Cyber Security Weekly Briefing, 5 September

September 5, 2025

WhatsApp patches a flaw exploited in zero-day attacks

WhatsApp has fixed a critical zero-click vulnerability (CVE-2025-55177, CVSSv3 of 8.0 according to CISA) affecting WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS prior to v2.25.21.78, and WhatsApp for Mac prior to v2.25.21.78.

The flaw, related to incomplete authorization in the synchronization of linked devices, allowed an attacker to process content from an arbitrary URL on the victim's device without user interaction. This vulnerability was exploited in conjunction with an operating system-level flaw on Apple platforms (CVE-2025-43300, CVSSv3 of 8.0 according to CISA) in sophisticated 0-day attacks targeting specific users.

Although no public PoC or exploit has been published, WhatsApp has issued patches and recommends that affected users perform a full factory reset of the device and keep the operating system up to date. The spyware campaign was detected by Donncha Ó Cearbhaill, head of Amnesty International's Security Lab.

More info

Supply chain attack exposes Salesforce data

A supply chain attack against the Salesloft Drift application has compromised Salesforce data from major cybersecurity companies such as Zscaler, Palo Alto Networks, Cloudflare and SpyCloud. The attack, attributed to the UNC6395 group and detected by Google Threat Intelligence Group, was carried out between August 8 and August 18, 2025 by stealing OAuth tokens.

The actors accessed corporate Salesforce environments, exfiltrating sensitive credentials such as AWS keys, passwords and Snowflake database tokens. Among the data exposed were names, emails, phone numbers, job titles and regional details, as well as business and support information in some cases. Salesforce and Salesloft revoked all compromised tokens on August 20 and temporarily removed the app from the AppExchange.

The affected companies confirmed that access was limited to Salesforce data and that their core platforms were not compromised. Recommended actions are to review OAuth permissions and connected apps, audit Salesforce objects for stored secrets and rotate any credentials found, and strengthen access controls, since the leaked contact data can be used in phishing campaigns and social engineering attacks.
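The "audit sensitive data" step above is where the exfiltrated AWS keys, passwords and Snowflake tokens came from: secrets pasted into support cases. The following is an added example, not code from Salesforce, Salesloft or the briefing, showing how such an audit can be run over exported Case records. The sample records, the field names scanned (`Subject`, `Description`) and the regexes are this example's own assumptions; the AWS values are Amazon's documented example key pair.

```python
import re
from typing import Dict, List

# Constructed sample of Salesforce Case records (not real data), modelled on
# the support data the briefing says was exfiltrated.
SAMPLE_CASES = [
    {"Id": "5001", "Subject": "Login issue",
     "Description": "User cannot log in after password reset, please advise."},
    {"Id": "5002", "Subject": "S3 bucket access",
     "Description": "Use these creds: AKIAIOSFODNN7EXAMPLE / "
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "5003", "Subject": "Snowflake connection",
     "Description": "Connect to xy12345.us-east-1.snowflakecomputing.com, "
                    "password: Winter2025!"},
]

# Assumed text fields to scan (standard Case fields).
TEXT_FIELDS = ("Subject", "Description")

# Detection rules; names and regexes are this example's own, not from any advisory.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-char base64-ish run; only reported when an access key ID is also present
# in the same record, to keep false positives down.
AWS_SECRET_KEY = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
PASSWORD_ASSIGNMENT = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+")
SNOWFLAKE_ACCOUNT = re.compile(r"(?i)\b[a-z0-9][a-z0-9_.-]*\.snowflakecomputing\.com\b")


def scan_text(text: str) -> List[str]:
    """Return the secret types found in one string."""
    found = []
    if AWS_ACCESS_KEY_ID.search(text):
        found.append("aws_access_key_id")
        if AWS_SECRET_KEY.search(text):
            found.append("aws_secret_access_key")
    if PASSWORD_ASSIGNMENT.search(text):
        found.append("password")
    if SNOWFLAKE_ACCOUNT.search(text):
        found.append("snowflake_account")
    return found


def scan_records(records) -> Dict[str, List[str]]:
    """Map record Id -> sorted list of secret types found across its text fields."""
    hits: Dict[str, List[str]] = {}
    for rec in records:
        text = "\n".join(str(rec.get(f, "")) for f in TEXT_FIELDS)
        types = scan_text(text)
        if types:
            hits[rec["Id"]] = sorted(set(types))
    return hits


def rotation_worklist(hits: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert the findings: secret type -> record Ids, i.e. what to rotate and where."""
    work: Dict[str, List[str]] = {}
    for rec_id, types in hits.items():
        for t in types:
            work.setdefault(t, []).append(rec_id)
    return work


if __name__ == "__main__":
    found = scan_records(SAMPLE_CASES)
    for rec_id, types in found.items():
        print(rec_id, ", ".join(types))
    print(rotation_worklist(found))
```

In practice the records would come from a SOQL export of Case (and any custom objects that hold free text); every hit is a credential to treat as compromised and rotate, regardless of whether the attacker's queries are known to have touched that record.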

More info

Google denies that Gmail has suffered a massive data breach

Google has categorically denied reports that it had issued a global security alert to its 2.5 billion Gmail users, calling the claims “completely false.” The confusion stemmed from a misinterpretation of a limited incident in June 2025, when the ShinyHunters group accessed an internal Salesforce database using social engineering techniques (vishing), obtaining basic business contact information but without compromising passwords or sensitive data.

Although some media outlets presented it as a massive Gmail breach, Google clarified that its email infrastructure was not affected and that its systems block more than 99.9% of phishing and malware attempts. The company recommends the use of passkeys and two-step verification with authenticator apps or physical security keys, and warns of similar campaigns targeting various sectors.

More info

Citrix NetScaler backdoors exploited since May 2025

Researcher Kevin Beaumont has disclosed that vulnerability CVE-2025-6543 (CVSSv3 9.2 according to the vendor) in Citrix NetScaler was exploited as a 0-day from May 2025 against governments and legal institutions, more than a month before a patch was available. The attackers, allegedly linked to Volt Typhoon, deployed webshells and created backdoors that persist even after the updates are applied.

The campaign used manipulated requests to execute a Python script that deployed an encrypted PHP webshell. In addition, the attackers altered file timestamps to hide the intrusion. Citrix did not publicly report the existence of these backdoors, limiting the information to customers under confidentiality agreements. Researchers warn that compromised systems may still exist and recommend reviewing NetScaler logs, especially for unusual requests and file modifications.
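Two checks follow from the paragraph above: backdated timestamps and a PHP webshell on disk. The example below is added here and is not code from Citrix or the researchers; it runs over whatever directory it is pointed at (the page names no NetScaler paths, so the demo builds a temporary tree). The timestamp check relies on the fact that `touch`/`utime` rewrite mtime but the kernel stamps ctime with the real time of that call, so a large ctime-minus-mtime gap is a timestomping indicator. The gap threshold and the webshell patterns are this example's own assumptions.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

# If ctime is this much later than mtime, the mtime was set backwards after
# the last metadata change. Threshold is this example's own choice.
CTIME_MTIME_GAP_SECONDS = 60

# Constructed heuristics for a PHP webshell; not indicators from any advisory.
WEBSHELL_PATTERNS = {
    "eval": re.compile(rb"\beval\s*\("),
    "base64_decode": re.compile(rb"\bbase64_decode\s*\("),
    "openssl_decrypt": re.compile(rb"\bopenssl_decrypt\s*\("),
    "request_input": re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["),
}
MIN_PATTERN_HITS = 2  # require more than one construct before flagging


@dataclass
class Finding:
    path: str
    reason: str


def check_timestomp(path: str) -> Optional[Finding]:
    """Flag files whose mtime is older than their ctime by more than the gap."""
    st = os.stat(path)
    gap = st.st_ctime - st.st_mtime
    if gap > CTIME_MTIME_GAP_SECONDS:
        return Finding(path, f"mtime is {int(gap)}s older than ctime (possible timestomp)")
    return None


def check_php_content(path: str) -> Optional[Finding]:
    """Flag .php files that combine several webshell-like constructs."""
    if not path.lower().endswith(".php"):
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    hits = [name for name, pat in WEBSHELL_PATTERNS.items() if pat.search(data)]
    if len(hits) >= MIN_PATTERN_HITS:
        return Finding(path, "webshell-like constructs: " + ", ".join(hits))
    return None


def scan_tree(root: str) -> List[Finding]:
    """Run both checks over every regular file below root."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for check in (check_timestomp, check_php_content):
                result = check(path)
                if result:
                    findings.append(result)
    return findings


def demo():
    """Constructed tree: one benign page and one backdated webshell-like file."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        shell = os.path.join(root, "cache.php")
        with open(shell, "w") as fh:
            fh.write("<?php eval(base64_decode($_POST['c'])); ?>\n")
        # Emulate timestomping: push atime/mtime a year into the past;
        # ctime is updated to now by this very call and cannot be set this way.
        past = time.time() - 365 * 86400
        os.utime(shell, (past, past))
        results = {}
        for f in scan_tree(root):
            results.setdefault(os.path.basename(f.path), []).append(f.reason)
        return results


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

The ctime check is a Linux/Unix heuristic only: an attacker with root can defeat it by changing the system clock or editing the inode directly, so a clean result does not prove a clean host, and a hit is a reason to pull the file and the corresponding access log entries, not a verdict on its own.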

More info

84 Android bugs fixed, including four critical and two actively exploited flaws

Google has released the September 2025 security patch for Android, fixing 84 vulnerabilities, including two actively exploited flaws: CVE-2025-38352 (CVSSv3 7.4, according to CISA; race condition in Linux kernel POSIX timers, allowing privilege escalation and DoS) and CVE-2025-48543 (flaw in Android Runtime allowing malicious apps to evade the sandbox).

Four critical vulnerabilities were also fixed, including CVE-2025-48539, a remote code execution (RCE) flaw in the System component that can be triggered over Bluetooth or WiFi without user interaction. The other three (CVE-2025-21450, CVSSv3 9.1 according to Qualcomm; CVE-2025-21483; CVE-2025-27034) affect Qualcomm components, including memory corruption and index validation errors that allow RCE in the baseband modem.

Patches are available for Android 13 through 16; devices should be updated to security patch level 2025-09-01 or 2025-09-05. Devices running Android 12 or earlier no longer receive these patches and should be replaced or moved to an alternative distribution with active support.

More info