iPhone 17 to Include Memory Integrity Enforcement; SonicWall Ransomware Attacks Exploit Old Vulnerability; Patch Tuesday: Microsoft, SAP, Adobe

Apple has announced a security feature dubbed Memory Integrity Enforcement (MIE), incorporated into the forthcoming iPhone 17, designed to protect against memory safety flaws, "which are interchangeable, powerful, and exist throughout the industry," as well as being "the most widely exploited class of software vulnerabilities." Memory safety vulnerabilities have been exploited in "the only system-level iOS attacks [Apple] observe[s] in the wild," those being targeted attacks employing "mercenary spyware." Citing Apple’s ongoing goal to prioritize code and hardware that make it "inherently difficult" to exploit memory corruption flaws, the announcement describes MIE as an always-on protection engineered into the A19 Arm chips, building on Apple’s existing secure memory allocators, Enhanced Memory Tagging Extension (EMTE), and Tag Confidentiality Enforcement. The EMTE specification is also now available in Xcode for Apple developers to incorporate into their software.

Researchers from Rapid7 have noted a surge in ransomware attacks exploiting a known vulnerability (CVE-2024-40766) in SonicWall firewalls. In August 2024, SonicWall released updates to address the improper access control vulnerability for SSLVPN that affected the company's Gen5, Gen6, and Gen7 firewall appliances. In an August 2025 support notice addressing the new round of ransomware attacks, SonicWall writes, "Many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset. Resetting passwords was a critical step outlined in the original advisory." The new round of attacks, like those observed last year, appear to be using the Akira ransomware-as-a-service (RaaS).

Earlier this week, Microsoft, SAP, and Adobe released security updates to address multiple vulnerabilities across their product lines. Microsoft released fixes for 86 vulnerabilities in their products, including 13 that are rated critical. None of the Microsoft vulnerabilities addressed this month appears to be under active exploit. SAP released or updated Security Notes for 26 vulnerabilities, including four that are rated critical: an insecure deserialization vulnerability in SAP Netweaver (CVE-2025-42944); an insecure file operations vulnerability in SAP NetWeaver AS Java (CVE-2025-42922); an update to a March 2023 Security Note for a directory traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (CVE-2023-27500); and a missing authentication check in SAP NetWeaver (CVE-2025-42958). Adobe has released updates to address vulnerabilities in nine products, including Adobe Acrobat and Reader, Adobe Commerce, and Adobe ColdFusion.

New York Blood Center Enterprises (NYBCe) has filed reports with US state regulators and begun sending notices to those affected by a data breach that took place between January 20 and January 26, 2025. An investigation alongside third-party cybersecurity partners determined that "an unauthorized party gained access to the NYBCe network and acquired copies of a subset of its files," with information varying by individual but including "names, Social Security numbers, driver’s license or other government identification card numbers and/or financial account information." Between June 30 and August 12, NYBCe analyzed and finalized the list of affected individuals, who number 10,557 in total, per a report to the Texas Attorney General. NYBCe began mailing notification letters on September 5, offering "one year of complimentary credit monitoring and identity theft protection services to individuals whose Social Security number or driver’s license number was involved." However, NYBCe also published a "Notice to Clinical Services Recipients" on their website on September 5, stating, "We do not collect or maintain contact information for individuals for whom we provide clinical services. As a result, we are unable to mail letters to individuals whose information may have been involved." While NYBCe's original announcement on January 29 stated that third-party experts confirmed the attack was a result of ransomware, the notification letters and current statements do not mention ransomware.

The Really Simple Licensing (RSL) Standard would allow "publishers [to] define machine-readable licensing terms for their content, including attribution, pay per crawl, and pay per inference compensation." Based on Really Simple Syndication (RSS), the open content licensing standard adds "licensing and royalty terms to their robots.txt file" to let bots know how to interact with websites. RSL has the support of "leading internet publishers and technology companies, including Reddit, Yahoo, People Inc., Internet Brands, Ziff Davis, Fastly, Quora, O’Reilly Media, and Medium."

