Geek-Guy.com

869 search results for "Vulnerability"

BSides Las Vegas 2024, cybersecurity education, Global Security News, Infosecurity Education, Security Bloggers Network, Security BSides

BSidesLV24 – GroundFloor – Discover The Hidden Vulnerability Intelligence Within CISA’s KEV Catalog

Author/Presenter: Glenn Thorpe Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organizations YouTube channel. Permalink The post BSidesLV24 – GroundFloor – Discover The Hidden Vulnerability Intelligence Within CISA’s KEV Catalog appeared first on…

Read more →

Browser Security, Cyberattacks, Vulnerabilities, Exploits, Global Security News

Google patches Chrome vulnerability used for account takeover and MFA bypass

Chrome users are advised to update their browser immediately to fix a critical vulnerability that is being exploited to launch account takeover attacks. In some environments, this could even give attackers the ability to bypass multi-factor authentication (MFA). The recently-reported vulnerability, one of four fixed in a Wednesday update, is tracked as CVE-2025-4664 and affects…

Read more →

Exploits, Global Security News

New Chrome Vulnerability Enables Cross-Origin Data Leak via Loader Referrer Policy

Google on Wednesday released updates to address four security issues in its Chrome web browser, including one for which it said there exists an exploit in the wild. The high-severity vulnerability, tracked as CVE-2025-4664 (CVSS score: 4.3), has been characterized as a case of insufficient policy enforcement in a component called Loader. “Insufficient policy enforcement…

Read more →

Europe, Global Security News, Security, Threat and Vulnerability Management, Vulnerabilities

New EU vulnerability database will complement CVE program, not compete with it, says ENISA

From this week, the global technology industry has a new database to check for the latest software security flaws: the European Union Vulnerability Database (EUVD). Made operational by the European Union Agency for Cybersecurity (ENISA) to fulfil the EU’s NIS2 cybersecurity Directive, EUVD joins a small but important group of global vulnerability tracking platforms headed…

Read more →

Global Security News

Beyond Vulnerability Management – Can You CVE What I CVE?

The Vulnerability Treadmill The reactive nature of vulnerability management, combined with delays from policy and process, strains security teams. Capacity is limited and patching everything immediately is a struggle. Our Vulnerability Operation Center (VOC) dataset analysis identified 1,337,797 unique findings (security issues) across 68,500 unique customer assets. 32,585 of them were distinct

Read more →

Exploits, Global Security News, Security Practices, Threat and Vulnerability Management

CVE funding crisis offers chance for vulnerability remediation rethink

A recent funding crisis involving the Common Vulnerabilities and Exposures (CVE) program sent a wave of panic through the cybersecurity community, raising questions among security professionals about how the potential dissolution of the program would impact their approaches to security triage. The CVE program, which provides a publicly available archive of disclosed vulnerabilities, is highly…

Read more →

Android, Cybersecurity, Exploits, Global Security News, Google, Mobile, Mobile Security, security patch, Technology, vulnerabilities

Google addresses 1 actively exploited vulnerability in May’s Android security update

Google addressed 47 vulnerabilities affecting Android devices in its May security update, including an actively exploited software defect that was first disclosed in March. Google said the high-severity vulnerability, CVE-2025-27363, “may be under limited, targeted exploitation.” The out-of-bounds write defect in FreeType versions 2.13.0 and below may result in arbitrary code execution, Facebook said in…

Read more →

Endpoint Protection, Risk Management, Security, Vulnerabilities, Exploits, Global Security News

4 big mistakes you’re probably still making in vulnerability management…and how to fix them

Let’s be honest folks, vulnerability management isn’t the same game it was five years ago. But if you’re still running periodic scans, ‘offering’ updates vs enforcing, and chasing CVSS scores like they’re all that matters, you’re playing by outdated rules. Today’s environments are fast, fragmented, and full of moving targets; all while attackers are evolving…

Read more →

Application Security, Zero-Day Vulnerabilities, Exploits, Global Security News

SAP NetWeaver customers urged to deploy patch for critical zero-day vulnerability

Attackers have been exploiting a critical zero-day vulnerability in the Visual Composer component of the SAP NetWeaver application server since early this week. SAP released an out-of-band fix that’s available through its support portal and it should be applied immediately, especially on systems that are directly exposed to the internet. “Unauthenticated attackers can abuse built-in…

