Tag: flaw
-
Fortinet’s silent patch sparks alarm as a critical FortiWeb flaw is exploited in the wild
Tags: advisory, best-practice, cve, defense, exploit, flaw, fortinet, Internet, reverse-engineering, risk, update, vulnerabilityDefense delayed due to silent patching: While Fortinet officially published an advisory for CVE-2025-64446 on November 14, 2025, the vendor’s earlier version release note made no mention of the vulnerability or the fix, leading to criticism that the patch was applied silently.”Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders,…
-
Google fixes new Chrome zero-day flaw exploited in attacks
Google has released an emergency security update to fix the seventh Chrome zero-day vulnerability exploited in attacks this year. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/google-fixes-new-chrome-zero-day-flaw-exploited-in-attacks/
-
Google fixed the seventh Chrome zero-day in 2025
Google patched two Chrome flaws, including a V8 type-confusion bug, tracked as including CVE-2025-13223, which was exploited in the wild. Google released Chrome security updates to address two flaws, including a high-severity V8 type confusion bug tracked as CVE-2025-13223 that has been actively exploited in the wild. The Chrome V8 engine is Google’s open-source JavaScript…
-
W3 Total Cache Security Vulnerability Exposes One Million WordPress Sites to RCE
A critical security flaw has been discovered in the widely used W3 Total Cache WordPress plugin, putting over 1 million websites at serious risk. The vulnerability allows attackers to take complete control of affected websites without needing any login credentials. Field Value CVE ID CVE-2025-9501 Plugin Name W3 Total Cache Affected Versions Before 2.8.13 Fixed…
-
Imunify AI-Bolit Flaw Allows Arbitrary Code Execution and Root Privilege Escalation
A critical vulnerability was discovered in the AI-Bolit component of Imunify security products, raising concerns across the web hosting and Linux server communities. This flaw could let attackers execute arbitrary code and escalate their privileges to root, risking the integrity of millions of servers worldwide. Imunify, a security platform widely used on web hosting servers,…
-
W3 Total Cache Security Vulnerability Exposes One Million WordPress Sites to RCE
A critical security flaw has been discovered in the widely used W3 Total Cache WordPress plugin, putting over 1 million websites at serious risk. The vulnerability allows attackers to take complete control of affected websites without needing any login credentials. Field Value CVE ID CVE-2025-9501 Plugin Name W3 Total Cache Affected Versions Before 2.8.13 Fixed…
-
Chrome Zero-Day Type Confusion Flaw Actively Exploited in the Wild
Google has released an urgent security update for its Chrome browser to address a critical zero-day vulnerability actively exploited by threat actors. The flaw, tracked as CVE-2025-13223, affects the V8 JavaScript engine and poses a significant risk to millions of Chrome users worldwide.”‹ Critical Zero-Day Under Active Attack The vulnerability was discovered by Clément Lecigne of…
-
Chrome Zero-Day Type Confusion Flaw Actively Exploited in the Wild
Google has released an urgent security update for its Chrome browser to address a critical zero-day vulnerability actively exploited by threat actors. The flaw, tracked as CVE-2025-13223, affects the V8 JavaScript engine and poses a significant risk to millions of Chrome users worldwide.”‹ Critical Zero-Day Under Active Attack The vulnerability was discovered by Clément Lecigne of…
-
CISA Reports Active Attacks on FortiWeb WAF Vulnerability Allowing Admin Access
Tags: access, attack, cisa, cve, cyber, cybersecurity, exploit, flaw, fortinet, infrastructure, kev, vulnerability, wafThe Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Fortinet FortiWeb vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that the flaw is being actively exploited in the wild. The vulnerability, tracked as CVE-2025-64446, allows unauthenticated attackers to gain administrative access to affected systems via a path-traversal vulnerability. Critical Path Traversal Flaw…
-
Google Issues Security Fix for Actively Exploited Chrome V8 Zero-Day Vulnerability
Google on Monday released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild.The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could be exploited to achieve arbitrary code execution or…
-
Google Issues Security Fix for Actively Exploited Chrome V8 Zero-Day Vulnerability
Google on Monday released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild.The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could be exploited to achieve arbitrary code execution or…
-
Microsoft fixes Windows 10 update flaw
Temporarily disable non-Microsoft services/startup apps (Clean Boot) to eliminate third-party interference.If the update still fails, download the .msu package for KB5068781 from the Microsoft Update Catalog and install manually (run wusa.exe <filename>.msu /quiet /norestart). Ensure you match architecture and version.If you installed the update but still face issues: verify the build number via winver to ensure it…
-
RondoDox botnet malware now hacks servers using XWiki flaw
The RondoDox botnet malware is now exploiting a critical remote code execution (RCE) flaw in XWiki Platform tracked as CVE-2025-24893. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/rondodox-botnet-malware-now-hacks-servers-using-xwiki-flaw/
-
Fortinet’s delayed alert on actively exploited defect put defenders at a disadvantage
The security vendor silently patched a vulnerability, but did not assign the flaw a CVE or publicly disclose its existence until 17 days later. By then, widespread attacks were already underway. First seen on cyberscoop.com Jump to article: cyberscoop.com/fortinet-delayed-disclosure-exploited-vulnerability/
-
CISA Alerts on Critical Lynx+ Gateway Flaw Leaks Data in Cleartext
