Betting customers data breached, McDonalds leaks job hunter data, BitLocker vulnerability discovered...
Welcome to this week’s Security News. We’ve collated the best articles from the around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
Microsoft Patches 130 Vulnerabilities, Including Critical Flaws in SPNEGO and SQL Server.
For the first time in 2025, Microsoft’s Patch Tuesday updates did not bundle fixes for exploited security vulnerabilities, but the company acknowledged one of the addressed flaws had been publicly known.
The patches resolve a whopping 130 vulnerabilities, along with 10 other non-Microsoft CVEs that affect Visual Studio, AMD, and its Chromium-based Edge browser. Of these, 10 are rated Critical and the remaining are all rated Important in severity. The 11-month streak of patching at least one zero-day that was exploited in the wild ended this month,” Satnam Narang, Senior Staff Research Engineer at Tenable, said.
Fifty-three of these shortcomings are classified as privilege escalation bugs followed by 42 as remote code execution, 17 as information disclosure, and 8 as security feature bypasses. These patches are in addition to two other flaws addressed by the company in the Edge browser since the release of last month’s Patch Tuesday update. The vulnerability that’s listed as publicly known is an information disclosure flaw in Microsoft SQL Server (CVE-2025-49719, CVSS score: 7.5) that could permit an unauthorized attacker to leak uninitialized memory.
Windows BitLocker Bypass Vulnerability Let Attackers Bypass Security Feature.
A critical security vulnerability in Windows BitLocker enables attackers to bypass the encryption feature through a sophisticated time-of-check time-of-use (TOCTOU) race condition attack.
Designated as CVE-2025-48818, this vulnerability affects multiple Windows versions and carries an Important severity rating with a CVSS score of 6.8.
The flaw allows unauthorized attackers with physical access to circumvent BitLocker Device Encryption, potentially exposing sensitive encrypted data on target systems. CVE-2025-48818 represents a time-of-check time-of-use race condition classified under CWE-367, which exploits the temporal gap between security verification and resource utilization. The vulnerability specifically targets the BitLocker Device Encryption feature, Microsoft‘s full-disk encryption solution designed to protect data at rest. The attack vector requires physical access (AV:P) to the target system, with low attack complexity (AC:L) and no user interaction required (UI:N).
Cyber Attacks
Up to 800,000 Betfair and Paddy Power customers hit by data breach
Irish customers of Betfair and Paddy Power have been notified in recent days of a data breach at the Flutter-owned brands, which has impacted as many as 800,000 users in Ireland and Britain.
The betting sites “recently detected that an unauthorised third party” gained access to “limited betting account information” relating to some of its customers, the company said in an email to customers.
Paddy Power and Betfair are owned by Dublin-based Flutter Entertainment, which had 4.2 million average monthly users across its four betting brands in Ireland and Britain, generating $3.6 billion (€3.07 billion) in revenue, according to its annual report. It is the world’s biggest publicly listed betting company, with a market capitalisation of $50.6 billion.
McDonald’s AI Hiring Bot With Password ‘123456’ Leaks Millions of Job-Seekers Data
A severe security vulnerability in McDonald’s AI-powered hiring system has exposed the personal information of potentially 64 million job applicants to unauthorized access. Security researchers Ian Carroll and Sam Curry discovered that the McHire platform, built by artificial intelligence software firm Paradox.ai, suffered from elementary security flaws that allowed hackers to access applicant databases using credentials as simple as the username and password “123456.”
The breach highlights critical cybersecurity failures in AI-driven recruitment systems and raises serious concerns about data protection in automated hiring processes.
In Other News...
ChatGPT Tricked into Disclosing Windows Home, Pro, and Enterprise Editions Keys
A sophisticated jailbreak technique that bypasses ChatGPT’s protective guardrails, tricking the AI into revealing valid Windows product keys through a cleverly disguised guessing game.
This breakthrough highlights critical vulnerabilities in current AI content moderation systems and raises concerns about the robustness of guardrail implementations against social engineering attacks. 0din reports that the attack exploits fundamental weaknesses in how AI models process contextual information and apply content restrictions. Guardrails are protective mechanisms designed to prevent AI systems from sharing sensitive information such as serial numbers, product keys, and confidential data.
ServiceNow Flaw CVE-2025-3648 Could Lead to Data Exposure via Misconfigured ACLs
A high-severity security flaw has been disclosed in ServiceNow’s platform that, if successfully exploited, could result in data exposure and exfiltration.
The vulnerability, tracked as CVE-2025-3648 (CVSS score: 8.2), has been described as a case of data inference in Now Platform through conditional access control list (ACL) rules. It has been codenamed Count(er) Strike.
“A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization,” ServiceNow said in a bulletin. “Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them. Cybersecurity company Varonis, which discovered and reported the flaw in February 2024, said it could have been exploited by malicious actors to obtain unauthorized access to sensitive information, including personally identifiable information (PII) and credentials.