Cisco has issued a warning regarding active exploitation attempts of two persistent vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows, which have been present for two years. The vulnerabilities, identified as CVE-2020-3153 (with a CVSS score of 6.5) and CVE-2020-3433 (CVSS score: 7.8), could potentially allow authenticated local…
Linus Torvalds, the founder of Linux and Git, famously stated, “given enough eyeballs, all bugs are shallow.” While this highlights a core tenet of open-source software—that greater visibility can lead to more rapid identification of issues—recent analysis raises questions about the efficacy of this principle in real-world applications. Emil Wåreus,…
On Tuesday, Microsoft disclosed that it had rectified an authentication bypass vulnerability in Jupyter Notebooks associated with Azure Cosmos DB, which had the potential to grant unauthorized full read and write access. This issue was identified on August 12, 2022, and was effectively resolved worldwide by October 6, 2022, shortly…
OpenSSL has announced critical updates addressing two high-severity vulnerabilities within its cryptographic library. These flaws, identified as CVE-2022-3602 and CVE-2022-3786, pose risks of denial-of-service (DoS) attacks and potential remote code execution (RCE). The vulnerabilities stem from buffer overrun issues that can be exploited during the verification of X.509 certificates, typically…
Recent research has uncovered multiple critical vulnerabilities within Checkmk, an IT infrastructure monitoring software, which may allow an unauthenticated remote attacker to seize full control of affected systems. These vulnerabilities could potentially be mishandled collectively, posing significant risks to users, especially those utilizing Checkmk version 2.1.0p10 or older. Stefan Schiller,…
CISA Issues Warnings About Vulnerabilities in Industrial Control Systems The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently highlighted critical vulnerabilities in industrial control systems (ICS) through three advisory alerts. These advisories specifically address security flaws found in software produced by ETIC Telecom, Nokia, and Delta Industrial Automation, posing…
Recent disclosures from Microsoft highlight a worrying trend: nation-state and criminal actors are increasingly capitalizing on publicly-identified zero-day vulnerabilities to infiltrate targeted environments. In its detailed Digital Defense Report, which spans 114 pages, Microsoft observes that the time lag between the announcement of a vulnerability and its exploitation has decreased…
VMware has issued patches for five security vulnerabilities impacting its Workspace ONE Assist. These vulnerabilities pose significant risks, with some allowing attackers to bypass authentication and gain elevated access. Among the most severe are three vulnerabilities designated CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687, each rated 9.8 on the Common Vulnerability Scoring System…
Lenovo Addresses Critical UEFI Firmware Vulnerabilities Affecting Various Devices Lenovo has identified and addressed three significant vulnerabilities within the Unified Extensible Firmware Interface (UEFI) firmware that impact numerous Yoga, IdeaPad, and ThinkBook devices. These shortcomings could allow an adversary to disable UEFI Secure Boot or reset factory default Secure Boot…