Apple Updates and New OS Numbering System; Exploited DELMIA Flaw Added to KEV; FBI: Salesforce Extortion IoCs

Apple has released updates for iOS, iPadOS, macOS, tvOS, watchOS, and visionOS to address multiple vulnerabilities. One of the vulnerabilities (CVE-2025-43300), an out-of-bounds write issue affecting iOS, iPadOS, and macOS, was patched last month, but only for current versions of the operating systems. The updates released on September 15 backport the patch for older versions of affected operating systems. With this set of updates, most users have the option of updating to a numerically sequential version of operating systems, which are in the teens, or leapfrogging ahead to version 26, which reflects the upcoming calendar year and offers a number of new features. Some older iPhones will not be able to update to version 26, and in the words of Dr. Johannes Ullrich, "sticking with the older version will get you all the security fixes (and other bug fixes), but none of the new features and the potential instabilities and compatibility issues."

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in DELMIA Apriso to the Known Exploited Vulnerabilities (KEV) catalog. DELMIA Apriso is manufacturing operations management (MOM) and manufacturing execution system (MES) software made by Dassault Systèmes. The company issued an advisory in June 2025, noting that "a deserialization of untrusted data vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could lead to a remote code execution." Earlier this month, Dr. Johannes Ullrich reported that the Internet Storm Center has been "seeing exploits for DELMIA Apriso related issues." The vulnerability has a mitigation date of October 2, 2025 for US Federal Civilian Executive Branch (FCEB) agencies.

On September 12, 2025, the US Federal Bureau of Investigation's Internet Crime Complaint Center (FBI IC3) issued a "FLASH" security advisory to raise awareness of and "disseminate Indicators of Compromise" (IoCs) associated with two groups of threat actors currently targeting Salesforce platforms for data theft and extortion. The advisory describes each group's attack methods: UNC6040, also known as ShinyHunters, are known to steal Salesforce credentials by voice phishing organizations' IT support staff, then exfiltrating large amounts of data using API queries or by stealing credentials for the Salesforce Data Loader application. UNC6040 has also convinced organizations to integrate malicious apps into Salesforce, bypassing MFA, password resets, and monitoring of logins by authenticating using the app's Salesforce-issued OAuth token. Within days and sometimes months, victims have received emails allegedly from UNC6040, demanding a cryptocurrency ransom to prevent the stolen data being published. UNC6395, also known as Scattered Spider, are known to breach Salesforce instances using compromised OAuth tokens for the Salesloft Drift AI chatbot, also subsequently exfiltrating data. "On August 20, 2025, Salesloft, in collaboration with Salesforce, revoked all active access and refresh tokens with the Drift application, terminating any threat actor access to victims’ Salesforce platforms from the previously connected Salesloft app." The advisory offers IoCs comprising IP addresses, URLs, and user-agent strings. The FBI recommends organizations provide anti-phishing training for call center employees; require phishing resistant MFA; implement authentication, authorization, and accounting (AAA) systems and apply the principle of least privilege; restrict access by IP; monitor API usage, network logs, and browser session activity; and review third-party integrations, including rotating all keys, credentials, and tokens.

As part of their September security update, Samsung has patched a critical out-of-bounds write vulnerability in the libimagecodec.quram.so closed-source image parsing library that affects Android OS versions 13, 14, 15, and 16. The flaw, which can lead to arbitrary code execution, has already been exploited in the wild. The flaw was reported to Samsung on August 13 by the Meta and WhatsApp security teams.

