Tag: flaw
-
Critical AdonisJS Bodyparser Flaw (CVSS 9.2) Enables Arbitrary File Write on Servers
Users of the “@adonisjs/bodyparser” npm package are being advised to update to the latest version following the disclosure of a critical security vulnerability that, if successfully exploited, could allow a remote attacker to write arbitrary files on the server. Tracked as CVE-2026-21440 (CVSS score: 9.2), the flaw has been described as a path traversal issue affecting…
-
Critical SmarterMail Bug Enables Unauthenticated File Uploads
A critical SmarterMail flaw allows unauthenticated file uploads, putting thousands of mail servers at risk of remote code execution. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/critical-smartermail-bug-enables-unauthenticated-file-uploads/
-
Thousands of firewalls at risk as legacy flaw in Fortinet faces renewed threat
The company in December warned of recent attacks targeting a 2020 vulnerability. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/thousands-of-firewalls-at-risk-as-legacy-flaw-in-fortinet-under-renewed-thr/808739/
-
Multiple Flaws in QNAP Tools Allow Attackers to Steal Sensitive Data
QNAP has released a security advisory addressing multiple vulnerabilities in its License Center application. If left unpatched, these flaws could allow attackers to steal sensitive information, crash system processes, or modify memory on affected Network Attached Storage (NAS) devices. The security update, released on January 3, 2026, resolves two distinct issues affecting License Center version…
-
Eaton Vulnerabilities Allow Attackers to Execute Arbitrary Code on Host Systems
Eaton has issued a critical security advisory warning users about multiple high-severity vulnerabilities in its UPS Companion software that could allow attackers to execute arbitrary code on affected systems. The power management company released patches addressing two significant security flaws that pose substantial risks to organizations using the software for uninterruptible power supply management. The…
-
RondoDox Botnet is Using React2Shell to Hijack Thousands of Unpatched Devices
RondoDox hackers exploit the React2Shell flaw in Next.js to target 90,000+ devices, including routers, smart cameras, and small business websites. First seen on hackread.com Jump to article: hackread.com/rondodox-botnet-react2shell-hijack-unpatched-devices/
-
RondoDox Botnet Exploiting Devices With React2Shell Flaw
The Campaign Compromises Open-Source Vulnerability to Hack IoT Devices at Scale. Security firm CloudSEK has uncovered a botnet campaign that is exploiting the React2Shell vulnerability in the Meta-developed, open-source React framework across a variety of devices since December. The security firm attributed the campaign to RondoDox. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/rondodox-botnet-exploiting-devices-react2shell-flaw-a-30436
-
Critical Flaw Puts WHILL Electric Wheelchairs at Risk of Hijacking
A critical Bluetooth flaw could allow nearby attackers to remotely control WHILL electric wheelchairs, posing serious safety risks. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/critical-flaw-puts-whill-electric-wheelchairs-at-risk-of-hijacking/
-
GNU Wget2 Vulnerability Enables Remote File Overwrite Attacks
A high-severity security flaw has been discovered in GNU Wget2, a popular command-line tool used for downloading files from the web. The vulnerability, tracked as CVE-2025-69194, allows remote attackers to overwrite files on a user’s computer without their permission. This issue is rated as Important with a CVSS score of 8.8 (High), indicating a significant risk to users who rely…
-
CISA Issues Warning on WHILL Model C2 Wheelchair Takeover Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a severe security flaw in WHILL Model C2 electric wheelchairs and Model F power chairs that could allow attackers to hijack the devices via Bluetooth. The vulnerability, tracked as CVE-2025-14346, carries a CVSS v3 score of 9.8, indicating critical severity. Security researchers…
-
IBM warns of critical API Connect bug enabling remote access
IBM disclosed a critical API Connect flaw (CVE-2025-13915, CVSS 9.8) that allows remote access via an authentication bypass. IBM addressed a critical API Connect vulnerability, tracked as CVE-2025-13915 (CVSS score of 9.8) that allows remote access via an authentication bypass. API Connect is IBM’s API management platform. It’s used by organizations to create, secure, manage,…
-
Apache NuttX Flaw Allows Attackers to Crash Embedded Systems
The Apache Software Foundation has released a security advisory addressing a memory corruption vulnerability in the Apache NuttX Real-Time Operating System (RTOS). Tracked as CVE-2025-48769, this flaw affects widely used embedded systems and could allow attackers to destabilize devices or manipulate files. The vulnerability stems from a Use After Free
-
The biggest cybersecurity and cyberattack stories of 2025
2025 was a big year for cybersecurity, with cyberattacks, data breaches, threat groups reaching new notoriety levels, and, of course, zero-day flaws exploited in breaches. Some stories, though, were more impactful or popular with our readers than others. This article explores 15 of the biggest cybersecurity stories of 2025. First seen on bleepingcomputer.com Jump to…
-
React2Shell under attack: RondoDox Botnet spreads miners and malware
RondoDox botnet exploits the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers. CloudSEK researchers warn that the RondoDox botnet is exploiting the critical React2Shell flaw (CVE-2025-55182) to drop malware and cryptominers on vulnerable Next.js servers. “CloudSEK’s report details a persistent nine-month RondoDoX botnet campaign targeting IoT devices and web applications. Recently, the…
