Weekly Security News – 18th August 2025


MS Office vulnerabilities, Google confirms Salesforce data breach, Passkey login bypassed...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. We’ve also got the latest CVE information to help you stay ahead of vulnerabilities. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

News & Articles

Microsoft Office Vulnerabilities Let Attackers Execute Malicious Code Remotely

Microsoft released critical security updates, addressing three serious vulnerabilities in Microsoft Office that could allow attackers to execute remote code on affected systems. 

The vulnerabilities, tracked as CVE-2025-53731, CVE-2025-53740, and CVE-2025-53730, affect multiple versions of Microsoft Office and pose significant security risks to organisations and individual users worldwide.

The newly disclosed vulnerabilities stem from use-after-free memory corruption issues, classified under CWE-416 in the Common Weakness Enumeration database. 

The vulnerabilities affect a comprehensive range of Microsoft Office products, including Microsoft Office 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft 365 Apps for Enterprise across both 32-bit and 64-bit architectures. 

Mac users are also at risk, with Microsoft Office LTSC for Mac 2021 and 2024 versions requiring immediate updates. The widespread impact encompasses millions of users across corporate and consumer environments globally.

Microsoft has released comprehensive security updates for all affected Office versions, with update KB5002756 addressing the vulnerabilities in Office 2016 editions. 

New downgrade attack can bypass FIDO auth in Microsoft Entra ID

Security researchers have created a new FIDO downgrade attack against Microsoft Entra ID that tricks users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking.

These weaker login channels are vulnerable to adversary-in-the-middle phishing attacks that employ tools like Evilginx, enabling attackers to snatch valid session cookies and hijack the accounts.

Although the attack doesn’t prove a vulnerability in FIDO itself, it shows that the system can be bypassed, which is a crucial weakness.

FIDO passkeys are a passwordless authentication method based on the FIDO2 and WebAuthn standards, designed to eliminate the weaknesses of passwords and traditional multi-factor authentication (MFA).

Microsoft shared the following statement regarding Proofpoint’s research.

“The campaign is not the result of a product vulnerability and – instead – relies on a targeted phishing attack. This social engineering technique requires an attacker to convince a user to click on a malicious link, leading to an unsafe site,” a Microsoft spokesperson said.

“We recommend customers deploy phishing-resistant authentication methods, enforced by Conditional Access authentication strength, which prevents this type of attack. We encourage customers to practice good computing habits online including exercising caution when clicking on links to unknown web pages.”

Google Confirms Data Breach – Notifying Users Affected By the Cyberattack

Following our report on this last week, tech giant Google has now officially acknowledged a significant data breach affecting its corporate Salesforce database, with the company completing email notifications to affected users as of 8th August 2025.

According to Google’s analysis, the attackers gained access through a malicious version of Salesforce’s Data Loader application. During fraudulent phone calls, victims were guided to authorize what appeared to be a legitimate connected app, inadvertently granting the cybercriminals extensive capabilities to access and extract sensitive data. Google emphasised that the breach was contained within “a small window of time before the access was cut off”. 

The company assured users that payment information remained secure and that there was no impact on Google Ads data, Merchant Center, Google Analytics, or other advertising products.

Passkey Login Bypassed via WebAuthn Process Manipulation

Researchers at enterprise browser security firm SquareX have demonstrated an attack method that can be used to gain access to an account protected by passkeys.

Passkeys are designed to provide a more secure alternative to passwords, enabling users to log into their account based on a private key stored on the device. Users can sign in using various authentication methods, including PIN, facial recognition, or fingerprint scan. 

Unlike passwords, passkeys are considered phishing resistant as a fake website cannot trick users into handing over their passkey. 

However, researchers at SquareX showed at DEF CON over the weekend that under certain circumstances passkeys can be bypassed. It’s worth pointing out that the attack does not target passkey cryptography, but rather it shows the potential for a compromised browser environment to manipulate the process that passkeys rely on.

In order to conduct an attack, a threat actor needs to convince the targeted user to install a malicious browser extension. The attacker can, for instance, disguise the malicious extension as a useful tool and upload it to an extension repository.  

Latest Vulnerabilities & Exploits

CVE-2025-34154

Critical - UnForm Server Manager

UnForm Server Manager versions prior to 10.1.12 expose an unauthenticated file read vulnerability via its log file analysis interface. The flaw resides in the arc endpoint, which accepts a fl parameter to specify the log file to be opened. Due to insufficient input validation and lack of path sanitisation, attackers can supply relative paths to access arbitrary files on the host system — including sensitive OS-level files — without authentication.

CVE-2012-10055

Critical - ComSndFTP

ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. By sending a specially crafted username containing format specifiers, a remote attacker can overwrite a hardcoded function pointer in memory (specifically WSACleanup from Ws2_32.dll). This allows the attacker to redirect execution flow and bypass DEP protections using a ROP chain, ultimately leading to arbitrary code execution. The vulnerability is exploitable without authentication and affects default configurations.

CVE-2011-10018

Critical - myBB

myBB version 1.6.4 was distributed with an unauthorised backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application.

CVE-2012-10056

High - PHP Volunteer Management System

PHP Volunteer Management System v1.0.2 contains an arbitrary file upload vulnerability in its document upload functionality. Authenticated users can upload files to the mods/documents/uploads/ directory without any restriction on file type or extension. Because this directory is publicly accessible and lacks execution controls, attackers can upload a malicious PHP payload and execute it remotely. The application ships with default credentials, making exploitation trivial. Once authenticated, the attacker can upload a PHP shell and trigger it via a direct GET request.
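As an added example that is not part of this digest or of either product's code, the Python below shows the defensive pattern behind both the UnForm file-read flaw (an unchecked fl parameter joined onto a log directory) and the PHP Volunteer Management System upload flaw (no restriction on uploaded file name or type): validate the user-supplied name, allowlist extensions, and confirm the resolved path stays inside the intended directory. The directory paths and extension lists are assumptions, not values from the advisories.

```python
import re
import secrets
from pathlib import Path

# Assumed directories (not from the advisories); uploads live outside the web root
LOG_DIR = Path("/var/log/app")
UPLOAD_DIR = Path("/srv/app-data/uploads")
# A single plain path component: no '/', '\\', NUL, and no leading '.'
BARE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


def contain(base: Path, name: str, allowed_ext) -> Path:
    """Return base/name only if name is one plain component with an allowed
    extension and the resolved path is directly inside base."""
    if not BARE_NAME.fullmatch(name):
        raise ValueError("invalid file name")
    if Path(name).suffix.lower() not in allowed_ext:
        raise ValueError("file type not allowed")
    root = base.resolve()
    target = (root / name).resolve()   # follows symlinks, collapses '..'
    if target.parent != root:          # catches a symlink pointing outside
        raise ValueError("path escapes base directory")
    return target


def unsafe_log_path(fl: str) -> Path:
    """The vulnerable pattern: the parameter is joined onto the directory
    as-is, so a relative path such as '../../../etc/passwd' walks out."""
    return LOG_DIR / fl


def log_path(fl: str) -> Path:
    """Hardened replacement for unsafe_log_path (read side)."""
    return contain(LOG_DIR, fl, {".log", ".txt"})


def upload_target(original_name: str) -> Path:
    """Hardened upload (write side): validate the client's name, then store
    under a random server-chosen name so the client never picks what is
    written where; only the vetted extension is kept."""
    checked = contain(UPLOAD_DIR, original_name, {".pdf", ".docx", ".png"})
    return UPLOAD_DIR.resolve() / f"{secrets.token_hex(16)}{checked.suffix}"


def accepts(func, name: str) -> bool:
    """True if func accepts name; handy for listing what gets rejected."""
    try:
        func(name)
        return True
    except ValueError:
        return False
```

Because the upload directory sits outside the web root and the stored name is server-generated, an accepted file can never be reached or executed by the name the client chose.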

Sources: cybersecuritynews.com, Bleeping Computer, SecurityWeek