Summary: Today, Broadcom released a security advisory for five vulnerabilities, the most severe being CVE-2025-22218 in VMWare Aria Operations, can result in an escalation of privileges to the admin user account via cross-site scripting.
The following posts are useful for general awareness of current cyber threats, vulnerabilities, guidance, and other cyber-related news or updates. These resources have been curated by the WaterISAC analyst team as items of broad relevance and benefit that do not need supplemental analysis at this time.
Critical Infrastructure Resilience
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS security advisories, along with additional alerts, updates, and bulletins:
ICS Advisories:
During the House Committee Hearing held yesterday, four witnesses addressed the escalating threats posed by nation-state actors, particularly from the People’s Republic of China (PRC). They highlighted the increased sophistication and operational capabilities of these threat actors and noted a rise in cyber intrusions targeting U.S. critical infrastructure. Witnesses also cited recent incidents at water utilities.
Cybersecurity firm Tenable recently released an analysis of People’s Republic of China’s (PRC)-affiliated threat actor Salt Typhoon and examines the vulnerabilities and tactics employed by the group. Salt Typhoon has infiltrated at least nine U.S.-based telecommunications companies and has utilized various tactics, primarily exploiting vulnerabilities, to gain access.
Yesterday, CISA and the FBI released a joint advisory that included technical details of at least two exploit chains used by threat actors to break into Ivanti Cloud Service Appliances (CSA). The advisory comes in response to active exploitation in Ivanti CSA of the following vulnerabilities:
The following posts are useful for general awareness of current cyber threats, vulnerabilities, guidance, and other cyber-related news or updates. These resources have been curated by the WaterISAC analyst team as items of broad relevance and benefit that do not need supplemental analysis at this time.
Critical Infrastructure Resilience
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS security advisories, along with additional alerts, updates, and bulletins:
ICS Advisories:
The following posts are useful for general awareness of current cyber threats, vulnerabilities, guidance, and other cyber-related news or updates. These resources have been curated by the WaterISAC analyst team as items of broad relevance and benefit that do not need supplemental analysis at this time.
Critical Infrastructure Resilience
Last week, CISA released an update to the joint guidance “Product Security Bad Practices,” originally released in October last year. This guidance gives an overview of exceptionally risky product security practices for software manufacturers who produce software in support of critical infrastructure or national critical functions.
The bad practices are divided into three categories:
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
