Coinbase, a cryptocurrency exchange with over 100 million customers, has disclosed a significant data breach affecting 69,461 individuals. The breach, which involved cybercriminals working with rogue support agents, led to the theft of customer data and internal documentation. The attackers accessed this data with the help of overseas contractors and support staff who misused their system access. Coinbase confirmed that no customer passwords, private keys, or funds were compromised, but sensitive personal information was exposed.
Details of Stolen Data
The stolen data includes names, addresses, phone numbers, email addresses, masked Social Security numbers, bank account details, and images of government IDs such as driver’s licenses and passports. Account information, including transaction history and balance snapshots, was also taken. While no passwords or private keys were accessed, this data can be used for social engineering attacks, where attackers pose as legitimate sources to deceive customers into transferring funds.
Attack Method and Insider Involvement
The breach occurred when a small group of overseas support staff, who were paid to access internal systems, improperly accessed and stole customer data. Coinbase detected the issue and terminated the involved staff members. Despite this, the data was already exfiltrated, and attackers used it to conduct social engineering schemes, attempting to manipulate customers into sending funds.
Ransom Demand and Coinbase’s Response
After gaining access to the stolen data, the attackers contacted Coinbase on May 11, demanding a $20 million ransom to prevent the release of the data. Coinbase refused to pay the ransom and instead offered a $20 million reward fund for information leading to the capture of the perpetrators. The company has also committed to reimbursing customers who were tricked into transferring funds to the attackers.
Financial Impact and Customer Reimbursement
Coinbase estimates the breach could lead to expenses between $180 million and $400 million for remediation, including customer reimbursements. Although the full financial impact remains uncertain, Coinbase has vowed to reimburse customers who sent funds to the attackers after being deceived in follow-up social engineering attacks. The company is also implementing improved insider-threat detection and automated threat response systems to prevent future breaches.
Customer Protection Measures
Coinbase advises customers to be cautious of scammers impersonating Coinbase employees, stressing that Coinbase will never request sensitive information over the phone. To protect their accounts, customers are encouraged to enable two-factor authentication (2FA) and withdrawal allow-listing, which helps prevent unauthorized transfers. Coinbase further emphasized that these measures are crucial to safeguard against similar social engineering schemes.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Microsoft has confirmed a widespread issue causing some Windows 10 systems to enter BitLocker recovery mode after installing the May 2025 security updates. This problem, affecting a variety of system configurations, has prompted the company to release an out-of-band emergency update to resolve the issue. Affected users, particularly those running Windows 10 22H2, Windows 10 Enterprise LTSC 2021, and Windows 10 IoT Enterprise LTSC 2021 on systems with Intel vPro processors, encountered BitLocker recovery screens following the installation of the KB5058379 update.
The Issue
The issue emerged after the release of the May 2025 security update, KB5058379, as part of Microsoft’s Patch Tuesday updates. Upon installation, certain systems began failing to boot, triggering an automatic repair cycle that demanded the input of a BitLocker recovery key. For many affected users, the Local Security Authority Subsystem Service (LSASS) process unexpectedly terminated, which led to an installation failure event with error code 0x800F0845 in the Windows Event Viewer. This failure caused the device to enter BitLocker recovery mode.
Microsoft acknowledged the problem, noting that a “small number” of systems with BitLocker enabled are being impacted by this issue. Devices with Intel vPro processors (10th generation or later) and Intel Trusted Execution Technology (TXT) enabled are particularly affected. Consumer systems running Windows 10 Home or Pro editions are unlikely to experience this issue, as they typically do not use Intel vPro processors.
Symptoms and Impact
When impacted systems are booted, they may present the BitLocker recovery screen after Windows attempts to start but fails repeatedly. This failure triggers the Automatic Repair process, which requests the BitLocker recovery key for further access. In some cases, this issue causes systems to enter a BitLocker recovery loop, where the device is unable to successfully recover and start up. Others may experience a successful rollback to the previous update after multiple attempts, but the issue remains disruptive.
The error logs in the Event Viewer often show LSASS errors and installation failure events with the 0x800F0845 error code, signaling that the update process was interrupted, causing the device to fail to boot properly.
Temporary Workarounds
Microsoft has suggested a few temporary workarounds for users unable to immediately apply the emergency fix. To bypass the issue, users can attempt to disable Intel’s Trusted Execution Technology (TXT) or Virtualization Technology (VT) in the system BIOS/UEFI. Disabling these features may allow the system to boot normally and provide time for users to install the emergency update.
Emergency Update Released
In response to the issue, Microsoft has released the KB5061768 emergency update via the Microsoft Update Catalog. This update is cumulative, meaning it does not require prior updates to be installed. The emergency patch aims to address the BitLocker recovery loop by fixing the LSASS termination problem caused by the May 2025 security update.
