Cyber Daily 5/20: iPhone AirPlay Flaws, UK's AI Cybersecurity Codes, Healthcare Cyber Threats, CISA Alerts Discontinued, Toaster Hacking in UK, Google Chrome Vulnerabilities, EU's Vulnerability Database, Patch Tuesday Updates, Cybersecurity Podcasts

Welcome to your ONSEC Cyber Daily dose for May 20th. Today, we're diving into a sea of vulnerabilities and warnings that are making waves across the globe. First up, iPhone users, beware! A critical flaw has been discovered in Apple's AirPlay feature, putting 1.8 billion users at risk. Meanwhile, the UK is shining a spotlight on AI and cybersecurity, issuing new codes for software security and highlighting the growing AI cybersecurity divide. The healthcare sector is also under the microscope, facing growing cyber threats amid an expanding attack surface. And in a surprising twist, even your toaster could be a cybersecurity risk, with UK households being warned of potential cyber attacks via their toasters. In other news, CISA is discontinuing cybersecurity alerts on official webpages, and Google Chrome users are being warned of high severity vulnerabilities. The EU is also stepping up its game, staking out digital sovereignty with a new vulnerability database. On the patching front, we have updates from Microsoft, Mozilla, and others addressing critical vulnerabilities. And for those interested in the intersection of tech and society, don't miss our podcast recommendations, including discussions on AI companions and the loneliness epidemic, cybersecurity scares, and the future of private 5G networks. Stay tuned for more details on these stories and more in today's ONSEC Cyber Daily. Stay safe, stay informed.

Exploits Alert

  1. Security Warning Issued for 1.8 Billion iPhone Users Over AirPlay Flaws: Critical vulnerabilities have been discovered in Apple's AirPlay feature, leading to an urgent warning for all iPhone users. These flaws could potentially expose users to cyber threats. Source: Channel News
  2. AI and Cybersecurity Under the Spotlight: UK Publishes New Codes for Software Security: The UK has published new codes for software security and warns of a potential AI cybersecurity divide. These guidelines aim to enhance the security of AI systems and reduce vulnerabilities. Source: Crowell
  3. Healthcare Sector Faces Growing Cyber Threats Amid Expanding Attack Surface: The healthcare sector is facing increasing cyber threats due to an expanding attack surface. This highlights the need for robust cybersecurity measures and vulnerability management. Source: MSSP Alert
  4. CISA to Discontinue Cybersecurity Alerts & Advisories on Official Webpages: CISA has announced that it will discontinue cybersecurity alerts and advisories on its official webpages. This decision has raised concerns about the accessibility of vulnerability data. Source: Cybersecurity News
  5. Warning issued to UK households with a toaster: Experts have warned that some toasters could leave homeowners vulnerable to a cyber attack. This unusual threat highlights the increasing range of devices that can be targeted by cyber criminals. Source: Express UK

Vulnerabilities & Patches

  1. CVE-2025-30397 – Microsoft Scripting Engine RCE: Microsoft has released a patch for a critical vulnerability in its Scripting Engine. The flaw could allow for remote code execution if exploited. Users are urged to apply the patch immediately. Source: Industry Analysts, Inc.
  2. CVE-2025-4391 – Crawlomatic WordPress Plugin RCE: A critical 9.8 RCE flaw in the Crawlomatic WordPress plugin has been patched. The flaw involved missing file type validation in the “echo_generate_feaured_image()” function. Users are advised to update to the latest version. Source: SC Media
  3. CVE-2025-4918 & CVE-2025-4919 – Mozilla Firefox Bugs: Mozilla has patched two vulnerabilities in Firefox that were discovered by security researchers. The bugs could have been exploited for malicious purposes, and users are advised to update their browsers. Source: Candid.Technology
  4. CVE-2024-12987 – DrayTek Gateway Devices: A command injection vulnerability in the Apmcfgupload endpoint for DrayTek Gateway devices has been patched. Users are urged to update their devices to the latest firmware. Source: Systemtek
  5. CVE-2025-30911 – RomethemeKit For Elementor Plugin: A remote code execution vulnerability in the RomethemeKit for Elementor plugin has been patched. The vendor, Rometheme, was notified of the issue and has released a fix. Users are advised to update to the latest version. Source: Infosecurity Magazine

Podcasts

  1. Mark Zuckerberg's Vision: AI Companions and the Loneliness Epidemic: This podcast explores Mark Zuckerberg's vision of AI companions and their potential role in addressing the loneliness epidemic. The discussion is led by Tom Eston, a renowned figure in the cybersecurity field. Source: Security Boulevard.
  2. ICYMI: Cybersecurity Scare: Bloomberg Businessweek's podcast episode titled "ICYMI: Cybersecurity Scare" features Wendi Whitmore, Chief Intelligence Officer, discussing the latest cybersecurity threats and how to mitigate them. Source: Bloomberg.
  3. CIO Podcast – Episode 95: Private 5G Networks with Christian Lindmark: The 95th episode of the CIO podcast hosted by Healthcare IT Today features Christian Lindmark, CTO at Stanford Health Care, discussing the implementation and benefits of private 5G networks in healthcare. Source: Healthcare IT Today.

Final Words

And that's a wrap for today's edition of 'ONSEC Cyber Daily'. From the vulnerabilities in Apple's AirPlay to the critical flaws in Google Chrome, we've covered a lot of ground today. It's clear that the digital landscape is ever-evolving, and staying informed is our best defense. Remember, cybersecurity isn't just about protecting your own devices and data, it's about safeguarding our interconnected digital world. So, if you found today's newsletter helpful, why not share it with your friends and colleagues? You never know, the information you share today could prevent a cyber attack tomorrow. Stay safe, stay informed, and keep sharing the knowledge. See you in the next edition of 'ONSEC Cyber Daily'.
