Lots of critical patches for Fortinet, Microsoft, Apple and Adobe, an update on the M&S cyber attack and Dior targeted...
Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all in one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
Fortinet Releases Multiple Security Advisories
Fortinet has released security advisories addressing two critical vulnerabilities: one in FortiOS, FortiProxy and FortiSwitchManager, and one, already exploited in the wild, in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera. Affected versions:
- Fortinet FortiOS – 7.6.0, 7.4.4 through 7.4.6
- Fortinet FortiProxy – 7.6.0 through 7.6.1
- Fortinet FortiSwitch Manager – 7.2.5
- FortiCamera – all versions, 2.0 all versions, 2.1.0 through 2.1.3
- FortiRecorder – 6.4.0 through 6.4.5, 7.0.0 through 7.0.5, 7.2.0 through 7.2.3
- FortiMail – 7.0.0 through 7.0.8, 7.2.0 through 7.2.7, 7.4.0 through 7.4.4, 7.6.0 through 7.6.2
- FortiNDR – 1.1 all versions, 1.2 all versions, 1.3 all versions, 1.4 all versions, 1.5 all versions, 7.0.0 through 7.0.6, 7.1 all versions, 7.2.0 through 7.2.4, 7.4.0 through 7.4.7, 7.6.0
- FortiVoice – 6.4.0 through 6.4.10, 7.0.0 through 7.0.6, 7.2.0
CVE-2025-32756 is a stack-based buffer overflow (CVSSv3 9.6) in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera. A remote, unauthenticated attacker can trigger it with crafted HTTP requests to execute arbitrary code or commands. Fortinet reports that it has been exploited in the wild against FortiVoice; its advisory includes indicators of compromise to check for, and lists disabling the HTTP/HTTPS administrative interface as an interim workaround. CVE-2025-22252 is a missing authentication for critical function vulnerability (CVSSv3 9.0) in FortiOS, FortiProxy and FortiSwitchManager. It applies only to devices that authenticate administrators against a remote TACACS+ server configured for ASCII authentication; on those devices an attacker who knows an existing administrator account name can bypass authentication and access the device as that administrator. Deployments using PAP, MSCHAP or CHAP for TACACS+ are not affected, and switching to one of those methods is Fortinet’s listed workaround until the upgrade is applied. Affected organisations are encouraged to review Fortinet’s security advisories and apply the relevant updates as soon as practicable.
Microsoft Releases May 2025 Security Updates
Microsoft has released security updates addressing 72 vulnerabilities across its products, six rated critical and 66 rated important. Five of them are zero-day vulnerabilities that Microsoft reports were under active exploitation at the time of release:
- CVE-2025-30400 – Microsoft DWM Core Library Elevation of Privilege Vulnerability
- CVE-2025-32701 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
- CVE-2025-32706 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
- CVE-2025-32709 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
- CVE-2025-30397 – Scripting Engine Memory Corruption Vulnerability
The May 2025 Patch Tuesday release also includes fixes for vulnerabilities in Windows Routing and Remote Access Service (RRAS), Windows Virtual Machine Bus, Windows Installer, Windows drivers, Windows File Server, Azure, Win32K (GRFX), the Microsoft Scripting Engine and more, covering spoofing, denial of service (DoS), elevation of privilege (EoP), information disclosure and remote code execution (RCE). Four of the five exploited bugs are local elevation-of-privilege flaws in Windows components (DWM, CLFS and AFD.sys), the kind an attacker chains after already gaining code execution on a host, so they matter on every endpoint and server, not only on internet-facing systems. The fifth, CVE-2025-30397, is a memory corruption bug in the JScript scripting engine reachable from crafted web content, for example a page opened in Microsoft Edge’s Internet Explorer mode. The release notes cover multiple product families and versions, so affected organisations are encouraged to review Microsoft’s May 2025 Security Updates and apply the relevant updates as soon as practicable.
Cyber Attacks
M&S says customer data stolen in cyberattack, forces password resets
Marks and Spencer (M&S) has confirmed that customer data was stolen in last month’s cyberattack, in which ransomware was used to encrypt servers. The attack, disclosed on 22nd April 2025, significantly disrupted operations across the retailer’s 1,400 stores and forced it to stop accepting online orders.
The attack was carried out by DragonForce ransomware affiliates using Scattered Spider social engineering tactics to breach Marks and Spencer’s network. During the attack, the threat actors encrypted VMware ESXi virtual machines hosted on the company’s servers. Since then, M&S has been investigating the attack and has confirmed that the intruders stole sensitive personal information belonging to customers. This was announced by M&S CEO Stuart Machin, who posted a letter on the retailer’s official Facebook page. “As we continue to manage the current cyber incident, we have written to customers today to let them know that unfortunately, some personal customer information has been taken,” states Machin. “Importantly, there is no evidence that the information has been shared, and it does not include usable card or payment details, or account passwords, so there is no need for customers to take any action”.
Despite these assurances, all customers with active M&S accounts will be prompted to reset their password the next time they log in via the website or app. M&S said it would notify all impacted customers and promised to share more details as they become available. Even without passwords or card data, stolen names, contact details and order history are enough to build convincing phishing messages, so customers should treat unsolicited emails, texts or calls that reference the incident, or that ask them to “verify” an account, with suspicion.
Fashion giant Dior discloses cyberattack, warns of data breach
House of Dior, the French luxury fashion brand commonly referred to as Dior, has disclosed a cybersecurity incident that has exposed customer information. A spokesperson for the firm said that the incident impacts Dior Fashion and Accessories customers. Currently, cybersecurity experts are investigating the incident to determine its scope. “The House of Dior recently discovered that an unauthorized external party accessed some of the data we hold for our Dior Fashion and Accessories customers,” stated the spokesperson. “We immediately took steps to contain this incident. The teams at Dior, supported by leading cybersecurity experts, continue to investigate and respond to the incident”.
Dior clarified that the incident did not expose account passwords or payment card information, as these were stored in a different database that remained unaffected. “No passwords or payment information, including bank account or payment card information, were in the database affected in the incident. We are working to notify relevant regulators and customers in line with applicable law. The confidentiality and security of our customers’ data is an absolute priority for the House of Dior. We sincerely regret any concern or inconvenience this matter may cause our customers”.
Although Dior did not specify the number of customers or the regions impacted, a notification confirms that its South Korean website was affected, and there are also reports of Chinese customers receiving data breach notifications from the fashion house. According to screenshots of the notices shared online, the incident was discovered on 7th May, involved unauthorised access, and exposed information such as full name, gender, phone number, email address, postal address and purchase history.
In Other News...
Apple Releases Security Updates for Multiple Products
Apple has released nine security advisories to address multiple vulnerabilities in iOS, iPadOS, macOS Ventura, macOS Sonoma, macOS Sequoia, watchOS, tvOS, visionOS and Safari.
- iOS – all prior to 18.5
- iPadOS – all prior to 18.5
- macOS Sequoia – all prior to 15.5
- macOS Sonoma – all prior to 14.7.6
- macOS Ventura – all prior to 13.7.6
- watchOS – all prior to 11.5
- tvOS – all prior to 18.5
- visionOS – all prior to 2.5
- Safari – all prior to 18.5
Apple has released software updates to address multiple security vulnerabilities that could lead to memory corruption or privilege escalation. CVE-2025-31219 is a memory handling vulnerability in the kernel that could allow an app to cause unexpected system termination or corrupt kernel memory. CVE-2025-31223 and CVE-2025-31238 are WebKit vulnerabilities that may lead to memory corruption when processing maliciously crafted web content; the Safari 18.5 release carries these fixes to the older macOS versions. CVE-2025-31222 is a correctness issue in mDNSResponder that may allow an attacker to elevate privileges. Affected organisations are encouraged to review Apple security releases and apply the relevant updates.
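Vendor advisories like the Fortinet and Apple ones above express affected versions in prose (“7.4.4 through 7.4.6”, “7.1 all versions”, “all prior to 18.5”), and the first practical task is to check an inventory against them. The following Python script is an added example, not code from this newsletter, Fortinet or Apple: it turns those phrases into range checks and runs a constructed inventory through them. The ADVISORIES table copies the phrases from the two lists above; the hostnames and running versions in SAMPLE_INVENTORY are made up for illustration.

```python
import re

# Affected-version phrases as printed in the vendor advisories quoted in the
# newsletter (Fortinet: CVE-2025-22252 and CVE-2025-32756; Apple: May 2025
# releases).  Each value is the vendor's comma-separated phrase list verbatim.
ADVISORIES = {
    "CVE-2025-22252": {
        "FortiOS": "7.6.0, 7.4.4 through 7.4.6",
        "FortiProxy": "7.6.0 through 7.6.1",
        "FortiSwitchManager": "7.2.5",
    },
    "CVE-2025-32756": {
        "FortiNDR": "1.1 all versions, 1.2 all versions, 1.3 all versions, "
                    "1.4 all versions, 1.5 all versions, 7.0.0 through 7.0.6, "
                    "7.1 all versions, 7.2.0 through 7.2.4, 7.4.0 through 7.4.7, 7.6.0",
        "FortiMail": "7.0.0 through 7.0.8, 7.2.0 through 7.2.7, "
                     "7.4.0 through 7.4.4, 7.6.0 through 7.6.2",
        "FortiVoice": "6.4.0 through 6.4.10, 7.0.0 through 7.0.6, 7.2.0",
    },
    "Apple 2025-05": {
        "iOS": "all prior to 18.5",
        "macOS Sequoia": "all prior to 15.5",
        "macOS Sonoma": "all prior to 14.7.6",
    },
}

_VER = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text):
    """Extract the dotted numeric version from strings such as '7.4.5',
    'v7.4.5,build2829' or '18.4.1' and return it as a tuple of ints so that
    Python's tuple ordering gives correct version ordering."""
    m = _VER.search(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def phrase_matches(phrase, version):
    """Decide whether one vendor range phrase covers a parsed version tuple."""
    phrase = phrase.strip().lower()
    if phrase == "all versions":
        return True
    if phrase.startswith("all prior to "):
        return version < parse_version(phrase[len("all prior to "):])
    if phrase.endswith(" all versions"):
        # '7.1 all versions' means every release on the 7.1 branch: prefix match
        branch = parse_version(phrase[: -len(" all versions")])
        return version[: len(branch)] == branch
    if " through " in phrase:
        lo, hi = (parse_version(p) for p in phrase.split(" through ", 1))
        return lo <= version <= hi
    return version == parse_version(phrase)   # a single listed release


def is_affected(advisory, product, version_text):
    """True if version_text falls inside any phrase the advisory lists for product."""
    phrases = ADVISORIES[advisory][product].split(",")
    version = parse_version(version_text)
    return any(phrase_matches(p, version) for p in phrases)


def check_inventory(inventory):
    """inventory: iterable of (hostname, product, version_text).
    Returns a list of (hostname, advisory) for every advisory whose affected
    range contains the host's running version."""
    findings = []
    for host, product, version_text in inventory:
        for advisory, products in ADVISORIES.items():
            if product in products and is_affected(advisory, product, version_text):
                findings.append((host, advisory))
    return findings


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.4.5,build2829"),
    ("fw-edge-02", "FortiOS", "7.4.7"),
    ("mail-01", "FortiMail", "7.6.2"),
    ("ndr-01", "FortiNDR", "7.1.3"),
    ("ceo-iphone", "iOS", "18.4.1"),
    ("mac-build", "macOS Sequoia", "15.5"),
]

if __name__ == "__main__":
    for host, advisory in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: affected by {advisory}")
```

The comparison is deliberately strict about the phrase forms the vendors actually use: “through” is inclusive at both ends, “all versions” after a two-part number is a branch prefix match, and “all prior to” is a plain less-than, so a host already on the fixed release is not flagged. Four-part build numbers and vendor suffixes such as “build2829” are stripped before comparison, which is the right call for a first pass but means a hotfix build that differs only in the fourth component is treated as its base release.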
Adobe Patches Big Batch of Critical-Severity Software Flaws
Adobe has released patches for at least 39 vulnerabilities across a range of products, warning that successful exploitation of several of them may lead to privilege escalation and arbitrary code execution.
The Patch Tuesday rollout is headlined by a major Adobe ColdFusion update that addresses a wide range of code execution and privilege escalation issues. The ColdFusion bulletin documents seven distinct vulnerabilities rated ‘critical’, and Adobe warned that these could lead to arbitrary file system read, arbitrary code execution and privilege escalation; the most severe carry a CVSS score of 9.1/10. ColdFusion servers are frequently internet-facing and have a long history of being targeted once patches are public, so this update should be treated as the priority in the batch. The widely deployed Adobe Photoshop was also updated to fix three critical-severity bugs with code execution risks, and the company flagged a critical bug in Adobe Illustrator that should be patched urgently.
The company also fixed critical code execution software defects in Adobe Lightroom, Adobe Dreamweaver, Adobe Connect and Adobe InDesign and confirmed that successful exploitation could lead to arbitrary code execution and application denial-of-service attacks. The company also flagged critical-severity bugs in Adobe Substance 3D Painter, Adobe Bridge and Adobe Dimension. The Adobe patches landed on the same day Microsoft called attention to five zero-days being exploited in the wild.
