Tag: cve
-
Big hole in big data: Critical deserialization bug in Apache Parquet allows RCE
by
in SecurityNewsNo known exploits yet: Neither Endor Labs nor NIST’s NVD entry reported any exploit attempts using CVE-2025-30065 as of publication of this article. Apache silently pushed a fix with the release of 1.15.1 on March 16, 2025, with a GitHub redirect to changes made in the update.Endor Labs advised prompt patching of the vulnerability, which…
-
CVE-2025-22457: New Critical Ivanti Flaw Could Expose Entire Networks
by
in SecurityNewsOverview of the Vulnerability Ivanti has recently disclosed a significant security vulnerability, identified as CVE-2025-22457, affecting its Connect Secure, Policy Secure, and ZTA Gateway products. While specific details are pending, such vulnerabilities typically involve issues such as remote code execution,… First seen on sensorstechforum.com Jump to article: sensorstechforum.com/cve-2025-22457-critical-ivanti-flaw/
-
CVE-2025-22457: Critical Ivanti Connect Secure Vulnerability
by
in SecurityNewsSummary On April 3, 2025, Ivanti disclosed CVE-2025-22457 that impacts Ivanti Connect Secure VPN appliances, PulseConnect Secure(end of service), Ivanti Policy Secure, and ZTA Gateways. First seen on research.kudelskisecurity.com Jump to article: research.kudelskisecurity.com/2025/04/04/cve-2025-22457-critical-ivanti-connect-secure-vulnerability/
-
Critical Ivanti Flaw Actively Exploited to Deploy TRAILBLAZE and BRUSHFIRE Malware
by
in SecurityNewsIvanti has disclosed details of a now-patched critical security vulnerability impacting its Connect Secure that has come under active exploitation in the wild.The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), concerns a case of a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems.”A stack-based buffer overflow in Ivanti Connect…
-
OpenVPN Flaw Allows Attackers Crash Servers and Run Remote Code
by
in SecurityNewsOpenVPN, a widely-used open-source virtual private network (VPN) software, has recently patched a security vulnerability that could allow attackers to crash servers and potentially execute remote code under certain conditions. The flaw, identified as CVE-2025-2704, affects OpenVPN servers using specific configurations and has been addressed in the newly released version OpenVPN 2.6.14. CVE-2025-2704: Overview The vulnerability is…
-
Apache Traffic Server Flaw Allows Request Smuggling Attacks
by
in SecurityNewsA critical vulnerability has been discovered in Apache Traffic Server (ATS), an open-source caching proxy server. Identified as CVE-2024-53868, this flaw enables attackers to exploit request smuggling via malformed chunked messages. Users of Apache Traffic Server are urged to upgrade to secure versions of the software immediately to mitigate potential risks. CVE-2024-53868 Details The vulnerability was…
-
Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457)
by
in SecurityNewsA suspected Chinese APT group has exploited CVE-2025-22457 a buffer overflow bug that was previously thought not to be exploitable to compromise appliances … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/04/03/ivanti-vpn-customers-targeted-via-unrecognized-rce-vulnerability-cve-2025-22457/
-
Cisco confirms cyberattacks on Smart Licensing Utility flaw
by
in SecurityNewsCISA earlier this week added CVE-2024-20439, a static credential vulnerability in the license management app, to its known exploited vulnerabilities catalog. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/cisco-confirms-attacks-smart-licensing-utility-vulnerability/744352/
-
Oracle quietly admits data breach, days after lawsuit accused it of cover-up
by
in SecurityNews
Tags: access, attack, authentication, breach, cloud, compliance, credentials, crime, cve, cybersecurity, data, data-breach, endpoint, exploit, finance, fraud, hacker, identity, infrastructure, intelligence, law, oracle, resilience, risk, service, strategy, supply-chain, technology, theft, threat, vulnerabilityLawsuit challenges Oracle’s response: The reports of Oracle’s acknowledgement of the breach come just days after the company was hit with a class action lawsuit over its handling of the security breach.The lawsuit specifically addresses a major security breach discovered in March that reportedly compromised 6 million records containing sensitive authentication-related data from Oracle Cloud…
-
Cisco confirms cyberattacks on Smart Licensing Utility flaw
by
in SecurityNewsCISA earlier this week added CVE-2024-20439, a static credential vulnerability in the Cisco Smart Licensing Utility, to its known exploited vulnerabilities catalog. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/cisco-confirms-attacks-smart-licensing-utility-vulnerability/744352/
-
Oracle quietly admits data breach, days after lawsuit accused it of cover-up
by
in SecurityNews
Tags: access, attack, authentication, breach, cloud, compliance, credentials, crime, cve, cybersecurity, data, data-breach, endpoint, exploit, finance, fraud, hacker, identity, infrastructure, intelligence, law, oracle, resilience, risk, service, strategy, supply-chain, technology, theft, threat, vulnerabilityLawsuit challenges Oracle’s response: The reports of Oracle’s acknowledgement of the breach come just days after the company was hit with a class action lawsuit over its handling of the security breach.The lawsuit specifically addresses a major security breach discovered in March that reportedly compromised 6 million records containing sensitive authentication-related data from Oracle Cloud…
-
Google Quick Share Bug Bypasses Allow Zero-Click File Transfer
by
in SecurityNewsGoogle addresses patch bypasses for CVE-2024-38272 and CVE-2024-38271, part of the previously announced QuickShell silent RCE attack chain against Windows users. First seen on darkreading.com Jump to article: www.darkreading.com/application-security/google-quick-share-bug-bypasses-zero-click-file-transfer
-
Two CVEs, One Critical Flaw: Inside the CrushFTP Vulnerability Controversy
by
