What's new around the internet

Last one

Each entry lists: Source, Date (GMT), Title, Description, Tags, Stories, Notes
Source: Cyble. Date (GMT): 2025-01-30 08:42:50. Title: ICS Vulnerability Report: Cyble Urges Critical mySCADA Fixes (direct link).
Overview: A pair of 9.8-severity flaws in mySCADA myPRO Manager SCADA systems were among the vulnerabilities highlighted in Cyble's weekly Industrial Control System (ICS) Vulnerability Intelligence Report. Cyble Research & Intelligence Labs (CRIL) examined eight ICS vulnerabilities in the January 28 report for clients, including high-severity flaws in critical manufacturing, energy infrastructure, and transportation networks. OS Command Injection (CWE-78) and Improper Security Checks (CWE-358, CWE-319) accounted for half of the vulnerabilities in the report, “indicating a persistent challenge in securing authentication and execution processes in ICS environments,” Cyble said.
Critical mySCADA Vulnerabilities: The critical mySCADA myPRO supervisory control and data acquisition (SCADA) vulnerabilities have not yet appeared in the NIST National Vulnerability Database (NVD) or the MITRE CVE database, but they were the subject of a CISA ICS advisory on January 23. The mySCADA myPRO Manager system provides user interfaces and functionality for real-time monitoring and control of industrial processes across a range of critical industries and applications. CISA said the vulnerabilities can be exploited remotely with low attack complexity, potentially allowing a remote attacker to execute arbitrary commands or disclose sensitive information. CVE-2025-20061 was assigned a CVSS v3.1 base score of 9.8 and is an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. CISA said mySCADA myPRO does not properly neutralize POST requests sent to a specific port with email information, so the vulnerability could be used to execute arbitrary commands on an affected system. CVE-2025-20014 is also a 9.8-severity OS Command Injection vulnerability: myPRO likewise does not properly neutralize POST requests sent to a specific port with version information, which could allow an attacker to execute arbitrary commands.
Affected products: myPRO Manager versions prior to 1.3; myPRO Runtime versions prior to 9.2.1. mySCADA recommends that users update to the latest versions: mySCADA PRO Manager 1.3 and mySCADA PRO Runtime 9.2.1.
Tags: Tool, Vulnerability, Patching, Industrial. Notes: ★★★
Source: Cyble. Date (GMT): 2025-01-28 12:00:59. Title: Critical Vulnerabilities in Node.js Expose Systems to Remote Attacks (direct link).
Overview: A series of critical security vulnerabilities has been discovered in multiple versions of Node.js, the popular open-source JavaScript runtime used to build scalable network applications. These vulnerabilities, outlined in CERT-In Vulnerability Note CIVN-2025-0011, have been classified as high severity, with the potential to compromise sensitive information, disrupt services, and even execute arbitrary code. Users of Node.js, including developers and organizations relying on the platform, are urged to take immediate action to secure their systems. The vulnerabilities affect several versions of Node.js, including both long-term support (LTS) and current releases: v18.x, v20.x, v22.x, and the latest v23.x. The flaws stem from various issues, including memory leaks, path traversal vulnerabilities, and worker permission bypasses, which could result in denial of service (DoS) conditions, data theft, and potential system compromise. These flaws can be exploited remotely, allowing attackers to gain control over affected systems. The potential impact is significant, especially in production environments where Node.js applications serve high-traffic workloads.
Key Vulnerabilities in Node.js: CVE-2025-23087 (Node.js v17.x and prior): This critical vulnerability affects older versions of Node.js (v17.x or earlier), with an attacker potentially gaining unauthorized access due to insufficient security controls. The severity of the flaw demands immediate attention from users of these older versions. CVE-2025-23088 (Node.js v19.x): A critical flaw affecting Node.js v19.x, which could allow an attacker to bypass security measures and execute arbitrary code. Users of v19.x should update to the latest release to mitigate the risk. CVE-2025-23089 (Node.js v21.x): Similar to CVE-2025-23088, this vulnerability impacts Node.js v21.x, allowing for potential exploitation due to a lack of proper access control and security features. Users should upgrade to patched versions of Node.js immediately. CVE-2025-23083 (Worker Permission Bypass): A high-severity vulnerability in Node.js v20.x, v22.x, and v23.x, where an attacker could exploit the internal worker leak mechanism via the diagnostics_channel utility. This flaw could enable unauthorized access to worker threads, which are normally restricted, potentially leading to privilege escalation.
