Researchers have convinced ChatGPT to solve CAPTCHAs, even though it's against its policy.

If you’re seeing fewer or different CAPTCHA puzzles in the near future, that’s not because website owners have agreed that they’re annoying, but it might be because they no longer prove that the visitor is human.

For those that forgot what CAPTCHA stands for: Completely Automated Public Turing test to tell Computers and Humans Apart.

The fact that AI bots can bypass CAPTCHA systems is nothing new. Sophisticated bots have been bypassing CAPTCHA systems for years using methods such as optical character recognition (OCR), machine learning, and AI, making traditional CAPTCHA challenges increasingly ineffective.

Most of the openly accessible AI chat agents have been barred from solving CAPTCHAs by their developers. But now researchers say they’ve found a way to get ChatGPT to solve image-based CAPTCHAs. They did this by prompt injection, similar to “social engineering” a chatbot into doing something it would refuse if you asked it outright.

In this case, the researchers convinced ChatGPT-4o that it was solving fake CAPTCHAs.

According to the researchers:

> “This priming step is crucial to the exploit. By having the LLM affirm that the CAPTCHAs were fake and the plan was acceptable, we increased the odds that the agent would comply later.”

This is something I have noticed myself. When I ask an AI to help me analyze malware, it often starts by saying it is not allowed to help me, but once I convince it I’m not going to improve it or make a new version of it, then it’ll often jump right in and assist me in unravelling it. By doing so, it provides information that a cybercriminal could use to make their own version of the malware.

The researchers proceeded by copying the conversation they had with the chatbot into the ChatGPT agent they planned to use.

A chatbot is built to answer questions and follow specific instructions given by a person, meaning it helps with single tasks and relies on constant user input for each step. In contrast, an AI agent acts more like a helper that can understand a big-picture goal (for example, “book me a flight” or “solve this problem”) and can take action on its own, handling multi-step tasks with less guidance needed from the user.

A chatbot relies on the person to provide every answer, click, and decision throughout a CAPTCHA challenge, so it cannot solve CAPTCHAs on its own. In contrast, an AI agent plans tasks, adapts to changes, and acts independently, allowing it to complete the entire CAPTCHA process with minimal user input.

What the researchers found is that the agent had no problems with one-click CAPTCHAs, logic-based CAPTCHAs, and CAPTCHAs based on text-recognition. It had more problems with image-based CAPTCHAs requiring precision (drag-and-drop, rotation, etc.), but managed to solve some of those as well.

Is this a next step in the arms-race, or will the web developers succumb to the fact that AI agents and AI browsers are helping a human to get the information from their website that they need, with or without having to solve a puzzle.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 ChatGPT solves CAPTCHAs if you tell it they&#8217;re fake 

With the emergence of AI-driven attacks and quantum computing, and the explosion of hyperconnected devices, zero trust remains a core strategy for security operations.

15 Years of Zero Trust: Why It Matters More Than Ever

The security landscape now moves at a pace no patch cycle can match. Attackers aren’t waiting for quarterly updates or monthly fixes—they adapt within hours, blending fresh techniques with old, forgotten flaws to create new openings. A vulnerability closed yesterday can become the blueprint for tomorrow’s breach.
This week’s recap explores the trends driving that constant churn: how threat

⚡ Weekly Recap: Chrome 0-Day, AI Hacking Tools, DDR5 Bit-Flips, npm Worm & More

Europol and 18 countries used AI forensics to identify 51 child victims and 60 suspects in a global online abuse investigation.

An international police taskforce has identified 51 children in an operation targeting online child sexual exploitation, Europol confirmed today. The investigation, which brought together officers from 18 countries, also led to 60 suspects facing criminal proceedings.

The task force met at Europol’s headquarters in The Hague, where specialists analysed more than 5,000 pieces of child exploitation material over two weeks. Investigators worked to collect online evidence that could help identify victims and offenders, a process that relied on both traditional policing skills and AI-driven forensic tools to speed up detection.

According to Europol’s press release, the findings have already led to arrests in several countries. National authorities are now pursuing investigations based on 276 intelligence packages prepared during the operation, building on the leads gathered in The Hague.

In many cases, the material under review was stored on servers in one country, distributed through platforms in another, and linked to victims elsewhere. However, investigators reduced the time it normally takes to connect evidence to actual children by combining resources and sharing intelligence in real time.

