Issue 82: NVIDIA NVDebug Tool Vulnerability, Jaguar Land Rover confirms Data Theft and Apple Warns Of Mercenary Spyware Attacks

Your top stories 12 September 2025:

  • NVIDIA NVDebug Tool Vulnerability Let Attackers Escalate Privileges
  • Jaguar Land Rover confirms Data Theft After Recent Cyberattack
  • Apple Warns Of Series Of Mercenary Spyware Attacks Targeting Users’ Devices

Welcome back to Critical Chatter, your weekly roundup of current cybersecurity threats, vulnerabilities and active exploits, curated by your humble SOC team. 👋


NVIDIA NVDebug Tool Vulnerability Let Attackers Escalate Privileges

NVIDIA has released a critical update for its NVDebug tool, addressing three high-severity vulnerabilities that could enable privilege escalation, code execution, and data tampering. All versions prior to 1.7.0 are affected on x86_64 and arm64-SBSA systems.

  • The most severe flaw is CVE-2025-23342 (CVSS 8.2, CWE-522), caused by insufficiently protected credentials, which could grant attackers privileged account access and full system compromise.
  • The second issue, CVE-2025-23343 (CVSS 7.6, CWE-22), is a path traversal vulnerability that may allow writing files into restricted areas of the filesystem, leading to data tampering, information disclosure, or denial of service.
  • The third flaw, CVE-2025-23344 (CVSS 7.3, CWE-78), is an OS command injection bug that could let non-privileged users execute arbitrary code, providing a direct route to privilege escalation.

In combination, these vulnerabilities pose a significant threat: once elevated privileges are achieved, attackers could install malware, exfiltrate sensitive data, or maintain persistence across networks.

Mitigation: The sole recommended fix is to upgrade immediately to NVDebug version 1.7.0 or later, available from the official NVIDIA Developer Tools portal. Users are strongly advised to apply the update without delay to prevent exploitation.

TL;DR: NVIDIA has patched three high-severity flaws in its NVDebug tool (pre-v1.7.0) that could let attackers escalate privileges, execute arbitrary code and tamper with data. Users are urged to update immediately.


Jaguar Land Rover confirms Data Theft After Recent Cyberattack

Jaguar Land Rover (JLR) has confirmed that attackers stole “some data” in a recent cyberattack that disrupted production and forced staff to stay home. The incident, disclosed on 2 September, severely affected operations and is under investigation with support from the UK National Cyber Security Centre (NCSC).

JLR, owned by Tata Motors since 2008, employs about 39,000 staff, produces over 400,000 vehicles annually, and generates revenue exceeding $38 billion (£29 billion). The company has notified regulators of the data breach and stated that it will contact affected individuals if investigations confirm personal data compromise.

While JLR has not attributed the attack, a group calling itself “Scattered Lapsus$ Hunters” has claimed responsibility via Telegram, posting screenshots of internal SAP systems and alleging ransomware deployment. The group is said to include actors linked to Lapsus$, Scattered Spider, and ShinyHunters, all of which are known for high-profile extortion operations.

This same collective has also been linked to recent large-scale Salesforce data thefts, exploiting stolen Salesloft Drift OAuth tokens to compromise multiple organisations, including Google, Cloudflare, Palo Alto Networks, Zscaler, Tenable, Proofpoint, CyberArk, BeyondTrust, JFrog, Qualys, Workday, Fastly, Cato Networks, HackerOne, BugCrowd and Rubrik.

No CVE identifiers or CVSS scores have been disclosed, as the attack appears to have relied on data theft and ransomware tactics rather than exploiting publicly known software vulnerabilities.

JLR says it is restoring systems “in a controlled and safe manner” and continues forensic investigations into the breach.

TL;DR: Jaguar Land Rover has confirmed a data breach following a major cyberattack disrupting operations, with suspected links to the Scattered Lapsus$ Hunters extortion group.


Apple Warns Of Series Of Mercenary Spyware Attacks Targeting Users’ Devices

Apple has issued fresh warnings about mercenary spyware attacks targeting high-profile individuals such as journalists, activists, politicians, and diplomats. These operations are highly sophisticated, exceptionally costly, and often linked to state actors or private firms developing surveillance tools.

Examples include Pegasus (NSO Group), Predator, Graphite, and Triangulation. Attacks are rare but global in scope, with Apple having sent threat notifications to users in more than 150 countries since 2021.

Apple does not attribute incidents to specific groups but stresses their advanced nature, short operational lifespan, and difficulty of detection. No CVE identifiers or CVSS scores were disclosed in relation to these attacks.

When Apple detects spyware-related activity, it issues alerts via a banner on account.apple.com and through email and iMessage notifications. These notifications never ask users to click links, open files, install apps, or provide account credentials. Users are urged to verify authenticity by signing in directly to their Apple account.

Apple advises notified individuals to seek expert support, for example via Access Now’s Digital Security Helpline, and to avoid altering devices before forensic investigation. Lockdown Mode is recommended for those at high risk, as it restricts exploitable features.

For all users, Apple reinforces standard cyber hygiene: keep software updated, enable two-factor authentication, use strong and unique passwords, install apps only from the App Store, and avoid suspicious links or attachments.

Although most users are unlikely to be targeted, these measures help defend against broader cyber threats while ensuring resilience against advanced spyware campaigns.

TL;DR: Apple is warning users in over 150 countries about targeted mercenary spyware campaigns linked to state-sponsored actors and advises high-risk individuals to enable Lockdown Mode.



That's all folks!

Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Dafydd Davies (SOC Automation Engineer).

If you like what you've read, subscribe so you don't miss next week's roundup.