Read more →

Exploits, Global Security News, Security Bloggers Network

Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help

Timely vulnerability remediation is an ongoing challenge for organizations as they struggle to prioritize the exposures that represent the greatest risk to their operations. Existing scoring systems are invaluable but can lack context. Here’s how Tenable’s Vulnerability Watch classification system can help. Background Over the past six years working in Tenable’s research organization, I’ve watched…

Read more →

CVE, Cybercrime, Cybersecurity, Exploits, Global Security News, Research, SAP, Threats, vulnerabilities, zero days

SAP zero-day vulnerability under widespread active exploitation

Threat hunters and security researchers have observed widespread exploitation of a zero-day vulnerability affecting SAP NetWeaver systems. The unrestricted file upload vulnerability — CVE-2025-31324 — has a base score of 10 on the CVSS scale and allows attackers to upload files directly to the system without authorization.  The software defect, which affects the SAP Visual…

Read more →

Exploits, Global Security News

Researchers Identify Rack::Static Vulnerability Enabling Data Breaches in Ruby Servers

Cybersecurity researchers have disclosed three security flaws in the Rack Ruby web server interface that, if successfully exploited, could enable attackers to gain unauthorized access to files, inject malicious data, and tamper with logs under certain conditions. The vulnerabilities, flagged by cybersecurity vendor OPSWAT, are listed below – CVE-2025-27610 (CVSS score: 7.5) – A path…

Read more →

Automation, CSPMs, endpoint agents, Global Security News, Video Interviews, vulnerabilities, Vulnerability Management

The Evolution of Vulnerability Management with Steve Carter

Steve Carter discusses the evolution of the vulnerability management market, as well as where vulnerability management has failed and why the next phase has to center around automation and scale. The problem, as Carter sees it, is deceptively simple: Organizations are drowning in vulnerabilities but still can’t prioritize or fix them quickly. Scanners can identify..…

Read more →

Exploits, Global Security News, Patch Management Software, Penetration Testing, Threat and Vulnerability Management

Generative AI is making pen-test vulnerability remediation much worse

Technical, organizational, and cultural factors are preventing enterprises from resolving vulnerabilities uncovered in penetration tests — a problem the advent of generative AI is exacerbating rather than relieving. According to a study by penetration testing as a service firm Cobalt, organizations fix less than half of all exploitable vulnerabilities (48%), a figure that drops to…

Read more →

Exploits, Global Security News, Network Security, Security, Vulnerabilities

Public exploits already available for a severity 10 Erlang SSH vulnerability; patch now

Experts are urging enterprises to immediately patch an Erlang/OTP Secure Shell (SSH) vulnerability that allows unauthenticated attackers to gain full access to a device. The remote code execution (RCE) vulnerability (CVE-2025-32433) has a CVSS score of 10, the highest possible severity level. Many impacted devices are widely used in Internet of Things (IoT) and telecom…

Read more →

Exploits, Global Security News

Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan

Cybersecurity researchers have flagged a new malicious campaign related to the North Korean state-sponsored threat actor known as Kimsuky that exploits a now-patched vulnerability impacting Microsoft Remote Desktop Services to gain initial access. The activity has been named Larva-24005 by the AhnLab Security Intelligence Center (ASEC). “In some systems, initial access was gained through

Read more →

Exploits, Global Security News, Security Bloggers Network

CVE-2025-32433: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability

Proof-of-concept code has been released after researchers disclosed a maximum severity remote code execution vulnerability in Erlang/OTP SSH. Successful exploitation could allow for complete takeover of affected devices. Background On April 16, Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk of the Ruhr University Bochum in Germany disclosed a critical vulnerability in Erlang/OTP SSH…

Read more →

BSides Las Vegas 2024, cybersecurity education, Global Security News, Infosecurity Education, Security Bloggers Network, Security BSides

BSidesLV24 – Common Ground – Beyond Whack-a-Mole: Scaling Vulnerability Management by Embracing Automation

Author/Presenter: Yotam Perkal Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organizations YouTube channel. Permalink The post BSidesLV24 – Common Ground – Beyond Whack-a-Mole: Scaling Vulnerability Management by Embracing Automation appeared first on…

