Homeland Security's Common Vulnerabilities and Exposures (CVE) program, and is itself a CVE Numbering Authority (CNA). Just under a month prior to the launch of the EUVD, the CVE program received an 11-month extension to its funding from the US Cybersecurity and Infrastructure Security Agency (CISA), when supporting research non-profit MITRE announced that funding would expire within 24 hours, leaving the fate of the program uncertain. ENISA has stated that it is "in contact with MITRE to understand the impact and next steps following the announcement on the funding to the Common Vulnerabilities and Exposures Program."

On Tuesday. May 13, Microsoft released updates to address about 70 security issues. Of those, 11 are rated critical. Five of the vulnerabilities, all rated important, have been actively exploited, and another two have proof-of-concept exploits available. The actively exploited flaws include four privilege elevation vulnerabilities: two affecting the Windows Common Log File System, another in Windows Ancillary Function Driver, and the fourth in the Desktop Window Manager library for Windows. The fifth is a remote code execution vulnerability in the Microsoft Scripting Engine.

Other vendors that released security updates this week include Adobe, Juniper, VMware, and Zoom. Adobe released fixes for nearly 40 security issues across their product line, including seven critical vulnerabilities affecting ColdFusion, three critical vulnerabilities in Photoshop, and additional critical flaws in Adobe Illustrator, Lightroom, Dreamweaver, Connect, InDesign, Substance 3D Painter, Bridge, and Dimension. Juniper has addressed nearly 90 vulnerabilities in Juniper Networks Juniper Secure Analytics from 7.5.0 before 7.5.0 UP11 IF02; users are urged to update to 7.5.0 UP11 IF03. VMware released two advisories: one for a high-severity cross-site scripting vulnerability in the VMware Aria automation appliance and another for a medium-severity insecure file handling vulnerability in VMware Tools. Zoom released advisories to address nine vulnerabilities, including a "time-of-check time-of-use race condition in some Zoom Workplace Apps [that] may allow an authenticated user to conduct an escalation of privilege via local access."

Gartner's May 2025 Infrastructure, Operations & Cloud Strategies Conference in Sydney, Australia included a session by VP Analyst Craig Lawson titled "We Can't Patch Our Way Out of Threat Debt." Lawson suggests that organizations are better protected through measured "cohabitation" with unpatched systems whose flaws can be ameliorated by collaborative planning and corrective controls, using patching as one deliberate control, rather than through arbitrary immediate implementation of every patch. Fear of "threat debt," summarized by The Register as "a measure of technical debt focused on known but unfixed security exposures," may lead organizations to devote resources to rapidly applying patches that do not yield improved defenses and may sometimes cause unintended damage. Lawson states that "nobody has ever out-patched threat actors at scale," noting that attackers exploit only between eight and nine percent of vulnerabilities and may avoid critical-severity flaws and zero-days. He proposes that all teams with a stake in an organization's security posture, including IT operations, security teams, and applications teams, collaborate on a tailored plan for compensating controls and triaged patching, developing a "cohabitation metric" and determining the "individual treatment" needed: "You don't make a population healthy by giving everyone an aspirin."

Google has updated the Chrome table Channel for Desktop to version 136.0.7103.113/.114 for Windows, Mac and 136.0.7103.113 for Linux to address four security issues, including one (CVE-2025-4664) for which an exploit exists in the wild. According to the NIST CVE detail, the high-severity vulnerability is due to an "insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 [that] allowed a remote attacker to leak cross-origin data via a crafted HTML page." The vulnerability is one of two that were externally reported to Google. The second is a high-severity issue related to an "incorrect handle provided in unspecified circumstances in Mojo."

Android 16 will include integrated Advanced Protection, a lockdown feature which was previously available for Google account holders, and which will now be available as "a device-level security setting." Advanced protection for Android also "securely backs up device logs in a privacy-preserving and tamper-resistant way, accessible only to the user. These logs enable a forensic analysis if a device compromise is ever suspected.Ó Google is introducing a host of additional security features in Android, including AI-enhanced scam detection tools for Google Messages that operate on Android devices, and restrictions on dangerous actions when users are on calls with people who are not on their contact lists. Android will also see a pilot of improved in-call security for banking apps.