in SecurityNewsTwo CVEs now exist for an actively exploited CrushFTP vulnerability and much of the security industry is using the ‘wrong one’. The post Two CVEs, One Critical Flaw: Inside the CrushFTP Vulnerability Controversy appeared first on SecurityWeek. First seen on securityweek.com Jump to article: www.securityweek.com/details-emerge-on-cve-controversy-around-exploited-crushftp-vulnerability/
-
Attackers are leveraging Cisco Smart Licensing Utility static admin credentials (CVE-2024-20439)
by
in SecurityNewsCVE-2024-20439, a static credential vulnerability in the Cisco Smart Licensing Utility, is being exploited by attackers in the wild, CISA has confirmed on Monday by adding the … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/04/03/attackers-are-leveraging-cisco-smart-licensing-utility-static-admin-credentials-cve-2024-20439/
-
Vite Arbitrary File Read Vulnerability (CVE-2025-31125)
by
in SecurityNewsOverview Recently, NSFOCUS CERT detected that Vite issued a security bulletin to fix the Vite arbitrary file read vulnerability (CVE-2025-31125); Because the Vite development server does not strictly verify the path when processing URL requests, unauthenticated attackers can bypass path access restrictions by constructing special URLs and read arbitrary files on the target server. At…The…
-
Critical Flaw in Google Quick Share Lets Hackers Bypass File Transfer Approval
by
in SecurityNewsCybersecurity researchers have uncovered a new vulnerability in Google’s Quick Share data transfer tool for Windows, potentially allowing attackers to crash the application or send files to a user’s device without their consent. The vulnerability, tracked as CVE-2024-10668 with a… First seen on sensorstechforum.com Jump to article: sensorstechforum.com/cve-2024-10668-google-quick-share-exploit/
-
Details Emerge on CVE Controversy Around Exploited CrushFTP Vulnerability
by
in SecurityNewsTwo CVEs now exist for an actively exploited CrushFTP vulnerability and much of the security industry is using the ‘wrong one’. The post Details Emerge on CVE Controversy Around Exploited CrushFTP Vulnerability appeared first on SecurityWeek. First seen on securityweek.com Jump to article: www.securityweek.com/details-emerge-on-cve-controversy-around-exploited-crushftp-vulnerability/
-
Google Patches Quick Share Vulnerability Enabling Silent File Transfers Without Consent
by
in SecurityNewsCybersecurity researchers have disclosed details of a new vulnerability impacting Google’s Quick Share data transfer utility for Windows that could be exploited to achieve a denial-of-service (DoS) or send arbitrary files to a target’s device without their approval.The flaw, tracked as CVE-2024-10668 (CVSS score: 5.9), is a bypass for two of the 10 shortcomings that…
-
Cisco Smart Licensing Utility Flaws Allowed Attackers to Gain Admin Access
by
in SecurityNewsCisco has disclosed critical vulnerabilities in its Smart Licensing Utility software, identified as CVE-2024-20439 and CVE-2024-20440, which could allow unauthenticated, remote attackers to gain administrative access or collect sensitive information from compromised systems. These flaws, rated with a severity score of 9.8 in the Common Vulnerability Scoring System (CVSS), pose significant security risks to organizations…
-
U.S. CISA adds Apache Tomcat flaw to its Known Exploited Vulnerabilities catalog
by
in SecurityNewsU.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apache Tomcat flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Apache Tomcat path equivalence vulnerability, tracked as CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog. The Apache Tomcat vulnerability CVE-2025-24813 was recently disclosed and is being actively exploited just 30…
-
Google fixes GCP flaw that could expose sensitive container images
by
in SecurityNewsrun.services.update and iam.serviceAccounts.actAspermissions they could modify a Cloud Run service and deploy a new revision.”In doing so, they could specify (through malicious code injection) any private container image stored in a victim’s registries, Matan added.According to a Tenable statement to CSO, an attacker could use this vulnerability for data theft or espionage in a real-world…
-
Exploited: Critical Unauthenticated Access Vulnerability in CrushFTP (CVE-2025-2825)
by
in SecurityNewsIn the ever-evolving landscape of web application vulnerabilities, a new critical flaw has emerged. CVE-2025-2825 is a high-severity vulnerability that allows attackers to bypass authentication on CrushFTP servers. This popular enterprise file transfer solution is often used in corporate environments to manage sensitive data, making this vulnerability particularly concerning. Attackers are actively exploiting this flaw……
-
20,000 WordPress Sites at Risk of File Upload Deletion Exploits
by
in SecurityNewsA critical security alert has been issued to WordPress site administrators following the discovery of two high-severity vulnerabilities in the >>WP Ultimate CSV Importer
-
An Improved Detection Signature for the Kubernetes IngressNightmare Vulnerability
by
in SecurityNewsWiz recently published a detailed analysis of a critical vulnerability in the NGINX Ingress admission controller”, what they’ve dubbed IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24514). The vulnerability stems from insufficient input validation during configuration file processing, allowing an attacker to inject arbitrary code into the NGINX process. Wiz’s writeup is excellent and covers the technical nuances…
-
CISA Alerts on Active Exploitation of Apache Tomcat Vulnerability
by
in SecurityNews
Tags: apache, cisa, cve, cyber, cybersecurity, exploit, flaw, infrastructure, open-source, risk, vulnerabilityThe Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert regarding the active exploitation of CVE-2025-24813, a critical vulnerability within Apache Tomcat. This newly identified flaw poses a significant risk to organizations using affected versions of the popular open-source web server. CVE-2025-24813: Apache Tomcat Path Equivalence Vulnerability CVE-2025-24813, classified as a >>Path Equivalence…