Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11813
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-11 20:28:01 | bleepingcomputer | DATA BREACH | McDonald’s Job Applicant Data Exposed Due to Security Flaw | Cybersecurity researchers identified a vulnerability in McDonald's McHire platform that exposed the personal data of over 64 million U.S. job applicants. The admin panel of the McHire chatbot, Olivia, accepted weak default login credentials ("123456"), allowing unauthorized access. Through an IDOR vulnerability, researchers were able to manipulate the lead_id parameter in API requests to access applicants' personal data, such as chat transcripts and session tokens. The flaw was found during a cursory review and involved both the weak credentials and the IDOR issue. McDonald's responded within an hour of the vulnerability being reported, and Paradox.ai, the third-party provider, resolved the issue the same day. Following the incident, Paradox.ai deployed a fix for the IDOR vulnerability and began a thorough review of its systems to prevent similar occurrences in the future. | Details |
| 2025-07-11 19:46:36 | bleepingcomputer | MALWARE | Critical FortiWeb Vulnerability Allows Pre-Auth Remote Code Execution | Fortinet's FortiWeb web application firewall has a critical SQL injection vulnerability, rated 9.8/10 in severity and identified as CVE-2025-25257. The vulnerability allows unauthenticated remote code execution via crafted HTTP or HTTPS requests sent to FortiWeb servers. The flaw exists in FortiWeb's Fabric Connector function (`get_fabric_user_by_token`), which mistakenly processes SQL code taken from HTTP request headers. Proof-of-concept exploits, capable of opening reverse shells or a web shell, were released by cybersecurity firm WatchTowr and a researcher known as "faulty *ptrrr." Successful exploitation enables attackers to write arbitrary files on affected devices, escalating to remote code execution via misuse of Python scripts on the server. Fortinet has patched the issue in recent FortiWeb versions including 7.6.4, 7.4.8, 7.2.11, and older. Administrators are urged to update immediately, as the likelihood of exploitation increases with the public availability of exploits. There is currently no evidence of active exploitation, but the situation is expected to change as attackers develop and deploy these exploits. | Details |
| 2025-07-11 19:33:09 | bleepingcomputer | MALWARE | Supply Chain Attack Targets WordPress Plugin Gravity Forms | The Gravity Forms plugin, widely used on WordPress sites, was compromised in a supply-chain attack affecting manual downloads from the official site. PatchStack, a security firm, identified malicious code in manually installed versions of the plugin that allowed remote code execution. The compromised plugin collected metadata such as the site URL, admin path, and plugin details, and sent this data to the external host "gravityapi.org/sites." Malicious files within the plugin exposed unauthenticated remote functions capable of altering site content and functionality. RocketGenius, the developer behind Gravity Forms, confirmed the issue was isolated to manual downloads between July 10 and 11, affecting certain versions. The malware blocked updates, fetched additional payloads, and enabled unauthorized admin account creation, giving attackers full site access. PatchStack advises affected users to reinstall the plugin from a clean version and check for any signs of further infection. RocketGenius stated that automatic updates and other installation methods via the Gravity API service were not compromised. | Details |
| 2025-07-11 18:21:13 | theregister | CYBERCRIME | Rapid Exploitation of Wing FTP Server Post-Disclosure Detected | A CVSS 10.0-rated RCE vulnerability in Wing FTP Server was exploited one day after its public disclosure. Over 10,000 customers, including high-profile firms and the U.S. Air Force, were potentially affected. Attackers attempted to exploit the vulnerability by injecting Lua code via null-byte manipulation in the username field. Initial attacks caused limited damage due to the attackers' poor command execution and lack of sophistication. One attacker was observed looking up how to use curl during the attack, highlighting their inexperience. Microsoft Defender intercepted an attempted Trojan download, preventing further harm. The victim organization isolated the compromised server shortly after detection, minimizing the impact. Huntress researchers stress the importance of updating to the patched version 7.4.4. | Details |
| 2025-07-11 15:45:15 | bleepingcomputer | CYBERCRIME | NVIDIA Advises Activation of ECC Against Rowhammer GPU Attacks | NVIDIA has issued guidance to enable System-Level Error-Correcting Code (ECC) to protect GDDR6 GPUs from Rowhammer attacks. Recent research demonstrated a Rowhammer exploit on NVIDIA’s A6000 GPU, highlighting the exposure when System-Level ECC is not active. Rowhammer attacks repeatedly access memory rows to induce bit flips in neighboring cells, undermining data integrity and potentially leading to data corruption or privilege escalation. ECC works by adding redundant bits to data, allowing the system to detect and correct single-bit errors and maintain data accuracy, which is particularly crucial in large-scale AI computations. NVIDIA specifically recommends enabling System-Level ECC on several GPUs, including those used in data centers, workstations, and embedded or industrial environments. NVIDIA’s newer GPUs, such as the Blackwell and Hopper series, already have built-in on-die ECC protection that does not require manual activation. ECC status can be verified in two ways: out-of-band via the BMC and hardware interface software, or in-band using the nvidia-smi command-line utility. Real-world exploitation of Rowhammer is complex and challenging because it requires specific conditions and a degree of control, although it remains a significant security concern in multi-tenant cloud environments. | Details |
