

This week’s Risk Radar examines the operational impact of credential compromise in a major breach, the emergence of active exploitation against previously patched enterprise software, and a high-risk mobile vulnerability affecting Apple iOS devices.
The common thread is exposure created by trusted systems and credentials, whether through privileged access misuse, overlooked patching gaps, or vulnerable endpoint devices.
When these factors converge, organisations face increased risk of large-scale disruption, data loss, and lateral attack propagation across environments.
An update this week on the Stryker breach has confirmed that a compromised administrative account was the primary entry point for attackers. The incident resulted in more than 80,000 devices being wiped and approximately 50 terabytes of data being exfiltrated from the organisation.
Both Microsoft and CISA have issued guidance in response, focusing on strengthening identity security and reducing the risk of similar platform-level attacks. This type of attack highlights a growing trend where threat actors prioritise privileged access to maximise operational impact.
In many cases, once administrative credentials are compromised, attackers can bypass traditional security controls, escalate privileges, and move laterally across environments with minimal resistance. This significantly increases the potential blast radius of an incident.
What this means in practice:
Organisations should prioritise the protection of administrative accounts by enforcing multi-factor authentication (MFA) on every privileged login and by implementing privileged access management (PAM) controls such as just-in-time elevation in place of standing administrative rights.
Regular reviews of access permissions are critical to ensure that accounts are not over-privileged and that dormant or unused administrative accounts are removed. Limiting administrative access to what is operationally necessary directly reduces the blast radius of a credential compromise.
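As an added illustration (not code from this newsletter, Microsoft or CISA), the Python script below runs the kind of privileged-account review described above over a constructed identity export. The export shape, its field names and the set of role names treated as privileged are assumptions; map them onto whatever your directory or PAM tool actually produces. It flags privileged accounts without enforced MFA, standing privileged roles that are never used, dormant admin accounts, and accounts holding more privileged roles than they need, and counts how many accounts can act in each role.

```python
"""Privileged-account review over a constructed identity export.

Added example. The export shape, field names and the list of privileged
role names are assumptions: map them onto what your directory or PAM
tool actually produces.
"""
from datetime import datetime, timedelta, timezone

# Roles treated as privileged (assumed set; tune to your tenant/directory).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Intune Administrator",
    "SharePoint Administrator",
    "Exchange Administrator",
}

# Constructed sample export, not data from any real tenant or incident.
ACCOUNTS = [
    {"upn": "alice.admin@corp.example", "roles": ["Global Administrator"],
     "mfa_enforced": True, "last_sign_in": "2025-06-10T08:12:00Z",
     "role_last_used": "2025-06-09T17:40:00Z"},
    {"upn": "svc-legacy@corp.example",
     "roles": ["Global Administrator", "Intune Administrator"],
     "mfa_enforced": False, "last_sign_in": "2025-01-03T02:00:00Z",
     "role_last_used": None},
    {"upn": "bob@corp.example", "roles": ["SharePoint Administrator"],
     "mfa_enforced": True, "last_sign_in": "2025-06-11T09:00:00Z",
     "role_last_used": "2025-02-01T10:00:00Z"},
    {"upn": "carol@corp.example", "roles": [],
     "mfa_enforced": False, "last_sign_in": "2025-06-11T09:30:00Z",
     "role_last_used": None},
]

# Fixed review date so the run is reproducible; use datetime.now(timezone.utc) in practice.
REVIEW_DATE = datetime(2025, 6, 12, tzinfo=timezone.utc)


def _parse(ts):
    """ISO-8601 'Z' timestamp -> aware datetime, or None if absent."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def review_accounts(accounts, now, stale_days=90, dormant_days=45, max_roles=1):
    """Return (upn, severity, issue) findings for privileged accounts only."""
    findings = []
    for acct in accounts:
        roles = set(acct["roles"]) & PRIVILEGED_ROLES
        if not roles:
            continue  # unprivileged accounts are out of scope for this review
        upn = acct["upn"]
        if not acct["mfa_enforced"]:
            findings.append((upn, "HIGH", "privileged account without enforced MFA"))
        last_used = _parse(acct["role_last_used"])
        if last_used is None or now - last_used > timedelta(days=stale_days):
            findings.append((upn, "MEDIUM",
                             f"standing privileged role unused for >{stale_days} days; "
                             "move to just-in-time elevation or remove"))
        last_sign_in = _parse(acct["last_sign_in"])
        if last_sign_in is None or now - last_sign_in > timedelta(days=dormant_days):
            findings.append((upn, "HIGH",
                             f"dormant privileged account (no sign-in for >{dormant_days} days)"))
        if len(roles) > max_roles:
            findings.append((upn, "MEDIUM",
                             f"holds {len(roles)} privileged roles: {sorted(roles)}"))
    return findings


def blast_radius(accounts):
    """How many accounts can act in each privileged role."""
    counts = {}
    for acct in accounts:
        for role in set(acct["roles"]) & PRIVILEGED_ROLES:
            counts[role] = counts.get(role, 0) + 1
    return counts


def run_review():
    return review_accounts(ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for upn, severity, issue in run_review():
        print(f"[{severity}] {upn}: {issue}")
    print("accounts per privileged role:", blast_radius(ACCOUNTS))
```

On the constructed data the service account is the one that would have been found in time: no MFA, two standing global-scope roles it never uses, and no sign-in for months. The thresholds (90 days unused, 45 days dormant, one role per account) are starting points, not standards; the point is that the review is repeatable and produces a list someone owns.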
A previously patched SharePoint vulnerability has now been observed being actively exploited in the wild. Although the patch was released in January, organisations remain at risk wherever the update has not been applied, or has been applied but never verified.
The vulnerability affects both on-premises and hybrid SharePoint deployments and allows an unauthenticated attacker to achieve remote code execution by sending a crafted serialized request. Given SharePoint’s role as a core collaboration platform, the potential impact of exploitation is significant.
This development reinforces a persistent issue in vulnerability management, where patch availability does not always translate into effective remediation across all systems.
What this means in practice:
Organisations using SharePoint should immediately verify that all environments, including on-premises and hybrid deployments, have been fully patched, rather than relying on an assumed or automated update having taken effect.
Security teams should also ensure that asset visibility and patch validation processes are in place to confirm that critical vulnerabilities are effectively remediated across the entire estate.
A newly identified vulnerability in Apple iOS, affecting versions 18.4 to 18.7, has been labelled “Dark Sword” by Google’s Threat Intelligence Group. The vulnerability enables attackers to extract sensitive data from affected devices, including passwords, cookies, and location information.
Given the widespread use of iOS devices in enterprise environments, this vulnerability introduces a potential pathway for attackers to gather intelligence and support further attacks against organisational systems.
If exploited, compromised mobile devices could act as entry points for broader intrusion activity, particularly in environments where mobile endpoints are integrated into corporate networks.
What this means in practice:
Organisations should ensure that all Apple devices are updated to the latest supported iOS versions as a priority.
Security teams should also assess the exposure of mobile devices within their environment and consider additional controls around device management, monitoring, and access to sensitive systems.
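The SharePoint and iOS advice above reduces to the same check: do not take the patch console's "compliant" status on trust, reconcile it with the version each asset actually reports. The Python script below is an added example (not from this newsletter, Microsoft, Apple or any patch-management vendor) that performs that reconciliation over a constructed inventory covering both SharePoint farm builds and iOS versions. The minimum versions in it are placeholders and not the real fixed builds for either issue; take those from the vendor advisory you are validating against. Host names and the two inventory sources are likewise constructed.

```python
"""Patch validation by reconciling management-console status with what each
asset itself reports.

Added example. Minimum versions below are PLACEHOLDERS (assumptions), not the
real fixed builds for the SharePoint or iOS issues discussed in the text.
"""

# Assumed minimum fixed versions per asset class; replace with the values from
# the vendor advisory you are validating against.
REQUIRED_MINIMUM = {
    "sharepoint": "16.0.18000.0",   # placeholder farm build (4-part)
    "ios": "18.7.1",                # placeholder iOS version
}

# Constructed: what the patch-management console believes about each asset.
CONSOLE = {
    "sp-web-01":    {"class": "sharepoint", "status": "compliant"},
    "sp-web-02":    {"class": "sharepoint", "status": "compliant"},
    "sp-hybrid-01": {"class": "sharepoint", "status": "compliant"},
    "sp-app-01":    {"class": "sharepoint", "status": "non-compliant"},
    "iphone-07":    {"class": "ios", "status": "compliant"},
    "iphone-42":    {"class": "ios", "status": "compliant"},
}

# Constructed: the version each asset reported itself (e.g. the farm build a
# SharePoint server returns, or the OS version in the MDM inventory). None
# means the asset has never checked in.
REPORTED = {
    "sp-web-01":    "16.0.18100.20000",
    "sp-web-02":    "16.0.17928.20000",
    "sp-hybrid-01": None,
    "sp-app-01":    "16.0.17500.10000",
    "iphone-07":    "18.7.1",
    "iphone-42":    "18.6",
    "ipad-13":      "18.4",   # reports in, but the console has never heard of it
}


def parse_version(text):
    """'16.0.18100.20000' -> (16, 0, 18100, 20000); stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def meets_minimum(installed, required):
    """True if installed >= required, padding short versions so '18.7' == '18.7.0'."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def reconcile(console, reported, minimums):
    """Classify every asset seen by either source.

    VERIFIED         asset reports a version at or above the minimum
    FALSE_ASSURANCE  console says compliant, the asset's own report says otherwise
    KNOWN_GAP        console and asset agree it is unpatched
    UNVERIFIED       console has a status, but the asset never reported a version
    UNMANAGED        asset reports in, but the console does not track it
    """
    verdicts = {}
    for host in sorted(set(console) | set(reported)):
        entry = console.get(host)
        if entry is None:
            verdicts[host] = "UNMANAGED"
            continue
        version = reported.get(host)
        if version is None:
            verdicts[host] = "UNVERIFIED"
            continue
        if meets_minimum(version, minimums[entry["class"]]):
            verdicts[host] = "VERIFIED"
        elif entry["status"] == "compliant":
            verdicts[host] = "FALSE_ASSURANCE"
        else:
            verdicts[host] = "KNOWN_GAP"
    return verdicts


def summarize(verdicts):
    """Count of assets per verdict, so the worst buckets can be worked first."""
    counts = {}
    for verdict in verdicts.values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def run_validation():
    return reconcile(CONSOLE, REPORTED, REQUIRED_MINIMUM)


if __name__ == "__main__":
    results = run_validation()
    for host, verdict in results.items():
        status = CONSOLE.get(host, {}).get("status", "-")
        print(f"{verdict:16} {host}  console={status}  reported={REPORTED.get(host)}")
    print(summarize(results))
```

The buckets worth attention are FALSE_ASSURANCE (the console would have reported these as done), UNVERIFIED (a status with nothing behind it) and UNMANAGED (the asset-visibility gap). Version comparison pads shorter strings with zeros so that an iOS device on 18.7 is not wrongly treated as older than a minimum of 18.7.0; the same routine handles four-part SharePoint builds.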
This week’s developments highlight three interconnected sources of cyber risk: privileged credential compromise, incomplete vulnerability remediation, and insecure endpoint devices.
Each represents a different but equally critical attack surface within modern enterprise environments.
Threat actors continue to prioritise access and scale, exploiting administrative privileges, unpatched systems, and endpoint vulnerabilities to maximise impact. At the same time, gaps in patch validation and device management create persistent exposure across organisations.
Operational discipline remains the key differentiator. Strengthen identity controls, verify patching across all systems, and ensure endpoint security extends to mobile devices.
Execution speed and verification continue to determine whether these risks remain contained or escalate into significant operational disruption.