By security practitioners, for security practitioners

Weekly Top 10: 09.15.2025: CISA Adds a Newly Exploited CVE to the KEV Catalog; Microsoft Patch Tuesday: 81 Flaws, 2 Zero-Days; Google Chrome: Stable Channel Security Update and More.

WEEKLY TOP TEN: September 15, 2025, 16:00 GMT

  1. CISA Adds a Newly Exploited CVE to the KEV Catalog

    CISA added CVE-2025-5086 (Dassault Systèmes DELMIA Apriso deserialization) to the Known Exploited Vulnerabilities (KEV) catalog, indicating observed in-the-wild exploitation. Federal agencies must remediate by Oct 2, 2025, per BOD 22-01 timelines; private organizations are strongly encouraged to follow suit. The addition shows continued attacker interest in industrial and manufacturing software, and that insecure deserialization bugs remain an effective route to compromise.
  2. Microsoft Patch Tuesday: 81 Flaws, 2 Zero-Days

    Microsoft’s September Patch Tuesday delivered fixes for 81 vulnerabilities, including two publicly disclosed zero-days. Nine issues were rated critical, with multiple remote code execution paths. Admins were urged to prioritize patching of components with RCE and elevation-of-privilege exposure across Windows client and server releases. The update train also resolved knock-on issues from August updates. Organizations should expedite testing and deployment, particularly on internet-exposed systems and high-value servers. Guidance from Microsoft’s Security Response Center complemented third-party coverage.
  3. Exchange Online Outage Hits Users; Microsoft Says It’s Mitigated

    Microsoft confirmed and mitigated a global Exchange Online outage that blocked access to email and calendars. The disruption affected tenants across regions, with users reporting failures in sending/receiving messages and degraded Outlook experiences. Microsoft telemetry guided rollback/mitigation steps; service was restored later the same day with continued monitoring. Customers were advised to inspect Service Health for tenant-specific updates and retry affected operations. Post-incident reviews are expected to detail root cause and corrective actions.
  4. Panama’s Ministry of Economy Confirms Cyber Incident; INC Ransom Gang Claims 1.5TB Theft

    Panama’s Ministry of Economy and Finance (MEF) disclosed a cyber incident and an investigation after the INC Ransom gang claimed to have stolen 1.5TB of data, including emails and financial documents. The MEF has confirmed that standard safeguards are in place to protect personal and institutional data, but forensic work is still ongoing. If the theft claims prove accurate, the leak could expose sensitive budgeting and policy files. Agencies and partners are urged to monitor for targeted phishing and data abuse.
  5. UK Rail Operator LNER Hit via Supplier Breach; Customer Data Stolen

    Britain’s LNER disclosed that a third-party supplier breach led to theft of passenger data. Details were sparse, but the incident fits a recurring pattern of supply-chain compromises affecting transport and public services. Impacted customers may face phishing and identity abuse risks. The report urges vetting of vendor security, enforcing minimum controls (MFA, logging, and segmentation), and prompt notification to data subjects.
  6. CISA Publishes 11 New ICS Advisories

    CISA released 11 Industrial Control Systems (ICS) advisories covering vulnerabilities across multiple vendors (e.g., Daikin, Schneider). The advisories provide CVE details, impact, and mitigations. Operators in energy, manufacturing, and building automation should review vendor-specific guidance, apply patches where available, and implement compensating controls (network segmentation, MFA, monitoring). The cadence reflects persistent targeting of OT/ICS environments.
  7. VMSCAPE Spectre Variant Leaks Cloud Hypervisor Secrets

    Researchers disclosed VMSCAPE (CVE-2025-40300), a Spectre-class attack enabling a malicious cloud guest to leak secrets from the host hypervisor in default configs—no ROP gadget injection required. The finding raises concerns for multi-tenant cloud isolation and pushes cloud providers to deploy mitigations and performance-balanced defenses. Tenants should track provider guidance, apply updated kernels/firmware, and consider hardened instance types for sensitive workloads.
  8. Kazakhstan Oil “Attack” Turns Out to Be Red-Team Simulation

    An alleged Russian APT intrusion into Kazakhstan’s largest oil company was widely discussed until researchers clarified it was a red-team exercise, not a real breach. Dark Reading updated the story to reflect the correction. The episode underscores the need for careful validation before publicizing industrial “attacks,” given market and geopolitical sensitivity. Security teams should expect misinformation and verify sources before taking disruptive actions.
  9. Google Chrome: Stable Channel Security Update

    Google pushed a Chrome Stable update (Windows/Mac/Linux) fixing two security bugs, including a critical use-after-free in ServiceWorker (CVE-2025-10200) and a high-severity Mojo issue (CVE-2025-10201). Details remain restricted until most users update, consistent with Google’s disclosure policy. Enterprises should fast-track rollouts, enforce browser version compliance, and watch for exploit attempts against lagging endpoints.
  10. Massive NPM Supply-Chain Attack Hits Popular Packages

    Aikido Security detected a major NPM supply-chain attack affecting popular packages such as chalk, debug, and ansi-styles, which collectively receive billions of weekly downloads. The injected malicious code attempted to hijack wallets. The campaign illustrates the ongoing risk of developer-ecosystem compromises and the blast radius of package manager attacks. Dev teams should pin and verify dependencies, enable provenance (Sigstore/Cosign), and monitor for typosquats and unexpected post-install scripts.
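As an added example that is not part of the Novacoast post or Aikido's research, the following Node script implements two of the checks recommended above (dependency pinning and detection of packages that declare install scripts) over a package.json and package-lock.json; the manifests are constructed inline, the package names come from the item, and the versions and integrity values are placeholders, not the real compromised releases.

```javascript
// Added example (not from the Novacoast post or Aikido's research): audit a
// Node project's package.json and package-lock.json for two of the weak spots
// item 10 names: dependency ranges that are not pinned to an exact version,
// and packages that declare lifecycle install scripts. Manifests are samples.
const PINNED = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$/;

// An exact semver counts as pinned; ranges (^, ~, >=, *, x), dist-tags and
// URLs do not, so a newly published malicious version could be pulled in.
function isPinned(spec) {
  return PINNED.test(spec);
}

function auditDependencies(pkgJsonText, lockText) {
  const pkg = JSON.parse(pkgJsonText);
  const lock = JSON.parse(lockText);
  const findings = { unpinned: [], installScripts: [], missingIntegrity: [] };

  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(declared)) {
    if (!isPinned(spec)) findings.unpinned.push(`${name}@${spec}`);
  }

  // lockfileVersion 2/3: "packages" maps "node_modules/<name>" to metadata;
  // npm sets hasInstallScript when the package has (pre|post)install scripts.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const id = `${path.replace(/^.*node_modules\//, '')}@${meta.version}`;
    if (meta.hasInstallScript) findings.installScripts.push(id);
    if (!meta.integrity) findings.missingIntegrity.push(id);
  }
  return findings;
}

// Constructed sample manifests: package names from the item, versions and
// integrity values are placeholders, not the real compromised releases.
const samplePackageJson = JSON.stringify({
  dependencies: { chalk: '^5.3.0', debug: '4.3.4', 'ansi-styles': '~6.2.1' },
});
const sampleLock = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { chalk: '^5.3.0', debug: '4.3.4', 'ansi-styles': '~6.2.1' } },
    'node_modules/chalk': { version: '5.3.0', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/debug': { version: '4.3.4', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/ansi-styles': { version: '6.2.1', hasInstallScript: true },
  },
});

console.log(auditDependencies(samplePackageJson, sampleLock));
```

Run it against a real project by reading the two files from disk instead of the inline samples; any entry in installScripts or missingIntegrity deserves a manual look before the next install.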

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ we reviewed during the week as the most significant, ranked by highest risk and drawing on multiple sources where available.