Once installed, this emergency update should resolve the issue for impacted users, allowing them to bypass the BitLocker recovery screen and restore normal functionality. Microsoft strongly advises affected users to download and install the KB5061768 update immediately to prevent further disruptions.
Steps to Fix the Issue:
Install the Emergency Update: Download and install the KB5061768 update from the Microsoft Update Catalog. This update will fix the issue caused by the KB5058379 update.
Disabling Intel Features: If you cannot immediately install the update, disable Intel Trusted Execution Technology (TXT) and Intel Virtualization Technology (VT) from your system’s BIOS/UEFI settings. Once the update is installed, you can re-enable these features.
Retrieving BitLocker Recovery Key: If you are stuck at the BitLocker recovery prompt, retrieve the recovery key by logging into the BitLocker recovery screen portal using your Microsoft account. You can find detailed instructions on how to retrieve the BitLocker recovery key on Microsoft’s support page.
Historical Context
This isn’t the first time BitLocker recovery issues have occurred following a Windows update. Similar problems were experienced in August 2022 after the release of the KB5012170 update, as well as in July 2024, when another BitLocker recovery issue affected Windows 10, Windows 11, and Windows Server systems. Each time, Microsoft responded with emergency updates to resolve the issue and mitigate further user disruption.
The BitLocker recovery issue caused by the May 2025 security update has disrupted Windows 10 systems, particularly those with Intel vPro processors. Microsoft has released a cumulative emergency update to resolve the issue, and users are urged to install the KB5061768 update to fix the problem and restore their systems to normal operation. Until the patch is applied, disabling Intel TXT and VT in the BIOS/UEFI settings can serve as a temporary workaround. Microsoft continues to investigate the root cause of the issue and will provide further updates as necessary.
As always, it’s important to stay up-to-date with security patches and monitor official Microsoft channels for the latest advisories.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Firefox Patches 2 Zero-Days Exploited at Pwn2Own Berlin with $100K in Rewards
Microsoft Open-Sources Windows Subsystem for Linux at Build 2025
How can Netizen help?
Firefox Patches 2 Zero-Days Exploited at Pwn2Own Berlin with $100K in Rewards
Mozilla has issued critical security updates to address two zero-day vulnerabilities found in its Firefox browser, which were actively exploited during the Pwn2Own Berlin hacking competition. These flaws, identified as CVE-2025-4918 and CVE-2025-4919, have the potential to allow attackers to execute arbitrary code or steal sensitive data. The vulnerabilities were demonstrated by ethical hackers, who were awarded $50,000 each for successfully exploiting the flaws in real-time
Vulnerabilities Overview: The two vulnerabilities, both related to memory corruption and out-of-bounds access in Firefox’s JavaScript engine, were discovered by security researchers at Palo Alto Networks and credited to Edouard Bochin and Tao Yan for CVE-2025-4918, and Manfred Paul for CVE-2025-4919. Below are the technical details of each vulnerability:
CVE-2025-4918 – Out-of-Bounds Access in Promise Objects: This vulnerability stems from improper handling of Promise objects within Firefox’s JavaScript engine. By exploiting the flaw, an attacker can perform an out-of-bounds read or write operation, potentially leading to the exposure of sensitive information or triggering memory corruption. This could then allow an attacker to execute arbitrary code on the targeted system.
CVE-2025-4919 – Out-of-Bounds Access When Optimizing Linear Sums: The second vulnerability, CVE-2025-4919, arises when Firefox optimizes linear sums in JavaScript objects. An attacker could leverage this flaw by causing incorrect array index calculations, leading to out-of-bounds memory access. Like the first vulnerability, this could allow unauthorized data access or memory corruption, potentially leading to code execution.
Both vulnerabilities were demonstrated at Pwn2Own Berlin, a renowned hacking contest where participants attempt to exploit real-world software. The successful exploits of these flaws earned the researchers a total of $100,000 in rewards. Notably, while these vulnerabilities were demonstrated in an attack setting, Mozilla has confirmed that both exploits were confined within Firefox’s sandbox environment. This means the flaws did not allow the attackers to escape the browser’s protective barriers and gain control over the underlying system.
Despite this, the risks associated with these vulnerabilities remain significant, especially considering the widespread use of web browsers as a primary vector for malware distribution. If successfully exploited, these flaws could allow attackers to access sensitive information, disrupt system operations, or potentially deliver malicious payloads.
The vulnerabilities affect several versions of the Firefox browser, including:
All versions prior to Firefox 138.0.4 (including Firefox for Android).
All versions of Firefox Extended Support Release (ESR) prior to 128.10.1 and 115.23.1.
Users are strongly urged to update to the latest Firefox release to mitigate the risk posed by these vulnerabilities.
