Topic: vulnerability disclosure
-
SolarWinds Issues Urgent Patch for Critical Web Help Desk Flaw
SolarWinds has released an urgent hotfix for a critical, unauthenticated remote code execution vulnerability (CVE-2025-26399) in its Web Help Desk software, which poses a severe risk to affected systems. The flaw is a patch bypass for a previous vulnerability and stems from unsafe deserialization...
Read More » -
Security Firms Clash Over CVE Credit Claims
FuzzingLabs accuses Gecko Security of copying their vulnerability discoveries and proof-of-concept exploits, including backdating blog posts to claim credit for CVEs like CVE-2025-51471 and CVE-2025-48889. Gecko Security denies intentional misconduct, attributing the overlap to parallel research ...
Read More » -
SolarWinds Patches Critical RCE Flaw in Web Help Desk
SolarWinds has released a critical update for its Web Help Desk software to patch CVE-2025-26399, an unauthenticated remote code execution vulnerability requiring immediate action to prevent system compromise. The flaw, located in the AjaxProxy class, allows remote attackers to execute arbitrary ...
Read More » -
Urgent: NetScaler Zero-Day Exploit Actively Attacked (CVE-2025-7775)
Three critical vulnerabilities have been discovered in Citrix NetScaler ADC and Gateway devices, with CVE-2025-7775 already being actively exploited for remote code execution and denial of service. Citrix has released security updates for affected versions and strongly advises immediate patching,...
Read More » -
Gladinet patches critical zero-day flaw in file-sharing software
Gladinet has released a critical security update for CentreStack to address CVE-2025-11371, a zero-day vulnerability that allowed attackers to bypass protections and execute remote code on systems. The flaw, discovered by Huntress, involved inadequate input sanitization enabling directory travers...
Read More » -
UK NCSC Backs Public Disclosure of AI Security Flaws
UK cybersecurity and AI authorities advocate for crowdsourced initiatives to identify and address AI vulnerabilities, emphasizing the rising risks from malicious exploitation of advanced platforms. In response to AI system breaches, developers have launched bug bounty programs to incentivize ethi...
Read More » -
Microsoft Entra ID Flaw Let Attackers Hijack Company Tenants
A critical vulnerability (CVE-2025-55241) in Microsoft's Entra ID could have allowed attackers to gain full control over an organization's tenant by exploiting unsigned "actor tokens" and a weakness in the Azure AD Graph API. The flaw enabled attackers to impersonate any user, escalate privileges...
Read More » -
Active Attack Exploits Critical Adobe Commerce, Magento Flaw
Security researchers have identified active exploitation of a critical Adobe Commerce and Magento vulnerability (CVE-2025-54236, SessionReaper), which allows attackers to hijack customer accounts and potentially execute remote code, with over 250 attack attempts blocked in a single day. The vulne...
Read More » -
Urgent CISA Alert: Active Attacks Exploit Critical Linux Sudo Flaw
A critical vulnerability (CVE-2025-32463) in Linux sudo versions 1.9.14 to 1.9.17 allows local attackers to escalate privileges to root using the -R option, even without sudoers file authorization. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known E...
Read More » -
New Ethics Rules for Cybersecurity Research: What You Need to Know
Major cybersecurity conferences are implementing new ethics requirements for research submissions, requiring authors to include stakeholder-based ethics analyses in their papers. A new framework has been developed to help researchers systematically identify all affected parties and assess potenti...
Read More » -
SAP S/4HANA Vulnerability Actively Exploited in Attacks
A critical vulnerability (CVE-2025-42957) in SAP S/4HANA allows attackers to execute unauthorized code and gain administrative control. Despite a patch being available since August 2025, many systems remain unpatched, leading to active exploitation in the wild. Successful attacks can result in se...
Read More » -
Urgent: Patch Windows SMB Flaw Being Actively Exploited
A critical Windows SMB Client vulnerability (CVE-2025-33073) is being actively exploited, allowing attackers to gain SYSTEM-level privileges through a malicious script that compromises SMB connections. Microsoft patched the flaw in June 2025, and CISA has added it to its Known Exploited Vulnerabi...
Read More » -
Cisco ASA Firewalls Remain Vulnerable to Zero-Day Attacks
Approximately 48,000 Cisco ASA devices remain vulnerable to active zero-day attacks, posing ongoing risks globally, with the majority located in the U.S. and other key countries. Attackers have used advanced tactics, including disabling logging and intercepting commands, to exploit vulnerabilitie...
Read More » -
How MCP Server Flaws Escalate to Supply Chain Attacks
A path traversal vulnerability in Smithery.ai's MCP server platform exposed administrative credentials, compromising over 3,000 AI servers and risking a major supply chain incident. The flaw allowed attackers to access sensitive files and an overprivileged token, enabling potential code execution...
Read More » -
Microsoft GoAnywhere Bug Fuels Medusa Ransomware Attacks
A critical vulnerability (CVE-2025-10035) in Fortra's GoAnywhere platform allows unauthenticated attackers to execute remote code, prompting urgent patching and removal of internet exposure. The flaw was exploited as a zero-day by Storm-1175, who used legitimate tools for reconnaissance and deplo...
Read More » -
Critical DrayTek Router Flaw Allows Remote Code Execution
A critical vulnerability (CVE-2025-10547) in DrayTek routers allows unauthenticated remote attackers to execute commands via crafted HTTP/HTTPS requests, potentially leading to system crashes or code execution. DrayTek has released firmware updates for 35 router models and advises immediate insta...
Read More »