Tags: Tool, Vulnerability, Threat. Notes: ★★★
Source: Cyble. Date (GMT): 2025-01-28 09:37:55. Title: phpMyAdmin 5.2.2 Addresses Critical XSS and Library Vulnerabilities (direct link).
Overview: phpMyAdmin, a popular web-based tool for managing MySQL and MariaDB databases, has released version 5.2.2, addressing multiple vulnerabilities that posed a medium-severity risk. This widely used tool is a staple for database administrators, offering a strong feature set and ease of use. However, the vulnerabilities discovered could expose users to risks such as unauthorized actions, session hijacking, and data theft. The update resolves two cross-site scripting (XSS) vulnerabilities (CVE-2025-24530 and CVE-2025-24529) and a potential issue in the glibc/iconv library (CVE-2024-2961). These vulnerabilities underline the importance of staying up to date with security patches to safeguard sensitive data and ensure secure database management. According to the advisory: Reported by: a security researcher identified as "bluebird." Severity: Moderate. Solution: Users are encouraged to upgrade to version 5.2.2 or apply the patch.
Vulnerability Details: Three significant vulnerabilities were identified in phpMyAdmin versions prior to 5.2.2. 1. CVE-2025-24530: XSS in “Check Tables”. Description: This XSS vulnerability allows an attacker to exploit the "Check Tables" feature by crafting a malicious table name, which could result in malicious scripts being injected into the application. Impact: Successful exploitation could lead to session hijacking, data theft, and unauthorized actions. CWE ID: CWE-661 (Improper Neutralization of Input During Web Page Generation). Fix: This issue was resolved through commit a45efd0eb9415240480adeefc587158c766bc4a0. 2. CVE-2025-24529: XSS in “Insert”. Description: This vulnerability involves the "Insert" functionality, which could be manipulated to execute malicious scripts. Impact: Exploitation could compromise user accounts and sensitive data by injecting malicious code into user
Tags: Tool, Vulnerability, Threat, Medical. Notes: ★★★
Source: Cyble. Date (GMT): 2025-01-27 15:02:33. Title: IT Vulnerability Report: 7-Zip, Windows and Fortinet Fixes Urged by Cyble (direct link).
Overview: Cyble's vulnerability intelligence report to clients last week examined high-risk flaws in 7-Zip, Microsoft Windows, and Fortinet, among other products. It also examined dark web claims of a zero-day vulnerability in Apple iOS. In all, the report from Cyble Research and Intelligence Labs (CRIL) looked at 14 vulnerabilities and dark web exploits, including one vulnerability with a maximum CVSS severity score of 10.0 and another with more than 276,000 web exposures. Here are some of the vulnerabilities highlighted by Cyble's vulnerability intelligence unit as meriting high-priority attention from security teams.
The Top IT Vulnerabilities: CVE-2024-50603 is a 10.0-severity OS Command Injection vulnerability in the Aviatrix Controller that could allow an unauthenticated user to execute arbitrary commands against the cloud networking platform controller, due to improper neutralization of special elements used in an OS command. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. CVE-2025-0411 is a critical vulnerability in the 7-Zip file archiving software that allows attackers to bypass the Mark-of-the-Web (MOTW) protection mechanism, which is intended to warn users about potentially dangerous files downloaded from the internet. An attacker could use the vulnerability to craft an archive so that the files do not inherit the MOTW mark when they are extracted by 7-Zip. The vulnerability was only just announced, but a patch has been available since November 30. As 7-Zip lacks an auto-update function, users must download the update directly. CVE-2024-12084 is a 9.8-severity Heap-Based Buffer Overflow vulnerability in the Rsync file synchronization tool. The vulnerability arises from improper handling of checksum lengths that exceed the fixed limit of 16 bytes (SUM_LENGTH) during the processing of user-controlled data. An attacker could manipulate checksum lengths, leading to out-of-bounds memory writes in the sum2 buffer. This could enable remote code execution (RCE) on systems running the Rsync server. Cyble detected more than 276,000 vulnerable web-facing Rsync exposures (image below).
