Apple Releases Emergency Updates for Actively Exploited ImageIO Flaw; FBI Warns of FSB Actively Exploiting of Cisco Smart Install; Scattered Spider Member Sentenced

Apple has released emergency security updates to address an out-of-bounds write vulnerability (CVE-2025-43300) in the ImageIO framework, affecting macOS, iOS, and iPadOS. The issue is fixed in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8. The vulnerability has been actively exploited. Apple says the impact of the flaw is that "processing a malicious image file may result in memory corruption, ... and [the] issue was addressed with improved bounds checking." This vulnerability is the seventh zero-day Apple has patched this calendar year.

Cisco Talos and the Federal Bureau of Investigation (FBI) have both warned of a state-sponsored cyber espionage group with ties to Russia that is exploiting a seven-year-old vulnerability in Cisco IOS software's Smart Install feature. The flaw (2018-0171) is "an improper input validation issue in the now defunct Smart Install feature of Cisco IOS and Cisco IOS XE software." The attackers are targeting end-of-life devices that have not been patched in the telecommunications, higher education, and manufacturing sectors around the world. Users are urged to apply the patch or disable Smart Install if they cannot patch. According to the FBI's August 20 alert, they "detected Russian FSB cyber actors exploiting Simple Network Management Protocol (SNMP) and end-of-life networking devices running an unpatched vulnerability (CVE-2018-0171) in Cisco Smart Install (SMI) to broadly target entities in the United States and globally." Cisco Talos says the goal of the attackers is to steal data and gain persistent access to vulnerable systems.

Noah Michael Urban has been sentenced to 10 years in prison for his role in cyberattacks related to the threat actor group known as Scattered Spider. Urban has also been ordered to pay approximately $13 million in restitution to his victims. Urban previously pleaded guilty to wire fraud, conspiracy, and aggravated identity theft. Urban, along with several co-conspirators, allegedly used SIM-swapping attacks to steal hundreds of thousands of dollars and used social engineering attacks to trick employees at targeted organizations into divulging account access credentials, and then stole millions in cryptocurrency.

US Director of National Intelligence Tulsi Gabbard published a social media post on August 18, 2025, stating, "The UK has agreed to drop its mandate for Apple to provide a 'back door' that would have enabled access to the protected encrypted data of American citizens." This refers to a formerly secret Technical Capability Notice (TCN) served to Apple in January 2025 under the UK's Investigatory Powers Act, obligating Apple to comply with government requests to break end-to-end-encryption (E2EE) for Advanced Data Protection (ADP). Apple disabled ADP for UK users in February and appealed the order through the Investigatory Powers Tribunal (IPT), supported by civil society groups and privacy advocates; the UK government's first public acknowledgment of the TCN's existence was the IPT's April 2025 judgment that hiding the details was not merited for national security. UK government sources have refused to comment on Gabbard's claim at the time of this writing, but gave statements emphasizing the importance of joint security and intelligence arrangements between the UK and the US.

Telecommunications provider Orange Belgium says a late July 2025 breach compromised data belonging to approximately 850,000 customer accounts. The data the intruders accessed include names, phone numbers, SIM card numbers and personal unblocking key (PUK) codes, which are used to unblock SIM cards that have been locked after too many incorrect PINs have been entered. Orange Belgium provides telecommunications services to people in Belgium and Luxembourg. This incident occurred around the same time as a cyberattack targeting Orange Belgium parent company Orange Group; that breach affected business customers and consumers in France.

In a filing with the Maine Attorney General's Office, the Business Council of New York State (BCNYS) disclosed that a breach of their internal systems in late February 2025 compromised data belonging to more than 47,000 individuals. According to the filing with the Maine AG, BCNYS discovered the breach on August 4, 2025. The stolen information included "full names, Social Security numbers, dates of birth, state identification numbers, financial institution names, financial account and routing number information, payment card numbers, payment card access PINs, payment card expiration dates, taxpayer identification numbers, electronic signature information, medical provider name, medical diagnosis or condition information, prescription information, medical treatment or procedure information, and health insurance information." BCNYS has more than 3,000 member organizations, which together employ more than 1.2 million individuals.