Europol said the task force’s model will continue to guide future operations. Its specialists are investing in more advanced forensic techniques and AI-driven tools to process large datasets more efficiently, making it harder for offenders to hide behind encryption, anonymisation, or fragmented storage across multiple platforms.

Cases like this show children are being targeted in online environments where offenders manipulate platforms meant for communication or entertainment. While law enforcement agencies are doing what they should, parents also need to protect their kids by having honest conversations about online risks, setting boundaries, and teaching kids how to report unwanted contact.

1.  1 in 5 Youth Engage in Cybercrime, NCA Finds
2.  Half of Online Child Grooming Cases Now Happen on Snapchat
3.  Online gaming safety for kids: learn how to protect your children
4.  Online Child Exploitation Network 764 Busted; 2 US Leaders Arrested
5.  Top Israeli Cybersecurity Official Arrested in US Child Exploitation Sting

AI Forensics Help Europol Track 51 Children in Global Online Abuse Case

We hear this a lot:
“We’ve got hundreds of service accounts and AI agents running in the background. We didn’t create most of them. We don’t know who owns them. How are we supposed to secure them?”
Every enterprise today runs on more than users. Behind the scenes, thousands of non-human identities, from service accounts to API tokens to AI agents, access systems, move data, and execute tasks

We hear this a lot:

**"We've got hundreds of service accounts and AI agents running in the background. We didn't create most of them. We don't know who owns them. How are we supposed to secure them?"**

Every enterprise today runs on more than users. Behind the scenes, thousands of non-human identities, from service accounts to API tokens to AI agents, access systems, move data, and execute tasks around the clock.

They're not new. But they're multiplying fast. And most weren't built with security in mind.

Traditional identity tools assume intent, context, and ownership. Non-human identities have none of those. They don't log in and out. They don't get offboarded. And with the rise of autonomous agents, they're beginning to make their own decisions, often with broad permissions and little oversight.

It's already creating new blind spots. But we're only at the beginning.

In this post, we'll look at how non-human identity risk is evolving, where most organizations are still exposed, and how an identity security fabric helps security teams get ahead before the scale becomes unmanageable.

**The rise (and risk) of non-human identities**

Cloud-first architectures increased infrastructure complexity and triggered a surge in background identities. As these environments grow, the number of background identities grows with them, many of which get created automatically, without clear ownership or oversight. In many cases, these identities outnumber human users by more than 80 to 1.

What makes that especially risky is how little most teams know about them. NHIs often get created automatically during deployment or provisioning, then disappear from the radar, untracked, unowned, and often over-permissioned.

Service accounts, in particular, are everywhere. They move data between systems, run scheduled jobs, and authenticate headless services. But their sprawl is rarely visible, and their permissions are rarely reviewed. Over time, they become perfect vehicles for lateral movement and privilege escalation.

But service accounts are only part of the picture. As AI adoption grows, a new category of non-human identity introduces even more unpredictable risk.

**Why AI agents behave differently and why that matters**

Unlike most machine identities, AI agents initiate actions on their own; interacting with APIs, querying data, and making decisions autonomously.

That autonomy comes at a cost. AI agents often need access to sensitive data and APIs, but few organizations have guardrails for what they can do or how to revoke that access.

Worse, most AI agents lack clear ownership, follow no standard lifecycle, and offer little visibility into their real-world behavior. They can be deployed by developers, embedded in tools, or called via external APIs. Once live, they can run indefinitely, often with persistent credentials and elevated permissions.

And because they're not tied to a user or session, AI agents are difficult to monitor using traditional identity signals like IP, location, or device context.

**The cost of invisible access**

Secrets get hardcoded. Tokens get reused. Orphaned identities remain active for months, sometimes years.

These risks are not new, but static credentials and wide-open access may have been manageable when you had a few dozen service accounts. But with thousands, or tens of thousands, of NHIs operating independently across cloud services, manual tracking simply doesn't scale.

That's why many security teams are revisiting how they define identity in the first place. Because if an AI agent can authenticate, access data, and make decisions, it _is_ an identity. And if that identity isn't governed, it's a liability.

**Common NHI security challenges**

Understanding that non-human identities represent a growing risk is one thing; managing that risk is another. The core problem is that the tools and processes built for human identity management don't translate to the world of APIs, service accounts, and AI agents. This disconnect creates several distinct and dangerous security challenges that many organizations are only beginning to confront.

