Meta Flags Serious WhatsApp Flaw Exploited in Attacks

News Desk

Islamabad: Meta has confirmed a serious WhatsApp vulnerability (CVE-2025-55177) that may have been exploited in targeted attacks. The flaw stems from incomplete authorization in linked device synchronization, potentially allowing an attacker to process arbitrary URLs on a victim’s device.

Meta warned the issue may be connected to Apple’s recently patched zero-click bug (CVE-2025-43300), raising concerns over spyware-style campaigns. Amnesty International suggested commercial surveillanceware vendors likely abused the exploit, particularly against journalists, activists, and dissidents.

Microsoft enforces MFA for Azure
From October 1, Microsoft will mandate multi-factor authentication (MFA) for nearly all Azure operations, including CLI, PowerShell, REST API, and IaC tools. Read-only access is excluded.

Organizations with complex setups may request extensions until July 1, 2026. Service accounts in Entra ID are advised to shift to workload identities. Microsoft stressed MFA is now a baseline requirement for cloud security.

Nissan hit by Qilin ransomware
Japanese automaker Nissan confirmed its design arm, Creative Box Inc., was compromised by the Qilin ransomware group. Some design data was leaked, though the full scope is under review. Qilin is infamous for aggressive extortion and has been tied to severe disruptions, including reported deaths.

Baltimore loses $1.5M to Workday fraud
Baltimore officials revealed fraudsters diverted $1.5 million by hacking a vendor’s Workday account and altering payment details. Nearly half of the money was recovered, but insurers declined to cover the remainder, citing weak internal controls. The incident highlights ongoing risks of procurement fraud.

Critical FreePBX flaw under attack
The FreePBX project confirmed active exploitation of a CVSS 10 vulnerability enabling remote code execution and database compromise. An emergency patch is available for versions 15, 16, and 17, while older versions remain unpatched.

CISA urged immediate updates and monitoring for suspicious “ampuser” accounts linked to the exploit.

Other cybersecurity updates

• AWS detected Russian APT Cozy Bear attempting to steal Microsoft credentials.
• The Pentagon ended Microsoft’s use of China-based staff for DoD cloud support.
• UK government criticized over weak reforms following Afghan data leak.
• Researcher who hacked McDonald’s free-food app now targets Chinese restaurant robots.