In this week's news, a series of serious cybersecurity incidents has affected major organisations across retail, enterprise software and national infrastructure, from an attempted breach at the Co-operative Group to a high-impact ransomware attack on Marks & Spencer.
At the same time, critical vulnerabilities in widely used platforms such as SAP NetWeaver, Commvault Command Center and SonicWall appliances have been actively exploited, putting pressure on businesses to respond rapidly and reinforce their defences.
Co-op Shuts Down IT Systems to Contain Cyberattack Attempt
The Co-operative Group has taken precautionary measures by shutting down parts of its IT infrastructure following an attempted cyberattack, making it the second major UK retailer affected by cyber threats in recent days, after Marks & Spencer.
The incident led to the temporary suspension of back-office and call centre operations, including virtual desktops and stock monitoring systems. Despite these disruptions, Co-op's food stores, funeral services and e-commerce platforms continue to operate normally. The company has stated that no customer data has been compromised and is working with the National Cyber Security Centre to investigate the incident.
The episode illustrates the pressure UK retailers are under, coming only days after the far more damaging attack on Marks & Spencer.
Marks & Spencer Hit by Scattered Spider Ransomware Attack, Disrupting Operations and Causing Financial Losses
British retailer Marks & Spencer (M&S) has suffered a significant cyberattack attributed to the hacking group Scattered Spider, leading to widespread operational disruptions and financial losses.
The intrusion began in February 2025 with the theft of the NTDS.dit file, the Active Directory database that holds the password hashes of every domain account. With those hashes in hand, the attackers could authenticate as legitimate users and move laterally across the network.
On April 24, the attackers deployed the DragonForce ransomware, targeting M&S’s VMware ESXi infrastructure, effectively crippling virtual machines and backend systems. As a result, M&S suspended all online orders across its UK, Ireland, and some international platforms, and experienced disruptions to contactless payments, gift card transactions, and click & collect services.
The incident has led to daily losses exceeding £3 million and a significant drop in the company’s stock market value. M&S is collaborating with cybersecurity firms, including CrowdStrike, Microsoft, and Fenix24, as well as the National Cyber Security Centre and the National Crime Agency, to investigate and mitigate the breach.
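The NTDS.dit theft described above is one of the most detectable steps in this kind of intrusion: the file is locked while the domain controller is running, so it has to be pulled out through a Volume Shadow Copy or an ntdsutil IFM export, and the SYSTEM registry hive has to be saved alongside it to decrypt the hashes. As an added illustration (not code from the original article or from any of the firms named in it), the following Python hunts exported process-creation events for that pattern and correlates the steps per host. The event records are constructed for the example; the field names, the rule list and the 30-minute correlation window are assumptions to adapt to your own telemetry.

```python
"""
Hunt process-creation telemetry (Sysmon Event 1 / Windows 4688 exports) for
the NTDS.dit theft pattern. NTDS.dit is locked by LSASS while the DC runs,
so an attacker usually either (a) asks ntdsutil for an IFM export, or
(b) creates a Volume Shadow Copy and copies the .dit out of it, and then
(c) saves the SYSTEM registry hive, whose boot key is needed to decrypt the
stored password hashes. Two of those on one DC in a short window is the
signal worth paging on.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    timestamp: str   # ISO-8601 as exported from the SIEM (assumed field layout)
    host: str
    user: str
    image: str       # full path of the executable
    cmdline: str


# (rule name, pattern matched against the lower-cased command line, severity)
RULES = [
    ("ntdsutil_ifm_export",
     re.compile(r"ntdsutil(\.exe)?.*\b(ifm|ac\s+i\s+ntds)\b"), "high"),
    ("shadow_copy_created",
     re.compile(r"(vssadmin(\.exe)?\s+create\s+shadow"
                r"|wmic(\.exe)?\s+shadowcopy\s+call\s+create"
                r"|\bdiskshadow(\.exe)?\b)"), "medium"),
    ("ntds_dit_copied",
     re.compile(r"(\bcopy\b|xcopy|robocopy|copy-item|esentutl(\.exe)?\s+/y|7z(\.exe)?\s+a\b)"
                r".*ntds\.dit"), "high"),
    ("system_hive_saved",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b"), "medium"),
]


def match_event(ev):
    """Return [(rule, severity)] for every rule the event's command line trips."""
    cl = ev.cmdline.lower()
    return [(name, sev) for name, rx, sev in RULES if rx.search(cl)]


def hunt_ntds_theft(events, window=timedelta(minutes=30)):
    """Return (hits, chains).

    hits   : [(event, rule, severity)] for every matching event.
    chains : {host: sorted rule names} for hosts where two or more distinct
             rules fire inside `window`, i.e. the multi-step theft pattern.
    """
    hits = [(ev, name, sev) for ev in events for name, sev in match_event(ev)]
    per_host = {}
    for ev, name, _ in hits:
        per_host.setdefault(ev.host, []).append((datetime.fromisoformat(ev.timestamp), name))
    chains = {}
    for host, seq in per_host.items():
        seq.sort()
        for start, _ in seq:
            rules = {n for t, n in seq if start <= t <= start + window}
            if len(rules) >= 2:
                chains[host] = sorted(rules)
                break
    return hits, chains


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    ProcEvent("2025-02-12T02:14:05", "DC01", "CORP\\svc-backup",
              r"C:\Windows\System32\vssadmin.exe",
              r"vssadmin create shadow /for=C:"),
    ProcEvent("2025-02-12T02:14:40", "DC01", "CORP\\svc-backup",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\n.dit"),
    ProcEvent("2025-02-12T02:15:02", "DC01", "CORP\\svc-backup",
              r"C:\Windows\System32\reg.exe",
              r"reg save HKLM\SYSTEM C:\Temp\sys.hiv"),
    ProcEvent("2025-02-12T09:30:00", "DC02", "CORP\\admin.jane",
              r"C:\Windows\System32\vssadmin.exe",
              r"vssadmin list shadows"),                      # benign: listing only
    ProcEvent("2025-02-12T23:41:17", "DC02", "CORP\\svc-backup",
              r"C:\Windows\System32\ntdsutil.exe",
              r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\ifm" q q'),
    ProcEvent("2025-02-12T09:35:00", "FS01", "CORP\\admin.jane",
              r"C:\Windows\System32\robocopy.exe",
              r"robocopy D:\Shares\Finance E:\Backup\Finance /MIR"),  # benign copy
]

if __name__ == "__main__":
    hits, chains = hunt_ntds_theft(SAMPLE_EVENTS)
    for ev, rule, sev in hits:
        print(f"[{sev:6}] {ev.host} {ev.timestamp} {rule}: {ev.cmdline}")
    for host, rules in chains.items():
        print(f"CHAIN on {host}: {', '.join(rules)}")
```

A lone IFM export (DC02 above) is still a high-severity hit on its own; the chain logic exists so that the shadow-copy route, whose individual steps look like routine backup activity, is escalated when the steps line up on one host.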
Commvault Confirms Active Exploitation of Critical Command Center Vulnerability
Commvault has confirmed that threat actors have exploited a critical vulnerability (CVE-2025-34028) in its Command Center software, which allows unauthenticated remote code execution.
The flaw, rated 9.0 on the CVSS scale, affects versions 11.38.0 through 11.38.19 and has been patched in versions 11.38.20 and 11.38.25. It stems from a pre-authentication endpoint (deployWebpackage.do) that fetches an archive from a caller-supplied location and unpacks it without validation, so an attacker can have the server retrieve a malicious package and write its contents, such as a web shell, into a directory from which they execute, giving full compromise of the Command Center host.
Commvault urges all customers to update immediately. Command Center should not be reachable from the internet in the first place, and any instance that has been exposed while unpatched should be treated as potentially compromised and checked for unexpected files under its web application directories.
SonicWall Warns of Active Exploitation of Two Critical Vulnerabilities
SonicWall has issued alerts regarding two critical vulnerabilities that have been actively exploited in the wild.
The first, CVE-2025-23006, is a zero-day in the Secure Mobile Access (SMA) 1000 series: a pre-authentication deserialisation flaw in the appliance's Appliance Management Console (AMC) and Central Management Console (CMC) that lets an attacker who can reach those management interfaces execute arbitrary OS commands. The second, CVE-2024-53704, is an authentication bypass in the SSL VPN component of SonicOS firewalls, which began to be exploited shortly after proof-of-concept code was published.
Both vulnerabilities have been patched, and SonicWall strongly advises customers to apply the updates immediately and, for the SMA 1000, to restrict access to the AMC and CMC to trusted sources rather than exposing them to the internet.
Nebulous Mantis Targets NATO-Linked Entities with Multi-Stage Malware Attacks
Cybersecurity researchers have identified a Russian-speaking cyber espionage group, Nebulous Mantis, actively targeting NATO-linked organisations using a sophisticated multi-stage malware campaign.
The group employs the RomCom Remote Access Trojan (RAT), which utilises advanced evasion techniques such as living-off-the-land tactics and encrypted command-and-control communications.
Nebulous Mantis, also known by aliases including CIGAR, Cuba, Storm-0978, Tropical Scorpius, UNC2596, and Void Rabisu, has been conducting spear-phishing campaigns since mid-2022, deploying weaponised documents to infiltrate critical infrastructure, government agencies, and defence organisations associated with NATO.
The group’s use of bulletproof hosting and evolving infrastructure underscores the persistent and adaptive nature of state-aligned cyber threats.
SAP Urges Immediate Patching of Critical NetWeaver Zero-Day Vulnerability Exploited in Active Attacks
SAP has released an emergency patch for a critical zero-day vulnerability in its NetWeaver platform, identified as CVE-2025-31324 with a maximum CVSS score of 10.0.
This flaw resides in the Visual Composer Metadata Uploader component and allows unauthenticated attackers to upload malicious files, leading to potential remote code execution and full system compromise.
Security firm ReliaQuest discovered the exploitation of this vulnerability in the wild, noting that attackers are deploying JSP-based web shells via the ‘/developmentserver/metadatauploader’ endpoint to maintain persistent access and deliver additional payloads.
Some of the compromised systems were fully up to date on SAP patches at the time, which is what identified the flaw as a zero-day rather than an unpatched known issue.
SAP has updated its April 2025 Security Patch Day advisory to address this issue and strongly recommends that all customers apply the necessary patches immediately. Where patching has to wait, the usual interim mitigations are to restrict access to the /developmentserver/metadatauploader endpoint or disable Visual Composer where it is not in use, and any system that was exposed before patching should be checked for unexpected .jsp files in its web directories.
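Both the Commvault and SAP items above come down to a single pre-authentication endpoint that writes attacker-controlled content onto the server, so the first hunt a defender runs is over the web server access logs. The following Python, added here as an example rather than taken from the article or from either vendor, parses combined-format access log lines, flags requests to deployWebpackage.do and to /developmentserver/metadatauploader, and escalates when a client that POSTed to the SAP uploader later fetches a .jsp file under /irj/, which is what a dropped web shell looks like from the log's point of view. The log lines are constructed (RFC 5737 documentation addresses); the /commandcenter/ prefix, the helper.jsp name and the /irj/ web-shell location are assumptions that illustrate the pattern, not indicators to match literally.

```python
"""
Hunt web-server access logs for the two pre-auth upload/deploy endpoints
named in this week's advisories:

  * SAP NetWeaver Visual Composer -> POST /developmentserver/metadatauploader (CVE-2025-31324)
  * Commvault Command Center      -> deployWebpackage.do (CVE-2025-34028)

and correlate an upload to the SAP endpoint with later requests for .jsp
files from the same client.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule severity ip path line_no")

# Apache/Nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAP_UPLOADER = "/developmentserver/metadatauploader"   # endpoint from the advisory
COMMVAULT_DEPLOY = "deployWebpackage.do"               # endpoint from the advisory


def parse_line(line):
    """Return (ip, method, path, status) or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]   # drop the query string
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def hunt_access_log(lines):
    """Return (findings, unparsed_count) for an iterable of access log lines."""
    findings = []
    uploaders = set()      # client IPs that have POSTed to the SAP uploader
    unparsed = 0
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        ip, method, path, status = rec
        # Any request at all to the Commvault deploy endpoint is worth a look.
        if path.endswith("/" + COMMVAULT_DEPLOY):
            findings.append(Finding("commvault_deploywebpackage_request", "high", ip, path, n))
        # A POST is an upload; a GET/HEAD is more likely a scanner probing for the endpoint.
        if path == SAP_UPLOADER:
            if method in ("POST", "PUT"):
                findings.append(Finding("sap_metadatauploader_upload", "high", ip, path, n))
                uploaders.add(ip)
            else:
                findings.append(Finding("sap_metadatauploader_probe", "medium", ip, path, n))
        # .jsp under /irj/ is where the reported web shells were served from (assumed location).
        if path.startswith("/irj/") and path.lower().endswith(".jsp"):
            findings.append(Finding("jsp_under_irj", "low", ip, path, n))
            if ip in uploaders and status == 200:
                findings.append(Finding("webshell_chain", "high", ip, path, n))
    return findings, unparsed


SAMPLE_LOG = [  # constructed for this example; addresses are RFC 5737 documentation ranges
    '203.0.113.5 - - [25/Apr/2025:03:12:41 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.5 - - [25/Apr/2025:03:12:58 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88',
    '198.51.100.7 - - [25/Apr/2025:03:20:10 +0000] "GET /commandcenter/deployWebpackage.do HTTP/1.1" 200 0',
    '10.0.0.12 - - [25/Apr/2025:08:01:00 +0000] "GET /irj/portal HTTP/1.1" 200 9231',
    '192.0.2.9 - - [25/Apr/2025:08:05:13 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 1754',
    '10.0.0.12 - - [25/Apr/2025:08:07:45 +0000] "GET /irj/go/km/docs/readme.jsp?x=1 HTTP/1.1" 200 302',
    'malformed line that the parser should skip',
]

if __name__ == "__main__":
    findings, unparsed = hunt_access_log(SAMPLE_LOG)
    for f in findings:
        print(f"[{f.severity:6}] line {f.line_no} {f.ip} {f.rule}: {f.path}")
    print(f"{unparsed} line(s) not parsed")
```

Run it against the real access logs of the Java instance (for SAP) or the Command Center web tier, in time order, since the chain rule depends on seeing the upload before the .jsp request. Legitimate .jsp content under /irj/ exists, so the low-severity hits are a list to triage, while the chain and upload hits are the ones to act on.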
Critical AirPlay Vulnerabilities Enable Zero-Click Attacks on Apple and Third-Party Devices
A set of 23 critical vulnerabilities, collectively known as “AirBorne,” have been discovered in Apple’s AirPlay protocol and SDK, exposing both Apple and numerous third-party devices to potential zero-click remote code execution (RCE) attacks.
These flaws allow attackers on the same Wi-Fi network to hijack devices without user interaction, potentially leading to malware deployment, data exfiltration, and surveillance via devices with microphones. Particularly concerning are two “wormable” vulnerabilities that could facilitate rapid malware propagation across networks.
While Apple has released patches for its own devices, many third-party products, including smart TVs, speakers, and CarPlay systems, remain vulnerable due to inconsistent update practices by manufacturers.
Security experts advise users to update their devices promptly, to disable the AirPlay receiver on devices where it is not needed and otherwise restrict it to the current user rather than everyone on the network, and to keep AirPlay-capable devices off untrusted Wi-Fi, since the attacker only needs to be on the same local network. Securing home and office Wi-Fi with strong, unique passwords limits who can get onto that network in the first place.