**You can't protect what you can't see**

The most fundamental challenge in securing NHIs is visibility. Most security teams don't have a complete inventory of every non-human identity operating in their environment. These identities are often created dynamically by developers or automated systems to serve a specific, temporary function. They get spun up to support a new microservice, run a deployment script, or integrate a third-party application.

Once created, however, they rarely get documented or tracked in a central identity management system. They become "shadow" identities, active and functional, but completely invisible to security and IT. Without a comprehensive view of what NHIs exist, who (or what) created them, and what they are accessing, it's impossible to build a meaningful security strategy. You are left trying to secure an attack surface of an unknown size.

**Why "set it and forget it" is a security liability**

A common practice for developers and operations teams is to assign broad permissions to NHIs to ensure a service or application works without interruption. Think of it as installing an app that asks for access to your camera roll, microphone, and location. You tap "Allow" just to get it working, then forget about it.

It's quicker and more convenient at the moment, but it introduces unnecessary risks. Similarly, assigning overly broad permissions to NHIs might make setup easier, but it creates significant security gaps, leaving your systems vulnerable to exploitation.

The principle of least privilege is often sacrificed for speed and convenience. An NHI might only need to read data from one database table, but it's granted write access to the entire database to avoid future permission-related errors.

This approach creates a massive security liability. These over-permissioned identities become high-value targets for attackers. If a threat actor compromises an NHI with excessive privileges, they can move laterally across systems, escalate their access, and exfiltrate sensitive data without ever needing a human user's credentials.

Because of how rarely NHIs are reviewed or deprovisioned, these permissive accounts can remain active and vulnerable for months or even years, waiting to be exploited.

**No context, no modern controls**

Modern identity security relies on context. When a user logs in, we can verify their identity using signals like their location, device, and network, often prompting for multi-factor authentication (MFA) if something seems unusual. NHIs have none of this context. They are just code executing on a server. They don't have a device, a geographic location, or behavioral patterns that can be easily monitored.

Because they authenticate with static, long-lived credentials, MFA doesn't apply. This means that if a credential is stolen, there is no second factor to stop an attacker from using it. The absence of context-aware access controls makes it incredibly difficult to distinguish between legitimate and malicious NHI activity until it's too late.

**Orphaned identities and digital ghosts**

What happens when the developer who created a service account leaves the company? Or when an application that used a specific API token is decommissioned? In most organizations, the associated NHIs are left behind. These "orphaned" or "lingering" identities remain active, with their permissions intact, but with no owner responsible for their lifecycle.

These digital ghosts are a compliance nightmare and a security risk. They clutter the environment, making it harder to identify legitimate and active identities. More importantly, they represent an abandoned, unmonitored entry point into your systems. An attacker who discovers an orphaned identity with valid credentials has found a perfect backdoor, one that nobody is watching.

**How security teams are regaining control**

Facing an attack surface that is expanding and becoming more autonomous, leading security teams are shifting from reactive fixes to proactive governance. That shift starts with recognizing every credentialed system, script, and agent as an identity worth governing.

**Discover and inventory all NHIs**

Modern identity platforms can scan environments like AWS, GCP, and on-prem infrastructure to surface hidden tokens, unmanaged service accounts, and over-permissioned roles.

These tools replace spreadsheets and guesswork with a real-time, unified inventory of both, human and non-human identities. Without this foundation, governance is just guesswork. With it, security teams can finally move from playing whack-a-mole with service accounts to building real control.

**Triage and tackle high-risk identities first**

With a complete inventory in place, the next step is to shrink the potential blast radius. Not all NHIs pose the same level of risk. The key is to prioritize remediation based on permissions and access. Risk-based privilege management helps identify which identities are dangerously over-permissioned.

From there, teams can systematically right-size access to align with the principle of least privilege. This also involves implementing stronger controls, such as automated rotation for secrets and credentials. For the most powerful NHIs, like autonomous AI agents, it's critical to have "kill switches" that allow for immediate session termination if anomalous behavior is detected.

**Automate governance and lifecycle**

Human identities have lifecycle policies: onboarding, role changes, offboarding. Non-human identities need the same rigor.

