Tag: cvss
-
Fortinet confirms zero-day flaw used in attacks against its firewalls
in SecurityNews
Fortinet has confirmed the existence of a critical authentication bypass vulnerability in specific versions of FortiOS firewalls and FortiProxy secure web gateways. The flaw has been exploited in the wild since early December in what appears to be an indiscriminate and widespread campaign, according to cybersecurity firm Arctic Wolf. The fix for this zero-day is part…
-
Cloud Attackers Exploit Max-Critical Aviatrix RCE Flaw
in SecurityNews
The security vulnerability tracked as CVE-2024-50603, which rates 10 out of 10 on the CVSS scale, enables unauthenticated remote code execution on affected systems, which cyberattackers are using to plant malware.
First seen on darkreading.com. Jump to article: www.darkreading.com/cloud-security/cloud-attackers-exploit-max-critical-aviatrix-rce-flaw
-
SonicWall firewall hit with critical authentication bypass vulnerability
in SecurityNews
SonicWall is warning customers of a severe vulnerability in its SonicOS SSLVPN with high exploitability that remote attackers could use to bypass authentication. The bug is an improper authentication vulnerability in the SSL VPN authentication mechanism, according to emails sent to customers and published on SonicWall’s official subreddit. ”We have identified a high (severity) firewall vulnerability that…
-
Ivanti warns critical RCE flaw in Connect Secure exploited as zero-day
in SecurityNews
Tags: advisory, apt, attack, authentication, cve, cvss, cybersecurity, data-breach, exploit, flaw, google, government, group, intelligence, Internet, ivanti, law, mandiant, microsoft, network, rce, remote-code-execution, risk, software, threat, tool, vpn, vulnerability, zero-day
IT software provider Ivanti released patches Wednesday for its Connect Secure SSL VPN appliances to address two memory corruption vulnerabilities, one of which has already been exploited in the wild as a zero-day to compromise devices. The exploited vulnerability, tracked as CVE-2025-0282, is a stack-based buffer overflow rated as critical with a CVSS score of 9.0.…
-
Open source vulnerability scanner found with a serious vulnerability in its own code
in SecurityNews
Nuclei, a widely used open-source tool for scanning vulnerabilities and weaknesses in websites, cloud applications, and networks, has been found to have a high-severity flaw that could potentially allow attackers to execute malicious code on local systems. The flaw, tracked as CVE-2024-43405, is assigned a CVSS score of 7.4 out of 10 and is said to…
-
Researchers Uncover Nuclei Vulnerability Enabling Signature Bypass and Code Execution
in SecurityNews
A high-severity security flaw has been disclosed in ProjectDiscovery’s Nuclei, a widely-used open-source vulnerability scanner that, if successfully exploited, could allow attackers to bypass signature checks and potentially execute malicious code. Tracked as CVE-2024-43405, it carries a CVSS score of 7.4 out of a maximum of 10.0. It impacts all versions of Nuclei later than 3.0.0. ”The…
-
The persistent risk of remote code execution
in SecurityNews
In 2023 almost 29,000 vulnerabilities were published, 3,800 more than in 2022. Even more worrying than the sheer number of vulnerabilities in 2023 is that more than half of them were rated with a CVSS score indicating high or critical severity, an increase of 57% compared with …
-
Best of 2024: CVE-2024-38063: An In-Depth Look at the Critical Remote Code Execution Vulnerability
in SecurityNews
In a recent security advisory, Microsoft disclosed a critical vulnerability in the Windows TCP/IP stack identified as CVE-2024-38063. This Remote Code Execution (RCE) flaw, rated with a CVSS score of 9.8, poses a significant…
First seen on securityboulevard.com. Jump to article: securityboulevard.com/2024/12/cve-2024-38063-an-in-depth-look-at-the-critical-remote-code-execution-vulnerability-2/
-
Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization
in SecurityNews
Tags: apache, cve, cvss, flaw, framework, network, rce, remote-code-execution, software, vulnerability
The Apache Software Foundation (ASF) has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result in remote code execution under specific conditions. Tracked as CVE-2024-52046, the vulnerability carries a CVSS score of 10.0. It affects versions 2.0.X, 2.1.X, and 2.2.X. ”The ObjectSerializationDecoder in Apache MINA uses Java’s … First…
-
CVSS Base Score vs Temporal Score: What You Need to Know
in SecurityNews
CVSS base scores and temporal scores are not the same. Understanding the distinctions between them is critical for any cybersecurity pro. In the fast-paced and high-stakes world of cybersecurity, there are often more risks than there are mitigation resources. It’s impossible to address every vulnerability immediately. CISOs and other security managers must triage vulnerabilities, establish…
-
Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS, Patch Now
in SecurityNews
The Apache Software Foundation (ASF) has shipped security updates to address a critical security flaw in Traffic Control that, if successfully exploited, could allow an attacker to execute arbitrary Structured Query Language (SQL) commands in the database. The SQL injection vulnerability, tracked as CVE-2024-45387, is rated 9.9 out of 10.0 on the CVSS scoring system. ”An SQL…
-
Fortinet Warns of Critical FortiWLM Flaw That Could Lead to Admin Access Exploits
in SecurityNews
Fortinet has issued an advisory for a now-patched critical security flaw impacting Wireless LAN Manager (FortiWLM) that could lead to disclosure of sensitive information. The vulnerability, tracked as CVE-2023-34990, carries a CVSS score of 9.6 out of a maximum of 10.0. ”A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive…
-
Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected
in SecurityNews
Threat actors are attempting to exploit a recently disclosed security flaw impacting Apache Struts that could pave the way for remote code execution. The issue, tracked as CVE-2024-53677, carries a CVSS score of 9.5 out of 10.0, indicating critical severity. The vulnerability shares similarities with another critical bug the project maintainers addressed in December 2023 (CVE-2023-50164,…
-
Hitachi Authentication Bypass Vulnerability Allows Attackers to Hack the System Remotely
in SecurityNews
Critical Authentication Bypass Vulnerability Identified in Hitachi Infrastructure Analytics Advisor and Ops Center Analyzer. A severe vulnerability has been discovered in Hitachi’s Infrastructure Analytics Advisor and Ops Center Analyzer, posing a significant security risk to users of these products. The vulnerability, identified as CVE-2024-10205, has a CVSS 3.1 score of 9.4, which the report labels ”High”; note that on the CVSS v3.1 qualitative scale a 9.4 falls in the Critical band (9.0–10.0).
