How many cybersecurity events occurred in the week of September 15-22, 2025?

During the week of September 15-22, 2025, there were a total of 33 cybersecurity events: 14 advisory/vulnerability events and 19 incident/data breach events.

How did cybersecurity incidents change compared to the previous week?

Comparing week 38 to week 37 of 2025: Advisories increased from 13 to 14 (up by 1), while incidents decreased from 26 to 19 (down by 7). However, the number of impacted individuals increased significantly from 520,000 to 9.145 million.

What was the largest data breach of the week and how many people were affected?

The largest breach was the Shiny Hunters ransomware gang's claimed breach of Kering's Luxury Brands, which exposed data of 7,400,000 individuals. Overall, 9,145,640 individuals were impacted across 7 incidents during the week.

What were the most common causes of cybersecurity incidents this week?

The top causes of incidents were: Malware, Ransomware and Related Attacks (5 incidents), Unauthorized access (3 incidents), followed by Third Party Compromise, Social Engineering and Phishing, and Human bad security behavior (2 incidents each).

Which industry was most affected by cybersecurity incidents?

Healthcare was the most affected industry with 7 incidents, followed by IT/Software/Technology and Finance with 2 incidents each. Other affected industries included Food and Beverage, Government, Insurance, Automotive, Retail, Aviation, and Consulting/Professional Services with 1 incident each.

What types of critical vulnerabilities were reported this week?

Critical vulnerabilities were reported in various systems including Apple iOS/macOS updates, WordPress plugins, Apache HTTP Server, Nokia management platforms, FlowiseAI, Kubernetes tools, Google Chrome (with one actively exploited), and multiple enterprise systems like WatchGuard Firebox and Fortra's GoAnywhere MFT.

What major ransomware attacks occurred during this week?

Major ransomware attacks included: Shiny Hunters gang's breach of Kering's Luxury Brands (7.4M affected), Goshen Medical Center attack (456,385 patients affected), Medical Associates of Brevard hit by BianLian ransomware (246,711 patients), Everest gang's claimed breach of BMW, and attacks on Family & Community Services and SonicWall MySonicWall platform.

Were there any notable breaches in the financial or technology sectors?

Yes, notable breaches included: Former FinWise Bank employee breaching data of 689,000 customers, Google confirming a breach of their Law Enforcement Request System with a fraudulent account created, and an arrested hacker claiming Scattered Spider gang breached Crypto.com (though this incident was not officially reported).

What was the most critical vulnerability discovered recently in Microsoft's cloud services?

Microsoft reclassified a critical vulnerability in Entra ID (CVE-2025-55241) with a maximum CVSS score of 10.0 that could have compromised virtually every tenant globally. Discovered by Dutch researcher Dirk-jan Mollema in July 2025, the flaw involved undocumented 'Actor tokens' and a validation issue in the Azure AD Graph API. Attackers could bypass MFA, Conditional Access, and logging while achieving full tenant compromise. Microsoft fixed the issue within 3 days of reporting (July 14-17, 2025) with no evidence of exploitation in the wild.

What recent ransomware attack affected a government entity and what sensitive data was compromised?

The Lorain County Board of Commissioners in Ohio reported a ransomware attack discovered on May 23, 2025, claimed by the Global ransomware gang. The attack compromised sensitive financial information including Social Security numbers, bank account numbers, and routing numbers of county employees and vendors. The breach primarily impacted files in the County Auditor's Office, though other departments also reported issues. The ransomware group threatened to release stolen data unless ransom demands were met, claiming possession of 'lots of private information, bank accounts and more.'

What critical vulnerability was discovered in SolarWinds Web Help Desk and why is it particularly concerning?

SolarWinds patched CVE-2025-26399 (CVSS score 9.8), a critical unauthenticated remote code execution vulnerability in Web Help Desk that allows attackers to execute arbitrary commands with SYSTEM privileges without authentication. This flaw is particularly concerning because it represents the third iteration of attempts to fix the same underlying security issue - it's a patch bypass of CVE-2024-28988, which was itself a bypass of CVE-2024-28986 originally addressed in August 2024. All versions up to 12.8.7 are affected, requiring upgrade to version 12.8.7 Hotfix 1 (HF1). While not currently exploited in the wild, security experts warn of high likelihood of future exploitation attempts.

Advisory

SolarWinds releases emergency hotfix for critical flaw in Web Help Desk

published: Sept. 23, 2025

Take action: If you're running SolarWinds Web Help Desk, immediately update to version 12.8.7 Hotfix 1 (HF1). By it's very nature, Web Help Desk may be exposed to the Internet, so you are probably exposed. If you can't update right away, isolate the Web Help Desk from the internet until you can apply the patch.

Learn More

SolarWinds has patched a critical security vulnerability in its Web Help Desk that allows attackers to execute arbitrary commands on the host machine without requiring authentication.

This flaw, tracked as CVE-2025-26399 (CVSS score 9.8), is an unauthenticated AjaxProxy deserialization remote code execution vulnerability caused by insufficient validation of user-supplied data. When successfully exploited, this flaw allows remote attackers to execute code in the context of SYSTEM privileges, leading to complete compromise of affected Web Help Desk instances.

CVE-2025-26399 represents the third iteration of attempts to address the same underlying security flaw. The vulnerability is a patch bypass of CVE-2024-28988 (CVSS score 9.8), which itself was a bypass of CVE-2024-28986 (CVSS score 9.8) that was originally addressed by SolarWinds in August 2024.

Affected versions of SolarWinds Web Help Desk are 12.8.7 and all previous versions.

The fixed software release is SolarWinds Web Help Desk 12.8.7 Hotfix 1 (HF1)

Organizations that had previously installed version 12.8.7 must download and apply Hotfix 1 to fully remediate the vulnerability, as the original 12.8.7 release remains vulnerable to this specific attack vector.

Currently, there is no evidence of CVE-2025-26399 being actively exploited in the wild. Security experts emphasize the high likelihood of future exploitation attempts, given the history of the underlying vulnerability family.

Organizations that cannot immediately upgrade should implement network-level controls to restrict access to the Web Help Desk interface, ensuring it is not exposed to the entire internet.

SolarWinds releases emergency hotfix for critical flaw in Web Help Desk