In today’s cybersecurity news…
Microsoft warns of high-severity flaw in hybrid Exchange deployments
This vulnerability could allow attackers to escalate privileges undetected in Exchange Online. It affects hybrid deployments, where on-premises Exchange servers are connected to Exchange Online to allow seamless integration of email and calendar features. “By abusing this shared identity, attackers who control the on-prem Exchange can potentially forge or manipulate trusted tokens or API calls that the cloud side will accept as legitimate, as it implicitly trusts the on-premises server.” The vulnerability “affects Exchange Server 2016 and Exchange Server 2019, as well as Microsoft Exchange Server Subscription Edition, the latest version, which replaces the traditional perpetual license model with a subscription-based one.” No in-the-wild exploitation has yet been seen, but Microsoft has tagged it as “Exploitation More Likely.” The flaw is tracked as CVE-2025-53786.
France’s third-largest mobile operator suffers breach
“Bouygues (Boyg) Telecom, one of France’s largest telecom companies and its third-largest mobile operator, announced on Wednesday that it had been hit by a cyberattack that compromised the data of millions of customers.” The attack has been resolved, but a statement released by the company describes “unauthorized access to certain personal data from 6.4 million customer accounts,” although it does not distinguish between mobile customer accounts and fiber-to-home accounts in that tally. This follows another attack last week affecting Orange, which is the largest telecoms provider in France, although Orange did not disclose any breach of customer data. There have been no subsequent reported impacts on Orange customers, either in the retail or enterprise spaces.
Dialysis company’s April attack affects 900,000 people
Following up on a story we covered in April, DaVita, a Denver-based healthcare provider of kidney-related care such as dialysis, says that the ransomware attack that occurred in April did result in access to the PII, health insurance information and medical information of more than 900,000 people, taken as part of the 1.5 terabyte haul claimed by the Interlock ransomware gang. As quoted in The Record, “the attack caused alarm because of the pivotal role DaVita plays for dialysis patients…[in] treating end-stage renal disease which necessitates kidney dialysis three times per week until patients receive a new kidney.”
Huge thanks to our sponsor, ThreatLocker
ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com/CISO.
Another video surveillance company is facing problems.
Researchers from security firm Claroty have identified a number of security flaws in video surveillance products from Axis Communications. The flaws could allow remote code execution (RCE) and device takeover, specifically through the company’s Axis Device Manager, which manages fleets of cameras, and Axis Camera Station, the client software used to view camera feeds. Claroty said it found more than 6,500 servers that “expose the proprietary Axis Remoting protocol and its services over the internet, out of which nearly 4,000 are located in the U.S.” The four CVEs associated with these flaws range from 4.8 to 9.0 on the CVSS scale and are listed in the show notes to this episode: CVE-2025-30023, CVE-2025-30024, CVE-2025-30025, CVE-2025-30026.
Air France and KLM announce data breaches
The two airlines announced on Wednesday that attackers had “breached a customer service platform and stolen the data of an undisclosed number of customers.” The airlines are part of the French-Dutch multinational holding company Air France–KLM Group, whose systems were compromised. Spokespeople emphasize that the airlines’ own networks were not affected by the attack, and that customers’ financial and personal information was not affected. BleepingComputer suggests that this incident is “part of a wave of data breaches linked to the ShinyHunters extortion group, which targets Salesforce instances in vishing and social engineering attacks.”
Ghost Calls exploits video chat connectivity to break in
Speaking at Black Hat USA, security researcher Adam Crosser of Praetorian described a post-exploitation command-and-control (C2) evasion method called Ghost Calls. The technique abuses TURN (Traversal Using Relays around NAT) servers, part of a networking protocol used by video call, VoIP, and WebRTC services that “helps devices behind NAT firewalls communicate with each other when a direct connection is not possible.” For example, a Zoom or Teams meeting issues temporary TURN credentials, and these can be hijacked to set up a WebRTC tunnel between the attacker and the victim. Ghost Calls uses legitimate credentials, WebRTC, and custom tooling to bypass most existing defenses and anti-abuse measures without relying on an exploit, allowing operators to blend interactive C2 sessions into normal enterprise traffic patterns, appearing as nothing more than a temporarily joined online meeting.