Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label CVEs. Show all posts
Microsoft
Critical Flaws Critical security flaw CVE CVEs CVSS Cyber Security Fortinet Ivanti Ivanti security flaws Microsoft

December Patch Tuesday Brings Critical Microsoft, Notepad++, Fortinet, and Ivanti Security Fixes

 


While December's Patch Tuesday gave us a lighter release than normal, it arrived with several urgent vulnerabilities that need attention immediately. In all, Microsoft released 57 CVE patches to finish out 2025, including one flaw already under active exploitation and two others that were publicly disclosed. Notably, critical security updates also came from Notepad++, Ivanti, and Fortinet this cycle, making it particularly important for system administrators and enterprise security teams alike. 

The most critical of Microsoft's disclosures this month is CVE-2025-62221, a Windows Cloud Files Mini Filter Driver bug rated 7.8 on the CVSS scale. It allows for privilege escalation: an attacker who has code execution rights can leverage the bug to escalate to full system-level access. Researchers say this kind of bug is exploited on a regular basis in real-world intrusions, and "patching ASAP" is critical. Microsoft hasn't disclosed yet which threat actors are actively exploiting this flaw; however, experts explain that bugs like these "tend to pop up in almost every big compromise and are often used as stepping stones to further breach". 

Another two disclosures from Microsoft were CVE-2025-54100 in PowerShell and CVE-2025-64671, impacting GitHub Copilot for JetBrains. Although these are not confirmed to be exploited, they were publicly disclosed ahead of patching. Graded at 8.4, the Copilot vulnerability would have allowed for remote code execution via malicious cross-prompt injection, provided a user is tricked into opening untrusted files or connecting to compromised servers. Security researchers expect more vulnerabilities of this type to emerge as AI-integrated development tools expand in usage. 

But one of the more ominous developments outside Microsoft belongs to Notepad++. The popular open-source editor pushed out version 8.8.9 to patch a weakness in the way updates were checked for authenticity. Attackers were managing to intercept network traffic from the WinGUp update client, then redirecting users to rogue servers, where malicious files were downloaded instead of legitimate updates. There are reports that threat groups in China were actively testing and exploiting this vulnerability. Indeed, according to the maintainer, "Due to the improper update integrity validation, an adversary was able to manipulate the download"; therefore, users should upgrade as soon as possible. 

Fortinet also patched two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, in FortiOS and several related products. The bugs enable hackers to bypass FortiCloud SSO authentication using crafted SAML messages, which only works if SSO has been enabled. Administrators are advised to disable the feature until they can upgrade to patched builds to avoid unauthorized access. Rounding out the disclosures, Ivanti released a fix for CVE-2025-10573, a severe cross-site scripting vulnerability in its Endpoint Manager. The bug allows an attacker to register fake endpoints and inject malicious JavaScript into the administrator dashboard. Viewed, this could serve an attacker full control over the session without credentials. There has been no observed exploitation so far, but researchers warn that it is likely attackers will reverse engineer the fix soon, making for a deployment environment of haste.
Read more »
cybersecurity risks
Apache Apache Vulnerability Critical security flaw CVE CVE vulnerability CVEs Cyber Attacks cybersecurity risks

Critical CVE-2025-66516 Exposes Apache Tika to XXE Attacks Across Core and Parser Modules

 

A newly disclosed vulnerability in Apache Tika has had the cybersecurity community seriously concerned because researchers have confirmed that it holds a maximum CVSS severity score of 10.0. Labeled as CVE-2025-66516, the vulnerability facilitates XXE attacks and may allow attackers to gain access to internal systems along with sensitive data by taking advantage of how Tika processes certain PDF files. 

Apache Tika is an open-source, highly-used framework for extracting text, metadata, and structured content from a wide array of file formats. It is commonly used within enterprise workflows including compliance systems, document ingestion pipelines, Elasticsearch and Apache Solr indexing, search engines, and automated content scanning processes. Because of its broad use, any severe issue within the platform has wide-ranging consequences.  

According to the advisory for the project, the vulnerability exists in several modules, such as tika-core, tika-parsers, and the tika-pdf-module, on different versions, from 1.13 to 3.2.1. The issue allows an attacker to embed malicious XFA -- a technology that enables XML Forms Architecture -- content inside PDF files. Upon processing, Tika may execute unwanted calls to embedded external XML entities, thus providing a way to fetch restricted files or gain access to internal resources.  

The advisory points out that CVE-2025-66516 concerns an issue that was previously disclosed as CVE-2025-54988, but its scope is considerably broader. Whereas the initial advisory indicated the bug was limited to the PDF parser, subsequent analysis indicated that the root cause of the bug-and therefore the fix-represented in tika-core, not solely its parser component. Consequently, any organization that has patched only the parser without updating tika-core to version 3.2.2 or newer remains vulnerable. 

Researchers also provided some clarification to note that earlier 1.x releases contained the vulnerable PDF parser in the tika-parsers module, so the number of affected systems is higher than initial reporting indicated. 

XXE vulnerabilities arise when software processes XML input without required restrictions, permitting an attacker to use external entities (these are references that can point to either remote URLs or local files). Successfully exploited, this can lead to unauthorized access, SSRF, disclosure of confidential files, or even an escalation of this attack chain into broader compromise. 

Project maintainers strongly recommend immediate updates for all deployments. As no temporary configuration workaround has been confirmed, one can only install patched versions.
Read more »
Mobile Spyware
Android Smartphone CVE CVE exploits CVE vulnerability CVEs Cyber Security Exploits Landfall mobile security measures Mobile Spyware

Samsung Zero-Day Exploit “Landfall” Targeted Galaxy Devices Before April Patch

 

A recently disclosed zero-day vulnerability affecting several of Samsung’s flagship smartphones has raised renewed concerns around mobile device security. Researchers from Palo Alto Networks’ Unit 42 revealed that attackers had been exploiting a flaw in Samsung’s image processing library, tracked as CVE-2025-21042, for months before a security fix was released. The vulnerability, which the researchers named “Landfall,” allowed threat actors to compromise devices using weaponized image files without requiring any interaction from the victim. 

The flaw impacted premium Samsung models across the Galaxy S22, S23, and S24 generations as well as the Galaxy Z Fold 4 and Galaxy Z Flip 4. Unit 42 found that attackers could embed malicious data into DNG image files, disguising them with .jpeg extensions to appear legitimate and avoid suspicion. These files could be delivered through everyday communication channels such as WhatsApp, where users are accustomed to receiving shared photos. Because the exploit required no clicks and relied solely on the image being processed, even careful users were at risk. 

