Issue #156 - June 30, 2025
- Weekly INK
Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update
Source: The Hacker News
Google has released security updates to address a vulnerability in its Chrome browser for which an exploit exists in the wild. The zero-day vulnerability, tracked as CVE-2025-6554 (CVSS score: N/A), has been described as a type confusion flaw in the V8 JavaScript and WebAssembly engine.
Forminator WordPress Plugin Vulnerability Exposes 400,000 Websites to Takeover
Source: Security Week
A vulnerability in the Forminator WordPress plugin allows attackers to delete arbitrary files and take over impacted websites. A popular form builder plugin with more than 600,000 active installations, Forminator supports the creation of various types of forms, including contact and payment forms, polls, and more.
Over 260K exposed in St. Louis healthcare hack
Source: Cyber News
Esse Health, one of the largest independent primary care groups in the Midwest, has suffered a hacker attack. Attackers were able to access a trove of sensitive and personal patient data. Unknown attackers penetrated the primary care provider in late April of this year, accessing and stealing files that contained sensitive patient data, Esse Health said in a breach notification sent out to numerous potential victims.
Infrastructure Operators Leaving Control Systems Exposed
Source: Info Risk Today
Heavily used types of industrial control systems continue to be publicly accessible over the internet, often exposed by critical infrastructure operators in the United States. A risky move to begin with, such exposure can be particularly perilous in light of mounting geopolitical tensions that make the devices high-value targets for nation-state hackers.
Attackers Impersonate Top Brands in Callback Phishing
Source: Dark Reading
Hackers are impersonating Microsoft, PayPal, Docusign, and other familiar brands in callback phishing scams aimed at stealing confidential information or delivering malware. These attacks trade the use of typical fake websites or links used in traditional phishing campaigns for a vector in which the victim calls the attacker on the phone themselves, believing they must handle an important transaction.