Dark Web Exploits and Zero Days: The
Tags: Tool, Vulnerability, Threat, Patching, Cloud. Notes: ★★★
Source: Cyble. Date (GMT): 2025-01-27 12:16:17. Title: United Against Cybercrime: ASEAN Ministers Forge New Security Pathways (direct link).
Overview: The digital world in Southeast Asia is evolving rapidly, with nations striving to balance innovation, inclusivity, and security. The recently held 5th ASEAN Digital Ministers' Meeting (ADGMIN) in Bangkok, Thailand, marked a significant milestone in this journey. The meeting highlighted the importance of cybersecurity in shaping a resilient digital future for the region. The ASEAN Digital Masterplan 2025 (ADM 2025) continues to serve as a guiding framework for fostering collaboration, enabling trust in digital services, and promoting the safe and inclusive use of technology. From addressing online scams to operationalizing the ASEAN Regional Computer Emergency Response Team (CERT) and advancing AI governance, the event showcased ASEAN's commitment to fortifying its digital ecosystem against cyber threats. With an emphasis on collaboration and proactive measures, the meeting highlighted the pressing need to enhance cybersecurity frameworks, strengthen cross-border data governance, and address emerging challenges posed by technologies like generative AI.
Key Cybersecurity Highlights: ASEAN Regional CERT Operationalization: One of the significant milestones discussed was the operationalization of the ASEAN Regional Computer Emergency Response Team (CERT). This initiative aims to enhance collaboration among member states, facilitate real-time information sharing, and strengthen the region's preparedness against cyberattacks. The CERT's operationalization highlights ASEAN's focus on collective resilience in cyberspace. Tackling Online Scams: Online scams remain a pressing issue across ASEAN. The ASEAN Working Group on Anti-Online Scams (WG-AS) released its Report on Online Scams Activities in ASEAN (2023–2024), offering insights into the threat landscape. The report outlines key recommendations for regional collaboration to combat scams effectively. The ASEAN Recommendations on Anti-Online Scams provide a framework for governments to develop policies aimed at mitigating online fraud, with a focus on cross-border scams and fraudulent activities exploiting digital platforms. Promoting Responsible State Behavior in Cyberspace: ASEAN adopted the Checklist for Responsible State Behavior in Cyberspace, aligning with global norms to promote peace and security online. This initiative focuses on fostering cooperation and ensuring responsible use of digital tools while mitigating risks. Strengthening Cross-Border Data Governance: Data governance was another key topi
Tags: Ransomware, Tool, Vulnerability, Threat, Technical. Notes: ★★★
Source: Cyble. Date (GMT): 2025-01-24 14:40:40. Title: Unlocking Vulnrichment: Enhancing CVE Data for Smarter Vulnerability Management (direct link).
Overview: The Cybersecurity and Infrastructure Security Agency (CISA) has introduced Vulnrichment, an initiative designed to enhance CVE data by adding crucial context, scoring, and detailed analysis. Launched on May 10, 2024, Vulnrichment aims to empower security professionals by providing more than just basic CVE information: it offers the insights needed to make informed, timely decisions regarding vulnerability management. As part of a mid-year update, CISA's Tod Beardsley, Vulnerability Response Section Chief, provides an overview of how this resource can be leveraged to improve vulnerability management. For IT defenders and vulnerability management teams, Vulnrichment represents a significant advancement in how CVE data is presented and used. By enriching basic CVE records with essential metadata such as Stakeholder-Specific Vulnerability Categorization (SSVC) decision points, Common Weakness Enumeration (CWE) IDs, and Common Vulnerability Scoring System (CVSS) scores, Vulnrichment transforms raw CVE data into a more actionable and comprehensive resource. The best part? No additional setup is required. This enhanced data is integrated directly into the CVE feeds already consumed by security teams. Whether you are pulling CVE data from the official CISA platform at https://cve.org or from GitHub at https://github.com/CVEProject/cvelistV5, you are already collecting the enriched CVE records that Vulnrichment provides.