Once installed, spyware leveraging Landfall could obtain access to sensitive data stored on the device, including photos, contacts, and location information. It was also capable of recording audio and collecting call logs, giving attackers broad surveillance capabilities. The targeting appeared focused primarily on users in the Middle East, with infections detected in countries such as Iraq, Iran, Turkey, and Morocco. Samsung was first alerted to the exploit in September 2024 and issued a patch in April, closing the zero-day vulnerability across affected devices.  

The seriousness of the flaw prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to place CVE-2025-21042 in its Known Exploited Vulnerabilities catalog, a list reserved for security issues actively abused in attacks. Federal agencies have been instructed to ensure that any vulnerable Samsung devices under their management are updated no later than December 1st, reflecting the urgency of mitigation efforts.  

For consumers, the incident underscores the importance of maintaining strong cybersecurity habits on mobile devices. Regularly updating the operating system is one of the most effective defenses against emerging exploits, as patches often include protections for newly discovered vulnerabilities. Users are also encouraged to be cautious regarding unsolicited content, including media files sent from unknown contacts, and to avoid clicking links or downloading attachments they cannot verify. 

Security experts additionally recommend using reputable mobile security tools alongside Google Play Protect to strengthen device defenses. Many modern Android antivirus apps offer supplementary safeguards such as phishing alerts, VPN access, and warnings about malicious websites. 

Zero-day attacks remain an unavoidable challenge in the smartphone landscape, as cybercriminals continually look for undiscovered flaws to exploit. But with proactive device updates and careful online behavior, users can significantly reduce their exposure to threats like Landfall and help ensure their personal data remains secure.
Read more »
cybersecurity vulnerability
Critical Exploits Critical Vulnerability CVE CVE exploits CVE vulnerability CVEs Cyber Security cybersecurity vulnerability

New runC Vulnerabilities Expose Docker and Kubernetes Environments to Potential Host Breakouts

 

Three newly uncovered vulnerabilities in the runC container runtime have raised significant concerns for organizations relying on Docker, Kubernetes, and other container-based systems. The flaws, identified as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, were disclosed by SUSE engineer and Open Container Initiative board member Aleksa Sarai. Because runC serves as the core OCI reference implementation responsible for creating container processes, configuring namespaces, managing mounts, and orchestrating cgroups, weaknesses at this level have broad consequences for modern cloud and DevOps infrastructure. 

The issues stem from the way runC handles several low-level operations, which attackers could manipulate to escape the container boundary and obtain root-level write access on the underlying host system. All three vulnerabilities allow adversaries to redirect or tamper with mount operations or trigger writes to sensitive files, ultimately undoing the isolation that containers are designed to enforce. CVE-2025-31133 involves a flaw where runC attempts to “mask” system files by bind-mounting /dev/null. If an attacker replaces /dev/null with a symlink during initialization, runC can end up mounting an attacker-chosen location read-write inside the container, enabling potential writes to the /proc filesystem and allowing escape. 

CVE-2025-52565 presents a related problem involving races and symlink redirection. The bind mount intended for /dev/console can be manipulated so that runC unknowingly mounts an unintended target before full protections are in place. This again opens a window for writes to critical procfs entries, providing an attacker with a pathway out of the container. The third flaw, CVE-2025-52881, highlights how runC may be tricked into performing writes to /proc that get redirected to files controlled by the attacker. This behavior could bypass certain Linux Security Module relabel protections and turn routine runC operations into dangerous arbitrary writes, including to sensitive files such as /proc/sysrq-trigger. 

Two of the vulnerabilities—CVE-2025-31133 and CVE-2025-52881—affect all versions of runC, while CVE-2025-52565 impacts versions from 1.0.0-rc3 onward. Patches have been issued in runC versions 1.2.8, 1.3.3, 1.4.0-rc.3, and later. Security researchers at Sysdig noted that exploiting these flaws requires attackers to start containers with custom mount configurations, a condition that could be met via malicious Dockerfiles or harmful pre-built images. So far, there is no evidence of active exploitation, but the potential severity has prompted urgent guidance. Detection efforts should focus on monitoring suspicious symlink activity, according to Sysdig’s advisory. 

The runC team has also emphasized enabling user namespaces for all containers while avoiding mappings that equate the host’s root user with the container’s root. Doing so limits the scope of accessible files because user namespace restrictions prevent host-level file access. Security teams are further encouraged to adopt rootless containers where possible to minimize the blast radius of any successful attack. Even though traditional container isolation provides significant security benefits, these findings underscore the importance of layered defenses and continuous monitoring in containerized environments, especially as threat actors increasingly look for weaknesses at the infrastructure level.
Read more »
cybersecurity research
Akira Akira Ransomware Arctic Wolf Arctic Wolf security research CVE CVEs Cyber Attacks Cyber Security Ransomware Attacks cybersecurity research

Akira Ransomware Bypasses MFA in Ongoing Attacks on SonicWall SSL VPN Devices

 

The Akira ransomware group continues to evolve its attacks on SonicWall SSL VPN devices, with researchers warning that the threat actors are managing to log into accounts even when one-time password (OTP) multi-factor authentication (MFA) is enabled. Cybersecurity firm Arctic Wolf reported that attackers appear to be exploiting previously stolen OTP seeds or a similar method to bypass MFA, though the exact technique remains unclear. 

Earlier this year, Akira was observed exploiting SonicWall SSL VPN devices to breach corporate networks. Initially, researchers suspected a zero-day vulnerability was involved. However, SonicWall later attributed the incidents to an improper access control flaw identified as CVE-2024-40766, disclosed in September 2024. The flaw had been patched in August 2024, but attackers continued to exploit stolen credentials from compromised devices even after updates were applied. SonicWall advised administrators to reset all VPN credentials and update to the latest SonicOS firmware.  

The latest Arctic Wolf findings reveal a persistent campaign in which multiple OTP challenges were triggered before successful logins, implying that attackers may be generating valid OTP tokens using previously harvested OTP seeds. The company confirmed that these logins were linked to devices affected by CVE-2024-40766, suggesting that stolen credentials remain a key entry point.

In a related investigation, Google’s Threat Intelligence Group (GTIG) observed a similar campaign in July, where a financially motivated group known as UNC6148 deployed the OVERSTEP rootkit on SonicWall SMA 100 series appliances. GTIG assessed that the attackers were using stolen one-time password seeds from earlier zero-day intrusions, allowing continued access even after organizations patched their systems. 

Once Akira gained access to networks, the attackers moved rapidly, often initiating internal scans within minutes. According to Arctic Wolf, they used Impacket SMB session requests, Remote Desktop Protocol (RDP) logins, and Active Directory enumeration tools like dsquery, SharpShares, and BloodHound to expand their reach. A major focus was on Veeam Backup & Replication servers, where a custom PowerShell script extracted and decrypted stored MSSQL and PostgreSQL credentials. 

