
April 2025 proved to be a pivotal month in cybersecurity, marked by institutional challenges and technological advancements. The near-collapse of MITRE’s CVE program and AI’s demonstrated superiority over human red teamers in spearphishing campaigns dominated discussions across the security community. These developments signal both systemic vulnerabilities in cybersecurity infrastructure and the accelerating capabilities of offensive AI tools.
Executive Summary
For security leaders needing rapid context, April’s key developments include:
- MITRE’s CVE program faced imminent shutdown due to funding issues, threatening global vulnerability tracking [1]
- AI-powered spearphishing now outperforms elite human red teams, according to Hoxhunt research [2]
- UK charity sector reported 30% breach rates in the past year, according to government data [3]
- Deepfake countermeasures emerging from India provide new defense models against synthetic media scams
MITRE’s CVE Program Crisis
The Cybersecurity and Infrastructure Security Agency (CISA) failed to renew its contract with MITRE to operate the Common Vulnerabilities and Exposures (CVE) program, potentially leaving vulnerability tracking in limbo. The program, which assigns identifiers to publicly disclosed security flaws, faced immediate funding shortfalls that threatened its continued operation. This development raised concerns about how organizations would track and prioritize vulnerabilities without the standardized CVE system.
Security teams have relied on CVE identifiers for patch management and vulnerability scoring through the Common Vulnerability Scoring System (CVSS). The potential loss of this framework would force organizations to develop alternative tracking mechanisms or depend on vendor-specific advisories. MITRE has operated the program since 1999, with over 200,000 vulnerabilities cataloged to date.
AI Surpasses Human Red Teams
Research from Hoxhunt demonstrated that AI systems now exceed human capabilities in crafting effective spearphishing campaigns. The study compared success rates between elite red team operators and AI-generated phishing messages across multiple organizational contexts. AI consistently achieved higher click-through and credential capture rates, particularly in business email compromise (BEC) scenarios.
The AI systems excelled at personalization, leveraging publicly available data to craft context-aware messages. They also demonstrated superior A/B testing capabilities, rapidly iterating message variants based on recipient responses. This development has immediate implications for security awareness training programs, which may need to shift focus from human-generated to AI-generated phishing templates.
| Metric | Human Red Team | AI System |
|---|---|---|
| Click-through Rate | 14% | 23% |
| Credential Capture | 8% | 17% |
| Response Time | 4 hours | 12 minutes |
UK Charity Sector Vulnerabilities
The UK government’s annual Cyber Security Breaches Survey revealed that 30% of charities reported security incidents in the past year. Many lacked basic security controls, with only 38% having formal incident response plans. The sector’s limited cybersecurity budgets and reliance on legacy systems made them attractive targets for credential harvesting and ransomware attacks.
Smaller charities proved particularly vulnerable, with 25% admitting they took no specific cybersecurity actions following breaches. The data suggests that nonprofit organizations require tailored security guidance that accounts for their resource constraints and volunteer-based operational models.
Deepfake Defense Innovations
Indian cybersecurity teams developed novel detection methods for deepfake extortion scams. These combine metadata analysis with behavioral biometrics to identify synthetic media. The techniques proved particularly effective against sextortion schemes using AI-generated intimate imagery.
One approach analyzes micro-expressions and eye movement patterns in video calls, while another examines file compression artifacts specific to generative AI outputs. These methods achieved 92% accuracy in lab tests against current deepfake generation tools.
Security Implications and Recommendations
The MITRE CVE situation underscores the fragility of cybersecurity infrastructure. Organizations should prepare contingency plans for vulnerability tracking, including:
- Expanding internal vulnerability databases
- Increasing monitoring of vendor-specific advisories
- Developing alternative scoring systems for unregistered vulnerabilities
For AI-driven threats, security teams should:
- Update phishing simulations to include AI-generated templates
- Enhance mail filtering with AI detection capabilities
- Conduct red team exercises using both human and AI adversaries
The charity sector findings highlight the need for scaled security solutions appropriate for resource-constrained organizations. Shared security services and simplified security frameworks could help bridge this gap.
Conclusion
April 2025’s developments reveal cybersecurity at an inflection point. Institutional vulnerabilities like the MITRE CVE crisis contrast with rapid offensive AI advancements, creating both challenges and opportunities for defenders. The security community must adapt to these shifts while maintaining fundamental protections for all organizations, regardless of size or sector.
Tony Anscombe’s monthly security series continues to provide timely analysis of these trends, with the March 2025 edition covering ChatGPT vulnerabilities and ransomware developments [4]. ESET’s ongoing research into threats like RansomHub’s evasion tools and the FamousSparrow APT group offers additional technical insights [5].
References
1. “CVE program faces swift end after DHS fails to renew contract, leaving security flaw tracking in limbo”, CSO Online, 2025.
2. “AI Now Outsmarts Humans in Spear Phishing, Analysis Shows”, SecurityWeek, 2025.
3. “Cyber Security Breaches Survey 2025”, UK Government, 2025.
4. “This Month in Security with Tony Anscombe – March 2025 Edition”, WeLiveSecurity, 2025.
5. “ESET APT Activity Report Q2 2024-Q3 2024”, WeLiveSecurity, 2025.