Tag: flaw
-
SolarWinds Web Help Desk Vulnerability Allows Remote Code Execution
A critical vulnerability in SolarWinds Web Help Desk has been identified. It could allow attackers to execute arbitrary code on affected systems. The vulnerability tracked as CVE-2024-28988 was discovered by the Trend Micro Zero Day Initiative (ZDI) team during their investigation into a previous security flaw. CVE-2024-28988: Java Deserialization Flaw The vulnerability stems from a…
-
Microsoft Reveals macOS Vulnerability that Bypasses Privacy Controls in Safari Browser
Microsoft has disclosed details about a now-patched security flaw in Apple’s Transparency, Consent, and Control (TCC) framework in macOS that has likely come under exploitation to get around a user’s privacy preferences and access data.The shortcoming, codenamed HM Surf by the tech giant, is tracked as CVE-2024-44133. It was addressed by Apple as part of…
-
CISA Seeks Feedback on Upcoming Product Security Flaws Guidance
CISA is asking for feedback on future guidance outlining bad security practices in product development as part of its Secure by Design initiative First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/cisa-product-security-flaws/
-
WeChat devs introduced security flaws when they modded TLS, say researchers
No attacks possible, but enough issues to cause concern First seen on theregister.com Jump to article: www.theregister.com/2024/10/17/wechat_devs_modded_tls_introducing/
-
VMware fixes high-severity SQL injection flaw CVE-2024-38814 in HCX
VMware fixes a high-severity SQL injection flaw in HCX allowing non-admin users to remotely execute code on the HCX manager. VMWare warns to address a remote code execution vulnerability, tracked as CVE-2024-38814 (CVSS score of 8.8), in its HCX application mobility platform. The vulnerability is an authenticated SQL injection vulnerability in HCX, it was privately…
-
Critical Kubernetes Image Builder Vulnerability Exposes Nodes to Root Access Risk
A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances.The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability.”A security issue First seen…
-
Critical Veeam Vulnerability CVE-2024-40711 Exploited by Ransomware Groups
Veeam has addressed a severe vulnerability in its widely utilized Backup & Replication tool, CVE-2024-40711. This critical flaw has a staggering Common Vulnerability Scoring System (CVSS) score of 9.8. Ransomware gangs have already begun exploiting this Veeam vulnerability, particularly deploying Akira and Fog ransomware in targeted attacks. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/critical-veeam-vulnerability-2/
-
70% of exploited flaws disclosed in 2023 were zero-days
Mandiant security analysts warn of a worrying new trend of threat actors demonstrating a better capability to discover and exploit zero-day vulnerabilities in software. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/google-70-percent-of-exploited-flaws-disclosed-in-2023-were-zero-days/
-
Code Execution, Data Tampering Flaw in Nvidia NeMo Gen-AI Framework
Artificial intelligence tech giant Nvidia issues a warning for code execution and data tampering security problems in the NeMo platform. The post Code Execution, Data Tampering Flaw in Nvidia NeMo Gen-AI Framework appeared first on SecurityWeek. First seen on securityweek.com Jump to article: www.securityweek.com/code-execution-data-tampering-flaw-in-nvidia-nemo-gen-ai-framework/
-
CISA Warns of Active Exploitation in SolarWinds Help Desk Software Vulnerability
Tags: cisa, credentials, cve, cybersecurity, exploit, flaw, infrastructure, kev, software, vulnerabilityThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting SolarWinds Web Help Desk (WHD) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.Tracked as CVE-2024-28987 (CVSS score: 9.1), the vulnerability relates to a case of hard-coded credentials that could be abused to gain First…
-
Vulnerability Recap 10/15/24 Patch Tuesday Posts 117 Vulnerabilities
We take a look at the past week’s exploited vulnerabilities, including previous Ivanti and Veeam flaws, and also cover critical Patch Tuesday fixes. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/vulnerability-recap-october-15-2024/
-
WordPress plugin Jetpack fixes nearly decade-old critical security flaw
First seen on therecord.media Jump to article: therecord.media/wordpress-jetpack-plugin-fixes-flaw
-
Zero-day flaw behind Rackspace breach still a mystery
