Weekly One-Shot: May 11 - May 17, 2025

This week's threats and trends.

Before we dive in, I would like to thank all of you for supporting us with your subscription! My goal is to bring both actionable insights and easy-to-digest information regarding cybersecurity threats to non-tech and technical professionals alike. If this sounds like something that would help someone you know, please share the newsletter!

Cybersecurity never sleeps—and just like a good thriller, the moment you get comfortable, something new pops out of the shadows. This week didn’t disappoint. From zero-days in everyday apps to botnets hiding in digital signage and ransomware creeping in through your ERP software, attackers reminded us just how creative and relentless they can be.

But don’t stress—we’ve decoded the chaos and lined up the week’s biggest threats so you can stay sharp, stay informed, and stay ahead of the next twist.

Let’s break down this week in cybersecurity.

🔎 This week in Cybersecurity 🔎

1. Samsung MagicINFO Vulnerability Enables Mirai Botnet Deployment (CVE-2025-4632)
Hackers are exploiting Samsung’s MagicINFO system used in digital signage to drop Mirai botnet payloads, transforming lobby displays into attack launchpads.
May 15 Newsletter

2. Apple iOS and macOS Vulnerabilities Require Urgent Patching
New vulnerabilities allow malicious image and video files to execute code on iPhones and Macs—patch now, or risk compromise via nothing more than a rogue GIF.
May 13 Newsletter

3. Google Chrome Zero-Day (CVE-2024-7965) Actively Exploited
A critical Chrome vulnerability is being used to run arbitrary code via specially crafted HTML. It’s already being exploited—update your browser.
May 15 Newsletter

4. Microsoft Messaging App Zero-Day Used in Espionage Campaign
Nation-state actors exploited a previously unknown vulnerability in a messaging platform to spy on Kurdish military forces.
May 13 Newsletter

5. Scattered Spider Targets US Retail with Social Engineering Attacks
The persistent Scattered Spider group has expanded phishing and social engineering attacks against the retail sector—time to retrain frontline teams.
May 15 Newsletter

6. JPEG Jitters: Ransomware Delivered via Malicious Image Files
Attackers are embedding ransomware into JPEG images, making casual downloads from untrusted sources a serious risk.
May 13 Newsletter

7. ASUS DriverHub Flaw Allowed Admin-Level Command Execution
ASUS patched a flaw in its DriverHub utility that allowed malicious websites to gain full control over affected systems.
May 13 Newsletter

8. WordPress WPML Plugin Vulnerability (CVE-2024-6386)
A flaw in the WPML plugin allows unauthenticated file uploads, giving attackers a foothold in WordPress environments.
May 15 Newsletter

9. Node.js Vulnerabilities Allow Service Disruption
Several vulnerabilities in Node.js could allow attackers to crash or disrupt backend applications, affecting availability.
May 15 Newsletter

10. FBI Warns of Botnets Leveraging Obsolete Routers
End-of-life (EoL) routers that no longer receive security updates are being hijacked into botnets, becoming launch platforms for cybercrime—check your hardware and replace unsupported devices.
May 13 Newsletter

11. LockBit Ransomware Gang Hacked—Admin Panel Leaked
In a rare turn of events, the LockBit gang got hacked, exposing victim data and internal comms. Good for intelligence, bad for them.
May 13 Newsletter

🔥 Biggest Threat This Week 🔥

SAP NetWeaver Exploitation (CVE-2025-31324)
SAP’s NetWeaver Visual Composer is once again in the spotlight—for all the wrong reasons. Ransomware crews are actively exploiting CVE-2025-31324 to drop payloads like PipeMagic and Brute Ratel, gaining full control over vulnerable enterprise systems. With over 1,200 exposed instances still online, the threat is anything but theoretical.

  • Risk Level: Critical

  • MITRE Tactics: Initial Access, Execution, Privilege Escalation

  • Action Steps:

    • Apply all available SAP patches immediately

    • Restrict access to /developmentserver/metadatauploader

    • Monitor system behavior for suspicious uploads or persistence mechanisms

May 15 Newsletter
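The two monitoring-oriented action steps above (restricting the uploader endpoint and watching for suspicious uploads) can be checked against ordinary web-server logs. The script below is an added example written for this newsletter item; it is not SAP's code or anything published with the advisory. It assumes Apache/NGINX combined log format and a hypothetical allowlisted admin subnet (10.0.0.0/24); every log line in it is constructed, and the only page-sourced value is the endpoint path.

```python
"""Scan web-server access logs for requests to the SAP NetWeaver Visual Composer
metadata uploader endpoint called out in the advisory, and grade each hit by
severity. Added example for this newsletter item; not SAP's or the
newsletter's own code. Assumes Apache/NGINX combined log format and a
hypothetical allowlisted admin subnet (10.0.0.0/24); the log lines are constructed."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Endpoint named in the advisory's action steps.
TARGET_PATH = "/developmentserver/metadatauploader"
# Hypothetical: only the internal admin subnet should reach the uploader at all.
ALLOWED_NETS = [ip_network("10.0.0.0/24")]
WRITE_METHODS = {"POST", "PUT"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-)(?: "[^"]*" "[^"]*")?$'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    status: int
    severity: str
    reason: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named groups of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowlisted(ip: str) -> bool:
    """Unparseable addresses are treated as external (fail closed)."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def assess(entry: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Grade one parsed request; None if it does not touch the uploader."""
    path = entry["path"].split("?", 1)[0].rstrip("/").lower()
    if path != TARGET_PATH:
        return None
    external = not is_allowlisted(entry["ip"])
    write = entry["method"] in WRITE_METHODS
    blocked = int(entry["status"]) in (401, 403)
    if external and write and not blocked:
        return "high", "write to uploader from non-allowlisted source was not blocked"
    if external:
        note = " (blocked)" if blocked else ""
        return "medium", "uploader reached from non-allowlisted source" + note
    if write:
        return "medium", "write to uploader from admin subnet; confirm it was a planned change"
    return "low", "read access to uploader from admin subnet"


def scan_lines(lines: List[str]) -> List[Finding]:
    """Parse each line, keep only uploader hits, and attach a severity grade."""
    findings: List[Finding] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed line; a real pipeline would count these separately
        graded = assess(entry)
        if graded is None:
            continue
        severity, reason = graded
        findings.append(Finding(entry["ip"], entry["ts"], entry["method"],
                                int(entry["status"]), severity, reason))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings per severity, e.g. for a dashboard or alert threshold."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample log (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/May/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/May/2025:10:02:15 +0000] "GET /developmentserver/metadatauploader?x=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [14/May/2025:11:40:03 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.9 - - [14/May/2025:11:41:22 +0000] "GET /irj/portal HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
    'this line is not in combined format',
    '10.0.0.7 - - [14/May/2025:11:45:00 +0000] "GET /developmentserver/metadatauploader/ HTTP/1.1" 200 300 "-" "curl/8.0"',
]

if __name__ == "__main__":
    results = scan_lines(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.ts} {f.ip} {f.method} {f.status}: {f.reason}")
    print(severity_counts(results))
```

The grading deliberately treats a 401/403 on the endpoint as evidence that the access restriction is working rather than as noise: an external probe that was blocked is still worth a medium-severity record, because it shows the endpoint is being looked for, while a successful external write is the case that should page someone. Writes from the admin subnet are flagged too, since Visual Composer uploads should be rare enough to reconcile against change tickets.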

🛠️ Training Recommendation 🛠️

Hack The Box – Enterprise Web Application Exploitation
As ransomware crews exploit web interfaces like SAP’s NetWeaver portal, defenders need to think like attackers. This course dives deep into real-world web application flaws and shows you how they’re exploited in the wild. If you’ve got an ERP system or custom app exposed to the internet, you can’t afford to skip this one.

Wrapping Up:

From ransomware in enterprise software and botnets in digital signage, to critical zero-days in widely used platforms, this week’s threats reinforce the need for immediate patching, network segmentation, and strong phishing defenses.

Whether it’s nation-state espionage or a phony WordPress plugin, assume nothing is safe and validate everything.

(P.S. Supporting our partners helps keep this newsletter running!)