Dariusz Socha | Cybersecurity Architect | NIS2
May 2025

19 Jun, 2025

May 2025 under the Microscope: Rising Cyber-Threats, Record-Breaking Vulnerabilities and New Target Sectors

Early summer may signal relaxation for many industries, but in cyberspace May was another sizzling month. A surge of critical vulnerabilities and headline-grabbing incidents —from the Marks & Spencer breach to the ConnectWise compromise—proved that adversaries aren’t slowing down.

1. Key Events of May 2025

  • Marks & Spencer pegs cyber-attack cost at £300 million – The retailer revealed that, after a supplier breach, online sales were halted for 46 days; full service restoration is due in July 2025

  • CISA releases 22 ICS advisories in a single day – On 15 May the agency published a record batch of alerts for industrial systems, highlighting OT risk growth

  • Cisco patches CVE-2025-20188 (CVSS 10.0) in Wireless LAN Controllers; a public PoC dropped on 31 May

  • FBI: Play ransomware tops 900 victims – By May the gang had compromised more than 900 organisations

  • Suspected state-sponsored attack on ConnectWise – ScreenConnect provider confirmed a 29 May breach affecting some cloud customers

2. Top Attacks of May 2025

2.1 Marks & Spencer (retail, UK)

  • Vector: spear-phishing a third-party IT vendor → hijacked VPN account

  • Impact: 6-week e-commerce outage, 13 % share-price drop, projected £300 million operating-profit hit

  • Mitigation/Response: review of 600 systems, aggressive network segmentation, accelerated SaaS supplier code audit.

“The attack showed that today the supply chain is weaker than the most expensive firewalls.” – Stuart Machin, CEO, M&S

2.2 Coca-Cola (FMCG manufacturing)

  • Vector: data leak after ransom refusal; Everest ransomware posted samples on 22 May

  • Impact: exposure of 959 employees’ data at a Middle-East distributor; GDPR scrutiny.

  • Recommended controls: immediate password rotation, MFA, isolation of affected HR servers.

2.3 Kettering Health (14 hospitals, USA)

  • Vector: Interlock ransomware, likely RDP exploit

  • Impact: EHR outage, elective surgeries cancelled, switch to paper charts; 941 GB of patient data leaked

  • Mitigation: clinical-network segmentation, ≤ 24 h backup-restore tests, tabletop IR drills.

2.4 ConnectWise (MSP vendor, USA)

  • Vector: ASP.NET exploit in ScreenConnect (suspected APT)

  • Impact: access to some customer instances, supply-chain risk; forced certificate rotation.

  • Recommendations: upgrade to the latest build, monitor ScreenConnect audit logs, deploy YARA for published IoCs.

2.5 Gob.pe – Peruvian government portal

  • Vector: Rhysida ransomware; 5 BTC demanded to keep stolen docs private

  • Impact: temporary service outage, risk of regional tax-data exposure.

  • Counter-actions: government denied core-platform compromise, launched SIEM audit and WAF hardening.

3. New Vulnerabilities and Patches

CVE (CVSS criticality) – Description. Recommendations

  • CVE-2025-20188 (CVSS 10.0) – Hard-coded JWT in Cisco IOS XE WLC; unauthenticated RCE. Recommendations: firmware upgrade; ACL blocking the AP-download interface

  • CVE-2025-30065 (CVSS 10.0) – Deserialisation flaw in Apache Parquet; RCE via crafted file. Recommendations: upgrade to 1.15.1; file-extension filtering, sandboxed I/O

  • CVE-2025-3248 (CVSS 9.8) – Langflow: unauthorised /validate/code endpoint; full RCE. Recommendations: update to ≥ 1.3.0, isolate the server in a VPC, reverse proxy with MFA

  • CVE-2025-29824 (CVSS 7.8) – Windows CLFS LPE, zero-day used by Play & RansomEXX. Recommendations: April + May Patch Tuesday updates; disable PipeMagic, EDR click-to-run

  • CVE-2025-4632 (CVSS 9.8) – Samsung MagicINFO 9 path traversal; arbitrary file read. Recommendations: vendor patch, WAF regex “../../../”, restrict WAN interfaces

In May CISA added three flaws to the KEV catalogue on 15 May and six more on 19 May: nine actively exploited vulnerabilities to patch within 21 days.

4. Statistics

  • 900 confirmed Play ransomware victims (FBI, May 2025)

  • 70 vulnerabilities (including 5 zero-days) fixed by Microsoft on 14 May Patch Tuesday

  • 22 ICS advisories issued by CISA on 15 May—single-day record

  • 9 new KEV entries in one week (15–19 May), the fastest pace in 2025

  • 97 billion+ exploitation attempts logged by FortiGuard in 2025; YoY increase 42 %

  • 4 days – median ransomware dwell time (Sophos Active Adversary Report 2025)

5. Forecasts & Recommendations (June–August 2025)

Trend – Watch for. Why it matters

  • IT supply-chain exploitation – Watch for: MSP vendors, open-source libraries (Parquet, Langflow). Why it matters: the ConnectWise and AI-library attacks show an effortless pivot to hundreds of customers

  • Logistics & transport attacks – Watch for: GRU campaign targeting logistics (CISA alert, 21 May). Why it matters: supply-chain disruption rivalling ransomware losses

  • Automated phishing (CoGUI, RedFox) – Watch for: 580 million mails YTD; new Malware-as-a-Service. Why it matters: higher success rates, lower campaign costs

  • Healthcare ransomware surge – Watch for: Interlock, Medusa, Play; shorter dwell time. Why it matters: critical services, high payment pressure

  • AI-assisted offense & defense – Watch for: LLM-driven phishing; code-anomaly detection. Why it matters: an arms race; invest in AI SecOps

6. Action Checklist (June 2025)

  • Patch critical CVE-2025-20188, CVE-2025-30065 and CVE-2025-3248 within 7 days.

  • Audit MSP suppliers for MFA and ScreenConnect logging.

  • Run EHR/ERP outage drill – Kettering lesson: manual fallback.

  • Verify offline backups – especially OT/WLC systems.

  • Block macros & scripts in Office; enforce code-signing.

  • Track KEV catalogue – auto-alerts, 21-day patch SLA.

  • Phishing & BEC training – CoGUI/smishing scenarios, 30-day tests.
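The KEV tracking the checklist calls for (auto-alerts, 21-day patch SLA), applied to the May batches described in section 3, as an added example that is not part of the original post: it reads records in the shape of CISA's KEV JSON feed (here a constructed sample whose dates are illustrative rather than copied from the catalogue), keeps the ones that match a constructed asset inventory, and grades each against the earlier of CISA's own due date and a 21-day internal SLA. The inventory, the dates and the status thresholds are assumptions.

```python
from datetime import date, timedelta

# Constructed sample shaped like the "vulnerabilities" array of the CISA KEV JSON
# feed: field names are the feed's, the dates are illustrative, not copied from it.
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-2025-29824", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-04-08", "dueDate": "2025-04-29", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-3248", "vendorProject": "Langflow", "product": "Langflow",
     "dateAdded": "2025-05-05", "dueDate": "2025-05-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-4632", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
     "dateAdded": "2025-05-22", "dueDate": "2025-06-19", "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed inventory of (vendorProject, product) pairs run in the estate;
# Langflow is deliberately absent so its entry is filtered out.
INVENTORY = {("Microsoft", "Windows"), ("Samsung", "MagicINFO 9 Server")}


def sla_entries(feed, inventory, today, sla_days=21):
    """KEV entries affecting the inventory, each with the binding deadline (the
    earlier of CISA's dueDate and dateAdded + sla_days) and a status as of `today`."""
    now = date.fromisoformat(today)
    rows = []
    for v in feed["vulnerabilities"]:
        if (v["vendorProject"], v["product"]) not in inventory:
            continue
        internal_due = date.fromisoformat(v["dateAdded"]) + timedelta(days=sla_days)
        deadline = min(date.fromisoformat(v["dueDate"]), internal_due)
        days_left = (deadline - now).days
        status = "OVERDUE" if days_left < 0 else "DUE_SOON" if days_left <= 7 else "OK"
        rows.append({"cve": v["cveID"], "deadline": deadline.isoformat(),
                     "days_left": days_left, "status": status,
                     # flaws tied to a ransomware campaign (Play used CVE-2025-29824) sort first
                     "ransomware": v.get("knownRansomwareCampaignUse") == "Known"})
    rows.sort(key=lambda r: (not r["ransomware"], r["deadline"]))
    return rows


def alerts(feed, inventory, today, sla_days=21):
    """The rows that should raise an alert: overdue, or due within a week."""
    return [r for r in sla_entries(feed, inventory, today, sla_days) if r["status"] != "OK"]


if __name__ == "__main__":
    for r in sla_entries(SAMPLE_KEV, INVENTORY, "2025-06-01"):
        print(f'{r["cve"]:16} due {r["deadline"]} ({r["days_left"]:+d} d) {r["status"]}')
```

Pointing the loader at the live feed instead of SAMPLE_KEV and running it daily from a scheduler gives the auto-alerts the checklist asks for.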

7. Worth Reading

  • Fortinet 2025 Global Threat Landscape Report – 97 bn exploit attempts, Cybercrime-as-a-Service boom

  • Sophos Active Adversary Report 2025 – 4-day median dwell time across 355 incidents

  • CISA/FBI “#StopRansomware: Play” – TTPs and 900 victims, 24 h patch guidance

  • CISA ICS Advisories 15-05-2025 – 22 new OT/SCADA bulletins

Sources

  1. Reuters, “Britain’s M&S says cyberattack to cost $400 million”, 21 May 2025

  2. M&S internal memo leak (via FT), 21 May 2025

  3. CyberNews, “Hackers leaked Coca-Cola data after ransom threat”, 22 May 2025

  4. BleepingComputer, “ConnectWise breached in cyberattack…”, 29 May 2025

  5. BleepingComputer, “Kettering Health hit by system-wide outage…”, 21 May 2025

  6. SecurityWeek, “Ransomware gang leaks alleged Kettering Health data”, 5 Jun 2025

  7. The Record, “Peru denies ransomware attack following Rhysida claims”, 6 May 2025

  8. BleepingComputer, “Exploit details for max-severity Cisco IOS XE flaw…”, 31 May 2025

  9. BleepingComputer, “Play ransomware exploited Windows logging flaw…”, 7 May 2025

  10. BleepingComputer, “PoC released for Apache Parquet CVE-2025-30065”, 6 May 2025

  11. BleepingComputer, “Critical Langflow RCE flaw exploited…”, 6 May 2025

  12. NVD/NIST, CVE-2025-4632 entry, 22 May 2025

  13. CISA, “Adds six KEVs”, 19 May 2025

  14. CISA, “Adds three KEVs”, 15 May 2025

  15. CISA, “22 Industrial Control Systems Advisories”, 15 May 2025

  16. CISA/FBI, “#StopRansomware: Play Ransomware”, 4 Jun 2025 (update)

  17. KrebsOnSecurity, “Patch Tuesday, May 2025 Edition”, 14 May 2025

  18. Fortinet, “2025 Global Threat Landscape Report”, 5 May 2025

  19. Sophos, “Active Adversary Report 2025”, 2 Apr 2025

  20. CISA Alert, “Russian GRU targeting logistics…”, 21 May 2025