Read more →

Global Security News

Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution

A critical security vulnerability has been disclosed in the Erlang/Open Telecom Platform (OTP) SSH implementation that could permit an attacker to execute arbitrary code sans any authentication under certain conditions. The vulnerability, tracked as CVE-2025-32433, has been given the maximum CVSS score of 10.0. “The vulnerability allows an attacker with network access to an Erlang/OTP…

Read more →

Exploits, Global Security News

CISA Flags Actively Exploited Vulnerability in SonicWall SMA Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting SonicWall Secure Mobile Access (SMA) 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The high-severity vulnerability, tracked as CVE-2021-20035 (CVSS score: 7.2), relates to a case of operating system command injection

Read more →

A Little Sunshine, Common Vulnerabilities and Exposures, Corellium, CVE, CVE Numbering Authorities, Global Security News, Latest Warnings, Matt Tait, MITRE, The Coming Storm

Funding Expires for Key Cyber Vulnerability Database

A critical resource that cybersecurity professionals worldwide rely on to identify, mitigate and fix security vulnerabilities in software and hardware is in danger of breaking down. The federally funded, non-profit research and development organization MITRE warned today that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program — which is traditionally funded each…

Read more →

Global Security News

Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence

A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change. The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and…

Read more →

Global Security News

Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability

A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date. Tracked as CVE-2025-30406 (CVSS score: 9.0), the vulnerability refers to the use of a hard-coded cryptographic key that could expose internet-accessible servers to remote code execution attacks

Read more →

Exploits, Global Security News

OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation

A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure. The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites. “The

Read more →

Global Security News, North America

PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware

Microsoft has revealed that a now-patched security flaw impacting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets. “The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish…

Read more →

Exploits, Global Security News

CISA Warns of CentreStack’s Hard-Coded MachineKey Vulnerability Enabling RCE Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Gladinet CentreStack to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2025-30406 (CVSS score: 9.0), concerns a case of a hard-coded cryptographic key that could be abused to achieve…

Read more →

Exploits, Global Security News, Threat and Vulnerability Management, Vulnerabilities, Windows Security

April Patch Tuesday news: Windows zero day being exploited, ‘big vulnerability’ in 2 SAP apps

A threat actor is exploiting a zero-day elevation of privileges vulnerability in the Windows Common Log File System to deploy ransomware, one of a number of critical holes Microsoft plugged today as part of its April Patch Tuesday releases. “The targets include organizations in the information technology (IT) and real estate sectors of the United…

Read more →

Exploits, Global Security News

CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation

A recently disclosed critical security flaw impacting CrushFTP has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog after reports emerged of active exploitation in the wild. The vulnerability is a case of authentication bypass that could permit an unauthenticated attacker to take over susceptible instances.…

Read more →

Global Security News, Security Bloggers Network, types of vulnerability assessment​, vulnerabilities, vulnerability assessment, Vulnerability Assessment Best Practices, Vulnerability Management

The Ultimate Guide to Vulnerability Assessment

Vulnerability assessment is a process that identifies security weaknesses of any IT system, network, application, or cloud environment. It is a proactive approach to detect and fix security gaps before… The post The Ultimate Guide to Vulnerability Assessment appeared first on Strobes Security. The post The Ultimate Guide to Vulnerability Assessment appeared first on Security…

Read more →

Exploits, Global Security News

Google Patches Quick Share Vulnerability Enabling Silent File Transfers Without Consent

Cybersecurity researchers have disclosed details of a new vulnerability impacting Google’s Quick Share data transfer utility for Windows that could be exploited to achieve a denial-of-service (DoS) or send arbitrary files to a target’s device without their approval. The flaw, tracked as CVE-2024-10668 (CVSS score: 5.9), is a bypass for two of the 10 shortcomings…

Read more →

Global Security News

Google Fixed Cloud Run Vulnerability Allowing Unauthorized Image Access via IAM Misuse

Cybersecurity researchers have disclosed details of a now-patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run that could have allowed a malicious actor to access container images and even inject malicious code. “The vulnerability could have allowed such an identity to abuse its Google Cloud Run revision edit permissions in order to pull…

Read more →

Exploits, Global Security News, Security Bloggers Network, zero day

Exploited: Critical Unauthenticated Access Vulnerability in CrushFTP (CVE-2025-2825)

