A list of topics we covered in the week of July 7 to July 13 of 2025

July 10, 2025 - Deepfake attacks aren't just for recruitment and banking fraud; they've now reached the highest levels of government.

July 10, 2025 - The job applicants' personal information could be accessed by simply guessing a username and using the password “12345.”

July 9, 2025 - Researchers have discovered a campaign of malicious browser extensions that were available in the official Chrome and Edge web stores.

July 8, 2025 - Google says its Gemini AI will soon be able to access your messages, WhatsApp, and utilities on your phone. But we're struggling to see that as a good thing.

July 8, 2025 - If someone is going to negotiate with criminals for you, that person should at least be on your side.

 A week in security (July 7 &#8211; July 13) 

Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to severe risks.
The issues impact the Kigen eUICC card. According to the Irish company's website, more than two billion SIMs in IoT devices have been enabled as of December 2020.
The findings come from Security Explorations, a research lab

eSIM Vulnerability in Kigen's eUICC Cards Exposes Billions of IoT Devices to Malicious Attacks

WatchTowr Labs reveals CVE-2025-25257, a critical FortiWeb SQL injection allowing unauthenticated remote code execution. Patch your FortiWeb 7.0,…

WatchTowr Labs reveals CVE-2025-25257, a critical FortiWeb SQL injection allowing unauthenticated remote code execution. Patch your FortiWeb 7.0, 7.2, 7.4, 7.6 devices immediately to prevent full system compromise. Update NOW!

Cybersecurity researchers have uncovered a major weakness, CVE-2025-25257, in a key part of Fortinet’s security software: the FortiWeb Fabric Connector, vital for linking Fortinet’s web application firewall (FortiWeb) with other security tools, enabling dynamic protections.

The vulnerability was initially reported to Fortinet by Kentaro Kawane from GMO Cybersecurity by Ierae. The subsequent demonstration of escalating the vulnerability to full system control was performed and published by watchTowr Labs, and the findings were shared exclusively with Hackread.com.

****What Happened?****

This is an “unauthenticated SQL injection in GUI” flaw, which means attackers can exploit a weakness in the system’s administrative interface without needing a username or password, tricking the FortiWeb system into running their own harmful commands by sending specially designed requests over the internet.

WatchTowr Labs discovered this hidden problem by comparing FortiWeb version 7.6.4 with an older version, 7.6.3. They pinpointed the weakness in the get\_fabric\_user\_by\_token function within the /bin/httpsd program. This function, intended for logins from other Fortinet devices like FortiGate firewalls, failed to properly check incoming information, allowing injection of harmful commands using the Authorisation: Bearer header in requests to /api/fabric/device/status.

Initial attempts were tricky due to limitations like disallowing spaces in commands. However, researchers cleverly bypassed this using MySQL’s comment syntax (/**/). This made the SQL injection successful, even allowing them to fully bypass the login check with a simple 'or'1'='1 command, which returned a “200 OK” message confirming success.

****From Simple Trick to Taking Control****

Researchers managed to escalate this initial SQL injection into Remote Code Execution (RCE). They achieved this using MySQL’s INTO OUTFILE statement to write files directly to the system’s directory. A critical finding was that the database process ran with root privileges, allowing it to place harmful files almost anywhere.

Although direct execution wasn’t possible, they leveraged an existing Python script in the /cgi-bin folder that automatically executed with high privileges. By writing a special Python file (.pth) to a specific Python directory, they could force the system to run their own Python code, demonstrating a complete system compromise.

****Potential Consequences and What to Do****

If exploited, an attacker could gain full control of your FortiWeb device and potentially other connected systems. This risks sensitive data theft, service disruption, or using your systems for further attacks, leading to significant financial, reputational, and legal damage.

To stay protected, immediately update your FortiWeb system to the patched version. If an immediate update isn’t feasible, Fortinet suggests temporarily disabling the HTTP/HTTPS administrative interface as a workaround.

