Serious Security Vulnerability Found in WhatsApp
Meta has disclosed a critical security flaw in WhatsApp, CVE-2025-55177, which “may have been exploited in a sophisticated attack against specific targeted users.” The vulnerability stems from incomplete authorization of linked device synchronization messages. This could potentially allow an attacker to process content from an arbitrary URL on a victim’s device. Meta also connected the issue to Apple’s recently patched zero-click vulnerability, CVE-2025-43300, warning that both flaws may have been used in spyware-style attacks. Amnesty International’s security lab suggested the exploit was likely used by commercial surveillanceware vendors, who often target journalists, human rights activists, and political dissidents.
Microsoft Mandates MFA for Azure
Starting October 1, Microsoft will require multi-factor authentication (MFA) for nearly all Azure operations, with the exception of read-only access. This policy applies to Azure CLI, PowerShell, REST API, and Infrastructure as Code (IaC) tools. Extensions are possible until July 1, 2026, for complex environments. Microsoft emphasized that MFA is now a baseline security expectation for cloud users. The company also advised that service accounts in Microsoft Entra ID should migrate to workload identities for enhanced security.
Nissan Confirms Ransomware Attack
Japanese automaker Nissan has revealed that its design subsidiary, Creative Box Inc., was breached by the Qilin ransomware gang. Some design data was leaked, although the full impact remains under investigation. Qilin is known for its aggressive extortion tactics and has previously been linked to fatalities during ransomware-related disruptions.
Baltimore Loses $1.5M in Workday Fraud
The City of Baltimore has admitted that fraudsters diverted $1.5 million in public funds by compromising a vendor’s Workday account and altering their banking details. While nearly half of the funds were recovered, insurers refused to cover the remaining loss, citing lax controls. This case highlights the significant risks of procurement fraud and weak financial system safeguards.
Critical FreePBX Flaw Under Active Exploitation
The open-source FreePBX project has confirmed that a CVSS 10 vulnerability is being actively exploited. The flaw enables remote code execution and database manipulation. An emergency patch has been released for versions 15, 16, and 17. However, older, end-of-life versions remain unpatched. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging users to immediately upgrade and monitor for rogue “ampuser” accounts.
Other Cybersecurity Headlines
AWS has detected Russia’s Cozy Bear group attempting to steal Microsoft credentials.
The Pentagon has ended Microsoft’s use of China-based support staff for the Department of Defense (DoD) cloud.
The UK government has faced criticism for weak security reforms following a data leak involving Afghan records.
A researcher who previously hacked McDonald’s’ free-food app is now targeting Chinese restaurant robots.
