Intro Snapshot
Today’s threat cycle amplifies the message: when core platforms or dev integrations falter, compromise follows. From critical ERP vulnerabilities to OAuth misalignment, each story shows how the seams of trusted infrastructure are now favorite targets. Defense success depends on continually validating, isolating, and reinforcing those seams.
1. SAP S/4HANA CVSS 9.9 RCE Now Exploited in the Wild
Full URL: extracted from Dark Reading
A high-severity code injection flaw (CVE-2025-42957) in SAP’s S/4HANA—scoring 9.9—allows low-privileged users to execute ABAP and compromise the underlying OS. Exploits have already been observed; patching and tighter RFC controls are urgent.
2. CISA Orders Immediate Patching of Sitecore ViewState RCE
Full URL: extracted from THN
CISA directed federal civilian agencies to apply a Sitecore patch (CVE-2025-53690), an RCE flaw via ViewState deserialization using exposed default machine keys. Attackers have already weaponized the vulnerability to implant ‘WEEPSTEEL’ payloads and move laterally.
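The Sitecore issue above turns on ViewState being validated with machine keys that an attacker can obtain, so the first thing a defender checks is how <machineKey> is configured. The following is an added example for this digest, not code from Sitecore, CISA or the article: it parses a web.config fragment and flags static keys, keys that match a list of known installer or documentation defaults the operator supplies, legacy validation algorithms, and a disabled ViewState MAC. The two configs and the PLACEHOLDER_* key strings are constructed samples.

```python
"""Audit an ASP.NET web.config for machineKey settings that weaken ViewState
protection. Added illustration; not Sitecore's or the article's own code."""
import xml.etree.ElementTree as ET

# Constructed sample configs (placeholder key values, not real keys).
STATIC_KEY_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

AUTOGEN_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def audit_machine_key(xml_text, known_defaults=frozenset()):
    """Return a list of findings; an empty list means nothing was flagged.

    known_defaults: key strings the operator has collected from installer
    defaults or vendor documentation. A configured key equal to one of them
    is treated as public and flagged for immediate rotation.
    """
    root = ET.fromstring(xml_text)
    findings = []
    # No <machineKey> element at all means ASP.NET generates keys per server,
    # which is not the shared-default problem, so it produces no finding.
    mk = next(root.iter("machineKey"), None)
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "")
            if not value or value.startswith("AutoGenerate"):
                continue  # auto-generated per server; not shareable across installs
            if value in known_defaults:
                findings.append(f"{attr} matches a known default key; rotate immediately")
            else:
                findings.append(f"{attr} is a static key; confirm it is unique to this deployment")
        if mk.get("validation", "").upper() in ("MD5", "SHA1"):
            findings.append("validation uses a legacy algorithm; HMACSHA256 is the modern default")
    # A disabled ViewState MAC means any ViewState blob is accepted without integrity checks.
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState accepted without MAC")
    return findings


if __name__ == "__main__":
    for name, cfg in (("static", STATIC_KEY_CONFIG), ("autogen", AUTOGEN_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no findings"])
```

Run it across every web.config in a deployment and feed the key values that ship with product installers into known_defaults; a static key that is genuinely unique still warrants a rotation schedule, since the same key copied onto every server in a farm is exactly the exposure described above.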
3. 61% of Organizations Report Insider File Breaches—Losses Average $2.7M
Full URL: https://www.securitymagazine.com/articles/101883-61-of-organizations-experienced-insider-breaches
A Ponemon study via OPSWAT reveals 61% of firms experienced insider-related file breaches, costing ~$2.7 million per incident. While 90% are adopting AI tools for file safety, under 50% trust their ability to handle transfers or third-party shares securely.
4. Hollywood’s Cyber Headlines: Entertainment Under Assault
Full URL: extracted from Cyber Defense Magazine
Media companies remain high-value targets due to weak regulation, third-party supply chains, and massive unprotected audiences. The sector’s vulnerabilities—like leaked episodes—underscore how visibility and lax access can fuel rapid exploitation.
5. UltraViolet Acquires Black Duck’s AppSec Testing Capabilities
Full URL: extracted from Dark Reading
UltraViolet Cyber expanded by integrating Black Duck’s application security testing business, providing DevSecOps pipelines, container assessment, threat modeling, and red teaming—not just detection, but earlier risk reduction across development lifecycles.
Key Takeaways
ERP-level flaws are catastrophic by design; patch speed matters.
Default keys remain persistent attack vectors.
Insider threats aren’t rare—they’re expensive and escalating.
Sector-specific lapses (like in entertainment) spotlight universal risks.
Security shift-left matters—testing earlier cuts response cycles significantly.