Here are the details of the impacted FortiWeb versions:

*   7.6.0 through 7.6.3 (upgrade to 7.6.4 or newer)

*   7.4.0 through 7.4.7 (upgrade to 7.4.8 or newer)

*   7.2.0 through 7.2.10 (upgrade to 7.2.11 or newer)

*   7.0.0 through 7.0.10 (upgrade to 7.0.11 or newer)

Critical Vulnerability Exposes Fortinet FortiWeb to Full Takeover (CVE-2025-25257)

About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability. A vulnerability from the June Microsoft Patch Tuesday allows an attacker to execute a malicious script, forcing the victim’s host to connect to the attacker’s SMB server and authenticate, resulting in gaining SYSTEM privileges. 🔹 Details on how to exploit the vulnerability were published on […]

**About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability.** A vulnerability from the June Microsoft Patch Tuesday allows an attacker to execute a malicious script, forcing the victim’s host to connect to the attacker’s SMB server and authenticate, resulting in gaining SYSTEM privileges.

🔹 Details on how to exploit the vulnerability were published on June 11 (the day after MSPT) on the websites of RedTeam Pentesting and Synacktiv companies.

🔹 Exploits for the vulnerability have been available on GitHub since June 15.

🔹 The PT ESC research team confirmed the exploitability of the vulnerability and, on June 24, published an explainer, exploitation methods, and information on detection techniques.

Install the update and enforce SMB signing on domain controllers and workstations.

No in-the-wild exploitation has been reported yet.

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability

Plus: An “explosion” of AI-generated child abuse images is taking over the web, a Russian professional basketball player is arrested on ransomware charges, and more.

WIRED reported this week on public records that show the United States Department of Homeland Security urging local law enforcement around the country to interpret common protest activities and surrounding logistics—including riding a bike, livestreaming a police encounter, or skateboarding—as “violent tactics.” The guidance could influence cops to use everyday behavior as a pretext for police action.

An AI hiring bot used on the McDonald’s “McHire” site exposed tens of millions of job applicants’ personal data because of a group of web-based security vulnerabilities—including use of the classically guessable password “123456” on an administrator account. The site’s chatbot, known as Olivia, was built by the artificial intelligence software firm Paradox.ai. Meanwhile, in the wake of last week’s devastating floods in Texas that killed at least 120 people, conspiracy theories about the extreme weather event have gained enough traction among anti-government extremists, GOP influencers, and others with large platforms to produce real-world consequences like death threats.

Finally, the metadata of the “full raw” surveillance footage captured near Jeffrey Epstein’s cell the night before the disgraced financier was found hanged shows it’s not “raw” footage at all. Instead, according to a WIRED analysis and digital video forensics experts, the full video is made up of two clips, and it was likely processed using powerful editing software.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**4 Young People Arrested Over Cyberattacks Against UK Retailers**

Earlier this year, three retailers in the UK—Harrods, the Co-Op, and M&S—were disrupted by sprawling cyberattacks. Some shelves were left empty for weeks, and M&S executives expect the attacks will cost around £300 million ($407 million) in total. This week, law enforcement officials at the National Crime Agency (NCA), the country’s equivalent of the FBI, announced the arrest of four people as part of investigations into the three attacks.

A 20-year-old female, two males aged 19, and another aged 17 were all arrested at their homes in the West Midlands and London on Thursday morning. One of the 19-year-old males is from Latvia, while the others are from the UK, the NCA says. They are suspected of potential Computer Misuse Act offenses, blackmail, money laundering, and “participating in the activities of an organized crime group,” the NCA said in a statement. The law enforcement agency has not named the individuals arrested or released precise locations of where they are based; however, NCA’s deputy director Paul Foster said the arrests were a “significant step” in its investigations.

The attacks against the three British retailers have been broadly linked, including partially by the NCA, to the loose cybercriminal group Scattered Spider. The hacking group, which first emerged in 2022, is largely made up of young, English-speaking individuals, and has recently been seen targeting retailers, airlines, and the insurance industry across the UK and the US.

