Tag: cvss
-
Gefährliche Lücke in Brother Druckern
Tags: access, authentication, bug, ceo, cve, cvss, cybersecurity, data-breach, firmware, jobs, network, service, update, vulnerability, wifiEine Schwachstelle in Brother Druckern zur Umgehung der Authentifizierung kann mit einer anderen Lücke gekoppelt werden, um Remotecode auf den betroffenen Geräten auszuführen.Brother Industries hat mit einer kritischen Sicherheitslücke zu kämpfen, die Hunderte verschiedener Druckermodelle betrifft. Diese Schwachstelle ermöglicht in Verbindung mit einer weiteren Lücke die Ausführung von nicht authentifiziertem Remote-Code (RCE) auf den Geräten.Das…
-
Some Brother printers have a remote code execution vulnerability, and they can’t fix it
The centerpiece of Rapid7’s disclosure is CVE-2024-51978, a vulnerability rated critical (CVSS 9.8 out of 10) that enables attackers to derive the default administrator password from the device’s serial number.While another of the discovered flaws, a medium severity information disclosure vulnerability (CVE-2024-51977), potentially allows an attacker to leak the prerequisite unique serial number via the…
-
Hunt Electronic DVR Vulnerability Leaves Admin Credentials Unprotected
A newly disclosed critical vulnerability in Hunt Electronics’ hybrid DVRs has left thousands of surveillance systems dangerously exposed, with administrator credentials accessible in plaintext to anyone on the internet. Security researchers have assigned this flaw the identifier CVE-2025-6561, and it carries a maximum CVSS severity score of 9.8, underscoring the urgent need for immediate action…
-
Mitsubishi Electric AC Flaw Lets Hackers Remotely Control Systems
A critical security vulnerability has been discovered in multiple Mitsubishi Electric air conditioning systems, potentially allowing hackers to bypass authentication and remotely control affected units. The flaw, identified as CVE-2025-3699, was disclosed by Mitsubishi Electric on June 26, 2025, and has been assigned a maximum CVSS base score of 9.8, indicating its severity. Authentication Bypass…
-
IBM WebSphere Application Server Flaw Enables Arbitrary Code Execution
A severe security flaw has been identified in IBM WebSphere Application Server, potentially allowing remote attackers to execute arbitrary code on affected systems. Tracked under CVE-2025-36038, this vulnerability stems from a deserialization of untrusted data issue, classified under CWE-502. IBM has assigned a critical CVSS Base Score of 9 to this flaw, with a vector…
-
Critical RCE Flaws in Cisco ISE and ISE-PIC Allow Unauthenticated Attackers to Gain Root Access
Cisco has released updates to address two maximum-severity security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could permit an unauthenticated attacker to execute arbitrary commands as the root user.The vulnerabilities, assigned the CVE identifiers CVE-2025-20281 and CVE-2025-20282, carry a CVSS score of 10.0 each. A description of the defects…
-
SAP-Schwachstellen gefährden Windows-Nutzerdaten
Tags: access, compliance, cve, cvss, cyberattack, encryption, fortinet, GDPR, PCI, phishing, risk, sap, spear-phishing, update, vulnerability, windowsSchwachstellen in SAP GUI geben sensible Daten durch schwache oder fehlende Verschlüsselung preis.Die Forscher Jonathan Stross von Pathlock, und Julian Petersohn von Fortinet warnen vor zwei neuen Sicherheitslücken in einer Funktion von SAP GUI, die für die Speicherung der Benutzereingaben in den Windows- (CVE-2025-0055) und Java-Versionen (CVE-2025-0056) zuständig ist .Dadurch werden sensible Informationen wie Benutzernamen,…
-
Cisco ISE Vulnerability Allows Remote Attackers to Execute Malicious Commands
Cisco has issued urgent security patches addressing two critical vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) platforms. These flaws, which both carry the highest possible CVSS severity score of 10.0, could allow unauthenticated remote attackers to execute malicious commands as the root user, effectively taking complete control of affected…
-
CitrixBleed 2: The nightmare that echoes the ‘CitrixBleed’ flaw in Citrix NetScaler devices
New Citrix flaw ‘CitrixBleed 2’ lets attackers steal session cookies without logging in, echoing a previously exploited vulnerability. A new flaw in Citrix NetScaler ADC and Gateway, dubbed ‘CitrixBleed 2’ (CVE-2025-5777, CVSS v4.0 Base Score of 9.3), can allow unauthenticated attackers to steal session cookies, similar to a past critical exploit. The vulnerability is an…
-
Millions of Brother Printers Hit by Critical, Unpatchable Bug
