Author: Julia Grits, Netwrix Brand Manager
July 12, 2025
Windows Kerberos CVE-2025-53779 | Privilege Escalation
The essence of the discovered vulnerability lies in a flaw in the Kerberos authentication protocol that allowed a low-privileged user to forge tokens and escalate their access level to that of an Active Directory domain administrator.
The impact is difficult to overestimate, as once inside the network (for example, as a result of a phishing attack), this vulnerability eliminated the need for complex lateral movement and enabled rapid acquisition of domain administrator privileges.
Applying patches to domain controllers (DCs) is a complex task that requires careful preparation. As a result, many organizations fall behind on DC updates. Until patches are applied, even a minor compromise of a user account can instantly escalate into a catastrophic takeover of the entire domain.
What could have prevented it: Netwrix PingCastle
July 14, 2025
A serious flaw in McDonald’s AI-based recruitment chatbot “McHire” could have exposed the data of potentially more than 64 million job applicants. Given the unexpected scale of the potential exposure and the failure of the AI system, this case cannot be ignored in an annual report.
Complaints began appearing on Reddit that Olivia (the bot) was responding with meaningless messages. This attracted the attention of threat analysts Ian Carroll and Sam Curry, who began investigating the issue in more detail.
The chatbot was implemented using Paradox AI. To log in to the portal as a restaurant administrator responsible for hiring, it was sufficient to use default credentials: 123456:123456. Although the restaurant was a test instance, while working with the console and submitting a “job application,” the researchers discovered the CEM (Candidate Experience Manager) system API, through which they gained access to the bot’s conversations with real candidates.
An Insecure Direct Object Reference (IDOR) vulnerability allowed access to objects containing personally identifiable information (PII), which was stored without encryption.
The API returned:
- Name
- Phone number and address
- Candidate status
- Authorization token for accessing the user interface
What could have prevented it: ResilientX
October 11–14, 2025
Two airlines, Qantas and Vietnam Airlines, fell victim to the same attack.
Qantas (Australia) confirmed that data of approximately 5.7 million passengers (names, email addresses, Frequent Flyer numbers) had been copied.
Vietnam Airlines suffered a large-scale leak of customer data—approximately 23 million records, covering the period from 2020 to 2025.
The data was stolen from Salesforce by a hacker group calling itself “Scattered LAPSUS$ Hunters.” The attack lasted an extended period and began with the compromise of a corporate GitHub account belonging to Salesloft, which integrates with Salesforce. The final stage was the publication of the stolen data on the dark web in October after the companies refused to pay a ransom.
The risk associated with compromised user accounts remains the most common cause of data breaches.
What could have prevented it: Netwrix Identity Manager at the source, ResilientX TPRM for integration control
October 30, 2025
Korean automotive manufacturer Hyundai experienced a leak of sensitive customer personal data, including names, driver’s license numbers, addresses, and social security numbers. The exact number of compromised records is unknown, but it potentially affects up to 2.7 million customers in North America. A third-party cybersecurity contractor was engaged to stop the attack.
This case is important not only due to access to sensitive vehicle owner data but also because of the illustrative incident timeline:
- February 22—security breach occurred
- March 1—the company became aware of the incident
- March 2—the breach was remediated
- November—customers began receiving breach notifications
Thus, attackers remained in the system for approximately one week, while public disclosure occurred only eight months later.
According to a company representative, the breach affected approximately 2,000 individuals. It is also worth noting that Hyundai had experienced attacks in previous years: breaches of European divisions were recorded in 2023 and 2024.
What could have prevented it: Netwrix Data Classification, Netwrix Identity Manager, and Wazuh SIEM for overall monitoring
November 5, 2025
Django, one of the most popular Python web frameworks, acknowledged the presence of a critical SQL Injection vulnerability (CVE-2025-64459).
Some Django-based web applications take parameters from HTTP requests and pass them straight into ORM filtering methods without proper validation. If an attacker adds internal keyword arguments such as _connector or _negated alongside the expected parameters, they can manipulate the logic of the resulting SQL query, which Django did not properly validate. This allows attackers to:
- Access other users’ data
- Bypass authentication
- Escalate user privileges
This vulnerability is a classic example of how unsafe use of ORM methods without input validation can lead to serious consequences. Even a relatively simple attack can result in a large-scale data breach and system compromise.
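A defensive counterpart to the pattern just described, added here as an example that is neither Django's own code nor part of the original article: an allowlist that decides which request-supplied keys may be splatted into QuerySet.filter(), so internal arguments such as _connector and _negated never reach the ORM. The model field names and lookups are assumptions for illustration.

```python
"""Allowlisting request-supplied filter arguments before QuerySet.filter(**kwargs).

The unsafe pattern is roughly:
    Ticket.objects.filter(**request.GET.dict())   # every caller key is trusted
Every key the caller supplies is forwarded to the ORM. The helper below keeps
only known field/lookup pairs, so its result is safe to pass to
filter()/exclude()/get(). Field names and lookups are hypothetical.
"""
from typing import Any, Mapping

# Hypothetical allowlist: field -> lookups a caller may use on that field.
ALLOWED_LOOKUPS = {
    "status": {"exact", "in"},
    "created": {"gte", "lte"},
    "owner_id": {"exact"},
}


class UnsafeFilterError(ValueError):
    """Raised when a request parameter is not an allowlisted filter."""


def build_safe_filters(params: Mapping[str, Any],
                       allowed: Mapping[str, set] = ALLOWED_LOOKUPS) -> dict:
    """Return ORM lookup kwargs built only from allowlisted keys.

    Keys starting with an underscore are rejected outright: the allowlist never
    contains them, and that is how filter()/Q() internals are addressed.
    Every other key must be <field> or <field>__<lookup> from the allowlist;
    anything else (unknown field, unexpected lookup) raises instead of being
    silently dropped, so misuse is visible in logs.
    """
    safe: dict = {}
    for key, value in params.items():
        if key.startswith("_"):
            raise UnsafeFilterError(f"internal ORM argument rejected: {key!r}")
        field, _, lookup = key.partition("__")
        lookup = lookup or "exact"
        if field not in allowed or lookup not in allowed[field]:
            raise UnsafeFilterError(f"filter not permitted: {key!r}")
        safe[key] = value
    return safe


def is_safe(params: Mapping[str, Any]) -> bool:
    """True when build_safe_filters accepts every key in params."""
    try:
        build_safe_filters(params)
    except UnsafeFilterError:
        return False
    return True
```

The same allowlist approach applies to keyword arguments handed to Q() objects, which the text names as a second entry point for the same internal arguments.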
What could have prevented it: Automated security testing (SAST/DAST) integrated into CI/CD, Invicti
November 29, 2025
React: CVE-2025-55182 in the React Server Components mechanism
React Server Components (RSC) are an architectural feature of React that allows part of component rendering to be performed on the server, minimizing the amount of JavaScript code sent to the client.
A vulnerability in the way data sent to React endpoints was decoded allowed unauthenticated remote code execution (RCE). A specially crafted HTTP request triggered unsafe deserialization.
This incident became one of the most significant application-layer events of the year. Within 24 hours of public disclosure, threat analysts observed mass scanning activity by Chinese APT groups and botnets targeting millions of vulnerable Next.js applications.
What could have prevented it: Invicti, Mend.io SCA (Software Composition Analysis)
Summary
A significant number of incidents were recorded in 2025; however, the cases highlighted above stand out due to their scale, the number of affected individuals, and their impact on businesses and the industry as a whole.
What actually works and must be implemented:
- Transparency and reporting: SIEM / XDR / DAM
- Account control: IAM / PAM / Zero Trust
- Understanding and protecting data: DLP / Data Discovery
- Third-party control: Supply Chain Security
- Security at the development stage: SAST / DAST