
In Other News: Gladinet Flaw Exploitation, Attacks on ICS Honeypot, ClayRat Spyware

Medium
Exploit
Published: Fri Oct 10 2025 (10/10/2025, 14:13:25 UTC)
Source: SecurityWeek

Description

Other noteworthy stories that might have slipped under the radar: US universities targeted by payroll pirates, a Zimbra vulnerability exploited in the wild, and the Mic-E-Mouse attack. Originally published by SecurityWeek.

AI-Powered Analysis

Last updated: 10/10/2025, 14:17:57 UTC

Technical Analysis

This security roundup covers several concurrent threats across different sectors.

Gladinet CentreStack and Triofox. Two vulnerabilities in these file-sharing products are being exploited in the wild. CVE-2025-30406 is a hardcoded ASP.NET machineKey: because the key is known to attackers, they can forge a validly signed ViewState payload and obtain remote code execution through deserialization. CVE-2025-11371 is an unauthenticated local file inclusion flaw that lets an attacker read arbitrary files from the server; reading the application's configuration exposes the machine key, which re-opens the ViewState deserialization path even on installations already patched for the earlier bug. Gladinet fixed CVE-2025-30406 earlier in 2025; for CVE-2025-11371 it had, at the time of the report, only a workaround while a patch was being developed.

ICS honeypots. Honeypots mimicking water treatment plants were targeted by the Russia-linked group TwoNet and by Iranian actors, who attempted to deface HMIs and disrupt the simulated process. The activity shows continuing hostile interest in critical infrastructure, even where the target turns out to be a decoy.

ClayRat spyware. This Android spyware targets mostly Russian users and is distributed through Telegram channels and phishing sites posing as popular apps. Once installed it exfiltrates SMS messages, notifications and call logs, and can remotely control device functions.

Other items. Payroll-diversion fraud against US universities relied on social engineering of staff at institutions that had not enforced MFA; a Zimbra cross-site scripting vulnerability (CVE-2025-27915) was exploited to compromise Brazilian military email accounts; and a critical vulnerability (CVE-2025-5947) in a WordPress plugin installed on roughly 6,000 sites is under active exploitation.

Together these incidents span cloud file sharing, industrial environments, mobile platforms and web applications, and they mix technical exploitation with social engineering, which argues for layered defenses. Where no CVSS score has been published, severity has to be judged from impact and ease of exploitation. The combined picture is one of risk to confidentiality, integrity and availability across multiple sectors and geographies.

Potential Impact

European organizations face multifaceted risks from these threats. Enterprises using Gladinet CentreStack or Triofox for secure file sharing may suffer unauthorized data access, credential compromise, or lateral movement within networks, potentially leading to data breaches or ransomware. Industrial operators in Europe with ICS/OT environments similar to the targeted honeypots risk operational disruption, safety hazards, and reputational damage if adversaries succeed in manipulating control systems. The ClayRat spyware threat, while primarily targeting Russia, signals the potential for mobile espionage campaigns that could expand geographically, threatening sensitive communications and privacy of European users. The payroll fraud tactics highlight the ongoing risk of social engineering attacks exploiting weak authentication, which could affect HR and finance departments across Europe. Exploitation of web application vulnerabilities like the WordPress plugin flaw could lead to website defacements, data theft, or malware distribution, impacting European businesses relying on these platforms. Overall, these threats could result in financial losses, regulatory penalties under GDPR, operational downtime, and erosion of stakeholder trust. The geopolitical context, especially concerning Russian-linked ICS attacks and spyware, increases the risk for European critical infrastructure and government entities.

Mitigation Recommendations

European organizations should implement the following specific measures:

1) Gladinet products: apply the patch for CVE-2025-30406 if it is still outstanding and the vendor workaround for CVE-2025-11371, then monitor for the fix. Because the file-read flaw can expose the machine key, rotate the machineKey after remediating and treat any prior exposure as a compromise of that key. Restrict network access to management interfaces and review web server logs for file-read and path-traversal attempts.

2) ICS operators: enhance network segmentation, deploy anomaly detection tailored to OT protocols and traffic, and run regular security assessments and incident response drills built around ICS scenarios.

3) Mobile devices: use mobile device management (MDM) to block installation of apps from unofficial sources such as Telegram channels, and deploy mobile endpoint detection and response to catch spyware behaviour such as SMS interception and default SMS-handler changes.

4) Authentication: enforce multi-factor authentication on all critical systems, particularly HR and payroll platforms, to blunt the social engineering behind payroll diversion.

5) Web administrators: promptly patch vulnerable plugins such as Service Finder Bookings and use web application firewalls (WAFs) to block exploitation attempts while updates are rolled out.

6) Awareness: run targeted training on phishing and social engineering, emphasising payroll fraud and the distribution channels used for spyware.

7) Threat intelligence: monitor feeds for indicators tied to TwoNet and other ICS-focused actors to defend critical infrastructure proactively.

8) Incident response: maintain plans that include coordination with law enforcement and information sharing with sector-specific ISACs.
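The log review in item 1 can be partly automated. The following Python is an added, generic example for this roundup, not code from SecurityWeek, Gladinet or any vendor: it scans IIS-style W3C access logs for path-traversal sequences (including double-encoded and backslash variants) and requests that name well-known sensitive files, the kind of requests an unauthenticated file-read bug invites. The endpoint paths and log lines are constructed, and the patterns are generic traversal indicators rather than a signature for CVE-2025-11371; exploitation of the Gladinet flaw may not look like this.

```python
"""Flag path-traversal / local-file-inclusion attempts in IIS W3C access logs.

Added example for this roundup; it is not code from SecurityWeek, Gladinet or
any vendor. Endpoint paths and log lines are constructed, and the patterns are
generic traversal indicators, not a signature for any specific CVE.
"""
import re
from collections import Counter
from urllib.parse import unquote

# After normalisation every backslash becomes '/', so one pattern covers '..\'.
TRAVERSAL = re.compile(r"\.\./")
# Files an LFI is typically pointed at (Windows and Unix); extend per platform.
SENSITIVE = re.compile(r"web\.config|machine\.config|/etc/passwd|win\.ini", re.I)


def normalize(uri: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (double encoding is a common filter bypass),
    then fold backslashes into forward slashes."""
    prev = None
    for _ in range(rounds):
        if uri == prev:
            break
        prev = uri
        uri = unquote(uri)
    return uri.replace("\\", "/")


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_lfi_attempts(lines):
    """Return a list of suspicious requests with the reasons they were flagged."""
    hits = []
    for rec in parse_w3c(lines):
        query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
        target = normalize(rec["cs-uri-stem"] + ("?" + query if query else ""))
        reasons = []
        if TRAVERSAL.search(target):
            reasons.append("traversal")
        if SENSITIVE.search(target):
            reasons.append("sensitive-file")
        if reasons:
            hits.append({"client": rec["c-ip"], "status": rec["sc-status"],
                         "uri": target, "reasons": reasons})
    return hits


def by_client(hits):
    """Count flagged requests per source address to spot scanning hosts."""
    return Counter(h["client"] for h in hits)


# Constructed sample log (IIS W3C format); the endpoints are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2025-10-10 12:00:01 203.0.113.5 GET /portal/login.aspx - 200 Mozilla/5.0
2025-10-10 12:00:07 198.51.100.9 GET /storage/fetch s=..%2F..%2F..%2Fweb.config 200 python-requests/2.32
2025-10-10 12:00:09 198.51.100.9 GET /storage/fetch s=%252e%252e%252f%252e%252e%252fwin.ini 200 python-requests/2.32
2025-10-10 12:00:15 192.0.2.77 GET /files/report.pdf - 200 Mozilla/5.0
2025-10-10 12:00:20 198.51.100.9 GET /app/view f=....//....//boot.ini 404 curl/8.0
"""

if __name__ == "__main__":
    found = find_lfi_attempts(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["status"], h["client"], h["uri"], ",".join(h["reasons"]))
    print(by_client(found))
```

Triage flagged requests that returned 200 first: a traversal request answered with a 2xx status is the one most likely to have succeeded, while 404s still show which hosts are probing. The same normalised patterns can seed the WAF rules mentioned in item 5, but tune them against the application's legitimate traffic, since some applications carry ".." in parameters for benign reasons.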


Technical Details

Article Source: https://www.securityweek.com/in-other-news-gladinet-flaw-exploitation-attacks-on-ics-honeypot-clayrat-spyware/ (fetched 2025-10-10T14:17:36Z, 1499 words)

Threat ID: 68e915809497c34e0b75da4b

Added to database: 10/10/2025, 2:17:36 PM

Last enriched: 10/10/2025, 2:17:57 PM

Last updated: 10/11/2025, 10:50:10 AM