**‘Explosion’ of AI-Generated Child Abuse Images Could Overwhelm the Web, Experts Warn**

It didn’t take criminals long to start using generative AI to create ultra-realistic child sexual abuse images. Now huge volumes of illegal, AI-created content are being found online, with criminals moving to use the technology to create videos as well as still images. During the first six months of this year, analysts at the Internet Watch Foundation, a UK-based organization that removes child sexual abuse material (CSAM) from the web, identified 1,286 AI-generated videos that show abuse—more than 1,000 of the videos showed the most serious type of abuse.

“There is an incredible risk of AI-generated CSAM leading to an absolute explosion that overwhelms the clear web,” said Derek Ray-Hill, the interim chief executive of the Internet Watch Foundation. Separate figures from the US-based National Center for Missing & Exploited Children (NCMEC) say it has received 485,000 reports of AI CSAM in the first half of this year—up from 67,000 for the entirety of last year. Around 35 tech companies have reported finding AI-generated CSAM on their platforms, NCMEC said.

**Italian Police Arrest an Alleged Member of China’s Silk Typhoon Hacking Group**

In a rare instance of Western law enforcement actually laying hands on an alleged Chinese state-sponsored hacker, Italian police arrested Xu Zewei, a 33-year-old from Shanghai, at an airport in Milan on July 3. The police were acting on a warrant issued by the US Department of Justice seeking Xu’s arrest on hacking charges. Authorities allege he’s a member of the espionage group known as Silk Typhoon or Hafnium, which has carried out widespread data theft from Western governments and private sector companies for years. US prosecutors are specifically accusing Xu of taking part in Silk Typhoon’s hacking that targeted researchers working to develop a Covid-19 vaccine in 2020 and 2021. He’s also alleged to have participated in a far less targeted hacking campaign in which the same group broke into tens of thousands of Microsoft exchange servers around the world, leaving behind backdoors for later reconnaissance. Xu’s lawyer denied the charges, saying it’s a case of mistaken identity, and Xu’s wife also has reportedly said that Xu is an IT technician at the company GTA Semi Conductor.

**Russian Pro Basketball Player Arrested on Ransomware Charges**

In more news of alleged hackers arrested in European airports—and a very unusual case of alleged cybercriminal moonlighting—French police this week detained Russian professional basketball player Daniil Kasatkin in the Charles de Gaulle airport in Paris, accusing him of being part of a ransomware group. Authorities haven’t yet named the ransomware crew they claim Kasatkin was a part of, but say that from 2020 to 2022 it hit close to 900 organizations, including two American government agencies. Kasatkin’s lawyer, Frédéric Bélot, denied the accusations, saying his client is “useless with computers and can't even install an application.” Kasatkin, who played for the pro basketball team MBA Moscow, had traveled to France with his fiancée to propose to her.

**Bodyguards Using Strava Leaked the Detailed Locations of Sweden’s Prime Minister**

Here’s your annual reminder, athletic oversharers of the world, to set your Strava account settings to private. This week, Sweden’s Dagens Nyheter newspaper revealed that seven bodyguards for Swedish government officials left their Strava accounts public, revealing their locations as they carried out 1,400 exercise activities—and in many cases, the locations of the people they were protecting, including the Swedish prime minister, Ulf Kristersson. The leaked locations of the prime minister included hotels where he stayed, private addresses, a family vacation, trips abroad, and his private home, which was intended to be secret. Repeat after me, Strava enthusiasts with security clearances: Go to Settings, tap Privacy Controls, then Activities. Future scandal averted.

4 Arrested Over Scattered Spider Hacking Spree

FBI seizes top piracy sites leaking unreleased and pirated video games with millions of downloads and 170 million dollars in losses for developers and publishers.

The Department of Justice and the FBI’s Atlanta Field Office confirmed today that they have seized and dismantled several notorious online marketplaces distributing pirated video games.

The targeted sites had gained popularity for leaking unreleased titles to millions of users worldwide. Visitors who try to reach these domains now see a federal notice stating **“This website has been seized”** and “**This domain has been seized by the Federal Bureau of Investigation”** instead of download links.

