CVE-2025-4664 proves that even trusted browsers are not immune to catastrophic zero-day vulnerabilities.

Cross-origin data is up for grabs if you haven't updated Chrome or Chromium.

Patch immediately: Reset the phone and make sure not to install any app by Meta.

Secure Boot bypass for laptops, embedded and medical devices, and car ECUs: technical details and exploit. Security researcher Nikolaj Schlej shared yesterday a new and quite effective (even trivial) way to bypass Secure Boot in Insyde H20 UEFI BIOS. The vulnerability, CVE-2025-4275, was named Hydroph0bia by the author. Most ARM-based laptops from Acer, HP, Lenovo, Huawei, Samsung, and Dell use this BIOS and are therefore affected. This product is also ported to multiple systems for IoT, SCADA, and critical infrastructure. Insyde H20 continuously presents its solutions for communication devices, robotics, and manufacturing equipment. Car components, as well as other areas in digital mobility (aviation, maritime, and railroad), also use Insyde H20 Secure Boot as part of ARM-based and other UEFI-compatible systems. So, check your SBOMs and make sure your product is not affected.

👤Most sensitive data be encrypted by organizations that handle it? Yes, absolutely. Is it always encrypted?

🔥Unfortunately, not like in the recent SK Telecom HSS breach, USIM keys were reportedly stored in plain format without proper protection.

💻 Now, what happens when the stolen data is encrypted?
Time plays in the hacker’s favour. If the data has long-term value, they may invest effort in decrypting it, and that's exactly what seems to have happened here:

📂 A dataset of over 70 million AT&T customer records (some say 86 million) began circulating on cybercrime forums in mid-May 2025:

🔻Full names, birthdates, phone numbers, emails, and addresses.
🔻Around 44 million Social Security Numbers, now fully decrypted!

It’s believed the dataset originates from earlier breaches (possibly 2021), where the SSNs were encrypted. But now it’s been fully decrypted, repackaged, and released as a clean structured identity database.

🧨 Which is bad… This data has lifelong fraud potential!
Hackers can use it to bypass most legacy validation and KYC processes, from SIM swap attacks to full-scale identity theft, fraudulent loans, etc.

⚠️ A not so quiet side effect: a reminder that static data was never meant to prove identity. SSNs and similar identifiers were never meant to be authentication factors, but they’ve been treated as such for decades.

Please keep in mind:
🔻SSN + DOB + Address + Else ≠ Identity proof
🔻Any system relying on static identity data is open to impersonation and abuse.

A possible malware distribution mechanism.

An interesting thread.