Vulnerabilities Archives - Page 20 of 85

Exploitation of VMware Vulnerability Imminent Following Release of PoC

Issued by: Security Week

The vulnerability, tracked as CVE-2022-22972, affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. It allows a malicious actor who has network access to the UI to bypass authentication. Shortly after VMware released patches, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors would “quickly develop a capability to exploit CVE-2022-22972,”…

Vulnerabilities

Researchers Devise New Type of Bluetooth LE Relay Attacks

Issued by: Security Week

Meant to provide significantly reduced power consumption and costs at communication ranges similar to those provided by Bluetooth, BLE is used for a broad range of applications in sectors such as automotive, healthcare, security, home entertainment, and more. BLE proximity authentication is typically to unlock or keep unlocked products such as cars, smart locks, access…

Vulnerabilities

Critical Zyxel Firewall Bug Under Active Attack After PoC Exploit Debut

Issued by: Dark Reading

Zyxel firewalls are under active cyberattack after a critical security vulnerability was disclosed last week that could allow unauthenticated, remote arbitrary code execution. The bug (CVE-2022-30525, CVSS 9.8) was silently patched in April, but no public disclosure was made until last Thursday, May 12, when Rapid7 released a technical report on the issue. It also…

Vulnerabilities

Critical Vulnerability Allows Remote Hacking of Zyxel Firewalls

Issued by: Security Week

The flaw, tracked as CVE-2022-30525, affects ATP, VPN and USG FLEX series firewalls. The vulnerability can be exploited by a remote, unauthenticated attacker for arbitrary code execution as the “nobody” user. The affected products are recommended for businesses and they provide VPN, SSL inspection, intrusion protection, web filtering and email security capabilities. The Shodan search…

Vulnerabilities

Known macOS Vulnerabilities Led Researcher to Root Out New Flaws

Issued by: Dark Reading

Sometimes all it takes to root out a new software vulnerability is to study and analyze previous bug reports. That’s how researcher Csaba Fitzl says he sniffed out some new Apple macOS vulnerabilities, one of which was a mirror image of a logic flaw that a group of researchers competing in the 2020 Pwn2Own contest…

Vulnerabilities

ICS Patch Tuesday: Siemens, Schneider Electric Address 43 Vulnerabilities

Issued by: Security Week

Siemens has released 12 advisories covering 35 vulnerabilities. Based on CVSS scores, the most important advisory covers 11 flaws affecting the web server of SICAM P850 and P855 devices. One of these bugs is critical and it allows an unauthenticated attacker to execute arbitrary code or launch a denial-of-service (DoS) attack. The five high-severity vulnerabilities…

Vulnerabilities

Microsoft Azure Vulnerability Allowed Code Execution, Data Theft

Issued by: Security Week

Tracked as CVE-20220-29972, the security hole was identified in the third-party Open Database Connectivity (ODBC) data connector used in Integration Runtime (IR) in the affected Azure services to connect to Amazon Redshift. A remote attacker could have exploited the flaw to execute arbitrary commands across the IR infrastructure, impacting multiple tenants, the tech giant explains….

Vulnerabilities

Synology, QNAP, WD Warn Users About Vulnerabilities Exploited at Hacking Contest

Issued by: Security Week

The vulnerabilities were disclosed at the Zero Day Initiative’s Pwn2Own Austin contest in November 2021, where participants earned more than $1 million for hacking routers, printers, smart spears, smartphones and network-attached storage (NAS) devices. The NAS exploits at Pwn2Own targeted WD devices, and they earned participants roughly $500,000. It turns out that at least half…

Vulnerabilities

Many Internet-Exposed Servers Affected by Exploited Redis Vulnerability

Issued by: Security Week

Tracked as CVE-2022-0543, the security hole has a CVSS score of 10 and is described as an insufficient sanitization in Lua. While Redis statically links the Lua Library, some Debian/Ubuntu packages dynamically link it, leading to a sandbox escape that can be exploited to achieve remote code execution. Both Debian and Ubuntu announced patches for…

Vulnerabilities

Hackers fool major tech companies into handing over data of women and minors to abuse

Issued by: Blog Malwarebytes

Some major tech companies have unwittingly opened harassment and exploitation opportunities to the women and children who they have pledged to protect. This happened because they provided information in response to emergency data requests from legitimate law enforcement accounts that hackers had compromised. This finding came from four federal law enforcement agencies and a couple…