In the ever-evolving landscape of web application vulnerabilities, a new critical flaw has emerged. CVE-2025-2825 is a high-severity vulnerability that allows attackers to bypass authentication on CrushFTP servers. This popular enterprise file transfer solution is often used in corporate environments to manage sensitive data, making this vulnerability particularly concerning. Attackers are actively exploiting this flaw……

Read more →

CSO and CISO, IT Leadership, Threat and Vulnerability Management, Global Security News

10 best practices for vulnerability management according to CISOs

It was 2003, and I was giving my first cybersecurity presentation at an industry conference in Chicago. I talked about the onslaught of worms and viruses at the time (MSBlast, SQLSlammer, etc.), and stressed the importance of strong vulnerability and patch management to the audience. When it came time for the Q&A, an audience member…

Read more →

cyber security, Exploits, Global Security News, Security Bloggers Network

Next.js Vulnerability Exposes Middleware Security Gaps

On March 21, 2025, a critical authorization bypass vulnerability in Next.js, identified as CVE-2025-29927, was disclosed with a CVSS score of 9.1. This framework’s middleware handling flaw enables attackers to bypass authentication and authorization, exposing sensitive routes to unauthorized access. Exploiting this vulnerability does not require authentication, providing attackers with direct access to protected routes.…

Read more →

Global Security News

BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability

In what’s an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it…

Read more →

Exploits, Global Security News, Security, Vulnerabilities

Ubuntu namespace vulnerability should be addressed quickly: Expert

Linux admins who have enabled the unprivileged user namespace restriction in their recent Ubuntu environments should take action to close three new vulnerabilities that allow a threat actor to bypass the supposed protection. This warning comes after researchers at Qualys found three different ways this hardening feature can, under certain circumstances, be bypassed.  “It needs…

Read more →

Exploits, Global Security News

Mozilla Patches Critical Firefox Bug Similar to Chrome’s Recent Zero-Day Vulnerability

Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day. The security vulnerability, CVE-2025-2857, has been described as a case of an incorrect handle that could lead to a sandbox escape.…

Read more →

Exploits, Global Security News, Security, Vulnerabilities

VMware plugs a high-risk vulnerability affecting its Windows-based virtualization

Broadcom is warning customers of a high-severity, authentication bypass flaw, now fixed, affecting VMWare Tools for Windows. Tracked as CVE-2025-22230, the issue stems from improper access control and could allow privilege escalation on the affected system. “An authentication bypass vulnerability in VMware Tools for Windows was privately reported to VMware,” said Broadcom in a security…

Read more →

Blog, CVE-2025-29927, Emergency Response, Global Security News, Next.js, Security Bloggers Network

Next.js Middleware Permission Bypass Vulnerability (CVE-2025-29927)

Overview Recently, NSFOCUS CERT detected that Next.js issued a security announcement and fixed the middleware permission bypass vulnerability (CVE-2025-29927). Because Next.js lacks effective verification of the source of the x-middleware-subrequest header, when configuring to use middleware for authentication and authorization, an unauthenticated attacker can bypass system permission controls by manipulating the x-middleware-subrequest header to access…

Read more →

CVE, Cybersecurity, Exploits, Global Security News, Next.js, open source, open source software, Research, vulnerability, vulnerability disclosure

Researchers raise alarm about critical Next.js vulnerability

Researchers warn that attackers could exploit a recently discovered critical vulnerability in the open-source JavaScript framework Next.js to bypass authorization in middleware and gain access to targeted systems. Vercel, the San Francisco-based company that created and maintains Next.js, released a patch for CVE-2025-29927 in Next.js 15.2.3 on March 18 and published a security advisory on…

Read more →

Global Security News

Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication

A set of five critical security shortcomings have been disclosed in the Ingress NGINX Controller for Kubernetes that could result in unauthenticated remote code execution, putting over 6,500 clusters at immediate risk by exposing the component to the public internet. The vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974 ), assigned a CVSS score of

Read more →

Exploits, Global Security News

Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks

A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions. The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0. “Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops,” Next.js said in…

