What is the time period covered by this cybersecurity report?

This cybersecurity report covers the week between September 22, 2025, midnight and September 29, 2025, midnight, which corresponds to week 39 of 2025.

How many cybersecurity events were reported during week 39 of 2025?

During week 39 of 2025, there were a total of 30 cybersecurity events: 8 advisory or vulnerability events and 22 incident or data breach events. Additionally, 6 practical knowledge items were shared.

How do week 39 numbers compare to week 38 of 2025?

Advisories decreased from 14 in week 38 to 8 in week 39. Incidents increased from 19 in week 38 to 22 in week 39. The number of known impacted individuals significantly decreased from 9.145 million in week 38 to 704 thousand in week 39.

How many individuals were impacted by data breaches in week 39 of 2025?

There were a total of 704,204 impacted individuals across 8 incidents during week 39 of 2025. The actual number is likely higher since not all incidents report the number of impacted individuals.

What was the largest data breach reported in week 39 of 2025?

The largest breach during week 39 was the Harrods luxury department store data breach caused by a third-party incident, which exposed 430,000 individuals.

What were the main causes of cybersecurity incidents in week 39?

The primary causes of incidents were: malware, ransomware and related attacks with 6 incidents, third party compromise with 5 incidents, system misconfiguration exploits with 4 incidents, social engineering and phishing with 1 incident, software vulnerability and SDLC exploits with 1 incident, and unauthorized access with 1 incident.

Which industries were most affected by cybersecurity incidents in week 39?

Healthcare and Consulting or Professional Services were the most affected industries with 4 incidents each, followed by Finance with 3 incidents, IT, Software or Technology and Government with 2 incidents each, and Automotive, Retail, Education, Entertainment or Leisure, Insurance, and Other with 1 incident each.

What notable actively exploited vulnerabilities were reported during week 39?

Several actively exploited vulnerabilities were reported including a Cisco Zero-Day vulnerability in IOS and IOS XE software, vulnerabilities in Cisco ASA and FTD Firewall software, a critical 8-year-old Hikvision Camera flaw, a critical vulnerability in Fortra GoAnywhere, the first malicious MCP Server stealing data from AI-powered email systems, and a phishing campaign targeting Python developers through the PyPI repository.

What were some critical vulnerabilities disclosed in week 39?

Critical vulnerabilities included a GeoServer vulnerability used to attack a Federal Agency Network, a flaw in Salesforce Agentforce enabling data exfiltration, a stored XSS vulnerability in DotNetNuke Platform, a flaw in Libraesva Email Security Gateway exploited by state-sponsored attackers, high severity V8 Engine flaws in Chrome, an installer hijacking vulnerability in Salesforce CLI, a Microsoft Entra ID vulnerability re-scored to a perfect 10 critical allowing global admin control, and a critical flaw in SolarWinds Web Help Desk.

What healthcare organizations were affected by data breaches in week 39?

Healthcare organizations affected included Lorain Emergency Physicians through an ApolloMD ransomware attack, ApolloMD reporting a direct ransomware attack, Veradigm experiencing a data breach, Outcomes One hit by a phishing attack, Archer Health leaking data of almost 150,000 records, Gainwell Technologies affecting over 900 Georgia Medicaid recipients, VIVA Health leaking data of nearly 5,000 Alabama members, Beaumont Bone & Joint Institute hit by ransomware, and Gaylord Healthcare hit by SAFEPAY ransomware.

What major corporate data breaches occurred in week 39?

Major corporate breaches included Harrods luxury department store with 430,000 individuals affected, Stellantis reporting a third-party breach affecting North American customers, Boyd Gaming exposing employee data, Volvo Group North America reporting a third-party ransomware attack, hackers claiming a breach of PNC Financial Services which the bank denied, and ClaimPix auto insurance platform exposing over 5 million records.

Were any government entities affected by cyberattacks in week 39?

Yes, government entities affected included the Lorain County auditor's office hit by ransomware exposing employee and vendor data, and Union County, Ohio hit by ransomware compromising resident data. Additionally, a Federal Agency Network was attacked through a GeoServer vulnerability.

Knowledge

State of (in)security - Week 39, 2025

published: Sept. 29, 2025

Take action: If you are considering using an MCP server, don't. They are extremely insecure and should not be trusted. If you do need them, implement blocking security review on ANY AND ALL IMPLEMENTATION AND CHANGES.