Tags: access, cisa, control, cve, cyber, cybersecurity, data, flaw, infrastructure, leak, risk, vulnerabilityThe Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security alert regarding multiple vulnerabilities affecting General Industrial Controls’ Lynx+ Gateway device. Released on November 13, 2025, under alert code ICSA-25-317-08, these flaws pose significant risks to industrial control systems. They could enable remote attackers to access sensitive information or disrupt critical operations. CVE…
-
Critical Imunify360 AI-Bolit Bug Fixed in Latest Patch
A critical flaw in Imunify360 allowed attacker code to run during scans, putting millions of websites at risk. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/imunify360-zero-day-bolit-bug-patch/
-
ShadowMQ: Critical AI Flaws Impact Meta, NVIDIA, and More
ShadowMQ exposes how insecure code reuse can quietly spread dangerous vulnerabilities across the AI ecosystem. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/artificial-intelligence/shadowmq-critical-ai-flaws-impact-meta-nvidia-and-more/
-
Kraken Uses Benchmarking to Enhance Ransomware Attacks
Cisco Talos has observed overlaps between Kraken and the earlier HelloKitty cartel through attack tactics using SMB flaws for big-game hunting and double extortion First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/kraken-benchmarking-enhance/
-
EchoGram Flaw Bypasses Guardrails in Major LLMs
HiddenLayer reveals the EchoGram vulnerability, which bypasses safety guardrails on GPT-5.1 and other major LLMs, giving security teams just a 3-month head start. First seen on hackread.com Jump to article: hackread.com/echogram-flaw-bypass-guardrails-major-llms/
-
IBM AIX Flaw Allows Remote Attackers to Run Arbitrary Commands
IBM has released critical security updates addressing four severe vulnerabilities in AIX and VIOS systems that could allow remote attackers to execute arbitrary commands, steal credentials, and traverse system directories. The vulnerabilities affect multiple AIX versions and require immediate patching. The most critical vulnerability, CVE-2025-36250, carries a perfect 10.0 CVSS score and impacts the NIM…
-
Critical RCE Flaws in AI Inference Engines Expose Meta, Nvidia, and Microsoft Frameworks
Tags: ai, cve, cyber, flaw, framework, infrastructure, microsoft, nvidia, open-source, rce, remote-code-execution, technology, vulnerabilitySecurity researchers at Oligo Security have uncovered a series of critical Remote Code Execution vulnerabilities affecting widely deployed AI inference servers from major technology companies. The flaws affect frameworks developed by Meta, NVIDIA, Microsoft, and open-source projects such as vLLM, SGLang, and Modular, potentially exposing enterprise AI infrastructure to serious security risks. CVE ID Affected…
-
Hackers Weaponize XWiki Flaw to Build and Rent Out Botnet Networks
Tags: attack, botnet, crypto, cve, cyber, cybersecurity, exploit, flaw, hacker, intelligence, malware, network, threat, vulnerabilityCybersecurity researchers have observed a dramatic escalation in attacks exploiting a critical XWiki vulnerability, with multiple threat actors now leveraging CVE-2025-24893 to deploy botnets, cryptocurrency miners, and custom malware toolkits.”‹ The vulnerability, initially detected by VulnCheck’s Canary Intelligence system on October 28, 2025, has rapidly evolved from a single attacker’s exploit into a widespread multi-actor…
-
Critical FortiWeb WAF Flaw Actively Exploited to Establish Admin Access and Seize Total Control
Fortinet has released urgent security updates to address a critical vulnerability in its FortiWeb Web Application Firewall (WAF) that is being actively exploited in the wild. Tracked as CVE-2025-64446, the flaw allows unauthenticated attackers to execute administrative commands and gain complete control of affected systems. The vulnerability has been assigned a critical severity rating with…
-
RondoDox expands botnet by exploiting XWiki RCE bug left unpatched since February 2025
RondoDox botnet exploits unpatched XWiki flaw CVE-2025-24893 to gain RCE and infect more servers, despite fixes released in February 2025. RondoDox is targeting unpatched XWiki servers via critical RCE flaw CVE-2025-24893 (CVSS score of 9.8), pulling more devices into its botnet despite patches released in Feb 2025. The XWiki Platform is a generic wiki framework…
-
ISO and ISMS: 9 reasons security certifications go wrong
2. Approaching implementation as a one-off activity: One of the most common reasons why ISO/ISMS implementations fail in companies is that they are not actually integrated into daily business operations. Many view ISO/ISMS implementation as a one-off activity, undertaken simply to obtain the certification. However, they neglect to integrate the established processes into their daily…
-
Strix: Open-source AI agents for penetration testing
Security teams know that application flaws tend to show up at the worst time. Strix presents itself as an open source way to catch them earlier by using autonomous agents that … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/11/17/strix-open-source-ai-agents-penetration-testing/
-
Week in review: Windows kernel flaw patched, suspected Fortinet FortiWeb zero-day exploited
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Adopting a counterintelligence mindset in luxury logistics In this Help Net … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/11/16/week-in-review-windows-kernel-flaw-patched-suspected-fortinet-fortiweb-zero-day-exploited/
-
A Single Bug in Mobile Apps Can Cost You Millions! Protect with Secure Code Review!
A leading banking app was forced into a three-day shutdown after attackers exploited a small coding oversight that granted access to customer accounts. The flaw had quietly existed in the codebase for months, completely slipping past the development team. What made the incident even more frustrating was that a simple peer review could have identified……
-
RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet
The botnet malware known as RondoDox has been observed targeting unpatched XWiki instances against a critical security flaw that could allow attackers to achieve arbitrary code execution.The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any guest user to perform arbitrary remote code execution through a request to…