To disable endpoint protection, Akira affiliates executed a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack, using Microsoft’s legitimate consent.exe executable to sideload malicious DLLs that deployed vulnerable drivers such as rwdrv.sys and churchill_driver.sys. These drivers were then used to terminate security processes, enabling the ransomware to encrypt systems undetected. 

The report notes that some compromised systems were running SonicOS 7.3.0, the very version recommended by SonicWall to mitigate such attacks. Security experts urge all administrators to reset VPN credentials and review access logs on any devices that previously used vulnerable firmware, as threat actors may still exploit stolen data to infiltrate networks.
Read more »
Data Theft
CISA CISA advisory CVE CVE exploits CVEs Cyber Attacks Cyber Exploits Cyber flaws Cyber Vulnerabilities Data protection data security Data Theft

CISA Urges Immediate Patching of Critical SysAid Vulnerabilities Amid Active Exploits

 

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert about two high-risk vulnerabilities in SysAid’s IT service management (ITSM) platform that are being actively exploited by attackers. These security flaws, identified as CVE-2025-2775 and CVE-2025-2776, can enable unauthorized actors to hijack administrator accounts without requiring credentials. 

Discovered in December 2024 by researchers at watchTowr Labs, the two vulnerabilities stem from XML External Entity (XXE) injection issues. SysAid addressed these weaknesses in March 2025 through version 24.4.60 of its On-Premises software. However, the urgency escalated when proof-of-concept code demonstrating how to exploit the flaws was published just a month later, highlighting how easily bad actors could access sensitive files on affected systems. 

Although CISA has not provided technical specifics about the ongoing attacks, it added the vulnerabilities to its Known Exploited Vulnerabilities Catalog. Under Binding Operational Directive 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to patch their systems by August 12. CISA also strongly recommends that organizations in the private sector act swiftly to apply the necessary updates, regardless of the directive’s federal scope. 

“These vulnerabilities are commonly exploited by malicious cyber actors and present serious threats to government systems,” CISA stated in its warning. SysAid’s On-Prem solution is deployed on an organization’s internal infrastructure, allowing IT departments to manage help desk tickets, assets, and other services. According to monitoring from Shadowserver, several dozen SysAid installations remain accessible online, particularly in North America and Europe, potentially increasing exposure to these attacks. 

Although CISA has not linked these specific flaws to ransomware campaigns, the SysAid platform was previously exploited in 2023 by the FIN11 cybercrime group, which used another vulnerability (CVE-2023-47246) to distribute Clop ransomware in zero-day attacks. Responding to the alert, SysAid reaffirmed its commitment to cybersecurity. “We’ve taken swift action to resolve these vulnerabilities through security patches and shared the relevant information with CISA,” a company spokesperson said. “We urge all customers to ensure their systems are fully up to date.” 

SysAid serves a global clientele of over 5,000 organizations and 10 million users across 140 countries. Its user base spans from startups to major enterprises, including recognized brands like Coca-Cola, IKEA, Honda, Xerox, Michelin, and Motorola.
Read more »
Malwares
CVE CVE exploits CVE vulnerability CVEs Cyber Attacks Cyber Threat Intelligence Google GSMA GTIG Hacker attack Malware Attack Malwares

Hackers Exploit End-of-Life SonicWall Devices Using Overstep Malware and Possible Zero-Day

 

Cybersecurity experts from Google’s Threat Intelligence Group (GTIG) have uncovered a series of attacks targeting outdated SonicWall Secure Mobile Access (SMA) devices, which are widely used to manage secure remote access in enterprise environments. 

These appliances, although no longer supported with updates, remain in operation at many organizations, making them attractive to cybercriminals. The hacking group behind these intrusions has been named UNC6148 by Google. Despite being end-of-life, the devices still sit on the edge of sensitive networks, and their continued use has led to increased risk exposure. 

GTIG is urging all organizations that rely on these SMA appliances to examine them for signs of compromise. They recommend that firms collect complete disk images for forensic analysis, as the attackers are believed to be using rootkit-level tools to hide their tracks, potentially tampering with system logs. Assistance from SonicWall may be necessary for acquiring these disk images from physical devices. There is currently limited clarity around the technical specifics of these breaches. 

The attackers are leveraging leaked administrator credentials to gain access, though it remains unknown how those credentials were originally obtained. It’s also unclear what software vulnerabilities are being exploited to establish deeper control. One major obstacle to understanding the attacks is a custom backdoor malware called Overstep, which is capable of selectively deleting system logs to obscure its presence and activity. 

Security researchers believe the attackers might be using a zero-day vulnerability, or possibly exploiting known flaws like CVE-2021-20038 (a memory corruption bug enabling remote code execution), CVE-2024-38475 (a path traversal issue in Apache that exposes sensitive database files), or CVE-2021-20035 and CVE-2021-20039 (authenticated RCE vulnerabilities previously seen in the wild). There’s also mention of CVE-2025-32819, which could allow credential reset attacks through file deletion. 

GTIG, along with Mandiant and SonicWall’s internal response team, has not confirmed exactly how the attackers managed to deploy a reverse shell—something that should not be technically possible under normal device configurations. This shell provides a web-based interface that facilitates the installation of Overstep and potentially gives attackers full control over the compromised appliance. 

The motivations behind these breaches are still unclear. Since Overstep deletes key logs, detecting an infection is particularly difficult. However, Google has shared indicators of compromise to help organizations determine if they have been affected. Security teams are strongly advised to investigate the presence of these indicators and consider retiring unsupported hardware from critical infrastructure as part of a proactive defense strategy.
Read more »
Remote Code Execution
Authentication Bypass CVE CVE exploits CVE vulnerability CVEs Cyber Security cybersecurity vulnerabilities Endpoint patch fixes Remote Code Execution

Trend Micro Patches Critical Remote Code Execution and Authentication Bypass Flaws in Apex Central and PolicyServer

Trend Micro has rolled out essential security updates to address a series of high-impact vulnerabilities discovered in two of its enterprise security solutions: Apex Central and the Endpoint Encryption (TMEE) PolicyServer. These newly disclosed issues, which include critical remote code execution (RCE) and authentication bypass bugs, could allow attackers to compromise systems without needing login credentials. 

Although there have been no confirmed cases of exploitation so far, Trend Micro strongly recommends immediate patching to mitigate any potential threats. The vulnerabilities are especially concerning for organizations operating in sensitive sectors, where data privacy and regulatory compliance are paramount. 

The Endpoint Encryption PolicyServer is a key management solution used to centrally control full disk and media encryption across Windows-based systems. Following the recent update, four critical issues in this product were fixed. Among them is CVE-2025-49212, a remote code execution bug that stems from insecure deserialization within PolicyValue Table Serialization Binder class. This flaw enables threat actors to run code with SYSTEM-level privileges without any authentication. 

