Cybersecurity: Weekly Summary (September 29 - October 05, 2025)
Key trends, opinions and insights from personal blogs
I would describe this week in cybersecurity blogs as a messy, crowded kitchen where everyone’s cooking different things but keeps bumping elbows. There were loud plates clattering about printers, cars, solar farms, and messaging apps. Some posts were technical and crunchy. Others were more like a quiet chat over tea — the kind that makes you remember you forgot to lock the back gate.
The big, ugly bugs in everyday kit
Start with the Brother printer saga. Denis Laskov dug into multi-function printers and found eight vulnerabilities that let you predict default passwords from serial numbers and do other naughty stuff. He didn’t stop at Brother. Fujifilm, Ricoh, Toshiba — all told, 742 models were in the crosshairs. The write-up reads like a slow-motion domino scene. It’s technical, with proof-of-concept bits, but the takeaway is simple: devices we stick in offices and forget about are full of hidden doors.
To me, it feels like finding out every kettle in your building has the same flimsy lid. You can patch the one kettle, sure, but if they all share the same poor design, the problem keeps popping up. Denis’s piece nudges you to think about scale. These aren’t exotic servers. They’re on desks, in supply closets, and they often get a shrug from admins who are busy with bigger fires.
That theme repeats with the Unity runtime problem, again from Denis Laskov. A security engineer, RyotaK, flagged an RCE flaw in Unity’s runtime. All versions, under certain conditions, could let an attacker run code. What made my brow knit was the angle about cars: Unity’s used in automotive UIs and tooling. A gaming engine ending up in vehicles — that’s not a sci-fi headline anymore. It’s like finding a favourite recipe book under the bonnet of your car and realizing it could make the engine cough.
These posts show a pattern: embedded and consumer devices are no longer peripheral. They’re central, and yet their security often lags. You don’t need to be a sysadmin to get nervous. The practical message is the same: patch, inventory, question assumptions. If a device has a serial-number-based default password, treat that like a rusty front door.
Appliances meet policy — who’s responsible?
That tension between tech realities and policy shows up in two very different pieces. Piet De Vaere wrote a sharp critique titled ‘The EU Doesn’t Understand CVD.’ He argues that Coordinated Vulnerability Disclosure in EU policy too often reads like a threat notice for researchers. Instead of treating reporters as partners, some rules paint them as suspects. He’s not being coy here: the current framing risks deterring the very people who find the holes Denis and RyotaK wrote about.
It’s sort of like telling a mechanic they might be arrested for pointing out faulty brakes. You want the mechanic to tell you. You don’t want them to keep quiet because of bureaucratic fear. Piet makes you wonder whether the law is chasing a sense of order while missing how discovery and repair actually happen.
This sits uncomfortably next to the energy piece by Davi Ottenheimer. Davi’s post about solar’s rise in the EU is more than a cheer for rooftop panels. He points out that distributed solar is changing the grid, and fast. That’s good for energy independence — and rough for security. New distributed generation means more endpoints, more vendors, and more firmware yelling for attention. Davi says we need clear rules about who secures what. I’d say he’s right: without clear responsibilities, the grid could become like an apartment block where no one owns the shared hallway light.
Read both and you’ll see the same itch: tech outpaces frameworks. Policy makers scramble to draft neat boxes, while flaws and deployments keep overflowing the labels.
Patches, updates, and the hope of better tools
A few posts this week were slightly more reassuring. Brian Fagioli covered the Windows 11 2025 Update (25H2). It’s interesting for two reasons. One, Microsoft seems to be simplifying upgrades with an enablement-package model — less clunky replacement, more switch-on features. Two, the update emphasizes better vulnerability detection and removal of old components. It’s not glamorous, but it’s the kind of housekeeping that stops a lot of trouble before it starts.
Brian also wrote about Signal’s SPQR upgrade. That’s the Sparse Post Quantum Ratchet — a bit of a mouthful, but the idea is neat. Signal is layering quantum-resistant crypto alongside its existing double ratchet, creating what some folks call a triple ratchet. To me, it feels like putting an extra lock on a safe that already has two. The upgrade is automatic and aims to keep old messages safe from future quantum computers. There’s still uncertainty about whether practical quantum attacks will arrive when people fear they will, but Signal’s move is a forward-looking bet. If you care about private chats, this is worth a read.
