Alvaro Lopez Ortega / 2025-08-21 Briefing

Created Thu, 21 Aug 2025 00:08:18 +0000 Modified Tue, 02 Sep 2025 02:02:32 +0000
2746 Words

Today’s top news includes significant security updates: Commvault patched critical RCE bugs exploitable via path traversal and API bypass, and Amazon fixed vulnerabilities in its VS Code extension to prevent data leaks. Additionally, the Russian FSB exploited a Cisco bug to access critical infrastructure, raising global security concerns.

▶️ Internet Infrastructure

Commvault Patches Critical RCE Bugs Exploitable via Path Traversal and API Bypass

Commvault patched two critical RCE bug chains on August 20, 2025, after researchers proved exploits; vulnerabilities include session hijacking, path traversal, API bypass, and password decryption, enabling remote code execution.

  • Researchers at watchTowr disclosed proof-of-concept exploits for two unauthenticated remote code execution (RCE) bug chains in Commvault.
  • Patches were released by Commvault on August 20, 2025; SaaS version unaffected.
  • The first chain combines CVE-2025-57791 (session retrieval, CVSS 6.9) and CVE-2025-57790 (path traversal, CVSS 8.7), enabling local admin access and RCE.
  • The second chain involves CVE-2025-57788 (API bypass, CVSS 6.9) and CVE-2025-57789 (full control, CVSS 5.3), exploiting path traversal and password decryption to achieve RCE.
  • Exploits demonstrate that unpatched instances are vulnerable to remote code execution, with some bugs allowing webshell deployment and full system control.

IETF Draft Urges IPv6 Support in DNS to Accelerate IPv4 Deprecation

An IETF draft recommends standardizing IPv6 support in DNS resolvers to promote IPv6 adoption, reduce IPv4 reliance, and address IPv4 scarcity and associated problems.

  • IETF draft proposes making IPv6 support a best practice for DNS resolvers to accelerate IPv4 deprecation
  • Current RFC3901 (2004) mandates IPv4 but leaves IPv6 optional; draft aims to update this
  • Fiebig’s research indicates adopting IPv6 in DNS has no negative impact and may reduce IPv4-related issues and resource scarcity

Russian FSB Exploits Cisco Bug to Access Global Critical Infrastructure

Russian FSB cyber-espionage group exploited a 2018 Cisco Smart Install vulnerability in legacy devices to access critical infrastructure, collecting configs from thousands of devices globally.

  • FBI and Cisco Talos warn Russian FSB actors exploited a 7-year-old Cisco bug (CVE-2018-0171) in end-of-life devices to access critical infrastructure networks.
  • Over the past year, the actors collected configuration files from thousands of US network devices, modifying some to enable unauthorized access.
  • The campaign targets organizations across North America, Asia, Africa, and Europe, focusing on telecommunications, higher education, and manufacturing sectors, with the intent to extract device configurations for strategic use.

TPG Telecom Data Breach Exposes Customer Information After Cyberattack

TPG Telecom’s cyberattack on iiNet involved theft of a single employee login, exposing 280,000 customer emails, 20,000 phone numbers, and 10,000 addresses, with cleanup ongoing.

  • TPG Telecom investigated a cyberattack at its subsidiary iiNet, contained on August 16
  • Attack resulted from theft of a single employee’s login credentials
  • Approximately 280,000 active customer email addresses, 20,000 active landline phone numbers, 10,000 customer usernames, addresses, and 1,700 modem passwords were exposed; additional inactive emails and phone numbers also compromised

AI Crawler Impact and Cloudflare’s Solution for Content Control

AI crawlers scrape content extensively, affecting traffic and revenue; Cloudflare’s AI Audit offers tools for visibility and control over AI crawling activities.

  • AI crawlers scrape content at ratios up to 42000:1 (Anthropic) and 1100:1 (OpenAI), significantly impacting website traffic and content monetization.
  • Google introduced generative AI into search results in mid-2024, causing a 30% decline in clickthrough rates and a 27% increase in AI tool usage replacing traditional search.
  • Cloudflare’s AI Audit provides visibility into crawler activity and granular control, enabling organizations to block or allow specific AI crawlers across webpages.

China’s Great Firewall Disrupts HTTPS Traffic in Major Temporary Outage

China’s Great Firewall temporarily disabled all port 443 traffic for over an hour on August 20, 2025, possibly testing or due to device misconfiguration, affecting global HTTPS connectivity.

