How many cybersecurity events were reported between April 21-28, 2025?

In the week between April 21, 2025, midnight and April 28, 2025, midnight we witnessed a total of 19 advisory/vulnerability events and 16 incident/data breach events.

How do the cybersecurity events in week 17 of 2025 compare to week 16?

Advisories are up and incidents are down from the previous week. Advisories increased from 10 in week 16 2025 to 19 in week 17 2025. Incidents decreased from 18 in week 16 2025 to 16 in week 17 2025.

How many individuals were impacted by data breaches in week 17 of 2025?

There were a total of 396,281 impacted individuals across 8 incidents, with the largest breach being the Onsite Mammography data breach exposing data of 357,265 individuals. Since not all incidents report a number of impacted individuals, the real number is definitely higher.

What were the main causes of cybersecurity incidents in week 17 of 2025?

The main causes were: Human bad security behavior (2 incidents), System Misconfiguration Exploits (2 incidents), Third Party Compromise (2 incidents), Unauthorized access (2 incidents), and Malware, Ransomware and Related Attacks (1 incident).

Which industries were most affected by cybersecurity incidents in week 17 of 2025?

The most affected industries were: Government (4 incidents), Healthcare (3 incidents), Telecommunications (2 incidents), followed by IT/Software/Technology, Retail, Transport/Logistics, Consulting/Professional Services, Utilities, Education, and Finance (1 incident each).

What were the notable active exploits reported in week 17 of 2025?

Notable active exploits included: Mail remote code execution flaw, Craft CMS zero-Day vulnerabilities, and Critical SAP NetWeaver vulnerability. There were also active scams including an 'HP Laptop for 123 MKD' Facebook scam stealing personal and card data, and a phone scam spoofing Vatican phone number.

What critical vulnerabilities were reported in week 17 of 2025?

Critical vulnerabilities were reported in: FastCGI lightweight web server development library (CVE-2025-23016), AMD Zen 5 microcode, HPE Performance Cluster Manager, Google Cloud Composer tool, Lantronix Xport, InstaWP Connect WordPress plugin, Infodraw's surveillance software, PyTorch Framework, Commvault Command Center, GitLab, Johnson Controls ICU tool, Siemens TeleControl Server Basic, Schneider Electric Modicon Controllers, IBM Hardware Management Console, Rack Ruby Framework, Nice Linear eMerge E3, Planet Technology network products, Schneider Electric Wiser Home Controller, and Windows 'security related inetpub'.

What is the FastCGI vulnerability (CVE-2025-23016) and which systems does it affect?

CVE-2025-23016 (CVSS score 9.3) is a critical integer overflow vulnerability in the FastCGI library that can lead to heap buffer overflows and remote code execution. The flaw exists in the parameter-parsing code within the 'ReadParams' function, where improper input validation when processing large parameter lengths causes an integer overflow on 32-bit systems. While modern 64-bit servers are immune, many embedded devices and IoT endpoints still using 32-bit systems are vulnerable. The vulnerability affects all FastCGI library versions prior to 2.4.5. PHP-FPM implementations are not affected as they reimplement the FCGI protocol without using the vulnerable library.

How can organizations mitigate the FastCGI vulnerability (CVE-2025-23016)?

Organizations can protect against the FastCGI vulnerability by: 1) Updating to FastCGI library version 2.4.5 or later which contains the fix, 2) Configuring FastCGI to use UNIX sockets instead of TCP where possible to limit access to local processes, 3) Ensuring FastCGI ports are not directly exposed on public networks, and 4) Avoiding insecure configuration examples that might expose FastCGI sockets to untrusted networks. For embedded/IoT devices that don't allow end-user updates, customers should contact vendors to confirm vulnerability status and request patches while isolating affected devices from the public internet.

What were the most significant data breaches in week 17 of 2025?

Significant data breaches included: Onsite Mammography (affecting 357K individuals), WorkComposer employee monitoring app (leaking 21 million screenshots), Grant County Public Utility District (affecting 850 people), Bluestone Bank (affecting 7K individuals), British Ministry of Defence (exposing Special Forces personnel data), and several healthcare-related breaches including The Plastic Surgery Center and Aya Healthcare.

Which organizations experienced ransomware attacks in week 17 of 2025?