Leading organizations are automating these processes end-to-end. When a new NHI is created, it's assigned an owner, given scoped permissions, and added to an auditable inventory. When a tool is retired or a developer leaves, associated identities are automatically deprovisioned, closing the door on orphaned accounts and ensuring access doesn't linger indefinitely.

**Why an identity security fabric changes the equation**

Many of the risks tied to non-human identities have less to do with the identities themselves and more to do with the fragmented systems trying to manage them.

Each cloud provider, CI/CD tool, and AI platform handles identity differently. Some use static tokens. Some issue credentials during deploy. Some don't expire access at all. Without a shared system for defining ownership, assigning permissions, and enforcing guardrails, the sprawl grows unchecked.

A unified identity security fabric changes this by consolidating all identities, human and non-human, under a single control plane. And with Okta, that means:

*   Automatically surfacing identities and posture gaps with Identity Security Posture Management (ISPM)
*   Applying least-privilege access with rotation and vaulting for sensitive secrets
*   Defining lifecycle policies for every identity, including agents and service accounts
*   Extending workload identity patterns (short-lived tokens, client credentials) and adaptive access to services and background jobs
*   Governing access to AWS services like Bedrock and Amazon Q, while AWS IAM issues and enforces the underlying agent/workload credentials

Instead of stitching together workarounds, teams can define identity controls once and apply them everywhere. That means fewer blind spots, faster response times, and a smaller attack surface, without needing ten different tools to get there.

**Don't let NHIs become your biggest blind spot**

AI agents and non-human identities are already reshaping your attack surface. They're multiplying faster than most teams can track and too many still operate without clear ownership, strong controls, or any real visibility.

You don't need to rebuild your strategy from the ground up. But you _do_ need to treat non-human identities like what they are: critical access points that deserve the same governance as any user.

With a unified identity platform, security teams can inventory what's running, apply scalable controls, and cut off risky access before it's exploited—not after.

**See how Okta and AWS help organizations bring order to NHI sprawl. \[Download the guide\] to get started.**

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

How to Gain Control of AI Agents and Non-Human Identities

Radware researchers revealed a service-side flaw in OpenAI's ChatGPT. The ShadowLeak attack had used indirect prompt injection to bypass defences and leak sensitive data, but the issue has since been fixed.

A team of security researchers from Cloud Security Solutions provider, Radware, found a way to trick a popular AI tool into giving up a user’s private information. The team, including lead researchers Zvika Babo and Gabi Nakibly, discovered a flaw in OpenAI’s ChatGPT Deep Research agent, a tool that autonomously browses the internet and user documents to create reports. They demonstrated how the agent could be tricked into leaking private data from a user’s Gmail account without their knowledge.

The researchers named the flaw ShadowLeak, describing it as a “zero-click” attack (an attack triggered without the user needing to click on anything), hidden inside a normal-looking email with invisible commands. When a user tells the Deep Research agent to scan their emails, it reads the hidden instructions and, “without user confirmation and without rendering anything in the UI,” sends the user’s private data to a location controlled by the attacker.

****An Invisible Threat****

Unlike past 0-click vulnerabilities like AgentFlayer and EchoLeak, which relied on a user’s web browser, this new method works directly from inside OpenAI’s cloud servers. The researchers called this service-side exfiltration, which makes it much harder to detect with normal security software because it operates entirely behind the scenes. According to the report, it is also “invisible to the user,” as nothing is displayed or rendered.

Image Credit: Radware

The attack uses a method called indirect prompt injection, where malicious commands are hidden inside the data an AI model is designed to process, like an email, and are executed without the user’s knowledge. The malicious email, which could be titled “Restructuring Package – Action Items,” pretends to be a normal message.

Inside, invisible code instructs the agent to find sensitive information and send it to a fake “public employee lookup URL.” The email uses social engineering tricks like asserting “full authorisation” and creating a false sense of urgency to bypass the agent’s safety checks.

The team spent a long trial-and-error phase refining the attack, eventually figuring out how to force the agent to use its own browser.open() tool to execute the malicious command. By telling the agent to encode the stolen information in Base64 as a “security measure,” they were able to make it look harmless and achieve a “100% success rate.”

****The Problem Has Been Fixed****

According to Radware’s blog post, it responsibly reported the issue to OpenAI in June 2025. The vulnerability was fixed by early August and officially acknowledged as resolved by OpenAI on September 3.