Mozilla has emphasized that the vulnerabilities did not break out of the Firefox sandbox, a security feature designed to isolate browser processes from the underlying system. This containment effectively mitigated the potential impact of these exploits, as the attacker would not have been able to gain control of the operating system itself. Nonetheless, Mozilla has advised all users to update to the latest version of Firefox to ensure they are protected from these vulnerabilities.
As of now, Mozilla has released updated versions of Firefox that address both vulnerabilities. Users are encouraged to apply the patches immediately to avoid potential exploitation. Firefox users can download the latest update directly from the official Mozilla website or through their browser’s built-in update feature.
By staying informed and promptly applying patches, security teams can mitigate risks and protect their users from the exploitation of vulnerabilities like CVE-2025-4918 and CVE-2025-4919.
Microsoft Open-Sources Windows Subsystem for Linux at Build 2025
In a major move for the development community, Microsoft has officially open-sourced the Windows Subsystem for Linux (WSL), making its source code available on GitHub. This decision marks a significant milestone for a project that began as an experimental feature nearly a decade ago but has since evolved into one of the most popular tools for developers on Windows. While the move is a big step towards greater transparency and collaboration, certain components, such as the kernel driver and filesystem redirection elements, remain closed due to their integral role in Windows.
WSL was first introduced in 2016 at Microsoft’s BUILD conference and became a core feature of Windows 10 in the Anniversary Update. Initially, WSL 1 relied on a compatibility layer to bridge the gap between Linux and Windows, allowing Linux distributions to run directly within Windows without needing a full virtual machine.
The real game-changer came in 2019 with the release of WSL 2, which brought significant improvements. Instead of using a compatibility layer, WSL 2 now incorporates a full Linux kernel running in a lightweight virtual machine. This shift provided a wealth of performance benefits, including the ability to leverage GPU resources, support for systemd, and the ability to run graphical Linux applications seamlessly alongside Windows applications. These advancements made WSL an indispensable tool for developers working across both platforms.
With the open-source release at Build 2025, Microsoft has made the core components of WSL available for inspection and contribution. These include:
Command-line tools: wsl.exe and wslg.exe, which manage the WSL environment and the Linux graphical interface.
Background services: The wslservice.exe service responsible for managing the WSL lifecycle and its networking.
Linux-side daemons: Various background processes that handle networking, daemon launches, and port forwarding within the WSL environment.
By releasing these components, Microsoft is giving developers the ability to examine how WSL works at a deeper level, contribute to its evolution, and even build their own versions or features.
Pierre Boulay, a key figure behind WSL at Microsoft, shared that the decision to open-source WSL was driven by the contributions the community has already made without direct access to the source code. Over the years, many users have added valuable features and fixes to WSL through workarounds and community-driven patches. Microsoft now hopes that by allowing direct code contributions, the pace of innovation will accelerate even further.
“WSL could never have been what it is today without its community,” Boulay noted. “Even without access to WSL’s source code, people have been able to make major contributions that lead to what WSL is now. This is why we’re incredibly excited to open-source WSL today.”
While the core components of WSL have been made available, Microsoft has retained some proprietary elements that are integral to Windows. These include:
Lxcore.sys: The kernel driver used in WSL 1, which is part of the Windows operating system.
P9rdr.sys and p9np.dll: Components responsible for enabling the \\wsl.localhost filesystem redirection, a key feature of how WSL integrates with the Windows file system.
These components remain closed due to their direct involvement with Windows’ kernel and file system, making them too tightly coupled to the operating system’s core functionality to be open-sourced.
The open-sourcing of WSL offers several benefits to the developer community. Developers can now:
Inspect the code: Gain insights into how WSL works under the hood and better understand its internals.
Submit improvements: Propose new features, bug fixes, and optimizations, potentially improving WSL for all users.
Build their own versions: Modify and build customized versions of WSL to suit specific use cases or enterprise environments.
With WSL now open for contributions, the possibility of accelerating the development of WSL features is high. Community contributions have always been at the heart of WSL’s evolution, and now Microsoft is formalizing that process, making it easier for anyone to get involved.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
The Non-classified Internet Protocol Router Network (NIPRNet) is a foundational element of the U.S. Department of Defense’s global IT infrastructure. Though often misunderstood due to its name, NIPRNet is far more than a basic communications network—it is a mission-critical platform that underpins secure information sharing, operational coordination, and government communications across multiple agencies.
What Is NIPRNet?
NIPRNet is the primary network used by the U.S. Department of Defense (DoD) to transmit sensitive but unclassified information. Despite the “non-classified” label, the network supports communications and data access that are vital to national security and defense operations. It is separate from the public internet and built with a strong focus on controlled access and security.
Originally introduced in 1992, NIPRNet has expanded into a worldwide system that serves millions of users, including DoD employees, other federal agencies, and select international partners. Over time, it has become indispensable to the day-to-day functioning of defense and government operations.