A slew of vulnerabilities, including a critical CVSS 9.8 that enables an attacker to generate the default admin password, affect hundreds of printer, scanner, and label-maker models made by manufacturer Brother. First seen on darkreading.com Jump to article: www.darkreading.com/endpoint-security/millions-brother-printers-critical-unpatchable-bug
-
Citrix Releases Emergency Patches for Actively Exploited CVE-2025-6543 in NetScaler ADC
Citrix has released security updates to address a critical flaw affecting NetScaler ADC that it said has been exploited in the wild.The vulnerability, tracked as CVE-2025-6543, carries a CVSS score of 9.2 out of a maximum of 10.0.It has been described as a case of memory overflow that could result in unintended control flow and…
-
Critical Kibana Flaws Enable Heap Corruption and Remote Code Execution
A critical security flaw has been uncovered in Kibana, the popular data visualization platform for the Elastic Stack, exposing organizations to severe risks of heap corruption and potential remote code execution. The vulnerability, tracked as CVE-2025-2135, carries a CVSS v3.1 score of 9.9, marking it as a critical threat that requires immediate attention from both…
-
Critical Convoy Flaw Allows Remote Code Execution on Servers
A critical vulnerability (CVE-2025-52562) in Performave Convoy”, a KVM server management panel widely used by hosting providers”, enables unauthenticated attackers to execute arbitrary code on affected systems. Rated the maximum CVSS score of 10.0, this flaw exposes servers to complete compromise without requiring authentication. Vulnerability Summary According to the Github report, the flaw resides in…
-
WinRAR Vulnerability Exploited with Malicious Archives to Execute Code
Tags: cve, cvss, cyber, exploit, flaw, malicious, remote-code-execution, risk, vulnerability, windowsA newly disclosed vulnerability in RARLAB’s WinRAR, the widely used file compression utility for Windows, has put millions of users at risk of remote code execution (RCE) attacks. Tracked as CVE-2025-6218 and assigned a CVSS score of 7.8 (High), this flaw allows attackers to execute arbitrary code simply by convincing a victim to open a…
-
China-linked Salt Typhoon Exploits Critical Cisco Vulnerability to Target Canadian Telecom
The Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation (FBI) have issued an advisory warning of cyber attacks mounted by the China-linked Salt Typhoon actors to breach major global telecommunications providers as part of a cyber espionage campaign.The attackers exploited a critical Cisco IOS XE software (CVE-2023-20198, CVSS score: 10.0) to…
-
Stop Blaming CVSS: The Real Problem in Vulnerability Management is Us
CVSS is not the enemy, so the sooner we stop blaming the tool and start fixing the system around it, the better off we’ll all be. First seen on securityboulevard.com Jump to article: securityboulevard.com/2025/06/stop-blaming-cvss-the-real-problem-in-vulnerability-management-is-us/
-
Versa Director Flaws Let Attackers Execute Arbitrary Commands
A newly disclosed set of vulnerabilities in Versa Networks’ SD-WAN orchestration platform, Versa Director, with the flaws enabling authenticated attackers to upload malicious files and execute arbitrary commands on affected systems. The vulnerabilities, tracked as CVE-2025-23171 and CVE-2025-23172, stem from insecure file upload and webhook functionalities, both carrying a CVSS score of 7.2, indicating high…
-
Over 100,000 WordPress Sites Exposed to Privilege Escalation via MCP AI Engine
The Wordfence Threat Intelligence team identified a severe security flaw in the AI Engine plugin, a widely used tool installed on over 100,000 WordPress websites. This vulnerability, classified as an Insufficient Authorization to Privilege Escalation via Model Context Protocol (MCP), has a CVSS score of 8.8 (High) and has been assigned the identifier CVE-2025-5071. Affecting…
-
Veeam Patches CVE-2025-23121: Critical RCE Bug Rated 9.9 CVSS in Backup & Replication
Veeam has rolled out patches to contain a critical security flaw impacting its Backup & Replication software that could result in remote code execution under certain conditions.The security defect, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of a maximum of 10.0.”A vulnerability allowing remote code execution (RCE) on the Backup Server by…
-
Citrix NetScaler ADC Gateway Flaws Expose Sensitive Data to Hackers
Two critical vulnerabilities have been discovered in Citrix NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway), potentially exposing sensitive data to hackers and putting enterprise networks at significant risk. The flaws, identified as CVE-2025-5349 and CVE-2025-5777, have been rated with high severity, carrying CVSS base scores of 8.7 and 9.3, respectively. Summary…
-
