Tag: flaw
-
Critical SmarterMail Flaw Allows Attackers to Execute Remote Code
SmarterTools has issued an urgent security advisory regarding a critical vulnerability in its widely used SmarterMail software. The flaw, which carries the highest possible severity score, could allow unauthenticated attackers to completely take over affected mail servers. The vulnerability, tracked as CVE-2025-52691, has been assigned a CVSS v3.1 score of 10.0, indicating maximum severity. It affects SmarterMail…
-
Critical IBM API Connect Flaw Allows Attackers to Bypass Authentication
IBM has disclosed a critical authentication bypass vulnerability affecting its API Connect platform, assigning it a maximum CVSS severity score of 9.8. The flaw, tracked as CVE-2025-13915, represents a primary authentication weakness (CWE-305) that requires no user interaction or special privileges to exploit. The vulnerability impacts IBM API Connect versions 10.0.8.0 through 10.0.8.5 and version…
-
CISA Alerts on Active Exploitation of MongoDB Vulnerability CVE-2025-14847
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning about the active exploitation of CVE-2025-14847, a severe vulnerability affecting MongoDB and MongoDB Server. The flaw was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on December 29, 2025, signaling that threat actors are actively targeting this security weakness in real-world attacks.…
-
CSA Issues Alert on Critical SmarterMail Bug Allowing Remote Code Execution
The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution.The vulnerability, tracked as CVE-2025-52691, carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution…
-
CSA Issues Alert on Critical SmarterMail Bug Allowing Remote Code Execution
The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution.The vulnerability, tracked as CVE-2025-52691, carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution…
-
75,000 MongoDBs Exposed as Attackers Exploit ‘MongoBleed’
Tags: data, data-breach, exploit, flaw, group, Internet, mitigation, ransomware, risk, software, vulnerabilityPatches Issued for MongoBleed as Ransomware Groups Target Flaw to Steal Data. Tens of thousands of internet-exposed MongoDB databases are at risk as attackers actively target a critical vulnerability in the software to steal sensitive data, with ransomware groups having joined the fray, researchers warn. MongoDB has issued patches and mitigation advice. First seen on…
-
When One Vulnerability Breaks the Internet and Millions of Devices Join In
The final weeks of 2025 did not arrive quietly. A single software flaw rippled across the internet, healthcare providers disclosed deeply personal data exposures, and millions of everyday devices quietly joined large scale attacks. As we step into 2026, the ColorTokens Threat Advisory brief captures the operating conditions security teams are already living in, where breaches are assumed, exploitation is fast,……
-
Critical 0day flaw Exposes 70k XSpeeder Devices as Vendor Ignores Alert
Researchers reveal CVE-2025-54322, a critical unpatched flaw in XSpeeder networking gear found by AI agents. 70,000 industrial and branch devices are exposed. First seen on hackread.com Jump to article: hackread.com/xspeeder-0day-flaw-devices-vendor-ignores-alert/
-
React2Shell: Anatomy of a max-severity flaw that sent shockwaves through the web
What the research quickly agreed on: Across early reports from Wiz, Palo Alto Networks’ Unit 42, Google AWS, and others, there was a strong alignment on the core mechanics of React2Shell. Researchers independently confirmed that the flaw lives inside React’s server-side rendering pipeline and stems from unsafe deserialization in the protocol used to transmit component…
-
MongoDB Vulnerability CVE-2025-14847 Under Active Exploitation Worldwide
A recently disclosed security vulnerability in MongoDB has come under active exploitation in the wild, with over 87,000 potentially susceptible instances identified across the world.The vulnerability in question is CVE-2025-14847 (CVSS score: 8.7), which allows an unauthenticated attacker to remotely leak sensitive data from the MongoDB server memory. It has been codenamed MongoBleed.”A flaw First…
-
Top 5 real-world AI security threats revealed in 2025
Tags: access, ai, api, attack, breach, chatgpt, cloud, control, credentials, cybercrime, data, data-breach, defense, email, exploit, flaw, framework, github, gitlab, google, injection, least-privilege, LLM, malicious, malware, microsoft, nvidia, open-source, openai, rce, remote-code-execution, risk, service, software, supply-chain, theft, threat, tool, vulnerabilityA critical remote code execution (RCE) in open-source AI agent framework Langflow that was also exploited in the wildAn RCE flaw in OpenAI’s Codex CLIVulnerabilities in NVIDIA Triton Inference ServerRCE vulnerabilities in major AI inference server frameworks, including those from Meta, Nvidia, Microsoft, and open-source projects such as vLLM and SGLangVulnerabilities in open-source compute framework…
-
MongoBleed Detector Launched to Identify Critical MongoDB Flaw (CVE-2025-14847)
Security researchers have released an open-source detection tool to help organizations identify potential exploitation of MongoBleed (CVE-2025-14847), a critical memory disclosure vulnerability affecting multiple MongoDB versions. The MongoBleed Detector, developed by Neo23x0, provides incident responders with an offline analysis capability to scan MongoDB logs for exploitation indicators without requiring network connectivity or additional agents. MongoBleed…
-
Exploited MongoBleed flaw leaks MongoDB secrets, 87K servers exposed
A severe vulnerability affecting multiple MongoDB versions, dubbed MongoBleed (CVE-2025-14847), is being actively exploited in the wild, with over 80,000 potentially vulnerable servers exposed on the public web. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/exploited-mongobleed-flaw-leaks-mongodb-secrets-87k-servers-exposed/
-
LangChain core vulnerability allows prompt injection and data exposure
A critical flaw in LangChain Core could allow attackers to steal sensitive secrets and manipulate LLM responses via prompt injection. LangChain Core (langchain-core) is a key Python package in the LangChain ecosystem that provides core interfaces and model-agnostic tools for building LLM-based applications. A critical vulnerability, tracked as CVE-2025-68664 (CVSS score of 9.3), affects the…