  • China’s Great Firewall blocked all TCP port 443 traffic from approximately 00:34 to 01:48 UTC+8 on August 20, 2025
  • The disruption unconditionally injected forged TCP RST+ACK packets, preventing HTTPS and other port 443 services outside China
  • The incident likely involved a new or misconfigured GFW device, with no apparent reason related to censorship or specific events

Google Pixel 10 Pro Fold Debuts First Fully Dust-Resistant Foldable

Google’s Pixel 10 Pro Fold introduces the first fully dust-resistant foldable with IP68 rating, featuring a gear-less hinge that improves durability and dust protection.

  • Google Pixel 10 Pro Fold is the first foldable with an IP68 dust and water resistance rating
  • Features a gear-less hinge design that enhances durability and protection against drops
  • The hinge design prevents dust ingress, addressing a common vulnerability in foldables

▶️ Open Source

AGENTS.md: A Markdown Format for AI Coding Agent Guidance and Project Standardization

AGENTS.md is a Markdown-based format for providing precise, agent-focused project instructions, including setup, code style, testing, and deployment, to facilitate AI coding agent integration across repositories.

  • AGENTS.md is a simple, open format for guiding AI coding agents, used by over 20,000 open-source projects (GitHub link)
  • Provides structured instructions including setup commands (pnpm install, pnpm dev, pnpm test), code style guidelines (TypeScript strict mode, single quotes, no semicolons, functional patterns), and best practices for project onboarding, testing, and PR procedures
  • Supports nested AGENTS.md files for subprojects in monorepos, enabling tailored instructions per package

CachyOS Tops DistroWatch in August 2025 with Gaming-Optimized Performance

CachyOS overtook Mint and MX on DistroWatch in August 2025, offering a highly optimized, customizable Linux distribution with UKUI desktop, supporting multiple desktops, and excelling in gaming performance.

  • CachyOS, an opinionated Arch Linux derivative, became the top-ranked distro on DistroWatch’s popularity chart in August 2025.
  • It features performance-tuned and optimized configurations, including the UKUI desktop, and supports desktops like Xfce, UKUI, and alpha-stage COSMIC.
  • The distribution is noted for its speed, responsiveness, and high compatibility with gaming, with a 4.21% share in the Steam hardware survey.

▶️ Management and Leadership

Lovable CEO Anton Osika Seeks Versatile Curious Builders Over Narrow Skills

Lovable CEO Anton Osika seeks candidates with high learning slope, versatility, curiosity in first principles thinking, and a bias to build, emphasizing adaptability and practical output over specific skills.

  • Lovable CEO Anton Osika co-founded the startup in 2023 and emphasizes hiring generalists over narrow specialists.
  • He prioritizes four traits: slope (ability to learn), breadth (versatility), curiosity (first principles thinking), and bias to build (proven ability to ship).
  • Osika values learning agility and adaptability over current skills, and prefers candidates who demonstrate reasoning from first principles and a track record of creating tangible results.

Leaked Microsoft Compensation Data Reveals Pay Gaps and AI Talent Focus

Leaked spreadsheet reveals Microsoft employee compensation data, with over 850 entries, highlighting pay ranges across teams; the company aims to enhance pay competitiveness to attract AI talent.

  • Over 850 self-reported entries detail Microsoft employee compensation, including salary, bonus, and stock awards.
  • Data covers software engineers in the US, with analysis excluding entries with fewer than three submissions or potential typos.
  • Average base pay varies by team, e.g., Cloud + AI ($204,135), Microsoft AI ($170,456), and Xbox ($168,831).

TikTok Mandates GMV Max AI Tool for Shops Amid Brand Concerns

TikTok requires TikTok Shop brands to adopt GMV Max, an AI-driven ad automation tool, by September 1, 2025, to maximize sales but faces pushback over control and transparency concerns.

  • TikTok mandates brands to use the AI-powered GMV Max tool for TikTok Shop advertising starting September 1, 2025
  • GMV Max automates ad campaign management by optimizing spending, product selection, and ROI targets using an AI algorithm
  • Some brands express dissatisfaction due to reduced control, limited performance insights, and measurement transparency issues

Amazon patches security flaws in Q Developer VS Code extension to prevent data leaks

Amazon quietly patched prompt injection and RCE vulnerabilities in its Q Developer VS Code extension, preventing data leaks and arbitrary code execution through malicious prompts, following researcher disclosures.

  • Amazon fixed security flaws in the Q Developer VS Code extension, addressing prompt injection and remote code execution (RCE) vulnerabilities.
  • The vulnerabilities could allow attackers to leak secrets, including API keys, and execute arbitrary code via malicious prompts.
  • Updates were made to the underlying language server (v1.24.0); restarting the plugin applies the fixes requiring human-in-the-loop approval.