-
Best of 2025: Google Gemini AI Flaw Could Lead to Gmail Compromise, Phishing
Researchers discovered a security flaw in Google’s Gemini AI chatbot that could put the 2 billion Gmail users in danger of being victims of an indirect prompt injection attack, which could lead to credentials being stolen or phishing attacks. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/01/google-gemini-ai-flaw-could-lead-to-gmail-compromise-phishing-2/
-
Breach Roundup: Clop Tied to Korean Air Vendor Breach
Also: China-Linked APT Hijack Updates, Condé Nast Data Leaked, La Poste Hit. This week, a Clop-linked vendor breach hit Korean Air, a China-linked APT hijacked software updates, a critical zero-day flaw remained unpatched, Condé Nast faced a data leak, La Poste was disrupted and Korean police extradited a malware operation suspect. First seen on govinfosecurity.com…
-
RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers
Cybersecurity researchers have disclosed details of a persistent nine-month-long campaign that has targeted Internet of Things (IoT) devices and web applications to enroll them into a botnet known as RondoDox. As of December 2025, the activity has been observed leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) flaw as an initial access vector, CloudSEK said…
-
Critical CVSS 9.8 Flaw Found in IBM API Connect Authentication System
IBM has disclosed details of a critical security flaw in API Connect that could allow attackers to gain remote access to the application. The vulnerability, tracked as CVE-2025-13915, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an authentication bypass flaw. “IBM API Connect could allow a…
-
Critical vulnerability in IBM API Connect could allow authentication bypass
Interim fixes provided: IBM said that the issue was discovered during internal testing, and it has provided interim fixes for each affected version of the software, with individual update details for VMware, OCP/CP4I, and Kubernetes. The only mitigation suggested for the flaw, according to IBM’s security bulletin, is this: “Customers unable to install the interim fix…
-
Apache StreamPipes Flaw Lets Anyone Become Admin
A critical Apache StreamPipes vulnerability lets users hijack admin accounts via broken authentication. The post Apache StreamPipes Flaw Lets Anyone Become Admin appeared first on TechRepublic. First seen on techrepublic.com Jump to article: www.techrepublic.com/article/news-apache-streampipes-flaw-lets-anyone-become-admin/
-
Critical Apache StreamPipes Flaw Allows Attackers to Take Over Admin Accounts
Apache StreamPipes has released an urgent security advisory addressing CVE-2025-47411, a critical privilege escalation vulnerability affecting versions 0.69.0 through 0.97.0. The flaw allows attackers with legitimate non-administrator accounts to exploit the user ID creation mechanism and hijack administrator credentials, gaining full control over the streaming data platform. The vulnerability stems from improper handling…
-
Singapore CSA warns of maximum severity SmarterMail RCE flaw
Singapore’s CSA warns of CVE-2025-52691, a critical SmarterMail flaw enabling unauthenticated remote code execution via arbitrary file upload. The Cyber Security Agency of Singapore (CSA) warns of a maximum severity flaw, tracked as CVE-2025-52691 (CVSS score of 10.0), in SmarterMail. The vulnerability enables unauthenticated remote code execution via arbitrary file upload. “Successful exploitation of the…
-
RondoDox botnet exploits React2Shell flaw to breach Next.js servers
The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/rondodox-botnet-exploits-react2shell-flaw-to-breach-nextjs-servers/
-
IBM Warns of Critical API Connect Bug Allowing Remote Authentication Bypass
IBM has disclosed details of a critical security flaw in API Connect that could allow attackers to gain remote access to the application. The vulnerability, tracked as CVE-2025-13915, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an authentication bypass flaw. “IBM API Connect could allow a…
-
Singapore CSA Warns of Critical SmarterMail Flaw Enabling Unauthenticated Remote Code Execution
The Cyber Security Agency of Singapore (CSA) has issued a high-priority alert warning organizations and system administrators about a critical security vulnerability affecting SmarterMail, an enterprise email and collaboration platform developed by SmarterTools. The flaw, tracked as CVE-2025-52691, carries the highest possible severity rating and could allow attackers to execute arbitrary code remotely without authentication. First seen on…
-
MongoBleed (CVE-2025-14847): MongoDB Memory Leak Flaw
First seen on resecurity.com Jump to article: www.resecurity.com/blog/article/mongobleed-cve-2025-14847-mongodb-memory-leak-flaw
-
Bluetooth Headphones Can Be Weaponized to Hack Phones
High-severity flaws in popular Bluetooth headphones can enable eavesdropping and smartphone hijacking, with many devices still unpatched. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/news-bluetooth-headphone-vulnerabilities/
-
Critical SmarterMail Flaw Allows Attackers to Execute Remote Code
SmarterTools has issued an urgent security advisory regarding a critical vulnerability in its widely used SmarterMail software. The flaw, which carries the highest possible severity score, could allow unauthenticated attackers to completely take over affected mail servers. The vulnerability, tracked as CVE-2025-52691, has been assigned a CVSS v3.1 score of 10.0, indicating maximum severity. It affects SmarterMail…