Meta has disclosed a major WhatsApp bug — CVE-2025-55177 — that may already have been exploited in highly targeted attacks. The flaw comes from weak checks in linked device synchronization, potentially allowing attackers to push malicious content to a victim’s device.
Meta linked the issue to Apple’s recently patched zero-click CVE-2025-43300, suggesting both may have been used in spyware campaigns. Amnesty International’s Security Lab believes the exploit was likely deployed by commercial surveillance vendors against journalists, activists, and political dissidents.
Microsoft to enforce MFA on Azure
Starting October 1, Microsoft will make multi-factor authentication (MFA) mandatory for almost all Azure operations — including CLI, PowerShell, REST API, and IaC tools. Customers with complex setups can apply for extensions until July 2026.
Microsoft urged organizations to shift service accounts to workload identities, calling MFA the new baseline for cloud security.
Nissan confirms ransomware attack
Japanese automaker Nissan said its design arm, Creative Box Inc., was hit by the Qilin ransomware gang. Some design data has been leaked, though investigators are still assessing the full scope of the breach. Qilin is notorious for aggressive extortion methods and has been tied to major service disruptions in the past.
Baltimore loses $1.5M in fraud
The City of Baltimore disclosed that cybercriminals stole $1.5 million by hijacking a vendor’s Workday account and changing banking details. Nearly half the money was recovered, but insurers declined to cover the rest, citing weak security controls. The incident underscores the risks of procurement fraud in public finance systems.
Critical FreePBX bug under active attack
Developers of FreePBX confirmed attackers are exploiting a CVSS 10 remote code execution flaw. Versions 15, 16, and 17 have been patched, but older builds remain exposed. The U.S. CISA is urging immediate updates and checks for suspicious “ampuser” accounts.
Other cybersecurity developments
- AWS spotted Russia’s Cozy Bear attempting to steal Microsoft credentials.
- The Pentagon ended Microsoft’s use of China-based support staff for Defense Department cloud projects.
- UK government criticized after a damaging Afghan data leak.
- Researcher who once hacked McDonald’s free-food app now testing restaurant robots in China.