Although their proof-of-concept used Gmail, the researchers pointed out that the same technique could also work on other services that connect with the Deep Research tool, such as Google Drive, Microsoft Teams, and GitHub, to steal sensitive business data.

To prevent similar issues, they advise companies to clean up emails before AI tools read them and to constantly monitor what the AI agent is doing to ensure its actions align with the user’s original request.

ShadowLeak Exploit Exposed Gmail Data Through ChatGPT Agent

The UK's spy agency, MI6, has launched a new dark web portal called Silent Courier to securely recruit agents worldwide, particularly from Russia. Learn how this shift to the dark web marks a new era in modern espionage and national security.

The UK’s foreign intelligence service, MI6, has launched a new platform for potential agents to get in touch. Announced on September 19, the platform, called Silent Courier, operates on the dark web and is designed to allow people with sensitive information to safely contact the UK.

The main purpose of Silent Courier is to make it easier for MI6 to find and recruit new spies around the world, especially in places like Russia. Anyone, no matter where they are in the world, who has information about terrorism or hostile intelligence activities can now securely send it to the UK.

Screenshot from the Silent Courier dark web portal

According to a press release from the UK government, the new portal is a key part of a larger plan to improve the country’s security. It comes at a time of a major increase in defence spending, the biggest since the Cold War.

Outgoing MI6 Chief, Sir Richard Moore, announced the platform in Istanbul. In his final public speech as the head of the agency, he said the new portal will help MI6 navigate modern threats. He said, “Our virtual door is open to you,” and invited anyone with information on global instability to get in touch.

Foreign Secretary Yvette Cooper has also commented on the news, saying that the world is changing and threats are growing; therefore, the UK’s intelligence agencies must use the best technology to stay ahead of these challenges and keep the public safe.

Instructions on how to use Silent Courier are available on MI6’s verified YouTube channel. To stay safe, the agency advises people to use a trustworthy VPN and a device not connected to them personally.

This decision represents a major shift in how intelligence agencies operate. For a long time, agencies like MI6 would recruit people through face-to-face meetings and traditional methods

The so-called dark web, accessible through the Tor browser, is designed to hide a user’s location. This makes it a way to protect someone who wants to share secrets, especially if they are in a country with tight surveillance. However, the Tor browser has its own security vulnerabilities, which in some cases can be exploited by hackers for backdoor access or by authorities to deanonymize users.

The UK’s approach follows a similar initiative by the Central Intelligence Agency (CIA) in the United States, which also launched a portal accessible to Russians via the Tor internet browser in May 2022, as reported by _Hackread.com_.

The c initiative aimed to allow Russians who were unhappy with their government’s actions, particularly regarding the war in Ukraine, to securely share secret information with the agency. The CIA also used a series of social media videos in 2023 to recruit Russians.

MI6 Opens Dark Web Portal “Silent Courier” for Russians to Share Secrets

A list of topics we covered in the week of September 15 to September 21 of 2025

September 19, 2025 - OpenAI has fixed a vulnerability in ChatGPT Deep Research after researchers found a prompt injection method to exfiltrate PII.

September 18, 2025 - Microsoft and Cloudflare have delivered a major blow to the fastest growing Phishing-as-a-Service operation called RaccoonO365.

September 18, 2025 - Google has issued a Chrome update to fix four high priority flaws including one zero-day, zero-click vulnerability.

September 18, 2025 - OpenAI is going to try and predict the ages of its users to protect them better, as stories of AI-induced harms in children mount.

September 17, 2025 - Researchers have discovered a large ad fraud campaign on Google Play Store.

 A week in security (September 15 &#8211; September 21) 

The UK-based automaker has been forced to stop vehicle production as a result of the attack—costing JLR tens of millions of dollars and forcing its parts suppliers to lay off workers.

For almost three weeks, the production lines at global car giant Jaguar Land Rover have stood still. Usually busy turning out an estimated 1,000 vehicles per day, staff at multiple JLR factories across Britain have been told to stay at home as the automotive firm responds to a damaging cyberattack. But as its recovery has stretched from days to weeks, the knock-on impacts are being felt at the hundreds of companies that supply JLR with parts and materials and risk turning the attack into a full-blown crisis.

