Tag: remote-code-execution
-
Happy DOM Flaw Allows Remote Code Execution Affecting 2.7 Million Users
A critical security vulnerability has been discovered in Happy DOM, a popular JavaScript library used for server-side rendering and testing frameworks. The flaw, tracked as CVE-2025-61927, enables attackers to escape the virtual machine context and execute arbitrary code on affected systems, potentially compromising millions of applications worldwide. Critical VM Context Escape Vulnerability Happy DOM versions 19…
-
Oracle E-Business Suite Flaw Enables Remote Code Execution and Data Theft
Tags: business, cvss, cyber, data, flaw, oracle, remote-code-execution, software, theft, vulnerabilityOracle has issued a critical security alert for a severe vulnerability in its E-Business Suite platform that could allow attackers to execute remote code and steal sensitive data without requiring authentication. The flaw, identified asCVE-2025-61884, affects multiple versions of the widely used enterprise software and has been assigned a CVSS score of 7.5, indicating high…
-
Oracle E-Business Suite Remote Code Execution Vulnerability (CVE-2025-61882) Notice
Overview Recently, NSFOCUS CERT detected that Oracle issued a security bulletin to fix the remote code execution vulnerability (CVE-2025-61882) in Oracle E-Business Suite; Because Oracle Concurrent Processing (BI Publisher Integration) of Oracle E-Business Suite does not strictly validate and filter user input, unauthenticated attackers can use SSRF, CRLF injection, Vulnerability chains such as path traversal…The…
-
Oracle E-Business Suite Remote Code Execution Vulnerability (CVE-2025-61882) Notice
Overview Recently, NSFOCUS CERT detected that Oracle issued a security bulletin to fix the remote code execution vulnerability (CVE-2025-61882) in Oracle E-Business Suite; Because Oracle Concurrent Processing (BI Publisher Integration) of Oracle E-Business Suite does not strictly validate and filter user input, unauthenticated attackers can use SSRF, CRLF injection, Vulnerability chains such as path traversal…The…
-
Zero-day in file-sharing software leads to RCE, and attacks are ongoing
Usually we’d say patch up”¦ not this time First seen on theregister.com Jump to article: www.theregister.com/2025/10/10/zeroday_in_filesharing_software_leads/
-
Apple doubles maximum bug bounty to $2M for zero-click RCEs
Apple raised bug bounties to $2M for zero-click RCEs, doubling payouts. Since 2020, it’s paid $35M to 800 researchers. Apple doubled its bug bounty rewards, now offering up to $2 million for zero-click remote code execution flaws. Since 2020, the tech giant has paid $35M to 800 researchers. Apple aims to pay exploit chains comparable…
-
Apple bumps RCE bug bounties to $2M to counter commercial spyware vendors
Higher difficulty means higher rewards: The culmination of that work is what Apple now calls Memory Integrity Enforcement (MIE) and is a feature of its new A19 and A19 Pro chips found in its iPhone 17 and iPhone Air lineup. MIE is leveraged in iOS to protect the entire kernel and over 70 userland processes,…
-
Apple now offers $2 million for zero-click RCE vulnerabilities
Apple is announcing a major expansion and redesign of its bug bounty program, doubling maximum payouts, adding new research categories, and introducing a more transparent reward structure. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/apple-now-offers-2-million-for-zero-click-rce-vulnerabilities/
-
From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability
Tags: cve, cybersecurity, exploit, flaw, rce, remote-code-execution, software, vulnerability, zero-dayCybersecurity company Huntress said it has observed active in-the-wild exploitation of an unpatched security flaw impacting Gladinet CentreStack and TrioFox products.The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It impacts all versions of the software prior to and First seen…
-
7-Zip Vulnerabilities Allowing Remote Code Execution
Two critical vulnerabilities in 7-Zip’s handling of ZIP archives have emerged, enabling remote attackers to execute arbitrary code by exploiting directory traversal flaws. Both issues stem from improper processing of symbolic links within ZIP files, allowing crafted archives to force traversal to unintended locations and ultimately run code under the context of vulnerable services. Directory…