How Vulnrichment Enhances CVE Data: CISA's Vulnrichment is designed to provide a deeper layer of insight into each CVE, helping security professionals prioritize vulnerabilities with greater clarity. Here is an example of how Vulnrichment works with a specific CVE, CVE-2023-45727, which has been marked as a Known Exploited Vulnerability (KEV) by CISA. If you want to understand the exploitation status of this CVE, you can query the SSVC decision points included in the Vulnrichment ADP (Authorized Data Publisher) container. For instance, using the command-line tool jq, you can run a query to extract the "Exploitation" field and learn whether the vulnerability is actively being exploited, has only a proof of concept, or is not yet exploited in the wild. By parsing the ADP container, you can extract this enriched data, which helps you make informed decisions about whether to prioritize this vulnerability over others. This ability to access context-rich CVE data provides valuable intelligence for vulnerability management efforts, enabling teams to prioriti
Tags: Tool, Vulnerability, Threat, Patching, Technical. Notes: ★★★
Source: Cyble. Date (GMT): 2025-01-24 13:53:11. Title: Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks (direct link).
Threat actors chained together four vulnerabilities in Ivanti Cloud Service Appliances (CSA) in confirmed attacks on multiple organizations in September, according to an advisory released this week by the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The agencies urged users to upgrade to the latest supported version of Ivanti CSA and to conduct threat hunting on networks using the recommended detection techniques and Indicators of Compromise (IoCs). The January 22 advisory builds on October 2024 advisories from CISA and Ivanti and offers new information on the ways threat actors can chain vulnerabilities together in an attack. The four vulnerabilities were exploited as zero days, leading some to suspect sophisticated nation-state threat actors, possibly linked to the People's Republic of China (PRC).
The Ivanti CSA Exploit Chains: CVE-2024-8963, a critical administrative bypass vulnerability, was used in both exploit chains: first in conjunction with the CVE-2024-8190 and CVE-2024-9380 remote code execution (RCE) vulnerabilities, and in the second chain with CVE-2024-9379, a SQL injection vulnerability. The vulnerabilities were chained to gain initial access, conduct RCE attacks, obtain credentials, and implant web shells on victim networks. In one case, the threat actors (TAs) moved laterally to two servers. The vulnerabilities affect Ivanti CSA 4.6x versions before 519, and two of the vulnerabilities (CVE-2024-9379 and CVE-2024-9380) affect CSA versions 5.0.1 and below. However, Ivanti says the CVEs have not been exploited in version 5.0.
The First Exploit Chain: In the RCE attacks, the threat actors sent a GET request to datetime.php to obtain session and cross-site request forgery (CSRF) tokens, followed by a POST request to the same endpoint using the TIMEZONE input field to manipulate the setSystemTimeZone
Tags: Tool, Vulnerability, Threat, Patching, Cloud. Notes: ★★★
Source: Cyble. Date (GMT): 2025-01-23 13:31:20. Title: CERT-UA Warns of Malicious AnyDesk Requests Under the Pretext of Phony “Security Audits” (direct link).
Overview: Government entities and organizations in Ukraine are on high alert after the Computer Emergency Response Team of Ukraine (CERT-UA) uncovered a social engineering campaign targeting unsuspecting users with malicious AnyDesk requests. The attackers are impersonating CERT-UA, a legitimate government agency, to trick victims into granting remote access to their computers using AnyDesk, a popular remote desktop application. Here is a breakdown of the attack and how to stay safe.
