Svoboda Cybersecurity Brief June 16, 2025


Washington Post journalists targeted in suspected nation-state cyberattack

A cyberattack on the Washington Post compromised Microsoft email accounts of journalists, particularly those covering national security, economic policy, and China. The breach, discovered on June 13, 2025, is suspected to be the work of a foreign government.
Source: DataBreaches.net

Over 46,000 Grafana instances vulnerable to account takeover (CVE-2025-4123)

46,506 internet-facing Grafana instances remain unpatched against CVE-2025-4123, a client-side open redirect flaw enabling malicious plugin execution and account hijacking. Exploitation requires user interaction but can bypass default CSP protections.
Impact: Attackers can hijack sessions, modify credentials, and perform SSRF if Grafana Image Renderer is installed.
Mitigation: Upgrade to patched versions (10.4.18+, 11.2.9+, etc.) or disable plugin features if unused.
Source: BleepingComputer

Updated resource on U.S. state data breach notification laws (June 2025)

Foley & Lardner released an updated chart summarizing state-specific breach notification requirements for data owners, current as of June 2, 2025. The resource excludes non-owners, HIPAA/GLBA exceptions, and detailed safe harbor provisions for encrypted/public data.
Source: DataBreaches.net