GSA Launches USAi.gov AI Sandbox for Federal Agency Model Evaluation

GSA launched USAi.gov as a temporary, shared AI sandbox for federal agencies to evaluate models from OpenAI, Google, and Anthropic, aiming to streamline AI adoption and reduce costs.

  • GSA launched USAi.gov as a cloud-based AI evaluation platform for federal agencies, enabling sandbox experimentation with models from OpenAI, Google, and Anthropic.
  • The platform includes evaluation tools, dashboards, and analytics to help agencies identify effective AI models, aiming to reduce duplication and improve efficiency.
  • GSA CIO David Shive stated the platform’s purpose is to facilitate early AI testing, but GSA Chief Data and AI Officer Zach Whitman indicated it is intended as a temporary measure, with the market expected to address long-term needs.

Google Adjusts Play Store Fees to Comply with EU Regulations

Google modifies Play Store fee structure and policies to satisfy EU regulators, reducing initial fees to 3%, tiered ongoing fees, and offering more developer flexibility, amid mixed industry reactions.

  • Google announced modifications to Play Store fee structure to address EU regulatory concerns and avoid DMA fines.
  • Developers can now choose display links and fee models, including directing users outside Google’s ecosystem.
  • The initial app acquisition fee is reduced to 3% for six months post-install; ongoing fees are tiered—Tier 1 (mandatory) covers essential services, Tier 2 (optional) covers promotion and management.
  • Tiered charges vary by country, e.g., €1.90 in Ireland and €0.20 in Albania for a game download; fees aim to compensate for platform services.
  • Reactions are mixed; Epic Games’ Tim Sweeney calls it “malicious compliance,” while Google warns of potential risks to user safety and app quality.
  • Google plans to update its External Offers Program with revised fees and options, following DMA discussions; the European Commission will assess compliance.

KPMG Unveils AI TaxBot for Rapid Tax Advice Using Multi-LLM RAG Technology

KPMG built a 100-page prompt to develop an AI-driven TaxBot capable of producing tax advice within a day, leveraging RAG and multi-vendor LLMs, significantly improving speed and efficiency.

  • KPMG developed a 100-page prompt to create an agentic TaxBot for rapid tax advice generation
  • The system produces advice in one day instead of two weeks, enhancing efficiency without job losses
  • The TaxBot uses Retrieval-Augmented Generation (RAG), multiple LLMs from OpenAI, Microsoft, Google, Anthropic, and Meta, and requires four to five user inputs

Microsoft fixes security flaw in M365 Copilot without customer notification

Microsoft fixed a security flaw in M365 Copilot on August 18, 2025, enabling content access without audit logs, but did not inform customers, raising transparency concerns.

  • Microsoft did not disclose a patched vulnerability in M365 Copilot that allowed content access without audit logs.
  • The flaw enabled a malicious insider to ask Copilot to summarize files without links, bypassing logging.
  • The issue was fixed on August 18, 2025, but Microsoft classified it as “important” and did not notify customers, affecting audit log integrity.

Salesforce Launches FedRAMP-Authorized Agentforce AI Platform for Government

Salesforce launched Agentforce for Public Sector, a FedRAMP High authorized AI platform with prebuilt bots for government tasks, supporting deployment and low-code customization.

  • Salesforce announced Agentforce for Public Sector, a FedRAMP High authorized AI platform for government use, enabling deployment of prebuilt AI bots.
  • Six prebuilt AI agents include code enforcement, complaint identification, recruitment, job recommendation, benefit application, and complaint filing bots; the first three available at launch, others in October.
  • The platform supports integration with existing Salesforce environments, pulling data from Salesforce Data Cloud and external sources, and offers a low-code environment for custom AI development.

▶️ Technology

Hacker Reveals Critical Security Flaws in McDonald’s Systems

A hacker exposed critical security flaws in McDonald’s online systems, including free food ordering, insecure employee portals, and exposed API keys, highlighting poor security practices and delayed fixes.

  • Hacker “Bobdahacker” identified critical security flaws in McDonald’s staff and partner portals, allowing unauthorized free food orders, admin access to marketing materials, and potential email account compromise.
  • Vulnerabilities included client-side security checks without server validation in the delivery app, insecure access to Feel-Good Design Hub, and flawed OAuth implementation enabling access to employee portals and sensitive documents.
  • McDonald’s took three months to fix some issues, but vulnerabilities persisted, such as plaintext password emails, exposed API keys, and insecure URL modifications; the company lacked a security.txt file for responsible disclosure.

