A vulnerability with a perfect CVSS score of 10.0 has been discovered in Apache Tika, a toolkit used for detecting and extracting metadata from various file types. The flaw allows attackers to trigger XML External Entity (XXE) injections in core parsing modules.
Business impact
This vulnerability allows attackers to read sensitive files on the server or execute remote code, potentially compromising any application that processes user-uploaded documents; this creates severe liability for data privacy breaches.
Recommended action
Ask your Development team: "Do any of our applications use Apache Tika for document processing, and have we upgraded to the patched version to mitigate CVE-2025-66516?"
CISA has added a critical vulnerability in React Server Components to its Known Exploited Vulnerabilities catalog following confirmed active attacks. This flaw allows attackers to execute remote code on servers running vulnerable versions of React, a widely used web framework.
Business impact
If exploited, attackers gain full control over web servers, leading to immediate data theft, service disruption, and potential lateral movement into the internal network; for public companies, this mandates immediate disclosure under SEC rules.
Recommended action
Ask your IT team: "Have we identified all public-facing applications using React Server Components, and have we applied the patch for CVE-2025-55182 immediately as required by CISA?"
Chinese state-backed actors are deploying a new backdoor malware dubbed BRICKSTORM to maintain long-term access to critical infrastructure. The campaign specifically targets VMware environments to exfiltrate credentials and evade detection.
Business impact
A successful compromise could lead to long-term espionage, intellectual property theft, or operational sabotage of critical systems, resulting in national security implications and massive remediation costs.
Recommended action
Ask your SOC team: "Are we monitoring our VMware environments for the specific indicators of compromise associated with the BRICKSTORM malware campaign?"
Researchers have identified new prompt injection vectors in the Model Context Protocol (MCP), which connects LLM applications to external data. These flaws allow attackers to manipulate AI behavior through malicious sampling techniques.
Business impact
Exploitation could cause AI agents to leak proprietary data or execute unauthorized actions, undermining trust in AI initiatives and potentially violating data protection regulations.
Recommended action
Ask your AI Engineering team: "Are we using the Model Context Protocol in our LLM applications, and have we implemented strict input validation to prevent prompt injection attacks?"
The Indian government has retracted a mandate that would have required citizens to install a specific cybersecurity app, following significant backlash over surveillance and privacy concerns. This highlights the tension between national security initiatives and individual privacy rights.
Business impact
For global companies operating in India, this signals a volatile regulatory environment regarding digital privacy and mandatory software, requiring close monitoring of local compliance requirements.
Recommended action
Ask your Legal/Compliance team: "How does the rollback of the India app mandate affect our employee device policies for staff located in India?"
The integration of agentic AI tools into software development pipelines is introducing new supply chain risks. These tools can inadvertently introduce untrusted or malicious content into workflows, which is then treated as trusted code.
Business impact
Malicious code introduced by AI agents could bypass standard security reviews, leading to compromised software releases and downstream attacks on customers.
Recommended action
Ask your DevOps team: "Do we have a verification process for code generated or modified by AI agents before it enters our production codebase?"
CVE: n/a | Compliance: General Enterprise | Source: CyberScoop
U.S. Senators are reviving bipartisan legislation to overhaul healthcare cybersecurity, focusing on updated regulations, grants, and clearer federal roles. This indicates impending regulatory tightening for the healthcare sector.
New U.S. security strategy documents signal a shift in diplomatic posture, casting European allies in a more adversarial light while deprioritizing Russia as a primary villain. This geopolitical shift could impact international data sharing agreements and cross-border cyber cooperation.
Spotlight Rationale: With the Brickstorm malware targeting critical infrastructure and React2Shell exploiting web components, email remains a critical initial access vector. Microsoft's recognition as a Leader in the 2025 Gartner Magic Quadrant for Email Security highlights its relevance in defending against these complex entry points.
Microsoft Defender for Office 365 has been recognized for its innovative capabilities in addressing complex email security challenges. By integrating threat intelligence across the Microsoft ecosystem, it provides defense-in-depth against phishing campaigns that often serve as the delivery mechanism for threats like Brickstorm and credential theft operations.
Actionable Platform Guidance: Organizations using Defender for Office 365 should immediately operationalize "Preset Security Policies" to enforce recommended baselines and use the Configuration Analyzer to identify deviations from best practices.
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Microsoft Defender for Office 365
# GUIDANCE: Operationalize Microsoft Defender for Office 365 (Plan 1/2)
# BASED ON: Microsoft 2025 Gartner Leader Announcement & Best Practices
# IMMEDIATE ACTIONS
1. Enable "Preset Security Policies":
- Navigate to Microsoft 365 Defender Portal > Email & Collaboration > Policies & Rules > Threat Policies > Preset Security Policies.
- Enable "Standard protection" for most users and "Strict protection" for high-value targets (executives, admins).
2. Review "Priority Account Protection":
- Ensure your C-suite and critical staff are tagged as Priority Accounts to apply enhanced heuristics and visibility.
3. Configure "User Submission Settings":
- Ensure the "Report Message" add-in is deployed so users can report suspicious emails directly to Microsoft for analysis, feeding the feedback loop.
# VERIFICATION STEPS
1. Run "Configuration Analyzer":
- Use the Configuration Analyzer tool within Threat Policies to compare your current settings against Microsoft's recommended Standard and Strict baselines.
2. Check "Threat Protection Status":
- Review the Threat Protection Status report to confirm that the new policies are actively filtering malicious emails and attachments.
2. YARA Rule for Brickstorm/VMware Backdoor Indicators
3. SIEM Query — Apache Tika XXE Attempt (CVE-2025-66516)
index=security (sourcetype="web_server_logs" OR sourcetype="application_logs")
(uri="*tika*" OR app="apache-tika") AND (status=500 OR status=400)
| rex field=_raw "(?<xml_error>XML parser error|External Entity|DOCTYPE)"
| eval risk_score=case(
    isnotnull(xml_error), 100,
    status==500, 50,
    1==1, 0)
| where risk_score >= 50
| table _time, src_ip, dest_ip, uri, xml_error, risk_score
| sort -_time
4. PowerShell Script — Check for React Server Components Usage
# Web roots to search; adjust to match your hosts.
$paths = @("C:\Inetpub\wwwroot", "D:\WebApps")
# Package name that indicates React Server Components usage.
$vulnerablePattern = "react-server-dom-webpack"
foreach ($path in $paths) {
    if (Test-Path $path) {
        # Check every package.json under the root for the package name.
        Get-ChildItem -Path $path -Recurse -Filter "package.json" -ErrorAction SilentlyContinue | ForEach-Object {
            $content = Get-Content $_.FullName -Raw
            if ($content -match $vulnerablePattern) {
                Write-Host "[ALERT] Potential React Server Components usage found in: $($_.FullName)" -ForegroundColor Red
                Write-Host "Action: Verify version against CVE-2025-55182" -ForegroundColor Yellow
            }
        }
    }
}
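An added example (not part of the original newsletter) that extends the check above: it parses each package.json instead of substring-matching it, and reports the installed or declared version so the result can be compared against the vendor advisory for CVE-2025-55182. The function name Get-RscPackageInventory is hypothetical, and the react-server-dom-parcel and react-server-dom-turbopack package names are an assumption beyond the one package the page names.

```powershell
# Added example, not from the original newsletter.
# Web roots copied from the page's script; adjust to match your hosts.
$roots = @("C:\Inetpub\wwwroot", "D:\WebApps")
# react-server-dom-webpack is the package the page names; the parcel and
# turbopack siblings are an assumption added for this example.
$packages = @("react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack")

# Hypothetical helper: emits one object per installed copy or declared dependency.
function Get-RscPackageInventory {
    param([string[]]$Roots, [string[]]$Packages)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Filter "package.json" -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_
                try {
                    $manifest = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop |
                        ConvertFrom-Json -ErrorAction Stop
                } catch {
                    Write-Warning "Skipping unreadable manifest: $($file.FullName)"
                    return  # acts like 'continue' inside ForEach-Object
                }
                foreach ($pkg in $Packages) {
                    # Case 1: the package's own manifest (under node_modules) gives the exact installed version.
                    if ($manifest.name -eq $pkg) {
                        [pscustomobject]@{ Package = $pkg; Kind = "installed"; Version = $manifest.version; Path = $file.FullName }
                    }
                    # Case 2: an application manifest that declares the package gives a version range.
                    foreach ($section in "dependencies", "devDependencies") {
                        $range = $manifest.$section.$pkg
                        if ($range) {
                            [pscustomobject]@{ Package = $pkg; Kind = "declared ($section)"; Version = $range; Path = $file.FullName }
                        }
                    }
                }
            }
    }
}

Get-RscPackageInventory -Roots $roots -Packages $packages |
    Sort-Object Package, Kind, Path |
    Format-Table Package, Kind, Version, Path -AutoSize -Wrap
```

Rows marked "installed" carry the exact version on disk; rows marked "declared" show only the range the application requests, so the resolved version still needs to be confirmed.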
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!