Network monitoring company FastNetMon recently detected a DDoS attack targeting the website of an unnamed western-European "DDoS scrubbing provider" with a sustained UDP flood of 1.5 billion packets per second (Bpps, or Gpps for gigapackets), stating "what makes this case remarkable is the sheer number of distributed sources and the abuse of everyday networking devices." The source of the attack was compromised customer-premises equipment such as IoT devices and MicroTik routers "spread across 11,000 unique networks worldwide," and was mitigated by the scrubbing provider's own facility. FastNetMon's founder, Pavel Odintsov, contends, "The industry must act to implement detection logic at the ISP level to stop outgoing attacks before they scale." Rupert Goodwins, writing for The Register, argues that DDoS attacks are troublingly overlooked, and effective defenses must be infrastructural: "Until a way is found to disable the compromised nodes that generate the packets, DDoS will continue. Put simply, these nodes are broken, dangerous, and have to be detected and taken offline." Within the week preceding FastNetMon's news, Cloudflare blocked a 5.1Bpps volumetric DDoS attack, which is the highest ever recorded as of this writing.

The UK Information Commissioner's Office (ICO) has published a press release highlighting increasing risk to schools from cyberattacks carried out by students. Analysis of 215 education sector data breaches "caused by insider attacks" between January 2022 and August 2024 reveals that more than half of those incidents were caused by students. ICO Principal Cyber Specialist Heather Toomey commented to highlight that mitigating this poorly-understood "insider threat" in education must involve intercepting students who may push cyber boundaries for casual reasons without grasping potential serious consequences: "It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists." The ICO's outlook is twofold, first noting that schools must improve their cybersecurity procedures: 23% of the surveyed incidents were caused by poor data protection practices, including data being accessed without legitimate need, devices being left unattended, and students being allowed to use staff devices; 30% were caused by credentials being stolen, with "students guessing weak passwords or finding them jotted down on bits of paper." The second recommendation is to parents, encouraging conversations about online activity and the consequences of cybercrime. The ICO notes a statistic from the National Crime Agency (NCA) estimating that "one in five children aged 10 to 16 have been found to engage in illegal activity online," and links to the NCA's Cyber Choices program, which provides resources for young people, guardians, and teachers aimed at "Explaining the difference between legal and illegal cyber activity; Encouraging individuals to make informed choices in their use of technology; Increasing awareness of the Computer Misuse Act 1990; [and] Promoting positive, legal cyber opportunities."

The US Department of Defense (DoD) has released the final version of a rule requiring federal contractors to comply with the Cybersecurity Maturity Model Certification (CMMC) program. The final rule, which amends the Defense Federal Acquisition Regulation Supplement, was published in the Federal Register on Wednesday, September 10; the new CMMC program will be rolled out starting November 10, 2025. All federal defense contractors, also known as the defense industrial base (DIB), will be required to comply with one of three CMMC levels, depending on the level of information they will be handling. DefenseScoop describes the three levels of compliance: "The revised framework allows contractors to self-assess their cybersecurity compliance if they are handling less sensitive FCI categorized under CMMC Level 1 or CMMC Level 2. More sensitive CUI data denoted as CMMC Level 2 will require a verification check done by a certified third-party assessor organization (C3PAO), while CUI documents considered CMMC Level 3 will require certification from the Defense Industrial Base Cybersecurity Assessment Center (DIPAC)."

UK rail operator London North Eastern Railway (LNER) has disclosed a data security breach that compromised customer data, including contact information and some travel details. The incident occurred on the system of an as-yet unidentified third-party supplier. LNER says the incident has not affected ticket sales or train operations. They do caution customers to be wary "of unsolicited communications, especially those asking for personal information. If in doubt, do not respond." LNER is a "government-owned company that runs east coast services between London and Scotland."