Weekly security intelligence digest covering the most critical vulnerabilities, threats, and breach news from the past week.


🚨 Critical: CISA Known Exploited Vulnerabilities

These vulnerabilities are being actively exploited in the wild. Immediate action required.

CVE-2025-32432: Craft CMS Code Injection Vulnerability

Vendor/Product: Craft CMS Craft CMS

Description: Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-04-03

Reference: CVE-2025-32432 - NVD


CVE-2025-54068: Laravel Livewire Code Injection Vulnerability

Vendor/Product: Laravel Livewire

Description: Laravel Livewire contains a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-04-03

Reference: CVE-2025-54068 - NVD


CVE-2025-43510: Apple Multiple Products Improper Locking Vulnerability

Vendor/Product: Apple Multiple Products

Description: Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability that could allow a malicious application to cause unexpected changes in memory shared between processes.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-04-03

Reference: CVE-2025-43510 - NVD


CVE-2025-43520: Apple Multiple Products Classic Buffer Overflow Vulnerability

Vendor/Product: Apple Multiple Products

Description: Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain a classic buffer overflow vulnerability which could allow a malicious application to cause unexpected system termination or write kernel memory.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-04-03

Reference: CVE-2025-43520 - NVD


CVE-2025-31277: Apple Multiple Products Buffer Overflow Vulnerability

Vendor/Product: Apple Multiple Products

Description: Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web content which may lead to memory corruption.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA Due Date: 2026-04-03

Reference: CVE-2025-31277 - NVD


📰 This Week’s Security News

FBI warns of Handala hackers using Telegram in malware attacks

The U.S. Federal Bureau of Investigation (FBI) warned network defenders that Iranian hackers linked to the country’s Ministry of Intelligence and Security (MOIS) are using Telegram in malware attacks…

Read more: FBI warns of Handala hackers using Telegram in malware attacks


CISA orders feds to patch DarkSword iOS flaws exploited in attacks

CISA ordered U.S. government agencies to patch three iOS vulnerabilities targeted in cryptocurrency theft and cyberespionage attacks using the DarkSword exploit kit…

Read more: CISA orders feds to patch DarkSword iOS flaws exploited in attacks


Trivy vulnerability scanner breach pushed infostealer via GitHub Actions

The Trivy vulnerability scanner was compromised in a supply-chain attack by threat actors known as TeamPCP, which distributed credential-stealing malware through official releases and GitHub Actions.

Read more: Trivy vulnerability scanner breach pushed infostealer via GitHub Actions


✅ What You Should Do This Week

  • Immediate: Patch CVE-2025-32432, CVE-2025-54068 (actively exploited)
  • Verify: Check your systems against CISA KEV catalog
  • Monitor: Review Azure AD sign-in logs for suspicious activity
  • Audit: Verify MFA is enforced for all privileged accounts
  • Backup: Test your disaster recovery procedures


💡 Expert Analysis

Let’s talk about what’s actually happening this week and why it matters.

The Trivy Breach: When Your Security Tools Attack You

The Trivy vulnerability scanner was compromised this week in a supply-chain attack. Threat actors (TeamPCP) pushed an infostealer straight through official releases and GitHub Actions.

Translation: The exact tool you use to find malware in your code just installed malware in your code.

Here’s what makes this scary:

When I was running data engineering for a pension fund, we spent millions building out “secure” automated pipelines. But the uncomfortable truth is that most organizations give their CI/CD pipelines god-mode access to absolutely everything.

We blindly pull the latest tag from GitHub Actions or official Docker images because we don’t want to deal with broken builds when dependencies update.

But here’s the problem nobody talks about:

If you give a pipeline write access to your cloud environment, and that pipeline blindly downloads a compromised security scanner, you don’t just have a breached repository. You have a breached cloud environment. The attackers didn’t need to steal your developers’ credentials; you literally invited them in and handed them an automated deployment token.

Questions you should be asking:

  • Do our GitHub Actions pull the latest version or a pinned commit hash?
  • What permissions does our vulnerability scanner actually run with?
  • If our CI/CD pipeline gets poisoned today, what’s the blast radius?

If your answer to that last one is “everything,” you have a massive problem.
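The first question above can be answered mechanically. The checker below is an added example, not code from the digest or from the Trivy project: it scans a GitHub Actions workflow for `uses:` references and reports which ones float on a mutable tag or branch instead of a full commit SHA, and whether the workflow sets a top-level `permissions:` block. The sample workflow and the 40-zero SHA are constructed placeholders.

```python
import re

# Constructed sample workflow. The all-zero SHA is a placeholder, not a real
# aquasecurity/trivy-action commit; in production you would pin the audited commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0000000000000000000000000000000000000000  # vX.Y.Z placeholder
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify(ref: str) -> str:
    """Classify how a single `uses:` reference is pinned."""
    if ref.startswith('./'):
        return 'local'            # lives in this repo; reviewed with the rest of the code
    if ref.startswith('docker://'):
        # Image tags (alpine:3.19) can be re-pushed; only a digest is immutable.
        return 'sha' if '@sha256:' in ref else 'mutable'
    _action, _, version = ref.partition('@')
    if not version:
        return 'unpinned'         # no ref at all: resolves to the default branch
    # Tags like v4 and branches like master can be moved to point at new code.
    return 'sha' if SHA_RE.match(version) else 'mutable'


def audit_workflow(text: str) -> dict:
    """Map every `uses:` reference in a workflow file to its pin classification."""
    findings = {}
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            findings[m.group(1)] = classify(m.group(1))
    return findings


def risky_refs(findings: dict) -> list:
    """References that would silently pull new code on the next run."""
    return sorted(r for r, kind in findings.items() if kind in ('mutable', 'unpinned'))


def has_top_level_permissions(text: str) -> bool:
    """True if the workflow declares a top-level permissions: block (least privilege for GITHUB_TOKEN)."""
    return any(line.startswith('permissions:') for line in text.splitlines())
```

Run it over every file under `.github/workflows/` and treat any non-empty `risky_refs` result, or a missing `permissions:` block, as a finding.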

The Apple Zero-Days: The Attack Surface You Can’t Say No To

We’ve got a massive batch of memory corruption and classic buffer overflow vulnerabilities (CVE-2025-43510, CVE-2025-43520) hitting iOS, macOS, and iPadOS this week. CISA is ordering federal agencies to patch immediately because hackers are actively using these flaws via the DarkSword exploit kit for cryptocurrency theft and cyberespionage.

Let’s be clear about what this means:

Attackers are exploiting these in the wild. If someone texts a malicious link to your CFO’s unpatched iPhone and they click it, the attacker can write to kernel memory. Game over.

The risk for financial services:

Securing mobile devices is easily the most politically radioactive part of this job. IT will ruthlessly lock down a junior analyst’s laptop, but when a Managing Director refuses to update their iPad because “it changes the interface,” IT caves.

I once had a C-level executive literally yell at me because a forced MDM reboot happened while he was checking Asian markets at 3 AM.

You cannot secure an environment if the people with the most access have the least restrictions.

Mobile Patching: The Uncomfortable Reality

Let’s talk about what you can actually do about these Apple vulnerabilities.

Option 1: Tell users to update their phones

Pros: Easy, makes HR happy.
Cons: They absolutely will not do it.

Option 2: Force reboots via MDM

Pros: The patch gets installed.
Cons: Executives will scream at you when their phone restarts mid-call.

Option 3: Use Azure Conditional Access

Pros: Actually works. Makes it an identity problem, not a device problem.
Cons: Spikes your helpdesk tickets for 48 hours.

Option 4: Make VIP exceptions

Pros: No executives yell at you today.
Cons: You end up in the news tomorrow.

My recommendation: Go with Option 3.

Tie Entra ID directly to device compliance. Oh, you don’t want to install the critical iOS update? That’s totally fine, it’s your personal device. But you can’t read your corporate email, log into Teams, or access any sensitive data until you do. Deal with the complaints. It’s better than explaining to the board why DarkSword drained a hot wallet.
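Option 3 as a concrete Microsoft Graph policy body, added here as an example rather than the author's own configuration: it requires a compliant device for all users on iOS (which covers iPadOS in Conditional Access) and macOS across all cloud apps, starts in report-only mode so the sign-in logs show the helpdesk impact before enforcement, and excludes a break-glass account. The minimum OS version itself is set in the Intune device compliance policy (`osMinimumVersion`), not here; the break-glass object ID is a constructed placeholder and nothing is posted to Graph.

```python
import json

# Constructed placeholder for an emergency-access ("break-glass") account object ID.
BREAK_GLASS_ACCOUNT_ID = "00000000-0000-0000-0000-000000000001"


def build_compliant_device_policy(break_glass_ids, report_only=True):
    """Body for POST /identity/conditionalAccess/policies (conditionalAccessPolicy).

    The Intune compliance policy (with osMinimumVersion for iOS/macOS) decides what
    'compliant' means; this grant control turns non-compliance into a blocked sign-in
    to Exchange Online, Teams and every other cloud app.
    """
    return {
        "displayName": "Require compliant device - iOS and macOS (all apps)",
        # Report-only first: evaluate and log, but do not block, until the numbers look sane.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["iOS", "macOS"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def policy_problems(policy):
    """Pre-flight checks a reviewer would run before creating the policy."""
    problems = []
    users = policy["conditions"]["users"]
    if users.get("includeUsers") == ["All"] and not users.get("excludeUsers"):
        problems.append("no break-glass exclusion: a mistake locks out every admin")
    if policy["state"] == "enabled":
        problems.append("not report-only: no sign-in log baseline before enforcement")
    if "compliantDevice" not in policy["grantControls"]["builtInControls"]:
        problems.append("grant does not require a compliant device")
    return problems


if __name__ == "__main__":
    policy = build_compliant_device_policy([BREAK_GLASS_ACCOUNT_ID])
    print(json.dumps(policy, indent=2))
    print("problems:", policy_problems(policy) or "none")
```

Switch `report_only=False` only after the report-only sign-in logs show which users and devices would be blocked.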

The Shadow IT Problem: Laravel and Craft CMS

CVE-2025-32432 (Craft CMS) and CVE-2025-54068 (Laravel Livewire) hit the KEV list this week. Both are code injection vulnerabilities allowing unauthenticated remote command execution.

Most enterprise financial infrastructure isn’t running on Craft CMS. But if your marketing or HR departments have ever hired an outside agency, pay attention.

The pattern:

Marketing decides IT is moving too slow. They take a corporate credit card, hire a boutique agency to build a promotional website or an investor relations portal, and launch it on an unmanaged hosting provider.

The agency spins up a Laravel app, hands over the keys, and disappears. Two years later, nobody has patched the framework.

And here’s the kicker:

Because it’s “just a marketing site,” it doesn’t get the same security scrutiny as your core trading apps. No regular scanning. No patching schedule. Just a vendor-built PHP app sitting on a subdomain with your company’s logo on it.

When these get popped—and they will—attackers use them to serve phishing pages to your actual clients, who trust the domain.

What you should do:

Stop trying to ban these frameworks; people will just route around you.

  • Build a “paved road” using isolated Azure App Service environments.
  • Let Marketing deploy whatever PHP framework they want, but restrict outbound traffic.
  • Tie the environment into your central logging.
  • If (when) the app gets compromised, it’s contained in a sandbox and can’t pivot into your actual network.

What Actually Matters This Week

Two critical PHP framework RCEs. A massive supply chain breach in a trusted security tool. And a barrage of actively exploited Apple zero-days.

The pattern:

The tools we trust (Trivy) and the devices we make exceptions for (executive iPhones) are exactly where the attackers are focusing their energy.

The solution isn’t complicated:

Pin your GitHub Actions. Stop making VIP exceptions for mobile patching. Find your rogue marketing sites. Have an incident response plan that assumes your pipeline will eventually pull down malware.

Security in the real world is incredibly messy. Most of the time, there are no perfect answers, just varying degrees of acceptable risk.

“Assume breach and limit the blast radius.” That’s achievable.


Need help untangling your GitHub Actions permissions or setting up Conditional Access policies that won’t break your trading floor? I spent five years securing a $124B pension fund. Let’s talk - first call is free.


GRC Vitrix provides cloud security and compliance intelligence for financial services professionals. This digest is curated from publicly available sources including CISA, Microsoft MSRC, and industry news.