How NIPRNet Works
Unlike commercial or public networks, NIPRNet is physically and logically isolated from the internet. It uses encryption, firewalls, strict access controls, and advanced intrusion detection systems to protect its data from interception or unauthorized access. Only credentialed, authorized users can access NIPRNet, and access is often tightly restricted based on clearance levels and organizational roles.
The network supports a range of services, including secure email, voice and video communication, collaboration platforms, file transfers, and access to internal databases.
Key Applications of NIPRNet
NIPRNet is used extensively across defense and government sectors for:
Secure Communication: It provides a reliable and safe channel for exchanging operational messages, directives, and status reports using secure email, messaging apps, and video conferencing tools.
Information Sharing: The network enables collaboration between military branches, federal agencies, and allied partners by allowing authorized access to mission-relevant data.
Database Access: NIPRNet connects users to essential DoD databases, including those for personnel records, medical data, logistics, and more—systems that must remain protected from public exposure.
Enterprise Services: It supports a full suite of enterprise IT services such as DNS, directory services, email hosting, and administrative platforms, all operating within a secure perimeter.
Joint Operations: During multinational or interagency missions, NIPRNet acts as a trusted bridge for real-time coordination between the DoD, civilian government agencies, and partner nations.
The Evolution of NIPRNet
When NIPRNet was first deployed in the early 1990s, it was limited in scope, primarily connecting a small number of military installations. As technology and operational needs evolved, so did the network. Over the last three decades, it has undergone continuous modernization to improve bandwidth, scalability, and cybersecurity protections.
The network’s architecture now supports cloud-hosted services, distributed access points, and rapid data exchange across geographically dispersed commands. NIPRNet’s resilience and reliability have become more critical than ever in an era where cyber threats are increasingly sophisticated and persistent.
NIPRNet vs. Other Government Networks
NIPRNet is often mentioned alongside other key government networks, such as SIPRNet (Secret Internet Protocol Router Network) and JWICS (Joint Worldwide Intelligence Communications System). While SIPRNet handles classified data up to the Secret level, and JWICS supports Top Secret and SCI (Sensitive Compartmented Information) communications, NIPRNet is reserved for unclassified but sensitive operational data.
Despite handling a lower classification of information, NIPRNet must still meet strict security requirements due to the nature of the data it processes—particularly as more military functions move to digital platforms.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
May 2025 — A newly disclosed Chrome vulnerability tracked as CVE-2025-4664 is drawing urgent attention across the security community. The flaw, identified as a case of insufficient policy enforcement in Chrome’s Loader component, allows attackers to bypass same-origin restrictions and exfiltrate sensitive query parameters to third-party domains. Google released a patch for the issue on May 14, 2025, as part of Chrome version 136.0.7103.113, but the vulnerability has already been actively exploited in the wild.
What Is CVE-2025-4664?
CVE-2025-4664 affects how Google Chrome handles the Link HTTP header on sub-resource requests. While most browsers ignore the referrer-policy defined in this context, Chrome uniquely processes it. By setting the referrer-policy to unsafe-url, an attacker can craft a malicious page that forces the browser to include full query parameters in the Referer header when fetching a sub-resource—such as an image—from an attacker-controlled domain.
This subtle behavior opens the door for cross-origin data leaks. If URLs contain sensitive information in the query string—like session tokens, user IDs, or email addresses—those details can be silently leaked. Although the CVSS v3 score is listed as 4.3 (medium severity), the real-world impact can be far more damaging depending on how developers handle authentication and data in URLs.
Active Exploitation and Research Disclosure
The vulnerability was responsibly disclosed by security researcher Vsevolod Kokorin (@slonser_), who also published a proof-of-concept on May 5. Google confirmed that exploits for this vulnerability exist in the wild, though no targeted campaigns have been publicly attributed yet. CVE-2025-4664 follows closely on the heels of another Chrome zero-day, CVE-2025-2783, which was exploited by threat actors earlier this year in espionage operations.
Mitigation and Patching
Google’s security update is now available for Windows, macOS, and Linux users running Chrome version 136.0.7103.113 or later. Users of other Chromium-based browsers—including Microsoft Edge, Brave, Opera, and Vivaldi—should also apply security updates as soon as vendors release patches.
Administrators should verify that Chrome instances across managed environments have been updated and consider implementing enterprise policy controls that restrict outdated versions of the browser. Furthermore, content security policies (CSP) and strict referrer-policy headers should be reviewed and explicitly defined to avoid similar future issues.
What SOC Teams Need to Know
Security Operations Center (SOC) teams should prioritize monitoring for potential abuse of this vulnerability, especially in environments where sensitive data may be passed via URL query parameters. While this is typically considered a poor security practice, it remains common in many web applications—making this vulnerability a viable vector for lateral movement or data leakage.