The full list of seized websites includes the following:

*   Nswdl.com
*   Nsw2u.com
*   Ps4pkg.com
*   Ps4pkg.net
*   Mgnetu.com
*   Game-2u.com
*   Bigngame.com

According to the FBI’s press release, from late February through May, an estimated 3.2 million illegal downloads took place through just one of the main services connected to these sites. The financial impact stands at roughly $170 million in losses to publishers and developers.

Screenshot from the now-seized and popular Game-2u.com (Image credit: Hackread.com)

The agency further revealed that for more than four years, these networks distributed early copies of some of the most anticipated games, often days or weeks before their official launch.

The FBI’s move to seize the sites’ domains cuts off access to vast libraries of pirated content and removes infrastructure that supported further distribution. The operation involved support from the Dutch FIOD agency (Fiscal Information and Investigation Service).

Game studios have always complained that leaks hurt their sales, drain the hard work of developers and ruin the excitement they build before a big launch. The FBI says grabbing these early copies for free doesn’t just hit big companies but also affects the people who spend years making the games in the first place.

While the domains are now in government hands, the global fight against online piracy will continue. The people behind these sites could face prosecution once investigators finish their work. For now, some of the internet’s busiest sources for leaked games have gone down, cutting off millions of downloads in the process.

FBI Seizes Major Sites Sharing Unreleased and Pirated Video Games

A new SafetyDetectives study reveals the surprising extent of Google tracking across the web in the US, UK, Switzerland, and Sweden. Discover how Google Analytics, AdSense, and YouTube embeds collect your data, even when using DuckDuckGo.

Google and its tracking of user activity is nothing now but a recent study by SafetyDetectives, conducted across the US, UK, Switzerland, and Sweden, reveals the pervasive nature of Google’s tracking mechanisms across the internet.

The research, shared with Hackread.com, indicates that while privacy-focused search engines like DuckDuckGo can reduce exposure, completely escaping Google’s reach remains a significant challenge. The study simulated locations using a virtual machine and VPN to ensure accurate regional data collection.

The findings reveal that Google’s tracking extends far beyond its own products, embedded deeply within countless websites through tools like Google Analytics, AdSense, and YouTube embeds. This data helps Google build detailed user profiles for targeted advertising and personalisation, the researchers claim.

Source: SafetyDetectives

****Google’s Deep Reach and Content-Specific Tracking****

The study highlights that Google tracking can be reduced by 50% with DuckDuckGo, particularly in countries with stronger privacy regulations like Switzerland and Sweden. For instance, Google Analytics, a tool for website traffic analysis, appeared on only 14%–17% of DuckDuckGo visits in these privacy-focused nations, a notable drop from 45%–53% when using Google Search.

However, the report also found that in the US, over 40% of pages still sent data to Google even when DuckDuckGo was used. In the UK, a slight improvement was observed, with tracking dropping from 47% on Google to 29% with DuckDuckGo. Google Analytics, described as “everywhere,” was detected in one in five DuckDuckGo sessions across all four countries.

The research also pinpointed specific content categories where Google tracking is more prevalent. Such as YouTube and product-related searches consistently triggered a higher likelihood of Google tracking, regardless of the search engine used.

Conversely, visits to platforms like Wikipedia and TikTok showed minimal to no Google tracking. This suggests that the type of content accessed plays a crucial role in the extent of data collection by Google.

****Geographic Differences and Tracker Types****

The study emphasises that location significantly influences the degree of Google tracking. In the US, Google trackers were nearly unavoidable, often present on 100% of websites visited in some tests, even when a privacy-focused alternative like DuckDuckGo was employed.

This was primarily due to embedded analytics and ads on news and commercial sites. In contrast, Sweden and Switzerland demonstrated fewer instances of tracking, with DuckDuckGo proving more effective in blocking trackers, especially on news articles and Wikipedia.

Source: SafetyDetectives

Google Analytics emerged as the most widely used tracker across all four countries, appearing on nearly 50% of visited sites, reflecting its deep integration into web infrastructure. Other prominent trackers included Google Services (APIs, Maps, Fonts, Gtag), which are general services integrating Google’s infrastructure. Their integration was particularly high in Sweden and the US.