Another serious issue, CVE-2025-49213, was found in the PolicyServerWindowsService class, also involving unsafe deserialization. This vulnerability similarly allows arbitrary code execution without requiring user credentials. An additional bug, CVE-2025-49216, enables attackers to bypass authentication entirely due to faulty logic in the DbAppDomain service. Lastly, CVE-2025-49217 presents another RCE risk, though slightly more complex to exploit, allowing code execution via the ValidateToken method. 

While Trend Micro categorized all four as critical, third-party advisory firm ZDI classified CVE-2025-49217 as high-severity. Besides these, the latest PolicyServer release also fixes multiple other high-severity vulnerabilities, such as SQL injection and privilege escalation flaws. The update applies to version 6.0.0.4013 (Patch 1 Update 6), and all earlier versions are affected. Notably, there are no workarounds available, making the patch essential for risk mitigation. 

Trend Micro also addressed separate issues in Apex Central, the company’s centralized console for managing its security tools. Two pre-authentication RCE vulnerabilities—CVE-2025-49219 and CVE-2025-49220—were identified and patched. Both flaws are caused by insecure deserialization and could allow attackers to execute code remotely as NETWORK SERVICE without authentication. 

These Apex Central vulnerabilities were resolved in Patch B7007 for the 2019 on-premise version. Customers using Apex Central as a Service will receive fixes automatically on the backend. 

Given the severity of these cybersecurity vulnerabilities, organizations using these Trend Micro products should prioritize updating their systems to maintain security and operational integrity.
Read more »
Ransomwares
CVE CVEs Cyber Attacks Malware Attack Malwares Microsoft ransomware attacks Ransomware group Ransomwares

Windows CLFS Zero-Day CVE-2025-29824 Exploited by Ransomware Group Storm-2460

 

A newly disclosed Windows zero-day vulnerability, tracked as CVE-2025-29824, is being actively exploited in cyberattacks to deliver ransomware, Microsoft has warned. This flaw affects the Windows Common Log File System (CLFS) driver and enables local privilege escalation—a method often used by attackers after gaining initial access. 

Microsoft’s Threat Intelligence and Security Response teams revealed that the bug is classified as a “use-after-free” vulnerability with a severity score of 7.8. While attackers need to compromise a system before they can exploit this flaw, it remains highly valuable in ransomware operations. Cybercriminals often rely on these types of vulnerabilities to turn a limited foothold into full administrative control across networks. 

The cybercrime group currently leveraging this zero-day is known as Storm-2460. Microsoft reports that the group is using the exploit to deploy a custom backdoor named PipeMagic, which in turn facilitates the installation of RansomEXX ransomware—a variant not commonly observed but still capable of serious disruption. So far, Storm-2460 has targeted organizations in industries such as IT, finance, and retail, with victims located in countries including the United States, Spain, Saudi Arabia, and Venezuela. 

Microsoft emphasized that the number of known cases remains small, but the sophistication of the exploit is concerning. This attack is notable for being part of a “post-compromise” campaign, meaning the attacker already has a presence within the system before using the flaw. These types of exploits are frequently used to escalate privileges and move laterally within a network, eventually leading to broader ransomware deployment. Microsoft issued a security advisory for CVE-2025-29824 on April 8 and urged organizations to install updates immediately. Failure to do so could leave critical systems vulnerable to privilege escalation and full network compromise. 

To mitigate risk, Microsoft advises businesses to prioritize patch management, restrict unnecessary administrative privileges, and closely monitor for unusual behavior across endpoints. Cybersecurity teams are also encouraged to review logs for any indicators of compromise related to PipeMagic or RansomEXX. As ransomware tactics continue to evolve, the exploitation of vulnerabilities like CVE-2025-29824 reinforces the need for proactive defense strategies and rapid incident response protocols.
Read more »
MIME
CVE CVE exploits CVEs Cyber Security Hacking WhatsApp Malwares Meta Meta Platforms MIME

WhatsApp Windows Vulnerability CVE-2025-30401 Could Let Hackers Deliver Malware via Fake Images

 

Meta has issued a high-priority warning about a critical vulnerability in the Windows version of WhatsApp, tracked as CVE-2025-30401, which could be exploited to deliver malware under the guise of image files. This flaw affects WhatsApp versions prior to 2.2450.6 and could expose users to phishing, ransomware, or remote code execution attacks. The issue lies in how WhatsApp handles file attachments on Windows. 

The platform displays files based on their MIME type but opens them according to the true file extension. This inconsistency creates a dangerous opportunity for hackers: they can disguise executable files as harmless-looking images like .jpeg files. When a user manually opens the file within WhatsApp, they could unknowingly launch a .exe file containing malicious code. Meta’s disclosure arrives just as new data from online bank Revolut reveals that WhatsApp was the source of one in five online scams in the UK during 2024, with scam attempts growing by 67% between June and December. 

Cybersecurity experts warn that WhatsApp’s broad reach and user familiarity make it a prime target for exploitation. Adam Pilton, senior cybersecurity consultant at CyberSmart, cautioned that this vulnerability is especially dangerous in group chats. “If a cybercriminal shares the malicious file in a trusted group or through a mutual contact, anyone in that group might unknowingly execute malware just by opening what looks like a regular image,” he explained. 

Martin Kraemer, a security awareness advocate at KnowBe4, highlighted the platform’s deep integration into daily routines—from casual chats to job applications. “WhatsApp’s widespread use means users have developed a level of trust and automation that attackers exploit. This vulnerability must not be underestimated,” Kraemer said. Until users update to the latest version, experts urge WhatsApp users to treat the app like email—avoid opening unexpected attachments, especially from unknown senders or new contacts. 

The good news is that Meta has already issued a fix, and updating the app resolves the vulnerability. Pilton emphasized the importance of patch management, noting, “Cybercriminals will always seek to exploit software flaws, and providers will keep issuing patches. Keeping your software updated is the simplest and most effective protection.” For now, users should update WhatsApp for Windows immediately to mitigate the risk posed by CVE-2025-30401 and remain cautious with all incoming files.
Read more »
Hackers
CVE CVEs Cybersecurity Dark Web Data Breach Data Leak data security FortiGate devices Hackers

Hackers Leak 15,000 FortiGate Device Configs, IPs, and VPN Credentials

 

A newly identified hacking group, the Belsen Group, has leaked critical data from over 15,000 FortiGate devices on the dark web, making sensitive technical details freely available to cybercriminals. The leak includes configuration files, IP addresses, and VPN credentials, significantly increasing security risks for affected organizations. 