Analysts should inspect outbound traffic for unusual image or sub-resource requests made to third-party domains that include referrer headers with query strings. Detection rules within SIEM platforms should be updated to log HTTP requests containing sensitive tokens in referer fields—especially requests originating from browser agents tied to Chrome versions prior to 136.0.7103.113.
Teams should also validate internal web applications for adherence to modern security headers. Sites should avoid using unsafe-url as a default referrer policy and explicitly define strict referrer-policy headers to limit exposure. Developers should be discouraged from placing any sensitive tokens or credentials in the URL path or query string. These should be passed securely using headers or within POST bodies whenever possible.
In organizations where browser management is part of the IT stack, ensure Chrome auto-updates are enforced and that no legacy Chromium-based browsers are permitted to access sensitive internal applications. With known exploits circulating, unmanaged browser instances may represent a weak point in an otherwise hardened perimeter.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Microsoft’s May 2025 Patch Tuesday includes security updates for 72 vulnerabilities, featuring five actively exploited zero-days and two additional publicly disclosed flaws. The update also addresses six critical vulnerabilities, five involving remote code execution (RCE) and one classified as an information disclosure issue.
Breakdown of Vulnerabilities
The vulnerabilities patched this month fall into the following categories:
17 Elevation of Privilege (EoP) vulnerabilities
28 Remote Code Execution (RCE) vulnerabilities
15 Information Disclosure vulnerabilities
7 Denial of Service (DoS) vulnerabilities
2 Security Feature Bypass vulnerabilities
2 Spoofing vulnerabilities
This count does not include vulnerabilities related to Azure, Microsoft Edge, Dataverse, or Mariner, which were addressed earlier this month. Non-security updates released include Windows 11 KB5058411 and KB5058405, and Windows 10 KB5058379.
Zero-Day Vulnerabilities
This month’s Patch Tuesday addresses five zero-day vulnerabilities confirmed to be actively exploited in the wild:
CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability
Affects: Windows DWM Core Library A use-after-free flaw in the Desktop Window Manager (DWM) allows a local, authorized attacker to elevate privileges to SYSTEM.
CVE-2025-32701 | Windows Common Log File System Driver Elevation of Privilege Vulnerability
Affects: Windows Common Log File System Driver Use-after-free vulnerability enabling local privilege escalation to SYSTEM.
CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerability
Affects: Same driver as CVE-2025-32701 This vulnerability stems from improper input validation, allowing local attackers to elevate to SYSTEM.
CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Affects: Ancillary Function Driver for WinSock Another use-after-free vulnerability, permitting SYSTEM-level elevation via local exploitation.
Affects: Microsoft Scripting Engine This remote code execution vulnerability arises from a type confusion bug. Exploitation requires tricking a user into clicking a crafted link in Microsoft Edge or Internet Explorer.
Publicly Disclosed Vulnerabilities
CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability
Affects: Microsoft Defender for Identity Allows unauthenticated LAN-based attackers to spoof identities due to improper authentication validation.
CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability
Affects: Visual Studio A command injection flaw enabling unauthenticated local RCE through improper handling of special elements in commands.
Other Critical Vulnerabilities
In addition to the zero-days, Microsoft patched several critical vulnerabilities this month. Five are remote code execution flaws across key components, and one involves an information disclosure flaw with a high impact rating. Detailed CVE references for these critical issues have not yet been included in Microsoft’s summary documentation, but their classification as critical indicates high potential for system compromise if left unpatched.
Adobe and Other Vendor Updates
Several major vendors issued important updates in May 2025:
Apple: Released updates for iOS, iPadOS, and macOS
Cisco: Patched a maximum severity bug in IOS XE Wireless LAN Controllers
Fortinet: Addressed multiple flaws, including an actively exploited zero-day in FortiVoice
Google: Fixed 62 Android bugs, including a zero-click RCE in FreeType 2
Intel: Published CPU microcode updates to mitigate Branch Privilege Injection, a vulnerability capable of leaking sensitive data from privileged memory
SAP: Released updates for multiple products, including critical RCE vulnerabilities
SonicWall: Patched a zero-day that had been exploited in active attacks
Recommendations for Users and Administrators
Given the scope and severity of the May updates, especially the five actively exploited vulnerabilities, users and administrators should prioritize patching affected Windows systems immediately. Elevated privilege vulnerabilities—particularly those exploited in the wild—pose a significant threat to enterprise environments and should be addressed with urgency.
Pay special attention to environments running Desktop Window Manager (DWM), systems with network exposure to Edge or Internet Explorer, and any configuration leveraging Microsoft Defender for Identity or Visual Studio. Organizations should validate patch deployment success and closely monitor for any signs of post-exploitation behavior or lateral movement attempts.
Full patch details and associated guidance can be reviewed in Microsoft’s Security Update Guide.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
LockBit Admin Panel Hacked: Leaked Data Offers Rare Insight into Ransomware Operations
Google to Pay $1.375 Billion in Texas Settlement Over Unauthorized Location and Biometric Tracking
How can Netizen help?
