Nissan Leaf Hacked for Remote Spying, Physical Takeover

Researchers have demonstrated that a series of vulnerabilities affecting the Nissan Leaf electric vehicle can be exploited to remotely hack the car, including for spying and the physical takeover of various functions. The research was conducted by PCAutomotive, a company that offers penetration testing and threat intelligence services for the automotive and financial services industries. The Nissan Leaf hacking was detailed last week at Black Hat Asia 2025. PCAutomotive researchers targeted a second-generation Nissan Leaf made in 2020. The vulnerabilities they found enabled them to use the infotainment system’s Bluetooth capabilities to infiltrate the car’s internal network. They were then able to escalate privileges and establish a C&C channel over cellular communications to maintain stealthy and persistent access to the EV directly over the internet. The researchers showed that an attacker could exploit the vulnerabilities to spy on the owner by tracking the car’s location, taking screenshots of the infotainment system, and recording people talking in the vehicle. They were also able to remotely take control of various physical functions, including doors, wipers, the horn, mirrors, windows, lights, and even the steering wheel, including while the car was in motion. The vulnerabilities have been assigned eight CVE identifiers: CVE-2025-32056 through CVE-2025-32063. The disclosure process started in August 2023 and Nissan confirmed the findings in January 2024, but it took until recently to get the CVEs assigned, according to the researchers. Contacted by SecurityWeek, a Nissan spokesperson commented, “PCAutomotive contacted Nissan regarding its research. While we decline to disclose specific countermeasures or details for security reasons, for the safety and peace of mind of our customers we will continue to develop and roll out technologies to combat increasingly sophisticated cyberattacks.”

GitHub Announces General Availability of Security Campaigns

GitHub has announced the general availability of security campaigns, which make it easier for developers and security teams to work together on fixing vulnerabilities in their applications. The security campaigns feature was launched in public preview in late October 2024 and it is now generally available to all GitHub Advanced Security and GitHub Code Security customers. GitHub has been offering tools such as CodeQL to enable developers to automate the discovery of vulnerabilities in their code, and Copilot Autofix to help them fix the identified flaws. However, an analysis conducted by the Microsoft-owned coding platform found that only a relatively small percentage of findings are actually resolved, with the rest piling up and increasing the organization’s security debt. Security campaigns aim to help organizations lower security debt, and their use during the public preview period showed that they led to 55% of prioritized security debt being fixed by developers, compared to 10% without the use of security campaigns. Security campaigns are designed to streamline the remediation of vulnerabilities by making collaboration between security and development teams more efficient. This process has three main steps. First, security teams prioritize the vulnerabilities that need to be fixed, with security campaigns providing predefined templates for common themes (for instance, the most exploited types of flaws). Campaign alerts are selected and a timeline is specified. Then, developers impacted by the campaign are notified and the tasks related to patching vulnerabilities are brought into their workflow, enabling them to plan and manage them just like any other work. Copilot Autofix suggests automatic remediations for all of the alerts in a campaign to make developers’ jobs easier. “Crucially, security campaigns are not just lists of alerts. Alongside the alerts, campaigns are complemented with notifications to ensure that developers are aware of which alert they (or their team) are responsible for,” GitHub explained. “To foster stronger collaboration between developers and the security team, campaigns also have an appointed manager to oversee the campaign progress and be on hand to assist developers. And of course: security managers have an organization-level view on GitHub to track progress and collaborate with developers as needed,” it added.

Study Identifies 20 Most Vulnerable Connected Devices of 2025

Routers represent the riskiest devices in enterprise networks, containing the largest number of critical vulnerabilities, Forescout notes in a new report. According to the company’s ‘Riskiest Connected Devices of 2025’ report, device risk has increased 15% compared to the previous year, with routers accounting for more than half of the devices plagued by the most dangerous vulnerabilities. The report, which analyzes millions of devices in Forescout’s Device Cloud to identify the riskiest types across IT, IoT, OT, and Internet of Medical Things (IoMT), shows that computers have the largest number of bugs, but not the most dangerous ones. The list of top 20 riskiest devices has changed significantly since last year, with 12 new device types added: ADCs, firewalls, intelligent platform management interfaces (IPMIs), domain controllers, PoS systems, universal gateways, historians, physical access control systems, imaging devices, lab equipment, healthcare workstations, and infusion pump controllers. The remaining eight device types have been on the list for at least one year: routers, VoIP systems, IP cameras, and UPS devices since 2022, NAS and BMS devices since 2023, and NVR and PACS systems since 2024. While meant to secure networks and enable communication with external networks, ADCs, firewalls, and routers are routinely affected by severe vulnerabilities that threat actors often exploit as zero-days. “Network equipment – especially routers – has overtaken endpoints as the riskiest category of IT devices. Driven by increased threat actor focus, adversaries are rapidly exploiting new vulnerabilities in these devices through large-scale attack campaigns,” Forescout says. According to the report, some of the most dangerous security defects are found in IoMT devices such as pump controllers, medication dispensing systems, and workstations.
On average, the riskiest devices are within the retail sector, with financial services, government, healthcare, and manufacturing rounding out the top five. Spain, China, the UK, Qatar, and Singapore are impacted the most. Within all five industries, more than 50% of non-legacy Windows devices are running Windows 10, which will reach end-of-support on October 14, 2025. Retail and healthcare are impacted the most, with over 70% of non-legacy Windows devices running Windows 10. Forescout also underlines that special-purpose operating systems such as embedded firmware are more prevalent than mobile platforms across industries, with the healthcare, government, and manufacturing sectors having the highest concentration of such products. The report also shows that organizations in the financial sector have the largest number of open ports on protocols such as SMB, RDP, SSH, and Telnet. Overall, Forescout has observed a decrease in the use of SSH, which provides encrypted communication, and an increase in the use of Telnet, which is not encrypted. “The attack surface in modern organizations now spans IT, IoT and OT, with IoMT adding another layer of complexity in healthcare. Focusing security efforts on a single category is no longer sufficient, as attackers exploit devices across different domains to execute attacks,” Forescout notes.

SAP Patches Critical Code Injection Vulnerabilities

SAP on Tuesday announced the release of 18 new and two updated security notes as part of its April 2025 Security Patch Day, including three notes addressing critical-severity vulnerabilities. The first two critical flaws, tracked as CVE-2025-27429 and CVE-2025-31330 (CVSS score of 9.9) are code injection bugs in S/4HANA (Private Cloud) and Landscape Transformation (Analysis Platform). According to enterprise software security firm Onapsis, however, the CVEs refer to the same security defect and SAP’s patches for them disable the same remote-enabled function module in both products. “If unpatched, the function module accepts any text as input parameter and generates an ABAP report based on this input using the INSERT REPORT statement. For a successful exploit, it only requires S_RFC authorization on the respective function module or on the corresponding function group,” Onapsis explains. Tracked as CVE-2025-30016 (CVSS score of 9.8), the third critical-severity vulnerability is an authentication bypass issue in Financial Consolidation that could allow an unauthenticated attacker to impersonate an administrator user. Of the remaining notes released on SAP’s April 2025 Patch Day, five address high-severity vulnerabilities, including an updated note that resolves an improper authorization in BusinessObjects Business Intelligence platform. SAP also resolved high-severity bugs in NetWeaver Application Server ABAP, Commerce Cloud, and Capital Yield Tax Management. The Commerce Cloud issue, a race condition in Apache Tomcat, can only be exploited if three conditions are met, none of which applies by default. On Tuesday, SAP also released fixes for 10 medium-severity and one low-severity bug in Commerce Cloud, ERP BW Business Content, BusinessObjects, KMC WPC, NetWeaver, Solution Manager, S4CORE entity, and S/4 HANA.

Anecdotes Raises $30 Million for Enterprise GRC Platform

Enterprise governance, risk management and compliance (GRC) solutions provider Anecdotes has raised another $30 million as part of its Series B funding round. Anecdotes announced in January 2024 that it had raised $25 million in a Series B funding round.  On Tuesday it announced that the extended Series B round has brought the company an additional $30 million, which brings the total Series B funding to $55 million and the total raised by the company since its inception to $85 million. The latest investment round was led by DTCP and it will help fuel the company’s global expansion. Anecdotes has developed a platform designed to automatically and continuously collect GRC data from an organization’s tech stack.  It leverages a suite of AI agents to analyze policies for operational gaps and ensure compliance. AI agents also help organizations expand their GRC program and they provide valuable insights. “This investment reinforces our commitment to transforming enterprise GRC—where structured, credible data and AI-enhanced automation enable organizations to proactively manage risk and compliance with confidence,” said Yair Kuznitsov, co-founder and CEO of Anecdotes. “With this funding, we will continue to push the boundaries of what’s possible in enterprise GRC, delivering unparalleled innovation and value to our customers.” Anecdotes was founded in 2020 and it has offices in New York, San Francisco and Tel Aviv.

Vulnerability Management Firm Spektion Emerges From Stealth With $5 Million in Funding

Spektion emerged from stealth mode on Tuesday with $5 million in seed funding for its software vulnerability management solution. The Austin, Texas-based company has announced the general availability of its platform, which aims to address the shortcomings of traditional vulnerability management solutions. The Spektion platform delivers continuous vulnerability analysis for an organization’s entire software inventory, leveraging runtime behavior analysis to provide detailed information on real risks, and enabling customers to prioritize and mitigate flaws, even ones that don’t have CVEs or patches. The platform can easily be integrated with other security solutions and Spektion says deployment requires minimal overhead. Spektion was founded by Joe Silva, who previously served as Global CISO of Jones Lang LaSalle (JLL) and Senior VP of Cybersecurity and Fraud at TransUnion. Silva will serve as the company’s CEO. The founding team also includes Josh Skorich, who will serve as CTO, and Julien Maladrie, who will serve as head of R&D. They both also worked at TransUnion, and Maladrie has also held research and offensive security roles at JLL, Symantec and the European Commission. The $5 million seed funding raised by Spektion comes from LiveOak Ventures, with participation from Tau Ventures and Dauntless Ventures. “We founded Spektion to break the cycle of ineffective vulnerability management. The current approach is reactive, inefficient, and fails to significantly reduce risk, despite considerable resource investments,” said Silva. He added, “Today’s software vulnerability management for commercial, open source, and homegrown applications is stuck in the same paradigm as early antivirus solutions — relying on static data points that can’t keep pace with the dynamic nature of vulnerabilities and lacking the insights that runtime solutions offer. This outdated approach leaves organizations perpetually vulnerable, just as traditional antivirus eventually proved inadequate against evolving threats such as zero days and sophisticated malware.”

Octane Raises $6.75M for Smart Contract Security Tech

Octane, a San Francisco startup working on technology to analyze blockchain smart contracts for vulnerabilities, has raised $6.75 million in a seed funding round led by Archetype and Winklevoss Capital. The company said venture capital firms Gemini, Circle, Legion Capital, Druid Ventures, and Duke Capital Partners also took equity positions. Octane said it is building technology to continuously review on-chain code to detect security weaknesses and recommend one-click fixes. The company is betting there’s a big market for tooling to help developers secure smart contract applications before and during deployment. “Flawed blockchain code enables billions in theft across crypto, with vulnerable smart contracts creating an ever-expanding attack surface as more value enters the ecosystem,” said Octane chief executive Giovanni Vignone. Octane said it is using AI and machine learning technologies to “battle-test smart contracts” and a vulnerability detection system to pinpoint niche, protocol-specific bugs alongside typical coding issues. Octane is also pitching a Code Fix Engine to mitigate vulnerabilities in Solidity smart contracts. Octane intends to use the new funds to accelerate product development, expand its team, and scale its platform across the crypto development community.

Adobe Calls Urgent Attention to Critical ColdFusion Flaws

Software maker Adobe on Tuesday released a massive batch of security updates alongside warnings that critical-severity vulnerabilities can be exploited to remotely take control of computer systems. The Adobe Patch Tuesday rollout covers a total of 54 documented bugs and addresses major code execution defects in enterprise-facing products like Adobe ColdFusion, Adobe FrameMaker, Adobe Photoshop and Adobe Commerce. The company called urgent attention to a fix for the ColdFusion web development platform, warning that at least 15 documented vulnerabilities put organizations at risk of arbitrary file system read, arbitrary code execution and security feature bypasses. Adobe ranked eleven of the ColdFusion issues as critical with CVSS scores ranging from 7.5 to 9.1 and described the bugs as improper input validation, deserialization of untrusted data, and authentication weaknesses that could lead to arbitrary code execution or file system reads. The patches also provide cover for five documented security holes in the Adobe Commerce platform with a note from Adobe that these bugs expose users to privilege escalation, denial-of-service and security bypass attacks. The Adobe ColdFusion and Adobe Commerce software products are oft-targeted by malicious hackers, including nation-state APT groups. The company also urged users of the Adobe Premiere Pro product to immediately apply available fixes to ward off remote code execution attacks. The San Jose, Calif. company also pushed out software fixes for seven vulnerabilities in Adobe After Effects and a pair of critical code execution issues in the Adobe Media Encoder software.

Microsoft Patches 125 Windows Vulns, Including Exploited CLFS Zero-Day

Microsoft on Tuesday shipped urgent updates for at least 120 Windows vulnerabilities, including a zero-day in the Windows Common Log File System (CLFS) marked as “actively exploited.” The CLFS zero-day, tagged as CVE-2025-29824, allows a local attacker to gain SYSTEM privileges by exploiting a use-after-free bug, Redmond’s security response team warned. The issue carries a CVSS severity score of 7.8/10 and requires only low-level privileges with no user interaction. Microsoft credited its internal threat intelligence team with discovering the issue, suggesting it was being exploited by professional hacking teams. The software maker said a patch for Windows 10 is not yet available and will be shipped at a later date. In separate documentation, Microsoft blamed a ransomware group for the attacks and said targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. “In addition to discovering the vulnerability, Microsoft also found that the exploit has been deployed by PipeMagic malware. Microsoft is attributing the exploitation activity to Storm-2460, which also used PipeMagic to deploy ransomware,” the company said. Over the last few years, there have been at least 26 documented vulnerabilities in the Windows CLFS subsystem used for data and event logging and Microsoft has responded with a major new security mitigation to block these attacks. The company’s plans include the addition of Hash-based Message Authentication Codes (HMAC) to detect unauthorized modifications to CLFS log files and cover one of the most attractive attack surfaces for APTs and ransomware attacks.
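The HMAC mitigation described above, illustrated on a constructed, simplified log container. This is an added example, not Microsoft's CLFS code or its on-disk format; the record layout, key and sample entries are assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed log layout (not the real CLFS format):
#   record := u32 little-endian length | payload | 32-byte HMAC-SHA256 tag
# Each tag covers the record index, the previous record's tag and the payload,
# so an in-place edit, a reordering or a truncate-and-replay of records is
# caught by whoever holds the key when the log is parsed back.

TAG_LEN = 32
HDR = struct.Struct("<I")
GENESIS = b"\x00" * TAG_LEN  # "previous tag" for the first record


def _tag(key: bytes, index: int, prev_tag: bytes, payload: bytes) -> bytes:
    return hmac.new(key, HDR.pack(index) + prev_tag + payload, hashlib.sha256).digest()


def verify_log(log: bytes, key: bytes) -> list:
    """Parse the log and return its payloads; raise ValueError on any tampering."""
    records, pos, prev_tag = [], 0, GENESIS
    while pos < len(log):
        if pos + HDR.size > len(log):
            raise ValueError("truncated header at offset %d" % pos)
        (n,) = HDR.unpack_from(log, pos)
        end = pos + HDR.size + n + TAG_LEN
        if end > len(log):
            raise ValueError("truncated record at offset %d" % pos)
        payload = log[pos + HDR.size:end - TAG_LEN]
        tag = log[end - TAG_LEN:end]
        # constant-time comparison so the check itself leaks nothing about the tag
        if not hmac.compare_digest(tag, _tag(key, len(records), prev_tag, payload)):
            raise ValueError("record %d failed HMAC check" % len(records))
        records.append(payload)
        prev_tag, pos = tag, end
    return records


def append_record(log: bytes, key: bytes, payload: bytes) -> bytes:
    """Return the log with one more authenticated record; refuses a tampered log."""
    index = len(verify_log(log, key))
    prev_tag = log[-TAG_LEN:] if log else GENESIS
    return log + HDR.pack(len(payload)) + payload + _tag(key, index, prev_tag, payload)


def tamper_detected(log: bytes, key: bytes, offset: int) -> bool:
    """Flip one bit at `offset` (simulating an unauthorized edit) and report detection."""
    edited = bytearray(log)
    edited[offset] ^= 0x01
    try:
        verify_log(bytes(edited), key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: a key only the log owner holds
    log = b""
    for entry in (b"txn 1 begin", b"txn 1 commit"):  # constructed sample entries
        log = append_record(log, key, entry)
    print(verify_log(log, key))
    print(tamper_detected(log, key, HDR.size))  # edit first payload byte -> True
```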

ICS Patch Tuesday: Vulnerabilities Addressed by Rockwell, ABB, Siemens, Schneider

Siemens has published nine new advisories. One advisory urges customers to replace the Sentron 7KT PAC1260 Data Manager with the newer PAC1261. The former is affected by critical vulnerabilities that can allow an attacker to access files and execute arbitrary code, but it will not receive any patches. A critical flaw has also been found in Industrial Edge. The product is affected by a weak authentication issue that “could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user”. Siemens has also notified customers about the recently disclosed IngressNightmare vulnerabilities affecting its Insights Hub Private Cloud solution. The company has also informed customers about high-severity issues patched in Sidis Prime and Solid Edge products, as well as medium-severity bugs in Siemens License Server, ICMP industrial devices, and Mendix Runtime. Schneider Electric has published two new advisories. One describes two high-severity vulnerabilities in ConneXium Network Manager, including one that can allow remote code execution and DoS attacks on engineering workstations. The second advisory covers three medium-severity flaws in Trio Q Licensed Data Radios that could lead to unauthorized access and the exposure of sensitive information. However, exploitation requires physical access. Rockwell Automation has published one advisory to inform customers about nearly a dozen local code execution vulnerabilities affecting its Arena product. Exploitation involves tricking the targeted user into opening a malicious file. The flaws were discovered by researcher Michael Heinzl, who is often credited by vendors (including Rockwell) for reporting potentially serious vulnerabilities whose exploitation involves opening specially crafted files. Just before Patch Tuesday, ABB published two new advisories that describe dozens of vulnerabilities found in the past years in third-party components used by its Arctic wireless gateways.
