Tag: cvss
-
Axios Vulnerability Enables Attackers to Crash Node.js Applications via Data Handle Abuse
A critical security vulnerability has been discovered in the popular Axios HTTP client library that allows attackers to crash Node.js applications through malicious data URL handling. The flaw, tracked as CVE-2025-58754, affects all versions of Axios before 1.11.0 and has been assigned a CVSS 3.1 score of 7.5, indicating high severity. Vulnerability Mechanics The vulnerability stems…
-
SAP Patchday September 2025 – Easily exploitable vulnerability in SAP NetWeaver, CVSS 10.0
First seen on security-insider.de Jump to article: www.security-insider.de/sap-patchday-september-2025-netweaver-updates-a-e69ad257d378b5c5894c836edda50797/
-
SAP Issues Critical Security Patch for NetWeaver and Other Products, Warns of CVE-2025-42944
SAP has released a new security update addressing a broad range of vulnerabilities across its product ecosystem. Among the most alarming is a critical vulnerability identified in SAP NetWeaver, tracked as CVE-2025-42944, which has received the highest possible severity rating of CVSS 10.0. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/sap-patches-cve-2025-42944/
-
Palo Alto Networks User-ID Agent Flaw Leaks Passwords in Cleartext
Tags: credentials, cve, cvss, cyber, data-breach, flaw, leak, network, password, service, vulnerability, windows
A newly disclosed vulnerability in the Palo Alto Networks User-ID Credential Agent on Windows systems allows service account passwords to be exposed in cleartext under certain non-default configurations. Tracked as CVE-2025-4235, the flaw carries a CVSS base score of 4.2 (Medium) and has been assigned a Moderate urgency level. Palo Alto Networks released details and…
-
Critical flaw SessionReaper in Commerce and Magento platforms lets attackers hijack customer accounts
Adobe fixed a critical flaw in its Commerce and Magento Open Source platforms that allows an attacker to take over customer accounts. Adobe addressed a critical vulnerability, tracked as CVE-2025-54236 (aka SessionReaper, CVSS score of 9.1), in its Commerce and Magento Open Source platforms. The vulnerability is an improper input validation flaw. “The bug, dubbed…
-
Microsoft Fixes 80 Flaws, Including SMB PrivEsc and Azure CVSS 10.0 Bugs
Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release. Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day.…
-
Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts
Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts. The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input…
-
Microsoft Patchday September 2025 – HPC Pack with CVSS 9.8 and NTLM with 8.8 as the main attack vectors
First seen on security-insider.de Jump to article: www.security-insider.de/microsoft-patchday-september-2025-windows-updates-a-6a6019204714a5acc7ec85e52d6b014f/
-
Ivanti Endpoint Manager Vulnerabilities Allow Remote Code Execution by Attackers
Tags: advisory, control, cve, cvss, cyber, endpoint, flaw, ivanti, remote-code-execution, vulnerability
Ivanti released a security advisory for Endpoint Manager versions 2024 SU3 and 2022 SU8, detailing two high-severity flaws (CVE-2025-9712 and CVE-2025-9872). Both issues stem from insufficient filename validation and require only minimal user interaction, potentially granting full control over affected systems. Vulnerability Overview The two vulnerabilities share identical characteristics and impact: CVE Number Description CVSS Score…
-
Breaking Down Silos: Why You Need an Ecosystem View of Cloud Risk
Tags: access, attack, business, ciso, cloud, compliance, container, cvss, cyber, data, data-breach, exploit, governance, grc, identity, infrastructure, Internet, least-privilege, metric, network, risk, threat, tool, training, vulnerability
A disjointed approach to cloud security generates more noise than clarity, making it hard for you to prioritize what to fix first. Learn how Tenable dissolves this challenge by integrating cloud security into a unified exposure management platform, giving you the context to pinpoint your organization’s biggest cyber risks. Don’t just manage cloud security, understand…
-
Argo CD Security Flaw Rated 9.8 Leaves GitOps Repositories Exposed
Tags: api, cloud, credentials, cve, cvss, data-breach, flaw, kubernetes, open-source, password, tool, vulnerability
