How many cybersecurity events were reported between April 21-28, 2025?

In the week between April 21, 2025, midnight and April 28, 2025, midnight we witnessed a total of 19 advisory/vulnerability events and 16 incident/data breach events.

How do the cybersecurity events in week 17 of 2025 compare to week 16?

Advisories are up and incidents are down from the previous week. Advisories increased from 10 in week 16 2025 to 19 in week 17 2025. Incidents decreased from 18 in week 16 2025 to 16 in week 17 2025.

How many individuals were impacted by data breaches in week 17 of 2025?

There were a total of 396,281 impacted individuals across 8 incidents, with the largest breach being the Onsite Mammography data breach exposing data of 357,265 individuals. Since not all incidents report a number of impacted individuals, the real number is definitely higher.

What were the main causes of cybersecurity incidents in week 17 of 2025?

The main causes were: Human bad security behavior (2 incidents), System Misconfiguration Exploits (2 incidents), Third Party Compromise (2 incidents), Unauthorized access (2 incidents), and Malware, Ransomware and Related Attacks (1 incident).

Which industries were most affected by cybersecurity incidents in week 17 of 2025?

The most affected industries were: Government (4 incidents), Healthcare (3 incidents), Telecommunications (2 incidents), followed by IT/Software/Technology, Retail, Transport/Logistics, Consulting/Professional Services, Utilities, Education, and Finance (1 incident each).

What were the notable active exploits reported in week 17 of 2025?

Notable active exploits included: Mail remote code execution flaw, Craft CMS zero-Day vulnerabilities, and Critical SAP NetWeaver vulnerability. There were also active scams including an 'HP Laptop for 123 MKD' Facebook scam stealing personal and card data, and a phone scam spoofing Vatican phone number.

What critical vulnerabilities were reported in week 17 of 2025?

Critical vulnerabilities were reported in: FastCGI lightweight web server development library (CVE-2025-23016), Viasat satellite modems (CVE-2024-6198), AMD Zen 5 microcode, HPE Performance Cluster Manager, Google Cloud Composer tool, Lantronix Xport, InstaWP Connect WordPress plugin, Infodraw's surveillance software, PyTorch Framework, Commvault Command Center, GitLab, Johnson Controls ICU tool, Siemens TeleControl Server Basic, Schneider Electric Modicon Controllers, IBM Hardware Management Console, Rack Ruby Framework, Nice Linear eMerge E3, Planet Technology network products, Schneider Electric Wiser Home Controller, and Windows 'security related inetpub'.

What is the FastCGI vulnerability (CVE-2025-23016) and which systems does it affect?

CVE-2025-23016 (CVSS score 9.3) is a critical integer overflow vulnerability in the FastCGI library that can lead to heap buffer overflows and remote code execution. The flaw exists in the parameter-parsing code within the 'ReadParams' function, where improper input validation when processing large parameter lengths causes an integer overflow on 32-bit systems. While modern 64-bit servers are immune, many embedded devices and IoT endpoints still using 32-bit systems are vulnerable. The vulnerability affects all FastCGI library versions prior to 2.4.5. PHP-FPM implementations are not affected as they reimplement the FCGI protocol without using the vulnerable library.

How can organizations mitigate the FastCGI vulnerability (CVE-2025-23016)?

Organizations can protect against the FastCGI vulnerability by: 1) Updating to FastCGI library version 2.4.5 or later which contains the fix, 2) Configuring FastCGI to use UNIX sockets instead of TCP where possible to limit access to local processes, 3) Ensuring FastCGI ports are not directly exposed on public networks, and 4) Avoiding insecure configuration examples that might expose FastCGI sockets to untrusted networks. For embedded/IoT devices that don't allow end-user updates, customers should contact vendors to confirm vulnerability status and request patches while isolating affected devices from the public internet.

What is the Viasat satellite modem vulnerability (CVE-2024-6198) and how can it be fixed?

