Tag: advisory
-
QNAP Fixes 14 Vulnerabilities in QTS, QuTS Hero, QuTS Cloud, and QVP
QNAP has issued security advisory QSA-26-10, which addresses 14 vulnerabilities affecting its widely used NAS and surveillance platforms, including QTS, QuTS hero, QuTS cloud, and QVP (QVR Pro appliances). These vulnerabilities were disclosed on April 6, 2026, and are categorized as having “Important” severity. They impact the following versions: QTS 5.2.7, QuTS hero h5.2.8, QuTS…
-
Veeam würdigt herausragende Leistungen seiner EMEA-Partner auf der Tagung
Veeam Software, das Unternehmen für Data- und AI-Trust, hat die Gewinner seiner ‘EMEA Partner Awards 2026″ bekannt gegeben, die im Rahmen seines jährlichen <> vom 15. bis 18. Juni in Portugal verkündet wurden. Der Partner.Advisory-Council bringt eine ausgewählte Gruppe der strategisch wichtigsten Partner von Veeam aus ganz Europa, dem Nahen Osten und Afrika zusammen, […] First…
-
Beats Studio Buds Vulnerability Lets Attackers Within Bluetooth Range Access Microphone
Apple has revealed a significant security vulnerability affecting Beats Studio Buds, which could allow attackers within Bluetooth range to access a device’s microphone without user consent. This issue, identified as CVE-2025-20701, was addressed in Beats Firmware Update 1B211, released on June 16, 2026. According to Apple’s advisory, the flaw impacts devices that are not yet…
-
FortiBleed Campaign Targets FortiGate Devices to Harvest VPN and Admin Credentials
Tags: advisory, attack, authentication, credentials, cyber, data-breach, exploit, fortinet, threat, vpnFortinet has issued a security warning about ongoing credential-harvesting attacks targeting FortiGate devices in a campaign known as “FortiBleed.” Threat actors are exploiting weak authentication practices rather than any newly disclosed vulnerabilities. A PSIRT advisory released on June 19, 2026, by Carl Windsor indicates that the attackers are reusing previously exposed credentials from earlier incidents,…
-
Fortinet Warns of Active FortiBleed Credential Theft Attacks on FortiGate Devices
Tags: advisory, attack, authentication, credentials, cyber, data-breach, exploit, fortinet, theft, threatFortinet has issued a security warning about ongoing credential-harvesting attacks targeting FortiGate devices in a campaign known as “FortiBleed.” Threat actors are exploiting weak authentication practices rather than any newly disclosed vulnerabilities. A PSIRT advisory released on June 19, 2026, by Carl Windsor indicates that the attackers are reusing previously exposed credentials from earlier incidents,…
-
Critical LiteLLM Flaw Allows Authentication Bypass via Host Header Injection
Tags: advisory, attack, authentication, cve, cyber, flaw, framework, github, injection, vulnerabilityA critical security vulnerability tracked as CVE-2026-49468 has been disclosed in the LiteLLM framework, exposing deployments to authentication bypass attacks via Host header injection. The issue, published in the GitHub Advisory Database and classified under GHSA-4xpc-pv4p-pm3w, affects all LiteLLM versions before 1.84.0 and has been assigned a critical severity rating due to its potential impact…
-
Critical LiteLLM Flaw Allows Authentication Bypass via Host Header Injection
Tags: advisory, attack, authentication, cve, cyber, flaw, framework, github, injection, vulnerabilityA critical security vulnerability tracked as CVE-2026-49468 has been disclosed in the LiteLLM framework, exposing deployments to authentication bypass attacks via Host header injection. The issue, published in the GitHub Advisory Database and classified under GHSA-4xpc-pv4p-pm3w, affects all LiteLLM versions before 1.84.0 and has been assigned a critical severity rating due to its potential impact…
-
Critical Wazuh Flaw Enables Threat Actors to Alter Alerts and Remove Logs
A critical security flaw in Wazuh Manager could allow unauthenticated threat actors to tamper with alerts, delete forensic evidence, and execute arbitrary OpenSearch operations by exploiting an input validation weakness in the platform’s new inventory synchronization pipeline. Tracked under GitHub advisory GHSA-ff9g-85jq-r3g3, the vulnerability affects Wazuh Manager version 5.0.0-beta1 and carries a maximum CVSS score…
-
Oracle PeopleSoft RCE Flaw Used as Zero-Day in Ongoing ShinyHunters Campaign
Tags: advisory, breach, exploit, flaw, google, group, intelligence, mandiant, oracle, rce, remote-code-execution, threat, update, vulnerability, zero-dayShinyHunters exploited a critical Oracle PeopleSoft zero-day to breach over 100 organizations, mostly universities, before a patch was available. Mandiant and Google’s Threat Intelligence Group published an analysis of an active ShinyHunters campaign on June 11, one day after Oracle finally issued an advisory for the vulnerability being exploited. The gap matters: the activity ran…
-
