Cybersecurity News: Cisco IOS XE exploit, Senators’ CSRB request, Australia ransomware law

In today’s cybersecurity news…

Exploit for maximum severity Cisco IOS XE flaw now public

Following up on a story we covered at the start of May, details are now becoming available regarding the upload flaw, which suggests a working exploit may be available soon. As quoted in BleepingComputer, “a write-up by Horizon3 researchers does not contain a ‘ready-to-run’ proof of concept RCE exploit script, but it does provide enough information for a skilled attacker or even an LLM to fill in the missing pieces.” Given the immediate risk of weaponization and widespread use in attacks, it is recommended that impacted users act now to protect their endpoints. This flaw impacts software for wireless LAN controllers.

(BleepingComputer)

Senators ask for reinstatement of cyber review board to work on Salt Typhoon investigation

Four Senate Democrats have sent a letter to Homeland Security Secretary Kristi Noem asking her to reestablish the Cyber Safety Review Board (CSRB) whose 20 board members were dismissed days after the President’s inauguration in January. The senators’ letter describes the dismissal as “depriving the public of a fuller accounting of the origin, scope, scale, and severity of” the Salt Typhoon compromises. They add that the dismissals are “particularly confounding in light of the administration’s repeated insistence… on the need to leverage private sector and external expertise in government.”

(The Record)

Australian ransomware victims now must report their payments

The country has made good on parts of a Cybersecurity bill introduced to its Parliament in October of last year and has become “the first country in the world to require victims of ransomware attacks to declare to the government any extortion payments made on their behalf to cybercriminals.” The law applies to organizations with an annual turnover greater than AUS $3 million ($1.93 million) as well as some critical infrastructure sector organizations. Reports must be made to the Australian Signals Directorate (ASD) within 72 hours or be penalized 60 penalty units within the Australian civil penalty system.

(The Record)

U.S. intelligence employee arrested for alleged selling of classified info

The arrest was made by the FBI on Thursday. Nathan Laatsch, 28, of Alexandria, VA, worked in the Insider Threat Division unit and had top secret security clearance. He is now accused of attempting to provide classified information to a foreign government, the Justice Department said. Operating on a tip, an FBI agent, masquerading as a foreign government official, “arranged a drop at a public park in northern Virginia around May 1, where surveillance observed Laatsch leave a thumb drive at the specified location.” The drive contained a “decent sample size” of classified data and was meant to demonstrate the range of the types of products he could obtain and share with his level of access.

(Cyberscoop)

Huge thanks to our sponsor, Conveyor

Conveyor launched the first AI Agent for Customer Trust. So wtf does that mean?

It means the AI agent goes beyond just sharing NDA-gated documents like a SOC 2 with customers or answering security questionnaires.

Conveyor’s AI Agent, Sue, handles the entire security review process from start to finish. 

She answers every customer request from sales, completes every questionnaire and executes every communications and coordination task in-between. It’s perfect for B2B infosec teams sick of manual security review work.

Check it out at www.conveyor.com.

Hackers exploiting critical flaw in vBulletin forum software

There are actually two flaws, CVE-2025-48827 and CVE-2025-4882, with CVSS v3 scores of 10.0 and 9.0 respectively, and they affect the open-source forum software vBulletin. One of these has been confirmed as actively exploited in the wild. The flaws are an API method invocation and a remote code execution (RCE) via template engine abuse. They affect vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 when the platform runs on PHP 8.1 or later. Patches were released last year, meaning the danger lies with sites that have not upgraded.

(BleepingComputer)

Microsoft reminds users Authenticator cutoff is July 1

Following up on our coverage of Microsoft’s ousting of its Authenticator app in favor of Edge, the company is now issuing warnings “that the password autofill feature is being deprecated in July, suggesting users move to Microsoft Edge instead.” The warning clearly states that users should export saved passwords before July 1 or switch to Microsoft Edge. A transition to Edge, the company says, is basically a one-click action.

(BleepingComputer)

ConnectWise warns of nation-state attack on its ScreenConnect customers

The company says it “recently learned of suspicious activity… [that it believes] …was tied to a sophisticated nation state actor.” This activity affected a very small number of ScreenConnect customers. ScreenConnect is IT remote management and monitoring software used by governments and large businesses. According to The Record, “hackers have frequently targeted vulnerabilities in the software, using it as a jumping off point for ransomware attacks and data thefts.” ConnectWise said it has launched an investigation with forensic experts from Mandiant.

(The Record)

Good-guy leaker outs Conti kingpins in ransomware data dump

According to The Register, an individual with the handle GangExposed has “exposed key figures behind the Conti and Trickbot ransomware crews, publishing a trove of internal files and naming names.” The data includes chat logs, personal videos, and ransom negotiations connected to a couple of the most notorious cyber extortion gangs. Speaking with The Register via Signal, the individual claims he is not interested in the $10 million bounty that is being offered for information about one key Conti leader, but that he takes pleasure in thinking he can rid society of at least some of these gang leaders and members. As quoted in The Register, GangExposed calls himself an “independent anonymous investigator” without any formal IT background. “My toolkit,” he says, “includes classical intelligence analysis, logic, factual research, OSINT methodology, human psychology, and the ability to piece together puzzles that others don’t even notice.”

(The Register)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.