Displaying items by tag: RCE

Wednesday, 12 March 2025 11:07

March Patch Tuesday Reveals 57 vulnerabilities

GUEST OPINION: Microsoft is addressing 57 vulnerabilities this March 2025 Patch Tuesday, which is a similar volume to last month. However, Microsoft has evidence of in-the-wild exploitation for as many as six of the vulnerabilities published today, and CISA KEV already lists all of them.

Published in Security
Saturday, 14 December 2024 09:50

December Patch Tuesday Reveals 70 vulnerabilities

GUEST OPINION: Microsoft is addressing 70 vulnerabilities this December 2024 Patch Tuesday, with evidence of in-the-wild exploitation and public disclosure for one of the vulnerabilities published today, and this is reflected in a CISA KEV entry.

Published in Guest Opinion

GUEST RESEARCH:

Executive Summary

  • Team82 has researched devices manufactured by Ruijie Networks and discovered 10 vulnerabilities in its Reyee cloud management platform
  • These vulnerabilities affect both the Reyee platform and Reyee OS network devices
  • The vulnerabilities, if exploited, could allow a malicious attacker to execute code on any cloud-enabled device, giving them the ability to control tens of thousands of devices
  • In addition, Team82 has devised an attack called Open Sesame, in which an attacker can pinpoint and exploit a device in close physical proximity through the cloud, executing arbitrary code on it and gaining access to its internal network

Published in Guest Research

COMPANY NEWS UPDATE: As production lines become increasingly reliant on interconnected computer systems, the risk of cybercriminal exploitation looms large.

Published in Security

Security firm F5 has disclosed a critical vulnerability in its BIG-IP product, a family of hardware and software solutions that are used for application delivery and centralised device management.

Published in Security

COMPANY NEWS: Sophos, a global leader in next-generation cybersecurity, today released details of a novel exploit that bypasses a patch for a critical vulnerability (CVE-2021-40444) affecting the Microsoft Office file format. The findings are reported in a new SophosLabs Uncut article, “Attackers test ‘CAB-less 40444’ exploit in a dry run,” that shows how the attackers took a publicly available proof-of-concept Office exploit and weaponised it to deliver Formbook malware. The attackers then distributed it through spam emails for approximately 36 hours before it disappeared, according to Sophos researchers.

Published in Company news

A serious vulnerability in the Log4j Java-based logging library is affecting many enterprise applications and cloud services.

Published in Security

Cybersecurity risks in the retail industry suggest that the 2021 holiday shopping season will be further disrupted by cybercriminals looking to create chaos and take advantage of an unprecedented global supply chain crisis, according to one security firm.

Published in Security

A widely deployed SSL VPN device known as Pulse Secure Connect has been revealed to have a serious vulnerability, with a Common Vulnerability Scoring System score of 10, the maximum possible, that can be exploited remotely.

Published in Security

Three remotely exploitable vulnerabilities in Microsoft's NT LAN Manager, a proprietary authentication protocol, have been patched by the company in its updates for June, after they were detailed by Israeli security outfit Preempt.

Published in Security
Wednesday, 31 January 2018 12:00

Cisco patches serious flaw in ASA software

Networking vendor Cisco has released patches to fix a flaw in its Adaptive Security Appliance software that can be remotely exploited.

Published in Security