| 2025-07-11 15:09:21 | bleepingcomputer | MALWARE | Critical Security Flaw Discovered in Popular AI Coding Tools | A security vulnerability in OpenVSX could have allowed attackers to compromise over 10 million devices. OpenVSX, a key part of the developer toolchain for AI coding assistants such as Cursor and Windsurf, contained a critical zero-day flaw allowing full-system access. The flaw would have let even unsophisticated attackers control the marketplace by pushing malicious updates via the @open-vsx account. Security researcher Oren Yomtov of Koi Security discovered the issue and demonstrated its viability through lab-based simulations. Such an attack would enable widespread supply chain disruption, akin to infamous incidents like SolarWinds, and would affect even browser-based tools like Gitpod or StackBlitz. The vulnerability underscores the need to treat extensions as potential security threats, with zero-trust policies and rigorous oversight of extension management. Yomtov and Koi Security worked with the Eclipse Foundation to mitigate the risk, leading to the deployment of a robust fix that secured the marketplace. | Details |
| 2025-07-11 14:51:47 | bleepingcomputer | CYBERCRIME | Urgent CISA Directive Orders Immediate Patch of CitrixBleed 2 Flaw | The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has reported active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway platforms. Federal agencies have been given just one day to apply the critical patches, indicating the seriousness of the threat. CitrixBleed 2 is a critical memory safety issue that allows unauthenticated attackers to access restricted memory areas in affected NetScaler configurations. Citrix released updates on June 17, prior to third-party revelations about the potential for widespread exploitation. As proof-of-concept exploits became publicly available, activity on hacker forums increased, with participants discussing and refining attack methods using the vulnerability. CISA's directive includes upgrading firmware to secure versions, disconnecting any compromised sessions, and reviewing for suspicious activity. Despite Citrix's initial reports of no evidence of in-the-wild exploitation, recent activity and CISA's confirmation indicate that threat actors have successfully developed and deployed exploits. The situation underscores the ongoing risk of known vulnerabilities being weaponized, stressing the importance of timely patch management and security oversight. | Details |
| 2025-07-11 14:43:19 | thehackernews | MALWARE | Fortinet Fixes Critical SQL Injection Vulnerability in FortiWeb | Fortinet has patched a critical SQL injection vulnerability in FortiWeb, identified as CVE-2025-25257, with a CVSS score of 9.6. The flaw allows unauthenticated attackers to execute arbitrary SQL commands through crafted HTTP or HTTPS requests. The vulnerability was discovered by Kentaro Kawane and affects FortiWeb versions through the product's Fabric Connector component. The security gap stems from inadequate input sanitization within the function "get_fabric_user_by_token." Attackers could potentially manipulate SQL queries to export data to files within the system, escalating the attack’s severity. A temporary mitigation is to disable the HTTP/HTTPS administrative interface until patches are fully applied. Rapid patching is urged given the history of exploitation of similar vulnerabilities in Fortinet products. | Details |
| 2025-07-11 12:13:18 | thehackernews | CYBERCRIME | Bluetooth Flaws Allow Hackers to Control Millions of Vehicles | Cybersecurity researchers discovered four security flaws in OpenSynergy's BlueSDK Bluetooth stack that could lead to remote code execution on millions of vehicles. The vulnerabilities, collectively named PerfektBlue, affect multiple automakers including Mercedes-Benz, Volkswagen, and Skoda, with a fourth unnamed OEM also affected. PerfektBlue involves critical memory corruption and logic issues that can be exploited to perform actions ranging from tracking GPS coordinates to gaining control of critical vehicle functions. The vulnerabilities allow attackers to exploit the infotainment system remotely, requiring only that the attacker be within Bluetooth range to pair with the system. Infotainment systems, though often considered isolated, can serve as a gateway to more critical functions due to poor isolation and a lack of secure communication protocols. Following responsible disclosure in May 2024, manufacturers issued security patches in September 2024 to address the vulnerabilities. The findings demonstrate that automakers need to strengthen the security of vehicle systems to prevent exploitation and improve customer safety. | Details |
| 2025-07-11 11:06:08 | thehackernews | CYBERCRIME | Critical Wing FTP Server Flaw Actively Exploited by Cybercriminals | A security flaw in Wing FTP Server, CVE-2025-47812, allows remote code execution and is currently being actively exploited. The vulnerability carries the maximum CVSS rating of 10.0 because it lets attackers execute system commands with high privileges. The flaw stems from the server’s web interface mishandling null bytes, which lets attackers inject arbitrary Lua code into user session files. The issue, which affects both the user and admin interfaces, has been patched in the latest version, 7.4.4. Following public disclosure by RCE Security, cybercriminals exploited the vulnerability to conduct reconnaissance, download malicious files, and attempt to establish persistence. Evidence of exploitation was first spotted on July 1, 2025, a day after public disclosure, showing the immediate danger to unpatched systems. Over 8,000 Wing FTP servers are potentially at risk, with significant numbers located in the U.S., China, Germany, the U.K., and India. Users are urged to apply the security update promptly to mitigate the risk and safeguard their systems against potential breaches. | Details |
