MS Nuance Settles MOVEit Breach Suit for $8.5M; End of Support for Windows 10 in October 2025; NIST Updates Digital Identity Guidelines

Microsoft subsidiary Nuance has agreed to pay $8.5 million to settle a class action lawsuit over the MOVEit file transfer breach. The proposed settlement, which admits no liability on Nuance's part, is scheduled for a final approval hearing on March 31, 2026. The lawsuit was filed by customers who claim Nuance did not adequately protect personal data that were compromised by attacker exploiting the SQL injection vulnerability in Progress Software's MOVEit file transfer software. Nuance, which was acquired by Microsoft in 2022, is "best known for its medical transcription and speech recognition systems." Nuance was one of many organizations breached through the MOVEit vulnerability; the Nuance breach alone is estimated to have compromised information belonging to 1.225 million people.

Microsoft is reminding customers that support for Windows 10 will end on October 14, 2025, giving users just under two months to decide what to do next. "On October 14, 2025, Windows 10, version 22H2 (Home, Pro, Enterprise, Education, and IoT Enterprise editions) will reach end of servicing. October 14, 2025 will also mark the end of support for Windows 10 2015 LTSB and Windows 10 IoT Enterprise LTSB 2015. The October 2025 monthly security update will be the last update available for these versions. After this date, devices running these versions will no longer receive monthly security and preview updates containing protections from the latest security threats." Microsoft urges users to update to Windows 11 or migrate to Windows 11 in the cloud. Some users may find that their older PCs do not have the capacity to upgrade to Windows 11. However, for the first time, users have the option of enrolling their personal PCs running Windows 10 in the Extended Service Update (ESU) program, which provides support for one additional year. ESU is available for a nominal fee; if you sync Windows 10 settings to the cloud via Windows Backup or pay 1,000 Microsoft reward points, the fee is waived. Note that on October 24, 2025, Microsoft is also ending support for Office 2016 and Office 2019.

The US National Institute of Standards and Technology (NIST) has finalized the latest revision of its Digital Identity Guidelines. The document was first published in 2004, with major revisions published in 2011, 2013, 2017, and now July 2025. The updated document notes that "the composition, models, and availability of identity services have significantly changed, ... as have the considerations and challenges of deploying secure, private, and usable services to users," and centers its guidance on "roles and functions that entities perform as part of the overall digital identity model." Among the expansions and reorganizations, SP-800-63-4 adds a "user-controlled wallet federation model," performance metrics to continuously evaluate digital identity systems, and a subsection addressing AI and ML in digital identity services. In August 2025, NIST also published NISTIR 8584, "Face Analysis Technology Evaluation (FATE) MORPH, Part 4B: Considerations for Implementing Morph Detection in Operations." The document provides information, strategies, and tools for organizations to secure their identity systems against fraudulent morphed photos. Mei Ngan, an author of the report, states, "Morphing attacks are happening, and there are ways to mitigate them [...] The best way is to not allow users the opportunity to submit a manipulated photo for an ID credential in the first place."

Plex has released Plex Media Server (PMS) version 1.42.1.10060 and strongly recommends that users update immediately to apply a fix for a "potential security issue" impacting PMS 1.41.7.x to 1.42.0.x. Plex sent emails to customers who may be running outdated versions of PMS, urging them to update, either through their regular server management page or downloaded directly from the Plex site as a package. Neither a CVE nor a description of the vulnerability appear in the security notice, but Plex states that they were made aware of the flaw through their bug bounty program. BleepingComputer notes that Plex does not often email customers about specific vulnerabilities, possibly further emphasizing the unspecified flaw's severity. Plex estimates their media streaming software has over 25 million users worldwide.

Among 29 CVEs addressed by the August 2025 Cisco Secure Firewall ASA, Secure FMC, and Secure FTD Software Security Advisory Bundled Publication, 11 are rated medium severity, 17 are high severity, and one carries CVSS score 10.0. This maximum-severity flaw affects the RADIUS (Remote Authentication Dial-In User Service) subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software versions 7.0.7 and 7.7.0. CVE-2025-20265 allows an unauthenticated remote attacker to inject arbitrary shell commands and execute them at a high privilege level by crafting malicious inputs while entering credentials authenticated at the configured RADIUS server, exploiting a lack of proper handling of user input. Cisco's advisory specifies that exploitation requires "Cisco Secure FMC Software [to] be configured for RADIUS authentication for the web-based management interface, SSH management, or both." Cisco provides a link to instructions for checking whether RADIUS is configured, and notes that while there are no workarounds, customers who have evaluated the impact and applicability of using another type of authentication in their environment besides RADIUS may mitigate risk by instead using, for example, "local user accounts, external LDAP authentication, or SAML single sign-on (SSO)." The flaw was discovered during internal testing, and Cisco Product Security Incident Response Team (PSIRT) has not observed evidence or announcements of active exploitation.

