Microsoft Limits Some MAPP Sharing; MITRE Updates Most Important Hardware Weaknesses; CISA Solicits Comment on "Minimum Elements for a SBOM"

Microsoft's Active Protections Program (MAPP) provides certain software vendors with advance notification of vulnerabilities that will be patched in the upcoming weeks. These notifications have typically included proof-of-concept code, and participants are required to sign NDAs. It now appears that Microsoft will stop sharing proof-of-concept code with organizations in countries that require they share the information with their governments. Instead, the organizations in the countries in question will now receive "a more general written description" of vulnerabilities according to Bloomberg (paywall), which first reported the change in Microsoft's policy. Earlier this year it was suggested that information related to the SharePoint vulnerabilities was leaked prior to the patch release, leading to multiple compromises of vulnerable SharePoint servers around the world. The SharePoint vulnerabilities were initially addressed on July 8, 2025, in Microsoft's Patch Tuesday release for that month. Soon after, Microsoft admitted that the patches did not adequately address the vulnerabilities; they released new updates on July 21.

MITRE has released an updated list of the 2025 CWE™ Most Important Hardware Weaknesses (MIHW), updating the 2021 list. The new list comprises 11 items, including Sensitive Information in Resource Not Removed Before Reuse; Improper Isolation of Shared Resources on System-on-a-Chip (SoC); On-Chip Debug and Test Interface With Improper Access Control; and Hardware Internal or Debug Modes Allow Override of Locks. MITRE writes, "This update incorporates advancements in data collection and analysis, leveraging AI-assisted data collection alongside expert opinions from the Hardware CWE Special Interest Group (SIG), which includes subject matter experts from the hardware design, manufacturing, research, and security domains, as well as academia and government. This approach combines data-driven analysis with collaborative subject matter expertise."

The US Cybersecurity and Infrastructure Security Agency (CISA) is asking for input on draft guidance for software bills of materials (SBOMs). The revised document includes a number of significant changes to the previous version of "Minimum Elements for a SBOM," which the National Telecommunications and Information Administration (NTIA) published in 2021. CISA writes, "Additions introduced in this document (Component Hash, License, Tool Name, and Generation Context) provide information for improved risk-informed decisions regarding software security. This document also updates details around some elements (SBOM Author, Software Producer, Component Version, Software Identifiers, Coverage, and Accommodation of Updates to SBOM Data) to clarify the data expected in SBOMs for more uniform implementations. Other elements (Component Name, Timestamp, Dependency Relationship, Automation Support, Frequency, Known Unknowns, and Distribution and Delivery) update the earlier version of the elements to improve information quality and align with technological developments. This version removes the Access Controls element and incorporates access control considerations in Distribution and Delivery." The updated draft, which "incorporates lessons learned from increased SBOM generation and usage and provides an updated baseline for how software component information is documented and shared," was released for public comment on August 22, 2025; the comment period ends on October 3, 2025.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-43300, a zero-day Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability in the ImageIO framework, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw was disclosed and patched by Apple on August 20, 2025, and added to the KEV the following day. While further details of the exploitation have not been reported, Apple's security advisories state that the company "is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals." Rob Wright, Senior News Director at Dark Reading, notes examples of Apple choosing the term "sophisticated" in advisories related to nation-state threats and spyware. Users must update to iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8 to fix the flaw, and all Federal Civilian Executive Branch (FCEB) agencies must do so by September 11, 2025, per CISA's directive.

Data I/O, a global company providing "advanced data and security programming solutions for flash, flash-memory based intelligent devices and microcontrollers for automotive, Internet-of-Things, medical, wireless, consumer electronics, industrial controls, and other markets," has filed form 8-K with the US Securities and Exchange Commission, disclosing a ransomware attack that took place on August 16, 2025. The company proactively took certain platforms offline upon discovering the attack, also initiating its response protocols, securing its global IT systems, and engaging third-party cybersecurity experts to support recovery and investigation. Data I/O business operations have been disrupted, and while some functions have provisional restoration, there is not yet a timeline for full restoration of "internal/external communications, shipping, receiving, manufacturing production," and other services. The company anticipates third-party fees, restoration costs, and other expenses are "reasonably likely to have a material impact on the Company's results of operations and financial condition." Affected individuals and regulatory authorities will be notified based on the ongoing investigation as the scope, nature, and impact of the attack become clear.

Additional details have surfaced in the investigations of healthcare breaches that took place within the last year. Kidney dialysis provider DaVita notified the US Department of Health and Human Services Office for Civil Rights (HHS OCR) that almost 2.7 million people had sensitive data stolen in a ransomware attack that partially encrypted its network on April 12, 2025, but news sources have since heard from DaVita that the number may be closer to 2.4 million. DaVita says the data stolen may include "name, address, date of birth, social security number, health insurance-related information, and other identifiers internal to DaVita, as well as certain clinical information, such as health condition, other treatment information, and certain dialysis lab test results." Aspire Rural Health System of Michigan has reported to the Office of the Maine Attorney General and is notifying affected individuals that an unauthorized party had access to Aspire's internal network from approximately November 4, 2024, to January 6, 2025. Upon discovering the attack, Aspire initiated containment and began investigating alongside third-party experts, and determined by July 18, 2025 that nearly 140,000 people's personal data had been accessed. Aspire offers an information hotline staffed on weekdays and is offering complimentary credit monitoring membership those affected. CPAP Medical Supplies and Services has begun notifying people “of a data security incident that may affect the privacy of certain individuals’ information.” CPAP Medical became aware in June 2025 that the December 2024 breach affected “identifiable protected health and personal information.” The company has notified the HHS OCR that the incident affects more than 90,000 individuals.

The Maryland Transit Administration (MTA) and the Maryland Department of Information Technology (DoIT) are investigating a cybersecurity incident that has disrupted some elements of MTA's Mobility paratransit services. MRA's core services are operating normally, Mobility paratransit services are operational but are "unable to schedule new trips or rebook existing trips." The incident has also affected the availability of some real-time MTA information and the MTA call center. All previously scheduled Mobility services will be honored; MTA recommends that people requiring new rides contact Call-A-Ride.

The US state of Nevada is experiencing state website and online services outages due to a cybersecurity incident that began over the weekend. The state's main website and the Nevada Department of Public Safety’s website have been unavailable. The outage has also affected online portals and phone lines, leading to the suspension of some in-person services. Dispatch phone lines for Nevada's Highway Patrol and State Police have been unavailable. Emergency services are operational. Officials have not yet said if the outages are due to an attack or another cause.

In March 2025. Davis Lu was "convicted ... of causing intentional damage to protected computers." He had worked as a software developer at Beachwood, Ohio-based Eaton Corp. for nearly 12 years. Roughly a year prior to Lu's firing, a corporate restructuring reduced his responsibilities and access to company systems. In August 2019, Lu began sabotaging his employer’s systems in several ways, including introducing infinite loops, deleting co-worker profiles, and adding a "kill switch" that would lock all users out of the system if his Active Directory access credentials were revoked. When his position was terminated in September 2019, Eaton staff around the world were unable to access the company's network and some company data were deleted. Lu has been sentenced to four years in prison.