Tag: cvss
-
Microsoft Fixes 80 Flaws, Including SMB PrivEsc and Azure CVSS 10.0 Bugs
Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release. Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day.…
-
Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts
Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts. The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input…
-
Microsoft Patch Day September 2025 – HPC Pack with CVSS 9.8 and NTLM with 8.8 as the main attack vectors
First seen on security-insider.de Jump to article: www.security-insider.de/microsoft-patchday-september-2025-windows-updates-a-6a6019204714a5acc7ec85e52d6b014f/
-
Ivanti Endpoint Manager Vulnerabilities Allow Remote Code Execution by Attackers
Tags: advisory, control, cve, cvss, cyber, endpoint, flaw, ivanti, remote-code-execution, vulnerability
Ivanti released Security Advisory for Endpoint Manager versions 2024 SU3 and 2022 SU8, detailing two high-severity flaws (CVE-2025-9712 and CVE-2025-9872). Both issues stem from insufficient filename validation and require only minimal user interaction, potentially granting full control over affected systems. Vulnerability Overview The two vulnerabilities share identical characteristics and impact: CVE Number Description CVSS Score…
-
Breaking Down Silos: Why You Need an Ecosystem View of Cloud Risk
Tags: access, attack, business, ciso, cloud, compliance, container, cvss, cyber, data, data-breach, exploit, governance, grc, identity, infrastructure, Internet, least-privilege, metric, network, risk, threat, tool, training, vulnerability
A disjointed approach to cloud security generates more noise than clarity, making it hard for you to prioritize what to fix first. Learn how Tenable dissolves this challenge by integrating cloud security into a unified exposure management platform, giving you the context to pinpoint your organization’s biggest cyber risks. Don’t just manage cloud security, understand…
-
Argo CD Security Flaw Rated 9.8 Leaves GitOps Repositories Exposed
Tags: api, cloud, credentials, cve, cvss, data-breach, flaw, kubernetes, open-source, password, tool, vulnerability
A security flaw in Argo CD, the popular open-source GitOps tool for Kubernetes, has been targeted at the DevOps and cloud-native communities. Tracked as CVE-2025-55190, the vulnerability has been rated critical with a CVSS score of 9.8 out of 10, as it allows attackers to retrieve sensitive repository credentials, including usernames and passwords, through a…
-
Critical Argo CD API Flaw Exposes Repository Credentials to Attackers
A major security flaw has been discovered in Argo CD, a popular open-source tool used for Kubernetes GitOps deployments. The vulnerability allows project-level API tokens to expose sensitive repository credentials, such as usernames and passwords, to attackers. The issue has been classified as critical with a CVSS score of 9.8/10 and is tracked as CVE-2025-55190. The…
-
CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation
Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. "Sitecore Experience Manager…
-
Hackers Exploit Serious Vulnerability in SAP S/4HANA
Tags: access, authentication, bug, ciso, cloud, cve, cvss, cyberattack, exploit, flaw, germany, hacker, injection, monitoring, password, reverse-engineering, sans, sap, service, update, vulnerability
An exploit for the vulnerability has already been observed in the wild. Last month, SAP released a patch for S/4HANA that is intended to fix the massive vulnerability CVE-2025-42957, which has a CVSS score of 9.9. The exploit that has now surfaced uses code injection in the SAP programming language ABAP to give a user with low privileges full control of an S/4HANA system…
-
Critical SAP S/4HANA Vulnerability Actively Exploited, Allowing Full System Takeover
A critical security flaw in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited by attackers, according to research from SecurityBridge. The vulnerability, which carries a CVSS score of 9.9 out of 10, allows a low-privileged user to execute code injection and gain full control of an SAP system. Organizations running SAP S/4HANA on-premise or…
-
CVSS Score 10.0 – More Than 450 Phone Systems Compromised Through Zero-Day Vulnerability
First seen on security-insider.de Jump to article: www.security-insider.de/kritische-sicherheitsluecke-in-freepbx-update-empfohlen-a-286b09e2cdb3ad2f9dd852b4d955592d/
-
CISA Alerts on Critical SunPower Vulnerability Allowing Full Device Takeover