Microsoft says that malware dubbed “PipeMagic” is being actively deployed by a threat actor group to lay the groundwork for launching ransomware attacks. PipeMagic is a modular backdoor that pretends to be a ChatGPT Desktop Application. According to Microsoft, "Beneath its disguise, PipeMagic is a sophisticated malware framework designed for flexibility and persistence. Once deployed, it can dynamically execute payloads while maintaining robust command-and-control (C2) communication via a dedicated networking module. As the malware receives and loads payload modules from C2, it grants the threat actor granular control over code execution on the compromised host. By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging." Microsoft discovered the malware while looking into the exploitation of a use-after-free vulnerability (CVE-2025-29824) in the Windows Common Log File System Driver that allows attackers to escalate privileges. The flaw was disclosed in April 2025.

Researchers from Imperva and Tel Aviv University are warning of a new variant of 2023's HTTP/2 Rapid Reset vulnerability that "tricks the server into resetting its own streams," allowing denial-of-service (DoS) attacks without directly violating protocol. CVE-2025-8671, CVSS score not yet provided, allows an attacker to cause denial of service by exploiting incorrect stream accounting using malformed frames or flow control errors, opening streams and triggering the server to reset them; backend processing continues despite streams being considered closed at the protocol level, ultimately creating "an unbounded number of concurrent streams on a single connection." Vendor-specific CVEs have also been issued for F5, Apache Tomcat, Netty, and IBM, and Jetty is also affected. Imperva notes that mitigation should be a priority, and "defenses must go beyond traditional client-side rate limiting," to include stricter protocol validation, stream state enforcement, anomaly detection and behavioral monitoring, connection-level rate controls, regular updates, and defensive hardening. Deepness Lab notes that more than 60% of top sites use HTTP/2, and the protocol carries approximately a third of global HTTP traffic.

Workday, a Human Resources provider serving over 11,000 organizations and 70 million people worldwide, published a blog post on August 15, 2025, disclosing a data breach of its third-party customer relationship management (CRM) platform. The post indicates that the system was breached by threat actors who impersonated human resources or IT personnel over the phone or by text, and Workday believes this attack is associated with a broader social engineering campaign targeting large organizations. Upon discovery of the breach, Workday "cut the access" immediately and implemented additional preventative safeguards. While Workday states that customer tenants and data within them do not appear to have been accessed, business contact information characterized as "commonly available" was stolen including "names, email addresses, and phone numbers," which could be exploited for future social engineering attempts. The post assures customers that Workday will never request credentials or sensitive information over the phone, indicating that official communications will come only from "trusted support channels." BleepingComputer reports that Workday's email notification to customers revealed that the breach was discovered on August 6. TechCrunch notes that Workday’s blog post was published with a “noindex” tag intended to block search engines from indexing the disclosure.

Researchers from Talos Intelligence have observed malicious cyber activity conducted by an advanced persistent threat (APT) actor with ties to China. The APT group appears to be targeting Taiwanese "web infrastructure entities." The campaign exploits known vulnerabilities in unpatched, internet-exposed servers to gain initial access. From there, the intruders conduct reconnaissance to determine if the compromised server is of value to them. If it is, they "pivot to additional systems in the enterprise to proliferate and conduct malicious activities," including deploying a shellcode loader to help launch Cobalt Strike and other tools.

UK-based telecommunications provider Colt Technology Services disclosed last week that they were experiencing a cyber incident that was causing outages. The incident has disrupted the availability of the company's customer portal and other services. Colt acknowledged that "One of our protective measures involved us proactively taking some systems offline, which has led to the disruption of some of the support services we provide to our customers." Colt has been posting regular updates to their status page to keep customers informed.