DoubleClick, an ad tracking service, appeared more frequently in Switzerland, while YouTube embeds, allowing videos to be played on other sites, showed higher usage in the US and UK compared to Sweden or Switzerland.

This comprehensive data highlights that even with privacy regulations like GDPR, Google’s embedded services continue to collect user data, making a complete escape difficult for the average internet user.

New Study Shows Google Tracking Persists Even With Privacy Tools

There is no evidence the footage was deceptively manipulated, but ambiguities around how the video was processed may further fuel conspiracy theories about Epstein’s death.

The United States Department of Justice this week released nearly 11 hours of what it described as “full raw” surveillance footage from a camera positioned near Jeffrey Epstein’s prison cell the night before he was found dead. The release was intended to address conspiracy theories about Epstein’s apparent suicide in federal custody. But instead of putting those suspicions to rest, it may fuel them further.

Metadata embedded in the video and analyzed by WIRED and independent video forensics experts shows that rather than being a direct export from the prison’s surveillance system, the footage was modified, likely using the professional editing tool Adobe Premiere Pro. The file appears to have been assembled from at least two source clips, saved multiple times, exported, and then uploaded to the DOJ’s website, where it was presented as “raw” footage.

Experts caution that it’s unclear what exactly was changed, and that the metadata does not prove deceptive manipulation. The video may have simply been processed for public release using available software, with no modifications beyond stitching together two clips. But the absence of a clear explanation for the processing of the file using professional editing software complicates the Justice Department’s narrative. In a case already clouded by suspicion, the ambiguity surrounding how the file was processed is likely to provide fresh fodder for conspiracy theories.

Any aspect of the official story that isn’t fully explained will be co-opted by conspiracy theorists, says Mike Rothschild, an author who writes about conspiracy theories and extremists. “So whatever your flavor of Epstein conspiracy is, the video will help bolster it.”

For months leading up to the joint memo the DOJ and FBI published Monday, attorney general Pam Bondi had promised the release of records related to Epstein, raising expectations that new, potentially incriminating details might surface about the disgraced financier’s death and his ties to powerful individuals. However, rather than revealing new information, the memo largely confirmed conclusions reached years earlier: that Epstein was found in a Manhattan prison cell on August 10, 2019, and died by suicide while awaiting trial on sex trafficking charges.

To support its conclusion, the FBI reviewed surveillance footage overlooking the common area of the Special Housing Unit (SHU) at the Metropolitan Correctional Center (MCC), where Epstein was held. The FBI enhanced the footage by adjusting contrast, color, and sharpness, and released both the enhanced and what it described as the “raw” version. Both versions of the video appear to have been processed using Premiere and include much of the same metadata. According to the FBI, anyone entering the area containing Epstein’s cell during the relevant time frame would have been visible on that camera.

Working with two independent video forensics experts, WIRED examined the 21-gigabyte files released by the DOJ. Using a metadata tool, reporters analyzed both Exchangeable Image File Format (EXIF) and Extensible Metadata Platform (XMP) data to identify signs of postprocessing.

The “raw” file shows clear signs of having been processed using an Adobe product, most likely Premiere, based on metadata that specifically references file extensions used by the video editing software. According to experts, Adobe software, including Premiere and Photoshop, leaves traces in exported files, often embedding metadata that logs which assets were used and what actions were taken during editing. In this case, the metadata indicates the file was saved at least four times over a 23-minute span on May 23, 2025, by a Windows user account called “MJCOLE~1.” The metadata does not show whether the footage was modified before each time it was saved.

The embedded data suggest the video is not a continuous, unaltered export from a surveillance system, but a composite assembled from at least two separate MP4 files. The metadata includes references to Premiere project files and two specific source clips—2025-05-22 21-12-48.mp4 and 2025-05-22 16-35-21.mp4. These entries appear under a metadata section labeled “Ingredients,” part of Adobe’s internal schema for tracking source material used in edited exports. The metadata does not make clear where in the video the two clips were spliced together.

