Threat Report May 2025: Hack, Rinse, Repeat

May 2025 was a volcanic month for cybersecurity news, including several large breaches and new critical severity vulnerabilities. The Greenbone blog has already covered some major events, such as new actively exploited vulnerabilities in SAP Netweaver, Commvault Command Center and Ivanti EPMM. In total 4,014 new vulnerabilities were added to MITRE’s CVE (Common Vulnerabilities and Exposures) program. Greenbone added over 2,500 vulnerability tests to the Enterprise Feed, many capable of detecting multiple CVEs.

In this threat report for May 2025, we will round up some of the riskiest new CVEs disclosed this month, review a nation-state backed cyber campaign impacting tech companies around the world, and review how AI is poised to escalate cyber risk with intelligent automation at all stages of the Cyber Kill Chain.

The Inevitable AI-Enabled Attack Cycle: Hack, Rinse, Repeat

AI is now a force multiplier in the cyber attack lifecycle. Threat actors are leveraging AI in two fundamental ways: expediting the conversion of public vulnerability knowledge into exploit tools, and building more convincing social engineering content. Researchers have proposed a long list of additional capabilities that AI can further optimize, including automation of initial access attacks and command-and-control (C2) operations.

Even without AI, skilled human hackers can exfiltrate sensitive information within minutes of initial access. If significant vulnerabilities exist on the LAN side of a victim’s network, manual deployment of ransomware is trivial. In 2017, WannaCry demonstrated that ransomware attacks can be automated and wormable, i.e., capable of spreading between systems autonomously.

According to Norton’s latest Gen Threat Report, data-theft has increased 186% in Q1 2025. As discussed last month, data-theft-related class action filings have risen more than 1,265% over six years. When a victim’s cyber hygiene is non-compliant, multi-million dollar settlements are the norm. The top 10 data-breach class action settlements in 2023 totaled over 515 million dollars; the largest was a 350 million dollar settlement involving T-Mobile. This stolen data is often sold on the dark web, becoming fuel for subsequent cyber attacks. We should expect AI to reach full autonomy at all stages of the Cyber Kill Chain in the near future, resulting in a fully autonomous vicious cycle of exploitation; hack, rinse, repeat.

Russian GRU-Backed Espionage Campaign Hits Global Tech and Logistic Firms

CISA (Cybersecurity and Infrastructure Security Agency) and defense entities from nine other countries have warned of a cyber espionage-oriented campaign. The operation is being conducted by the Russian General Staff Main Intelligence Directorate (GRU), specifically the 85th Main Special Service Center (85th GTsSS), military unit 26165. The group is tracked under several aliases including the well-known FancyBear and APT28.

The full report outlines detailed Tactics, Techniques and Procedures (TTPs) leveraged in the campaign, which includes reconnaissance [TA0043], credential brute forcing [T1110.003], spearphishing to attain credentials and deliver malware [T1566], exploiting trust relationships to gain access [T1199], proxying attacks through compromised devices [T1665] and exploiting known software vulnerabilities – both for initial access [T1190] and privilege escalation [T1068]. The sheer diversity of attack techniques indicates a highly sophisticated threat.

The campaign targets a wide range of small office/home office (SOHO) devices, Microsoft Outlook, RoundCube Webmail and WinRAR as well as undisclosed CVEs in other internet-facing infrastructure – including corporate VPNs and SQL injection flaws. Greenbone includes detection tests for all CVEs referenced in the report. Those CVEs include:

  • CVE-2023-23397 (CVSS 9.8): A privilege escalation vulnerability in Microsoft Outlook that leverages replay of captured Net-NTLMv2 hashes.
  • CVE-2020-12641 (CVSS 9.8): Allows attackers to execute arbitrary code via shell metacharacters in a Roundcube Webmail configuration setting for `im_convert_path` or `im_identify_path`.
  • CVE-2020-35730 (CVSS 5.0): An XSS flaw in Roundcube Webmail via a plain text email message, containing a JavaScript link reference.
  • CVE-2021-44026 (CVSS 9.8): An SQL injection flaw in Roundcube via search or search_params.
  • CVE-2023-38831 (CVSS 7.8): Allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive.

DragonForce Ransomware Spreads its Wings

Emerging in mid-2023, DragonForce transitioned from a hacktivist collective into a financially motivated Ransomware-as-a-Service (RaaS) operation. Fast forward to 2025, and DragonForce has established itself as an apex threat in the ransomware ecosystem.

DragonForce ransomware attacks impacted the following countries:

  • United States – 43 confirmed incidents
  • United Kingdom – including recent May 2025 breaches of Marks & Spencer, Co-op and Harrods
  • Saudi Arabia – a data leak from a major Riyadh construction firm
  • Australia – e.g., Yakult Australia
  • Singapore – Coca-Cola operations
  • Palau – a government breach in March 2024
  • Canada – among the top five most attacked nations
  • India – has faced increased targeting, particularly in the past month

Campaigns have included exploitation of SimpleHelp remote monitoring and management (RMM) [1], Confluence Server and Data Center [2], Log4Shell (aka Log4J), Microsoft Windows vulnerabilities, as well as various flaws in Ivanti products [3]. Greenbone provides multiple active check and version detection tests for all CVEs identified in DragonForce campaigns.

DragonForce has been observed exploiting:

In line with the attack trajectory of other prominent ransomware actors, DragonForce is known to use techniques beyond exploiting public-facing vulnerabilities, such as phishing emails, credential theft, brute-force and credential stuffing attacks against exposed services, and remote monitoring and management (RMM) tools like AnyDesk, Atera and TeamViewer for persistence and lateral movement. Therefore, organizations need comprehensive cybersecurity programs that include user awareness training to prevent social engineering attacks and regular penetration testing to simulate real-world adversarial activity.

CVE-2025-32756: Stack-Based Buffer Overflow Vulnerability in Multiple Fortinet Products

CVE-2025-32756 (CVSS 9.8), published on May 13, 2025, is a critical severity stack-based buffer overflow vulnerability [CWE-121] affecting multiple Fortinet products. It allows remote, unauthenticated attackers to execute arbitrary code via a crafted HTTP cookie. The flaw is being actively exploited in the wild – primarily against FortiVoice systems – and is linked to attacks involving malware deployment, credential theft via cron jobs, and network reconnaissance. Proof-of-concept details are publicly available, and a full technical analysis has been published, increasing the risk factor.

Fortinet flaws have a historically high conversion rate for use in ransomware attacks. A total of 18 vulnerabilities in Fortinet products have been added to CISA Known Exploited Vulnerabilities (KEV) list since late 2021 – 11 of these are known to be leveraged by ransomware operators. In addition to CISA, several other national CERT entities have issued alerts, including CERT-EU, the Centre for Cybersecurity Belgium (CCB), and Germany’s CERT-BUND.

The root cause is a missing length check in the `cookieval_unwrap()` function of libhttputil.so. A malicious AuthHash cookie can induce memory corruption that overwrites the saved return address, allowing an attacker to hijack execution flow at the process level. Greenbone Enterprise Feed provides a vulnerability test to detect affected products and almost 1,000 further tests for other vulnerabilities in Fortinet products.

CVE-2025-32756 affects dozens of firmware versions across multiple Fortinet products, including:

  • FortiVoice (6.4.0 – 7.2.0)
  • FortiMail (7.0.0 – 7.6.2)
  • FortiNDR (1.1 – 7.6.0)
  • FortiRecorder (6.4.0 – 7.2.3)
  • all versions of FortiCamera 1.1 and 2.0 as well as 2.1.0 – 2.1.3

Fortinet advises upgrading to the latest fixed versions immediately. If patching is not feasible, users should disable the HTTP/HTTPS administrative interface to prevent successful attacks.

Trio of SysAid Flaws Now Have CVEs and Public PoC

In May, three critical-severity vulnerabilities were disclosed affecting the on-premises SysAid IT Service Management (ITSM) platform. These flaws can be chained, allowing unauthenticated Remote Code Execution (RCE). Full technical details and a Proof-of-Concept (PoC) were published by watchTowr. Also, considering that SysAid vulnerabilities have been targeted by ransomware operators in the past, these flaws are especially high risk.

CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777 (each CVSS 9.3) are unauthenticated XML External Entity (XXE) [CWE-611] vulnerabilities, found in the Checkin, Server URL and lshw functions respectively. All allow admin account takeover and arbitrary file read on the victim’s system. SysAid On-Prem versions ≤ 23.3.40 are affected. Notably, the flaws were patched by the vendor in March, but CVE IDs were not reserved or issued. This type of scenario contributes to a less transparent threat landscape for software users, reducing visibility and complicating operational vulnerability management. Greenbone offers detection tests for all aforementioned CVEs.
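The Fortinet version list above and the SysAid "≤ 23.3.40" bound are exactly the kind of data a version detection test consumes. The following is an added example of how such a check can be implemented; it is not Greenbone's own test logic. The ranges are transcribed from this report; treating each "a – b" range as inclusive at both ends is an assumption (the fixed versions are not given here), and the inventory it scans is constructed.

```python
"""Match asset versions against the affected version ranges in this report.

Added example for illustration; it is not Greenbone's detection logic.
Ranges are transcribed from the report. Treating each "a - b" range as
inclusive at both ends is an assumption; fixed versions are not on the page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """'7.2.0' -> (7, 2, 0); tolerates prefixes such as 'v7.2' or 'build 7.2.1'."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: tuple[int, ...], width: int) -> tuple[int, ...]:
    """Right-pad with zeros so (7, 6) compares as 7.6.0 against (7, 6, 2)."""
    return v + (0,) * (width - len(v))


@dataclass(frozen=True)
class Affected:
    product: str
    cve: str
    low: str          # inclusive lower bound
    high: str | None  # inclusive upper bound; None means "every version under low"

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        lo = parse_version(self.low)
        if self.high is None:  # whole branch, e.g. "all versions of FortiCamera 2.0"
            return v[: len(lo)] == lo
        hi = parse_version(self.high)
        width = max(len(v), len(lo), len(hi))
        return _pad(lo, width) <= _pad(v, width) <= _pad(hi, width)


# Transcribed from the report (Fortinet list and SysAid "<= 23.3.40").
AFFECTED = [
    Affected("FortiVoice", "CVE-2025-32756", "6.4.0", "7.2.0"),
    Affected("FortiMail", "CVE-2025-32756", "7.0.0", "7.6.2"),
    Affected("FortiNDR", "CVE-2025-32756", "1.1", "7.6.0"),
    Affected("FortiRecorder", "CVE-2025-32756", "6.4.0", "7.2.3"),
    Affected("FortiCamera", "CVE-2025-32756", "1.1", None),
    Affected("FortiCamera", "CVE-2025-32756", "2.0", None),
    Affected("FortiCamera", "CVE-2025-32756", "2.1.0", "2.1.3"),
]
for _cve in ("CVE-2025-2775", "CVE-2025-2776", "CVE-2025-2777"):
    AFFECTED.append(Affected("SysAid On-Prem", _cve, "0", "23.3.40"))


def matching_cves(product: str, version: str) -> list[str]:
    """CVE IDs whose affected range covers this product/version, sorted, no duplicates."""
    hits = {a.cve for a in AFFECTED if a.product == product and a.contains(version)}
    return sorted(hits)


# Constructed sample inventory; these are not real hosts.
INVENTORY = [
    {"host": "mail-gw-01", "product": "FortiMail", "version": "7.6.2"},
    {"host": "mail-gw-02", "product": "FortiMail", "version": "7.6.3"},
    {"host": "cam-lobby", "product": "FortiCamera", "version": "1.1.7"},
    {"host": "itsm-01", "product": "SysAid On-Prem", "version": "23.3.40"},
    {"host": "ndr-core", "product": "FortiNDR", "version": "7.6"},
]


def triage(inventory: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (host, cve list) for every asset with at least one matching CVE."""
    out = []
    for asset in inventory:
        cves = matching_cves(asset["product"], asset["version"])
        if cves:
            out.append((asset["host"], cves))
    return out


if __name__ == "__main__":
    for host, cves in triage(INVENTORY):
        print(f"{host}: {', '.join(cves)}")
```

Zero-padding short versions matters: a device reporting "7.6" must compare as 7.6.0, and "all versions of 1.1" must match 1.1.7, which a naive inclusive upper bound of 1.1.0 would miss. Version matching alone cannot tell whether a vendor hotfix is installed, which is why an active check is still preferable where one exists.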

SysAid has a global presence of over 10,000 customers across 140 countries, including organizations such as Coca-Cola, Panasonic, Adobe, and LG. While it holds a smaller share of the ITSM market compared to larger competitors like ServiceNow or Jira Service Management, it remains a popular solution for mid-sized businesses.

A CVSS 10 in Cisco IOS XE Wireless Controller

CVE-2025-20188 is a new critical-severity (CVSS 10) vulnerability disclosed in May 2025. It affects Cisco’s flagship platform, the Catalyst 9800 Series. Although not known to be actively exploited yet, a full technical walkthrough is now available, which will provide less sophisticated threat actors with a head start.

The root cause of the vulnerability is a hard-coded JSON Web Token (JWT) secret which could allow an attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges via a specially crafted HTTP request. Specifically, a hardcoded fallback secret – the string `notfound` – is used to verify the authenticity of a JWT if `/tmp/nginx_jwt_key` is not present.

Although this key file is generated at certain points, such as when an administrator logs into the management console, it may be absent at others, such as immediately after a device reboot or service start.
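To make the fallback pattern concrete, here is an added example (not Cisco's code) that verifies HS256 tokens two ways: the weak pattern that substitutes a constant when the key file is missing, and a fail-closed pattern that denies every request until key material exists. The key file name and the `notfound` constant come from this report; the temporary key path, the `sub` claim and the `sign_hs256` helper used to build test inputs are assumptions made for illustration.

```python
"""HS256 JWT verification: static fallback secret versus fail-closed.

Added example modelled on the fallback pattern described in the report; it is
not Cisco's code. The key file name and the "notfound" constant are from the
report; the temp path, claims and helpers are constructed for illustration.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import os
import tempfile

FALLBACK_SECRET = b"notfound"   # the hard-coded fallback named in the report


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token; used here only to construct test inputs."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def _check(token: str, secret: bytes) -> dict | None:
    """Return the claims if the signature verifies under `secret`, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def load_key(path: str) -> bytes | None:
    """Read the signing key; None if the file is missing or empty."""
    try:
        with open(path, "rb") as fh:
            return fh.read().strip() or None
    except FileNotFoundError:
        return None


def verify_with_fallback(token: str, key_path: str) -> dict | None:
    """Weak pattern: when the key file is missing, fall back to a constant.
    A token signed with that constant then verifies as if it were genuine."""
    secret = load_key(key_path) or FALLBACK_SECRET
    return _check(token, secret)


def verify_fail_closed(token: str, key_path: str) -> dict | None:
    """Hardened pattern: no key material means no verification; deny the request."""
    secret = load_key(key_path)
    if secret is None:
        return None
    return _check(token, secret)


def demo() -> dict[str, bool]:
    """Run both verifiers with the key file absent and then present."""
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "nginx_jwt_key")  # stands in for /tmp/nginx_jwt_key
        real_key = os.urandom(32)
        genuine = sign_hs256({"sub": "admin"}, real_key)
        static = sign_hs256({"sub": "admin"}, FALLBACK_SECRET)  # signed with the constant only
        results = {}
        # Key file absent, as right after a reboot or service start.
        results["absent_fallback_accepts_static"] = verify_with_fallback(static, key_path) is not None
        results["absent_failclosed_accepts_static"] = verify_fail_closed(static, key_path) is not None
        # Key file present, as after an administrator login.
        with open(key_path, "wb") as fh:
            fh.write(real_key)
        results["present_fallback_accepts_static"] = verify_with_fallback(static, key_path) is not None
        results["present_failclosed_accepts_genuine"] = verify_fail_closed(genuine, key_path) is not None
        return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The only difference between the two verifiers is what happens when `load_key` returns None; the weak version turns a transient state (key not yet generated) into a window in which a publicly known constant is the entire authentication check. The same window explains why a restarted device is the condition to watch for.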

Crucially, the flaw does not affect all HTTP endpoints – it is limited to the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for WLAN Controllers (WLCs). While Cisco’s advisory claims this service is not enabled by default, Horizon3.ai researchers found that it was. Therefore, while there are several conditions affecting the exploitability of CVE-2025-20188, if those conditions are present, exploitation is trivial – and likely affects many organizations.

Cisco has released an advisory which recommends that affected users either upgrade to the patched version, or disable the Out-of-Band AP Image Download feature. Greenbone Enterprise Feed includes a version detection test for identifying affected devices and verifying patch level.

Summary

May 2025 delivered a surge of critical vulnerabilities, major breaches and escalating nation-state activity. It’s important to keep in mind that AI-enhanced attack cycles are destined to become a reality – the chaotic and urgent cybersecurity landscape shows no sign of easing any time soon.

New actively exploited flaws in Cisco, Fortinet, and SysAid products force organizations to maintain vigilant, continuous detection efforts, followed by prioritization and mitigation.

Greenbone’s Enterprise coverage helps security teams see vulnerabilities that threat actors can exploit to stay ahead in a fast-moving threat landscape.