Friday, October 10, 2025


In Other News: Gladinet Flaw Exploitation, Attacks on ICS Honeypot, ClayRat Spyware

SecurityWeek’s cybersecurity news roundup provides a concise compilation of noteworthy stories that might have slipped under the radar.

We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.

Each week, we curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports. 

Here are this week’s stories:

Gladinet vulnerability exploited in the wild

A vulnerability affecting Gladinet’s CentreStack and Triofox products has been exploited in the wild, Huntress warns. CentreStack is a mobile access and secure sharing solution while Triofox is a secure file access solution. Huntress earlier this year discovered exploitation of CVE-2025-30406, a hardcoded machine key issue affecting the products, and it has now detected exploitation of a new vulnerability, CVE-2025-11371, which allows unauthenticated local file inclusion. Gladinet is aware of the issue and is in the process of providing a workaround to customers until a patch is developed. 

US universities targeted by payroll pirates

Microsoft has warned that a cybercrime group it tracks as Storm-2657 has been targeting US universities in an effort to hack employee accounts on HR platforms such as Workday. The goal is to divert salary payments to accounts controlled by the attackers. These types of threat actors are known as “payroll pirates”. The attacks seen by Microsoft do not involve exploitation of Workday vulnerabilities. Instead, the hackers are leveraging social engineering tactics and the lack of MFA to compromise accounts.

Zimbra vulnerability exploited in attack on Brazilian military

StrikeReady warned that a Zimbra vulnerability tracked as CVE-2025-27915 was exploited earlier this year to target Brazil’s military. The attack involved a malicious ICS calendar file. There do not appear to be other public reports describing exploitation of CVE-2025-27915, which has been described as an XSS flaw allowing an attacker to execute arbitrary JavaScript and perform unauthorized actions on the victim’s Zimbra account, including email redirection and data exfiltration.

Mic-E-Mouse attack

A team of researchers from the University of California has disclosed the details of an attack method they have named Mic-E-Mouse, which leverages the high-performance optical sensors on a mouse to eavesdrop on users. The researchers showed that speech induces subtle surface vibrations that the mouse’s sensor can detect. The audio quality is initially poor, but the researchers showed how it can be processed to improve its quality. On the other hand, accuracy is still low in real-world environment tests.

Two arrested in UK over nursery chain hack

Two unnamed individuals, reportedly aged 17 and 22, have been arrested in the UK over a cyberattack that targeted the nursery chain Kido. Hackers stole the names, addresses, and photographs of 8,000 children and started leaking them in order to convince Kido to pay a ransom. The hackers also called impacted parents to increase the pressure on the nursery chain. In response to pushback from other hackers, the children’s images were blurred, and later all the data was taken offline. 

Brightstar and Decisely data breaches impact over 100,000 

Brightstar and Decisely Insurance Services have each disclosed data breaches impacting more than 100,000 people. IGT and its lottery business Brightstar said unauthorized access was discovered nearly one year ago, but it took until recently to determine what type of data was compromised and who was impacted. Decisely discovered unauthorized access in December 2024 and started notifying affected individuals in June 2025. The data breach at Decisely impacted personal information related to its partner MetLife. 

WordPress plugin vulnerability exploited

Hackers have been attempting to exploit CVE-2025-5947, a critical vulnerability in the Service Finder Bookings plugin, to hack WordPress websites. The plugin is part of the premium Service Finder theme, which has been acquired by roughly 6,000 websites. The vulnerability was patched on July 17 and disclosed by Defiant on July 31. Exploitation started on August 1 and Defiant’s Wordfence firewall has already blocked nearly 14,000 attacks. 

Honeypot data shows ICS/OT attacks from Russia and Iran

An ICS/OT honeypot run by Forescout, designed to mimic a water treatment plant, has been targeted by a Russia-linked group named TwoNet, which tried to deface the associated HMI, disrupt processes, and manipulate other ICS. TwoNet has been involved in hacktivist attacks, but many of its activities seem driven by profit. Forescout’s honeypots also saw attack attempts that have been linked to Russia and Iran.

OpenAI disrupts ChatGPT abuse

OpenAI has published another report describing the actions it has taken against the malicious use of ChatGPT. The company has seen Russian, Chinese and (North) Korean threat actors abusing its AI assistant for malware development, phishing, scams, and influence operations. 

ClayRat Android spyware targets Russia

Zimperium has detailed ClayRat, an Android spyware mainly targeting Russian users. The malware has been distributed through Telegram channels and phishing sites, disguised as popular apps such as WhatsApp, TikTok, and YouTube. Once it has been installed on a device, ClayRat can steal SMS messages, notifications, and call logs, take photos with the infected device’s front camera, and send messages or make calls from the victim’s phone.