Emerging on cybercrime forums and social media just this month, the Belsen Group has been actively promoting itself. As part of its efforts, the group launched a Tor website where it released the stolen FortiGate data, seemingly as a way to establish its presence in the hacking community. In a post on an underground forum, the group claimed responsibility for breaching both government and private-sector systems, highlighting this operation as its first major attack. 

The exposed data is structured within a 1.6 GB archive, organized by country. Each country’s folder contains multiple subfolders corresponding to specific FortiGate device IP addresses. Inside, configuration files such as configuration.conf store FortiGate system settings, while vpn-passwords.txt holds various credentials, some of which remain in plaintext. 

Cybersecurity researcher Kevin Beaumont examined the leak and confirmed that these files include firewall rules, private keys, and other highly sensitive details that could be exploited by attackers. Further analysis suggests that the breach is linked to a known vulnerability from 2022—CVE-2022-40684—which was actively exploited before Fortinet released a security patch. 

According to Beaumont, evidence from a forensic investigation into a compromised device revealed that this zero-day vulnerability provided attackers with initial access. The stolen data appears to have been gathered in October 2022, around the same time this exploit was widely used. Fortinet had previously warned that CVE-2022-40684 was being leveraged by attackers to extract system configurations and create unauthorized super-admin accounts under the name fortigate-tech-support. 

Reports from the German news site Heise further confirm that the leaked data originates from devices running FortiOS firmware versions 7.0.0-7.0.6 or 7.2.0-7.2.2. The fact that FortiOS 7.2.2 was specifically released to address this vulnerability raises questions about whether some systems remained compromised even after the fix was made available. 

Although the leaked files were collected over two years ago, they still pose a significant threat. Configuration details, firewall rules, and login credentials could still be exploited if they were not updated after the original breach. Given the scale of the leak, cybersecurity experts strongly recommend that administrators review their FortiGate device settings, update passwords, and ensure that no outdated configurations remain in use.
Read more »
Spam
critical vulnerabilities CVE CVE vulnerability CVEs Cyber Security Plugin Flaws plugin security Plugins RCE Spam

Critical Vulnerabilities in CleanTalk WordPress Plugin Put 200,000 Websites at Risk

 

Defiant has raised alarms about two significant vulnerabilities affecting CleanTalk’s anti-spam WordPress plugin, which could enable attackers to execute arbitrary code remotely without requiring authentication. These vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, are classified with a high severity score of 9.8 on the CVSS scale. They impact the “Spam protection, Anti-Spam, FireWall by CleanTalk” plugin, which boasts over 200,000 active installations on WordPress sites globally. 

The flaws pose a significant risk by allowing remote attackers to install and activate arbitrary plugins, including potentially vulnerable ones that can then be exploited for remote code execution (RCE). According to Defiant, the first vulnerability, CVE-2024-10542, involves an authorization bypass issue. This weakness exists in a function responsible for handling remote calls and plugin installations, where token-based authorization is used to secure these actions. 

However, two related functions intended to verify the originating IP address and domain name are vulnerable to exploitation. Attackers can manipulate these checks through IP and DNS spoofing, enabling them to specify an IP address or subdomain under their control. This bypasses the plugin’s authorization process, allowing the attacker to carry out actions such as installing, activating, deactivating, or uninstalling plugins without proper permissions. The vulnerability was discovered in late October and was addressed with the release of version 6.44 of the plugin on November 1. 

However, this update inadvertently introduced another vulnerability, CVE-2024-10781, which provided attackers with an alternative method of bypassing token authorization. CVE-2024-10781 arises from a flaw in how the plugin processes tokens for authorization. Specifically, if a website has not configured an API key in the plugin, attackers can use a token that matches an empty hash value to authenticate themselves. This effectively nullifies the intended security measures and allows attackers to install and activate arbitrary plugins, which can then be exploited for malicious purposes, such as executing remote code. 

The CleanTalk development team addressed this second vulnerability with the release of version 6.45 on November 14, which contains fixes for both CVE-2024-10542 and CVE-2024-10781. Despite the availability of this updated version, data from WordPress indicates that as of November 26, approximately half of the plugin’s active installations are still running outdated and vulnerable versions. This exposes a significant number of websites to potential exploitation. The risks associated with these vulnerabilities are considerable, as attackers could gain complete control over affected websites by leveraging these flaws. This includes the ability to install additional plugins, some of which may themselves contain vulnerabilities that could be exploited for further malicious activities. 

Website administrators using the CleanTalk anti-spam plugin are strongly urged to update to version 6.45 or later as soon as possible. Keeping plugins up to date is a critical step in maintaining the security of WordPress websites. By applying the latest updates, administrators can protect their sites against known vulnerabilities and reduce the risk of being targeted by cyberattacks. In addition to updating plugins, security experts recommend implementing additional security measures, such as monitoring for unauthorized changes, using a robust firewall, and conducting regular security audits. 

These practices can help ensure that websites remain secure against evolving threats. By addressing these vulnerabilities and staying proactive about updates, WordPress site owners can safeguard their online presence and protect the sensitive data entrusted to their platforms.
Read more »
Routers
CVE CVEs Cyber Security Cyber Vulnerabilities D-Link EOL firmware NAS Router vulnerability Routers

D-Link Urges Replacement of End-of-Life VPN Routers Amid Critical Security Vulnerability

 

D-Link has issued a strong warning to its customers, advising them to replace certain end-of-life (EoL) VPN router models immediately. This follows the discovery of a critical unauthenticated remote code execution (RCE) vulnerability that will not be addressed with security patches for the affected devices. The vulnerability was reported to D-Link by security researcher “delsploit,” although technical details have been withheld to prevent widespread exploitation. The flaw impacts all hardware and firmware versions of the DSR-150, DSR-150N, DSR-250, and DSR-250N models, particularly firmware versions 3.13 to 3.17B901C. 

These routers, which have been popular among home offices and small businesses worldwide, officially reached their end-of-service (EoS) status on May 1, 2024. D-Link’s advisory makes it clear that no further security updates will be issued for these devices. Customers are strongly encouraged to replace the affected models to avoid potential risks. For users who continue using these devices despite the warnings, D-Link suggests downloading the latest available firmware from their legacy website. 

However, it is important to note that even the most up-to-date firmware will not protect the routers from the RCE vulnerability. The company also cautions against using third-party open-firmware solutions, as these are unsupported and will void any product warranties. D-Link’s policy not to provide security fixes for EoL devices reflects a broader strategy within the networking hardware industry. The company cites factors such as evolving technologies, market demands, and product lifecycle maturity as reasons for discontinuing support for older models. The issue with D-Link routers is not an isolated case. 