-
Response to Oracle Security Alert Advisory: Oracle E-Business Suite Pre-Auth RCE (CVE-2025-61882)
AttackIQ has released a new emulation in response to the Oracle Security Alert Advisory detailing the CVE-2025-61882 vulnerability, which impacts Oracle E-Business Suite versions 12.2.3 through 12.2.14. First seen on securityboulevard.com Jump to article: securityboulevard.com/2025/10/response-to-oracle-security-alert-advisory-oracle-e-business-suite-pre-auth-rce-cve-2025-61882/
-
Anatomy of a Modern Threat: Deconstructing the Figma MCP Vulnerability
Threat researchers recently disclosed a severe vulnerability in a Figma Model Context Protocol (MCP) server, as reported by The Hacker News. While the specific patch is important, the discovery itself serves as a critical wake-up call for every organization rushing to adopt AI. This incident provides a blueprint for a new class of attacks that…
-
Anatomy of a Modern Threat: Deconstructing the Figma MCP Vulnerability
Threat researchers recently disclosed a severe vulnerability in a Figma Model Context Protocol (MCP) server, as reported by The Hacker News. While the specific patch is important, the discovery itself serves as a critical wake-up call for every organization rushing to adopt AI. This incident provides a blueprint for a new class of attacks that…
-
CVE-2025-61882 Explained: The Oracle Zero-Day Breach That Hit Enterprises Hard
Tags: authentication, breach, business, cve, exploit, flaw, group, oracle, ransomware, remote-code-execution, vulnerability, zero-dayA critical zero-day vulnerability in Oracle E-Business Suite (EBS) was exploited by the Cl0p ransomware group in mid-2025. The flaw, later tracked as CVE-2025-61882, allowed remote code execution without authentication,… The post CVE-2025-61882 Explained: The Oracle Zero-Day Breach That Hit Enterprises Hard appeared first on Strobes Security. First seen on securityboulevard.com Jump to article: https://securityboulevard.com/2025/10/cve-2025-61882-explained-the-oracle-zero-day-breach-that-hit-enterprises-hard/
-
Critical Redis Flaw Could Compromise Most Cloud Environments
A Redis flaw, CVE-2025-49844, exposes 75% of cloud systems to remote code execution, data theft, and full system compromise. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/news/redis-vulnerability-cloud-compromise/
-
Critical Redis Flaw Could Compromise Most Cloud Environments
A Redis flaw, CVE-2025-49844, exposes 75% of cloud systems to remote code execution, data theft, and full system compromise. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/news/redis-vulnerability-cloud-compromise/
-
Critical Redis Flaw Could Compromise Most Cloud Environments
A Redis flaw, CVE-2025-49844, exposes 75% of cloud systems to remote code execution, data theft, and full system compromise. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/news/redis-vulnerability-cloud-compromise/
-
Framelink Figma MCP Server Opens Orgs to Agentic AI Compromise
Patch now: A bug (CVE-2025-53967) in a third-party option for connecting Figma to agentic AI can lead to remote code execution (RCE). First seen on darkreading.com Jump to article: www.darkreading.com/vulnerabilities-threats/figma-mcp-server-agentic-ai-compromise
-
Figma MCP Server Opens Orgs to Agentic AI Compromise
Patch now: A bug (CVE-2025-53967) in the popular Web design tool’s option for talking to agentic AI can lead to remote code execution (RCE). First seen on darkreading.com Jump to article: www.darkreading.com/vulnerabilities-threats/figma-mcp-server-agentic-ai-compromise
-
PoC Exploit Released for Critical Vulnerabilities in Lua Engine
A new proof-of-concept exploit has been released for three severe vulnerabilities in the Lua scripting engine used by Redis 7.4.5. Security researchers discovered that attackers can trigger remote code execution and privilege escalation by abusing flaws in the Lua parser, the unpack() function, and the protection of basic type metatables. These issues pose a direct threat to…
-
PoC Exploit Released for Critical Vulnerabilities in Lua Engine
