CarPlay hack discovered, Cisco patches vulnerabilities, Microsoft 365 phishing attacks on the rise...
Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. We’ve also got the latest CVE information to help you stay ahead of vulnerabilities. If you have any queries or concerns about anything in this week’s news, please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
News & Articles
Remote CarPlay Hack Puts Drivers at Risk of Distraction and Surveillance
Researchers have disclosed details of a remote CarPlay hack that can allow attackers to spy on drivers or distract them.
Runtime application security firm Oligo earlier this year revealed that its researchers had discovered potentially serious vulnerabilities in Apple’s AirPlay wireless communication protocol and the accompanying SDK, warning that they could allow hackers to remotely take over devices.
One of the flaws, tracked as CVE-2025-24132, allows attackers to create wormable zero-click remote code execution exploits that enable them to use compromised devices as a launchpad for additional attacks.
The cybersecurity firm explained that an attacker could conduct wired attacks by connecting to the targeted CarPlay system via USB. Wireless attacks are also possible, including over Wi-Fi, where the attack leverages the fact that many vendors ship their systems with default Wi-Fi passwords.
Wireless attacks can also be conducted over Bluetooth. The attacker can pair with the targeted CarPlay system over Bluetooth as long as they are in range. If PIN pairing is enabled, the attacker will likely see the required 4-digit PIN on the screen of the car’s infotainment system. In some cases so-called ‘just works’ pairing is enabled, which allows the attacker to easily connect to the system without any user interaction.
Apple patched CVE-2025-24132 in late April, but only a few vendors have integrated the patch into their products, and Oligo is not aware of any car manufacturer having applied it, which is why the firm has not made full technical details public.
Cisco Patches High-Severity IOS XR Vulnerabilities
Cisco on Wednesday released patches for three vulnerabilities in IOS XR software, as part of its September 2025 security advisory bundled publication.
Tracked as CVE-2025-20248 (CVSS score of 6), the first of the bugs is a high-severity issue in the IOS XR installation process that could allow attackers to bypass image signature verification.
Successful exploitation of the flaw, Cisco explains, could lead to unsigned files being added to an ISO image, which could then be installed and activated on a device.
Because of the potential bypass of the image verification process, Cisco has raised the security impact rating (SIR) of the advisory from medium to high.
Cisco says it is not aware of this vulnerability being exploited in the wild. Users are nevertheless advised to apply the available patches as soon as possible, as attackers are known to exploit Cisco bugs.
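The bug class described above, a signature check that covers the files an image lists but not files added alongside them, is easy to reproduce outside IOS XR. The following is an added illustration, not Cisco's install code or its real image format: an image is modelled as a path-to-bytes mapping, the manifest is authenticated with an HMAC under a constructed key standing in for the vendor's signing key, and the weak verifier only checks the files the manifest names, while the strict verifier also rejects anything in the image the manifest does not cover.

```python
import hashlib
import hmac
import json

# Constructed key: stands in for the vendor's signing key in this illustration.
# A real image format would use an asymmetric signature over the manifest.
SIGNING_KEY = b"example-signing-key-not-real"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_signed_manifest(image: dict) -> dict:
    """List every file's digest and MAC the list so it cannot be altered."""
    entries = {path: sha256(data) for path, data in sorted(image.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, "sha256").hexdigest()
    return {"entries": entries, "sig": sig}


def manifest_is_authentic(manifest: dict) -> bool:
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["sig"])


def verify_image_weak(image: dict, manifest: dict) -> bool:
    """Flawed verifier: only the files the manifest names are checked, so an
    attacker can drop an unsigned file next to them without failing the check."""
    if not manifest_is_authentic(manifest):
        return False
    return all(sha256(image.get(path, b"")) == digest
               for path, digest in manifest["entries"].items())


def verify_image_strict(image: dict, manifest: dict) -> bool:
    """Hardened verifier: the set of files in the image must equal the set the
    signed manifest covers, and every digest must match."""
    if not manifest_is_authentic(manifest):
        return False
    if set(image) != set(manifest["entries"]):
        return False
    return all(sha256(image[path]) == digest
               for path, digest in manifest["entries"].items())


def demo() -> dict:
    # Constructed sample image: two vendor files, then one unsigned file added later.
    image = {"boot/kernel": b"vendor kernel", "pkgs/base.rpm": b"vendor base package"}
    manifest = build_signed_manifest(image)
    tampered = dict(image)
    tampered["pkgs/extra.rpm"] = b"attacker-supplied, never signed"
    return {
        "clean_weak": verify_image_weak(image, manifest),
        "clean_strict": verify_image_strict(image, manifest),
        "tampered_weak": verify_image_weak(tampered, manifest),      # bypass: True
        "tampered_strict": verify_image_strict(tampered, manifest),  # rejected: False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The strict form is the property to test for when reviewing any installer: the signature must bind the complete set of content that will be activated, not just a subset listed in a side file.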
Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks
Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft’s Direct Send feature to form a “highly efficient attack pipeline” in recent phishing campaigns, according to new findings from ReliaQuest.
The abuse of Axios was previously flagged by Proofpoint in January 2025, detailing campaigns utilising HTTP clients to send HTTP requests and receive HTTP responses from web servers to conduct account takeover (ATO) attacks on Microsoft 365 environments.
By amplifying Axios abuse through Microsoft Direct Send, the attackers aim to weaponise a trusted delivery method so that their messages slip past secure email gateways and land in users’ inboxes. Indeed, attacks that paired Axios with Direct Send have been found to achieve a 70% success rate in recent campaigns, surging past non-Axios campaigns with “unparalleled efficiency.”
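Two detection angles follow from the above: sign-ins that present the Axios HTTP client as their user agent, and inbound mail that claims one of the tenant’s own domains as sender yet arrives unauthenticated from outside, which is what Direct Send looks like on the wire. The block below is an added example, not ReliaQuest’s or Proofpoint’s detection logic; the sign-in events and header blocks are constructed, `ORG_DOMAINS` is assumed to be the tenant’s accepted domains, and the heuristic assumes the attacker keeps Axios’s default `axios/` user-agent string, which a careful operator may change.

```python
import re
from email import message_from_string

# Assumed: the tenant's accepted domains. Mail claiming these as sender but
# accepted over anonymous SMTP from outside is the Direct Send pattern.
ORG_DOMAINS = {"example.com"}

# Constructed sign-in events in the shape of a simplified Entra ID sign-in log.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ip": "198.51.100.4",
     "userAgent": "axios/1.7.2", "status": "Success"},
    {"user": "bob@example.com", "ip": "192.0.2.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...", "status": "Success"},
]

# Constructed header block mimicking a Direct Send message: an external host
# submitted mail claiming an internal sender, so Exchange tagged the session
# as anonymous and SPF / composite authentication failed.
SAMPLE_DIRECT_SEND = """\
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Action required: password expiry
X-MS-Exchange-Organization-AuthAs: Anonymous
Authentication-Results: spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=example.com;
 dmarc=fail action=oreject header.from=example.com; compauth=fail reason=001

"""

# Constructed header block for a genuine internal message.
SAMPLE_INTERNAL = """\
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch?
X-MS-Exchange-Organization-AuthAs: Internal
Authentication-Results: spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com; compauth=pass reason=109

"""


def axios_signins(events):
    """Sign-ins whose user agent is the Axios HTTP client rather than a browser or Office app."""
    return [e for e in events if e.get("userAgent", "").lower().startswith("axios/")]


def sender_domain(value: str) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", value)
    return m.group(1).lower() if m else ""


def direct_send_indicators(raw_headers: str):
    """Return the reasons a message looks like Direct Send abuse (empty list if none)."""
    msg = message_from_string(raw_headers)
    if sender_domain(msg.get("From", "")) not in ORG_DOMAINS:
        return []  # spoofing someone else's brand is ordinary phishing, not Direct Send
    findings = []
    if msg.get("X-MS-Exchange-Organization-AuthAs", "").strip().lower() == "anonymous":
        findings.append("own domain in From, but accepted over anonymous SMTP")
    auth = " ".join(msg.get_all("Authentication-Results", []))
    if re.search(r"\bspf=(fail|softfail)\b", auth):
        findings.append("SPF failed for own domain")
    if "compauth=fail" in auth:
        findings.append("composite authentication failed")
    return findings


if __name__ == "__main__":
    for event in axios_signins(SAMPLE_SIGNINS):
        print("Axios sign-in:", event["user"], "from", event["ip"])
    for label, sample in (("direct-send", SAMPLE_DIRECT_SEND), ("internal", SAMPLE_INTERNAL)):
        print(label, "->", direct_send_indicators(sample) or "clean")
```

In a live tenant the same checks run over the message trace and sign-in log exports rather than raw headers; the point is to correlate the two, since an Axios sign-in for an account that later appears as the "internal" sender of unauthenticated mail is a stronger signal than either alone.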
The findings also follow the discovery of an ongoing campaign that has employed a nascent phishing-as-a-service (PhaaS) offering called Salty 2FA to steal Microsoft login credentials and sidestep MFA by simulating six different methods: SMS authentication, authenticator apps, phone calls, push notifications, backup codes, and hardware tokens.
From MostereRAT to ClickFix: New Malware Campaigns Highlight Rising AI and Phishing Risks
Cybersecurity researchers have disclosed details of a phishing campaign that delivers a stealthy banking malware-turned-remote access trojan called MostereRAT.
The phishing attack incorporates a number of advanced evasion techniques to gain complete control over compromised systems, siphon sensitive data, and extend its functionality by serving secondary plugins, Fortinet FortiGuard Labs said.
The findings coincide with the emergence of another campaign that employs “ClickFix-esque techniques” to distribute a commodity information stealer known as MetaStealer to users searching for tools like AnyDesk.
“These types of attacks that require some level of manual interaction from the victim, as they work to ‘fix’ the purported broken process themselves, work in part because they can potentially circumvent security solutions,” Huntress said. “Threat actors are continuing to move the needle in their infection chains, throwing a wrench into detection and prevention.”
Latest Vulnerabilities & Exploits
CVE-2025-39786
High - Linux Kernel
In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7173: fix channels index for syscalib_mode. Fix the index used to look up the channel when accessing the syscalib_mode attribute. The address field is a 0-based index (same as scan_index) that is used to access the channel in the ad7173_channels array throughout the driver. The channels field, on the other hand, may not match the address field depending on the channel configuration specified in the device tree, and using it could result in an out-of-bounds access.
CVE-2025-39787
High - Linux Kernel
In the Linux kernel, the following vulnerability has been resolved: soc: qcom: mdt_loader: Ensure we don’t read past the ELF header. When the MDT loader is used in remoteproc, the ELF header is sanitized beforehand, but that’s not necessarily the case for other clients. Validate the size of the firmware buffer to ensure that we don’t read past the end as we iterate over the header. e_phentsize and e_shentsize are validated as well, to ensure that the assumptions about step size in the traversal are valid.
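The checks the mdt_loader fix describes (buffer large enough for the ELF header, `e_phentsize`/`e_shentsize` equal to the sizes the traversal assumes, and the program header table and each segment’s file data lying inside the buffer) are the same ones any firmware loader needs. The parser below is an added example written in Python rather than the kernel’s C, not the mdt_loader code itself; it builds a constructed minimal ELF64 image with two PT_LOAD segments, then rejects a truncated copy of it.

```python
import struct

ELF64_EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte little-endian ELF64 header
ELF64_PHDR = struct.Struct("<IIQQQQQQ")           # 56-byte program header
ELF64_SHDR_SIZE = 64
PT_LOAD = 1


def parse_program_headers(fw: bytes):
    """Validate the ELF header against the buffer and return (p_type, p_offset, p_filesz)
    for every program header. Raises ValueError instead of reading out of bounds.
    (Python ints do not overflow; a C implementation must also guard the additions.)"""
    if len(fw) < ELF64_EHDR.size:
        raise ValueError("buffer shorter than ELF header")
    (ident, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = ELF64_EHDR.unpack_from(fw, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2:
        raise ValueError("not a 64-bit ELF image")
    # Step sizes must match the structures we are about to walk.
    if e_phentsize != ELF64_PHDR.size:
        raise ValueError(f"unexpected e_phentsize {e_phentsize}")
    if e_shnum and e_shentsize != ELF64_SHDR_SIZE:
        raise ValueError(f"unexpected e_shentsize {e_shentsize}")
    # Whole header tables must lie inside the buffer before we iterate.
    if e_phoff + e_phnum * e_phentsize > len(fw):
        raise ValueError("program header table runs past end of buffer")
    if e_shnum and e_shoff + e_shnum * e_shentsize > len(fw):
        raise ValueError("section header table runs past end of buffer")
    segments = []
    for i in range(e_phnum):
        (p_type, p_flags, p_offset, p_vaddr, p_paddr,
         p_filesz, p_memsz, p_align) = ELF64_PHDR.unpack_from(fw, e_phoff + i * e_phentsize)
        if p_offset + p_filesz > len(fw):
            raise ValueError(f"segment {i} data runs past end of buffer")
        segments.append((p_type, p_offset, p_filesz))
    return segments


def build_sample_firmware(payload: bytes = b"firmware-segment-data") -> bytes:
    """Constructed ELF64 image: header, two PT_LOAD headers, then the payload bytes."""
    phnum = 2
    data_off = ELF64_EHDR.size + phnum * ELF64_PHDR.size  # 176
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)    # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = ELF64_EHDR.pack(ident, 2, 0xB7, 1, 0, ELF64_EHDR.size, 0, 0,
                           ELF64_EHDR.size, ELF64_PHDR.size, phnum, 0, 0, 0)
    half = len(payload) // 2
    rest = len(payload) - half
    phdrs = ELF64_PHDR.pack(PT_LOAD, 5, data_off, 0x1000, 0x1000, half, half, 0x1000)
    phdrs += ELF64_PHDR.pack(PT_LOAD, 6, data_off + half, 0x2000, 0x2000, rest, rest, 0x1000)
    return ehdr + phdrs + payload


if __name__ == "__main__":
    fw = build_sample_firmware()
    print("segments:", parse_program_headers(fw))
    for cut in (120, 180):
        try:
            parse_program_headers(fw[:cut])
        except ValueError as err:
            print(f"truncated to {cut} bytes -> rejected: {err}")
```

The two truncation points exercise the two different bounds: at 120 bytes the program header table itself spills past the buffer, and at 180 bytes the table fits but the first segment’s file data does not.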
CVE-2025-43790
High - Liferay Portal
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92, allows remote authenticated users in one virtual instance to access, create, edit and relate data/object entries and definitions belonging to an object in a different virtual instance.
CVE-2025-58065
Medium - Flask-AppBuilder
Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows a user whose account is still enabled in the application to reset their password and continue to create JWT tokens even after the account has been disabled at the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If immediate upgrade is not possible, manually disable the password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the reset-my-password URL; and/or monitor for suspicious password reset attempts from disabled accounts.
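One way to apply the interim mitigation in the application itself, for deployments that cannot upgrade yet: wrap the WSGI app so that requests to the reset routes get a 404 whenever the app is not using database authentication. The block below is an added example, not Flask-AppBuilder’s own code; the route bases `/resetmypassword` and `/resetpassword` are assumed from the framework’s view names, the downstream app is a stand-in that answers 200 to everything, and `active` is expected to be set from the deployment’s `AUTH_TYPE` (true whenever it is anything other than database auth).

```python
# Assumed route bases of Flask-AppBuilder's ResetMyPasswordView / ResetPasswordView.
BLOCKED_PREFIXES = ("/resetmypassword", "/resetpassword")


class BlockPasswordReset:
    """WSGI middleware that answers 404 for the password reset routes.

    Matching is bounded at a path segment, so "/resetpassword" and
    "/resetpassword/form" are blocked while "/resetpasswordx" is not."""

    def __init__(self, app, prefixes=BLOCKED_PREFIXES, active=True):
        self.app = app
        self.prefixes = tuple(p.rstrip("/") for p in prefixes)
        self.active = active  # set from AUTH_TYPE != AUTH_DB in a real deployment

    def blocked(self, path: str) -> bool:
        return self.active and any(path == p or path.startswith(p + "/")
                                   for p in self.prefixes)

    def __call__(self, environ, start_response):
        if self.blocked(environ.get("PATH_INFO", "")):
            body = b"Not Found"
            start_response("404 NOT FOUND", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def upstream_app(environ, start_response):
    """Stand-in for the Flask-AppBuilder application: handles every path."""
    body = b"upstream handled " + environ["PATH_INFO"].encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def request(app, path: str):
    """Drive a WSGI app with a minimal constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


guarded = BlockPasswordReset(upstream_app)

if __name__ == "__main__":
    for path in ("/resetmypassword/form", "/resetpassword/form", "/login/", "/resetpasswordx"):
        print(path, "->", request(guarded, path)[0])
```

With Flask the wrapper is installed as `app.wsgi_app = BlockPasswordReset(app.wsgi_app, active=...)` before the app serves requests. This only closes the reset door; tokens already minted stay valid until they expire, so disabling the account in the provider should be paired with revoking existing sessions.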
Sources: SecurityWeek, TheHackerNews
