Tired of airport security queues? SQL inject yourself into the cockpit, claim researchers [Updated] | Infosec hounds say they spotted vulnerability during routine travel in the US | Research | 30 Aug 2024 | 28 comments
AMD reverses course: Ryzen 3000 CPUs will get SinkClose patch after all | Still no love for 1000- or 2000-series | Systems | 20 Aug 2024 | 21 comments
Multiple flaws in Microsoft macOS apps unpatched despite potential risks | Windows giant tells Cisco Talos it isn't fixing them | Research | 19 Aug 2024 | 21 comments
AMD won’t patch Sinkclose security bug on older Zen CPUs [Updated] | Kernel mode not good enough for you? Maybe you'll like SMM of this | Patches | 13 Aug 2024 | 14 comments
If you give Copilot the reins, don't be surprised when it spills your secrets [Black Hat] | 'All of the defaults are insecure' Zenity CTO claims | Black Hat and DEF CON | 08 Aug 2024 | 18 comments
Using 1Password on Mac? Patch up if you don’t want your Vaults raided | Hundreds of thousands of users potentially vulnerable | Patches | 08 Aug 2024 | 23 comments
Devices with insecure SSH services are everywhere, say infosec duo [Black Hat] | 'Serendipitous' discovery may have you second guessing your appliances | Black Hat and DEF CON | 07 Aug 2024 | 10 comments
SAP Core AI bugs allowed access to internal network servers, say researchers [Black Hat] | Wiz infoseccers able to promote themselves from humble customer to full-blown admin | Black Hat and DEF CON | 06 Aug 2024
UK plans to revamp national cyber defense tools are already in motion | Work aims to build on the success of NCSC's 2016 initiative – and private sector will play a part | Cyber-crime | 02 Aug 2024 | 8 comments
Ransomware gangs are loving this dumb but deadly make-me-admin ESXi vulnerability | Get those patches applied – all the big dogs are abusing it | VMware Explore | 30 Jul 2024 | 18 comments
Progress discloses second critical flaw in Telerik Report Server in as many months | These are the kinds of bugs APTs thrive on, just ask the Feds | Patches | 26 Jul 2024 | 1 comment
You should probably fix this 5-year-old critical Docker vuln fairly sharpish | For some unknown reason, initial patch was omitted from later versions | Patches | 25 Jul 2024
Maximum-severity Cisco vulnerability allows attackers to change admin passwords | You’re going to want to patch this one | Patches | 18 Jul 2024 | 17 comments
RADIUS networking protocol blasted into submission through MD5-based flaw | If someone can do a little MITM'ing and hash cracking, they can log in with no valid password needed | Research | 10 Jul 2024 | 11 comments
Latest Ghostscript vulnerability haunts experts as the next big breach enabler | There's also chatter about whether medium severity scare is actually code red nightmare | Research | 05 Jul 2024 | 25 comments
Traeger security bugs bad news for grillers with neighborly beef | Never risk it when it comes to brisket – make sure those updates are applied | Research | 03 Jul 2024 | 20 comments
No rest for the wiry as Cisco Nexus switches flip out over latest zero-day | Command injection bug being abused by suspected Chinese spies – patch up | Malware Month | 02 Jul 2024 | 6 comments
Nasty regreSSHion bug in OpenSSH puts roughly 700K Linux boxes at risk | Full system takeovers on the cards, for those with enough patience to pull it off | Patches | 01 Jul 2024 | 59 comments
Juniper Networks flings out emergency patches for perfect 10 router vuln | Get 'em while they're hot | Patches | 01 Jul 2024 | 6 comments
Batten down the hatches, it's time to patch some more MOVEit bugs | Exploit attempts for ‘devastating’ vulnerabilities already underway | Patches | 26 Jun 2024 | 9 comments
CISA says crooks used Ivanti bugs to snoop around high-risk chemical facilities | Crafty crims broke in but encryption stopped any nastiness | Cyber-crime | 25 Jun 2024 | 3 comments
Phoenix UEFI flaw puts long list of Intel chips in hot seat | Researchers discuss it in same breath as BlackLotus and MosaicRegressor | Research | 21 Jun 2024 | 21 comments
That didn't take long: Replacement for SORBS spam blacklist arises ... sort of [Infosec in brief] | Also: Online adoption cyberstalker nabbed; Tesla trade secrets thief pleads guilty; and a critical ASUS Wi-Fi vuln | Security | 17 Jun 2024 | 2 comments
Cisco fixes WebEx flaw that allowed government, military meetings to be spied on | Researchers were able to glean data from 10,000 meetings held by top Dutch gov officials | Cyber-crime | 07 Jun 2024 | 12 comments
Emergency patches released for critical vulns impacting EOL Zyxel NAS boxes | That backdoor's not meant to be there? | Patches | 05 Jun 2024 | 3 comments
NIST turns to IT consultants to clear National Vulnerability Database backlog | Aims to get CVE logjam cleared by the end of FY 24 | CSO | 03 Jun 2024 | 5 comments
Veeam says critical flaw can't be abused to trash backups | It's still a rough one, so patch up | Patches | 23 May 2024 | 1 comment
GitHub Enterprise Server patches 10-outta-10 critical hole | On the bright side, someone made up to $30,000+ for finding it | Patches | 22 May 2024 | 3 comments
Critical Fluent Bit bug affects all major cloud providers, say researchers | Crashes galore, plus especially crafty crims could use it for much worse | Research | 21 May 2024 | 2 comments
Researchers call out QNAP for dragging its heels on patch development | WatchTowr publishes report claiming vendor failed to issue fixes after four months | Research | 20 May 2024 | 4 comments
NCSC CTO: Broken market must be fixed to usher in new tech [CYBERUK] | It may take ten years but vendors must be held accountable for the vulnerabilities they introduce | Security | 16 May 2024 | 9 comments
