Tag: cvss
-
CVSS-Score 10.0 – Goanywhere-Schwachstelle entpuppt sich als Zero Day
First seen on security-insider.de Jump to article: www.security-insider.de/cyberangriffe-goanywhere-zero-day-schwachstelle-a-11f6cfd74454f5ebf50fb1350896889a/
-
SUSE Rancher Flaws Allow Attackers to Lock Out Admin Accounts
A critical security vulnerability in SUSE Rancher Manager has been discovered that enables attackers with elevated privileges to lock out administrative accounts, potentially disrupting entire Kubernetes cluster management operations. The flaw, tracked asCVE-2024-58260, carries a high severity rating with a CVSS score of 7.1. Vulnerability Overview The security issue stems from missing server-side validation on the username…
-
Attackers exploited critical Fortra GoAnywhere flaw in zero-day attacks (CVE-2025-10035)
CVE-2025-10035, a perfect CVSS 10.0 vulnerability in the Fortra GoAnywhere managed file transfer solution, has apparently been exploited in zero-day attacks before the patch … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/09/26/fortra-goanywhere-zero-day-cve-2025-10035/
-
Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure
Cybersecurity company watchTowr Labs has disclosed that it has “credible evidence” of active exploitation of the recently disclosed security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software as early as September 10, 2025, a whole week before it was publicly disclosed.”This is not ‘just’ a CVSS 10.0 flaw in a solution long favored by…
-
Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure
Cybersecurity company watchTowr Labs has disclosed that it has “credible evidence” of active exploitation of the recently disclosed security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software as early as September 10, 2025, a whole week before it was publicly disclosed.”This is not ‘just’ a CVSS 10.0 flaw in a solution long favored by…
-
Critical Cisco Flaw Lets Remote Attackers Execute Code on Firewalls and Routers
Cisco published Security Advisory cisco-sa-http-code-exec-WmfP3h3O revealing a severe flaw in multiple Cisco platforms that handle HTTP-based management. Tracked as CVE-2025-20363, this vulnerability stems from improper validation of user-supplied input in HTTP requests. CVE Affected Products Impact CVSS 3.1 Score CVE-2025-20363 Secure Firewall ASA & FTD with SSL VPN or MUS enabled; IOS/IOS XE with Remote…
-
Critical Cisco Flaw Lets Remote Attackers Execute Code on Firewalls and Routers
Cisco published Security Advisory cisco-sa-http-code-exec-WmfP3h3O revealing a severe flaw in multiple Cisco platforms that handle HTTP-based management. Tracked as CVE-2025-20363, this vulnerability stems from improper validation of user-supplied input in HTTP requests. CVE Affected Products Impact CVSS 3.1 Score CVE-2025-20363 Secure Firewall ASA & FTD with SSL VPN or MUS enabled; IOS/IOS XE with Remote…
-
Salesforce AI Agent Vulnerability Lets Attackers Steal Sensitive Data
Cybersecurity researchers at Noma Labs have discovered a critical vulnerability in Salesforce’s Agentforce AI platform that could allow attackers to steal sensitive customer data through sophisticated prompt injection techniques. The vulnerability, dubbed >>ForcedLeak,
-
Critical CVSS 10 Flaw in GoAnywhere File Transfer Threatens 20,000 Systems
Urgent warning for Fortra GoAnywhere MFT users. A CVSS 10.0 deserialization vulnerability (CVE-2025-10035) in the License Servlet allows command injection. Patch to v7.8.4 immediately to prevent system takeover. First seen on hackread.com Jump to article: hackread.com/critical-cvss-10-flaw-goanywhere-file-transfer/
-
Critical DNN Platform Vulnerability Let Attackers Execute Malicious Scripts
A severe Stored Cross-Site Scripting (XSS) vulnerability in the Prompt module of the DNN Platform enables low-privilege attackers to inject and execute arbitrary scripts in the context of privileged users. Published as GHSA-2qxc-mf4x-wr29 by Daniel Valadas yesterday, this vulnerability affects all versions of the DotNetNuke.Core package prior to 10.1.0 and carries a CVSS v3.1 base…
-
State-Sponsored Hackers Exploiting Libraesva Email Security Gateway Vulnerability
Libraesva has released a security update to address a vulnerability in its Email Security Gateway (ESG) solution that it said has been exploited by state-sponsored threat actors.The vulnerability, tracked as CVE-2025-59689, carries a CVSS score of 6.1, indicating medium severity.”Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious…