On May 13, 2025, UK retailer Marks & Spencer (M&S) filed an updated statement with the London Stock Exchange (LSE) to disclose that the cyber incident first reported on April 22, 2025 led to customer data being stolen. The update states "the data does not include useable payment or card details, which we do not hold on our systems, and it does not include any account passwords. There is no evidence that this data has been shared." An FAQ page on the company's website clarifies that "The personal data taken could include contact details - such as name, email address, addresses, telephone number - date of birth, online order history, household information and 'masked' payment card details used for online purchases. For clarity and reassurance, M&S does not hold full payment card details on its systems, which is why we use the term 'masked'." Customer reference numbers for M&S credit card or Spark Pay services may also have been taken, but these are not payment details. Customers will be prompted at their next visit or login to reset their M&S account password "for extra peace of mind," though the company says there is no need to take any action. M&S recommends customers take caution with links in messages, use strong and unique passwords, update devices regularly, and consult the UK National Cyber Security Centre (NCSC) website. The Record reports information from the Financial Times that M&S may file a cyber insurance claim of £100 million (US $133 million). Researchers at Google Threat Intelligence Group also believe the threat actor suspected to be responsible for the recent attacks on multiple UK retailers may now be targeting US companies.

Austrian privacy non-profit noyb - European Center for Digital Rights ("None Of Your Business") sent a cease-and-desist letter on May 14, 2025, "giving Meta the opportunity to avoid litigation," asserting that the company's treatment of EU citizens' data for AI training represents breaches of requirements and infringements on rights set out in the General Data Protection Regulation (GDPR). Max Schrems, Chairperson of noyb, denounces Meta's use of an opt-out system rather than the GDPR's required "freely given, specific, informed and unambiguous" opt-in for users to consent to their data being used. Meta will additionally require users who already opted out in 2024 to opt out a second time. The company claims "legitimate interest" to justify collection of data without consent, but Schrems notes that "The European Court of Justice has already held that Meta cannot claim a 'legitimate interest' in targeting users with advertising," contrasting the claim with an unambiguous "legitimate interest" of banks recording CCTV security footage. Schrems also believes the nature of Meta's social media platforms and AI models will make them unlikely to be capable of complying with GDPR rights "like the right to be forgotten, the right to have incorrect data rectified or to give users access to their data in an AI system." noyb urges that Meta ask users for opt-in consent to avoid the possible consequences of injunctions, such as deletion of the offending AI system and increased damage claims by users, and of class action lawsuits with possible damages in Euros estimated in the billions. Schrems criticizes national Data Protection Authorities (DPAs) for shifting the burden of responsibility onto users to opt out rather than working to regulate companies conducting AI training without consent. Meta characterizes noyb as part of "a vocal minority of activist groups" encouraging regulation that interferes with Europe's place in the "global AI race," while noyb contends it is "absurd to argue that Meta needs the personal data of everyone that uses Facebook or Instagram in the past 20 years to train AI."

Industry stakeholders testified before a US House Homeland Security Committee's Subcommittee on Cybersecurity and Infrastructure Protection hearing, urging legislators to renew the 2015 Cybersecurity Information Sharing Act. The law, which "allows industry to voluntarily share information about cybersecurity threats with the government, with liability safeguards in place that prevent firms from incurring legal actions that may arise from sharing sensitive data," is set to expire in September 2025.

In a filing with the US Securities and Exchange Commission, North Carolina-based steel producer Nucor Corporation disclosed "a cybersecurity incident involving unauthorized third party access to certain information technology systems." As a result of the incident, Nucor took some of its systems offline, which has led to temporary suspension of operations at several locations. Nucor bills itself as "North America's largest steel manufacturer and recycler."