A new proof-of-concept exploit has been released for three severe vulnerabilities in the Lua scripting engine used by Redis 7.4.5. Security researchers discovered that attackers can trigger remote code execution and privilege escalation by abusing flaws in the Lua parser, the unpack() function, and the protection of basic type metatables. These issues pose a direct threat to…
-
Redis patches 13-Year-Old Lua flaw enabling Remote Code Execution
Redis warns of CVE-2025-49844, a Lua script flaw enabling RCE via use-after-free. Attackers need authenticated access to exploit it. Redis disclosed a critical RCE bug, tracked as CVE-2025-49844 (also known as “RediShell”, with a CVSS score of 10.0), where a malicious Lua script can exploit the garbage collector to trigger a use-after-free vulnerability and enable…
-
10.0-severity RCE flaw puts 60,000 Redis instances at risk
Tags: authentication, cloud, container, cve, data-breach, docker, exploit, flaw, group, Internet, network, rce, remote-code-execution, risk, vulnerabilityLack of Redis authentication is a widespread issue: While Redis supports authentication, it is often deployed without it, especially on internal networks, but also on the internet. For example, the Wiz researchers note that in 57% of cloud environments, Redis is deployed as a container image and the official Redis container on Docker Hub does…
-
GoAnywhere MFT zero-day used by Storm-1175 in Medusa ransomware campaigns
Tags: attack, cve, cybercrime, exploit, flaw, group, ransomware, remote-code-execution, vulnerability, zero-dayStorm-1175 exploits GoAnywhere MFT flaw CVE-2025-10035 in Medusa attacks, allowing easy remote code execution via License Servlet bug. A cybercrime group, tracked as Storm-1175, has been actively exploiting a maximum severity GoAnywhere MFT vulnerability (CVE-2025-10035) in Medusa ransomware attacks for nearly a month. The vulnerability CVE-2025-10035 is a deserialization issue in the License Servlet of…
-
GoAnywhere MFT zero-day used by Storm-1175 in Medusa ransomware campaigns
Tags: attack, cve, cybercrime, exploit, flaw, group, ransomware, remote-code-execution, vulnerability, zero-dayStorm-1175 exploits GoAnywhere MFT flaw CVE-2025-10035 in Medusa attacks, allowing easy remote code execution via License Servlet bug. A cybercrime group, tracked as Storm-1175, has been actively exploiting a maximum severity GoAnywhere MFT vulnerability (CVE-2025-10035) in Medusa ransomware attacks for nearly a month. The vulnerability CVE-2025-10035 is a deserialization issue in the License Servlet of…
-
#RediShell: Redis/Valkey Get ‘Perfect 10’ Critical RCE Vuln
Redis hell: CVSS 10.0 vulnerability in ubiquitous cloud storage layer. PATCH NOW. First seen on securityboulevard.com Jump to article: securityboulevard.com/2025/10/redis-valkey-redishell-richixbw/
-
#RediShell: Redis/Valkey Get ‘Perfect 10’ Critical RCE Vuln
Redis hell: CVSS 10.0 vulnerability in ubiquitous cloud storage layer. PATCH NOW. First seen on securityboulevard.com Jump to article: securityboulevard.com/2025/10/redis-valkey-redishell-richixbw/
-
Redis patches critical >>RediShell<< RCE vulnerability, update ASAP! (CVE-2025-49844)
Redis, the company behind the widely used in-memory data structure store of the same name, has released patches for a critical vulnerability (CVE-2025-49844) that may allow … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/10/07/redis-patches-critical-redishell-rce-vulnerability-update-asap-cve-2025-49844/
-
Patch Now: ‘RediShell’ Threatens Cloud Via Redis RCE
A 13-year-old flaw with a CVSS score of 10 in the popular data storage service allows for full host takeover, and more than 300k instances are currently exposed. First seen on darkreading.com Jump to article: www.darkreading.com/cloud-security/patch-now-redishell-redis-rce
-
Redis patches critical >>RediShell<< RCE vulnerability, update ASAP! (CVE-2025-49844)
Redis, the company behind the widely used in-memory data structure store of the same name, has released patches for a critical vulnerability (CVE-2025-49844) that may allow … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/10/07/redis-patches-critical-redishell-rce-vulnerability-update-asap-cve-2025-49844/