CVE-2024-6198 (CVSS score 7.7-9.8) is a stack buffer overflow vulnerability in the 'SNORE' web interface of multiple Viasat satellite modem models. The flaw affects the interface accessible through LAN and OTA connections on TCP ports 3030 and 9882. The vulnerability exists in the '/usr/local/SNORE/index.cgi' binary where unsafe 'sscanf()' calls allow attackers to overflow a fixed-size buffer using specially crafted HTTP requests, potentially enabling arbitrary code execution through return-oriented programming techniques. Affected models include RM4100, RM4200, EM4100 (below firmware 3.8.0.4) and RM5110, RM5111, RG1000, RG1100, EG1000, and EG1020 (below firmware 4.3.0.2). Viasat has released fixes in firmware versions 3.8.0.4+ and 4.3.0.2+ respectively. Users should ensure devices are online to receive automatic updates and verify the firmware version through the administrative interface.

What were the most significant data breaches in week 17 of 2025?

Significant data breaches included: Onsite Mammography (affecting 357K individuals), WorkComposer employee monitoring app (leaking 21 million screenshots), Grant County Public Utility District (affecting 850 people), Bluestone Bank (affecting 7K individuals), British Ministry of Defence (exposing Special Forces personnel data), and several healthcare-related breaches including The Plastic Surgery Center and Aya Healthcare.

Which organizations experienced ransomware attacks in week 17 of 2025?

Organizations experiencing ransomware attacks included: Adelaide Hospital (via a third party exposing 2,254 sleep study patients' data), Spanish water supplier Aigües de Mataró, Wan Hai Lines shipping company, the local government systems of Abilene, Texas, and DuPage County, Illinois (affecting multiple county departments including the sheriff's office, the 18th Judicial Circuit Court, and the Circuit Court Clerk's office).

What details are known about the DuPage County, Illinois ransomware attack?

The DuPage County ransomware attack was detected on April 28, 2025, causing computer outages at the courthouse and sheriff's office in Wheaton. The attack disrupted several services including Zoom court sessions, postponed many court cases, forced legal personnel to revert to paper court orders, and canceled chancery sales including foreclosures for the week. Critical services remained operational, with no impact to jail operations and in-person court hearings proceeding as scheduled. According to reports, attackers claim to have stolen files including financial records and lawsuits, demanding an undisclosed ransom amount. The FBI and U.S. Secret Service are assisting with the investigation.

Advisory

Remote Code Execution flaw reported in Viasat Satellite Modems

published: April 28, 2025

Take action: If you are using Viasat sattelite modems, check if they are auto-updated. If not, update them ASAP. Should be fairly easy fix.

Learn More

A vulnerability has been discovered in multiple Viasat satellite modem models, potentially exposing critical communications infrastructure to remote attacks.

The security flaw is tracked as CVE-2024-6198 (CVSS score from 7.7 to 9.8 depending on source), affects the "SNORE" web interface accessible through the device's LAN and OTA interfaces.

The vulnerability stems from a stack buffer overflow in the "SNORE" web interface running on lighttpd over TCP ports 3030 and 9882. The issue exists in the /usr/local/SNORE/index.cgi binary, where HTTP request processing occurs without proper bounds checking.

When handling GET, POST, or DELETE requests, the CGI implementation uses an unsafe call to sscanf() to extract variables from the URI, allowing attackers to overflow a fixed-size buffer by sending specially crafted HTTP requests. For example, a request to:

http://192.168.100.1:9882/snore/blackboxes/AAAAAAAA[512 times]AAAAAA

This overflow gives attackers control over program registers, enabling them to hijack execution flow and potentially execute arbitrary code. Despite the binary employing a non-executable stack, exploitation remains possible through return-oriented programming (ROP) techniques.

The following Viasat modem models are vulnerable:

RM4100, RM4200, EM4100 (firmware versions below 3.8.0.4)
RM5110, RM5111, RG1000, RG1100, EG1000, and EG1020 (firmware versions up to 4.3.0.1)

Viasat has released fixes in the following firmware versions:

Version 3.8.0.4+ for RM4100, RM4200, and EM4100 models
Version 4.3.0.2+ for RM5110, RM5111, RG1000, RG1100, EG1000, and EG1020 models

Users should ensure their devices are online to receive automatic updates from Viasat and verify the updated firmware version through the administrative interface.

Remote Code Execution flaw reported in Viasat Satellite Modems

Read More
Security rearchers discover old critical flaw still active …
Fortinet warns of active exploitation of 2FA Bypass …
SonicWall fixes critical improper access control flaw in …
Cisco reports high-severity flaw in Integrated Management Controller, …
GNU InetUtils telnetd Authentication Bypass Exploited in the …