Tag: cvss
-
Ungepatchte Lücken ermöglichen Übernahme von GitLab-Konten
Tags: access, authentication, best-practice, bug, ceo, ciso, cve, cvss, cyberattack, dos, github, gitlab, incident response, injection, jobs, mfa, password, risk, sans, service, software, update, vulnerabilityExperten warnen vor einem neuen Bug in GitLab.Eine neue Sicherheitslücke in der Ultimate Enterprise Edition von GitLab ist laut einem Experten ‘gefährlich” und muss schnell gepatcht werden.Die Schwachstelle mit der Bezeichnung CVE-2025-5121 ist eine von zehn, die GitLab am Mittwoch bei der Veröffentlichung von Bugfixes und Sicherheits-Updates für selbstverwaltete Installationen beschrieben hat.’Wir empfehlen dringend, alle…
-
PoC Exploit Unveiled for Windows Disk Cleanup Elevation Vulnerability
Microsoft addressed a high-severity elevation of privilege vulnerability (CVE-2025-21420) in its Windows Disk Cleanup Utility (cleanmgr.exe) during February 2025’s Patch Tuesday. The flaw, scoring 7.8 on the CVSS scale, enabled attackers to execute malicious code with SYSTEM privileges through DLL sideloading and a directory traversal technique. Technical Analysis of CVE-2025-21420 The vulnerability stems from cleanmgr.exe’s…
-
Unpatched holes could allow takeover of GitLab accounts
Tags: access, attack, authentication, best-practice, ceo, communications, control, cve, cvss, data, github, gitlab, incident response, malicious, mfa, password, risk, service, vulnerabilityCVE-2025-2254, a cross-site scripting issue, which, under certain conditions, could allow an attacker to act like a legitimate user by injecting a malicious script into the snippet viewer.All GitLab CE/EE versions from 17.9 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2 are impacted;CVE-2025-0673, a vulnerability that can cause a denial of service by triggering…
-
AI is Redefining Cyber Risk Quantification: Here’s What Every CISO Needs to Know
For years, security leaders have been stuck in a reporting loop: patch volumes, CVSS scores, and red-yellow-green dashboards. These are useful”¦ until they hit the boardroom. That’s when things fall apart. “What does a CVSS score of 9.8 mean for our revenue?” “How exposed are we to real-world loss?” “How much should we budget for……
-
AI is Redefining Cyber Risk Quantification: Here’s What Every CISO Needs to Know
For years, security leaders have been stuck in a reporting loop: patch volumes, CVSS scores, and red-yellow-green dashboards. These are useful”¦ until they hit the boardroom. That’s when things fall apart. “What does a CVSS score of 9.8 mean for our revenue?” “How exposed are we to real-world loss?” “How much should we budget for……
-
Neues GenAI-Tool soll Open-Source-Sicherheit erhöhen
Tags: ai, bug, chatgpt, cvss, exploit, github, incident response, linux, LLM, open-source, tool, update, vulnerabilityEin neu entwickeltes GenAI-Tool soll helfen, Schwachstellen in großen Open-Source-Repositories zu erkennen und zu patchen.Niederländische und iranische Sicherheitsforscher haben ein neues Tool auf Basis von generativer KI (GenAI) ins Leben gerufen, das Plattformen wie ChatGPT ermöglichen soll, Bugs in Code-Repositories zu erkennen und zu patchen.Die Anwendung wurde getestet, indem GitHub nach einer bestimmten Schwachstelle durch…
-
Multiple Microsoft Office Vulnerabilities Enable Remote Code Execution by Attackers
Microsoft has disclosed four critical remote code execution (RCE) vulnerabilities in its Office suite as part of the June 2025 Patch Tuesday updates, posing significant risks to organizations and individuals who depend on the widely used productivity software. The vulnerabilities, tracked as CVE-2025-47162, CVE-2025-47953, CVE-2025-47164, and CVE-2025-47167, each received a CVSS v3.1 base score of…
-
SAP NetWeaver Vulnerability Allows Attackers to Escalate Privileges
A critical vulnerability in the SAP NetWeaver Application Server AS ABAP has been disclosed under SAP Security Note #3600840, carrying a near-maximum CVSS score of 9.6. This flaw, rooted in a Missing Authorization Check within the Remote Function Call (RFC) framework, poses a severe risk to system integrity and availability. Authenticated attackers can exploit this…
-
Ivanti Workspace Control Vulnerability Lets Attackers Remotely Exploit To Steal the Credential