Then there’s the small, quietly useful stuff. Paul Duncan announced polycvss v0.2.0, a Rust library to parse CVSS vectors across v2, v3, and v4. This is the sort of tool that doesn’t make headlines but makes life easier for people building security pipelines. If you maintain vulnerability tooling, a better parser that’s memory-efficient matters. It’s practical infrastructure — less sexy than exploits, but incredibly important.
And if you want firewall-level help at home or small offices, Brandon Lee wrote a guide to Zenarmor for OPNsense. He walks through install, features, and why it’s the plugin to consider in 2025. Application control, web filtering, user-based policies — the list reads like a grown-up upgrade for folks who use OPNsense as the main gateway. It’s useful, and it’s one of those posts you bookmark when you get tired of rattly home routers.
AI, contests, and the weird middle ground
The TCP #105 roundup by Darwin Salazar is one of those posts that scrambles the week’s headlines into a single platter. There’s a £1.5 billion bailout for Jaguar Land Rover after a cyberattack. That’s not a tiny number. It’s made me think about the cost of disruption: when an attack doesn’t just leak data but stops factories, the economic damage is immediate and political.
Darwin also flagged a $4.5 million hacking competition from Wiz Research, and a grab-bag of AI vulnerabilities — Google Gemini, Notion, others. The theme here: AI gets mixed into everything, and bad actors will try to poke at the seams. There are initiatives that help — contests, free endpoint patching offers, AI-driven defensive tools — but they’re patchwork solutions to a widening problem. It’s like trying to shore up a riverbank with sandbags while new channels keep forming upstream.
What I’d say is striking is how AI shows up both as a tool to attack and as a weapon for defense. That duality makes policy and planning harder. You can’t put AI in a single policy box. It’s in products, infrastructures, and in the minds of both researchers and adversaries.
Spycraft, old wounds, and what history tells us
Olga Lautman revisited the Kremlin’s hacks of 2016, the Cozy Bear and Fancy Bear stories. Her reporting is meticulous and reads like a dossier. It’s a reminder that some playbooks don’t change. Spear-phishing, persona-based leaks, and data weaponization are still with us. The past isn’t dead; it echoes. Those campaigns set a template for influence operations that we’re still trying to understand.
There’s an odd coupling here with the more personal tale from Minsuk Kang. He writes about getting a strange KakaoTalk message after failing an exam. Curiosity drew him to a sketchy site promising hacking powers. It’s an almost human vignette in the middle of all the high-tech coverage. It’s a small moment, but it’s honest: people are curious, sometimes reckless, and social engineering exploits that urge action are as potent as ever. The human factor is still the low-hanging fruit for attackers.
When you put Olga’s state-backed sophistication beside Minsuk’s personal curiosity, you see two ends of the threat spectrum. From nation-states to curious individuals, the vectors are varied, but the psychology doesn’t change much: trust, curiosity, laziness, and convenience.
Where it hurts: automotive, energy, and supply chains
Cars and the grid popped up as recurring worry spots. We mentioned the Unity runtime in cars. Add to that the JLR bailout in Darwin’s roundup. A cyberattack can freeze production lines, stop dealerships, and cost billions. That makes security a national economic issue, not just an IT expense.
Meanwhile, distributed solar is reshaping who controls power and how it’s delivered. Davi’s post argues that distributed generation is resilience in a way — it’s like money in different piggy banks rather than one giant vault — but it also multiplies the number of doors someone has to kick. He’s calling for clearer rules about who secures what. That’s more than an IT memo. It’s a call for regulatory and contractual clarity.
These sectors — automotive and energy — both highlight one ugly truth: the attack surface grows faster than our attention spans. You install smart meters, inverters, or a new infotainment stack, and suddenly you’ve got more firmware, more vendors, and more complexity. It’s like adding extensions to a house without updating the wiring; eventually, something trips.
Small tools, big ideas
I liked the contrast between big drama and small tools this week. On the drama side: state actors, printers, cars, bailouts. On the small-tools side: polycvss, Zenarmor, upgrade strategies in Windows, and Signal’s SPQR. Those smaller stories matter because they’re where people can actually do something.
