WhatsApp has issued a warning about a serious security flaw that may have been used in attacks against specific users. Meta, the company behind the messaging app, revealed the vulnerability in a security advisory last week. The flaw, tracked as CVE-2025-55177, involves incomplete authorization of linked device synchronization messages. This weakness could allow an unrelated user to process content from any URL on a target’s device.
Meta also referenced a zero-click vulnerability recently patched by Apple, CVE-2025-43300, suggesting that both flaws might have been exploited in highly targeted attacks. Experts believe the attacks are sophisticated. Donncha Ó Cearbhaill, head of Amnesty International’s security lab, said the flaws could be used by commercial surveillanceware providers to target specific individuals. Surveillanceware is usually designed to monitor criminals but is increasingly misused against journalists, human rights defenders, and other vulnerable groups. Reports suggest that the reward for exploiting a zero-click WhatsApp flaw could reach $1 million.
Microsoft will require multi-factor authentication (MFA) on all Azure systems starting October 1, except for read-only access. This move aims to improve security for cloud operations. MFA will be enforced for accounts using Azure CLI, PowerShell, mobile apps, Infrastructure-as-Code tools, and REST APIs to perform any create, update, or delete actions. Read-only operations are excluded. Some organizations facing complex environments or technical challenges may request an extension until July 1 next year. Microsoft also recommends migrating user-based service accounts to secure cloud-based accounts with workload identities. Security experts emphasize that MFA significantly reduces hacking risks, making it a crucial measure for Azure users.
Japanese automaker Nissan confirmed that its design subsidiary, Creative Box Inc, was targeted by the Qilin ransomware gang. Nissan said some design data was leaked and an investigation is ongoing. Qilin is known for providing legal advice to criminals using its ransomware and has been linked to severe incidents globally. The attack highlights the increasing sophistication of ransomware groups and the risks they pose to corporate infrastructure.
Baltimore authorities admitted that $1.5 million in city funds were stolen due to a procurement scam. Fraudsters accessed a vendor’s Workday account and changed payment information to their own bank account. The city managed to recover nearly half of the stolen funds, but insurers refused to cover the rest. The incident underscores the importance of robust financial security protocols, especially for government operations.
A critical flaw in FreePBX, an open-source telecom software, is being actively exploited. Discovered on August 21, the vulnerability allowed attackers to manipulate databases and execute remote code. The flaw had the maximum CVSS severity rating of 10. Users are urged to upgrade to the latest supported versions (15, 16, or 17) and ensure the endpoint module is patched. Systems not set for automatic updates or running outdated versions remain at risk. Suspicious ampuser accounts linked to the attack have been detected, emphasizing the urgency for updates. The U.S. Cybersecurity and Infrastructure Security Agency also advises immediate action.
The recent WhatsApp targeted user attack, combined with ransomware and software vulnerabilities, highlights the evolving cybersecurity threats affecting individuals and organizations. Experts urge users to apply updates, enable MFA, and monitor for suspicious activity to reduce exposure to attacks.
