A trivial surveillance password created an opening at one of the world’s most prominent institutions. Intruders gained awareness and timed their move because credential policy failed. This analysis delivers the signals, mitigations, and governance disciplines that stop repeats: rotation, MFA, segmentation, PAM for service accounts, and continuous validation for VMS and NVR stacks—without resorting to list spam or generic advice.
Microsoft Outlook has disabled inline SVG image rendering after attackers exploited the feature in phishing campaigns, marking another step in tightening email security.
Mozilla’s new policy for Firefox extensions mandates that developers clearly disclose any data collection or transmission, obtain user consent and categorize the data types. This marks a major shift in add-on privacy, placing transparency at the heart of the browser-extension ecosystem.
CISA warned that multiple federal agencies still haven’t fully patched Cisco ASA/FTD devices despite active exploitation. Because the campaign targets the VPN web server and enables device takeover, teams must apply fixes for CVE-2025-20333/20362, follow ED 25-03 inventory and validation steps, and disconnect end-of-support hardware. This analysis explains impact, attack flow, high-signal detection, and fast remediation so defenders can reduce edge-device risk without slowing operations.
A WhatsApp API flaw allowed researchers to enumerate 3.5 billion accounts by abusing weak rate-limiting in the contact-discovery endpoint, exposing global phone-number mappings and public profile metadata that adversaries could weaponize for large-scale phishing, impersonation and SIM-swap attacks.
SIM farms expose how weak KYC and SMS OTP let fraud scale. Raids seized SIM boxes and tens of thousands of cards. Here’s how carriers and brands can actually fix it.
Apache OpenOffice 4.1.16 fixes seven vulnerabilities that allowed silent external content loading and possible memory corruption during CSV import. Update immediately, restrict DDE and Calc external data sources, and replace templates that embed remote URLs. Verify the new prompts and monitor document-triggered network fetches
Hackers breached the official Xubuntu website and replaced legitimate download links with malware-infected files. The incident highlights the growing risk of supply-chain compromises targeting open-source Linux distributions.
Sixty-four South Koreans were repatriated from Cambodia and are now under investigation for alleged involvement in large-scale online scam networks. Their return follows a scandal involving a student’s death, prompting Seoul to launch a crackdown on illicit recruitment and fraud operations.
A public PoC for CVE-2025-59287 exploits an unsafe deserialization flaw in WSUS. Administrators must deploy Microsoft’s October 2025 updates and hunt for indicators of compromise immediately.