-
New MongoDB Flaw Lets Unauthenticated Attackers Read Uninitialized Memory
A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory.The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency, which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent…
-
High severity flaw in MongoDB could allow memory leakage
MongoDB 8.2.0 through 8.2.3MongoDB 8.0.0 through 8.0.16MongoDB 7.0.0 through 7.0.26MongoDB 6.0.0 through 6.0.26MongoDB 5.0.0 through 5.0.31MongoDB 4.4.0 through 4.4.29All MongoDB Server v4.2 versionsAll MongoDB Server v4.0 versionsAll MongoDB Server v3.6 versionsIn its advisory, MongoDB “strongly suggested” that users upgrade immediately to the patched versions of the software: MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.However,…
-
Unpatched FortiGate Security Flaw Allows Attackers to Bypass 2FA Controls
A critical authentication bypass vulnerability in FortiGate devices enables threat actors to circumvent two-factor authentication (2FA) protections through case-sensitive username manipulation. The flaw, tracked as CVE-2020-12812, affects organizations with specific LDAP integration configurations and remains exploitable on unpatched systems. The vulnerability stems from FortiGate’s default case-sensitive username handling conflicting with LDAP directories that treat usernames…
-
ThreatsDay Bulletin: Stealth Loaders, AI Chatbot Flaws AI Exploits, Docker Hack, and 15 More Stories
It’s getting harder to tell where normal tech ends and malicious intent begins. Attackers are no longer just breaking in, they’re blending in, hijacking everyday tools, trusted apps, and even AI assistants. What used to feel like clear-cut “hacker stories” now looks more like a mirror of the systems we all use.This week’s findings show…
-
High-severity MongoDB flaw CVE-2025-14847 could lead to server takeover
MongoDB addressed a high-severity vulnerability that can be exploited to achieve remote code execution on vulnerable servers. MongoDB addressed a high-severity vulnerability, tracked as CVE-2025-14847 (CVSS score 8.7), an unauthenticated, remote attacker can exploit the issue to execute arbitrary code on vulnerable servers. >>An client-side exploit of the Server’s zlib implementation can return uninitialized heap…
-
Fortinet Warns of Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability
Fortinet on Wednesday said it observed “recent abuse” of a five-year-old security flaw in FortiOS SSL VPN in the wild under certain configurations.The vulnerability in question is CVE-2020-12812 (CVSS score: 5.2), an improper authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second…
-
CISA Flags Actively Exploited Digiever NVR Vulnerability Allowing Remote Code Execution
Tags: authentication, cisa, cve, cybersecurity, exploit, flaw, infrastructure, injection, kev, network, remote-code-execution, vulnerabilityThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.The vulnerability, tracked as CVE-2023-52163 (CVSS score: 8.8), relates to a case of command injection that allows post-authentication remote code First seen on thehackernews.com…
-
Pen testers accused of ‘blackmail’ after reporting Eurostar chatbot flaws
AI goes off the rails “¦ because of shoddy guardrails First seen on theregister.com Jump to article: www.theregister.com/2025/12/24/pentesters_reported_eurostar_chatbot_flaws/
-
NVIDIA Isaac Vulnerabilities Enable Remote Code Execution Attacks
NVIDIA released critical security updates for its Isaac Launchable platform on December 23, 2025, addressing three severe vulnerabilities that could allow unauthenticated attackers to execute arbitrary code remotely. All three flaws carry a maximum CVSS score of 9.8, placing them in the critical severity category and requiring immediate attention from affected organizations. The security bulletin…
-
Net-SNMP Vulnerability Triggers Buffer Overflow, Crashing the Daemon
A critical buffer overflow vulnerability in Net-SNMP’s snmptrapd daemon allows remote attackers to crash the service by sending specially crafted packets, potentially disrupting network monitoring operations across enterprise environments. The flaw, tracked as CVE-2025-68615, affects all versions of Net-SNMP before the recently released patches. Security researcher Buddurid, working with Trend Micro Zero Day Initiative, discovered…
-
MongoDB warns admins to patch severe RCE flaw immediately
MongoDB has warned IT admins to immediately patch a high-severity vulnerability that can be exploited in remote code execution (RCE) attacks targeting vulnerable servers. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/mongodb-warns-admins-to-patch-severe-rce-flaw-immediately/
-
Eurostar Accused Researchers of Blackmail for Reporting AI Chatbot Flaws
Researchers discovered critical flaws in Eurostar’s AI chatbot including prompt injection, HTML injection, guardrail bypass, and unverified chat IDs – Eurostar later accused them of blackmail. First seen on hackread.com Jump to article: hackread.com/eurostar-blackmail-research-report-ai-chatbot-flaw/
-
Critical MongoDB Flaw Leaks Sensitive Data Through zlib Compression
MongoDB has disclosed a critical security vulnerability tracked as CVE-2025-14847 that could allow attackers to extract uninitialized heap memory from database servers without authentication. The flaw, affecting multiple MongoDB versions dating back to v3.6, stems from a client-side exploit in the server’s zlib compression implementation.”‹ Vulnerability Overview The security issue enables malicious actors to retrieve…
-
103K n8n Automation Instances at Risk From RCE Flaw
A critical n8n RCE flaw puts more than 103,000 automation instances at risk of full system compromise. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/103k-n8n-automation-instances-at-risk-from-rce-flaw/
-
WatchGuard warns critical flaw in Firebox devices facing exploitation
The company said the threat activity is part of a larger campaign against edge devices and internet-exposed infrastructure. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/watchguard-critical-flaw-firebox-exploitation/808617/