Cybersecurity Under Scrutiny: CVE Funding Woes, Discord Exploits, Data Breaches, and Evolving Threats
The digital realm is a constant battleground, where defenders work tirelessly to protect systems and data from an ever-evolving array of threats. Recent developments highlight the multifaceted nature of these challenges, ranging from the foundational infrastructure of vulnerability management to novel attack vectors targeting popular platforms and sophisticated obfuscation techniques used by malicious actors. This report delves into several key areas demanding attention from security professionals, policymakers, and the public alike.
The Uncertain Future of the CVE Program and Calls for Audit
At the heart of global vulnerability management lies the Common Vulnerabilities and Exposures (CVE) program, operated by MITRE with sponsorship from CISA. It assigns a single, standardized identifier to each publicly known vulnerability, so that vendors, scanners, advisories and defenders worldwide are all referring to the same flaw when they track and mitigate it. Coupled with NIST's National Vulnerability Database (NVD), which enriches CVE records with descriptions, CVSS severity scores and affected-product data, it forms a critical pillar of modern vulnerability management.
However, the stability of this essential program has recently come under question. Federal funding for MITRE's operation of the CVE program was set to lapse in April 2025, creating significant uncertainty about its long-term sustainability. CISA extended the contract for an additional eleven months shortly before the deadline, but this temporary reprieve does little to settle where funding will come from once that extension runs out.
The potential disruption to the flow of vulnerability data is a grave concern. Governments, businesses, and security researchers globally rely heavily on the timely and accurate information provided by the CVE and NVD programs to understand the threats they face and implement necessary defenses. A breakdown in this system could leave countless entities vulnerable to exploitation by malicious actors who are constantly scanning for newly disclosed weaknesses.
In response to this precarious situation, a pair of influential Congressional Democrats have formally requested a review of the CVE program. Ranking House Homeland Security committee member Bennie Thompson (D-MS) and ranking House Science, Space and Tech committee member Zoe Lofgren (D-CA) have called upon the Government Accountability Office (GAO) to investigate the management and effectiveness of the programs supporting NVD and CVE. Their letter to Comptroller General Eugene Dodaro underscores the critical reliance of both public and private sectors on these databases for mitigating vulnerabilities and executing broader cybersecurity strategies.
The lawmakers' request highlights the interconnectedness of these programs and the various government agencies involved. They specifically asked the GAO to examine:
- Programs managed by the National Institute of Standards and Technology (NIST) that support vulnerability management data, including the NVD.
- The CVE program itself, assessing its operational efficiency and effectiveness.
- The role of the Department of Homeland Security (DHS), CISA's parent agency, in supporting the CVE initiative.
- The extent to which public and private sector entities depend on the data and services provided by NVD and CVEs.
This demand for an audit comes amidst a broader context of proposed budget cuts and leadership changes at CISA. The current administration has proposed substantial reductions to CISA's budget for the 2026 fiscal year. While House Republicans ultimately approved a smaller reduction ($135 million) than the initial proposal ($495 million), Democrats argue that even this reduced cut is too significant for an agency deemed vital to national security. These budgetary pressures, coupled with recent layoffs and the departure of several senior leaders from CISA, paint a picture of an agency facing significant operational challenges, further amplifying concerns about its ability to support critical functions like the CVE program.
The outcome of the GAO audit and future funding decisions will have far-reaching implications for the global cybersecurity posture. Ensuring the continued, robust operation of the CVE and NVD programs is paramount to enabling effective defense against the myriad threats organizations face daily.
Critical Vulnerabilities and Exploits in the Wild
Beyond the foundational infrastructure, the cybersecurity landscape is defined by the constant discovery and exploitation of vulnerabilities in widely used software and platforms. While numerous flaws are identified weekly, some stand out due to their severity and potential for widespread impact.
Roundcube Cross-Site Scripting Vulnerability (CVE-2024-42009)
One such critical vulnerability recently highlighted affects the open-source webmail platform Roundcube. Identified as CVE-2024-42009, the flaw is a cross-site scripting (XSS) bug: during post-processing of an HTML message body, content that the sanitizer had already neutralised can be "desanitized" back into live markup. An attacker who sends a specially crafted email therefore gets arbitrary JavaScript executed in the victim's browser, in the context of the victim's webmail session, as soon as the message is opened.
The consequences of exploiting this vulnerability are significant. A remote attacker who successfully leverages this flaw can potentially steal session cookies, hijack user accounts, and even send emails from the victim's account without their knowledge. Worryingly, reports indicate that this vulnerability is already being actively exploited in the wild, making patching an urgent priority for Roundcube users.
The vulnerability affects Roundcube 1.5.7 and earlier, as well as 1.6.x up to and including 1.6.7; it is fixed in 1.5.8 and 1.6.8. Users are strongly advised to update to one of those releases immediately to mitigate the risk of compromise. This incident serves as a stark reminder that a sanitization flaw that looks minor on paper becomes critical when it sits in a widely deployed application that renders untrusted input from anyone on the internet.
Discord Invite Link Hijacking for Malware Delivery
Popular communication platforms, due to their large user bases, often become targets for malicious campaigns. Discord, a widely used chat application, has recently been identified as a vector for malware delivery through the exploitation of its invite link functionality.
Security researchers at Check Point Research published findings detailing how scammers are abusing a flaw related to Discord invite links. These links are typically generated to allow users to invite others to join specific servers or chat groups and are often set to expire after a certain period or number of uses.
Check Point found that invite codes can be repurposed after they expire or are deleted. Discord lets servers that have been boosted to a high enough level set a custom "vanity" invite URL, and an attacker running such a server can register a previously valid code as that server's vanity link. The original link, still circulating in forum posts, documentation and old messages, then silently resolves to the attacker's server instead of the community it once pointed to.
Instead of landing in a legitimate chat group, victims are sent to sites designed to deliver malware. Researchers have observed campaigns using this technique to distribute remote access trojans (RATs) and crypto-stealing malware, allowing attackers to gain unauthorized access to victims' computers and steal sensitive information or digital assets.
This exploitation highlights a subtle but dangerous vulnerability in the platform's link management. Check Point advises Discord administrators to use invite links set to *never* expire as a safer alternative, as these are reportedly much harder for attackers to hijack. This incident underscores the need for users to exercise caution even when clicking on links from seemingly trusted sources and for platform providers to rigorously review the security implications of features like link expiration and reuse.
Data Breaches and Delayed Disclosures
Data breaches remain a persistent threat, exposing sensitive personal and financial information and causing significant harm to individuals and organizations. While the breaches themselves are concerning, the timeline and transparency of disclosure are equally critical aspects of the incident response process.
McLean Mortgage Company Data Breach Notification Delay
A recent incident involving Virginia-based McLean Mortgage Company has drawn attention to the issue of delayed data breach notifications. The company recently informed more than 30,000 customers that their data had been stolen in an incident it discovered in October 2024, roughly eight months earlier.
McLean Mortgage Company began sending notification letters to affected customers this week. According to the letters, the company became aware of the breach in October 2024 but chose not to inform customers at the time, deciding instead to wait until it had completed a full review and investigation of the incident. That review reportedly concluded in mid-May, and the letters went out about eight months after the initial discovery.
The sample breach notification letter provided limited details about the cause of the breach, stating only that "an unauthorized actor gained access" to the company's network and "may have downloaded certain files." The subsequent review determined that the stolen data potentially included highly sensitive information such as full names, Social Security numbers, driver's license numbers, and financial account information.
While McLean's lawyers stated that the company "worked diligently to effectuate notification to potentially affected individuals," the significant delay between discovery and notification raises serious questions about transparency and regulatory compliance. Many jurisdictions have specific timelines within which companies must notify affected individuals and relevant authorities after discovering a data breach, particularly when sensitive personal information is involved.
Delayed notifications can exacerbate the harm to victims, preventing them from taking timely steps to protect themselves from identity theft, financial fraud, or other forms of misuse of their compromised data. McLean Mortgage Company has offered credit-monitoring services to the affected customers, a standard practice following such incidents, but this does not negate the risks individuals faced during the extended period they were unaware of the breach.
This case serves as a reminder of the importance of prompt and transparent communication following a data breach. While investigations are necessary to understand the scope and impact of an incident, excessive delays in notifying affected parties can erode trust and potentially violate legal obligations.

Evolving Attack Techniques and Tool Misuse
The tools and techniques used by malicious actors are constantly evolving. Attackers often repurpose legitimate tools or develop novel methods to evade detection and achieve their objectives. Recent observations highlight the misuse of pentesting tools and the application of sophisticated obfuscation techniques.
Malicious Use of TeamFiltration Pentesting Tool
Penetration testing tools are designed to help security professionals identify weaknesses in systems and networks by simulating attacks. However, these powerful tools can also be turned against legitimate targets by malicious actors. Researchers at Proofpoint have spotted a campaign where the TeamFiltration pentesting tool is being used for malicious purposes.
TeamFiltration is a framework for testing the security of Microsoft Entra ID (formerly Azure Active Directory) tenants. It can enumerate valid usernames, password-spray (try a few common passwords against many accounts, paced to stay under lockout thresholds), and, once it holds a working credential, exfiltrate mailbox and file data and plant persistence. Proofpoint researchers observed an unknown threat actor group, dubbed "UNK_SneakyStrike," leveraging TeamFiltration to launch attacks against Entra ID accounts.
The campaign targeted approximately 80,000 accounts across hundreds of organizations, primarily in the US, but also including targets in Ireland and the UK. The attackers utilized the Microsoft Teams API and AWS servers as part of their infrastructure to conduct these attacks. While Proofpoint could not confirm the exact success rate, they believe some attacks were likely successful.
TeamFiltration has been publicly available to penetration testers since 2021. However, Proofpoint's findings indicate that this is the first observed instance of the tool being used maliciously in a widespread campaign. This trend of attackers adopting advanced intrusion tools and platforms is concerning, as it suggests a shift away from less effective, more easily detectable methods.
The malicious use of legitimate tools underscores the importance of not only securing systems against known exploits but also monitoring for the activity such tools generate. Organizations using Entra ID should review sign-in logs for the fingerprints of spraying and enumeration: bursts of failed authentications spread across many accounts from a single source address or cloud-provider range, a high rate of "user does not exist" errors, and the occasional password success or MFA prompt in the middle of such a burst, which marks an account whose password has just been guessed.
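As an added illustration of that log review (example code written for this article, not Proofpoint's detection logic and nothing taken from TeamFiltration), the following Node.js snippet runs a password-spray heuristic over constructed Entra ID sign-in records. The record shape follows the exported sign-in log fields (`userPrincipalName`, `ipAddress`, `createdDateTime`, `status.errorCode`); the sample events, the one-hour window and the eight-account threshold are assumptions for the example, while the result codes are the documented AADSTS values for a wrong password (50126), a non-existent user (50034) and an MFA challenge after a correct password (50076).

```javascript
// Added example (not Proofpoint's detection logic, not TeamFiltration code): a password-spray
// heuristic over Entra ID sign-in records. The records and thresholds are constructed/assumed.

// Documented Entra ID (AADSTS) sign-in result codes that matter for a spray.
const WRONG_PASSWORD = 50126; // invalid username or password
const USER_NOT_FOUND = 50034; // account does not exist in the tenant: enumeration signal
const MFA_REQUIRED   = 50076; // password was correct and an MFA challenge was issued: a successful guess
const SUCCESS        = 0;

// Constructed sample: one source address tries one password against ten accounts in 20 minutes.
const sprayTargets = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"];
const signIns = sprayTargets.map((name, i) => ({
  userPrincipalName: `${name}@example.com`,
  ipAddress: "203.0.113.7",
  createdDateTime: new Date(Date.UTC(2025, 5, 10, 1, 2 * i)).toISOString(),
  status: { errorCode: name === "carol" ? MFA_REQUIRED : name === "ivan" ? USER_NOT_FOUND : WRONG_PASSWORD },
}));
// A real user mistyping a password once from the office must not trip the detector.
signIns.push(
  { userPrincipalName: "bob@example.com", ipAddress: "198.51.100.20", createdDateTime: "2025-06-10T01:05:00Z", status: { errorCode: WRONG_PASSWORD } },
  { userPrincipalName: "bob@example.com", ipAddress: "198.51.100.20", createdDateTime: "2025-06-10T01:06:00Z", status: { errorCode: SUCCESS } },
);

// Summarise one window of events from a single source address.
function summarize(ip, win, users) {
  const codes = win.map((e) => e.status.errorCode);
  return {
    ip,
    from: win[0].createdDateTime,
    to: win[win.length - 1].createdDateTime,
    distinctUsers: users.size,
    wrongPassword: codes.filter((c) => c === WRONG_PASSWORD).length,
    unknownUsers: codes.filter((c) => c === USER_NOT_FOUND).length, // many of these = enumeration
    hits: win.filter((e) => e.status.errorCode === MFA_REQUIRED || e.status.errorCode === SUCCESS)
             .map((e) => e.userPrincipalName),
  };
}

// Slide a time window over each source address's sign-ins and flag the densest window in which
// non-successful attempts touch at least minUsers distinct accounts. Tune both values per tenant.
function detectSprays(records, { windowMs = 60 * 60 * 1000, minUsers = 8 } = {}) {
  const bySource = new Map();
  for (const r of records) {
    if (!bySource.has(r.ipAddress)) bySource.set(r.ipAddress, []);
    bySource.get(r.ipAddress).push({ ...r, t: Date.parse(r.createdDateTime) });
  }
  const alerts = [];
  for (const [ip, events] of bySource) {
    events.sort((a, b) => a.t - b.t);
    let best = null;
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      while (events[end].t - events[start].t > windowMs) start++;
      const win = events.slice(start, end + 1);
      const users = new Set(win.filter((e) => e.status.errorCode !== SUCCESS).map((e) => e.userPrincipalName));
      if (users.size >= minUsers && (best === null || users.size > best.distinctUsers)) {
        best = summarize(ip, win, users);
      }
    }
    if (best) alerts.push(best);
  }
  return alerts;
}

console.log(JSON.stringify(detectSprays(signIns), null, 2));
```

On the constructed data this yields a single alert for 203.0.113.7 covering ten accounts, with eight wrong-password results, one non-existent user and `carol@example.com` listed as a hit; the office address with one mistyped password produces nothing. In a real tenant the same logic runs over the exported `SignInLogs` table, and the `hits` list is the first thing to act on, since those accounts' passwords are now known to the attacker.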
JSF*ck Obfuscation Used for Malicious JavaScript Injection
Website injection attacks, where malicious code is inserted into legitimate websites, are a common threat. Attackers constantly seek new ways to hide their code and evade detection by security tools and human analysts. Palo Alto Networks researchers have discovered a campaign employing a particularly clever and difficult-to-spot obfuscation technique.
The campaign involves injecting malicious JavaScript code into hundreds of thousands of webpages – Palo Alto Networks identified at least 269,552 affected pages. What makes this campaign noteworthy is the method used to obfuscate the injected code. The attackers are using a technique known as JSF*ck.
JSF*ck (usually written JSFuck) is an esoteric coding style in which JavaScript is written using only six characters: `[`, `]`, `(`, `)`, `!` and `+`. Devised as a curiosity, it exploits JavaScript's loose type-coercion rules, and any valid program can be rewritten in those six characters. For example, `+[]` evaluates to the number 0 (unary plus on an empty array), `+!+[]` to 1 (negate 0 to `true`, then coerce to a number), `![]+[]` to the string `"false"` and `[][[]]+[]` to `"undefined"`. Individual characters are then picked out of such strings by index, concatenated into arbitrary strings, and finally handed to the `Function` constructor (reachable as `[]["filter"]["constructor"]`) to execute.
The resulting code is extremely difficult to read and understand for humans and can sometimes evade signature-based detection systems that look for common malicious patterns. Palo Alto Networks noted that this obfuscation makes the injected code appear innocuous at first glance, lacking typical variable or function names associated with malicious scripts.
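To make the encoding concrete, here is an added example (not Unit 42's code and not taken from the injected scripts; the helpers `num`, `learn`, `encode`, `encodeProgram` and `looksLikeJsfuck` are this example's own names): a minimal JSFuck-style encoder built from the coercion primitives above, followed by the crude scanner check that this obfuscation invites. It assumes a modern engine in which `String([].filter)` is `function filter() { [native code] }`, the ECMAScript-mandated form, because that string supplies the characters (`c`, `o`, space) that `false`, `true`, `undefined` and `NaN` lack.

```javascript
// Added example: a minimal JSFuck-style encoder and a scanner heuristic.
// Not code from Unit 42 or from the injected scripts; helper names are this example's own.

// A non-negative integer as a JSFuck expression: 0 = +[], 1 = +!+[], n>=2 = true+true+... (n terms).
function num(n) {
  if (n === 0) return "+[]";
  if (n === 1) return "+!+[]";
  return Array(n).fill("!+[]").join("+");
}

// Strings that fall out of type coercion alone, paired with the expression that produces them.
const SOURCES = [
  ["false", "![]+[]"],        // !true + "" -> "false"
  ["true", "!![]+[]"],
  ["undefined", "[][[]]+[]"], // [][""] is undefined
  ["NaN", "+[![]]+[]"],       // Number("false") is NaN
];

// Map from a character to an expression yielding it: "(source)[index]" reads one character.
const charMap = new Map();
function learn(str, expr) {
  for (let i = 0; i < str.length; i++) {
    if (!charMap.has(str[i])) charMap.set(str[i], "(" + expr + ")[" + num(i) + "]");
  }
}
for (const [s, e] of SOURCES) learn(s, e);
for (let d = 0; d <= 9; d++) learn(String(d), num(d) + "+[]"); // number + [] -> its decimal string

// Encode an arbitrary string as a concatenation of single-character expressions.
function encode(str) {
  if (str === "") return "[]+[]";
  return [...str].map((ch) => {
    const e = charMap.get(ch);
    if (!e) throw new Error("no primitive yet for " + JSON.stringify(ch));
    return e;
  }).join("+");
}

// Array.prototype.filter is reachable as []["filter"]; coercing it to a string gives
// "function filter() { [native code] }" (assumed ECMAScript NativeFunction form), which
// adds c, o, space, parentheses, braces and brackets to the alphabet.
learn(String([].filter), "[][" + encode("filter") + "]+[]");

// []["filter"]["constructor"] is Function: feed it an encoded body and call the result.
function encodeProgram(body) {
  return "[][" + encode("filter") + "][" + encode("constructor") + "](" + encode(body) + ")()";
}

// Scanner heuristic: a script that is long and made only of the six characters (whitespace
// aside) is almost certainly JSFuck; ordinary code never looks like this.
const JSFUCK_ALPHABET = /^[\[\]()!+]+$/;
function looksLikeJsfuck(script, minLength = 64) {
  const body = script.replace(/\s+/g, "");
  return body.length >= minLength && JSFUCK_ALPHABET.test(body);
}

const program = encodeProgram("return 5");
console.log(program.length, "characters, all from []()!+:", JSFUCK_ALPHABET.test(program));
console.log(eval(program));               // 5
console.log(looksLikeJsfuck(program));    // true
console.log(looksLikeJsfuck("alert(1)")); // false
```

The encoder is deliberately naive (the real JSFuck library finds shorter forms and handles every character), but it shows why the injected pages look so strange: `return 5` becomes several hundred characters of brackets and pluses, yet evaluates to exactly what the attacker wrote. The `looksLikeJsfuck` check is the cheap first-pass filter a crawler or integrity monitor can apply before spending effort on dynamic analysis.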
The researchers found thousands of websites infected with this type of obfuscated JavaScript. While the specific payload or objective of all these injections wasn't detailed in the brief, such techniques are commonly used for redirecting users to malicious sites, delivering malware, stealing credentials, or displaying unwanted advertisements.
The standard defenses against website injection still apply, but with caveats. A content security policy that only permits nonce- or hash-tagged scripts blocks injected inline code regardless of how it is obfuscated, whereas a permissive CSP that allows inline scripts does nothing here. File- and page-integrity monitoring catches the modification itself, since the attacker has to write the script into the page or a served asset. A web application firewall helps only at the point of injection (the exploit or stolen credential used to modify the site), not in spotting the payload afterwards. Conversely, the obfuscation cuts both ways for detection: no legitimate script consists solely of `[]()!+`, so a scanner can flag such blocks outright, and their actual behaviour is then best recovered by executing them in a sandbox rather than by reading them.
This campaign serves as a powerful illustration of the lengths to which attackers will go to hide their tracks and the importance of layered security defenses and advanced detection capabilities in combating web-based threats.

Conclusion: A Dynamic and Challenging Landscape
The cybersecurity landscape remains incredibly dynamic and challenging. The issues highlighted in this report – from the potential instability of critical public infrastructure like the CVE program to the exploitation of popular platforms like Discord, the ongoing problem of data breaches and their handling, and the continuous evolution of attacker tools and techniques – underscore the need for constant vigilance and adaptation.
Ensuring adequate funding and oversight for foundational resources like the CVE and NVD is essential for the entire security ecosystem. Simultaneously, organizations and individuals must stay informed about emerging threats targeting specific applications and platforms they use daily. The delayed notification of the McLean Mortgage breach serves as a reminder of the human impact of security incidents and the importance of timely and transparent communication.
Finally, the malicious use of pentesting tools and sophisticated obfuscation techniques like JSF*ck demonstrate that defenders must look beyond traditional signatures and employ behavioral analysis and advanced threat intelligence to detect and counter modern attacks. As attackers become more creative and resourceful, the cybersecurity community must continue to collaborate, share information, and innovate to stay ahead in this perpetual digital arms race.
Addressing these challenges requires a multi-pronged approach involving government support, industry collaboration, technological innovation, and user education. Only through concerted effort can we hope to build a more resilient and secure digital future.