
Cyber Brief: Citrix Bleed, Frontier Ransomware, VMware and Outlook Alerts

As the week closes, cybersecurity headlines highlight how supply-chain attacks and exploited vulnerabilities continue to test resilience across industries. For UK SMEs and regulated organisations, today’s focus is on third-party risk, secure configuration, and timely patching - the pillars of modern cyber hygiene.


CISA adds new Citrix Bleed vulnerability to Known Exploited Vulnerabilities list

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-37559 - a remote-code-execution flaw in Citrix NetScaler ADC and Gateway - to its Known Exploited Vulnerabilities (KEV) catalogue. The bug allows unauthenticated attackers to execute arbitrary commands and steal session data. Exploitation evidence shows attackers leveraging it to move laterally into corporate networks.

For UK organisations using Citrix remote-access solutions, this is a critical priority. Patch deployment, session invalidation and credential resets should happen immediately, as exploitation typically precedes disclosure by weeks. Even businesses that outsource remote-access infrastructure must confirm supplier patch levels and access-control changes.

Why it matters: Citrix Bleed compromises were behind several UK service-provider breaches in 2024; closing the window quickly prevents repeat incidents.
Source: CISA


US telecom provider Frontier confirms ransomware incident and service disruption

Frontier Communications has confirmed a ransomware attack that caused network outages across several US states earlier this week. Investigation indicates that customer data was not exfiltrated, but internal systems were encrypted, disrupting operations for days.

For UK firms, this is another reminder that large, well-resourced providers can still be paralysed by ransomware, with downstream effects on partners and clients. Evaluate your own reliance on external telecoms and managed-service partners: ensure you have redundancy plans, contractual incident-notification clauses, and supplier-assurance checks in place.

Why it matters: Ransomware’s reach often extends beyond its primary victim; resilience means planning for the failure of services you don’t directly control.
Source: BleepingComputer


VMware releases patches for critical vCenter Server and ESXi flaws

VMware has issued fixes for multiple high-severity vulnerabilities in vCenter Server and ESXi hypervisors, including CVE-2025-23172 — a heap overflow that could allow remote code execution via the vSAN service. No exploitation has yet been observed, but public proof-of-concept code is circulating.

UK organisations running virtualised infrastructure should apply updates as soon as operationally feasible. Testing in staging environments is advised, but delay exposes hypervisors to compromise that can cascade across entire server estates.

Why it matters: Virtualisation sits at the core of most production networks; securing vCenter and ESXi is foundational to both uptime and compliance.
Source: VMware Security Advisory


Microsoft investigates reports of Outlook for Windows zero-day exploit

Microsoft has acknowledged reports of targeted exploitation against a new Outlook for Windows vulnerability that allows crafted emails to trigger code execution before user interaction. A temporary mitigation via Attack Surface Reduction (ASR) rules and email-filtering policies is recommended while a patch is developed.

UK businesses should review Outlook client versions, enable automatic updates, and reinforce phishing-awareness training. Layered email defences remain the best short-term control until official fixes are released.

Why it matters: Email remains the top attack vector. Proactive monitoring and user education reduce risk even when zero-day patches are pending.
Source: Microsoft Security Response Center


Today’s Key Actions

  1. Apply Citrix, VMware and Microsoft patches or mitigations immediately.
  2. Audit suppliers and MSPs for third-party patch compliance and incident-reporting clauses.
  3. Verify endpoint detection is active and logging across virtualised environments.
  4. Rehearse business-continuity steps for telecom or IT-service outages.
  5. Communicate patching and response actions to staff to maintain security awareness.


Secarma Insight

This week’s incidents highlight the growing interdependence of software, infrastructure and service providers. A single unpatched product or partner can disrupt hundreds of downstream organisations. At Secarma, our ACT Framework (Advise, Certify, Test) helps you identify those dependencies, verify controls, and validate response plans before an exploit finds them for you.
Get in touch with us to strengthen your patch-governance and supplier-risk management processes.
