⚡ Weekly Recap: Windows 0-Day, VPN Exploits, Weaponized AI, Hijacked Antivirus and More


Attackers aren’t waiting for patches anymore — they are breaking in before defenses are ready. Trusted security tools are being hijacked to deliver malware. Even after a breach is detected and patched, some attackers stay hidden.

This week’s events show a hard truth: it’s not enough to react after an attack. You have to assume that any system you trust today could fail tomorrow. In a world where AI tools can be used against you and ransomware hits faster than ever, real protection means planning for things to go wrong — and still staying in control.

Check out this week’s update to find important threat news, helpful webinars, useful tools, and tips you can start using right away.

Windows 0-Day Exploited for Ransomware Attacks — A security flaw affecting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets, Microsoft revealed. The flaw, CVE-2025-29824, is a privilege escalation vulnerability that could allow an attacker to obtain SYSTEM privileges. An exploit for the vulnerability has been found to be delivered via a trojan called PipeMagic, with the unknown threat actors, tracked by Microsoft as Storm-2460, conducting credential harvesting and dropping a ransomware payload as part of post-compromise exploitation activities. The exact nature of the payload is unclear; however, the ransom note dropped after encryption included a TOR domain tied to the RansomEXX ransomware family. CVE-2025-29824 was addressed by Microsoft as part of its Patch Tuesday update for April 2025.

In cloud-native environments, the security of your code repositories and development pipelines is critical. Do you know the most pressing risks facing your organization today? By analyzing hundreds of thousands of repositories, the Wiz Threat Research team uncovered key vulnerabilities and attacker strategies in the new 2025 State of Code Security Report.

Key stats include:

Download the report to explore all the findings in detail and learn actionable strategies to protect your organization.

Attackers love software vulnerabilities—they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.

This week’s list includes — CVE-2025-3102 (OttoKit plugin), CVE-2025-23359 (NVIDIA Container Toolkit), CVE-2025-30406 (Gladinet CentreStack), CVE-2025-29824 (Windows Common Log File System), CVE-2024-48887 (Fortinet FortiSwitch), CVE-2024-53150, CVE-2024-53197 (Google Android), CVE-2025-2945 (pgAdmin), CVE-2025-2244 (Bitdefender GravityZone), CVE-2025-31334 (WinRAR), CVE-2025-30401 (WhatsApp for Windows), CVE-2025-23120 (Rockwell Automation Industrial Data Center), CVE-2025-25211, CVE-2025-26689 (Inaba Denki Sangyo CHOCO TEI WATCHER), CVE-2024-4872, CVE-2024-3980 (Hitachi Energy MicroSCADA Pro/X SYS600), CVE-2025-2636 (InstaWP Connect – 1-click WP Staging & Migration plugin), CVE-2025-3439 (Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin), and CVE-2025-31565 (WPSmartContracts plugin).

1️⃣ Learn to Detect and Block Hidden AI Tools in Your SaaS Stack — AI tools are quietly connecting to your SaaS apps — often without Security’s knowledge. Sensitive data is at risk. Manual tracking won’t keep up.

In this session, learn:

Join Dvir Sasson from Reco to get ahead of hidden AI threats.

2️⃣ Learn How to Secure Every Step of Your Identity Lifecycle — Identity is your new attack surface. AI-powered impersonation and deepfakes are breaking traditional defenses. Learn how to secure the full identity lifecycle — from enrollment to daily access to recovery — with phishing-resistant MFA, device trust, and Deepfake Defense™.

Join Beyond Identity and Nametag to stop account takeovers before they start.

Monitoring for Unauthorized Account Activations — Attackers are using a clever trick to stay hidden inside networks: reactivating the built-in Windows Guest account. Normally, this account is disabled and ignored by system admins. But when attackers enable it and set a new password, it blends in as part of the system — making it easy for them to quietly log in, escalate privileges, and even access devices remotely through RDP. Since the Guest account looks normal at first glance, many security teams miss it during reviews.

To catch this tactic early, monitor your security logs closely. Alert on Event ID 4722 ("A user account was enabled"), which is logged whenever a disabled account is re-enabled, including Guest; filter on the target account's name or, better, its SID, since the built-in Guest account always has the well-known RID 501 even if it has been renamed. Also track the use of native Windows tools like net.exe, wmic, and PowerShell for any commands that modify accounts. Pay special attention to any Guest account being added to privileged groups like Administrators or Remote Desktop Users (Event ID 4732 records additions to local security groups). Cross-check with your endpoint protection or EDR tools to spot changes outside normal maintenance windows.

If you find an active Guest account, assume it’s part of a larger breach. Check for signs of hidden accounts, unauthorized remote access tools, and changes to RDP settings. Regular threat hunting — even just checking that all default accounts are truly disabled — can break an attacker’s persistence before they move deeper into your environment.
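The hunt described above, written out as an added PowerShell example (this is not code from the article or from any vendor mentioned in it). It locates the built-in Guest account by its RID 501 rather than by name, checks whether it is enabled or sits in Administrators or Remote Desktop Users, and then pulls Security log events 4722 (account enabled), 4724 (password reset) and 4732 (member added to a local group) that target that SID. The 30-day lookback is an assumption; run it from an elevated session, because reading the Security log requires administrative rights.

```powershell
# Added example, not from the original article. Hunts for a re-enabled or
# privileged built-in Guest account on the local machine and for the Security
# log events that record how it got that way. Run elevated.

$lookbackDays = 30   # assumption: widen or narrow to match your hunt window

# 1. Identify Guest by its well-known RID (501) so a renamed account is still caught.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if (-not $guest) { throw "Built-in Guest account (RID 501) not found." }

if ($guest.Enabled) {
    Write-Warning "Built-in Guest account ('$($guest.Name)') is ENABLED. Last logon: $($guest.LastLogon)"
} else {
    Write-Output "Built-in Guest account ('$($guest.Name)') is disabled."
}

# 2. Check privileged local group membership by SID, not display name.
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    if ($members | Where-Object { $_.SID.Value -eq $guest.SID.Value }) {
        Write-Warning "Guest ('$($guest.Name)') is a member of '$group'."
    }
}

# 3. Pull the account-change events and keep only those that target the Guest SID.
#    4722: user account enabled; 4724: password reset attempted; 4732: member added
#    to a security-enabled local group. Field names below are the standard event data.
$filter = @{
    LogName   = 'Security'
    Id        = 4722, 4724, 4732
    StartTime = (Get-Date).AddDays(-$lookbackDays)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$findings = foreach ($ev in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4722/4724 carry the affected account in TargetSid; 4732 carries it in MemberSid.
    $subjectSid = if ($ev.Id -eq 4732) { $data['MemberSid'] } else { $data['TargetSid'] }
    if ($subjectSid -ne $guest.SID.Value) { continue }

    $detail = switch ($ev.Id) {
        4722 { 'Guest account enabled' }
        4724 { 'Guest password reset' }
        4732 { "Guest added to group '$($data['TargetUserName'])'" }
    }

    [pscustomobject]@{
        Time    = $ev.TimeCreated
        EventId = $ev.Id
        Actor   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Detail  = $detail
    }
}

if ($findings) {
    Write-Warning "Guest account changes in the last $lookbackDays days:"
    $findings | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No 4722/4724/4732 events targeting the Guest SID in the last $lookbackDays days."
}
```

Any hit here is a lead, not a verdict: compare the Actor column against your change tickets and maintenance windows, and treat an enablement performed by an unexpected account, or outside those windows, as the start of a wider investigation into persistence and RDP changes.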

Every breach, every evasion technique, and every new tool attackers use is also a learning opportunity. If you’re in cybersecurity today, your advantage isn’t just your tech stack — it’s how quickly you adapt.

Take one tactic you saw in this week’s update — privilege escalation, AI misuse, stealth persistence — and use it as a reason to strengthen a weak spot you’ve been putting off. Defense is a race, but improvement is a choice.
