Tag: cve
-
Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack
Apple on Monday backported fixes for a recently patched security flaw that has been actively exploited in the wild.The vulnerability in question is CVE-2025-43300 (CVSS score: 8.8), an out-of-bounds write issue in the ImageIO component that could result in memory corruption when processing a malicious image file.”Apple is aware of a report that this issue…
-
Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack
Apple on Monday backported fixes for a recently patched security flaw that has been actively exploited in the wild.The vulnerability in question is CVE-2025-43300 (CVSS score: 8.8), an out-of-bounds write issue in the ImageIO component that could result in memory corruption when processing a malicious image file.”Apple is aware of a report that this issue…
-
Samsung’s image library flaw opens a zero-click backdoor
Patch now or risk a backdoor: A September 2025 Release 1 patch addresses the flaw that affects devices running Android versions 13 through 16. “Out-of-bounds Write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code,” Samsung said in the disclosure.For enterprises, CVE-2025-21043 is more than a personal device issueit…
-
CVE-2025-58434: Critical FlowiseAI Flaw Enables Full Account Takeover
A severe security vulnerability has been discovered in FlowiseAI, an open-source AI workflow automation tool, exposing users to the risk of complete account compromise. Tracked as CVE-2025-58434, this vulnerability affects both the cloud-hosted version of FlowiseAI and self-hosted deployments that expose the relevant API endpoints. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/cve-2025-58434/
-
LangChainGo Vulnerability Allows Malicious Prompt Injection to Access Sensitive Data
A recently discovered flaw in LangChainGo, the Go implementation of the LangChain framework for large language models, permits attackers to read arbitrary files on a server by injecting malicious prompt templates. Tracked as CVE-2025-9556, this vulnerability arises from the use of the Gonja template engine, which supports Jinja2 syntax and can be manipulated to perform…
-
FlowiseAI Password Reset Token Vulnerability Enables Account Takeover
Acritical vulnerabilityin FlowiseAI has been discovered that allows attackers to take over user accounts with minimal effort. The flaw, tracked as CVE-2025-58434, affects both cloud-hosted and self-hosted FlowiseAI deployments, posing significant risks to organizations using this AI workflow automation platform. CVE Number Affected Product Vulnerability Type CVSS 3.1 Score CVE-2025-58434 FlowiseAI (npm package flowise) Unauthenticated Password…
-
Linux CUPS Flaw Allows Remote Denial of Service and Authentication Bypass
Two critical security vulnerabilities have been discovered in the Common Unix Printing System (CUPS), a widely used printing subsystem for Unix-like operating systems. The flaws, designated as CVE-2025-58364 and CVE-2025-58060, expose Linux systems to remote denial-of-service attacks and authentication bypass, potentially affecting millions of Linux machines worldwide. CVE Severity CVSS Score Impact Affected Versions CVE-2025-58364…
-
Samsung Fixes Image Parsing Vulnerability Exploited in Android Attacks
Samsung patched CVE-2025-21043, a critical flaw in its Android devices exploited in live attacks. Users urged to install September 2025 update. First seen on hackread.com Jump to article: hackread.com/samsung-android-image-parsing-vulnerability-attacks/
-
New Windows 11 Flaw Slips In Through Old Patch
A Microsoft fix introduced CVE-2025-53136, leaking kernel addresses in Windows 11/Server 2022. Learn risks and how to stay protected. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/news/windows-11-flaw-sept-2025/
-
CISA Lays Out Roadmap for CVE Program’s ‘Quality Era’
Five months after the future of the CVE program was thrown in doubt, CISA this week released a roadmap that calls for steps to take for its new “quality era,” which includes public sponsorship, expanded public-private partnership, and modernization. First seen on securityboulevard.com Jump to article: securityboulevard.com/2025/09/cisa-lays-out-roadmap-for-cve-programs-quality-era/
-
All your vulns are belong to us! CISA wants to maintain gov control of CVE program
Get ready for a fight over who steers the global standard for vulnerability identification First seen on theregister.com Jump to article: www.theregister.com/2025/09/12/cisas_vision_for_cve/
-
CISA pledges robust support for funding, further development of CVE program
A key official from the agency said the vulnerability management program will continue with additional participation and enhancements. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/cisa-pledges-robust-support-for-funding-further-development-of-cve-program/760020/
-
Samsung Fixes Critical Zero-Day CVE-2025-21043 Exploited in Android Attacks
Samsung has released its monthly security updates for Android, including a fix for a security vulnerability that it said has been exploited in zero-day attacks.The vulnerability, CVE-2025-21043 (CVSS score: 8.8), concerns an out-of-bounds write that could result in arbitrary code execution.”Out-of-bounds Write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to First…
-
Cybersecurity Snapshot: Security Lags Cloud and AI Adoption, Tenable Report Finds, as CISA Lays Out Vision for CVE Program’s Future
Tags: access, ai, api, attack, automation, best-practice, breach, bug-bounty, business, cisa, cloud, communications, computer, control, cve, cyber, cybersecurity, data, data-breach, defense, encryption, exploit, framework, google, governance, government, identity, infrastructure, intelligence, international, Internet, linkedin, mitre, network, nist, office, open-source, privacy, programming, RedTeam, resilience, risk, risk-management, service, skills, software, strategy, tactics, technology, threat, tool, update, vulnerabilityCheck out Tenable’s report detailing challenges and best practices for cloud and AI security. Plus, CISA rolled out a roadmap for the CVE Program, while NIST updated its guidelines for secure software patches. And get the latest on TLS/SSL security and AI attack disclosures! Here are five things you need to know for the week…
