Threat intelligence for May 2025 highlights 77 new vulnerabilities, five active exploits, and increased ransomware activity; critical issues such as CVE-2025-29813 (Azure DevOps Server) and CVE-2025-30386 (Microsoft Office) require urgent remediation. Ransomware groups such as Safepay and Devman, active exploitation of CISA-listed CVEs, and frequent malware submissions (e.g., Berbew) underscore the need for prioritized patching, asset discovery, and threat-informed defenses. #CVE-2025-29813 #CVE-2025-30386 #Safepay #Devman #Berbew
Keypoints
- Seventy-seven new vulnerabilities were reported in May 2025, including multiple critical flaws across Microsoft, Cisco, Apple, Google, SAP, and VMware.
- CVE-2025-29813 (Azure DevOps Server) carries a CVSS score of 10.0 and is prioritized because of its privilege-escalation risk; CVE-2025-30386 in Microsoft Office is flagged as highly likely to be exploited.
- Five ransomware groups (Safepay, Qilin, Play, Akira, and Devman) dominated activity; Safepay conducted 70+ attacks in May and avoids Russian-speaking targets.
- CISA’s Known Exploited Vulnerabilities Catalog lists actively exploited issues such as CVE-2024-38475 (Apache HTTP Server), CVE-2023-44221 (SonicWall), and CVE-2025-20188 (Cisco IOS XE).
- Malware sandbox submissions frequently included Berbew (a credential-stealing backdoor) along with the Nimzod, Systex, VB, and Autoruns families, which are used for persistence and lateral movement.
- Recommended practices: prioritize exploited CVEs using threat intelligence, continuous asset discovery, segmentation and MFA for exposed services, and automated patch/config management.
- Organizations should measure exposure metrics (MTTR, unpatched high-risk assets) and simulate exploitation paths to guide remediation priorities.
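As an added example of how the last two recommendations can be operationalized (this is not code from the LevelBlue post or its tooling), the Python below cross-references a constructed asset inventory against a constructed sample in the shape of CISA's KEV JSON feed, orders open findings so that exploited and internet-exposed issues come first, and computes MTTR and an unpatched high-risk list. The asset names, first-seen and fix dates, KEV due dates and the `exposed` flags are assumptions made for illustration; the CVSS figures are indicative only and should be taken from your scanner or NVD in practice.

```python
"""Threat-informed patch prioritization and exposure metrics.

Added example: cross-reference open CVEs against CISA's Known Exploited
Vulnerabilities (KEV) catalog and compute MTTR / unpatched-high-risk metrics.
"""
import json
from datetime import date

# Constructed sample with the field names of CISA's KEV JSON feed (the real feed
# is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Dates and products here are illustrative, not a copy of the live catalog.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2024-38475", "vendorProject": "Apache", "product": "HTTP Server",
     "dateAdded": "2025-05-01", "dueDate": "2025-05-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-44221", "vendorProject": "SonicWall", "product": "SMA100 Appliances",
     "dateAdded": "2025-05-01", "dueDate": "2025-05-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-20188", "vendorProject": "Cisco", "product": "IOS XE",
     "dateAdded": "2025-05-19", "dueDate": "2025-06-09", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed asset inventory: one row per (asset, CVE) finding. "exposed" marks
# internet-facing services; "fixed" is None while the finding is still open.
ASSETS = [
    {"asset": "web-proxy-01",  "cve": "CVE-2024-38475", "cvss": 9.1,  "exposed": True,  "first_seen": "2025-05-02", "fixed": "2025-05-10"},
    {"asset": "vpn-sma-01",    "cve": "CVE-2023-44221", "cvss": 7.2,  "exposed": True,  "first_seen": "2025-05-02", "fixed": None},
    {"asset": "wlc-core-01",   "cve": "CVE-2025-20188", "cvss": 10.0, "exposed": False, "first_seen": "2025-05-20", "fixed": None},
    {"asset": "devops-01",     "cve": "CVE-2025-29813", "cvss": 10.0, "exposed": False, "first_seen": "2025-05-14", "fixed": "2025-05-16"},
    {"asset": "ws-finance-07", "cve": "CVE-2025-30386", "cvss": 8.4,  "exposed": False, "first_seen": "2025-05-14", "fixed": None},
]


def load_kev(kev_json: str) -> dict:
    """Index KEV entries by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def priority_key(finding: dict, kev: dict) -> tuple:
    """Sort key (lower sorts first): KEV-listed, then ransomware-linked, then
    internet-exposed, then higher CVSS, then earliest KEV due date. Exploitation
    evidence and exposure outrank raw severity, so a KEV-listed 7.2 on a VPN
    edge device is worked before an internal 10.0 nobody is known to exploit."""
    entry = kev.get(finding["cve"])
    in_kev = entry is not None
    ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
    due = entry["dueDate"] if in_kev else "9999-12-31"
    return (not in_kev, not ransomware, not finding["exposed"], -finding["cvss"], due)


def prioritize(findings: list, kev: dict) -> list:
    """Open findings in the order they should be remediated."""
    open_findings = [f for f in findings if f["fixed"] is None]
    return sorted(open_findings, key=lambda f: priority_key(f, kev))


def mttr_days(findings: list):
    """Mean time to remediate in days over findings that have been fixed; None if none fixed."""
    fixed = [f for f in findings if f["fixed"] is not None]
    if not fixed:
        return None
    total = sum((date.fromisoformat(f["fixed"]) - date.fromisoformat(f["first_seen"])).days
                for f in fixed)
    return total / len(fixed)


def unpatched_high_risk(findings: list, kev: dict, as_of: str) -> list:
    """Open findings that are KEV-listed or CVSS >= 9.0, annotated with days open
    and whether the KEV remediation due date has already passed as of `as_of`."""
    today = date.fromisoformat(as_of)
    report = []
    for f in findings:
        if f["fixed"] is not None:
            continue
        entry = kev.get(f["cve"])
        if entry is None and f["cvss"] < 9.0:
            continue
        days_open = (today - date.fromisoformat(f["first_seen"])).days
        overdue = entry is not None and today > date.fromisoformat(entry["dueDate"])
        report.append({**f, "days_open": days_open, "kev_overdue": overdue})
    return report


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print("Remediation order:")
    for f in prioritize(ASSETS, kev):
        tag = "KEV" if f["cve"] in kev else "   "
        print(f"  {tag} {f['asset']:<14} {f['cve']:<15} CVSS {f['cvss']:>4}  exposed={f['exposed']}")
    print(f"MTTR (days): {mttr_days(ASSETS)}")
    for h in unpatched_high_risk(ASSETS, kev, "2025-05-31"):
        print(f"  OPEN {h['asset']:<14} {h['cve']:<15} {h['days_open']:>3}d open  kev_overdue={h['kev_overdue']}")
```

In production the KEV sample is replaced by a scheduled download of the live feed and `ASSETS` by an export from the vulnerability scanner or CMDB; the `exposed` flag is the piece most often missing from scanner data and is exactly what continuous asset discovery is meant to supply.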
Read more: https://levelblue.com/blogs/security-essentials/cybersecurity-consulting-and-ransomware-updates-may