Tags: cisa, control, credentials, cvss, cyber, cybersecurity, infrastructure, network, vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued a high-severity alert (ICSA-25-245-03) regarding a critical vulnerability in SunPower’s PVS6 solar inverter series that allows attackers on adjacent networks to gain complete control of the device. Rated 9.4 out of 10 on the CVSS v4 scale, the vulnerability stems from hard-coded credentials in the Bluetooth…
-
FreePBX: CVE-2025-57819 (CVSS 10.0); 6620 Unpatched Phone Systems
Phone systems running the FreePBX software are affected by the vulnerability CVE-2025-57819, which has a CVSS score of 10.0. Figuratively speaking, the house is on fire, and the systems need to be patched immediately. The security researchers at The Shadowserver Foundation have scanned the Internet … First seen on borncity.com Jump to article: www.borncity.com/blog/2025/09/01/freepbx-cve-2025-57819-cvss-10-0-6620-ungepatchte-telefonanlagen/
-
Cisco IMC Virtual Keyboard Vulnerability Allows Attackers to Redirect Users to Malicious Websites
Cisco has released urgent security updates to remediate a high-severity vulnerability in its Integrated Management Controller (IMC) virtual keyboard video monitor (vKVM) module that could allow unauthenticated, remote attackers to hijack sessions and redirect users to malicious websites. The flaw, tracked as CVE-2025-20317, carries a CVSS base score of 7.1 and affects a wide range…
-
Cisco Nexus 3000 9000 Vulnerability Enables DoS Attacks
Cisco has issued a high-severity security advisory warning of a dangerous vulnerability in its Nexus 3000 and 9000 Series switches that could allow attackers to trigger denial of service (DoS) attacks through crafted network packets. The vulnerability, tracked as CVE-2025-20241 and assigned a CVSS score of 7.4, affects the Intermediate System-to-Intermediate System (IS-IS) feature in Cisco NX-OS…
-
Attackers exploiting NetScaler ADC and Gateway zero day flaw, Citrix warns
Tags: access, advisory, attack, authentication, backdoor, citrix, control, country, cve, cvss, cyber, cybersecurity, exploit, flaw, group, infrastructure, mitigation, rce, remote-code-execution, service, update, vulnerability, zero-day
NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or service groups bound with IPv6 servers, and those bound with DBS IPv6 services or…
-
Risk-Based Vulnerability Management Protects Critical Business Processes: "The CVSS Score Is Only the Beginning"
Security leaders face a rapidly growing number of potentially dangerous vulnerabilities and are finding it increasingly difficult to prioritize this flood on a sound basis. With risk-based vulnerability management, companies set the course for cybersecurity that is aligned with their business processes, and in doing so sustainably reduce their risks of outages and losses. First seen on ap-verlag.de Jump to article: ap-verlag.de/risikobasiertes-schwachstellen-management-schuetzt-kritische-geschaeftsprozesse-der-cvss-score-ist-nur-der-anfang/98405/
-
Citrix NetScaler Devices Yet Again Under Attack
Citrix Publishes Patches After Attackers Exploit Memory Overflow Vulnerability. NetScaler customers of virtualization giant Citrix once again should patch immediately to stymie the hackers exploiting a zero-day. Citrix warned Tuesday that hackers are using a memory overflow vulnerability now tracked as CVE-2025-7775. The vulnerability carries a CVSS score of 9.2. First seen on govinfosecurity.com Jump…
-
PhpSpreadsheet Library Vulnerability Lets Attackers Inject Malicious HTML Input
A critical Server-Side Request Forgery (SSRF) vulnerability has been discovered in the popular PhpSpreadsheet library, allowing attackers to inject malicious HTML input when processing spreadsheet documents. The vulnerability, assigned CVE-2025-54370, affects multiple versions of the phpoffice/phpspreadsheet package and carries a high severity rating with CVSS v3.1 score of 7.5 and CVSS v4.0 score of 8.7. Vulnerability Details The security flaw was discovered by Aleksey…
-
Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3
Docker has released fixes to address a critical security flaw affecting the Docker Desktop app for Windows and macOS that could potentially allow an attacker to break out of the confines of a container. The vulnerability, tracked as CVE-2025-9074, carries a CVSS score of 9.3 out of 10.0. It has been addressed in version 4.44.3. "A malicious…
-
How Exposure Management Has Helped Tenable Reduce Risk and Align with the Business
Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In the second of a two-part blog series, Tenable CSO Robert Huber shares how exposure management has helped him reduce risk and better align with the business. You can read the entire Exposure…