Paul’s polycvss release is one of those stabilizing moves. Better CVSS parsing helps triage teams prioritize and track vulnerabilities across multiple standards. Brandon’s Zenarmor guide is practical when you want better control at the edge. Both are grassroots improvements that slowly raise the floor for defenders.
And yes, Microsoft’s enablement package idea in 25H2 is annoyingly boring but useful. It’s administrative work that prevents a million little misconfigurations. Not flashy, but necessary, like cleaning your gutters before the first storm.
Where authors agree and where they don’t
There’s a clear consensus that tech is moving too fast for current security practices. From Denis Laskov flagging device vulnerabilities to Davi Ottenheimer noting solar’s rise, everyone seems to be waving the same caution flag: more endpoints, more trouble.
Where they argue is how to fix it. Piet De Vaere wants better CVD policy — clearer, more encouraging to researchers. Davi wants regulatory clarity for energy actors. Governments and companies may not see eye to eye on which regulations help versus which ones constrain research. Policy folks want neat boxes. Researchers want fewer legal traps. Vendors want clear liability lines. It’s a negotiation without a manual.
Another mild disagreement is about the timing of futuristic threats. Signal’s SPQR moves against quantum risk now. Some bloggers treat quantum as an abstract future worry; others see it as an urgent one. I’d say the conservative move is to harden early when an upgrade is low-friction. Signal’s decision to roll SPQR automatically is the kind of practical step that buys future peace of mind.
Little human bits that matter
A few posts are reminders that people make systems run — and break. Minsuk’s KakaoTalk story feels ordinary and important. Social engineering exploits don’t need fancy crypto or nation-state budgets. Someone curious clicks a link and the rest is downhill. I keep thinking about the person who cleans the office printers or sets up the solar inverter. Their choices matter.
And then the cosy-sounding but sharp bug bounty and contest news from Darwin shows another side: there’s money and prestige to be had for digging hard. Competitions can surface talent and create better tools. They’re part of the ecosystem too.
A few practical nudges
If you’re skimming and want a quick mental checklist from these posts:
- Inventory your devices. Printers, appliances, inverters — list them and check for manufacturer updates. Denis’s work is a wake-up call for that.
- Patch Windows and check the new management options in 25H2 if you’re in a corporate shop. Brian’s write-up shows there’s some admin relief tucked into this release.
- Consider quantum-safe options for really sensitive chats. Signal’s SPQR is worth a look, and it’s rolling out automatically.
- Encourage clear disclosure practices. Read Piet’s take and think about how your org treats external researchers.
- If you manage a small network, try OPNsense with Zenarmor. It’s a practical step that increases control.
- For developers and toolmakers, glance at polycvss. Small libs like this are the hidden glue of better security tooling.
I’ll admit I repeat myself a bit here — because these are the things that keep showing up. Device sprawl. Policy mismatch. Human curiosity. Tools that quietly help. It’s like hearing the same tune in different keys.
If one thread ties a lot of these posts together, it’s the idea that security is a shared responsibility that’s still missing shared language. Researchers, vendors, regulators, and end users all talk about the same problems. They do not always agree on words or who holds the broom. That gap shows up as slow patching, confusing liability, and products rushed into the wild.
If you want the nitty-gritty proofs and examples, the authors do a good job with their own flavors. Read Denis Laskov for the printer and Unity details. Glance at Piet De Vaere if you want the policy teeth. Davi Ottenheimer gives the energy angle. Brian Fagioli is the place for Windows and Signal changes. Darwin Salazar bundles the weekly news neatly. Paul Duncan and Brandon Lee are the fix-it folks with tools you can use. And Olga Lautman and Minsuk Kang remind you of the human and geopolitical stakes.
There’s plenty more to chew on in each post. So if you like poking at the edges — and who doesn’t, really — go click through. Some pieces are technical, some are political, some just tell a human story. Like finding a map in an old jacket pocket, each one points to places you might not have looked. Read them if you want the details. Or don’t. But then, don’t be surprised when a printer in the stairwell starts acting like it’s smarter than your router.