Windows Server Emergency Patches Fix WSUS Bug With PoC Exploit
Microsoft has released out-of-band (OOB) security updates to patch a critical-severity Windows Server Update Services (WSUS) vulnerability with publicly available proof-of-concept exploit code. WSUS is a Microsoft product that enables IT administrators to manage and deliver Windows updates to computers within their network. Tracked as CVE-2025-59287 and patched during this month’s Patch Tuesday, this remote code execution (RCE) security flaw affects only Windows servers with the WSUS Server Role enabled, a feature that isn’t enabled by default. The vulnerability can be exploited remotely in low-complexity attacks that do not require user interaction, allowing threat actors without privileges to target vulnerable systems and run malicious code with SYSTEM privileges. This makes it potentially wormable between WSUS servers.
Source: BleepingComputer

Zero Trust Has a Blind Spot—Your AI Agents
Agentic AI has arrived. From custom GPTs to autonomous copilots, AI agents now act on behalf of users and organizations, or even act as just another teammate, making decisions, accessing systems, and invoking other agents without direct human intervention. But, with this new level of autonomy comes an urgent security question: If AI is doing the work, how do we know when to trust it? In traditional systems, Zero Trust architecture assumes no implicit trust, where every user, endpoint, workload, and service must continuously prove who they are and what they’re authorized to do. However, in the agentic AI world, these principles break down fast. AI agents often operate under inherited credentials, with no registered owner or identity governance. The result is a growing population of agents that may look trusted but actually are not, one of many risks of autonomous AI agents in your infrastructure.
Source: BleepingComputer

3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation
A malicious network of YouTube accounts has been observed publishing and promoting videos that lead to malware downloads, essentially abusing the popularity and trust associated with the video hosting platform for propagating malicious payloads. Active since 2021, the network has published more than 3,000 malicious videos to date, with the volume of such videos tripling since the start of the year. It has been codenamed the YouTube Ghost Network by Check Point. Google has since stepped in to remove a majority of these videos. The campaign leverages hacked accounts and replaces their content with “malicious” videos that are centred around pirated software and Roblox game cheats to infect unsuspecting users searching for them with stealer malware. Some of these videos have racked up hundreds of thousands of views, ranging from 147,000 to 293,000.
Source: TheHackerNews

Toys ‘R’ Us Canada Customer Information Leaked Online
Toy store Toys “R” Us Canada this week notified its customers that a threat actor stole their personal information and leaked it on the dark web. The incident, the company said in notification emails to customers, copies of which have been shared on social media platforms, was discovered on July 30, after the information was posted on “the unindexed internet”. “We immediately hired third-party cybersecurity experts to assist with containment and to investigate the incident. The investigation revealed that the unauthorized third party copied certain records from our customer database which contains personal information,” the notification reads. The compromised information, the company told shoppers, includes names, addresses, email addresses, and phone numbers. It also said it was in the process of notifying the relevant authorities.
Source: SecurityWeek

Pwn2Own WhatsApp Hacker Says Exploit Privately Disclosed to Meta
A total of $1,024,750 has been paid out at the Pwn2Own Ireland 2025 hacking contest organized by Trend Micro’s Zero Day Initiative (ZDI), but the event has been overshadowed by the last-minute withdrawal of a researcher who was scheduled to demonstrate a WhatsApp exploit worth $1 million. The highest reward at Pwn2Own Ireland 2025, $100,000, was paid out for an exploit chain targeting the QNAP Qhora-322 router and the QNAP TS-453E NAS device. Two Samsung Galaxy S25 exploit chains were each rewarded with $50,000, and the same amount was earned for vulnerabilities in Synology ActiveProtect Appliance DP320 and the Sonos Era 300 smart speaker. Participants received up to $40,000 for hacking Ubiquiti cameras, QNAP and Synology NAS devices, Lexmark and Canon printers, and smart home systems such as Philips Hue Bridge, Amazon Smart Plug, and Home Automation Green.
Source: SecurityWeek
