SecurityWeek reports that updates have been issued by Sophos to address five Sophos Firewall flaws including a critical arbitrary file writing issue, tracked as CVE-2025-6704, and a critical SQL injection bug, tracked as CVE-2025-7624, which could be leveraged to facilitate remote code execution.
BleepingComputer reports that vulnerable SysAid IT service management software instances impacted by the unauthenticated XML External Entity bugs, tracked as CVE-2025-2775 and CVE-2025-2776, were noted by the Cybersecurity and Infrastructure Security Agency to be subjected to ongoing intrusions.
Chinese state-sponsored threat operations Linen Typhoon, also known as APT27, Emissary Panda, and Bronze Union, and Violet Typhoon, also known as APT31, Judgment Panda, and Bronze Vinewood, as well as the suspected China-based hacking group Storm-2603 have been targeting vulnerable internet-exposed Microsoft SharePoint servers impacted by the flaws, tracked as CVE-2025-53770 and CVE-2025-53771, since earlier this month, reports The Hacker News.
Hewlett Packard Enterprise has fixed a pair of security bugs affecting Instant On Access Points, which could be chained to facilitate administrative access and malicious command injections, reports The Hacker News.
Updates have been released by major VPN service provider ExpressVPN to resolve a vulnerability impacting its Windows client that resulted in the exposure of its users' IP addresses, according to BleepingComputer.
Fast Five
Selected by the SC Media Editorial team every Tuesday.
Sign up now for the top five issues cybersecurity pros need to know this week.