Citrix NetScaler ADC Gateway Flaws Expose Sensitive Data to Hackers
Two critical vulnerabilities have been discovered in Citrix NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway), potentially exposing sensitive data to hackers and putting enterprise networks at significant risk. The flaws, identified as CVE-2025-5349 and CVE-2025-5777, have been rated with high severity, carrying CVSS base scores of 8.7 and 9.3, respectively. Summary…
-
LangSmith Bug Could Expose OpenAI Keys and User Data via Malicious Agents
Cybersecurity researchers have disclosed a now-patched security flaw in LangChain’s LangSmith platform that could be exploited to capture sensitive data, including API keys and user prompts.The vulnerability, which carries a CVSS score of 8.8 out of a maximum of 10.0, has been codenamed AgentSmith by Noma Security.LangSmith is an observability and evaluation platform that allows…
-
Hackers Weaponize Langflow Vulnerability to Launch Flodrix Botnet
Tags: ai, botnet, cve, cvss, cyber, cybercrime, exploit, flaw, framework, hacker, remote-code-execution, vulnerabilityA critical security flaw in Langflow, a widely adopted Python-based AI prototyping framework, is being actively exploited by cybercriminals to deploy the rapidly evolving Flodrix botnet. Security researchers have confirmed that attackers are exploiting CVE-2025-3248, a remote code execution (RCE) vulnerability rated 9.8 on the CVSS scale, to compromise unpatched Langflow servers and enlist them…
-
Copilot AI Bug Could Leak Sensitive Data via Email Prompts
Microsoft Patched Flaw Allowing Attackers to Hijack Copilot Responses. A well-phrased email was all an attacker would have needed to trick Microsoft Copilot into handing over sensitive data until the operating system giant patched the vulnerability. The zero-click prompt injection attack vulnerability received a CVSS severity score of 9.3. First seen on govinfosecurity.com Jump to…
-
‘Dangerous’ vulnerability in GitLab Ultimate Enterprise Edition
Tags: access, ai, attack, authentication, best-practice, ceo, communications, control, cve, cvss, data, flaw, github, gitlab, incident response, injection, malicious, mfa, password, risk, service, vulnerabilityCVE-2025-2254, a cross-site scripting issue, which, under certain conditions, could allow an attacker to act like a legitimate user by injecting a malicious script into the snippet viewer.All GitLab CE/EE versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2 are impacted;CVE-2025-0673, a vulnerability that can cause a denial of service by triggering…
-
Microsoft Defender Spoofing Flaw Enables Privilege Escalation and AD Access
A newly disclosed spoofing vulnerability (CVE-2025-26685) in Microsoft Defender for Identity (MDI) enables unauthenticated attackers to capture Net-NTLM hashes of critical Directory Service Accounts (DSAs), potentially compromising Active Directory environments. Rated 6.5 (Medium) on the CVSS v3.1 scale, this flaw exploits MDI’s Lateral Movement Paths (LMPs) feature and has been actively addressed in Microsoft’s May…
-
Acer Control Center Flaw Lets Attackers Run Malicious Code as Elevated User
A critical security flaw (CVE-2025-5491) in Acer ControlCenter allows remote attackers to execute arbitrary code with NT AUTHORITY\SYSTEM privileges via a misconfigured Windows Named Pipe. The vulnerability, rated 8.8 on the CVSS scale, stems from insecure permissions on a custom protocol pipe exposed by the ACCSvc.exe service. Acer has released patched versions (4.00.3058+) to address…
-
HashiCorp Nomad ACL Lookup Flaw Allows Privilege Escalation
HashiCorp disclosed a critical security flaw (CVE-2025-4922) in its Nomad workload orchestration tool on June 11, 2025, exposing clusters to privilege escalation risks through improper ACL policy enforcement. The vulnerability, rated 8.1 CVSS, enables attackers to bypass namespace restrictions via strategic job naming conventions. Technical Analysis Nomad’s Access Control List (ACL) system uses prefix-based matching…
-
Ungepatchte Lücken ermöglichen Übernahme von GitLab-Konten
Tags: access, authentication, best-practice, bug, ceo, ciso, cve, cvss, cyberattack, dos, github, gitlab, incident response, injection, jobs, mfa, password, risk, sans, service, software, update, vulnerabilityExperten warnen vor einem neuen Bug in GitLab.Eine neue Sicherheitslücke in der Ultimate Enterprise Edition von GitLab ist laut einem Experten ‘gefährlich” und muss schnell gepatcht werden.Die Schwachstelle mit der Bezeichnung CVE-2025-5121 ist eine von zehn, die GitLab am Mittwoch bei der Veröffentlichung von Bugfixes und Sicherheits-Updates für selbstverwaltete Installationen beschrieben hat.’Wir empfehlen dringend, alle…