Cisco Patches CVE-2025-20188 (10.0 CVSS) in IOS XE That Enables Root Exploits via JWT
Cisco has released software fixes to address a maximum-severity security flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system. The vulnerability, tracked as CVE-2025-20188, has been rated 10.0 on the CVSS scoring system. “This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system,” the company said in a Wednesday advisory.
Education giant Pearson hit by cyberattack exposing customer data
Education giant Pearson suffered a cyberattack, allowing threat actors to steal corporate data and customer information, BleepingComputer has learned. Pearson is a UK-based education company and one of the world’s largest providers of academic publishing, digital learning tools, and standardized assessments. The company works with schools, universities, and individuals in over 70 countries through its print and online services. In a statement to BleepingComputer, Pearson confirmed they suffered a cyberattack and that data was stolen, but stated it was mostly “legacy data.”
Weaponizing Facebook Ads: Inside the Multi-Stage Malware Campaign Exploiting Cryptocurrency Brands
A persistent malvertising campaign is plaguing Facebook, leveraging the reputations of well-known cryptocurrency exchanges to lure victims into a maze of malware. Since Bitdefender Labs started investigating, this evolving threat has posed a serious risk by deploying cleverly disguised front-end scripts and custom payloads on users’ devices, all under the guise of legitimate cryptocurrency platforms and influencers. This report unveils how the attackers use advanced evasion tactics, mass brand impersonation, and sophisticated user-tracking methods to bypass conventional defenses and maintain a large pool of victims.
Pakistani Firm Shipped Fentanyl Analogs, Scams to US
A Texas firm recently charged with conspiring to distribute synthetic opioids in the United States is at the center of a vast network of companies in the U.S. and Pakistan whose employees are accused of using online ads to scam westerners seeking help with trademarks, book writing, mobile app development and logo designs, a new investigation reveals. In an indictment (PDF) unsealed last month, the U.S. Department of Justice said Dallas-based eWorldTrade “operated an online business-to-business marketplace that facilitated the distribution of synthetic opioids such as isotonitazene and carfentanyl, both significantly more potent than fentanyl.”
Google Deploys On-Device AI to Thwart Scams on Chrome and Android
Google has begun integrating Gemini Nano, its on-device large language model (LLM), into the latest version of the Chrome browser to combat online spam, scams and phishing campaigns. As it released its latest version of its browser, Chrome 137, Google announced that it was experimenting with the on-device LLM as an additional layer of protection in the Enhanced Protection mode of the new browser version’s Safe Browsing service. Chrome’s Enhanced Protection mode is the highest level of Google Safe Browsing and the company claims it provides twice the safeguard against phishing and scams compared to Standard Protection mode.
The NCSC wants developers to get serious on software security
The NCSC’s new Software Security Code of Practice is a “clear call to developers” to beef up secure by design practices, according to a senior cybersecurity expert. James Neilson, SVP International at OPSWAT, said the new rules introduced by the security agency will play a key role in encouraging organizations to build more secure software solutions. “This new code is a welcome move,” he said. “It isn’t just a checklist — it’s a call to get serious about end-to-end security. A software supply chain is only as strong as its weakest link.”