Researchers from Oasis Security have identified a critical vulnerability in the Cursor AI code editor "that enables the automatic execution of malicious code upon opening a repository." The problem results from Cursor shipping with the Workslace Trust security setting disabled by default. Oasis writes that in this state, "when a user opens such a repository in Cursor, even for simple browsing, arbitrary code can be run in their environment. This has the potential to leak sensitive credentials, modify files, or serve as a vector for broader system compromise." Suggested mitigations include enabling Workspace Trust in Cursor, opening unknown repositories in a different editor, and auditing repositories before opening them.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a summary of the agency's plans for the Common Vulnerabilities and Exposures (CVE) program. Funding has been a major concern since the program's federal contract nearly lapsed in April 2025. While CISA is considering alternative "diversified funding" sources, the agency contends that the CVE Program should not be privatized but must remain a public good with CISA in an active stewardship role, affording transparency, freedom from conflicts of interest, and independence from certain financial pressures and influences. Other goals included in the document are to ensure the advisory board and partnerships are "more diversified and international," to modernize and automate its services, to engage in transparent communication, to invest in record quality and enrichment, and to focus on improvements for CVE Numbering Authorities of Last Resort (CNA-LRs), who assign CVE IDs beyond the scope of other CNAs. Nick Andersen, CISA's recently-appointed Executive Assistant Director for Cybersecurity, also expressed at the Billington Cybersecurity Summit in Washington that the agency is eager for Congress to provide any extension of the 2015 Cybersecurity Information Sharing Act, "which provides incentives for private entities to voluntarily share digital threat intelligence with the federal government."

The California state legislature passed two bills this week, both of which, if signed into law, will protect residents' rights to additional control over how they use the internet. Assembly Bill 566 requires businesses developing or maintaining web browsers to include a setting that allows users to "opt out of the sale and sharing of [their] personal information" by businesses, also requiring that the setting be "easy for a reasonable person to locate and configure." While the California Consumer Privacy Act of 2018 (CCPA) and California Privacy Rights Act of 2020 (CPRA) protect residents' rights to send this and other types of opt-out signals, technology and software companies have not previously been required to provide the means to send the signal. AB655 also contains a subdivision including mobile operating systems in this requirement pending additional regulations by the California Privacy Protection Agency. Assembly Bill 1414, passed on Wednesday, September 10, provides renting tenants the ability to opt out of bulk billing for "wired internet, cellular, or satellite service that is offered in connection with the tenancy," allowing tenants to deduct the subscription price from their rent if this is violated, and also prohibiting landlords from retaliating should a tenant choose to opt out.

Starting in October, Microsoft "will begin automatically installing the Microsoft 365 Copilot app on Windows devices that have the Microsoft 365 desktop client apps." The app will appear in the Start Menu and will be enabled by default. However, admins may opt out through the Apps Admin Center. Microsoft expects to have the Microsoft 365 Copilot app rolled out to all applicable devices by mid-November 2025. The app will notably not be installed on devices within the European Economic Area (EEA).

Germany's Bundesministerium des Innern (BMI), Federal Ministry of the Interior, has announced the launch of the European Union's new biometric border security plan, the European Entry-Exit System (EES), starting on October 12. At that time, the EES will be introduced at Düsseldorf Airport. Following the initial launch, the EES will be introduced at Frankfurt am Main Airport and Munich Airport, and then rolled out to other airports and external maritime ports by April 9, 2026. The EES applies to individuals who are not citizens of the Schengen area, a group of 29 European countries that have abolished border controls at common borders. The EES will retain non-Schengen travelers' data, including "four fingerprints and a biometric facial image."

Fairmont Federal Credit Union (FFCU) is notifying nearly 200,000 individuals that their personal information was stolen in an October 2023 breach. FFCU, which operates nine branches in West Virginia, became aware of the breach in January 2024 and launched an investigation that concluded in August 2025. The intruders had access to FFCU's systems between September 30 and October 18, 2023. The notification letters, which were sent last week, say that "one or more of the files accessed and/or acquired by the unauthorized party ... may contain personal information including, full name, date of birth, address, Social Security number, U.S. Alien registration number, passport number, driver’s license or state ID number, military ID number, Tax ID number, non-U.S. national identification number, financial account number, routing number, financial institution name, credit card/debit card number, security code/PIN number, credit card/debit card expiration date, IRS PIN number, treatment information/diagnosis, prescription information, provider name, MRN/patient ID, Medicare/Medicaid number, health insurance policy/subscriber number, other health insurance information, treatment cost information, full access credentials, security questions and answers, and digital signatures." According to documents filed with Maine's Attorney General's Office, the breach affects 187,038 people.