exploit
WhatsApp patched zero-click flaw exploited in Paragon spyware attacks
WhatsApp has patched a zero-click, zero-day vulnerability used to install Paragon’s Graphite spyware following reports from security researchers at the University of Toronto’s Citizen Lab. The company addressed the attack vector late last year “without the need for a client-side fix” and decided not to assign a CVE-ID after “reviewing the CVE guidelines published by […]
Exploits for unpatched Parallels Desktop flaw give root on Macs
Two different exploits for an unpatched Parallels Desktop privilege elevation vulnerability have been publicly disclosed, allowing users to gain root access on impacted Mac devices. Parallels Desktop is a virtualization software that allows Mac users to run Windows, Linux, and other operating systems alongside macOS. It is very popular among developers, businesses, and casual users […]
CISA flags Craft CMS code injection flaw as exploited in attacks
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns that a Craft CMS remote code execution flaw is being exploited in attacks. The flaw is tracked as CVE-2025-23209 and is a high severity (CVSS v3 score: 8.0) code injection (RCE) vulnerability impacting Craft CMS versions 4 and 5. Craft CMS is a content management system (CMS) used […]
Hackers exploit authentication bypass in Palo Alto Networks PAN-OS
Hackers are launching attacks against Palo Alto Networks PAN-OS firewalls by exploiting a recently fixed vulnerability (CVE-2025-0108) that allows bypassing authentication. The security issue received a high-severity score and impacts the PAN-OS management web interface and allows an unauthenticated attacker on the network to bypass authentication and invoke certain PHP scripts, potentially compromising integrity and confidentiality. In […]
zkLend loses $9.5M in crypto heist, asks hacker to return 90%
Decentralized money lender zkLend suffered a breach where threat actors exploited a smart contract flaw to steal 3,600 Ethereum, worth $9.5 million at the time. zkLend is a decentralized money-market protocol built on Starknet, a Layer 2 scaling solution for Ethereum. It enables users to deposit, borrow, and lend various assets. The attack took place […]
SonicWall firewall exploit lets hackers hijack VPN sessions, patch now
Security researchers at Bishop Fox have published complete exploitation details for the CVE-2024-53704 vulnerability that allows bypassing the authentication mechanism in certain versions of the SonicOS SSLVPN application. The vendor warned about the high exploitation possibility of the flaw in a bulletin on January 7, urging administrators to upgrade their SonicOS firewalls’ firmware to address […]
Zyxel won’t patch newly exploited flaws in end-of-life routers
Zyxel has issued a security advisory about actively exploited flaws in CPE Series devices, warning that it has no plans to issue fixing patches and urging users to move to actively supported models. VulnCheck discovered the two flaws in July 2024, but last week, GreyNoise reported having seen exploitation attempts in the wild. According to network […]
CVE-2025-21298: A Critical Windows OLE Zero-Click Vulnerability
Explore CVE-2025-21298, a critical Windows OLE zero-click flaw enabling RCE via email. Learn its risks, impact, and how to defend against attacks. In January 2025, a critical security vulnerability identified as CVE-2025-21298 was disclosed, affecting Windows Object Linking and Embedding (OLE) technology. This vulnerability, with a CVSS score of 9.8, allows for remote code execution (RCE) through specially crafted emails, posing significant […]
Canadian charged with stealing $65 million using DeFI crypto exploits
The U.S. Justice Department has charged a Canadian man with stealing roughly $65 million after exploiting two decentralized finance (DeFI) protocols. DeFI platforms are blockchain-based systems that facilitate peer-to-peer financial services, eliminating the need for conventional centralized financial intermediaries like banks or brokerages. These platforms deliver various financial services related to digital assets, enabling their […]
Hackers get $886,250 for 49 zero-days at Pwn2Own Automotive 2025
The Pwn2Own Automotive 2025 hacking contest has ended with security researchers collecting $886,250 after exploiting 49 zero-days. Throughout the event, they targeted automotive software and products, including electric vehicle (EV) chargers, car operating systems (i.e., Android Automotive OS, Automotive Grade Linux, and BlackBerry QNX), and in-vehicle infotainment (IVI) systems. According to the Pwn2Own Tokyo 2025 contest rules, all […]