McDonald's Partner and Employee Portals Vulnerabilities Disclosed

1 unique source, 1 article

Summary

An ethical hacker discovered multiple vulnerabilities in McDonald's partner and employee portals, exposing sensitive data and allowing unauthorized access. The flaws affected systems used by partners in over 120 countries and enabled access to confidential materials and corporate data. The hacker faced difficulties reporting the issues due to McDonald's lack of a formal security reporting channel. The vulnerabilities included server-side flaws, exposed API keys, and misconfigurations that allowed unauthorized users to elevate privileges and access sensitive information. The hacker also found issues in the OAuth implementation and the Stravito knowledge management platform. McDonald's has since fixed the reported vulnerabilities, but the hacker's friend was terminated for 'security concerns.' The company still lacks a proper security reporting mechanism.

Timeline

  1. 20.08.2025 21:41 · 1 article · 1mo ago

    Ethical hacker uncovers multiple vulnerabilities in McDonald's partner and employee portals
Similar Happenings

SonicWall MySonicWall Breach Exposes Firewall Configuration Files

SonicWall has released a firmware update to remove rootkit malware from SMA 100 series devices, following a breach that exposed firewall configuration backup files. In September 2025, SonicWall disclosed a security breach affecting MySonicWall accounts, resulting in the exposure of firewall configuration backup files for less than 5% of its customers. The breach, caused by a series of brute-force attacks, could make SonicWall firewalls easier for threat actors to exploit, since the exposed files may contain sensitive information such as credentials and tokens for services running on SonicWall devices. SonicWall confirmed that attackers accessed the API service for cloud backup; the company has cut off the attackers' access and is collaborating with cybersecurity and law enforcement agencies. Customers have been advised to reset credentials, update secrets, and follow detailed guidance to mitigate potential risks. There is no evidence that threat actors have leveraged the exposed data against impacted customers in attacks at this time. Additionally, the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds.

The threat actor UNC6148 has been deploying the OVERSTEP malware, a previously unknown persistent backdoor/user-mode rootkit, to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise, such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and recurring access following patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates whose private keys were stored on the appliance.

Cursor IDE autorun flaw allows malicious code execution

A vulnerability in the Cursor AI-powered Integrated Development Environment (IDE) allows tasks in a malicious repository to run automatically as soon as the repository is opened. This flaw can be exploited to drop malware, hijack developer environments, or steal credentials and API tokens. The issue arises because Cursor disables the Workspace Trust feature inherited from Visual Studio Code (VS Code), which blocks automatic execution of tasks until the user gives explicit consent. The default behavior can be abused by adding a malicious .vscode/tasks.json file to a publicly shared repository. The flaw affects Cursor's one million users, who generate over a billion lines of code daily. It can be exploited to leak sensitive credentials, modify files, or serve as a vector for broader system compromise, placing Cursor users at significant risk from supply-chain attacks. Cursor has decided not to fix the issue, citing the need to maintain AI and other features that depend on the autorun behavior. Users are advised to enable Workspace Trust manually or to use a basic text editor when inspecting unknown projects.

Critical vulnerabilities in SAP NetWeaver and related products addressed

SAP has released security updates addressing multiple vulnerabilities, including three critical flaws in NetWeaver and a high-severity issue in S/4HANA. The most severe, CVE-2025-42944, allows unauthenticated attackers to execute arbitrary OS commands via an insecure deserialization vulnerability in the RMI-P4 module. The second critical flaw, CVE-2025-42922, enables authenticated attackers to upload arbitrary files, potentially leading to full system compromise. The third critical vulnerability, CVE-2025-42958, allows unauthorized high-privileged users to access sensitive data and administrative functions. Additionally, a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916) was patched, which could permit attackers to delete the content of arbitrary database tables. These vulnerabilities affect SAP NetWeaver, the foundation for various business applications like ERP, CRM, SRM, and SCM, widely deployed in large enterprise networks. The RMI-P4 port, used for internal SAP-to-SAP communication, may be exposed to wider networks due to misconfigurations. SAP products are frequent targets for high-value compromises due to their handling of mission-critical data. Earlier this month, a critical code injection vulnerability (CVE-2025-42957) was exploited in S/4HANA, Business One, and NetWeaver products. SAP has also updated security notes for other high-severity vulnerabilities in Business One, Landscape Transformation Replication Server, and S/4HANA.

Plex Data Breach Exposes Customer Authentication Details

Plex, a media streaming platform, has suffered a data breach where an unauthorized third party accessed a subset of customer data from one of its databases. The compromised information includes email addresses, usernames, and securely hashed passwords. Plex has advised users to reset their passwords, enable two-factor authentication, and sign out connected devices to secure their accounts. The breach did not include payment card information. Plex has addressed the vulnerability and launched internal reviews to improve security. The company also warns users about potential phishing attacks. This is the second data breach for Plex, prompting users to take immediate action to secure their accounts.

FreePBX Zero-Day Exploited in the Wild, Emergency Patch Released

A zero-day vulnerability in FreePBX (CVE-2025-57819) is actively exploited in the wild. The flaw allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. FreePBX versions 15, 16, and 17 are affected. The exploit has been used since at least August 21, 2025, targeting systems with inadequate IP filtering or access control lists (ACLs). Sangoma has released an emergency patch and indicators of compromise (IOCs) to help administrators detect exploitation. Users are advised to upgrade, restrict public access to the administrator control panel, and check for a known issue in the v17 'framework' module that may prevent automated update notification emails. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by September 19, 2025.