Learn More

In the week between Sept. 22, 2025, midnight and Sept. 29, 2025, midnight we witnessed a total of:

8 advisory/vulnerability events
22 incident/data breach events

Week over Week comparison of week 39 2025 vs week 38 2025:

We also shared 6 practical knowledge items

Total impacted individuals via the events of the week

There were a total of 704,204 impacted individuals across 8 incidents, with the largest breach being the Harrods luxury department store reports data breach caused by third-party incident incident exposing 430,000 individuals. Since not all incidents report a number of impacted individuals, the real number is definitely higher than that.

Cause breakdown of incidents

Cause	Number of incidents
Malware, Ransomware and Related Attacks	6
Third Party Compromise	5
System Misconfiguration Exploits	4
Social Engineering and Phishing	1
Software Vulnerability and SDLC Exploits	1
Unauthorized access	1

Industry breakdown of incidents

Industry	Number of incidents
Healthcare	4
Consulting/Professional Services	4
Finance	3
IT/Software/Technology	2
Government	2
Automotive	1
Retail	1
Education	1
Entertainment/Leisure	1
Insurance	1
Other	1

Read the Event Details of the Week

Knowledge

active exploit | Cisco patches actively exploited Zero-Day vulnerability in IOS and IOS XE software
active exploit | Cisco warns of actively exploited vulnerabilities in ASA and FTD Firewall software
active exploit | Critical 8 years old Hikvision Camera flaw actively exploited again
active exploit | Critical vulnerability in Fortra GoAnywhere actively exploited
active exploit | First malicious MCP Server discovered, stealing data from AI-Powered email systems
active exploit | Python developers targeted in phishing campaign against PyPI repository

Vulnerabilities

critical vulnerability | CISA provides details of Federal Agency Network attack through GeoServer vulnerability
critical vulnerability | Critical flaw in Salesforce Agentforce enables data exfiltration through AI agent exploitation
critical vulnerability | Critical stored XSS vulnerability reported in DotNetNuke Platform
critical vulnerability | Flaw in Libraesva Email Security Gateway exploited by State-Sponsored attackers
critical vulnerability | Google releases security update for Chrome patching high severity V8 Engine flaws
critical vulnerability | Installer hijacking vulnerability reported in Salesforce CLI, allows SYSTEM-Level Access
critical vulnerability | Microsoft Entra ID vulnerability re-scored to perfecrt 10 critical, allows global admin control on all tenants
critical vulnerability | SolarWinds releases emergency hotfix for critical flaw in Web Help Desk

Incidents

data breach | Lorain Emergency Physicians report third party breach through the ransomware attack on ApolloMD
data breach | Qilin ransomware gang steals data of Korean funds after breaching IT subcontractor
data breach | Lorain County auditor's office hit by ransomware attack exposing employee and vendor data
data breach | Researcher reports vulnerability exposing user data in the "Cancel the Hate" App
data breach | Auto insurance platform ClaimPix exposes over 5 million records containing sensitive personal documents
data breach | Brightstar Lottery Group data breach exposes personal information
data breach | Harrods luxury department store reports data breach caused by third-party incident
data breach | Stellantis reports third-party data breach affecting North American customers
data breach | Boyd Gaming hit by cyberattack exposing employee data
data breach | Healthcare management firm ApolloMD reports ransomware attack exposing patient data
data breach | Healthcare tech company Veradigm data breach exposed patient data
data breach | Health technology company Outcomes One hit by phishing attack, reports data breach
data breach | Archer Health leaks data of patients, exposes almost 150,000 Records
data breach | Ransomware gang targets Kido nursery chain, exposing data of 8,000 children
data breach | Volvo Group North America reports data breach after third-party ransomware attack
data breach | Union County, Ohio hit by ransomware attack compromising resident data
data breach | Hackers claim breach of PNC Financial Services, the bank denies
data breach | Gainwell Technologies reports data breach affecting over 900 Georgia medicaid recipients
data breach | VIVA Health leaks data of nearly 5,000 Alabama members
data breach | Cloud Misconfiguration exposes 273,000 records of Indian bank transfer records
ransomware | Texas orthopedic clinic Beaumont Bone & Joint Institute hit by ransomware attack
ransomware | Gaylord Healthcare hit by SAFEPAY ransomware attack exposing patient data

Read More
State of (in)security - Week 43, 2024
Two Engineering and Transparency Lessons from the suspected …
State of (in)security - Week 24, 2025
State of (in)security - Week 4, 2026
State of (in)security - Week 18, 2025