Read more →

CVE, CVE-2025-29927, Global Security News, Security Bloggers Network

CVE-2025-29927 – Understanding the Next.js Middleware Vulnerability

When security vulnerabilities appear in popular frameworks, they can affect thousands of websites overnight. That’s exactly what’s happening with a newly discovered vulnerability in Next.js – one of the most… The post CVE-2025-29927 – Understanding the Next.js Middleware Vulnerability appeared first on Strobes Security. The post CVE-2025-29927 – Understanding the Next.js Middleware Vulnerability appeared first…

Read more →

Exploits, Global Security News, Security, Vulnerabilities

CISA marks NAKIVO’s critical backup vulnerability as actively exploited

The Cybersecurity and Infrastructure Security Agency (CISA) has added a patched, high-severity vulnerability affecting NAKIVO’s backup and replication software to its known exploited vulnerability (KEV) catalog. The flaw, tracked as CVE-2024-48248, is a path traversal issue that received a high severity rating with CVSS 8.6 out of 10 and was marked “critical” by NAKIVO in…

Read more →

Exploits, Global Security News

CISA Adds NAKIVO Vulnerability to KEV Catalog Amid Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw impacting NAKIVO Backup & Replication software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2024-48248 (CVSS score: 8.6), an absolute path traversal bug that could allow an unauthenticated attacker to

Read more →

Blog, CVE-2025-24071, Emergency Response, Global Security News, Security Bloggers Network, Windows, Windows vulnerability

Windows File Explorer Spoofing Vulnerability (CVE-2025-24071)

Overview Recently, NSFOCUS CERT detected that Microsoft released a security announcement and fixed the spoofing vulnerability of Windows File Explorer (CVE-2025-24071), with a CVSS score of 7.5. Due to the implicit trust and automatic file parsing behavior of .library-ms files by Windows Explorer, unauthenticated attackers can save files by constructing RAR/ZIP with an embedded malicious…

Read more →

Authentication, Vulnerabilities, Exploits, Global Security News

Critical vulnerability in AMI MegaRAC BMC allows servers’ takeover

Researchers found a critical vulnerability in the AMI MegaRAC baseband management controller (BMC) used by multiple server manufacturers. The vulnerability could allow attackers to bypass authentication and take control of the vulnerable server over the Redfish management interface. “Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware,…

Read more →

Exploits, Global Security News

New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking

A critical security vulnerability has been disclosed in AMI’s MegaRAC Baseboard Management Controller (BMC) software that could allow an attacker to bypass authentication and carry out post-exploitation actions. The vulnerability, tracked as CVE-2024-54085, carries a CVSS v4 score of 10.0, indicating maximum severity. “A local or remote attacker can exploit the vulnerability by accessing the

Read more →

Exploits, Global Security News

Apache Tomcat Vulnerability Actively Exploited Just 30 Hours After Public Disclosure

A recently disclosed security flaw impacting Apache Tomcat has come under active exploitation in the wild following the release of a public proof-of-concept (PoC) a mere 30 hours after public disclosure. The vulnerability, tracked as CVE-2025-24813, affects the below versions – Apache Tomcat 11.0.0-M1 to 11.0.2 Apache Tomcat 10.1.0-M1 to 10.1.34 Apache Tomcat 9.0.0-M1 to…

Read more →

AI, Application Security, Automation in Security, CISO Suite, cyber defense, cyber security, cyber threat, Cybersecurity, Cybersecurity Strategy, Data Consolidation, Data Overload, Data Privacy, Data Security, Digital Privacy, Episodes, Global Security News, Governance, Risk & Compliance, Information Security, infosec, IT Security Collaboration, Managing Cybersecurity Data, penetration testing, PlexTrac, Podcast, Podcasts, privacy, purple teaming, Red Teaming, Risk Management, risk scoring, Security, security best practices, Security Bloggers Network, Social Engineering, Technology, Threat Intelligence, vulnerability remediation, Weekly Edition

Tackling Data Overload: Strategies for Effective Vulnerability Remediation

In part one of our three part series with PlexTrac, we address the challenges of data overload in vulnerability remediation. Tom hosts Dahvid Schloss, co-founder and course creator at Emulated Criminals, and Dan DeCloss, CTO and founder of PlexTrac. They share their expertise on the key data and workflow hurdles that security teams face today.…

Read more →

Exploits, Global Security News

Meta Warns of FreeType Vulnerability (CVE-2025-27363) With Active Exploitation Risk