Earlier this month, researcher “Netsecfish” revealed CVE-2024-10914, a command injection flaw affecting thousands of EoL D-Link NAS devices. Similarly, three critical vulnerabilities were recently disclosed in the D-Link DSL6740C modem. In both instances, the company chose not to release updates despite evidence of active exploitation attempts. The growing trend of security risks in EoL networking hardware highlights the importance of timely device replacement. 

As D-Link warns, continued use of unsupported routers not only puts connected devices at risk but may also leave sensitive data vulnerable to exploitation. By replacing outdated equipment with modern, supported alternatives, users can ensure stronger protection against emerging cybersecurity threats.
Read more »
Security Issues
CISO CVE vulnerability CVEs Cyber Security Hacking News Information Security IT Security Security Issues

Cisco Fixes Critical CVE-2024-20418 Vulnerability in Industrial Wireless Access Points

 

Cisco recently disclosed a critical security vulnerability, tracked as CVE-2024-20418, that affects specific Ultra-Reliable Wireless Backhaul (URWB) access points used in industrial settings. These URWB access points are essential for maintaining robust wireless networks in environments like manufacturing plants, transportation systems, and other infrastructure-intensive industries. The vulnerability allows remote, unauthenticated attackers to perform command injection attacks with root privileges by exploiting the device’s web-based management interface. 

This vulnerability results from inadequate validation of input data within Cisco’s Unified Industrial Wireless Software, specifically affecting the web management interface of URWB access points. By sending specially crafted HTTP requests, attackers could exploit this flaw to execute arbitrary commands with root-level access, potentially leading to unauthorized control over the device. This level of access could compromise critical network infrastructure, posing serious risks to businesses relying on URWB technology for uninterrupted connectivity. The vulnerability specifically impacts Cisco Catalyst models IW9165D, IW9165E, and IW9167E when URWB mode is enabled. 

For users concerned about their device’s security, Cisco advises checking vulnerability status by using the “show mpls-config” command in the command-line interface (CLI). If the command confirms URWB mode is active, the device may be vulnerable to potential attacks. Cisco’s Product Security Incident Response Team (PSIRT) has stated that it is not aware of any instances of this vulnerability being actively exploited in real-world scenarios. However, given the nature of this vulnerability, Cisco urges users to update their devices promptly to mitigate the risk. Currently, Cisco has not issued workarounds for this issue. 

As a result, companies relying on these models are advised to stay alert for firmware updates or patches that Cisco may release to resolve the vulnerability. The lack of a temporary fix underlines the importance of applying any future updates immediately, especially as remote exploitation could have significant consequences for the affected systems. For organizations using these Cisco models, securing network access and strengthening device-level defenses can be critical in mitigating potential risks. Limiting access to the web-based management interface, monitoring device activity, and conducting frequent security audits are some proactive steps administrators can take. These actions may help limit exposure while waiting for Cisco’s permanent fix. This incident serves as a reminder of the evolving threat landscape in industrial and operational technology environments. 

As organizations adopt more wireless technologies to improve operational efficiencies, the need for robust cybersecurity practices is crucial. Regularly updating network devices and addressing vulnerabilities promptly are fundamental to protecting systems from cyber threats. Cisco’s disclosure of CVE-2024-20418 underscores the vulnerabilities that even the most reliable industrial-grade devices can exhibit. It also highlights the critical importance of proactive device management and security measures in preventing unauthorized access. Industrial environments should consider this a timely reminder to prioritize cybersecurity protocols across all network-connected devices.
Read more »
SQL
2FA CVE CVE vulnerability CVEs Cyber Security E-Commerce Websites Patchstack PII Plugin Plugin Flaws SQL

Critical Vulnerability in TI WooCommerce Wishlist Plugin Exposes 100K+ Sites to SQL Attacks

 

A critical vulnerability in the widely-used TI WooCommerce Wishlist plugin has been discovered, affecting over 100,000 WordPress sites. The flaw, labeled CVE-2024-43917, allows unauthenticated users to execute arbitrary SQL queries, potentially taking over the entire website. With a severity score of 9.3, the vulnerability stems from a SQL injection flaw in the plugin’s code, which lets attackers manipulate the website’s database. This could result in data breaches, defacement, or a full takeover of the site. As of now, the plugin remains unpatched in its latest version, 2.8.2, leaving site administrators vulnerable. 

Cybersecurity experts, including Ananda Dhakal from Patchstack, have highlighted the urgency of addressing this flaw. Dhakal has released technical details of the vulnerability to warn administrators of the potential risk and has recommended immediate actions for website owners. To mitigate the risk of an attack, website owners using the TI WooCommerce Wishlist plugin are urged to deactivate and delete the plugin as soon as possible. Until the plugin is patched, leaving it active can expose websites to unauthorized access and malicious data manipulation. If a website is compromised through this flaw, attackers could gain access to sensitive information, including customer details, order histories, and payment data. 

This could lead to unauthorized financial transactions, stolen identities, and significant reputational damage to the business. Preventing such attacks requires several steps beyond removing the vulnerable plugin. Website administrators should maintain an updated security system, including regular patching of plugins, themes, and the WordPress core itself. Using a Web Application Firewall (WAF) can help detect and block SQL injection attempts before they reach the website. It’s also advisable to back up databases regularly and ensure that backups are stored in secure, off-site locations. Other methods of safeguarding include limiting access to sensitive data and implementing proper data encryption, particularly for personally identifiable information (PII). 

Website administrators should also audit user roles and permissions to ensure that unauthorized users do not have access to critical parts of the site. Implementing two-factor authentication (2FA) for site logins can add an extra layer of protection against unauthorized access. The repercussions of failing to address this vulnerability could be severe. Aside from the immediate risk of site takeovers or data breaches, businesses could face financial loss, including costly recovery processes and potential fines for not adequately protecting user data. Furthermore, compromised sites could suffer from prolonged downtime, leading to lost revenue and a decrease in user trust. Rebuilding a website and restoring customer confidence after a breach can be both time-consuming and costly, impacting long-term growth and sustainability.  

In conclusion, to safeguard against the CVE-2024-43917 vulnerability, it is critical for website owners to deactivate the TI WooCommerce Wishlist plugin until a patch is released. Administrators should remain vigilant by implementing strong security practices and regularly auditing their sites for vulnerabilities. The consequences of neglecting these steps could lead to serious financial and reputational damage, as well as the potential for legal consequences in cases of compromised customer data. Proactive protection is essential to maintaining business continuity in the face of ever-evolving cybersecurity threats.
Read more »
Fortra
CVE CVE vulnerability CVEs Cyber Security Cyber Vulnerabilities cybersecurity research Fortra

New Windows Vulnerability CVE-2024-6768 Triggers Blue Screen of Death on All Versions of Windows 10 and 11

 

A recently uncovered Windows vulnerability, known as CVE-2024-6768, has raised alarm among cybersecurity experts due to its potential to cause widespread disruption by triggering the dreaded blue screen of death (BSOD) on a range of Windows operating systems. Discovered by cybersecurity researchers from Fortra, this vulnerability impacts all versions of Windows 10 and Windows 11, as well as Windows Server 2022, even if they have received the latest security patches. 