Oracle PeopleSoft RCE Flaw Used as Zero-Day in Ongoing ShinyHunters Campaign
Tags: advisory, breach, exploit, flaw, google, group, intelligence, mandiant, oracle, rce, remote-code-execution, threat, update, vulnerability, zero-dayShinyHunters exploited a critical Oracle PeopleSoft zero-day to breach over 100 organizations, mostly universities, before a patch was available. Mandiant and Google’s Threat Intelligence Group published an analysis of an active ShinyHunters campaign on June 11, one day after Oracle finally issued an advisory for the vulnerability being exploited. The gap matters: the activity ran…
-
Microsoft Teams Android Flaw Could Let Attackers Disclose Sensitive Information
Microsoft has disclosed a high-severity information disclosure vulnerability affecting its Teams application for Android, tracked as CVE-2026-42835. The flaw, publicly released on June 9, 2026, has been assigned a CVSS v3.1 base score of 8.1, categorizing it as an “Important” severity issue. According to Microsoft’s advisory, the vulnerability stems from improper neutralization of special elements…
-
ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign hit universities hardest.Google’s Mandiant attributes it to the group it tracks as UNC6240, and dates the activity between May 27 and June 9. Oracle did not publish its…
-
Attackers Exploit Critical Langflow Flaw for Remote Code Execution
Attackers have begun actively exploiting a high-severity vulnerability in Langflow, tracked as CVE-2026-5027, which enables remote code execution via a path traversal flaw in the platform’s file upload functionality. The issue, disclosed by Tenable under advisory TRA-2026-26, affects the POST /api/v2/files endpoint, where improper sanitization of the filename parameter allows attackers to write arbitrary files anywhere on the underlying…
-
Attackers Exploit Critical Langflow Flaw for Remote Code Execution
Attackers have begun actively exploiting a high-severity vulnerability in Langflow, tracked as CVE-2026-5027, which enables remote code execution via a path traversal flaw in the platform’s file upload functionality. The issue, disclosed by Tenable under advisory TRA-2026-26, affects the POST /api/v2/files endpoint, where improper sanitization of the filename parameter allows attackers to write arbitrary files anywhere on the underlying…
-
Multiple VMware Stored XSS Flaw Enable Attackers to Inject Malicious Scripts
VMware has disclosed multiple high-severity stored cross-site scripting (XSS) vulnerabilities affecting VMware Cloud Foundation (VCF) Operations, potentially allowing attackers to inject malicious scripts and compromise administrative environments. The issues, tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, were published under advisory VMSA-2026-0004 on June 8, 2026, and carry a combined CVSS v3 base score of 8.0, indicating…
-
Multiple VMware Stored XSS Flaw Enable Attackers to Inject Malicious Scripts
VMware has disclosed multiple high-severity stored cross-site scripting (XSS) vulnerabilities affecting VMware Cloud Foundation (VCF) Operations, potentially allowing attackers to inject malicious scripts and compromise administrative environments. The issues, tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, were published under advisory VMSA-2026-0004 on June 8, 2026, and carry a combined CVSS v3 base score of 8.0, indicating…
-
Multiple VMware Stored XSS Flaw Enable Attackers to Inject Malicious Scripts
VMware has disclosed multiple high-severity stored cross-site scripting (XSS) vulnerabilities affecting VMware Cloud Foundation (VCF) Operations, potentially allowing attackers to inject malicious scripts and compromise administrative environments. The issues, tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724, were published under advisory VMSA-2026-0004 on June 8, 2026, and carry a combined CVSS v3 base score of 8.0, indicating…
-
Critical UniFi OS RCE Chain Grants Root Access Without Credentials
Tags: access, advisory, authentication, credentials, cyber, flaw, injection, rce, remote-code-execution, update, vulnerabilitySecurity Advisory Bulletin 064 describing a critical chain of vulnerabilities in UniFi OS Server that allows unauthenticated remote code execution and full root takeover. The issue combines an authentication-gateway bypass, a path-traversal mismatch, and a command-injection sink in the package-update service. When chained, these flaws let an attacker send a single crafted HTTP request to…
-
Critical UniFi OS Auth Bypass Flaws Lead to Unauthenticated Root RCE
Ubiquiti has addressed three critical vulnerabilities within the UniFi OS Server that attackers can chain together to achieve unauthenticated remote code execution (RCE) with root privileges. Disclosed on May 21, 2026, via Security Advisory Bulletin 064 (SAB-064), the flaws are tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. Each vulnerability carries a maximum CVSS 3.1 severity score…
