
By Tina Reynolds

Weekly Cybersecurity Update: New Vulnerabilities, Major Breaches, and Rising Fraud Trends

Security experts are sounding alarms this week as numerous cybersecurity issues emerge, revealing vulnerabilities across various platforms and alarming trends in cybercrime. Kentico’s Xperience Content Management System (CMS) is impacted by a critical vulnerability, tracked as CVE-2025-2748. It has a CVSS score of 6.5 and lets attackers perform stored cross-site scripting (XSS) attacks. Separately, the Scallywag operation uses fake WordPress plugins to commit ad fraud, placing a bigger strain on the digital ecosystem.

In October 2023, Microsoft addressed two key security vulnerabilities that received the highest CVSS rating of 10.0. This move is a reminder of the ongoing battle against cyber threats. Meanwhile, the costs of cybercrime are climbing rapidly. In 2024, victims are expected to fall prey to a shocking $16 billion in losses, while the U.S. Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) received an alarming 859,532 complaints that year. This is a 33% increase in reported losses since 2023.

Over the weekend, South Korea’s largest mobile operator, SK Telecom, announced the discovery of a “sensitive data leak.” The breach provided the perpetrator with access to sensitive information associated with USIMs. As these incidents unfold, the financial impact of unauthorized trading transactions in Japan has reached nearly ¥100 billion ($700 million) since February 2025.

Vulnerabilities and Threats

Kentico Xperience CMS vulnerability (CVE-2025-2748): a serious threat to users and developers alike. Scored CVSS 6.5, it opens the door to stored XSS attacks, which can expose sensitive user information. Because a stored XSS payload is saved on the server and runs in the browser of every user who views the affected content, patching the CMS is the primary mitigation; consistent output encoding of user-supplied content is the general defence.

Beyond Kentico’s troubles, cyber threats continue to run rampant throughout the digital ecosystem. The Lumma Stealer malware has gained infamy for its use of many different infection vectors. It delivers additional payloads that are capable of causing catastrophic damage to the impacted systems. Cybersecurity professionals are warning users to keep their guard up against these continuing threats.

“These recently observed attacks rely heavily on one-on-one interaction with a target, as the threat actor must both convince them to click a link and send back a Microsoft-generated code,” – Volexity

As the landscape evolves, criminals are employing increasingly sophisticated strategies. Cybercriminals are willing to move heaven and earth to evade endpoint protections. For instance, they combine the Brute Ratel C4 post-exploitation framework with techniques such as Heaven’s Gate.

Rise of Fraud Operations

The Scallywag operation has become one of the heaviest hitters in cyber fraud by exploiting malicious WordPress plugins to execute ad fraud at scale. This operation illustrates the increasingly popular fraud-as-a-service model, which capitalizes on digital piracy and URL-shortening services. The illicit industry is buoyed by deceptive marketing practices that hide its ulterior motives.

“This duplicitous marketing strategy is common in underground forums – it provides a thin veneer of deniability (to avoid forum bans or legal issues) but fools no one about the true purpose,” – SlashNext

Today, fraud is one of the most lucrative criminal enterprises. A new report from the United Nations Office on Drugs and Crime (UNODC) sheds light on this disturbing phenomenon. According to this new report, cyber fraud now brings in almost $40 billion annually. This astronomical amount helps to illustrate the sheer size and scope of these massive operations.

The shocking statistics about cybercrime should be a wake-up call to lawmakers and everyone else that we need better security and a more informed public. In 2024, victims are expected to suffer an unsustainable $16 billion in damages. Together, these figures paint a picture of the persistent and pervasive nature of these threats.

Breaches and Regulatory Challenges

High profile attacks in the past year have exposed weaknesses in prominent companies and agencies. SK Telecom’s disclosure of unauthorized access to sensitive USIM-related information was devastating to the telecommunications sector. As the second largest mobile operator in South Korea, its breach is a blow to public confidence in data privacy and security.

Ubisoft is currently under fire for enforcing online connectivity mandates on otherwise single-player, stand-alone titles. The legal action comes on the heels of the first-ever GDPR complaint against the company. The complaint alleges that Ubisoft requires users to be online every single time they try to play any game.

“Even after the complainant explicitly asked why he is forced to be online, Ubisoft failed to disclose why this is going on,” – noyb

Regulatory challenges remain as well, as organizations struggle to keep up with compliance. Max Schrems criticized recent regulations for their potential inefficacy:

“This regulation could have been a game changer for exercising people’s fundamental rights. Instead, it looks like it will waste thousands of hours in already overworked authorities by prescribing various useless and overly complex procedural steps, which translates to millions in taxpayer money,” – Max Schrems

Today, organizations are dealing with increasingly complicated regulatory environments. As they try to walk this tightrope, the enforcement of GDPR rights is getting more difficult for companies and citizens alike.