NHS Digital hints at exploit sightings of Arcserve UDP vulnerabilities | When PoC code is released within a day of disclosure, it's only a matter of time before attacks kick off | Patches | 14 May 2024 | 4 comments
The truth about KEV: CISA’s vuln deadlines good influence on private-sector patching | More work to do as most deadlines are missed and worst bugs still take months to fix | Patches | 07 May 2024
CISA says 'no more' to decades-old directory traversal bugs | Recent attacks on healthcare thrust infosec agency into alert mode | CSO | 06 May 2024 | 13 comments
Chinese government website security is often worryingly bad, say Chinese researchers [Exclusive] | Bad configurations, insecure versions of jQuery, and crummy cookies are some of myriad problems | Public Sector | 03 May 2024 | 28 comments
Patch up – 4 critical bugs in ArubaOS lead to remote code execution | Ten vulnerabilities in total, so admins have fixes to apply | Patches | 02 May 2024 | 4 comments
Federal frenzy to patch gaping GitLab account takeover hole | Warning comes exactly a year after the vulnerability was introduced | Cyber-crime | 02 May 2024 | 8 comments
Open source programming language R patches gnarly arbitrary code exec flaw [Updated] | An ACE in the hole for miscreants | Patches | 01 May 2024 | 1 comment
Exploit code for Palo Alto Networks zero-day now public | Race on to patch as researchers warn of mass exploitation of directory traversal bug | Security | 17 Apr 2024 | 3 comments
CISA in a flap as Chirp smart door locks can be trivially unlocked remotely | Hard-coded credentials last thing you want in home security app | Security | 15 Apr 2024 | 49 comments
Delinea Secret Server customers should apply latest patches [Updated] | Attackers could nab an org's most sensitive keys if left unaddressed | Patches | 15 Apr 2024 | 3 comments
Rust rustles up fix for 10/10 critical command injection bug on Windows in std lib | BatBadBut hits Erlang, Go, Python, Ruby as well | Patches | 10 Apr 2024 | 57 comments
Hotel check-in terminal bug spews out access codes for guest rooms | Attacks could be completed in seconds, compromising customer safety | Research | 05 Apr 2024 | 31 comments
Ivanti commits to secure-by-design overhaul after vulnerability nightmare | CEO addresses whirlwind start to 2024 and how it plans to prevent a repeat | Security | 04 Apr 2024 | 19 comments
JetBrains keeps mum on 26 'security problems' fixed after Rapid7 spat [Updated] | Vendor takes hardline approach to patch disclosure to new levels | Patches | 28 Mar 2024 | 14 comments
Nvidia's newborn ChatRTX bot patched for security bugs | Flaws enable privilege escalation and remote code execution | Patches | 28 Mar 2024 | 1 comment
These 17,000 unpatched Microsoft Exchange servers are a ticking time bomb | One might say this is a wurst case scenario | Patches | 28 Mar 2024 | 44 comments
Uncle Sam's had it up to here with 'unforgivable' SQL injection flaws | Software slackers urged to up their game | Security | 26 Mar 2024 | 66 comments
Mozilla fixes $100,000 Firefox zero-days following two-day hackathon | Users may have to upgrade twice to protect their browsers | Security | 25 Mar 2024 | 9 comments
Microsoft confirms memory leak in March Windows Server security update [Infosec in brief] | ALSO: Viasat hack wiper malware is back, users are the number one cause of data loss, and critical vulns | Security | 25 Mar 2024 | 11 comments
Some 300,000 IPs vulnerable to this Loop DoS attack | Easy to exploit, not yet exploited, not widely patched – pick three | Research | 24 Mar 2024 | 24 comments
3 million doors open to uninvited guests in keycard exploit | As months go by without fixes, hotels take the scenic route to securing rooms | Research | 22 Mar 2024 | 53 comments
Hardware-level Apple Silicon vulnerability can leak cryptographic keys | Short of redesigning CPUs, the fix will seriously degrade performance | Research | 22 Mar 2024 | 22 comments
More than 133,000 Fortinet appliances still vulnerable to month-old critical bug | A huge attack surface for a vulnerability with various PoCs available | Patches | 18 Mar 2024 | 2 comments
JetBrains is still mad at Rapid7 for the ransomware attacks on its customers | War of words rages on between vendors divided | Patches | 12 Mar 2024 | 12 comments
Font security 'still a Helvetica of a problem' says Australian graphics outfit Canva | Who knew that unzipping a font archive could unleash a malicious file | Security | 08 Mar 2024 | 38 comments
JetBrains TeamCity under attack by ransomware thugs after disclosure mess | More than 1,000 servers remain unpatched and vulnerable | Cyber-crime | 07 Mar 2024 | 11 comments
Apple's trademark tight lips extend to new iPhone, iPad zero-days | Two flaws fixed, one knee bent to the EU, and a budding cybersecurity star feature in iOS 17.4 | Patches | 06 Mar 2024
Rapid7 throws JetBrains under the bus for 'uncoordinated vulnerability disclosure' [Updated] | Exploits began within hours of the original disclosure, so patch now | Patches | 05 Mar 2024 | 37 comments
Zoom stomps critical privilege escalation bug plus 6 other flaws | All desktop and mobile apps vulnerable to at least one of the vulnerabilities | Patches | 15 Feb 2024
QNAP vulnerability disclosure ends up an utter shambles | Two new flaws, one zero-day, countless different patches, but everything's fine! | Patches | 13 Feb 2024 | 8 comments
Ivanti discloses fifth vulnerability, doesn't credit researchers who found it | Software company's claim of there being no active exploits also being questioned | Security | 09 Feb 2024 | 5 comments