CISA extends MITRE’s funding period to prevent lapse in CVE program.

By the CyberWire staff
At a glance.
- CISA extends MITRE’s funding period to prevent lapse in CVE program.
- Maximum-severity RCE flaw affects Erlang’s SSH implementation.
- Major banks limit information sharing following breach of Treasury Department’s OCC.
- Apple patches two zero-days.
- US Justice Department restricts bulk data sharing with certain countries.
- Parent company of major US supermarket chains confirms data breach.
- 4chan goes offline following alleged hack.
CISA extends MITRE’s funding period to prevent lapse in CVE program.
The US Cybersecurity and Infrastructure Security Agency (CISA) has extended its contract with MITRE to ensure the continuity of the nonprofit’s Common Vulnerabilities and Exposures (CVE) program, BleepingComputer reports.
The MITRE Corporation had announced this week that the US government decided not to renew its contract with the nonprofit, leaving the future of its CVE program uncertain. MITRE’s vice president Yosry Barsoum said in a letter to CVE program board members that a lapse would cause “multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”
A CISA spokesperson told BleepingComputer on Wednesday, “The CVE Program is invaluable to [the] cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners’ and stakeholders’ patience.”
Maximum-severity RCE flaw affects Erlang’s SSH implementation.
A patch has been issued for a maximum-severity vulnerability (CVE-2025-32433, CVSS 10.0) in the SSH server that ships with Erlang/OTP. The flaw lets an unauthenticated attacker reach code execution by sending SSH connection-protocol messages before authentication has completed, and it affects any host that runs the Erlang/OTP ssh application as a server (hosts that merely have Erlang installed, but run no SSH daemon from it, are not exposed). BleepingComputer notes that Erlang is common in telecom infrastructure and other high-availability systems because of its fault tolerance and concurrency, which is where such daemons are most likely to be found.
The researchers who discovered the flaw explain, “The vulnerability allows an attacker to execute arbitrary code in the context of the SSH daemon. If your SSH daemon is running as root, the attacker has full access to your device. Consequently, this vulnerability may lead to full compromise of hosts, allowing for unauthorized access to and manipulation of sensitive data by third parties, or denial-of-service attacks.”
Users are urged to update to a patched release of Erlang/OTP as soon as possible: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20, or anything newer on those lines. If a patch can't be applied immediately, firewall rules that restrict which addresses can reach the affected SSH listeners provide a temporary mitigation, as does stopping the Erlang SSH daemon where it is not actually needed.
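An inventory check a practitioner would want alongside the advice above: Erlang's SSH daemon, unless an operator has overridden its `id_string` option, identifies itself with a banner of the form `SSH-2.0-Erlang/<ssh application version>`, so a banner grab is enough to find Erlang listeners on a network and to read off which ssh application version they run. The following Python is an added example, not code from the article or from the Erlang/OTP project. The patched ssh application versions it compares against (5.2.10, 5.1.4.6 and 4.15.3.13) are my reading of the release notes for the three patched OTP releases and are an assumption to confirm against the official advisory; the sample banners at the bottom are constructed.

```python
"""Classify SSH banners to locate Erlang/OTP SSH daemons and flag unpatched ones.

Assumptions (verify before relying on them):
  * the daemon uses Erlang's default id_string, "Erlang/" + ssh app version;
  * FIXED_SSH_APP_VERSIONS lists the first patched ssh application version on
    each maintained OTP line (OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20).
"""
import re
import socket

# First patched ssh application version per OTP line (assumed mapping, see above).
FIXED_SSH_APP_VERSIONS = sorted([
    (5, 2, 10),      # OTP 27 line
    (5, 1, 4, 6),    # OTP 26 line
    (4, 15, 3, 13),  # OTP 25 line
])

# Erlang's default identification string: "SSH-2.0-Erlang/5.2.9"
BANNER_RE = re.compile(r"^SSH-2\.0-Erlang/(\d+(?:\.\d+)*)")


def parse_erlang_banner(banner: str):
    """Return the advertised ssh application version as a tuple of ints,
    or None when the banner is not Erlang's default id string."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def classify(version):
    """Map a parsed version to 'not-erlang', 'vulnerable', 'fixed' or 'unknown'."""
    if version is None:
        return "not-erlang"
    if version < (4, 15):
        # OTP 24 and earlier: no patched release exists on those lines.
        return "vulnerable"
    for fixed in FIXED_SSH_APP_VERSIONS:
        if version[:2] == fixed[:2]:           # same major.minor line
            return "fixed" if version >= fixed else "vulnerable"
    if version > FIXED_SSH_APP_VERSIONS[-1]:
        # A newer line than the table knows about; do not guess.
        return "unknown"
    # e.g. a 5.0.x build that sits between patched lines: assumed unpatched.
    return "vulnerable"


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the server identification line (skipping any pre-banner text)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        while len(data) < 4096:
            chunk = sock.recv(512)
            if not chunk:
                break
            data += chunk
            if b"\n" in data:
                # RFC 4253 allows lines before the "SSH-" line; stop once we have it.
                lines = data.decode("ascii", "replace").splitlines()
                for line in lines:
                    if line.startswith("SSH-"):
                        return line
    return ""


def assess_host(host: str, port: int = 22) -> dict:
    """Banner-grab one host and return its classification."""
    banner = grab_banner(host, port)
    version = parse_erlang_banner(banner)
    return {"host": host, "port": port, "banner": banner,
            "version": version, "status": classify(version)}


if __name__ == "__main__":
    # Constructed sample banners, used instead of a live scan for the demo.
    samples = [
        "SSH-2.0-Erlang/5.2.9\r\n",
        "SSH-2.0-Erlang/5.2.10\r\n",
        "SSH-2.0-Erlang/4.13.2\r\n",
        "SSH-2.0-OpenSSH_9.6\r\n",
    ]
    for banner in samples:
        version = parse_erlang_banner(banner)
        print(f"{banner.strip():30} -> {classify(version)}")
```

Run `assess_host()` against each address on an inventory list to find listeners to patch or to put behind the firewall rules mentioned above. A banner that does not say `Erlang/` is not proof of safety: operators can set a custom `id_string`, so an authoritative answer still comes from the host itself (`application:get_key(ssh, vsn)` in an Erlang shell).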
Major banks limit information sharing following breach of Treasury Department’s OCC.
Bloomberg reports that JP Morgan and the Bank of New York Mellon have limited information sharing with the US Treasury Department’s Office of the Comptroller of the Currency (OCC) following a serious hack of the regulator’s systems. The OCC last week disclosed a “major information security incident” in which hackers gained access to email communications from more than a hundred bank regulators for over a year. Bloomberg says the hackers had “access to highly sensitive information about the financial health of federally regulated financial firms.”
The OCC is still investigating the extent of the breach. An OCC spokesperson told Bloomberg, “This work is ongoing, and the OCC is engaged with its supervised institutions to keep them informed as these investigations progress. OCC’s onsite examiners continue to retain access to bank information as necessary to conduct supervisory activities, while ensuring the security of the data.”
Apple patches two zero-days.
Apple has issued emergency security updates (iOS and iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1) to fix two zero-day flaws that were exploited in “an extremely sophisticated attack against specific targeted individuals on iOS.” The first (CVE-2025-31200) is a memory-corruption bug in the CoreAudio framework, which handles audio-related tasks. Apple explains that “[p]rocessing an audio stream in a maliciously crafted media file may result in code execution,” so a crafted media file is sufficient to trigger it.
The second flaw (CVE-2025-31201) affects RPAC and could allow an attacker who already has arbitrary read and write capability to bypass Pointer Authentication, the hardware mitigation that signs code and data pointers to block control-flow hijacking. A mitigation bypass of this kind is only useful after memory corruption has been achieved, so the two fit the usual shape of an exploit chain: the CoreAudio bug for initial code execution and the PAC bypass to turn it into full control. Apple has not described the chain beyond saying both were exploited in the same attack.
US Justice Department restricts bulk data sharing with certain countries.
The US Justice Department has published details of its new Data Security Program, which establishes what amount to “export controls” for bulk sensitive personal data belonging to US persons, Infosecurity Magazine reports. The program implements Executive Order 14117, issued in February 2024 under the Biden administration. It prohibits US persons, data brokers included, from knowingly engaging in covered data transactions that would give six “countries of concern” (China, Cuba, Iran, North Korea, Russia, and Venezuela), or entities under their control, access to bulk US personal data or government-related data, unless the transaction is exempt or authorized by a DOJ license.
The program went into effect last week, though the government said it will not prioritize enforcement for the first ninety days against entities making “good faith efforts” to comply.
Parent company of major US supermarket chains confirms data breach.
Ahold Delhaize, the Dutch parent company of the US supermarket chains Stop & Shop, Hannaford, Food Lion, and Giant Food (run through its Ahold Delhaize USA arm), confirmed that data was stolen from its US business systems during a cyberattack last November, Cybersecurity Dive reports. The company hasn’t disclosed the nature of the stolen data, stating, “Our teams have been working diligently to determine what information may have been affected, and we will notify affected individuals in accordance with our legal obligations.”
The INC ransomware gang on Wednesday took credit for the attack, claiming to have stolen six terabytes of data from Ahold Delhaize. The group says it will soon publish the stolen data on its leak site. Ahold Delhaize hasn’t commented on these claims.
4chan goes offline following alleged hack.
The infamous image board 4chan went offline on Tuesday following an apparent hack that allegedly exposed the site’s PHP source code and email addresses belonging to its anonymous administrators and moderators, TechCrunch reports. Users of a rival image board took credit for the attack, claiming to have had access to 4chan’s systems for over a year. While the authenticity of the data is unconfirmed, TechCrunch spoke with one of 4chan’s janitors who said they were confident that the leaked information was “all real.”
Courts and torts.
US-based airport retail company Paradies Shops has agreed to pay $6.9 million to settle a class-action lawsuit brought by employees whose info was stolen during a 2020 ransomware attack, the Record reports. According to the lawsuit, the attackers stole personal information, including Social Security numbers, belonging to 76,000 current and former employees. The suit alleged that the company was negligent in protecting the data and “purposefully maintained secret the specific vulnerabilities and root causes of the breach.” Paradies denies these claims, but agreed to the settlement because it “concluded that further conduct of the Litigation would be protracted and expensive.”