Hany Farid, a professor at UC Berkeley whose research focuses on digital forensics and misinformation, reviewed the metadata at WIRED’s request. Farid is a recognized expert in the analysis of digital images and the detection of manipulated media, including deepfakes. He has testified in numerous court cases involving digital evidence.

Farid says the metadata raises immediate concerns about chain of custody—the documented handling of digital evidence from collection to presentation in a courtroom. Just like physical evidence, he explains, digital evidence must be handled in a way that preserves its integrity; metadata, while not always precise, can provide important clues about whether that integrity has been compromised.

“If a lawyer brought me this file and asked if it was suitable for court, I’d say no. Go back to the source. Do it right,” Farid says. “Do a direct export from the original system—no monkey business.”

Farid points to another anomaly: The video’s aspect ratio shifts noticeably at several points. “Why am I suddenly seeing a different aspect ratio?” he asks.

Farid cautions that while the metadata clearly shows the video was modified, the changes could be benign—for example, converting footage from a proprietary surveillance format to a standard MP4.

While there may be uncontroversial explanations for the metadata artifacts, such as stitching together multiple days of footage during compilation, or the routine export of surveillance footage to an mp4 format, the FBI did not respond to specific questions about the file’s processing, instead referring WIRED to the DOJ. The DOJ in turn referred inquiries back to the FBI and the Bureau of Prisons. The BOP did not respond to a request for comment.

According to a 2023 report from the DOJ Office of the Inspector General (OIG), MCC, the detention facility where Epstein was found hanged, had around 150 analog surveillance cameras—but starting on July 29, 2019, a technical error prevented roughly half of them from recording, including most inside the SHU.

The system was scheduled for repairs on August 9, the night before Epstein was found dead. But the technician assigned to fix it couldn’t access the necessary equipment because the corrections officer required to escort him was nearing the end of their shift.

As a result, only two cameras were operational near the SHU at the time MCC staff found Epstein hanging in his cell: one covering the common area and stairwells near the entrance to the adjacent 10 South Unit, and another monitoring a ninth-floor elevator bay. Neither captured Epstein’s cell door.

According to the DOJ’s memo, the footage confirms that from the time Epstein was locked in his cell at approximately 8 pm on August 9, 2019, and between around 10:40 pm and 6:30 am the next morning, no one entered the tier where his cell was located. However, the recording includes a notable gap: Approximately one minute of footage is missing, from 11:58:58 pm to 12:00:00 am. The video resumes immediately afterward.

The OIG’s report found no evidence of a conspiracy to kill Epstein. Instead, it documented years of chronic staffing failures and system breakdowns at MCC. The facility was temporarily closed in 2021 after the DOJ essentially deemed conditions unfit for incarceration.

At a press conference on Tuesday, Bondi attributed the missing minute to a flaw in the surveillance system’s daily cycle, claiming that one minute is missing from every night’s recording.

Given the years of high-profile conspiracy theories surrounding Epstein, any perceived inconsistency in the official narrative is likely to draw intense scrutiny. Conspiracy theorist Alex Jones called the DOJ memo “sickening.” “Next the DOJ will say, ‘Actually, Jeffrey Epstein never even existed,’” he wrote in a post on X.

“In the world of conspiracy theories, evidence that disproves something happened becomes proof that something happened,” says Rothschild. He explains that the case of Epstein's death is a good example of this phenomenon. “Every piece of evidence that points to him taking his own life—the negligence of the prison staff, the disrepair of the cameras, the coroner's report—is turned into evidence that he was killed by powerful figures who weren't competent enough to cover up the crime correctly.”

The apparent gaps in the video, Rothschild says, will naturally inflame these suspicions.

One media forensics expert, who reviewed the metadata and agreed with WIRED’s analysis but requested anonymity due to privacy concerns and a desire to avoid having their name publicly associated with anything related to the Epstein case, put it bluntly: “It looks suspicious—but not as suspicious as the DOJ refusing to answer basic questions about it.”