-
Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants
A critical token validation failure in Microsoft Entra ID (previously Azure Active Directory) could have allowed attackers to impersonate any user, including Global Administrators, across any tenant.The vulnerability, tracked as CVE-2025-55241, has been assigned the maximum CVSS score of 10.0. It has been described by Microsoft as a privilege escalation flaw in Azure Entra. There…
-
Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability
Fortra has disclosed details of a critical security flaw in GoAnywhere Managed File Transfer (MFT) software that could result in the execution of arbitrary commands.The vulnerability, tracked as CVE-2025-10035, carries a CVSS score of 10.0, indicating maximum severity.”A deserialization vulnerability in the License Servlet of Fortra’s GoAnywhere MFT allows an actor with a validly forged…
-
HubSpot’s Jinjava Engine Flaw Exposes Thousands of Sites to RCE Attacks
A critical security vulnerability has been discovered in HubSpot’s Jinjava template engine, potentially exposing thousands of websites and applications to remote code execution attacks. The flaw, tracked as CVE-2025-59340, carries the maximum CVSS score of 10.0, indicating the severity of the security risk. Sandbox Bypass Enables Dangerous Exploits The vulnerability stems from a sandbox bypass mechanism…
-
WatchGuard Patches Critical Firebox Firewall Flaw (CVE-2025-9242) With 9.3 CVSS Score
WatchGuard has issued security updates addressing a vulnerability, tracked as CVE-2025-9242, affecting its Firebox firewall devices. This flaw involves an out-of-bounds write weakness within the Fireware OS, potentially allowing remote attackers to execute arbitrary code on vulnerable devices configured with IKEv2 VPN. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/cve-2025-9242-vulnerability/
-
Nokia CBIS/NCS Manager API Vulnerability Allows Attackers to Bypass Authentication
On September 18, 2025, Orange Cert publicly disclosed a critical authentication bypass vulnerability affecting Nokia’s CBIS (CloudBand Infrastructure Software) and NCS (Nokia Container Service) Manager API (CVE-2023-49564). With a CVSS 3.1 score of 9.6 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), the vulnerability poses a severe risk to organizations relying on these management platforms to orchestrate and secure their containerized network…
-
How Top CISOs Approach Exposure Management in the Context of Managing Cyber Risk
Tags: ai, attack, best-practice, business, ciso, control, cvss, cyber, cybersecurity, data, framework, group, intelligence, leak, metric, monitoring, risk, software, strategy, threat, update, vulnerability, vulnerability-managementWondering what your peers think of exposure management? New reports from the Exposure Management Leadership Council, a CISO working group sponsored by Tenable, offer insights. Key takeaways The CISOs who make up the Exposure Management Leadership Council see exposure management as a strategic and game-changing approach to unified proactive security. They believe exposure management can…
-
How Tenable Found a Way To Bypass a Patch for BentoML’s Server-Side Request Forgery Vulnerability CVE-2025-54381
Tenable Research recently discovered that the original patch for a critical vulnerability affecting BentoML could be bypassed. In this blog, we explain in detail how we discovered this patch bypass in this widely used open source tool. The vulnerability is now fully patched. Key takeaways Tenable Research discovered that the initial patch for a high-severity…
-
Chaos Mesh Critical Vulnerabilities Expose Kubernetes Clusters to Takeover
Security Research recently uncovered four new flaws, CVE-2025-59358, CVE-2025-59359, CVE-2025-59360, and CVE-2025-59361, in the default configuration of the Chaos Controller Manager GraphQL server, a popular open-source chaos engineering platform for Kubernetes. Three of these flaws carry a maximum CVSS 3.1 score of 9.8, enabling any pod in the cluster to run arbitrary commands or inject…
-
Gefährliche Schwachstellen in Kubernetes-Testing-Plattform Chaos-Mesh