Australia's TPG Telecom has disclosed a breach of their iiNet subsidiary compromising data belonging to approximately 280,000 customers. TPG telecom is investigating the incident. The breach appears to affect iiNet's order management system; the intruders likely obtained access to the system through account credentials stolen from an employee. Compromised information includes iiNet email addresses, landline phone numbers, contact names, numbers, and residential addresses. TPG says the incident was "contained" as of August 16. The intruders have been removed from the system and TPG has brought in third-party expertise to help manage incident response. They have also "actively engaged with the Australian Cyber Security Centre (ACSC), the National Office of Cyber Security (NOCS), the Australian Signals Directorate (ASD), the Office of the Australian Information Commissioner (OAIC) and other relevant authorities in response to this incident."

Maintainers of the Python Package Index (PyPI) have implemented a policy of un-verifying user email addresses whose domains are suspected to have expired based on the Expired Registration Recovery Policy (ERRP) timeline set by the Internet Corporation for Assigned Names and Numbers (ICANN). This change to security posture is intended to protect against "domain resurrection" account takeover leading to supply chain attacks, where attackers purchase expired domains to gain access to email addresses already verified for PyPI accounts. PyPI notes "this is not an imaginary attack," citing the 2022 malicious replacement of the ctx project via account compromise, and the 2023 discovery of a similarly vulnerable widely-used npm package in illustria. PyPI will query the status of domains and un-verify email addresses from domains that have entered the typical 30-day Renewal Grace Period or Redemption Period and may be sold. "Since the initial implementation early June 2025, PyPI has unverified over 1,800 email addresses." All accounts active since January 1, 2024, must have 2FA enabled, and PyPI recommends adding a second verified email address from a major domain to any accounts relying on emails with custom domain names. PyPI is the official third-party repository for Python and the default source used by package manager pip.

Google and Mozilla have both released patches for high-severity vulnerabilities in their browsers. Chrome 139.0.7258.138/.139 for Windows and Mac, and 139.0.7258.138 for Linux, addresses CVE-2025-9132, which allows an attacker to exploit heap corruption via a crafted HTML page due to an out-of-bounds write flaw in the V8 JavaScript and WebAssembly engine. This flaw was discovered by Big Sleep, an AI agent created in 2024 by Google DeepMind and Project Zero. Firefox 142 and Thunderbird 142, as well as Firefox ESR 115.27, ESR 128.14, and ESR 140.2 and Thunderbird ESR 128.14 and ESR 140.2, address nine vulnerabilities, five of which Mozilla considers high-severity. CVE-2025-9187, CVSS score 9.8, and CVE-2025-9184 & CVE-2025-9185, both carrying CVSS score 8.1, are memory safety bugs that could be exploited to execute arbitrary code. CVE-2025-9180 is a same-origin policy bypass in the Graphics: Canvas2D component. The advisory for CVE-2025-9179 may indicate evidence of exploitation: "An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process," but Mozilla does not go into further detail about possible attacks in the wild.

On August 19, Commvault released patches for four flaws affecting Commvault before versions 11.32.102 and 11.36.60, but not affecting Commvault's software as a service (SAAS). The following day, researchers from watchTowr, who discovered and reported the vulnerabilities in April, published analysis showing proof-of-concept exploit chains that could leverage these flaws to achieve pre-authorization remote code execution. The first chain is exploitable against any unpatched Commvault instance and uses CVE-2025-57791, an argument injection vulnerability in CommServe with CVSS score 6.9, and CVE-2025-57790, a path traversal vulnerability with CVSS score 8.7. The second chain only affects unpatched Commvault instances whose encrypted admin password set during installation is still stored in the database; if the admin password has been changed, it becomes stored as a hash, preventing this exploit. This second chain uses CVE-2025-57788, an unauthorized API access flaw with CVSS score 6.9, then CVE-2025-57789, a flaw allowing a remote attacker to exploit the default credential during setup to gain admin control, CVSS score 5.3, and finishes with the same path traversal flaw as the first chain.

Federal authorities have charged Ethan Foltz with aiding and abetting computer intrusions for his role in developing and administering the Rapper Bot distributed denial-of-service (DDoS) for hire botnet. According to a US Justice Department press release, the botnet "primarily compromises devices like Digital Video Recorders (DVRS) or WiFi routers at scale by infecting those devices with specialized malware." The complaint indicates that most of the DDoS attacks measured between two and three terabits per second. Authorities have also seized elements of the botnet's infrastructure.