Metadata Shows the FBI’s ‘Raw’ Jeffrey Epstein Prison Video Was Likely Modified

Disclosure: The information in this article highlights Elsner’s Magento development offerings and related solutions.

Imagine slashing shipping costs by 30% while speeding up deliveries, and watching 4-star reviews roll in. That is the power of Magento 2 shipping automation. It is reshaping how stores handle logistics and how customers experience fulfillment.

For store owners, shipping can be a mess. Too many carriers. Too many zones. Too much manual work. Delays hurt satisfaction. Errors kill trust. And rising shipping fees? They crush margins.

**_Did you know that over 56% of cart abandonments happen due to unexpected shipping costs? That is not just lost revenue, it is lost growth._**

Magento 2 automation fixes this. It connects carriers instantly. It prints labels on its own. It keeps customers updated, without requiring your team to do a thing. You save time. Costs drop. Buyers stay happy. No chaos. No guesswork. Just smart, scalable shipping. This post explores how Magento development services, backed by industry leaders like Elsner, help you unlock that transformation without burning through time or budget.

****Why Automate Shipping in Magento 2?****

Manual carrier selection and rate comparison eat time and cash. Errors happen. And if you cannot show live prices at checkout? You risk abandoned carts. This way, adopting shipping automation:

*   Reduces manual order handling by 40‑60%
*   Enables real‑time carrier rate quotes for transparency
*   Gives you multi‑carrier flexibility, FedEx, UPS, USPS, DHL
*   Integrates returns/refunds directly into your backend
*   Empowers smarter fulfilment decisions: pick‑ups, drop‑offs, regional warehouses

Elsner, a Magento 2 development company, configures dynamic rate logic, labels, and notifications to help merchants stay lean and maintain their margins intact.

****The Elsner Edge: Magento 2 Shipping Automation Approach****

**Step**

**What Elsner Does**

**Your Benefit**

**1\. Discovery**

Assess current logistics, carriers, and volumes

Pinpoint bottlenecks & overspent services

**2\. Carrier Setup**

Connect FedEx, USPS, UPS, DHL, live rates

Offer the best rates & options at checkout

**3\. Custom Logic**

Automate carrier/packaging rules

Maximize profit per order

**4\. Label & Tracking**

Print labels, auto‑email tracking info

Save payroll & delight customers

**5\. Returns Flow**

Generate return labels, dashboards

Simplify reverse logistics

**6\. Testing + Training**

QA in staging, train your team

Smooth go‑live, zero confusion

When you hire dedicated Magento developers from Elsner, they enforce best practices in coding, performance, and security.

****Key Shipping Automation Features Worth Deploying****

These features do not just make shipping easier; they turn it into a competitive edge.

****Real-Time Shipping Rate Quotes****

Show live shipping rates at checkout. No estimates. No surprises. Your customer sees accurate pricing based on their address and selected items. This builds trust and reduces cart abandonment instantly.

****Auto Label Printing****

Let your system handle the paperwork. Once an order is placed, the correct shipping label is automatically generated. Your team does not need to click anything. This saves time and reduces the likelihood of human errors.

****Split Shipment Support****

Not everything comes from the same warehouse. Split shipping ensures that items from different locations are shipped simultaneously. Customers receive packages faster. Inventory stays organised across channels.

****Free Shipping Thresholds****

Offer free shipping, but on your terms. Set rules like “Free shipping over $50” and let the system manage it. No need to manually apply coupons or check eligibility. It just works.

****Smart Packing Logic****

Why ship a small item in a giant box? Packing logic calculates dimensions, weight, and box types. This reduces waste. It also cuts costs on shipping and packaging materials.

****Shipping API Plug-ins****

Connect with top carriers like FedEx, UPS, DHL, and USPS. APIs let your store pull real-time data from these services. This includes rates, transit times, and shipping options.

****Tracking Updates****

Customers want updates. Automation sends real-time tracking links via email or SMS. No one on your team needs to copy-paste or follow up manually. Everyone stays in the loop.

****Return Portal Integration****

Make returns easier for everyone. Add a self-service return portal to your store. Customers download pre-paid labels. You manage returns without emails or support tickets piling up.

