Infosec In Brief
Meta’s WhatsApp has revealed a significant vulnerability that “may have been exploited in a sophisticated attack targeting specific users.”
In a recent security advisory, Meta disclosed CVE-2025-55177, which it stated permits “incomplete authorization of linked device synchronization messages in WhatsApp, potentially allowing an unauthorized user to trigger the processing of content from any arbitrary URL on a victim’s device.”
Meta's advisory also pointed to CVE-2025-43300, a recently patched zero-click vulnerability in Apple's operating systems, suggesting a possible connection between the two and noting that both flaws "may have been used in a sophisticated attack against targeted individuals."
Donncha Ó Cearbhaill, head of Amnesty International’s security lab, speculated that the vulnerabilities were likely part of a targeted attack by a commercial surveillance vendor aimed at specific individuals, including journalists and human rights advocates.
Commercial spyware of this kind is sold to governments for use against criminal suspects, but it has repeatedly been turned against people those governments simply find inconvenient.
Attacks of this kind go some way to explaining why a zero-click WhatsApp exploit commands a bounty in the region of $1 million.
Microsoft Implements MFA Requirement for Azure
Starting October 1, Microsoft will begin enforcing multi-factor authentication (MFA) for Azure users performing create, update, or delete operations; read-only actions are exempt.
The advisory from Microsoft stated that “MFA enforcement will gradually commence for accounts logging into Azure CLI, Azure PowerShell, Azure mobile app, IaC tools, and REST API endpoints for any Create, Update, or Delete actions,” while read-only operations will not require MFA.
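Before enforcement lands, the practical question is which accounts still drive Azure CLI or Azure PowerShell with a single factor, because those are the automation jobs and admin habits that will break. The following is an added example, not code from Microsoft or from the original article: it scans a constructed sample of Entra ID sign-in records and reports successful single-factor sign-ins to Azure management tooling. The field names (`userPrincipalName`, `appDisplayName`, `resourceDisplayName`, `authenticationRequirement`, `status.errorCode`) follow the Microsoft Graph sign-in log schema as I understand it; the sample records and the `contoso.example` tenant are made up.

```python
import json
from collections import defaultdict

# Constructed sample of Entra ID sign-in log records (a subset of the fields exported
# from the Microsoft Graph `signIn` resource). These are made-up records, not real telemetry.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "deploy-bot@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "resourceDisplayName": "Windows Azure Service Management API",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Azure PowerShell",
     "resourceDisplayName": "Windows Azure Service Management API",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    # Failed sign-in (bad password): tells us nothing about whether the account works without MFA.
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "resourceDisplayName": "Windows Azure Service Management API",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
    # Single factor, but not Azure management tooling, so out of scope for this enforcement.
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "resourceDisplayName": "Office 365 Exchange Online",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "deploy-bot@contoso.example", "appDisplayName": "Microsoft Azure PowerShell",
     "resourceDisplayName": "Windows Azure Service Management API",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
]

# Client apps named in Microsoft's enforcement notice. The Azure mobile app, IaC tools and
# raw REST clients appear under other app names; extend this set from your own tenant's data.
AZURE_MGMT_APPS = {"Microsoft Azure CLI", "Microsoft Azure PowerShell"}
# Resource that Azure Resource Manager calls are issued against.
ARM_RESOURCE = "Windows Azure Service Management API"


def load_signins(path):
    """Read a JSON-lines export of sign-in records (one JSON object per line)."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def single_factor_azure_signins(records):
    """Map each UPN to the Azure management apps it reached with only a single factor.

    Only successful sign-ins count: a failed attempt does not prove the account
    currently works without MFA. A record is in scope if it either used one of the
    named client apps or targeted the ARM resource directly (e.g. a REST client).
    """
    hits = defaultdict(set)
    for rec in records:
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        if rec.get("authenticationRequirement") != "singleFactorAuthentication":
            continue
        in_scope = (rec.get("appDisplayName") in AZURE_MGMT_APPS
                    or rec.get("resourceDisplayName") == ARM_RESOURCE)
        if not in_scope:
            continue
        hits[rec["userPrincipalName"]].add(rec.get("appDisplayName", "<unknown app>"))
    return {upn: sorted(apps) for upn, apps in hits.items()}


if __name__ == "__main__":
    for upn, apps in sorted(single_factor_azure_signins(SAMPLE_SIGNINS).items()):
        print(f"{upn}: {', '.join(apps)}")
```

On the sample data only `deploy-bot@contoso.example` is flagged, and for both the CLI and PowerShell. An account like that is the typical casualty: a human user account driving pipelines. Microsoft's enforcement targets user sign-ins, so the usual fix is to move such automation to a workload identity (service principal or managed identity) rather than to exempt the user.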
Nissan Design Studio Targeted by Qilin Ransomware
Nissan has confirmed its design subsidiary, Creative Box Inc., suffered an attack from the Qilin ransomware group. The company acknowledged that some design data has been leaked while ongoing investigations continue.
Baltimore’s Procurement Fraud Costing the City
Baltimore has admitted to losing $1.5 million to a procurement scam. The city's Office of the Inspector General recently revealed that a fraudster gained access to a vendor's Workday account and redirected the vendor's payments to a bank account under the fraudster's control. Nearly half of the funds have since been recovered, but the city's insurers have denied the claim.
Critical Vulnerability in FreePBX Software
Users of the open-source FreePBX project should prioritize applying a recent emergency patch for a critical flaw that allows unauthorized database manipulation and remote code execution. The flaw, which carries a CVSS score of 10.0, has been patched, but some installations may already have been compromised before the fix was available. Users are urged to upgrade to the latest supported FreePBX release and to confirm that the installed 'endpoint' module is at a patched version.