-
Chinese spies are using LinkedIn to lure Westerners into sharing sensitive information
The advisory warns that Chinese spies are using public job search platforms to recruit people with access to non-public information. First seen on techcrunch.com Jump to article: techcrunch.com/2026/06/04/chinese-spies-are-using-linkedin-to-lure-westerners-into-sharing-sensitive-information/
-
PoC Exploit Released for Cisco Unified Communications Manager Security Vulnerability
A proof-of-concept (PoC) exploit has been released for a critical server-side request forgery (SSRF) vulnerability impacting Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME), increasing the likelihood of active exploitation in enterprise environments. Cisco Unified Manager Security Vulnerability Tracked as CVE-2026-20230 and detailed in Cisco advisory cisco-sa-cucm-ssrf-cXPnHcW, the…
-
Acer Confirms Patch in Progress for Wave 7 Router 0-Day Flaw
Acer has confirmed that it is actively developing a firmware patch to address critical zero-day vulnerabilities affecting its Wave 7 routers, following responsible disclosure by an independent security researcher. According to an official advisory published on June 2, 2026, the vulnerabilities impact Acer Wave 7 devices running firmware version T7c_GBL_1.01.000055 or earlier. The flaws expose…
-
Can’t make sense of Dashlane’s vault theft notification? You’re not alone.
Security advisory leaves out key details. Dashlane maintains complete silence. First seen on arstechnica.com Jump to article: arstechnica.com/security/2026/06/dashlane-issues-opaque-advisory-warning-20-encrypted-vaults-were-stolen/
-
Dashlane issues opaque advisory warning 20 encrypted vaults were stolen
Security advisory leaves out key details. Dashlane maintains complete silence. First seen on arstechnica.com Jump to article: arstechnica.com/security/2026/06/dashlane-issues-opaque-advisory-warning-20-encrypted-vaults-were-stolen/
-
Optiv Sells Consulting Business To Focus On Managed Services, Security Solutions: Exclusive
Optiv Security has completed the sale of its advisory, consulting and transformation (ACT) business to investment firm Vobis Ventures, which will create a new entity operating as Optiv Consulting, the company told CRN exclusively. First seen on crn.com Jump to article: www.crn.com/news/security/2026/optiv-sells-consulting-business-to-focus-on-managed-services-security-solutions-exclusive
-
Critical KMW CCTV Flaw Allows Unauthorised Access to Surveillance Feeds
A critical security vulnerability in KMW CCTV security cameras could allow attackers to gain full, unauthorised access to live surveillance feeds and device settings, raising serious concerns for organisations that rely on these systems in sensitive environments. The issue, tracked as CVE-2026-5386 and disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) under advisory…
-
The Security Growth Platform: Why MSPs Are Moving Beyond vCISO Tools
Three years ago, the practical question for an MSP building a cybersecurity practice was which “vCISO platform” to buy. The term was good shorthand for the work at the time: assessments, advisory, reporting, maybe a compliance module bolted on the side. The work has since outgrown the descriptor.A Security Growth Platform is the more precise…
-
Angular Language Service Extension Flaws Allow Remote Code Execution
Tags: advisory, attack, cyber, flaw, github, malicious, remote-code-execution, risk, service, vulnerabilityMultiple high-severity vulnerabilities have been discovered in the Angular Language Service VS Code extension (Angular.ng-template), exposing developers to remote code execution (RCE) attacks through malicious project files and dependencies. The issues, tracked under GitHub advisory GHSA-ccq4-xmxr-8hcq, affect all versions before 21.2.4 and have been patched in the latest release. These flaws pose significant risks to…
-
FBI warns of Kali365 phishing-as-a-service after April Microsoft 365 attacks
The law enforcement agency published an advisory on Thursday about Kali365, a Telegram-based service for cybercriminals that allows them to capture legitimate “OAuth” tokens enabling widespread access to Microsoft 365 environments. First seen on therecord.media Jump to article: therecord.media/fbi-warns-of-kali365-phishing-attacks
-
Critical Vulnerability in Cisco Secure Workload Threatens Enterprise API Security
Cisco has disclosed a critical security vulnerability in its Secure Workload platform that could allow unauthenticated attackers to gain high-level administrative access to sensitive enterprise environments. The flaw, tracked as CVE-2026-20223, carries a maximum CVSS score of 10.0 and is classified under CWE-306 (Missing Authentication for Critical Function). According to Cisco’s advisory (cisco-sa-csw-pnbsa-g8WEnuy), the issue…