On Friday, the UK government admitted that the cyberattack against JLR was having a “significant impact” on the company and on the “wider automotive supply chain.” The concession came as unions and officials have increasingly warned that thousands of jobs in JLR’s sprawling supply chain could be lost, and some smaller companies could go bankrupt. Reports claim JLR itself may be losing up to £50 million ($67 million) per week in the shutdown. Some firms have reportedly already laid off staff, with the Unite union claiming that workers in the JLR supply chain “are being laid off with reduced or zero pay.” Some have been told to “sign up” for government benefits, the union claims.

“It seems unprecedented in the UK to have that level of disruption because of a cyberattack or ransomware attack,” says Jamie MacColl, a senior research fellow in the cyber and tech research group at the security and defence think tank RUSI. That thousands of jobs could be put at risk, either temporarily or permanently, is “a different order of magnitude” to previous incidents, MacColl says.

JLR, which is owned by India’s Tata Motors, is one of the UK’s biggest employers, with around 32,800 people directly employed in the country. Stats on the company’s website also claim it supports another 104,000 jobs through its UK supply chain and another 62,900 jobs “through wage-induced spending.” Many other suppliers are also based outside of the UK, as well as some overseas factories.

At the start of September, JLR confirmed it had been “impacted” by a cyberattack and that the company was taking “immediate action” and “proactively shutting down our systems,” effectively grinding its factories and production processes to a halt. As the company investigated the attack, it revealed that “some data” has been “affected” but did not specify what that data is.

Despite efforts to get systems back online, the company confirmed on Wednesday that its “pause” in production has been extended to Wednesday, September 24. “We have taken this decision as our forensic investigation of the cyber incident continues, and as we consider the different stages of the controlled restart of our global operations, which will take time,” JLR said in a statement on Wednesday. “We are very sorry for the continued disruption this incident is causing and we will continue to update as the investigation progresses.”

JLR did not respond to questions from WIRED about what systems were disrupted, the financial cost of the cyberattack to suppliers, nor any measures the company was looking at to support businesses.

Almost immediately after the cyberattack, a group on Telegram called Scattered Lapsus$ Hunters, claimed responsibility for the hack. The group name implies a potential collaboration between three loose hacking collectives— Scattered Spider, Lapsus$, and Shiny Hunters—that have been behind some of the most high-profile cyberattacks in recent years. They are often made up of young, English-speaking, cybercriminals who target major businesses.

Building vehicles is a hugely complex process. Hundreds of different companies provide parts, materials, electronics, and more to vehicle manufacturers, and these expansive supply chain networks often rely upon “just-in-time” manufacturing. That means they order parts and services to be delivered in the specific quantities that are needed and exactly when they need them—large stockpiles of parts are unlikely to be held by auto makers.

“The supplier networks that are supplying into these manufacturing plants, they’re all set up for efficiency—economic efficiency, and also logistic efficiency,” says Siraj Ahmed Shaikh, a professor in systems security at Swansea University. “There’s a very carefully orchestrated supply chain,” Shaikh adds, speaking about automotive manufacturing generally. “There’s a critical dependency for those suppliers supplying into this kind of an operation. As soon as there is a disruption at this kind of facility, then all the suppliers get affected.”

One company that makes glass sun roofs has started laying off workers, according to a report in the Telegraph. Meanwhile, another firm told the BBC it has laid off around 40 people so far. French automotive company OPmobility, which employs 38,000 people across 150 sites, told WIRED it is making some changes and monitoring the events. “OPmobility is reconfiguring its production at certain sites as a consequence of the shutdown of its production by one of its customers based in the United Kingdom and depending on the evolution of the situation,” a spokesperson for the firm says.

While it is unclear which specific JLR systems have been impacted by the hackers and what systems JLR took offline proactively, many were likely taken offline to stop the attack from getting worse. “It’s very challenging to ensure containment while you still have connections between various systems,” says Orla Cox, head of EMEA cybersecurity communications at FTI Consulting, which responds to cyberattacks and works on investigations. “Oftentimes as well, there will be dependencies on different systems: You take one down, then it means that it has a knock on effect on another.”

Whenever there’s a hack in any part of a supply chain—whether that is a manufacturer at the top of the pyramid or a firm further down the pipeline—digital connections between companies may be severed to stop attackers from spreading from one network to the next. Connections via VPNs or APIs may be stopped, Cox says. “Some may even take stronger measures such as blocking domains and IP addresses. Then things like email are no longer usable between the two organizations.”