Each feature adds a direct benefit to both store owners and customers. These are not just conveniences; they are cost-saving, time-saving essentials when scaling with Magento 2. As a Magento B2B agency, Elsner stands out by building modular features that enable agile and scalable custom Magento E-commerce development.

****How Does This Cut Costs & Boost CX?********Staff Time Saved****

Manual shipping takes time. Clicking through orders. Printing labels. Copy-pasting tracking links. All of it adds up. Shipping automation removes most of these steps. You reclaim hours every day. Labour costs drop. Staff focus shifts to value-driven tasks.

****Lower Shipping Fees****

Not all carriers charge the same. Smart automation tools compare shipping rates in real time. They choose the most affordable shipping method. No guesswork. No overpaying. You save on every package.

****Reduced Errors****

Wrong labels mean delayed packages. Or lost inventory. Or angry customers. Auto-generated labels fix this. The system pulls the right info every time. Accuracy jumps. Mis-shipments go down. Reputation goes up.

****Fewer Cart Abandons****

Customers love clarity. Show them exact shipping rates and delivery estimates at checkout. No surprises. This builds confidence. And when buyers feel informed, they check out faster. Abandonment rates drop noticeably.

****Less Return Stress****

Returns do not need to be a headache. Self-service portals handle it. Customers generate return labels on their own. No back-and-forth, long email chains.  No confusion. It simplifies life for both your team and your buyers.

****Analytics Perks****

Know which carrier delivers fastest. Automation tools come with built-in dashboards. Get detailed analytics and make decisions that support the growth of your business. The track failed deliveries or late shipments. Better data leads to better shipping decisions. That is a long-term win.

All these gains are powered by structured Magento enterprise development. When paired with strategic Magento website development services, your store becomes faster, leaner, and far more customer-focused. The outcome? Lower costs. Better experiences. And ROI keeps climbing.

****Migrating from Magento 1? They’ve Got You Covered****

Elsner often helps merchants with Magento 1 to Magento 2 migration. Here’s how shipping automates post‑migration:

*   Port shipping rules, carrier integrations, and custom logic
*   Rebuild checkout flow to support automation
*   Train staff on new shipping toolsets
*   Validate shipping data using Magento migration service best practices

Elsner’s data migration from Magento 1 to 2 experts makes sure shipping history, customer addresses, and tracking numbers get migrated correctly without any loss of data..

****Hiring the Right Expert: Why Elsner Stands Out?****

You could hire Magento programmers on a freelance basis, but here is what you get with Elsner:

*   Certified Magento team with access to full Magento 2 development services
*   Formal QA, version control, UI/UX testing
*   Clear SLAs and support packages
*   Ownership of delivered code and documentation

Need to hire certified Magento developers? You get seasoned pros who follow Magento’s coding standards. Plus, Elsner’s background as a Magento E‑commerce agency spans from startups to enterprise-level operations.

****Post‑Implementation: Measuring Success****

After Elsner deploys shipping automation, use these KPIs to measure improvement:

*   **Fulfilment time** (hrs/order) – target: < 1 hour
*   **Shipping cost/order** – target: –15‑30% YOY
*   **Order accuracy** – target: 99‑100%
*   **Cart abandonment (shipping step)** – target: < 5%
*   **Return requests** – target: lower than industry avg

With their Magento migration service, Elsner ensures a smooth transition while preserving key shipping configurations, so businesses can track and optimise performance from day one.

****Wrapping Up****

Cutting costs and enhancing customer experience might sound like conflicting goals, but with Magento 2 shipping automation, you can do both. Elsner’s Magento development services and seasoned experts make it happen seamlessly. From live shipping rates at checkout to auto‑generated labels and integrated returns, you deliver an elevated experience while trimming logistics spending.

If you want to hire dedicated Magento developers who build shipping systems tailored to your store, look no further. Ready to make shipping your competitive advantage?

Magento 2 Shipping Automation: Cut Costs While Enhancing Customer Experience

Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances.
Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0.
"An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in

Tag

#web