Ivanti has released a critical security update for its Workspace Control software, patching three high-severity vulnerabilities that could allow attackers to compromise sensitive credentials. The vulnerabilities, identified as CVE-2025-5353, CVE-2025-22463, and CVE-2025-22455, affect versions of Ivanti Workspace Control prior to 10.19.10.0. CVE Number Description CVSS Score (Severity) CVE-2025-5353 A hardcoded key in Ivanti Workspace Control…
-
Exploitation of Critical Wazuh Server RCE Vulnerability Leads to Mirai Variant Deployment
The Akamai Security Intelligence and Response Team (SIRT) has uncovered active exploitation of a critical remote code execution (RCE) vulnerability in Wazuh servers, identified as CVE-2025-24016 with a CVSS score of 9.9. Disclosed in February 2025, this vulnerability affects Wazuh versions 4.4.0 through 4.9.0 and stems from unsafe deserialization in the Distributed API (DAPI) requests,…
-
Jenkins Gatling Plugin Flaw Allows CSP Bypass, Exposing Systems to Attack
On June 6, 2025, the Jenkins Project issued a security advisory (SECURITY-3588 / CVE-2025-5806) affecting the Gatling Plugin, a widely used tool for displaying performance test reports within the Jenkins automation server. The vulnerability carries a high severity rating, with CVSS base scores ranging from 8.0 to 9.0 across different versions, indicating a significant risk…
-
Critical RCE Vulnerability in AWS Amplify Studio PoC Now Public
In May 2025, AWS disclosed a critical remote code execution (RCE) vulnerability, CVE-2025-4318, in the @aws-amplify/codegen-ui package”, a core dependency for AWS Amplify Studio’s UI code generation pipeline. The flaw, rated 9.5 on the CVSS scale, stemmed from improper input validation in the expression-binding logic that processes user-defined JavaScript expressions within UI component schemas. How…
-
Critical FreeRTOS-Plus-TCP Flaw Allows Code Execution or System Crash
A critical memory corruption vulnerability, tracked as CVE-2025-5688, has been disclosed in FreeRTOS-Plus-TCP, Amazon’s open-source TCP/IP stack widely used in embedded and IoT devices. The flaw, rated 8.4 (High) on the CVSS scale, is rooted in how the stack processes Link-Local Multicast Name Resolution (LLMNR) and Multicast DNS (mDNS) queries containing excessively long DNS names,…
-
Cisco Warns of Credential Vuln on AWS, Azure, Oracle Cloud
The vulnerability, with a 9.9 CVSS score on a 10-point scale, results in different Cisco ISE deployments all sharing the same credentials as long as the software release and cloud platform remain the same. First seen on darkreading.com Jump to article: www.darkreading.com/vulnerabilities-threats/cisco-warns-critical-static-credential-vulnerability
-
Critical Cisco Nexus Dashboard Vulnerability Lets Attackers Impersonate Managed Devices
Cisco has issued a high-severity security advisory (ID: cisco-sa-ndfc-shkv-snQJtjrp) regarding a critical SSH host key validation vulnerability in its Nexus Dashboard Fabric Controller (NDFC), tracked as CVE-2025-20163. The flaw, assigned a CVSS 3.1 base score of 8.7, could allow unauthenticated, remote attackers to impersonate Cisco NDFC-managed devices, posing significant risks to data center infrastructure. The…
-
Cisco Alerts Users to Critical ISE Vulnerability Exposing Sensitive Data
Cisco has issued a critical security advisory (Advisory ID: cisco-sa-ise-aws-static-cred-FPMjUcm7) for its Identity Services Engine (ISE) when deployed on major cloud platforms”, Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The vulnerability, tracked as CVE-2025-20286 and classified under CWE-259 (Use of Hard-coded Password), carries a CVSS v3.1 base score of 9.9, indicating…
-
Critical Cisco ISE Auth Bypass Flaw Impacts Cloud Deployments on AWS, Azure, and OCI
Cisco has released security patches to address a critical security flaw impacting the Identity Services Engine (ISE) that, if successfully exploited, could allow unauthenticated actors to carry out malicious actions on susceptible systems.The security defect, tracked as CVE-2025-20286, carries a CVSS score of 9.9 out of 10.0. It has been described as a static credential…
-
HPE StoreOnce Faces Critical CVE-2025-37093 Vulnerability, Urges Immediate Patch Upgrade
