Weekly Security News – 22nd September 2025


Apple patches old devices, Entra ID vulnerability gives attackers control, two UK teens arrested for cyber attacks...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. We’ve also got the latest CVE information to help you stay ahead of vulnerabilities. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

News & Articles

Critical Microsoft Entra ID Vulnerability Allows Attackers to Gain Complete Administrative Control

A critical vulnerability in Microsoft’s Entra ID could have allowed an attacker to gain complete administrative control over any tenant in Microsoft’s global cloud infrastructure.

The flaw, now patched, was discovered in July 2025 and has been assigned CVE-2025-55241.

The vulnerability, described by the researcher as probably the most impactful he will ever find, resided in a combination of a legacy authentication mechanism and an API validation error.

According to Dirk-jan Mollema’s detailed write-up, the issue allowed an attacker to use a special type of token from their own tenant to impersonate any user, including Global Administrators, in any other customer’s tenant.

The researcher reported the vulnerability to the Microsoft Security Response Center (MSRC) on July 14, 2025, the same day it was discovered. Microsoft acknowledged the severity and deployed a global fix by July 17, 2025.

Apple backports zero-day patches to older iPhones and iPads

Apple has released security updates to backport patches released last month to older iPhones and iPads, addressing a zero-day bug that was exploited in “extremely sophisticated” attacks.

This security flaw is the same one Apple has patched for devices running iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, and macOS (Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8) on August 20.

Tracked as CVE-2025-43300, this vulnerability was discovered by Apple security researchers and is caused by an out-of-bounds write weakness in the Image I/O framework, which enables apps to read and write image file formats.

Apple has now addressed this zero-day flaw in iOS 15.8.5 / 16.7.12, as well as iPadOS 15.8.5 / 16.7.12, with improved bounds checks.

U.K. Arrests Two Teen Scattered Spider Hackers Linked to August 2024 TfL Cyber Attack

Law enforcement authorities in the U.K. have arrested two teen members of the Scattered Spider hacking group in connection with their alleged participation in an August 2024 cyber attack targeting Transport for London (TfL), the city’s public transportation agency.

Thalha Jubair (aka EarthtoStar, Brad, Austin, and @autistic), 19, from East London, and Owen Flowers, 18, from Walsall, West Midlands, were arrested at their home addresses on Tuesday, the National Crime Agency (NCA) said.

It’s worth noting that Flowers was initially arrested for his alleged involvement in the TfL attack in September 2024, but was subsequently released on bail. The agency said it found evidence of Flowers targeting U.S. healthcare companies, and that he has also been charged with conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and Sutter Health.

Jubair has been charged with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If convicted, he faces a maximum penalty of 95 years in prison.

SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers

SonicWall is urging customers to reset credentials after their firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts.

The company said it recently detected suspicious activity targeting the cloud backup service for firewalls, and that unknown threat actors accessed backup firewall preference files stored in the cloud for less than 5% of its customers.

“While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall,” the company said.

As a result of the incident, the company is urging customers to follow the steps below:

  • Log in to MySonicWall.com and verify whether cloud backups are enabled
  • Verify whether affected serial numbers have been flagged in the accounts
  • Initiate containment and remediation procedures by limiting access to services from the WAN, turning off HTTP/HTTPS/SSH management access, disabling SSL VPN and IPSec VPN access, resetting passwords and TOTPs saved on the firewall, and reviewing logs and recent configuration changes for unusual activity

In addition, affected customers are also advised to import fresh preferences files provided by SonicWall into their firewalls. The new preferences file includes the following changes:

  • Randomized password for all local users
  • Reset TOTP binding, if enabled
  • Randomized IPSec VPN keys
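One way to carry out the log-review step from the guidance above, as an added example that is not SonicWall’s own tooling or text. It runs over constructed sample lines in an assumed key=value format (not the device’s real syslog schema) and flags the activity the steps single out: management logins arriving from the WAN, VPN logins by local firewall users whose credentials sat in the exposed backup, and configuration changes.

```python
"""Audit firewall log lines after a configuration-backup exposure.

Constructed example: the key=value log format and the event names
(mgmt_login, sslvpn_login, ipsec_login, config_change) are assumptions
for this script, not SonicWall's real syslog schema.
"""

import re
from collections import Counter
from dataclasses import dataclass

# Tokens of the form key=value or key="quoted value" (assumed format).
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log lines, not output captured from a real device.
SAMPLE_LOGS = """\
time=2025-09-18T02:11:04Z zone=WAN src=203.0.113.7 event=mgmt_login user=admin result=success
time=2025-09-18T02:12:40Z zone=WAN src=203.0.113.7 event=config_change object=vpn_policy user=admin
time=2025-09-18T08:05:13Z zone=LAN src=10.0.5.21 event=mgmt_login user=admin result=success
time=2025-09-18T09:30:00Z zone=WAN src=198.51.100.9 event=sslvpn_login user=jsmith result=success
time=2025-09-18T09:31:10Z zone=WAN src=198.51.100.9 event=sslvpn_login user=admin result=failure
time=2025-09-18T10:02:55Z zone=LAN src=10.0.5.21 event=config_change object=firewall_rule user=admin
"""

VPN_EVENTS = {"sslvpn_login", "ipsec_login"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


def parse_line(line):
    """Split one log line into a dict of its key=value fields."""
    return {key: value.strip('"') for key, value in LINE_RE.findall(line)}


def audit(log_text, local_users=frozenset({"admin"})):
    """Return the findings a reviewer should look at after the exposure.

    local_users: accounts defined on the firewall itself, whose (encrypted)
    credentials were part of the backup file and must be rotated.
    """
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        event, zone, user = ev.get("event"), ev.get("zone"), ev.get("user")

        # Management access should not be reachable from the WAN at all.
        if event == "mgmt_login" and zone == "WAN":
            findings.append(Finding("high", "management login from WAN", raw))

        # Any VPN attempt (success or failure) using a local user is suspect
        # until that user's password and TOTP binding have been reset.
        if event in VPN_EVENTS and user in local_users:
            findings.append(Finding("high", "VPN login attempt by local user", raw))

        # Every configuration change needs review; one made from the WAN
        # is more serious than one from an internal management host.
        if event == "config_change":
            severity = "high" if zone == "WAN" else "medium"
            obj = ev.get("object", "unknown object")
            findings.append(Finding(severity, f"configuration change to {obj}", raw))
    return findings


def summarize(findings):
    """Count findings per severity level."""
    return Counter(f.severity for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOGS)
    for f in results:
        print(f"[{f.severity.upper()}] {f.reason}: {f.line}")
    print(dict(summarize(results)))
```

The script treats a failed VPN login by a local user as seriously as a successful one, because after the backup exposure the interesting signal is that someone is trying those accounts at all; once the SonicWall-supplied preferences file with randomized passwords and reset TOTP bindings has been imported, those attempts should stop.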

Latest Vulnerabilities & Exploits

CVE-2025-23337

Medium - NVIDIA

NVIDIA HGX & DGX GB200, GB300, B300 contain a vulnerability in the HGX Management Controller (HMC) that may allow a malicious actor with administrative access on the BMC to access the HMC as an administrator. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

CVE-2025-10631

Medium - itsourcecode Online Petshop Management System

A vulnerability was identified in itsourcecode Online Petshop Management System 1.0. An unknown function of the file addcnp.php in the Available Products Page component is affected. Manipulation of the argument name/description leads to cross-site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used.

CVE-2025-10629

Medium - D-Link

A vulnerability was determined in D-Link DIR-852 1.00CN B09. This issue affects the function ssdpcgi_main of the file htodcs/cgibin in the Simple Service Discovery Protocol Service component. Manipulation of the argument ST can lead to command injection. The attack may be performed remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2025-10628

Medium - D-Link

A vulnerability was found in D-Link DIR-852 1.00CN B09. This vulnerability affects unknown code of the file /htdocs/cgibin/hedwig.cgi in the Web Management Interface component. Manipulation results in command injection. The attack can be carried out remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.

Sources: CyberSecurityNews, Bleeping Computer, TheHackerNews