LockBit Admin Panel Hacked: Leaked Data Offers Rare Insight into Ransomware Operations
On May 7, an administration panel belonging to the LockBit ransomware-as-a-service (RaaS) operation was compromised, resulting in the public release of internal communications, attacker infrastructure details, and affiliate negotiation records—information with immediate value to law enforcement, incident response teams, and threat intelligence researchers.
The attacker defaced a LockBit admin domain with the message: “Don’t do crime, crime is bad xoxo from Prague,” along with a link to a compressed archive containing data extracted from the compromised server. This includes:
Bitcoin wallet addresses tied to affiliate transactions
Chat logs between affiliates and victims
TOX IDs, usernames, and passwords for 76 registered users
Indicators of infrastructure, malware, and operational procedures
Rapid7’s Christiaan Beek confirmed that the Bitcoin wallet addresses could aid law enforcement in tracing transactions and identifying actors involved in LockBit’s affiliate network. Searchlight Cyber’s Luke Donovan reported that 22 of the leaked user accounts were associated with TOX IDs—metadata commonly reused across dark web forums. Researchers were able to correlate some of these to known threat actor aliases, potentially enabling further attribution or linking affiliate activity across campaigns.
The chat logs—spanning December 2024 to April 2025—expose negotiation tactics in detail. According to Beek, affiliates pressured victims with rapid ransom demands that varied significantly, sometimes requesting amounts as low as $5,000 and in other cases demanding six-figure payments. This range of tactics provides valuable insight for incident responders and negotiators working on live ransomware cases.
Donovan noted similarities between this attack and a prior defacement of the Everest ransomware group’s infrastructure, suggesting the breach may stem from infighting or retaliation within the cybercriminal ecosystem. Though attribution remains speculative, the reused messaging indicates the same threat actor may be behind both compromises.
LockBit has acknowledged the breach but claimed no victim data or decryptors were exposed. The group’s figurehead, known as LockBitSupp—identified by law enforcement as Russian national Dmitry Yuryevich Khoroshev—has publicly offered a reward for information on the identity of the attacker responsible.
While LockBit infrastructure was dealt a significant blow in coordinated takedowns last year, this leak is one of the most substantial windows into their internal operations to date. For security teams and intelligence analysts, the exposed records offer a rare opportunity to better understand affiliate dynamics, operational workflows, and negotiation strategies used in active ransomware campaigns.
Security teams should review the leaked indicators, monitor for reused TOX IDs or wallet addresses, and remain alert to opportunistic attacks or impersonation attempts stemming from the breach.
Google to Pay $1.375 Billion in Texas Settlement Over Unauthorized Location and Biometric Tracking
Google has agreed to pay $1.375 billion to the state of Texas to settle two major lawsuits alleging the unauthorized tracking of users’ physical location and the collection of biometric data, including facial recognition and voiceprints—without user consent. The figure represents the largest privacy-related settlement Google has made with a single U.S. state and far exceeds the amounts it previously paid in similar lawsuits across other jurisdictions.
Filed in 2022 by Texas Attorney General Ken Paxton, the lawsuits accused Google of violating state privacy laws by tracking users’ movements even when location history was turned off, recording incognito searches, and capturing biometric identifiers such as facial geometry and voice profiles without explicit user permission. These practices were allegedly performed through core services like Google Maps, Search, and Photos.
“For years, Google secretly tracked people’s movements, private searches, and even their voiceprints and facial geometry through their products and services,” said Attorney General Paxton. “This $1.375 billion settlement is a major win for Texans’ privacy and tells companies that they will pay for abusing our trust.”
The magnitude of this settlement not only surpasses Google’s $391 million payout to 40 states in 2022, but also its $93 million agreement with California in 2023 and a $29.5 million resolution involving Indiana and Washington. It is on par with the $1.4 billion settlement Meta reached with Texas over similar biometric privacy violations.
In response to regulatory and public pressure, Google has made incremental privacy changes. These include storing Maps Timeline data locally on users’ devices rather than in the cloud and introducing auto-deletion controls for location data when tracking features are enabled.
With increasing regulatory scrutiny from both U.S. and international authorities, this settlement further intensifies pressure on Google, which is already facing antitrust calls to break up key areas of its business. Privacy professionals should view this as a signal to review data handling practices—particularly those involving sensitive categories such as biometrics and geolocation—and ensure compliance with both existing and emerging state-level regulations.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
In cybersecurity, a compliance management system (CMS) is more than a risk mitigation tool—it’s the operational framework that helps security teams enforce, monitor, and report on adherence to regulatory mandates, internal policies, and industry standards. A well-structured CMS centralizes processes and controls to reduce non-compliance exposure and integrates directly into broader cybersecurity risk strategies.