| 2025-07-11 11:06:08 | thehackernews | DATA BREACH | Enterprises Face Increasing Data Security Risks in AI Era | The Zscaler ThreatLabz 2025 Data Risk Report highlights growing vulnerabilities in data security as enterprises adopt AI tools and cloud platforms. Insights from over 1.2 billion blocked transactions between February and December 2024 stress the urgency of improving data protection strategies. Key challenges identified include data leakage through generative AI and persistent risks from email, SaaS applications, and file-sharing services. The report underscores the necessity of a proactive, unified, AI-driven approach to protecting sensitive enterprise data. Evolving technology environments are intensifying data security risks, necessitating a reevaluation of current security measures. Enterprises are encouraged to explore Zscaler’s Zero Trust Architecture and AI-enhanced security solutions to mitigate data threats effectively. | Details |
| 2025-07-11 10:49:44 | thehackernews | NATION STATE ACTIVITY | Pay2Key Ransomware Linked to Iran Targets U.S. and Israel | The Iranian-backed ransomware-as-a-service (RaaS) operation Pay2Key has resurfaced with new capabilities and strategies, including an increased profit share for affiliates targeting the U.S. and Israel. Linked to the Fox Kitten APT group, Pay2Key now incorporates functionality from the Mimic ransomware, enhancing its destructive potential. The scheme offers an 80% profit share to affiliates who conduct cyberattacks aligned with Iranian interests, up from the previous 70%. Since February 2025, Pay2Key has claimed over 51 successful operations, generating more than $4 million in ransoms and $100,000 in affiliate profits. Pay2Key.I2P operates on the Invisible Internet Project (I2P), marking a significant development in RaaS infrastructure and anonymity. The latest updates include targeting Linux systems, introducing advanced evasion tactics, and removing traces to avoid forensic detection. U.S. cybersecurity agencies have issued warnings about potential retaliatory attacks by Iran, highlighting a surge in Iranian cyber activity against U.S. industrial and critical infrastructure sectors. Pay2Key represents a growing convergence of state-sponsored cyber warfare and sophisticated global cybercrime, requiring heightened security vigilance from Western organizations. | Details |
| 2025-07-11 10:39:25 | theregister | MISCELLANEOUS | UK Online Safety Act Called Inadequate Against Misinformation | The Online Safety Act, enacted in October 2023, is criticized for failing to adequately address the spread of online misinformation and of harmful but legal content. During the summer of 2024, riots fueled by misinformation about a fatal incident in Southport highlighted the act's shortcomings. MPs warn that social media platforms' algorithms amplify misleading content, which contributed to the unrest and misinformation during the crisis. The Science, Innovation and Technology Committee recommends that the government hold social media companies accountable for content curation and amplification. Recommendations include introducing regulations that cover the dissemination of "legal but harmful" content and ensuring accountability for algorithmic recommendations. The report found that false claims about the Southport incident reached a wide audience very quickly, partly because social media algorithms promoted trending topics. The committee calls for a stronger regulatory framework based on principles such as protecting free expression while holding platforms accountable for their role in content distribution. | Details |
| 2025-07-11 09:54:48 | bleepingcomputer | CYBERCRIME | Arrests Made in UK Following Cyberattacks on Major Retailers | The UK's National Crime Agency (NCA) arrested four individuals linked to cyberattacks on Marks & Spencer, Co-op, and Harrods. The suspects are two 19-year-old males, a 17-year-old male, and a 20-year-old female from London and the West Midlands. Charges include Computer Misuse Act offenses, blackmail, money laundering, and participation in organized crime. The cyberattacks, attributed to the group Scattered Spider, led to considerable financial losses, notably a £300M impact on M&S's profits. Marks & Spencer was forced to pause online orders and reset all customer passwords because customer data was compromised. Electronic devices were seized during the arrests to gather evidence and identify possible connections with other conspirators. The arrests may temporarily disrupt the activities of Scattered Spider, as remaining members may go into hiding. Investigations continue with international cooperation to identify and bring all involved parties to justice. | Details |
| 2025-07-11 07:37:17 | theregister | DATA BREACH | Insecure Website Exposes Company Data and Employee Credentials | A cybersecurity firm specializing in email and web security bought iPads as an incentive for a customer satisfaction survey, and the devices were later stolen from their secure storage. The theft led to the discovery that an ex-convict, hired as Head of Legal, had accessed and stolen the iPads, resulting in his termination. After the incident, the company introduced mandatory background checks, requiring employees to upload sensitive documents to a newly created website. The website, developed by a used-car salesman friend of the HR manager, was insecure and exposed employee data because weak, easily guessable passwords were embedded in the site’s code. An IT employee, "Boris," discovered the security flaws, but his attempts to report the issue led to an aggressive confrontation with HR. The company demanded that the website be fixed only after the issue was demonstrated to senior management, without addressing the broader security and ethical implications. Disappointed by the handling of the situation and the lack of accountability, Boris left the company for a new job. | Details |