A security flaw in Argo CD, the popular open-source GitOps tool for Kubernetes, has put the DevOps and cloud-native communities on alert. Tracked as CVE-2025-55190, the vulnerability has been rated critical with a CVSS score of 9.8 out of 10, as it allows attackers to retrieve sensitive repository credentials, including usernames and passwords, through a…
-
Critical Argo CD API Flaw Exposes Repository Credentials to Attackers
A major security flaw has been discovered in Argo CD, a popular open-source tool used for Kubernetes GitOps deployments. The vulnerability allows project-level API tokens to expose sensitive repository credentials, such as usernames and passwords, to attackers. The issue has been classified as critical with a CVSS score of 9.8/10 and is tracked as CVE-2025-55190. The…
-
CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation
Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. “Sitecore Experience Manager…
-
Hackers exploit serious vulnerability in SAP S/4HANA
Tags: access, authentication, bug, ciso, cloud, cve, cvss, cyberattack, exploit, flaw, germany, hacker, injection, monitoring, password, reverse-engineering, sans, sap, service, update, vulnerability
An exploit for the vulnerability has already been observed in the wild. Last month SAP released a patch for S/4HANA intended to fix the severe vulnerability CVE-2025-42957, which has a CVSS score of 9.9. The exploit that has now surfaced allows a user with low privileges to gain complete control over an S/4HANA system through code injection in SAP's ABAP programming language…
-
Critical SAP S/4HANA Vulnerability Actively Exploited, Allowing Full System Takeover
A critical security flaw in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited by attackers, according to research from SecurityBridge. The vulnerability, which carries a CVSS score of 9.9 out of 10, allows a low-privileged user to execute code injection and gain full control of an SAP system. Organizations running SAP S/4HANA on-premise or…
-
CVSS score 10.0 – Over 450 phone systems compromised through zero-day flaw
First seen on security-insider.de Jump to article: www.security-insider.de/kritische-sicherheitsluecke-in-freepbx-update-empfohlen-a-286b09e2cdb3ad2f9dd852b4d955592d/
-
CISA Alerts on Critical SunPower Vulnerability Allowing Full Device Takeover
Tags: cisa, control, credentials, cvss, cyber, cybersecurity, infrastructure, network, vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued a high-severity alert (ICSA-25-245-03) regarding a critical vulnerability in SunPower’s PVS6 solar inverter series that allows attackers on adjacent networks to gain complete control of the device. Rated 9.4 out of 10 on the CVSS v4 scale, the vulnerability stems from hard-coded credentials in the Bluetooth…
-
FreePBX: CVE-2025-57819 (CVSS 10.0); 6,620 unpatched phone systems
Phone systems running the FreePBX software are affected by vulnerability CVE-2025-57819, which has a CVSS score of 10.0. Figuratively speaking, the house is on fire, and the systems must be patched immediately. Security researchers at The Shadowserver Foundation have scanned the Internet … First seen on borncity.com Jump to article: www.borncity.com/blog/2025/09/01/freepbx-cve-2025-57819-cvss-10-0-6620-ungepatchte-telefonanlagen/
-
Cisco IMC Virtual Keyboard Vulnerability Allows Attackers to Redirect Users to Malicious Websites
Cisco has released urgent security updates to remediate a high-severity vulnerability in its Integrated Management Controller (IMC) virtual keyboard video monitor (vKVM) module that could allow unauthenticated, remote attackers to hijack sessions and redirect users to malicious websites. The flaw, tracked as CVE-2025-20317, carries a CVSS base score of 7.1 and affects a wide range…
-
Cisco Nexus 3000/9000 Vulnerability Enables DoS Attacks
Cisco has issued a high-severity security advisory warning of a dangerous vulnerability in its Nexus 3000 and 9000 Series switches that could allow attackers to trigger denial of service (DoS) attacks through crafted network packets. The vulnerability, tracked as CVE-2025-20241 and assigned a CVSS score of 7.4, affects the Intermediate System-to-Intermediate System (IS-IS) feature in Cisco NX-OS…
-
Attackers exploiting NetScaler ADC and Gateway zero day flaw, Citrix warns
Tags: access, advisory, attack, authentication, backdoor, citrix, control, country, cve, cvss, cyber, cybersecurity, exploit, flaw, group, infrastructure, mitigation, rce, remote-code-execution, service, update, vulnerability, zero-day
NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or service groups bound with IPv6 servers, and those bound with DBS IPv6 services or…