A CMS isn’t a single product or dashboard. It’s a coordinated system of technical tools, procedural workflows, and human oversight that together ensure regulatory alignment. For cybersecurity professionals, it can include policy engines, continuous control monitoring (CCM), vulnerability assessments tied to compliance mandates, and tools for documenting security operations in line with frameworks like NIST, ISO 27001, HIPAA, PCI DSS, and others.
Why a CMS Matters in Cybersecurity Operations
Security teams face a sprawling landscape of compliance regulations that evolve with every breach, new technology, and global data transfer law. From GDPR’s data handling rules to sector-specific frameworks like CMMC or SOC 2, keeping up requires more than documentation—it requires constant situational awareness across all systems and users.
Non-compliance isn’t just a legal problem. It introduces significant operational risk, expands an organization’s attack surface, and often correlates with weak security controls. For example, the gap between regulatory obligations and current system configurations can become an exploitable vulnerability. A CMS offers a structured approach for mapping, implementing, and monitoring compliance-related security controls across distributed environments.
Key Components of a CMS for Security Teams
Board-Level Buy-In and Executive Accountability Executive leadership must signal that security compliance is a strategic business priority. Without top-down pressure, even well-architected CMS programs stall during implementation. Boards and CISOs should align on the business risk of non-compliance and allocate appropriate resources, particularly for incident response, vulnerability disclosure handling, and third-party risk assessments.
Security Compliance Leadership This often falls to the CISO, a dedicated compliance officer, or GRC lead. These roles manage the implementation of technical safeguards, policy alignment, audit readiness, and security awareness initiatives across the enterprise. Their task includes ensuring that technical controls map directly to regulatory requirements and that evidence can be produced on demand.
Formalized Compliance Program This is the operational side of a CMS. It includes risk assessments, regular control testing, policy documentation, audit logging, security training, and enforcement. In mature environments, the compliance program is built into the security stack—automating reporting, generating alerts for non-compliance events, and enabling continuous compliance monitoring via integrations with SIEMs, vulnerability scanners, and IAM tools.
Consumer Complaint and Incident Intake Although more common in consumer-facing environments, this function also applies to enterprise cybersecurity—particularly around breach disclosures, right-to-be-forgotten requests, and DSARs (Data Subject Access Requests). Having structured intake and escalation procedures helps reduce legal risk and aligns with breach notification regulations.
Internal and External Audits Audits measure how security controls align with regulatory expectations. Internal audits help security teams identify and close control gaps before external auditors arrive. Mature CMS implementations make audit preparation routine by embedding compliance reporting into daily operations. External audits can validate readiness for certifications or serve as part of vendor assurance efforts.
Continuous Monitoring and Risk Assessment Compliance is not static. Continuous monitoring tools—whether from cloud security posture management (CSPM), configuration management databases (CMDBs), or extended detection and response (XDR)—provide real-time insight into drift from compliance baselines. When controls degrade, these systems alert stakeholders and log incidents for forensic and reporting purposes.
Implementing a CMS: Practical Steps for Security Teams
Baseline Requirements: Begin with a gap analysis—compare your current control set to your regulatory obligations. This forms the foundation of your CMS roadmap.
Tool Selection: Choose GRC platforms, policy engines, and audit support tools that integrate with your SIEM, identity provider, and cloud environments. API compatibility matters more than UI.
Define Ownership: Assign responsibility across teams (IT, legal, HR, dev) for specific compliance objectives. Clarify who maintains control mappings and who handles audit response.
Training and Policy Enforcement: Technical controls only go so far without user behavior alignment. Incorporate role-specific security training and automated policy enforcement where possible.
Audit Readiness: Maintain documentation of system configurations, access controls, incident response procedures, and prior assessment results. Use dashboards and automated compliance scoring where available.
Feedback Loops: Monitor for shifts in the regulatory landscape. Use threat intelligence, vendor updates, and industry groups to anticipate changes and adjust the CMS accordingly.
Final Thoughts
For cybersecurity teams, a CMS isn’t optional—it’s essential infrastructure. It ties together regulatory compliance, operational security, and business continuity into one system of accountability. In an era where compliance violations often signal deeper security failings, a properly implemented CMS is one of the strongest defenses against reputational and regulatory damage.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Cisco has released a critical security update to patch CVE-2025-20188, a zero-click vulnerability with a CVSS score of 10.0 that affects multiple IOS XE Wireless Controller models. The flaw allows unauthenticated remote attackers to upload files and execute arbitrary commands with root privileges on vulnerable devices.
Key Details of CVE-2025-20188
The vulnerability stems from a hard-coded JSON Web Token (JWT) embedded within affected systems. If exploited, an attacker could send crafted HTTPS requests to the AP image download interface and perform file uploads, path traversal, and remote code execution with full system control.