Meta has warned that a security vulnerability impacting the FreeType open-source font rendering library may have been exploited in the wild. The vulnerability has been assigned the CVE identifier CVE-2025-27363, and carries a CVSS score of 8.1, indicating high severity. Described as an out-of-bounds write flaw, it could be exploited to achieve remote code execution…

Read more →

Exploits, Global Security News

Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks

Apple on Tuesday released a security update to address a zero-day flaw that it said has been exploited in “extremely sophisticated” attacks. The vulnerability has been assigned the CVE identifier CVE-2025-24201 and is rooted in the WebKit web browser engine component. It has been described as an out-of-bounds write issue that could allow an attacker…

Read more →

Apple, Cybersecurity, Exploits, Global Security News, iOS, mac, patching, Safari, Technology, Threats, zero days

Apple discloses zero-day vulnerability, releases emergency patches

Apple released emergency software patches Tuesday that address a newly identified zero-day vulnerability in the company’s WebKit web browser engine.  Tracked as CVE-2025-24201, an attacker can potentially escape the constraints of Webkit’s Web Content sandbox, potentially leading to unauthorized actions. The sandbox is a security feature that isolates untrusted web content in order to prevent…

Read more →

Blog, Global Security News, Perspectives and POVS, Security Bloggers Network

Beyond Patching: Why a Risk-Based Approach to Vulnerability Management Is Essential 

The cybersecurity industry has long treated patching as the gold standard for vulnerability management. It is the cornerstone of compliance frameworks, a key metric for security performance, and often the first response to a newly discovered vulnerability. But patching alone is no longer enough.  In the 2025 Gartner® report, We’re Not Patching Our Way Out…

Read more →

Exploits, Global Security News

Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Infects Over 6,000 Devices

Unpatched TP-Link Archer routers have become the target of a new botnet campaign dubbed Ballista, according to new findings from the Cato CTRL team. “The botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread itself automatically over the Internet,” security researchers Ofek Vardi and Matan Mittelman said in a…

Read more →

Global Security News

Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution

Elastic has rolled out security updates to address a critical security flaw impacting the Kibana data visualization dashboard software for Elasticsearch that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-25012, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution.…

Read more →

Asia Pacific, federal contractors, Gerry Connolly, Global Security News, Government, HackerOne, Nancy Mace, Policy, vdp, vulnerability disclosure

House passes bill requiring federal contractors to have vulnerability disclosure policies

A bill that would close a loophole in federal cybersecurity standards by requiring government contractors to abide by vulnerability disclosure policies moved one step closer to law Monday after sailing through the House. The passage of the Federal Contractor Cybersecurity Vulnerability Reduction Act in the House came a month after Reps. Nancy Mace, R-S.C., and…

Read more →

Exploits, Global Security News

Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks

Threat actors have been exploiting a security vulnerability in Paragon Partition Manager’s BioNTdrv.sys driver in ransomware attacks to escalate privileges and execute arbitrary code. The zero-day flaw (CVE-2025-0289) is part of a set of five vulnerabilities that was discovered by Microsoft, according to the CERT Coordination Center (CERT/CC). “These include arbitrary kernel memory mapping and

Read more →

Business Continuity, Vulnerabilities, Exploits, Global Security News

Schwachstellen managen: Die besten Vulnerability-Management-Tools

Schwachstellen zu managen, muss keine Schwerstarbeit sein. Wenn Sie die richtigen Tools einsetzen. Das sind die besten in Sachen Vulnerability Management. Foto: eamesBot – shutterstock.com Nicht nur das Vulnerability Management hat sich im Laufe der Jahre erheblich verändert, sondern auch die Systeme, auf denen Schwachstellen identifiziert und gepatcht werden müssen. Systeme für das Schwachstellen-Management fokussieren…

Read more →

Exploits, Global Security News, vulnerabilities

Critical Microsoft Partner Center vulnerability under attack, CISA warns

A critical vulnerability in Microsoft’s Partner Center platform is under attack, enabling unauthenticated attackers to escalate privileges, potentially leading to data breaches, malware deployment, and lateral movement across enterprise networks. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw, tracked as CVE-2024-49035, to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation…

Read more →

WordPress Appliance - Powered by TurnKey Linux