What CISOs Need to Know Now
Each month brings new evidence that cybersecurity is not just about reacting to incidents but anticipating them. The May 2025 threat landscape highlights the growing need for strategic vigilance, actionable intelligence, and timely intervention. With seventy-seven new vulnerabilities, five active exploits, and an uptick in ransomware activity, the month reinforces one clear message: the risk is real, and the window to act is now. For detailed technical insights, refer to the accompanying PowerPoint briefing available here.
Critical CVEs Demand Immediate Attention
Microsoft issued updates for Azure, Windows, Office, and Remote Desktop Services, including eight critical vulnerabilities. CVE-2025-29813, affecting Azure DevOps Server with a perfect CVSS score of 10.0, is among the most urgent due to its potential for privilege escalation. Other notable vulnerabilities include CVE-2025-30386 in Microsoft Office, which is considered highly likely to be exploited.
Security disclosures from other major vendors added to the urgency. Apple addressed flaws in its new baseband modem and iOS core services. Google patched vulnerabilities in Android and Chrome, some already under active attack. Cisco corrected thirty-five flaws, including one affecting wireless controllers with a CVSS score of 10.0. SAP and VMware also patched high-impact issues, with SAP reporting ongoing exploitation activity linked to espionage and ransomware actors.
Ransomware Groups Continue to Evolve
Five ransomware groups dominated the landscape this month: Safepay, Qilin, Play, Akira, and Devman. Safepay, first observed in September 2024, launched over seventy attacks in May alone. It uses tools similar to LockBit and avoids encrypting systems in Russian-speaking countries. Devman is a newer threat actor first seen in April 2025 and appears to be a rebrand or spin-off of a former Qilin affiliate. These groups continue to exploit weaknesses in remote access infrastructure and outdated software, emphasizing the need for robust access controls and regular vulnerability assessments.
Exploited Vulnerabilities Already in the Wild
CISA’s Known Exploited Vulnerabilities Catalog listed several new threats, including CVE-2024-38475 in Apache HTTP Server, CVE-2023-44221 in SonicWall appliances, and CVE-2025-20188 in Cisco IOS XE. These vulnerabilities are being actively used by threat actors, and organizations with exposure must patch immediately or implement mitigation strategies.
Malware Submissions Reveal Continued Risk
Sandbox data shows ongoing use of malware designed to gain persistent access and steal sensitive information. Berbew, a Windows backdoor trojan, was frequently submitted and remains a key concern due to its credential theft capabilities. Other malware families observed include Nimzod, Systex, VB, and Autoruns, all of which support lateral movement and data exfiltration.
1. Prioritize Exploitable CVEs, Not Just Critical Ones
While CVSS scores are helpful, they don’t tell the whole story. Use threat intelligence feeds and the CISA Known Exploited Vulnerabilities Catalog to identify vulnerabilities that are actively being used by attackers. CVE-2025-29813 and CVE-2025-30386, for example, are flagged as “Exploitation More Likely” and should be treated as urgent.
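One way to put this into practice, as an added example that is not LevelBlue's tooling: take a scan backlog, join it against the CISA KEV catalog and a vendor exploitability label, and sort by evidence of exploitation first and CVSS second. The script assumes the KEV feed is CISA's JSON format (fields such as cveID, dueDate and knownRansomwareCampaignUse); the catalog excerpt, the asset names, the vendor labels on the backlog entries and every CVSS score other than CVE-2025-29813's 10.0 are constructed for illustration.

```python
"""Rank a vulnerability backlog by exploitation evidence rather than CVSS alone.

Added example, not LevelBlue's tooling. Assumes the KEV catalog is CISA's
JSON feed (fields such as cveID, dateAdded, dueDate and
knownRansomwareCampaignUse). The catalog excerpt, the backlog, the asset
names and all CVSS scores except CVE-2025-29813's 10.0 are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed excerpt in the shape of the CISA KEV feed; only the CVE IDs
# come from the briefing, the other field values are placeholders.
KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2024-38475", "vendorProject": "Apache", "product": "HTTP Server",
     "dateAdded": "2025-05-01", "dueDate": "2025-05-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-44221", "vendorProject": "SonicWall", "product": "placeholder",
     "dateAdded": "2025-05-01", "dueDate": "2025-05-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-20188", "vendorProject": "Cisco", "product": "IOS XE",
     "dateAdded": "2025-05-19", "dueDate": "2025-06-09", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Vendor exploitability labels that pull a CVE ahead of the pack even before
# it reaches KEV (Microsoft's wording, as quoted in the briefing).
VENDOR_FLAGS = {"Exploitation Detected", "Exploitation More Likely"}


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    vendor_flag: str = ""  # e.g. "Exploitation More Likely" from the advisory


# Constructed backlog: a mix of KEV-listed, vendor-flagged and "critical but
# no evidence" findings so the ordering is visible.
BACKLOG = [
    Finding("CVE-2025-29813", "azdo-01", 10.0, "Exploitation More Likely"),
    Finding("CVE-2025-30386", "office-fleet", 8.4, "Exploitation More Likely"),
    Finding("CVE-2025-20188", "wlc-edge-02", 10.0),
    Finding("CVE-2024-38475", "web-dmz-01", 9.1),
    Finding("CVE-0000-0001", "lab-box", 9.8),  # constructed: high score, no evidence
]


def load_kev(raw_json: str) -> dict[str, dict]:
    """Index a KEV feed by CVE ID for constant-time lookups."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def priority_tier(finding: Finding, kev: dict[str, dict]) -> int:
    """0 = KEV with known ransomware use, 1 = KEV, 2 = vendor-flagged, 3 = rest."""
    entry = kev.get(finding.cve)
    if entry is not None:
        return 0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1
    if finding.vendor_flag in VENDOR_FLAGS:
        return 2
    return 3


def prioritize(backlog: list[Finding], kev: dict[str, dict]) -> list[Finding]:
    """Order by tier, then by KEV due date (earliest first), then by CVSS."""
    def key(f: Finding):
        due = kev.get(f.cve, {}).get("dueDate", "9999-12-31")
        return (priority_tier(f, kev), due, -f.cvss)
    return sorted(backlog, key=key)


def overdue(kev: dict[str, dict], today: str) -> list[str]:
    """KEV entries whose remediation due date (ISO yyyy-mm-dd) has passed."""
    return sorted(cve for cve, v in kev.items() if v["dueDate"] < today)


if __name__ == "__main__":
    catalog = load_kev(KEV_JSON)
    for f in prioritize(BACKLOG, catalog):
        print(priority_tier(f, catalog), f.cve, f.asset, f.cvss)
    print("overdue as of 2025-06-01:", overdue(catalog, "2025-06-01"))
```

Run as written, the constructed CVE with a 9.8 score but no exploitation evidence drops to the bottom, while the two KEV entries move ahead of the vendor-flagged Microsoft CVEs even where their CVSS is lower; swap in the live KEV feed and your own scanner export to use it for real.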
2. Implement Continuous Asset Discovery
Ensure you have full visibility into your environment, including shadow IT and unmanaged assets. Unknown assets are often the weak links attackers exploit first.
3. Integrate Threat Intelligence into Vulnerability Prioritization
Layer CVE severity with real-time threat intelligence to assess the business impact of each vulnerability. For instance, vulnerabilities tied to ransomware groups like Safepay or Devman should be fast-tracked for remediation.
4. Segment and Harden Exposed Services
Threat actors are leveraging vulnerable services exposed to the internet (e.g., VPNs, webmail, device controllers). Isolate these assets, enforce multi-factor authentication, and limit access by geo or IP as needed.
5. Automate Patch and Configuration Management
Set up workflows to automatically push updates for high-risk software—especially Microsoft, Cisco, and browser-related services. Automation reduces lag time between patch release and implementation.
6. Measure and Report on Exposure Trends
Track key exposure metrics such as mean time to remediate (MTTR), number of high-risk assets unpatched, and the percentage of assets with known exploited vulnerabilities. Use these to brief leadership and drive accountability.
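The three metrics named above, computed from a scan or ticket export, as an added example that is not LevelBlue's tooling. It assumes each record carries the date the finding was first detected and, once remediated, the date it was closed; the records, asset names, dates and fleet size are constructed, and only the CVE IDs come from the briefing.

```python
"""Exposure metrics for a leadership briefing: MTTR, open high-risk assets,
and the share of the fleet carrying a known exploited vulnerability.

Added example, not LevelBlue's tooling. Records, asset names, dates and the
fleet size are constructed; only the CVE IDs are taken from the briefing.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

HIGH_RISK = {"critical", "high"}


@dataclass(frozen=True)
class VulnRecord:
    asset: str
    cve: str
    severity: str
    opened: date          # first detected
    closed: date | None   # None while still unremediated
    in_kev: bool          # listed in CISA's Known Exploited Vulnerabilities


# Constructed export: three findings already remediated, three still open.
RECORDS = [
    VulnRecord("web-dmz-01", "CVE-2024-38475", "critical", date(2025, 5, 2), date(2025, 5, 9), True),
    VulnRecord("wlc-edge-02", "CVE-2025-20188", "critical", date(2025, 5, 20), None, True),
    VulnRecord("azdo-01", "CVE-2025-29813", "critical", date(2025, 5, 14), date(2025, 5, 16), False),
    VulnRecord("office-fleet", "CVE-2025-30386", "high", date(2025, 5, 14), date(2025, 5, 26), False),
    VulnRecord("vpn-gw-01", "CVE-2023-44221", "high", date(2025, 5, 2), None, True),
    VulnRecord("lab-box", "CVE-0000-0001", "medium", date(2025, 5, 5), None, False),
]
TOTAL_ASSETS = 10            # constructed fleet size from the asset inventory
AS_OF = date(2025, 5, 31)    # reporting date


def _open_on(r: VulnRecord, as_of: date) -> bool:
    """True if the finding existed and was still unremediated on as_of."""
    return r.opened <= as_of and (r.closed is None or r.closed > as_of)


def mttr_days(records, severity=None):
    """Mean days from detection to closure over remediated records."""
    durations = [(r.closed - r.opened).days for r in records
                 if r.closed is not None and (severity is None or r.severity == severity)]
    return sum(durations) / len(durations) if durations else None


def open_high_risk_assets(records, as_of):
    """Assets with an unremediated critical/high finding on the reporting date."""
    return sorted({r.asset for r in records if r.severity in HIGH_RISK and _open_on(r, as_of)})


def pct_assets_with_kev(records, total_assets, as_of):
    """Percentage of the fleet with at least one open KEV-listed finding."""
    exposed = {r.asset for r in records if r.in_kev and _open_on(r, as_of)}
    return round(100.0 * len(exposed) / total_assets, 1)


def exposure_report(records, total_assets, as_of):
    """The figures a CISO would put on one slide, as a dict."""
    return {
        "mttr_days_all": mttr_days(records),
        "mttr_days_critical": mttr_days(records, "critical"),
        "open_high_risk_assets": open_high_risk_assets(records, as_of),
        "pct_assets_with_kev": pct_assets_with_kev(records, total_assets, as_of),
    }


if __name__ == "__main__":
    for name, value in exposure_report(RECORDS, TOTAL_ASSETS, AS_OF).items():
        print(f"{name}: {value}")
```

Tracking these month over month is what turns the numbers into accountability: a rising KEV percentage with a flat MTTR says the intake is outpacing remediation, which is the conversation to have with leadership.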
7. Expand Beyond CVEs: Include Misconfigurations and Weak Defaults
Exposure is not just about missing patches. Review firewall rules, identity and access configurations, logging settings, and cloud permissions to uncover silent risk.
8. Simulate Exploitation Paths
Use attack path modeling or red team exercises to map out how a known CVE could be chained with other weaknesses. This helps prioritize fixes based on the real-world likelihood of breach.
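A minimal attack path model for remediation planning, as an added example that is not LevelBlue's tooling or any product's method: assets are graph nodes, each directed edge carries the single weakness (a CVE from the briefing or a named misconfiguration) that would let an intruder move along it, and the script enumerates every route from the internet to a crown-jewel asset, then picks the fixes that cut the most routes. The graph, the misconfiguration labels and the asset names are constructed.

```python
"""Attack path modelling for remediation planning: which weaknesses, fixed
first, cut the most routes from the internet to a crown-jewel asset.

Added example, not LevelBlue's tooling. The graph is constructed: nodes are
assets, each edge is labelled with the one weakness (a CVE named in the
briefing or a constructed misconfiguration) that enables that hop.
"""
from __future__ import annotations

from collections import Counter

# Constructed graph: node -> [(next_node, enabling_weakness), ...]
GRAPH = {
    "internet": [("vpn-gw-01", "CVE-2023-44221"), ("web-dmz-01", "CVE-2024-38475")],
    "vpn-gw-01": [("file-srv", "no-segmentation")],
    "web-dmz-01": [("file-srv", "no-segmentation"), ("azdo-01", "reused-service-account")],
    "file-srv": [("domain-controller", "shared-local-admin")],
    "azdo-01": [("domain-controller", "CVE-2025-29813")],
    "domain-controller": [],
}


def attack_paths(graph, sources, target):
    """All simple paths from any source to the target, each as a tuple of
    the weaknesses that would have to be exploited in sequence."""
    paths = []

    def dfs(node, visited, weaknesses):
        if node == target:
            paths.append(tuple(weaknesses))
            return
        for nxt, weakness in graph.get(node, []):
            if nxt not in visited:  # simple paths only, no cycles
                dfs(nxt, visited | {nxt}, weaknesses + [weakness])

    for src in sources:
        dfs(src, {src}, [])
    return paths


def weakness_coverage(paths):
    """How many end-to-end paths each weakness sits on."""
    return Counter(w for p in paths for w in set(p))


def fix_plan(paths):
    """Greedy plan: repeatedly fix the weakness on the most remaining paths
    until no path from the sources to the target survives."""
    plan, remaining = [], list(paths)
    while remaining:
        cov = weakness_coverage(remaining)
        best = sorted(cov, key=lambda w: (-cov[w], w))[0]
        plan.append(best)
        remaining = [p for p in remaining if best not in p]
    return plan


if __name__ == "__main__":
    paths = attack_paths(GRAPH, ["internet"], "domain-controller")
    for p in paths:
        print(" -> ".join(p))
    print("coverage:", dict(weakness_coverage(paths)))
    print("fix first:", fix_plan(paths))
```

On the constructed graph the greedy plan is to close the two internet-facing CVEs, which severs every route; the misconfigurations still matter, but the model shows they only become reachable through those two entry points, which is the ranking the text is asking for.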
Final Thought
The May threat landscape confirms that the threats are not theoretical. They are here, active, and increasingly sophisticated. Organizations that combine smart patching, user education, and proactive monitoring will be best positioned to reduce risk and respond effectively. If your team needs support interpreting this intelligence or translating it into action, LevelBlue is ready to help.
The content provided herein is for general informational purposes only and should not be construed as legal, regulatory, compliance, or cybersecurity advice. Organizations should consult their own legal, compliance, or cybersecurity professionals regarding specific obligations and risk management strategies. While LevelBlue’s Managed Threat Detection and Response solutions are designed to support threat detection and response at the endpoint level, they are not a substitute for comprehensive network monitoring, vulnerability management, or a full cybersecurity program.