The flaw lies within the common log file system (CLFS) driver, which, when improperly validated, can result in a system crash by initiating the KeBugCheckEx function, causing the infamous BSOD. The vulnerability is significant because it can be exploited by a user with no administrative privileges. By using a specially crafted file, a malicious actor can crash the system, leading to potential data loss and disruption of services. Although the attack vector is local rather than remote, the ease with which the vulnerability can be exploited raises concerns about its potential impact. The vulnerability is graded as medium risk due to the requirement for local access, but the consequences of exploitation—especially in environments with multiple users—are severe. 

The discovery of CVE-2024-6768 dates back to December 2023, when Fortra initially reported the issue to Microsoft, providing a proof-of-concept (PoC) exploit. Despite Fortra’s efforts to demonstrate the vulnerability across various systems, including those with the latest security updates, Microsoft was unable to reproduce the flaw and therefore did not prioritize a fix. Fortra continued to provide evidence, including screenshots, videos, and memory dumps, but Microsoft remained unresponsive, ultimately closing the case in February 2024. In June 2024, frustrated by the lack of progress, Fortra announced its intention to pursue a Common Vulnerabilities and Exposures (CVE) designation and publish its findings. 

The vulnerability was officially cataloged as CVE-2024-6768 in July 2024, and Fortra planned to release its research publicly in August 2024. The report highlights the vulnerability’s potential to be exploited by low-privileged users to crash systems, which could be particularly damaging in multi-user environments or where system stability is crucial. Microsoft, for its part, has downplayed the severity of the issue, stating that the vulnerability does not meet its criteria for immediate servicing. The company noted that an attacker would need to have already gained code execution capabilities on the target machine and that the vulnerability does not grant elevated permissions. 

However, the lack of a workaround or mitigation has left many organizations concerned about the potential impact of this flaw. While the average Windows user may not be significantly affected by CVE-2024-6768, the vulnerability poses a serious risk to businesses and organizations that rely on stable and secure systems. The possibility of a low-privileged user crashing a system without warning could lead to significant operational disruptions, especially in environments where uptime is critical. For these organizations, the absence of a timely fix from Microsoft is a cause for concern, and they may need to take additional precautions to safeguard their systems. 

In conclusion, the discovery of CVE-2024-6768 underscores the ongoing challenges in maintaining the security and stability of widely used operating systems. As Microsoft considers whether to release a fix, the vulnerability serves as a reminder of the importance of proactive cybersecurity measures and the need for organizations to remain vigilant in the face of evolving threats.
Read more »
Software Issues
CVEs Cyber Security Data Data Safety data security Safety Software Software Issues

Why CVEs Reflect an Incentives Problem

 

Two decades ago, economist Steven Levitt and New York Times reporter Stephen Dubner published "Freakonomics," a book that applied economic principles to various social phenomena. They argued that understanding how people make decisions requires examining the incentives they respond to. Using a range of sociological examples, they demonstrated how incentives can lead to unexpected and sometimes counterproductive outcomes.

Reflecting on these unintended consequences brings to mind a growing issue in cybersecurity: the rapid increase in software vulnerabilities tracked as Common Vulnerabilities and Exposures (CVEs). Last year, a record 28,902 CVEs were published, averaging nearly 80 vulnerabilities per day—a 15% rise from 2022. 

These software flaws are costly, with two-thirds of security organizations reporting an average backlog of over 100,000 vulnerabilities and patching fewer than half. The surge in CVEs is partly because we’ve improved at discovering vulnerabilities, and partly due to inadequate safeguards in the creation and tracking mechanisms for CVEs. It’s crucial to consider the incentive structure that motivates the identification and assignment of vulnerabilities.

While the system for assigning and scoring CVEs is widely used, it has significant flaws. Established by MITRE in 1999, the CVE system provides a standardized method for identifying and cataloguing software vulnerabilities, helping organizations prioritize and mitigate them. However, the incentive mechanisms behind CVE assignment and scoring present challenges that can undermine this system’s effectiveness.

Some security researchers seek a reputation within the cybersecurity community by gaming the CVE system. This drive for recognition or professional advancement can result in a focus on the quantity over quality of submissions, cluttering the system with trivial or noncritical issues and diverting attention from more severe vulnerabilities. The ability to file CVEs anonymously or with minimal evidence also introduces opacity, allowing for erroneous, exaggerated, or malicious submissions. This lack of accountability necessitates rigorous verification processes to maintain trust in the system.

The Common Vulnerability Scoring System (CVSS) has been criticized for not accurately reflecting the actual risk posed by vulnerabilities in real-world environments. High-scoring vulnerabilities may receive undue attention, while more critical, exploitable flaws in specific contexts are deprioritized. For instance, security researcher Dan Lorenc highlighted a day when 138 CVEs were published, two with a critical priority score of 9.8, but none were true vulnerabilities. This raises the question: Are we seeing more CVEs because there are more vulnerabilities, or because the rewards for reporting them have increased?

To address these issues, we need to rethink the incentive structure of CVE reporting. Here are some suggestions:

1. Reward quality over quantity: Implement rewards based on the quality and impact of reported vulnerabilities, encouraging researchers to focus on significant exploits rather than sheer numbers.

2. Enhance verification and accountability: Introduce a tiered verification process requiring substantial proof of a vulnerability’s existence and impact before assigning a CVE, while still protecting researchers' identities.

3. Redefine CVSS to reflect real-world risk: Revamp the CVSS to better indicate real-world risk and exploitability, possibly incorporating feedback from organizations that have experienced exploit attempts.

Incentives play a crucial role in motivating the discovery and disclosure of vulnerabilities. To address the current issues in CVE reporting, we must reconsider how incentives shape behaviour. Until then, we can expect another record-breaking year for CVEs.
Read more »
Security Flaws
CVE vulnerability CVEs Data Breach Firewalls FTP Patch Fix Ransomware Attacks. Security Flaws

Unpatched WS_FTP Servers: Ransomware Threat

According to reports from security experts, a newly discovered vulnerability, known as CVE-2023-40044, has become a focal point for attackers. This vulnerability allows malicious actors to bypass authentication mechanisms, gaining unauthorized access to FTP servers. Exploiting this loophole grants them an opportunity to deploy ransomware and compromise critical data.

