Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

CVE-2025-37093: HPE Fixes Critical RCE Vulnerability in StoreOnce

On June 2, 2025, Hewlett Packard Enterprise (HPE) released fixes for multiple vulnerabilities affecting HPE StoreOnce VSA, an enterprise backup storage solution. The most severe of these was CVE-2025-37093, a critical authentication bypass vulnerability discovered by the Zero Day Initiative (ZDI). The flaw resides in the implementation of the machineAccountCheck method and stems from improper handling of an authentication algorithm.

What is Privileged Access Management?

The management of user access to an organization’s assets, applications, and systems is never static. Users are coming and going, different roles require different access, and for some, privileged access – elevated permissions and access capabilities granted to specific users or groups of users – is needed for mission-critical business functions.

ConnectWise Breach Attributed to Nation-State Threat Actor

On May 28, 2025, ConnectWise published an advisory disclosing suspicious activity within its environment, attributed to a sophisticated nation-state threat actor known for intelligence collection. The activity reportedly affected a very small number of ScreenConnect customers, all of whom ConnectWise has directly contacted. Details remain limited as the investigation is ongoing.

Understanding the Risks of Remote Monitoring and Management Tools

The IT environment is evolving. Organizations have embraced hybrid work models, expanded their operations and personnel footprints, and digitalized their processes and capabilities. And those in charge of these now sprawling environments must deal with the increasingly complicated task of keeping endpoints, users, and more both operational and secure.

Multiple Unpatched Vulnerabilities in Versa Concerto Disclosed

On May 21, 2025, ProjectDiscovery published technical details for multiple vulnerabilities they discovered in Versa Concerto, including authentication bypasses, remote code execution (RCE), and container escapes. Versa Concerto is a centralized management platform used to manage Versa’s SD-WAN and SASE services. It is a Spring Boot-based application deployed via Docker containers and routed through Traefik.

The Howler Episode 18: Lisa Tetrault, Senior Vice President, Security Services

This month, we sit down with Lisa Tetrault, Senior Vice President of Security Services, as she discusses her career journey, scaling the Security Operations Center (SOC) at Arctic Wolf from when we had fewer than 100 pack members to today, and the practices that keep her grounded and achieving her goals.

How to Implement a Zero Trust Strategy

The ways in which people work are changing, and so are the approaches needed to secure modern work. As organizations race to gain the benefits of cloud computing, relax rules around bring-your-own devices, and leverage hybrid-work models that require edge devices such as VPN gateways, the result is an expanding, disparate IT environment. And even worse, users are a part of the attack surface — one threat actors are all too ready and willing to exploit.

RVTools Supply Chain Attack Delivers Bumblebee Malware

Arctic Wolf has recently observed the distribution of a trojanized RVTools installer via a malicious typosquatted domain. The domain matches the legitimate domain; however, the top-level domain (TLD) is changed from .com to .org. RVTools is a widely used VMware utility for inventory and configuration reporting, developed by Robware. Once downloaded, the malicious installer attempts to make outbound connections to known command and control infrastructure.