The complexity of digital and physical supply chains, spanning across dozens of businesses and just-in-time production systems, means it is likely that bringing everything back online and up to full-working speed may take time. MacColl, the RUSI researcher, says cybersecurity issues often fail to be debated at the highest level of British politics—but adds this time could be different due to the scale of the disruption. “This incident has the potential to cut through because of the job losses and the fact that MPs in constituencies affected by this will be getting calls,” he says. That breakthrough has already begun.

“This cyberattack is not some mere flicker on a screen, it is fast becoming a cyber-shockwave ripping through our industrial heartlands,” Liam Byrne, a member of Parliament and chair of the House of Commons’ Business and Trade committee said on X. “If government stands back, that shockwave is going to destroy jobs, businesses, and pay packets across Britain.” Other lawmakers have also expressed concerns after speaking with impacted JLR suppliers, and the Unite union has said the British government should intervene with a “furlough” scheme to support workers.

“The recent cyber incident is having a significant impact on Jaguar Land Rover and on the wider automotive supply chain,” the UK’s Department for Business and Trade said in a statement on Friday, following a meeting with automotive industry groups. “The Government, including government cyber experts, are in contact with the company to support the task of restoring production operations, and are working closely with JLR to understand any impacts on the supply chain.”

The attack is likely another incident that demonstrates how fragile supply chains can be when they are faced with disruption. “We do need to shift to a more resilient supply chain and a resilient operation when it comes to things like manufacturing,” says Shaikh, from Swansea University.

Meanwhile, MacColl says that as global tensions are high—with multiple countries taking steps to make sure they are prepared for war—the attack indicates how production can be forced to grind to a halt. “If this is the effect just that criminals can have on our supply chains, then it's quite worrying to think about how unprepared we are for, say, a more coordinated and sustained attack from a potential state adversary,” MacColl says.

A Cyberattack on Jaguar Land Rover Is Causing a Supply Chain Disaster

A critical token validation failure in Microsoft Entra ID (previously Azure Active Directory) could have allowed attackers to impersonate any user, including Global Administrators, across any tenant.
The vulnerability, tracked as CVE-2025-55241, has been assigned the maximum CVSS score of 10.0. It has been described by Microsoft as a privilege escalation flaw in Azure Entra. There is no

A critical token validation failure in Microsoft Entra ID (previously Azure Active Directory) could have allowed attackers to impersonate any user, including Global Administrators, across any tenant.

The vulnerability, tracked as **CVE-2025-55241**, has been assigned the maximum CVSS score of 10.0. It has been described by Microsoft as a privilege escalation flaw in Azure Entra. There is no indication that the issue was exploited in the wild. It has been addressed by the Windows maker as of July 17, 2025, requiring no customer action.

Security researcher Dirk-jan Mollema, who discovered and reported the shortcoming on July 14, said the shortcoming made it possible to compromise every Entra ID tenant in the world, with the likely exception of national cloud deployments.

The problem stems from a combination of two components: the use of service-to-service (S2S) actor tokens issued by the Access Control Service (ACS) and a fatal flaw in the legacy Azure AD Graph API (graph.windows.net) that did not adequately validate the originating tenant, which effectively allowed the tokens to be used for cross-tenant access.

What makes this noteworthy is that the tokens are subject to Microsoft's Conditional Access policies, enabling a bad actor with access to the Graph API to make unauthorized modifications. To make matters worse, the lack of API level logging for the Graph API meant that it could be exploited to access user information stored in Entra ID, group and role details, tenant settings, application permissions, and device information and BitLocker keys synced to Entra ID without leaving any traces.

An impersonation of the Global Administrator could allow an attacker to create new accounts, grant themselves additional permissions, or exfiltrate sensitive data, resulting in a full tenant compromise with access to any service that uses Entra ID for authentication, such as SharePoint Online and Exchange Online.

"It would also provide full access to any resource hosted in Azure, since these resources are controlled from the tenant level and Global Admins can grant themselves rights on Azure subscriptions," Mollema noted.

Microsoft has characterized such instances of cross-tenant access as a case of "High-privileged access" (HPA) that "occurs when an application or service obtains broad access to customer content, allowing it to impersonate other users without providing any proof of user context."