Harvard Unveils Halo X Smart Glasses with AI, Real-Time Insights and Security

Harvard researchers launched Halo X smart glasses with always-on AI listening, cloud processing, and end-to-end encryption, enabling real-time info, conversation summaries, and potential enterprise use.

  • Halo X is a pair of smart glasses designed by Harvard researchers, preorders open at $249 with shipping expected early next year
  • Features include a heads-up display, embedded microphones, Bluetooth audio, cloud-based AI processing, and local storage with end-to-end encryption
  • The glasses continuously listen to conversations, analyze audio via cloud AI models from Google and Perplexity, and can provide summaries, reminders, and real-time responses

Perplexity’s Comet Browser Vulnerable to Prompt Injection Attacks

Perplexity’s Comet browser was vulnerable to prompt injection attacks by processing untrusted web content, leading to potential security breaches; Brave flagged the issue, now reportedly patched.

  • Perplexity’s Comet browser naively processed web pages, executing malicious instructions via prompt injection.
  • Vulnerability involved indirect prompt injection allowing exfiltration of user credentials, demonstrated with a Reddit attack.
  • Brave identified the flaw, which was reportedly patched by Perplexity as of August 13, 2025; Brave cannot confirm complete mitigation due to closed source.

Google Pixel Watch 4 Debuts with Curved Display Faster Charging and Satellite SOS

Google Pixel Watch 4 introduces a curved Acuta 360 display, enhanced brightness, faster charging, and satellite SOS, with a launch in October and a starting price of $349.

  • Google Pixel Watch 4 features a new Acuta 360 curved display with a 16% smaller bezel and 10% more screen area
  • The display offers 3,000 nits brightness, 50% brighter than previous models, matching the Apple Watch Ultra 2
  • It includes a Qualcomm Snapdragon W5 Gen 2 dual-chip architecture, faster charging (25% improvement), and up to 40 hours battery life
  • Introduces standalone SOS Emergency satellite service, allowing space-based signals without a smartphone
  • Redesigned apps with Material 3 design, stronger haptics (15% increase), clearer speaker, raise-to-wake AI, and improved repairability
  • Maintains same pricing as previous year: $349 (41mm) and $399 (45mm), with LTE versions costing $50 more
  • Launch scheduled for October 9, alongside Pixel 10 Pro Fold and Pixel Buds 2a; includes a new charger compatible with faster charging
  • Water-resistant up to 50 meters (IP68), with battery life estimates of 30-40 hours depending on size
  • Fitbit Premium health coaching feature delayed until October 2025; Google emphasizes easier repair options for the watch

Google Pixel Buds 2A Launches with Tensor A1 and Enhanced Features at $129.99

Google Pixel Buds 2A, priced at $129.99, feature Tensor A1 chip, active noise cancellation, AI noise reduction, 7-10 hours battery life, and repairability, with software updates for Pixel Buds Pro 2.

  • Google Pixel Buds 2A launched at $129.99, $30 more than the original Pixel Buds A-series
  • Features include Tensor A1 chip, active noise cancellation, transparency mode, AI-powered wind and background noise reduction, and Gemini access
  • Battery life increased to approximately 7 hours with ANC on, 10 hours off; case provides 20 additional hours; 5-minute charge yields 1 hour of use
  • Improved IP54 water and sweat resistance for buds, IPX4 for case; repairable design allows battery replacement via removable inside insert
  • Software updates for Pixel Buds Pro 2 also planned

Meta AI Implements Hiring Freeze Amid Cost Cuts and Economic Uncertainty

Meta AI implemented a hiring freeze on research and engineering roles as part of cost reductions amid economic uncertainty, with no specified timeline.

  • The article reports on a hiring freeze at Meta AI, affecting AI research and engineering roles.
  • The freeze is part of broader cost-cutting measures amid economic uncertainties.
  • No specific duration or scope of the hiring freeze is disclosed.

Google Pixel 10 Series Unveiled with AI, Foldable Design, and High-End Features

Google’s Pixel 10 lineup, powered by Tensor G5, introduces AI enhancements, foldable design, and multiple storage options, with prices from $799 to $1,799, emphasizing AI, battery, and camera improvements.

  • Google announced Pixel 10 series, including Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, and Pixel 10 Pro Fold, with prices ranging from $799 to $1,799.
  • Devices feature the new Google Tensor G5 chip, optimized for advanced AI, all-day battery life, and high-quality photos and videos; Pixel 10 Pro Fold emphasizes multitasking with a large foldable display.
  • Pixel 10 Pro models include 128GB to 256GB storage options; Pixel 10 Pro Fold offers 256GB; Pixel Watch 4 priced at $399.99; Pixel Buds 2a at $129.