Das JFrog-Security-Research-Team hat mehrere kritische Schwachstellen in Chaos-Mesh, einer weit verbreiteten Testing-Plattform in Kubernetes-Umgebungen, entdeckt und offengelegt. Die Sicherheitslücken wurden unter dem Namen ‘Chaotic Deputy” (CVE-2025-59358, CVE-2025-59359, CVE-2025-59360 und CVE-2025-59361) zusammengefasst, wobei die letzten drei jeweils eine CVSS-Bewertung von 9.8 aufweisen. Sie ermöglichen es Angreifern mit Zugriff innerhalb des Clusters, vollständige Kontrolle über die Umgebung…
-
Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds
A team of academics from ETH Zürich and Google has discovered a new variant of a RowHammer attack targeting Double Data Rate 5 (DDR5) memory chips from South Korean semiconductor vendor SK Hynix.The RowHammer attack variant, codenamed Phoenix (CVE-2025-6202, CVSS score: 7.1), is capable of bypassing sophisticated protection mechanisms put in place to resist the…
-
FlowiseAI Password Reset Token Vulnerability Enables Account Takeover
Acritical vulnerabilityin FlowiseAI has been discovered that allows attackers to take over user accounts with minimal effort. The flaw, tracked as CVE-2025-58434, affects both cloud-hosted and self-hosted FlowiseAI deployments, posing significant risks to organizations using this AI workflow automation platform. CVE Number Affected Product Vulnerability Type CVSS 3.1 Score CVE-2025-58434 FlowiseAI (npm package flowise) Unauthenticated Password…
-
Linux CUPS Flaw Allows Remote Denial of Service and Authentication Bypass
Two critical security vulnerabilities have been discovered in the Common Unix Printing System (CUPS), a widely used printing subsystem for Unix-like operating systems. The flaws, designated as CVE-2025-58364 and CVE-2025-58060, expose Linux systems to remote denial-of-service attacks and authentication bypass, potentially affecting millions of Linux machines worldwide. CVE Severity CVSS Score Impact Affected Versions CVE-2025-58364…
-
Critical CVE-2025-5086 in DELMIA Apriso Actively Exploited, CISA Issues Warning
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.The vulnerability, tracked as CVE-2025-5086, carries a CVSS score of 9.0 out of 10.0. According to First seen…
-
Axios Vulnerability Enables Attackers to Crash Node.js Applications via Data Handle Abuse
A critical security vulnerability has been discovered in the popular Axios HTTP client library that allows attackers to crash Node.js applications through malicious data URL handling. The flaw, tracked as CVE-2025-58754, affects all versions of Axios before 1.11.0 and has been assigned a CVSS 3.1 score of 7.5, indicating high severity. Vulnerability Mechanics The vulnerability stems…
-
SAP Patchday September 2025 – Einfach ausnutzbare Schwachstelle in SAP Netweaver CVSS 10.0
First seen on security-insider.de Jump to article: www.security-insider.de/sap-patchday-september-2025-netweaver-updates-a-e69ad257d378b5c5894c836edda50797/
-
SAP Issues Critical Security Patch for NetWeaver and Other Products, Warns of CVE-2025-42944
SAP has released a new security update addressing a broad range of vulnerabilities across its product ecosystem. Among the most alarming is a critical vulnerability identified in SAP NetWeaver, tracked as CVE-2025-42944, which has received the highest possible severity rating of CVSS 10.0. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/sap-patches-cve-2025-42944/
-
Palo Alto Networks User-ID Agent Flaw Leaks Passwords in Cleartext
Tags: credentials, cve, cvss, cyber, data-breach, flaw, leak, network, password, service, vulnerability, windowsA newly disclosed vulnerability in the Palo Alto Networks User-ID Credential Agent on Windows systems allows service account passwords to be exposed in cleartext under certain non-default configurations. Tracked as CVE-2025-4235, the flaw carries a CVSS base score of 4.2 (Medium) and has been assigned a Moderate urgency level. Palo Alto Networks released details and…
-
Critical flaw SessionReaper in Commerce and Magento platforms lets attackers hijack customer accounts
Adobe fixed a critical flaw in its Commerce and Magento Open Source platforms that allows an attacker to take over customer accounts. Adobe addressed a critical vulnerability, tracked as CVE-2025-54236 (aka SessionReaper, CVSS score of 9.1) in its Commerce and Magento Open Source platforms. The vulnerability is an improper input validation flaw. >>The bug, dubbed…