This issue impacts the following Cisco products when running vulnerable firmware and with the Out-of-Band AP Image Download feature enabled:
Catalyst 9800-CL Wireless Controllers for Cloud
Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
Catalyst 9800 Series Wireless Controllers
Embedded Wireless Controller on Catalyst Access Points
Importantly, the Out-of-Band AP Image Download feature is disabled by default, limiting risk for systems where it remains off.
Exploitation Requirements and Recommendations
According to Cisco’s advisory, successful exploitation requires the targeted device to have the vulnerable feature manually enabled. Cisco recommends the following actions:
Immediate Upgrade: Apply the latest security patches released on May 8, 2025.
Temporary Mitigation: Disable the Out-of-Band AP Image Download feature if upgrades are not immediately possible.
Cisco notes that disabling the feature does not disrupt AP functionality, as image downloads will fall back to CAPWAP (Control and Provisioning of Wireless Access Points), which is not impacted by this flaw.
Discovery and Impact
The flaw was discovered during internal security testing by a member of Cisco’s Advanced Security Initiatives Group (ASIG), identified only as X.B. At this time, there is no evidence that CVE-2025-20188 has been exploited in the wild.
This vulnerability is categorized under CWE-798: Use of Hard-coded Credentials, a common weakness that can lead to severe breaches when present in production software.
What SOC Teams Need to Know
Security operations teams should treat CVE-2025-20188 as a top-priority vulnerability due to its unauthenticated, remote code execution impact and critical CVSS score of 10.0. Although the exploit path relies on the Out-of-Band AP Image Download feature being enabled (which is disabled by default), environments with custom configurations or legacy setups may unknowingly be at risk. SOC teams should immediately audit all Cisco IOS XE wireless controllers for exposure, confirm the feature is disabled if patching is delayed, and begin log analysis for any suspicious HTTPS activity targeting the AP image download interface. It is also recommended to set up alerts for configuration changes that may enable the vulnerable feature and verify integrity of critical system files.
CVE-2025-20188 presents a serious risk for organizations using Cisco IOS XE-based wireless controllers with the vulnerable image download feature enabled. Administrators are urged to update affected systems immediately or disable the vulnerable feature to prevent potential remote compromise.
Cisco’s full advisory and mitigation steps are available here:
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
After more than five years of legal proceedings, a U.S. federal jury has ordered Israeli spyware vendor NSO Group to pay over $167 million in punitive damages—and nearly half a million in compensatory damages—to WhatsApp for its role in a 2019 cyberattack that targeted more than 1,400 users through a vulnerability in the app’s audio calling feature.
The case stems from a lawsuit filed in October 2019 by WhatsApp, which accused NSO of using its servers to deliver spyware to journalists, dissidents, and human rights defenders across the globe. The malware campaign exploited a now-patched vulnerability to install NSO’s Pegasus spyware, even if the recipient didn’t answer the call.
On Tuesday, the jury awarded $167,254,000 in punitive damages and $444,719 in compensatory damages—close to what WhatsApp had requested for the costs of incident response, patch development, and user protection.
“This ruling is an important step forward for privacy and security,” said WhatsApp spokesperson Zade Alsawah. “Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry.”
NSO Group said it is considering its legal options. “We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal,” said spokesperson Gil Lainer.
Broader Impact on the Spyware Industry
The decision follows a December 2024 ruling by Judge Phyllis Hamilton, who found NSO Group liable for violating the Computer Fraud and Abuse Act (CFAA), California’s Comprehensive Computer Data Access and Fraud Act, and WhatsApp’s own terms of service. That ruling cleared the way for this week’s jury trial on damages.
Will Cathcart, head of WhatsApp, has long positioned the case as a pivotal battle for user privacy. In a 2019 op-ed in The Washington Post, he called the lawsuit a “wake-up call” about how commercial surveillance tools are being misused by governments to target civil society.
“This should serve as a wake-up call for technology companies, governments and all internet users,” Cathcart wrote. “Tools that enable surveillance into our private lives are being abused.”
John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab who has extensively investigated NSO Group, said the ruling sends a strong message.
“NSO makes many millions helping dictators hack people. After years of delay tactics, it only took the jury a day’s deliberation to see through it,” he told TechCrunch. “Aside from the huge punitive damages, the bigger impact is the blow to NSO’s efforts to hide their business activities.”
A Precedent-Setting Case
The verdict marks the first time a spyware vendor has been successfully sued by a U.S. tech company for targeting its users. It’s also a rare instance where a court has awarded significant financial damages in a cyber intrusion case—one that many privacy advocates hope will be a turning point for accountability in the surveillance-for-hire industry.
Whether NSO Group follows through with an appeal remains to be seen, but the case has already reshaped the conversation around private spyware use and the responsibilities of those who develop and sell these tools.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Netizen Blog and News 
You must be logged in to post a comment.