-
HybridPetya Exploits UEFI Vulnerability to Bypass Secure Boot on Legacy Systems
ESET Research has uncovered a sophisticated new ransomware variant called HybridPetya, discovered on the VirusTotal sample sharing platform. This malware represents a dangerous evolution of the infamous Petya/NotPetya ransomware family, incorporating advanced capabilities to compromise UEFI-based systems and exploit CVE-2024-7344 to bypass UEFI Secure Boot protections on vulnerable systems. Unlike its predecessors, HybridPetya demonstrates significant…
-
CISA looks to partners to shore up the future of the CVE Program
The US Cybersecurity and Infrastructure Security Agency (CISA) has affirmed its continuing support for the Common Vulnerabilities and Exposures (CVE) program. >>If we … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/09/12/cisa-cve-program-future/
-
Microsoft Windows Defender Firewall Vulnerabilities Allow Privilege Escalation
Microsoft has released security advisories for four newly discovered vulnerabilities in its Windows Defender Firewall Service that could enable attackers to elevate privileges on affected Windows systems. The flaws, tracked as CVE-2025-53808, CVE-2025-54104, CVE-2025-54109, and CVE-2025-54915, were all disclosed on September 9, 2025, and share similar characteristics. While exploitation requires local access, successful attacks could…
-
Microsoft Windows Defender Firewall Vulnerabilities Allow Privilege Escalation
Microsoft has released security advisories for four newly discovered vulnerabilities in its Windows Defender Firewall Service that could enable attackers to elevate privileges on affected Windows systems. The flaws, tracked as CVE-2025-53808, CVE-2025-54104, CVE-2025-54109, and CVE-2025-54915, were all disclosed on September 9, 2025, and share similar characteristics. While exploitation requires local access, successful attacks could…
-
New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit
Cybersecurity researchers have discovered a new ransomware strain dubbed HybridPetya that resembles the notorious Petya/NotPetya malware, while also incorporating the ability to bypass the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems using a now-patched vulnerability disclosed earlier this year.Slovakian cybersecurity company ESET said the samples were uploaded First seen on thehackernews.com Jump…
-
Critical CVE-2025-5086 in DELMIA Apriso Actively Exploited, CISA Issues Warning
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.The vulnerability, tracked as CVE-2025-5086, carries a CVSS score of 9.0 out of 10.0. According to First seen…
-
Samsung fixed actively exploited zero-day
Samsung fixed the remote code execution flaw CVE-2025-21043 that was exploited in zero-day attacks against Android devices. Samsung addressed the remote code execution vulnerability, tracked as CVE-2025-21043, that was exploited in zero-day attacks against Android users. The vulnerability is an out-of-bounds Write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1. A remote attacker can exploit…
-
U.S. CISA adds Dassault Systèmes DELMIA Apriso flaw to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Dassault Systèmes DELMIA Apriso flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Dassault Systèmes DELMIA Apriso flaw, tracked as CVE-2025-5086 (CVSS score of 9.0), to its Known Exploited Vulnerabilities (KEV) catalog. Dassault Systèmes DELMIA Apriso is a Manufacturing Operations Management (MOM) software platform…
-
CISA Unveiled a New Vision for the CVE Program. Can It Work?
Updated CVE Roadmap Follows Threats to Funding. The Cybersecurity and Infrastructure Security Agency is unveiling a new vision for its globally-adopted vulnerability tracking system but security analysts warn that funding threats and turmoil inside the federal agency could derail any reforms before they take hold. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/cisa-unveiled-new-vision-for-cve-program-work-a-29424
-
Akira Ransomware exploits year-old SonicWall flaw with multiple vectors
Researchers warn that Akira ransomware group is exploiting a year-old SonicWall firewall flaw, likely using three attack vectors for initial access. The Akira ransomware group is exploiting a year-old SonicWall firewall vulnerability, tracked as CVE-2024-40766 (CVSS score of 9.3), likely using three attack vectors for initial access, according to Rapid7. >>Evidence collected during Rapid7’s investigations…
-
Palo Alto Exposes Passwords in Plain Text
Palo Alto’s CVE-2025-4235 leaks service passwords, demanding urgent patching and resets. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/palo-alto-exposes-passwords-in-plain-text-cve-2025-4235/
-
Palo Alto Exposes Passwords in Plain Text CVE-2025-4235
Palo Alto’s CVE-2025-4235 leaks service passwords, demanding urgent patching and resets. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/palo-alto-exposes-passwords-in-plain-text-cve-2025-4235/
-
CISA Launches Roadmap for the CVE Program
The US cybersecurity agency called for the CVE program to remain publicly maintained and vendor-neutral while emphasizing the need for broader engagement First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/cisa-launches-roadmap-cve-program/
-
Google fixes critical Chrome flaw, researcher earns $43K
Google addressed a critical use-after-free vulnerability in its Chrome browser that could potentially lead to code execution. A researcher earned $43000 from Google for reporting a critical Chrome vulnerability, tracked as CVE-2025-10200, in the Serviceworker component. A use-after-free (UAF) occurs when a program accesses memory after it has been freed. This can cause crashes, data…
-
Akira ransomware affiliates continue breaching organizations via SonicWall firewalls
Over a year after SonicWall patched CVE-2024-40766, a critical flaw in its next-gen firewalls, ransomware attackers are still gaining a foothold in organizations by exploiting … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/09/11/akira-ransomware-sonicwall-firewalls/