-
CVSS 10.0 – Red alert for Ivanti’s Cloud Services Application
in SecurityNews
First seen on security-insider.de. Jump to article: www.security-insider.de/ivanti-cloud-services-sicherheitsupdate-a-af37ebf25237d03e0e394e141d611278/
-
Hackers Exploiting Apache Struts2 Vulnerability to Upload Malicious Payloads
in SecurityNews
Hackers have begun exploiting a newly discovered vulnerability in Apache Struts2, a widely used open-source framework for developing Java web applications. The vulnerability, assigned the identifier CVE-2024-53677, has a critical CVSS score of 9.5, indicating its potential for severe impact if left unaddressed. Background on the Vulnerability: Apache Struts2 announced the vulnerability last week, highlighting…
-
Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection
in SecurityNews
A security flaw has been disclosed in OpenWrt’s Attended Sysupgrade (ASU) feature that, if successfully exploited, could have been abused to distribute malicious firmware packages. The vulnerability, tracked as CVE-2024-54143, carries a CVSS score of 9.3 out of a maximum of 10, indicating critical severity. Flatt Security researcher RyotaK has been credited with discovering and reporting…
-
Maximum CVSS 10.0 – SailPoint IdentityIQ contains a high-risk vulnerability
in SecurityNews
First seen on security-insider.de. Jump to article: www.security-insider.de/-kritische-sicherheitsluecke-sailpoints-identityiq-notfall-fix-a-941c95e1e094d9b26d222f656a449fe3/
-
Security researchers find deep flaws in CVSS vulnerability scoring system
in SecurityNews
The industry-wide method for assessing the severity of vulnerabilities in software and hardware needs to be revised because it can produce misleading severity assessments, delegates at Black Hat Europe were told Thursday. The Common Vulnerability Scoring System (CVSS) makes use of various metrics to quantify vulnerability severity. A presentation at Black Hat by cybersecurity experts from…
-
Chinese Hacker Pwns 81K Sophos Devices With Zero-Day Bug
The US State Department has offered a $10 million reward for Guan Tianfeng, who has been accused of developing and testing an exploit for a critical SQL injection flaw with a CVSS score of 9.8 used in Sophos attacks.
First seen on darkreading.com. Jump to article: www.darkreading.com/cyberattacks-data-breaches/chinese-hacker-pwns-81k-sophos-devices-with-zero-day-bug
-
OpenWrt Update Flaw Exposed Devices to Malicious Firmware
in SecurityNews
Embedded Device Operating System Had Flaw Allowing Hackers to Bypass Integrity Check. A critical flaw in the updating service of a popular Linux operating system for embedded devices could enable hackers to compromise firmware with malicious images. OpenWrt developers patched the vulnerability, which has a CVSS score of 9.3 and is tracked as CVE-2024-54143. First seen on…
-
CVE-2024-11205: WPForms Plugin Vulnerability Exposes 6 Million WordPress Sites to Financial Risk
in SecurityNews
A critical vulnerability, identified as CVE-2024-11205, was discovered in the WPForms plugin, a popular WordPress form builder used by over 6 million active websites. This vulnerability, which has been assigned a high CVSS score of 8.5, affects businesses relying on WPForms for payment processing and subscription management, especially those using the Stripe integration. First seen on…
-
Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console
in SecurityNews
Veeam has released security updates to address a critical flaw impacting Service Provider Console (VSPC) that could pave the way for remote code execution on susceptible instances. The vulnerability, tracked as CVE-2024-42448, carries a CVSS score of 9.9 out of a maximum of 10.0. The company noted that the bug was identified during internal testing. ”From the…
-
SmokeLoader picks up ancient MS Office bugs to pack fresh credential stealer
in SecurityNews
Threat actors are using a well-known modular malware loader, SmokeLoader, to exploit known Microsoft Office vulnerabilities and steal sensitive browser credentials. The loader, which runs a framework to deploy multiple malware modules, was observed by Fortinet’s FortiGuard Labs in attacks targeting manufacturing, healthcare, and IT companies in Taiwan. ”SmokeLoader, known for its ability to deliver other malicious…
-
CVSS score is insufficient – companies rarely close security gaps
in SecurityNews
Tags: cvss
First seen on security-insider.de. Jump to article: www.security-insider.de/analyse-schwachstellenmanagement-unternehmen-a-2f1a61b367bfe87694e8805a6e9f678b/