Deceptive Tactics: Impersonation: Attackers are using the CERT-UA name, logo, and even a specific AnyDesk ID (1518341498, though this may change) to establish trust with potential victims. Pretext for Access: The attackers claim to be conducting a "security audit" to check the level of protection on the target's device.
CERT-UA's Clarification: CERT-UA has confirmed that it may use remote access tools like AnyDesk in specific situations. However, it emphasizes that such actions only occur “with prior approval” established through official communication channels.
Indicators of Compromise: Unsolicited AnyDesk connection requests, particularly those mentioning a security audit. AnyDesk requests from users named "CERT-UA" or with the AnyDesk ID 1518341498 (be wary of variations).
Recommendations to Stay Safe: Be Wary of Unsolicited Requests: Never grant remote access to your device unless you initiated the request and can confirm the identity of the person on the other end. Multi-Factor Authentication: Enable multi-factor authentication on any remote access software you use for an extra layer of security. Verification is Key: If you are unsure about the legitimacy of a remote access request, contact the organization the requester claims to represent through a verified communication channel (e.g., phone num
Tags: Tool. Notes: ★★★
Source: Cyble. Date (GMT): 2025-01-23 12:43:04. Title: Aircraft Collision Avoidance Systems Hit by High-Severity ICS Vulnerability (direct link).
Overview: A pair of vulnerabilities in the Traffic Alert and Collision Avoidance System (TCAS) II, used to avoid midair collisions, were among 20 vulnerabilities reported by Cyble in its weekly Industrial Control System (ICS) Vulnerability Intelligence Report. The midair collision system flaws have been judged at low risk of being exploited, but one of the vulnerabilities does not presently have a fix. They could potentially be exploited from adjacent networks. Other ICS vulnerabilities covered in the January 15-21 Cyble report to subscribers include flaws in critical manufacturing, energy and other critical infrastructure systems. The full report is available to subscribers, but Cyble is publishing information on the TCAS vulnerabilities in the public interest.
TCAS II Vulnerabilities: The TCAS II vulnerabilities were reported to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) by European researchers and defense agencies. CISA in turn disclosed the vulnerabilities in a January 21 advisory. The vulnerabilities are still undergoing analysis by NIST, but Cyble vulnerability researchers said the weaknesses “underscore the urgent need for enhanced input validation and secure configuration controls in transportation systems.” TCAS airborne devices function independently of ground-based air traffic control (ATC) systems, according to the FAA, and provide collision avoidance protection for a range of aircraft types. TCAS II is a more advanced system for commercial aircraft with more than 30 seats or a maximum takeoff weight of more than 33,000 pounds. TCAS II offers advanced features such as recommended escape maneuvers for avoiding midair collisions. The first vulnerability, CVE-2024-9310, is an “Untrusted Inputs” vulnerability in TCAS II that presently carries a CVSS 3.1 base score of 6.1. CISA notes that “By utilizing software-defined radios and a custom low-latency processing pipeline, RF signals with spoofed location data can be transmitted to aircraft targets. This can lead to the appearance of fake aircraft on displays and potentially trigger undesired Resolution Advisories (RAs).” The second flaw, CVE-2024-11166, is an 8.2-severity External Control of System or Configuration Setting vulnerability. TCAS II systems using transponders compliant with MOPS earlier than RTCA DO-181F could be attacked by threat actors impersonating a ground station to issue a Comm-
Tags: Tool, Vulnerability, Threat, Patching, Industrial, Commercial. Notes: ★★★
Source: Cyble. Date (GMT): 2025-01-22 10:44:07. Title: Australian Cyber Security Centre Targets Bulletproof Hosting Providers to Disrupt Cybercrime Networks (direct link).
