Cyber Brief: CISA Patches, NCSC Guidance and Supply-Chain Risks

Today’s developments show how fast real-world exploits are moving — from new CISA advisories to a global data breach and fresh supply-chain risks. For UK organisations, the message is clear: strong patch governance and supplier oversight are what keep incidents from becoming crises.


CISA adds exploited XWiki and VMware vulnerabilities to KEV catalogue

The Cybersecurity and Infrastructure Security Agency (CISA) has added two newly exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) list: a remote-code-execution flaw in XWiki (CVE-2025-24893) and a privilege-escalation bug in VMware Aria Operations / VMware Tools (CVE-2025-41244). Both are being leveraged in the wild. CISA has instructed US federal agencies to patch by early November, while VMware and XWiki have published updates and mitigation guidance. These vulnerabilities allow attackers to execute arbitrary code or escalate privileges, making them prime targets for lateral movement once inside a network.

For UK SMEs and regulated sectors, KEV inclusion signals active exploitation — treat these as patch-immediately issues. Review whether affected software exists in your environment or through third-party suppliers, and document remediation to demonstrate compliance with regulators or customers. Ensuring your patching cadence matches the real threat tempo is the simplest way to avoid emergency response later.

Why it matters: When a vulnerability enters the KEV list, it’s already weaponised. Rapid validation and patching prevent it from becoming your next incident.
Source: SecurityWeek


NCSC launches Code of Practice for secure engineering systems

The UK National Cyber Security Centre (NCSC) has released a new Code of Practice designed to embed cybersecurity alongside safety in engineering environments such as energy, transport and manufacturing. The guidance defines twelve principles covering governance, risk assessment, supply-chain management and resilience testing, encouraging engineers and security specialists to collaborate early in project lifecycles rather than bolt controls on afterwards.

This move aligns with growing regulatory focus on operational technology and critical-infrastructure protection. For UK organisations, adopting the Code voluntarily provides tangible evidence of security-by-design to insurers, auditors and customers. Even smaller suppliers feeding into large infrastructure projects can map their existing processes against the twelve principles to identify quick wins — for instance, integrating cyber-resilience reviews into standard safety audits.

Why it matters: Engineering and digital systems are converging; embedding security in design now avoids costly retrofits later.
Source: NCSC


Conduent confirms data breach impacting more than 10 million individuals

Business-process and IT-services provider Conduent has disclosed that attackers accessed and exfiltrated personal and health-related data belonging to over 10 million people worldwide. The incident, first detected earlier this month, affected systems supporting clients in healthcare, payroll and government services. Conduent stated that forensic investigation and notification processes are under way and that affected customers have been informed.

While based in the US, Conduent operates across Europe, including contracts with UK public-sector bodies and service suppliers. For UK organisations, this incident highlights the reality of downstream exposure: when a key service provider is compromised, your data and customers may still be at risk even if your own defences hold. Review data-processing agreements, ensure suppliers maintain incident-reporting timelines, and confirm they have secure segregation between clients.

Why it matters: Third-party breaches are now among the fastest-growing causes of data exposure. Knowing where your data lives and how suppliers protect it is essential to operational resilience.
Source: SecurityWeek


PhantomRaven campaign targets open-source developers via malicious npm packages

Researchers have detailed a new supply-chain attack named “PhantomRaven” that flooded the npm repository with credential-stealing packages using “remote dynamic dependencies.” The malware triggers during installation, fetching secondary scripts that harvest tokens and environment variables from development machines and CI/CD pipelines. All identified packages have been removed, but analysts warn that copycat campaigns are likely.

For UK development teams and SaaS providers, this is a call to tighten software-supply-chain controls. Implement allow-lists for dependencies, lock versions, and run Software Composition Analysis (SCA) tools within build pipelines. Network egress filtering from build servers can block external script downloads, and rotating credentials regularly limits damage if any secrets were exposed.
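One concrete form of the dependency allow-list and pinning controls above, as an added example that is not Secarma's or npm's own code: a small audit of a package.json that flags dependency specifiers npm would resolve outside the registry (URLs, git remotes, GitHub shorthand, local paths), ranges that are not pinned to an exact release, and packages absent from a team allow-list. The manifest and allow-list are constructed samples; the script fetches nothing.

```javascript
// Added example (not Secarma's or npm's own code): audit a package.json for
// specifiers npm resolves outside the registry (the "remote dynamic dependency"
// pattern), unpinned version ranges, and packages missing from a team allow-list.
// The manifest and allow-list are constructed samples; nothing is fetched.

const SEMVER_EXACT = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// URL, git, GitHub "owner/repo" shorthand and local-path specifiers all bypass the registry.
const REMOTE_SPEC =
  /^(?:https?:|git:|git\+|github:|gitlab:|bitbucket:|gist:|file:|\.{0,2}\/|[^@\/]+\/[^@\/#]+(?:#.*)?$)/;

// Returns one finding object per problem; a clean manifest yields an empty array.
function auditDependencies(manifest, allowList) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (REMOTE_SPEC.test(spec)) {
        findings.push({ name, field, spec, issue: 'remote-source' });
      } else if (!SEMVER_EXACT.test(spec)) {
        findings.push({ name, field, spec, issue: 'unpinned' });
      }
      if (!allowList.has(name)) findings.push({ name, field, spec, issue: 'not-allow-listed' });
    }
  }
  return findings;
}

// Any remote-source finding should fail the build step; the others can be warnings.
function hasRemoteSource(findings) {
  return findings.some((f) => f.issue === 'remote-source');
}

// Constructed sample manifest; the tarball host is deliberately non-resolvable.
const sampleManifest = {
  name: 'example-service',
  dependencies: {
    express: '4.19.2',
    lodash: '^4.17.21',
    'left-pad-helper': 'https://example.invalid/pkg/left-pad-helper.tgz',
    'fast-utils': 'someuser/fast-utils',
  },
  devDependencies: { jest: '29.7.0' },
};
const sampleAllowList = new Set(['express', 'lodash', 'jest']);

if (typeof require !== 'undefined' && require.main === module) {
  const findings = auditDependencies(sampleManifest, sampleAllowList);
  for (const f of findings) console.log(`${f.issue}: ${f.field}.${f.name} = ${f.spec}`);
  process.exitCode = hasRemoteSource(findings) ? 1 : 0;
}
```

Run it as a pre-install step in CI and fail the job on a non-zero exit code; a lockfile check and SCA scan still belong alongside it, since this only inspects declared specifiers.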

Why it matters: Supply-chain compromise doesn’t require exploiting your infrastructure — it just needs one poisoned dependency. Continuous validation of your build process is critical to trust in every release.
Source: The Register


🔍 Today’s Key Actions

  1. Patch now: Prioritise XWiki and VMware fixes and verify no residual exposure.
  2. Map supplier dependencies: Check which vendors handle your data and confirm breach-notification procedures.
  3. Secure development pipelines: Introduce dependency allow-lists and SCA scanning.
  4. Adopt design governance: Align engineering and security practices with the new NCSC Code of Practice.
  5. Review incident readiness: Ensure contact trees and escalation steps are current for supplier or patch emergencies.


💬 Secarma Insight

Cyber resilience is not about predicting every incident — it’s about responding faster than the impact can spread. At Secarma, our ACT Framework (Advise, Certify, Test) helps organisations convert daily advisories into measurable improvements.
Get in touch with us to review today’s findings, prioritise actions, and strengthen your defences before the next exploit cycle begins.