Organizations experiencing ransomware attacks included: Adelaide Hospital (via a third party exposing 2,254 sleep study patients' data), Spanish water supplier Aigües de Mataró, Wan Hai Lines shipping company, the local government systems of Abilene, Texas, and DuPage County, Illinois (affecting multiple county departments including the sheriff's office, the 18th Judicial Circuit Court, and the Circuit Court Clerk's office).

What details are known about the DuPage County, Illinois ransomware attack?

The DuPage County ransomware attack was detected on April 28, 2025, causing computer outages at the courthouse and sheriff's office in Wheaton. The attack disrupted several services including Zoom court sessions, postponed many court cases, forced legal personnel to revert to paper court orders, and canceled chancery sales including foreclosures for the week. Critical services remained operational, with no impact to jail operations and in-person court hearings proceeding as scheduled. According to reports, attackers claim to have stolen files including financial records and lawsuits, demanding an undisclosed ransom amount. The FBI and U.S. Secret Service are assisting with the investigation.

Advisory

Critical FastCGI flaw exposes embedded devices to remote code execution

published: April 28, 2025

Take action: Check if you are running FastCGI in your embedded and IoT systems. As a first step, isolate all such devices from the internet and make them accessible only from trusted networks. Then reach out to vendors to check for FastCGI and get a possible vendor issued patch/fix. Finally, where possible, update to FastCGI library version 2.4.5 or later, or reconfigure the system to mitigate exposure.

Learn More

A critical security vulnerability has been discovered in the FastCGI lightweight web server development library, potentially affecting numerous embedded and IoT devices worldwide.

The flaw is tracked as CVE-2025-23016 (CVSS score 9.3), and is an integer overflow vulnerability can lead to heap buffer overflows and remote code execution in vulnerable implementations.

Security researcher Baptiste Mayaud from Synacktiv identified the flaw in January 2025, which was publicly disclosed in mid-April following responsible disclosure to the maintainers. The vulnerability exists in the FastCGI library's parameter-parsing code, specifically within the ReadParams function.

The critical issue occurs due to improper input validation when processing parameter lengths:

nameValue = (char *)Malloc(nameLen + valueLen + 2);

When both nameLen and valueLen are set to very large values (close to 0x7FFFFFFF), the addition operation with the extra 2 bytes causes an integer overflow on 32-bit systems. This results in allocating a buffer far smaller than required for subsequent operations, creating a heap buffer overflow condition.

While many modern servers running in 64-bit mode are immune to this specific vulnerability, a significant number of embedded devices and IoT endpoints still rely on 32-bit systems due to cost and power constraints.

This vulnerability could be exploited to create a heap overflow in FastCGI's parameter parsing, overwrite function pointers in FastCGI's internal stream structure (FCGX_Stream) and redirect execution flow to arbitrary code execution

The vulnerability affects the following versions of the FastCGI library:

All versions prior to 2.4.5

PHP-FPM (PHP FastCGI Process Manager) reimplements the FCGI protocol and does not use the vulnerable FastCGI library, so PHP-FPM deployments are not affected by this specific vulnerability.

Measures to protect against this vulnerability:

Update to FastCGI library version 2.4.5 or later, which contains a fix for this issue
Configure FastCGI communication to use UNIX sockets instead of TCP where possible, limiting access to local processes
Review web server configurations to ensure FastCGI ports are not directly exposed on public networks
Avoid using insecure configuration examples that might expose FastCGI sockets to untrusted networks

Realistically, most embedded and IoT devices do not allow for end-user updating and reconfiguration, so device manufacturers and system integrators are strongly encouraged to update their software stacks and implement secure deployment configurations to mitigate this risk. Customers should reach out to their vendors to confirm whether the embedded devices are using FastCGI and are vulnerable and ask for a patch. In the meantime, they need to isolate their embedded/IoT devices from public internet.

Critical FastCGI flaw exposes embedded devices to remote code execution

Read More
Critical remote code execution flaw reported in MyQ …
Another critical RCE flaw reported in n8n automation …
CISA reports actively exploited of vulnerability in Avtech …
OpenSSL Patches 12 Vulnerabilities Including One Critical RCE
Systemic Design Flaw in MCP Protocol Exposes AI …