Overview: The Australian Cyber Security Centre (ACSC) has issued a detailed warning regarding Bulletproof Hosting Providers (BPH). These illicit infrastructure services play a critical role in supporting cybercrime, allowing malicious actors to conduct their operations while remaining largely undetected. The Australian government's growing efforts to combat cybercrime highlight the increasing difficulty cybercriminals face in maintaining secure, resilient, and hidden infrastructure. BPH services are an integral part of the Cybercrime-as-a-Service (CaaS) ecosystem, which provides a range of tools and services enabling cybercriminals to carry out their attacks. From ransomware campaigns to data theft, cybercriminals rely on BPH providers to host illicit websites, deploy malware, and execute phishing scams. These hosting services help criminals stay out of reach of law enforcement and avoid detection, making it harder to track down those behind cyberattacks. The term "bulletproof" is somewhat misleading, as it is more of a marketing ploy than a reflection of the actual capabilities of these providers. Despite the branding, BPH providers remain vulnerable to disruption just like other infrastructure providers. What sets them apart is their blatant disregard for legal requests to shut down services: they refuse to comply with takedown orders or abuse complaints from victims or law enforcement. This allows cybercriminals to continue their activities with little fear of being interrupted or exposed.
How Bulletproof Hosting Providers Operate: BPH providers typically lease virtual or physical infrastructure to cybercriminals, offering them a platform to run their operations. These services often include leasing IP addresses and servers that obscure the true identities of their customers. Many BPH providers achieve this by using complex network switching methods, making it difficult to trace activity back to its source. In some cases, these providers even lease IP addresses from legitimate data centers or Internet Service Providers (ISPs), many of whom may remain unaware that their infrastructure is being used for criminal purposes. A key strategy employed by BPH providers is frequently changing the internet-facing identifiers associated with their customers. This could include altering IP addresses or domain names, further complicating efforts to track criminal activity. These techniques frustrate cybersecurity efforts and investigative agencies, hindering their ability to identify, apprehend, and disrupt criminal activity. Anot
Tags: Ransomware, Malware, Tool, Vulnerability, Threat, Legislation. Notes: ★★
Source: Cyble. Date (GMT): 2025-01-22 08:12:57. Title: Cyble Finds Thousands of Security Vendor Credentials on Dark Web (direct link).
Overview: Account credentials from some of the largest cybersecurity vendors can be found on the dark web, a result of the growing problem of infostealers, according to an analysis of Cyble threat intelligence data. The credentials – available for as little as $10 in cybercrime marketplaces – span internal accounts and customer access across web and cloud environments, including internal security-company enterprise and development environments that could pose substantial risk. The accounts ideally would have been protected by multifactor authentication (MFA), which would have made any attack more difficult. Still, the leaked credentials underscore the importance of dark web monitoring as an early warning system for keeping such leaks from growing into much larger cyberattacks.
Leaked Security Company Credentials: Leaked credentials have an inherent time value – the older the credentials, the more likely the password has been changed – so Cyble researchers looked only at credentials leaked since the start of the year. Cyble looked at 13 of the largest enterprise security vendors, along with some of the bigger consumer security companies, and found credentials from all of them on the dark web. The credentials were likely pulled from infostealer logs and then sold in bulk on cybercrime marketplaces. Most of the credentials appear to be customer credentials that protect access to sensitive management and account interfaces, but all the security vendors Cyble examined had access to internal systems leaked on the dark web, too. Security vendors had credentials leaked for potentially critical internal systems such as Okta, Jira, GitHub, AWS, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom, plus several other password managers, authentication systems, and device management platforms. Cyble did not attempt to determine whether any of the credentials were valid, but many were for easily accessible web console interfaces, SSO logins, and other web-facing account access points. The vendors Cyble looked at included a range of network and cloud security providers, including some of the biggest makers of SIEM systems, EDR tools, and firewalls. All have had data exposures just since the start of the year that ideally were addressed quickly, or at least required additional authentication steps for access. One of the largest security vendors Cyble looked at may have more sensitive accounts exposed, as company email addresses are listed among the credentials for
Tags: Ransomware, Tool, Vulnerability, Threat, Cloud. Notes: ★★★
Last update at: 2025-05-10 20:52:34
See our sources.

To see everything: Our RSS (filtered) Twitter