Major Incidents or Breaches

  • A vulnerability in McHire, McDonald’s chatbot job application platform, exposed chat histories and personal data of over 64 million job applicants in the United States due to weak authentication (“123456” password) and insecure API design.
  • The developer account for the WordPress Gravity Forms plugin was compromised, leading to backdoored plugin installers being distributed via the official website in a supply-chain attack.
  • A critical vulnerability (CVE-2025-47812) in Wing FTP Server is being actively exploited in the wild, allowing attackers to execute arbitrary commands with root or system privileges.

Newly Discovered Vulnerabilities

  • Fortinet patched a critical SQL injection vulnerability (CVE-2025-25257) in FortiWeb that allows unauthenticated attackers to execute arbitrary database commands. Proof-of-concept exploits for this vulnerability have been publicly released.
  • Security researchers disclosed four vulnerabilities in OpenSynergy’s BlueSDK Bluetooth stack (“PerfektBlue”), which could allow remote code execution on millions of vehicles (including Mercedes, Skoda, and Volkswagen) and over a billion industrial, medical, mobile, and consumer devices.
  • The U.S. CISA confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway, requiring federal agencies to patch within 24 hours.
  • A zero-day vulnerability in OpenVSX, a popular extension marketplace, was discovered and patched. The flaw could have enabled attackers to compromise millions of developer machines via a supply chain attack.
  • Microsoft disclosed new attack techniques targeting AMD CPUs.
  • NVIDIA issued guidance recommending activation of System Level Error-Correcting Code (ECC) to mitigate Rowhammer attacks on GPUs with GDDR6 memory. Researchers demonstrated Rowhammer-based “GPUHammer” attacks that can degrade machine learning model accuracy.

Notable Threat Actor Activity

  • The Iranian-backed Pay2Key ransomware-as-a-service operation has resurfaced, offering affiliates an increased profit share (80%) for attacks targeting Western organisations, particularly in the US and Israel. This follows recent geopolitical tensions involving Iran, Israel, and the US.
  • The Indian APT group DoNot is actively targeting government entities.

Trends, Tools, or Tactics of Interest

  • Researchers at Netcraft highlighted that AI-generated search engine summaries are inadvertently directing users to phishing sites when queried for legitimate login pages, posing a new phishing risk vector.
  • SentinelOne reported evolution in the ZuRu macOS malware family.
  • The 2025 Data Risk Report notes heightened data loss risks from AI-powered tools, with calls for unified, AI-driven data security strategies.
  • Cyber-insurance premiums are declining from previous highs, though comprehensive coverage remains vital for risk management.
  • There is increased emphasis on integrating cybersecurity into financial sector digital transformation strategies.
  • Discussion of passwordless authentication mechanisms, specifically passkeys based on public key cryptography, as a way to address the inherent risks of shared secrets in traditional password systems.

Regulatory or Policy Developments

  • The European Union unveiled a voluntary AI Code of Practice to help businesses comply with the phased rollout of the EU AI Act.
  • The Irish Data Privacy Commission opened a new investigation into TikTok regarding the transfer of user data to China under EU privacy regulations.
  • Google did not release a scheduled July 2025 Android security patch, breaking a ten-year streak of monthly updates.