It's worth noting that the Azure AD Graph API has been officially deprecated and retired as of August 31, 2025, with the tech giant urging users to migrate their apps to Microsoft Graph. The initial announcement of the deprecation was made in 2019.

"Applications that were configured for extended access that still depend on Azure AD Graph APIs will not be able to continue using these APIs starting in early September 2025," Microsoft noted back in late June 2025.

Cloud security company Mitiga said a successful exploitation of CVE-2025-55241 can bypass multi-factor authentication (MFA), Conditional Access, and logging, leaving no trail of the incident.

"Attackers could craft these \[actor\] tokens in ways that tricked Entra ID into thinking they were anyone, anywhere," Mitiga's Roei Sherman said. "The vulnerability arose because the legacy API failed to validate the tenant source of the token."

"This meant that an attacker could obtain an Actor token from their own, non-privileged test environment and then use it to impersonate a Global Admin in any other company's tenant. The attacker didn't need any pre-existing access to the target organization."

Previously, Mollema also detailed a high-severity security flaw affecting on-premise versions of Exchange Server (CVE-2025-53786, CVSS score: 8.0) that could allow an attacker to gain elevated privileges under certain conditions. Another piece of research found that Intune certificate misconfigurations (such as spoofable identifiers) can be abused by regular users to perform an ESC1 attack targeting Active Directory environments.

The development comes weeks after Binary Security's Haakon Holm Gulbrandsrud disclosed that the shared API Manager (APIM) instance used to facilitate software-as-a-service (SaaS) connectors can be invoked directly from the Azure Resource Manager to achieve cross-tenant access.

"API Connections allow anyone to fully compromise any other connection worldwide, giving full access to the connected backend," Gulbrandsrud said. "This includes cross-tenant compromise of Key Vaults and Azure SQL databases, as well as any other externally connected service, such as Jira or Salesforce."

It also follows the discovery of several cloud-related flaws and attack methods in recent weeks -

*   An Entra ID OAuth misconfiguration that granted unauthorized access to Microsoft's Engineering Hub Rescue even with a personal Microsoft account, exposing 22 internal services and associated data.
*   An attack that exploits Microsoft OneDrive for Business Known Folder Move (KFM) feature, allowing a bad actor who compromises a Microsoft 365 user with OneDrive sync to gain access to their apps and files synced to SharePoint Online.
*   The leak of Azure AD application credentials in a publicly accessible Application Settings (appsettings.json) file that could have been exploited to authenticate directly against Microsoft's OAuth 2.0 endpoints, and exfiltrate sensitive data, deploy malicious apps, or escalate privileges.
*   A phishing attack containing a link to a rogue OAuth application registered in Microsoft Azure that tricked a user into granting it permissions to extract Amazon Web Services (AWS) access keys for a sandbox environment within the compromised mailbox, allowing unknown actors to enumerate AWS permissions and exploit a trust relationship between the sandbox and production environments to elevate privileges, gain complete control over the organization's AWS infrastructure, and exfiltrate sensitive data.
*   An attack that involves exploiting Server-Side Request Forgery (SSRF) vulnerabilities in web applications to send requests to the AWS EC2 metadata service with the goal of accessing the Instance Metadata Service (IMDS) to compromise cloud resources by retrieving temporary security credentials assigned to the instance's IAM role.
*   A now-patched issue in AWS's Trusted Advisor tool that could be exploited to sidestep S3 Security Checks by tweaking certain storage bucket policies, causing the tool to incorrectly report publicly-exposed S3 buckets as secure, thereby leaving sensitive data exposed to data exfiltration and data breaches.
*   A technique code AWSDoor that modifies IAM configurations related to AWS role and trust policies to set up persistence on AWS environments.

The findings show that even all-too-common misconfigurations in cloud environments can have disastrous consequences for the organizations involved, leading to data theft and other follow-on attacks.

"Techniques such as AccessKey injection, trust policy backdooring, and the use of NotAction policies allow attackers to persist without deploying malware or triggering alarms," RiskInsight researchers Yoann Dequeker and Arnaud Petitcol said in a report published last week.

"Beyond IAM, attackers can leverage AWS resources themselves – such as Lambda functions and EC2 instances – to maintain access. Disabling CloudTrail, modifying event selectors, deploying lifecycle policies for silent S3 deletion, or detaching accounts from AWS Organizations are all techniques that reduce oversight and enable long-term compromise or destruction."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Latest News