Cybersecurity Threat Intelligence Briefing: May 9 - 12, 2025

News By Daniel Michan Published on May 12

Cybersecurity is no longer a defensive line item. It's the operating backbone of trust. And right now, the boardroom isn't asking "if we'll be targeted," but "when and how often?" The velocity of threats we're facing this May is unlike anything we've seen—and the adversaries aren't waiting. They're already inside.

Top Exploits and Incidents (May 9–12)

SAP NetWeaver RCE (CVE-2025-31324): An unauthenticated file upload in the Visual Composer Metadata Uploader (the /developmentserver/metadatauploader endpoint) lets attackers drop JSP webshells and stage C2 frameworks. Hundreds of enterprises were hit, with Chinese threat actors among those exploiting it while it was still a zero-day. Apply SAP Security Note 3594142, or remove the Visual Composer component if you cannot, and check the irj servlet_jsp tree for JSP files you never deployed. If your ERP is vulnerable, it's not an operational risk. It's a systemic breach vector.
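A quick way to act on the "check for webshells you never deployed" advice, as an added example for this briefing (not SAP's tooling or any vendor's detection content): the script below walks the irj drop directories named in public write-ups of CVE-2025-31324 and scores each .jsp on generic webshell markers. The directory layout, the file names and the sample JSP bodies are all assumptions constructed for the demo; point `hunt()` at your own irj application path.

```python
"""Hunt for JSP webshells dropped into an SAP NetWeaver Java instance.

Added example for this briefing, not SAP's tooling or the reporter's code.
Assumption: the irj application layout (servlet_jsp/irj/root and
servlet_jsp/irj/work under the deployed app directory) named in public
write-ups of CVE-2025-31324; pass your own instance path to hunt(), e.g.
/usr/sap/<SID>/J<nn>/j2ee/cluster/apps/sap.com/irj. The markers are
generic JSP-webshell heuristics, not vendor-published IOCs.
"""
from __future__ import annotations

import re
import tempfile
import time
from pathlib import Path

# Strong markers: a JSP that spawns processes or loads classes at runtime.
STRONG = [
    re.compile(rb"Runtime\.getRuntime\(\)\.exec"),
    re.compile(rb"new\s+ProcessBuilder"),
    re.compile(rb"defineClass|URLClassLoader"),
]
# Weak markers: typical of upload/command shells, occasionally legitimate.
WEAK = [
    re.compile(rb"request\.getParameter\("),
    re.compile(rb"FileOutputStream"),
    re.compile(rb"Base64\.getDecoder|BASE64Decoder"),
]
DROP_DIRS = ("servlet_jsp/irj/root", "servlet_jsp/irj/work")


def score(data: bytes) -> tuple[int, list[str]]:
    """Weigh strong markers 2 and weak markers 1; return (score, matches)."""
    total, hits = 0, []
    for weight, patterns in ((2, STRONG), (1, WEAK)):
        for pat in patterns:
            if pat.search(data):
                total += weight
                hits.append(pat.pattern.decode())
    return total, hits


def hunt(irj_app: Path, min_score: int = 2, recent_days: int = 30) -> list[dict]:
    """Report .jsp files under the drop directories whose score reaches min_score.

    The 'recent' flag marks files modified within recent_days: these
    directories should only change when SAP patches are applied, so a new
    JSP there deserves a look even before you read it.
    """
    cutoff = time.time() - recent_days * 86400
    findings = []
    for sub in DROP_DIRS:
        base = irj_app / sub
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*.jsp")):
            total, hits = score(path.read_bytes())
            if total >= min_score:
                findings.append({
                    "file": str(path.relative_to(irj_app)),
                    "score": total,
                    "markers": hits,
                    "recent": path.stat().st_mtime >= cutoff,
                })
    return findings


def demo() -> list[dict]:
    """Build a constructed irj tree in a temp directory and hunt through it."""
    app = Path(tempfile.mkdtemp(prefix="irj-"))
    root = app / "servlet_jsp/irj/root"
    root.mkdir(parents=True)
    # Benign portal page: no markers, must not be reported.
    (root / "index.jsp").write_bytes(
        b'<%@ page language="java" %><html><body>portal</body></html>'
    )
    # Constructed command shell: runs whatever arrives in ?cmd=.
    (root / "helper.jsp").write_bytes(
        b'<%@ page import="java.io.*" %>'
        b'<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); %>'
    )
    # Constructed dropper: decodes ?d= and writes it beside itself.
    (root / "cache.jsp").write_bytes(
        b'<% byte[] b = java.util.Base64.getDecoder().decode(request.getParameter("d"));'
        b' new java.io.FileOutputStream(application.getRealPath("/x.jsp")).write(b); %>'
    )
    return hunt(app)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against every J2EE instance, not just the one that hosts Visual Composer, and treat any hit as a reason to pull the file and the HTTP access logs for the upload that created it; the score is a triage aid, not a verdict.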

SonicWall SMA 100 and SysAid On-Prem pre-auth XXE (CVE-2025-2775 to -2777): The SMA 100 series remains under active exploitation through older flaws that sit on CISA's KEV list, and CVE-2025-2775 to -2777 are pre-authentication XML External Entity (XXE) bugs in SysAid On-Prem that can be chained to remote code execution. Remote work and IT-service infrastructure once seen as a post-COVID enabler is now a double-edged sword. Patch. Monitor. Lock it down. And disable external entity resolution in every XML parser you own.

Play Ransomware via Windows CVE-2025-29824: Another double-extortion campaign. Symantec tied Play (Balloonfly) to a zero-day exploit for the Windows CLFS driver (CVE-2025-29824, patched by Microsoft in April) used for privilege escalation, with initial access most likely through a public-facing Cisco ASA. If you're still running unpatched systems and haven't adopted Zero Trust, you're rolling the dice.

AirPlay "AirBorne" flaws (CVE-2025-24252, -24132): Zero-click RCE against devices sharing a Wi-Fi network with the attacker. CVE-2025-24252 is wormable between Macs that accept AirPlay from anyone on the network; CVE-2025-24132 hits third-party speakers and receivers built on Apple's AirPlay SDK, which will take far longer to patch than iPhones. Apple shipped its fixes in March; the long tail of unpatched accessories is the problem. Airborne threats are real. Segment your networks, turn off the AirPlay receiver where it isn't needed, and assume compromise in public spaces.

Fake WordPress Security Plugin: Wordfence found malware posing as a security plugin that hands attackers persistent admin access and remote code execution, hides itself from the plugin dashboard, and reinstalls itself through a modified wp-cron.php if deleted. Your CMS is part of your supply chain, and it sits inside the perimeter your firewall protects. If you're not vetting every plugin in your stack, someone else is doing it, for malicious reasons.

AI: Our Superpower and Our Risk

AI is the new cyber arms race. And here's what we're seeing:

  • Shadow AI is exploding inside companies. Only 37% of orgs vet AI tools before deployment. If you don't know where your data is going, neither do your compliance auditors.
  • GCHQ warns of digital divides: Nation-state actors are scaling faster than enterprise defenses. Generative AI is now a weaponized phishing tool.
  • Cisco's AI-native security model? It's the blueprint. We need to embed AI into our detection fabric, not bolt it on. The next phase isn't about SIEM—it's about smart SIEM.

Geopolitics: Cyber is Statecraft Now

  • Volt Typhoon and Salt Typhoon are pre-positioning inside U.S. infrastructure. Not for fun. For eventual disruption in a Taiwan scenario. This is digital pre-war posturing.
  • Russia is fragmenting the internet—digital balkanization is here. Your security models must localize or they'll break under regional constraints.
  • EU's privacy coin ban is coming. That'll drive cybercriminals deeper underground and make attribution harder. You need broader blockchain intelligence, not just endpoint visibility.

What I'm Advising My CISO Peers To Do Now

Immediate Actions:

  • Patch like it's your job—because it is. Automate it. Prioritize SAP, SonicWall, and Windows CVEs now.
  • Go Zero Trust. It's not a strategy. It's a survival model.
  • Audit your supply chain. Then audit your audit process.
  • Control AI usage. If employees are feeding IP into ChatGPT or Claude without DLP? You've already lost the battle.
  • Test your IR plan against double-extortion ransomware. Every exec should know the playbook.
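"Prioritize now" needs a rule, not a hunch. As an added example for this briefing (not CISA's or any vendor's tooling), the script below ranks an asset inventory against CISA's Known Exploited Vulnerabilities catalog: anything in KEV jumps the queue, and internet exposure, known ransomware use and a blown BOD 22-01 due date push it further up. The record fields follow the published KEV JSON schema; the catalog excerpt, the host names and the placeholder CVE are constructed for the demo.

```python
"""Rank patch work by cross-referencing an asset inventory with CISA's KEV catalog.

Added example for this briefing, not CISA's or any vendor's tooling. The
record fields used (cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse) follow the published KEV JSON schema; the
catalog excerpt and the inventory below are constructed for the demo.
In production, replace KEV_SAMPLE with the live feed:
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
from __future__ import annotations

import json
from datetime import date

# Constructed excerpt in the KEV feed's shape; check the live feed for dates.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-31324", "vendorProject": "SAP", "product": "NetWeaver",
     "dateAdded": "2025-04-29", "dueDate": "2025-05-20",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-29824", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-04-08", "dueDate": "2025-04-29",
     "knownRansomwareCampaignUse": "Known"},
]})

# Constructed inventory: the CVEs each asset still carries, per your scanner.
# CVE-2025-00001 is a placeholder that is deliberately absent from KEV.
INVENTORY = [
    {"host": "sap-erp-01", "exposure": "internet", "cves": ["CVE-2025-31324"]},
    {"host": "dc-01", "exposure": "internal", "cves": ["CVE-2025-29824"]},
    {"host": "vpn-01", "exposure": "internet", "cves": ["CVE-2025-00001"]},
]

# Weights: anything in KEV starts at BASE; the rest push it up the queue.
BASE, INTERNET, RANSOMWARE, PAST_DUE = 10, 5, 3, 4


def load_kev(raw: str) -> dict[str, dict]:
    """Index the catalog by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def prioritize(inventory: list[dict], kev: dict[str, dict], today: date) -> list[dict]:
    """One row per (host, KEV CVE), highest score first, then earliest due date.

    Findings whose CVE is not in KEV are left out of this queue: they still
    need patching, but not ahead of what is being exploited right now.
    """
    rows = []
    for asset in inventory:
        for cve in asset["cves"]:
            rec = kev.get(cve)
            if rec is None:
                continue
            due = date.fromisoformat(rec["dueDate"])
            score, why = BASE, ["in KEV"]
            if asset["exposure"] == "internet":
                score += INTERNET
                why.append("internet-facing")
            if rec["knownRansomwareCampaignUse"] == "Known":
                score += RANSOMWARE
                why.append("ransomware use known")
            if today > due:
                score += PAST_DUE
                why.append(f"past BOD 22-01 due date {due.isoformat()}")
            rows.append({"host": asset["host"], "cve": cve, "product": rec["product"],
                         "score": score, "due": due.isoformat(), "why": why})
    return sorted(rows, key=lambda r: (-r["score"], r["due"]))


def demo() -> list[dict]:
    """Rank the constructed inventory as of the briefing date."""
    return prioritize(INVENTORY, load_kev(KEV_SAMPLE), date(2025, 5, 12))


if __name__ == "__main__":
    for row in demo():
        print(f'{row["score"]:>3}  {row["host"]:<12} {row["cve"]:<16} {", ".join(row["why"])}')
```

The weights are a starting point to argue about with your risk team, not a standard; what matters is that the argument happens once, in code, instead of in every patch meeting.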

Strategic Moves:

  • Build AI-native SOCs. We're ingesting petabytes of data. AI is the only way to parse that in real time.
  • Factor geopolitics into cyber risk. You don't need to be in the crosshairs to catch the bullet. Prepare your infrastructure like it is the target.
  • Get ahead of compliance. The U.S. Cyber Trust Mark, the EU's anti-money-laundering ban on anonymous crypto wallets and privacy coins: a regulatory tsunami is inbound.
  • Upskill your people. AI security isn't just a buzzword. It's a full-time job now.
  • Engineer for resilience. MVC (Minimum Viable Company) planning isn't optional anymore.

Threat Actor Snapshot

Play Ransomware (Balloonfly): A CLFS zero-day (CVE-2025-29824). Entry via Cisco ASA. Custom tooling. (PipeMagic, the loader Microsoft tied to the same bug, belongs to a different actor, Storm-2460, so don't key your detections on it alone.) You know what to do: patch, detect, isolate.

Chinese State Groups: SAP exploitation. Phishing at LLM scale. They're living off the land inside your routers.

APT28 (Russia): Sophisticated phishing. AI-enhanced social engineering. European institutions are getting hammered.

What's Coming

  • AI-Augmented RaaS is going long-tail. FunkSec and Interlock are next-gen LockBits, but leaner and meaner.
  • Burpference-style AI vuln discovery is democratizing offensive ops. Expect more CMS and IoT attacks—fast and frequent.
  • Nation-state proxies (think hacktivist mercs) are muddying attribution. Don't chase flags. Chase TTPs.
  • Global security frameworks will fracture. Prepare for localized enforcement and infrastructure splintering.

Bottom line:

This isn't business as usual. It's asymmetric warfare at machine speed. And your strategy can't be last quarter's playbook.

CISOs, you have the mandate—and now the data. Get aggressive about defense. Because the adversaries already are.

Let's stay sharp. Let's stay ahead.