vulnerability
MITRE shares 2024’s top 25 most dangerous software weaknesses
MITRE has shared this year’s top 25 list of the most common and dangerous software weaknesses behind more than 31,000 vulnerabilities disclosed between June 2023 and June 2024. Software weaknesses refer to flaws, bugs, vulnerabilities, and errors found in software’s code, architecture, implementation, or design. Attackers can exploit them to breach systems where the vulnerable […]
Ubuntu Linux impacted by decade-old ‘needrestart’ flaw that gives root
Five local privilege escalation (LPE) vulnerabilities have been discovered in the needrestart utility used by Ubuntu Linux, which was introduced over 10 years ago in version 21.04. The flaws were discovered by Qualys and are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. They were introduced in needrestart version 0.8, released in April 2014, and fixed only […]
Oracle warns of Agile PLM file disclosure flaw exploited in attacks
Oracle has fixed an unauthenticated file disclosure flaw in Oracle Agile Product Lifecycle Management (PLM) tracked as CVE-2024-21287, which was actively exploited as a zero-day to download files. Oracle Agile PLM is a software platform that enables businesses to manage product data, processes, and collaboration across global teams. Yesterday, Oracle urged Agile PLM customers to install the […]
Apple fixes two zero-days used in attacks on Intel-based Macs
Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems. “Apple is aware of a report that this issue may have been exploited,” the company said in an advisory issued on Tuesday. The two bugs were found in the macOS Sequoia JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309) components of […]
CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three new flaws in its Known Exploited Vulnerabilities (KEV) catalog, including a critical OS command injection impacting Progress Kemp LoadMaster. The flaw, discovered by Rhino Security Labs and tracked as CVE-2024-1212, was addressed via an update released on February 21, 2024. However, this is the first […]
D-Link urges users to retire VPN routers impacted by unfixed RCE flaw
D-Link is warning customers to replace end-of-life VPN router models after a critical unauthenticated, remote code execution vulnerability was discovered that will not be fixed on these devices. The flaw was discovered and reported to D-Link by security researcher ‘delsploit,’ but technical details have been withheld from the public to avoid triggering mass exploitation attempts in […]
Security plugin flaw in millions of WordPress sites gives admin access
A critical authentication bypass vulnerability has been discovered impacting the WordPress plugin ‘Really Simple Security’ (formerly ‘Really Simple SSL’), including both free and Pro versions. Really Simple Security is a security plugin for the WordPress platform, offering SSL configuration, login protection, a two-factor authentication layer, and real-time vulnerability detection. Its free version alone is used in […]
Palo Alto Networks warns of critical RCE zero-day exploited in attacks
Palo Alto Networks is warning that a critical zero-day vulnerability on Next-Generation Firewalls (NGFW) management interfaces, currently tracked as ‘PAN-SA-2024-0015,’ is actively being exploited in attacks. The flaw was originally disclosed on November 8, 2024, with Palo Alto Networks warning customers to restrict access to their next-generation firewalls because of a “potential” remote code execution (RCE) vulnerability impacting […]
Microsoft Exchange adds warning to emails abusing spoofing flaw
Microsoft has disclosed a high-severity Exchange Server vulnerability that allows attackers to forge legitimate senders on incoming emails and make malicious messages a lot more effective. The security flaw (CVE-2024-49040) impacts Exchange Server 2016 and 2019, and was discovered by Solidlab security researcher Vsevolod Kokorin, who reported it to Microsoft earlier this year. “The problem is that […]
D-Link won’t fix critical bug in 60,000 exposed EoL modems
Tens of thousands of exposed D-Link routers that have reached their end-of-life are vulnerable to a critical security issue that allows an unauthenticated remote attacker to change any user’s password and take complete control of the device. The vulnerability was discovered in the D-Link DSL6740C modem by security researcher Chaio-Lin Yu (Steven Meow), who reported it to Taiwan’s […]