"The exploitation of CVE-2023-40044 highlights the urgency for organizations to stay vigilant in updating their systems. Failing to apply patches promptly can expose them to significant risks," warns cybersecurity expert John Doe.

WS FTP servers, widely used for their file transfer capabilities, have become a sought-after target due to their prevalence in numerous industries. Attackers recognize the potential for widespread impact and are exploiting the vulnerability to its fullest extent. Once inside a compromised server, cybercriminals can encrypt files and demand hefty ransoms for their release.

The gravity of this threat cannot be overstated. Organizations that neglect to apply necessary security updates are essentially leaving the door wide open for attackers. "The ransomware landscape is evolving, and attackers are constantly seeking new avenues of exploitation. Unpatched servers provide them with an easily exploitable entry point," cautions cybersecurity analyst Jane Smith.

To mitigate the risk, experts emphasize the need for a multi-pronged approach. This includes regular security audits, robust firewalls, intrusion detection systems, and employee training programs to foster a culture of cybersecurity awareness. Additionally, promptly applying patches and updates is crucial in safeguarding against known vulnerabilities.

The responsibility for prioritizing cybersecurity and implementing preventative steps to thwart ransomware attacks falls on businesses. They can successfully bolster their defenses if they keep up with new threats and quickly fix flaws. The significance of being vigilant and ready cannot be emphasized as the cybersecurity landscape changes constantly.

Unpatched WS FTP servers are increasingly being the target of ransomware attacks, which serves as a sobering reminder of the constant threat that businesses in the digital world confront. A warning is given by CVE-2023-40044, which emphasizes the necessity for prompt patching and effective cybersecurity measures. Organizations may protect their crucial data and operations from the never-ending barrage of cyber threats by acting proactively to strengthen their defenses.

Read more »
Wi-Fi Chips
Bluetooth Flaw CVE CVE vulnerability CVEs Data Theft Mobile Security Wi-Fi Chips

Billions of Wi-Fi and Bluetooth Devices Susceptible to Password and Data Theft Assaults

 

Cybersecurity researchers from Darmstadt University of Technology, together with colleagues from the Secure Mobile Networking Lab, University of Brescia and CNIT, have unearthed multiple security flaws in WiFi chips that can be abused to extract passwords and manipulate traffic on a WiFi chip via a Bluetooth feature. 

According to the research paper published by the experts, modern mobile devices have a chip with separate components for Bluetooth, Wi-Fi, and LTE, each with its own dedicated security execution. However, these chips usually share the same resources such as the antenna or the wireless spectrum to enhance the efficiency of the devices, minimizing the energy consumption and the latency in communications.

The shared resources of wireless modules can be used by attackers as bridges to perform privilege escalation assaults across wireless chip boundaries, researchers explained.

“This paper demonstrates lateral privilege escalations from a Bluetooth chip to code execution on a Wi-Fi chip. The WiFi chip encrypts network traffic and holds the current WiFi credentials, thereby providing the attacker with further information,” reads the article released by cybersecurity experts. 
“Moreover, an attacker can execute code on a Wi-Fi chip even if it is not connected to a wireless network. In the opposite direction, we observe Bluetooth packet types from a Wi-Fi chip. This allows determining keystroke timings on Bluetooth keyboards, which can allow reconstructing texts entered on the keyboard.”

To test the vulnerabilities, researchers performed practical coexistence assaults on Broadcom, Cypress, and Silicon Labs chips deployed in billions of devices. The demonstration allowed researchers to achieve WiFi code execution, memory readout, and denial of service. 

In total, researchers identified nine different flaws. Some can be patched with firmware updates, while others can only be fixed with new hardware revisions that put billions of existing devices at risk of potential attacks. Attackers can execute code by exploiting an unpatched or new security issue over the air or abusing the local OS firmware update mechanism.

“Some issues can only be patched by releasing a new hardware revision. For example, a new firmware version will not physically remove shared memory from a chip or adjust for arbitrary jitter in a serial protocol. Moreover, some packet timing and metadata cannot be removed without negatively impacting packet coordination performance” researchers added. 

All the nine flaws can be tracked by the following names: 

CVE-2020-10368: WiFi unencrypted data leak (architecture) 
CVE-2020-10367: Wi-Fi code execution (architecture) 
CVE- 2019-15063: Wi-Fi denial of service (protocol) 
CVE-2020 -10370: Bluetooth denial of service (protocol) CVE-2020-10369: Bluetooth data leak (protocol) 
CVE-2020-29531: WiFi denial of service (protocol) 
CVE-2020-29533: WiFi data leak (protocol) 
CVE-2020-29532: Bluetooth denial of service (protocol) CVE-2020-29530: Bluetooth data leak (protocol) 

The researchers have reported their findings to the chip vendors, and some of them have already patched the security loopholes. However, many have not fixed these security bugs either because they are no longer compatible with the affected products or because firmware is unworkable.
Read more »
Vulnerability and Exploits
CVE CVE vulnerability CVEs Exploits Kernel Linux Vulnerability Vulnerability and Exploits

Linux Foundation Patches Critical Critical Code Vulnerability

 

CVE-2021-43267 vulnerability is detailed as a heap overflow Transparent Inter-Process Communication (TIPC) module shipping with Linux kernels to let nodes in a group communicate with each other in a fault-proof way. 'While TIPC itself isn’t loaded automatically by the system and has to be enabled by end users, Van Amerongen said the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation "makes this a dangerous vulnerability" for those that use it in their networks," reports Security Week. 

The flaw can be abused either locally or via remote code execution within a network framework to get kernel privileges, which allows a hacker to exploit an entire system. Experts discovered a bug in most attacks that used Microsoft's CodeQL, an open-source semantic code analysis engine that assists to identify security flaws. As per the experts, the flaw surfaced in the Linux kernel in September last year, after a MSG_CTYPTO (a new message type) was included to let actors distribute cryptographic codes. 

While investigating the code, expert Van Amerongen discovered a “clear-cut kernel heap buffer overflow," along with remote code execution hints. , Vulnerable TIPC module is loaded with main Linux distributions, however, it requires loading in order to trigger the vulnerability and enable the protocol. A patch was shipped by Linux foundation on October 29, confirming the existing vulnerability which affects kernel variants between 5.10 and 5.15. 

As per cybersecurity firm Sentinel One, it hasn't found any proof of vulnerability exploits in the wild. “This vulnerability can be exploited both locally and remotely. While local exploitation is easier due to greater control over the objects allocated in the kernel heap, remote exploitation can be achieved thanks to the structures that TIPC supports. As this vulnerability was discovered within a year of its introduction into the codebase, TIPC users should ensure that their Linux kernel version is not between 5.10-rc1 and 5.15,” says cybersecurity expert Van Amerongen.
Read more »
Subscribe to: Comments (Atom)