Hewlett Packard Enterprise (HPE) has issued a new security advisory addressing eight newly discovered vulnerabilities in its StoreOnce data backup and deduplication platform. Among these, the most severe is an authentication bypass vulnerability tracked as CVE-2025-37093, which carries a near-maximum CVSS score of 9.8, indicating a critical risk to affected systems. First seen on thecyberexpress.com…
-
Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code
Tags: cve, cvss, cybersecurity, exploit, flaw, malicious, remote-code-execution, software, vulnerabilityCybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code.The vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9 out of 10.0. It has been described as a case…
-
Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code
Tags: cve, cvss, cybersecurity, exploit, flaw, malicious, remote-code-execution, software, vulnerabilityCybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code.The vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9 out of 10.0. It has been described as a case…
-
Cisco Wireless LAN Controllers under threat again after critical exploit details go public
A call for urgent patching: Cisco had patched the max severity flaw, CVSS 10 out of 10, in mid-May rollouts for customers with service contracts and through Cisco TAC for customers without service contracts.Researchers recommended promptly upgrading to the latest version of the affected software, as no other workaround is available. “For security teams, the…
-
New ModSecurity WAF Vulnerability Enables Attackers to Crash Systems
A high-severity denial-of-service (DoS) vulnerability (CVE-2025-48866) has been identified in ModSecurity’s Apache module (mod_security2), threatening web application firewall stability. Rated 7.5/10 on the CVSS scale, this flaw enables attackers to crash servers by exploiting argument sanitization logic, with patches now available in version 2.9.10. Sanitisation Logic Flaw The vulnerability stems from ModSecurity’s sanitiseArg action, designed…
-
Critical Cisco IOS XE Flaw Permits Arbitrary File Upload, PoC Released
A critical security vulnerability, tracked as CVE-2025-20188, has been discovered in Cisco IOS XE Wireless LAN Controllers (WLCs), threatening enterprise wireless infrastructures worldwide. This flaw, scoring a maximum 10.0 on the CVSS scale, allows unauthenticated remote attackers to upload arbitrary files and potentially execute commands as root, granting full control over affected devices. The vulnerability…
-
Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin
Cybersecurity researchers have disclosed a critical unpatched security flaw impacting TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files.TI WooCommerce Wishlist, which has over 100,000 active installations, is a tool to allow e-commerce site customers to save their favorite products for later and share the lists on…
-
Hackers Exploit Craft CMS Vulnerability to Inject Cryptocurrency Miner Malware
Threat actors have exploited a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-32432, in the Craft Content Management System (CMS). Discovered by Orange Cyberdefense in mid-February 2025 and publicly disclosed on April 25, 2025, this flaw carries a maximum CVSS score of 10 due to its unauthenticated nature. Affecting Craft CMS versions from 3.0.0-RC1…
-
GIMP Image Editor Vulnerability Allows Remote Attackers to Execute Arbitrary Code
Two major security vulnerabilities have been found in the widely used GIMP image editing software, potentially allowing remote attackers to execute arbitrary code on affected systems, according to security researchers. The vulnerabilities, labeled CVE-2025-2760 and CVE-2025-2761, each have a high CVSS score of 7.8 and impact users who open malicious image files or visit compromised…
-
D-Link Routers Exposed by Hard-Coded Telnet Credential
A recently disclosed vulnerability (CVE-2025-46176) exposes critical security flaws in D-Link’s DIR-605L and DIR-816L routers, revealing hardcoded Telnet credentials that enable remote command execution. The vulnerability affects firmware versions 2.13B01 (DIR-605L) and 2.06B01 (DIR-816L), scoring 6.5 on the CVSS v3.1 scale with medium severity. Security researchers identified improper command neutralization (CWE-77) as the root cause,…