More than two weeks after threat actors exploited a zero-day vulnerability in a third-party utility to breach Rackspace, the details about the flaw and the utility remain unknown. First seen on techtarget.com Jump to article: www.techtarget.com/searchsecurity/news/366613555/Zero-day-flaw-behind-Rackspace-breach-still-a-mystery
-
The Rise of Zero-Day Vulnerabilities: Why Traditional Security Solutions Fall Short
In recent years, the number and sophistication of zero-day vulnerabilities have surged, posing a critical threat to organizations of all sizes. A zero-day vulnerability is a security flaw in software that is unknown to the vendor and remains unpatched at the time of discovery. Attackers exploit these flaws before any defensive measures can be implemented,…
-
WordPress Jetpack plugin critical flaw impacts 27 million sites
WordPress Jetpack plugin issued an update to fix a critical flaw allowing logged-in users to view form submissions by others on the same site. The maintainers of the WordPress Jetpack plugin have addressed a critical vulnerability that could allow logged-in users to access forms submitted by other users on the same site. Jetpack is a…
-
Earth Simnavaz Exploits Windows Kernel Flaw CVE-2024-30088 in Attacks on Critical Infrastructure
Trend Micro researchers have uncovered a series of advanced cyberattacks carried out by the threat group Earth Simnavaz, also known as APT34 or OilRig. This Iranian-linked cyber espionage group has... First seen on securityonline.info Jump to article: securityonline.info/earth-simnavaz-exploits-windows-kernel-flaw-cve-2024-30088-in-attacks-on-critical-infrastructure/
-
Serious Adversaries Circle Ivanti CSA Zero-Day Flaws
Suspected nation-state actors are spotted stringing together three different zero-days in the Ivanti Cloud Services Application to gain persistent access to a targeted system. First seen on darkreading.com Jump to article: www.darkreading.com/cyberattacks-data-breaches/serious-adversaries-circle-ivanti-csa-flaws
-
Jetpack fixes critical information disclosure flaw existing since 2016
WordPress plugin Jetpack released a critical security update earlier today, addressing a vulnerability that allowed a logged-in user to access forms submitted by other visitors to the site. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/jetpack-fixes-critical-information-disclosure-flaw-existing-since-2016/
-
Tens of thousands of IPs vulnerable to Fortinet flaw dubbed ‘must patch’ by feds
The Shadowserver Foundation put the figure at around 87,000 for a vulnerability rated as critical and first discovered in February. First seen on cyberscoop.com Jump to article: cyberscoop.com/ips-vulnerable-fortinet-flaw-must-patch/
-
Zero-day Flaws Exposed EV Chargers to Shutdowns and Data Theft
NCC Group experts share details of how they exploited critical zero-day vulnerabilities in Phoenix Contact EV chargers (electric… First seen on hackread.com Jump to article: hackread.com/zero-day-flaws-ev-chargers-to-shutdowns-data-theft/
-
Researchers Win $70K for Reporting Zero-Day Flaws in EV Chargers
NCC Group experts share details of how they exploited critical zero-day vulnerabilities in Phoenix Contact EV chargers (electric… First seen on hackread.com Jump to article: hackread.com/researchers-win-reporting-ev-chargers-zero-day-flaws/
-
Thousands Of Fortinet Instances Vulnerable To Actively Exploited Flaw
First seen on packetstormsecurity.com Jump to article: packetstormsecurity.com/news/view/36467/Thousands-Of-Fortinet-Instances-Vulnerable-To-Actively-Exploited-Flaw.html
-
Thousands of Fortinet instances vulnerable to actively exploited flaw
No excuses for not patching this nine-month-old issue First seen on theregister.com Jump to article: www.theregister.com/2024/10/14/fortinet_vulnerability/
-
Nation-State Attackers Exploiting Ivanti CSA Flaws for Network Infiltration
A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions.That’s according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to…
-
pac4j Java Framework Vulnerable to RCE Attacks
A critical security vulnerability has been discovered in the popular Java framework pac4j. The vulnerability specifically affects versions before 4.0 of the pac4j-core module. This vulnerability, identified as CVE-2023-25581, exposes systems to potential remote code execution (RCE) attacks due to a flaw in the deserialization process. Vulnerability Details CVE-2023-25581 The issue stems from a […]…