Windows Server 2025 Vulnerable in Active Directory; "Likely Exploited Vulnerabilities" Augments EPSS and KEV; Marks & Spencer Breach May Cost £300M in Profits

In a blog post, Akamai researcher Yuval Gordon describes a privilege elevation vulnerability affecting Windows Server 2025 that can be exploited to compromise users in Active Directory (AD). Dubbed BadSuccessor, "the attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement." There is currently no fix available for this vulnerability. Gordon's write-up includes detection and mitigation strategies.

On May 19, 2025, Peter Mell of the US National Institute of Standards and Technology (NIST) and Jonathan Spring of the US Cybersecurity and Infrastructure Security Agency (CISA) published a white paper proposing a new security calculation dubbed the "Likely Exploited Vulnerabilities" (LEV) metric, using Exploit Prediction Scoring System (EPSS) data and associated variables to provide "a daily-updated probability for each CVE with the likelihood that the CVE has been observed to be exploited in the wild at some point in the past." LEV is meant to augment and refine the use of EPSS and Known Exploited Vulnerabilities (KEV), not to replace them, and the white paper offers initial use cases for LEV: to measure the expected number and proportion of CVEs that have been exploited; to estimate KEV list comprehensiveness; and to enhance the process of prioritizing vulnerabilities for remediation by identifying high priority flaws that may be missing from KEV lists or under-scored by EPSS. The authors note that "collaboration with industry is necessary to provide necessary performance measurements."

British retailer Marks & Spencer (M&S) says it expects to record losses of £300M (US$400M) as a result of a cyberattack that disrupted the company's operations. In a filing with the London Stock Exchange, M&S writes that the "current estimate before mitigation is an impact on Group operating profit of around £300m for 2025/26, which will be reduced through management of costs, insurance and other trading actions." The company says that the effects of the attacks, which include losses in food sales and the unavailability of online retail shopping, are expected to last into July.

19-year-old Matthew Lane of Worcester Massachusetts has been charged and has agreed to plead guilty to "one count each of cyber extortion conspiracy; cyber extortion; unauthorized access to protected computers; and aggravated identity theft" associated with unauthorized access and data theft from two unnamed companies, one "US-based telecommunications company" and one "cloud storage company that served school systems in the United States, Canada, and elsewhere." After working with unknown conspirators in an unsuccessful attempt to extort the telecom company over threats to leak stolen data, Lane used stolen credentials to access the educational cloud storage company's network, exfiltrating student and teacher data to a server leased in Ukraine, threatening to leak "names, email addresses, phone numbers, Social Security numbers, dates of birth, medical information, residential addresses, parent and guardian information, and passwords, among other data, of more than 60 million students and 10 million teachers," demanding approximately US $2.85M in cryptocurrency. The details of this case align with the breach of PowerSchool's Student Information System via stolen credentials for the PowerSource support platform between August and December 2024. PowerSchool confirmed in early May 2025 that they had paid an undisclosed ransom, but individual schools received extortion demands nonetheless. Lane's mandatory minimum sentence for aggravated identity theft is two years in prison, consecutive with up to five years each for the other three charges, as well as fines.

Critical vulnerabilities have been reported in the Motors WordPress theme and the Crawlomatic plugin for WordPress. A privilege elevation vulnerability in the Motors theme is due to an unverified password change issue. The flaw affects all versions of the Motors theme through 5.6.67. The themes developers released an updated version of Motors on May 14; users are advised to update to Motors version 5.6.68 or newer. "The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1." The flaw affects all versions of the Crawlomatic Multipage Scraper Post Generator plugin through 2.6.8.1; users are advised to update to version 2.6.8.2 or newer.

Broadcom has released a pair of security bulletins to address a total of seven vulnerabilities in VMware Cloud Foundation, VMware ESXi, vCenter Server, Workstation, and Fusion. The first bulletin, VMSA-2025-0009, addresses three flaws in VMware Cloud Foundation, which were reported to Broadcom by the NATO Cyber Security Centre (NCSC): a directory traversal vulnerability, an information disclosure vulnerability, and a missing authorization vulnerability. All three are rated important. The second bulletin, VMSA-2025-0010, addresses four flaws affecting VMware ESXi, vCenter Server, Workstation, and Fusion.

Legislators in the Netherlands have expanded their laws concerning the criminalization of espionage to include cyber espionage and "and other activities carried out on behalf of foreign states that may harm Dutch national interests." According to the Dutch National Coordinator for Security and Counterterrorism, "Legislation already existed that criminalized classic espionage, such as sharing state secrets. But forms and use of espionage are changing. Also, if a person leaks sensitive information to a foreign government that is not a state secret, or if someone secretly carries out actions for a foreign government, this will be punishable from 15 May if it can seriously harm Dutch interests."

In an international effort, Europol's European Cybercrime Centre, Microsoft, the US Department of Justice, Japan's Cybercrime Control Center and tech firms Lumen, Cloudflare, and Bitsight, took down the infrastructure supporting the info stealer known as Lumma. Europol writes, "Between 16 March and 16 May 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. In a coordinated follow-up operation this week, MicrosoftÕs Digital Crimes Unit (DCU), Europol, and international partners have disrupted Lumma's technical infrastructure, cutting off communications between the malicious tool and victims. In addition, over 1,300 domains seized by or transferred to Microsoft, including 300 domains actioned by law enforcement with the support of Europol, will be redirected to Microsoft sinkholes."

On the morning of Tuesday, May 20, The Kettering Health healthcare network in Ohio suffered a cyberattack that has disrupted operations, including cancellations of both inpatient and outpatient elective procedures. Kettering's emergency rooms and clinics have remained open to patients. In addition, Kettering's call center was temporarily unavailable. Some patients reported receiving calls asking for payment card information related to Kettering Health medical expenses; Kettering acknowledged that these were scam calls and noted that "While it is customary for Kettering Health to contact patients by phone to discuss payment options for medical bills, out of an abundance of caution, we will not be making calls to ask for or receive payment over the phone until further notice." Kettering Health "operates 14 medical centers in Ohio ... [and] manages emergency centers and over 120 outpatient facilities across western Ohio."

Cellcom, a wireless service provider based in Wisconsin, has disclosed that they experienced a cyber incident that caused service outages and disruptions that began on May 14. The event left Cellcom subscribers in Wisconsin and Upper Michigan without the ability to place phone calls or send text messages. Initially, Cellcom had said the disruption was due to a technical issue. Users reported they were unable to port their mobile phone numbers to other carriers. As of Wednesday, May 21, Cellcom did not have an estimated time for full service recovery.