OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-p3qf-84rg-jxfc: OliveTin OS Command Injection vulnerability

After reporters found dozens of firms hiding privacy tools from search results, US senator Maggie Hassan insists the companies explain their practices—and pledge to improve access to privacy controls.

United States senator Maggie Hassan is pressing major data brokers after an investigation by The Markup/CalMatters and copublished by WIRED found at least 35 firms hid opt-out information from search results, making it harder for people to take control of their own data and safeguard their privacy online.

Hassan, the top Democrat on the Joint Economic Committee, put five of the top firms—IQVIA Digital, Comscore, Telesign Corporation, 6sense Insights, and Findem—on notice Wednesday, demanding that each explain why code on their sites appears designed to frustrate deletion requests.

None of the companies immediately responded to WIRED’s request for comment. None previously responded to requests for comment during the investigation.

California law requires brokers to provide a way to delete personal data; however, the investigation found dozens of registered brokers obscuring their opt-out tools by hiding them from Google and other search results. Consumer advocates called it a “clever work-around” that undermines privacy rights and may qualify as an illegal _dark pattern_—a design decision that, according to California’s privacy regulator, erodes consumer “autonomy, decision making, or choice when asserting their privacy rights or consenting.”

Hassan wants the firms to justify the placement of their opt‑out pages; acknowledge whether they used code to block search indexing and, if so, against how many users; pledge to remove any such code by September 3; and provide Congress with recent audit results and steps taken since the investigation, if any, to improve user access.

“Data brokers and other online providers have a responsibility to prevent the misuse of consumer data, and Americans deserve to understand if and how their personal information is being used,” Hassan wrote, citing other tactics variously employed by the firms—forcing users to scroll through multiple screens, dismiss needless pop-ups, and hunt for links in shrunken text.

Behind the scenes, data brokers fuel a multibillion-dollar industry that trades in detailed personal information—often gathered without a person’s knowledge or consent. They compile sprawling dossiers often packed with precise location histories, political leanings, and religious affiliations, then sell and resell those profiles, powering everything from hyper‑targeted ads to law‑enforcement surveillance.

Even among the small share of Americans who know this surveillance ecosystem exists, fewer still grasp its true scale—or the ways it can shape, influence, or intrude on their lives.

Earlier this year, the Trump administration quietly abandoned a proposed rule that would have sharply limited brokers’ collection and sale of Americans’ data by treating certain brokers as “consumer reporting agencies” under the Fair Credit Reporting Act. At the same time, contract documents show the US intelligence community is preparing a centralized marketplace to streamline purchases of commercially available data—giving agencies shared access to large repositories of sensitive information without the court orders otherwise required for traditional surveillance.

For survivors of domestic violence, sexual assault, and stalking, the risks are acute. The National Network to End Domestic Violence’s Safety Net Project warns that data brokers collect and sell vast amounts of information that can put survivors at risk, adding that opting out is already a burdensome, piecemeal process, forcing people to contact companies one by one, navigate hard-to-find forms, and resubmit deletion requests regularly as information is re-collected and re-listed.

“Instead of requiring people to navigate byzantine labyrinths to protect their personal information, these companies have a responsibility to make the tools that allow Americans to exercise their right to privacy easy to find and use,” Hassan tells WIRED.

Sean Vitka, the executive director of Demand Progress, a nonprofit advocacy group critical of the industry, compares the surveillance ecosystem underlying commercial data markets to the knotted tails of a rat king—an inseparable tangle of entities sustained by unchecked data flows. “The damage done by data brokers manifests in countless ways,” he says, “but it’s all enabled by the same predatory abuse of consumers’ data.”

“And consistent with what we’re seeing here, the industry cannot be trusted to mitigate its own harms.”

Data Brokers Face New Pressure for Hiding Opt-Out Pages From Google

Kaspersky reports Efimer Trojan infecting thousands, swapping crypto wallets, brute-forcing sites, and spreading through torrents and phishing. Cybercriminals…

Kaspersky reports Efimer Trojan infecting thousands, swapping crypto wallets, brute-forcing sites, and spreading through torrents and phishing.

Cybercriminals are getting more creative with their scams, and the latest example comes from a malware operation known as Efimer. First spotted by Kaspersky in October 2024 and still active and spreading in 2025, the Trojan has been stealing cryptocurrency, spreading through hacked WordPress sites, torrents and targeted phishing emails.

****Phishing Emails Posing as Legal Notices****

The phishing emails in the most recent campaign pretend to come from lawyers at a large company, warning recipients that their domain name violates trademarks. The message threatens legal action but offers to buy the domain instead.

Victims are then prompted to open an attachment for “details,” which actually contains a multi-stage script. This script drops the Efimer trojan and disguises its activity with fake error messages, so users think nothing happened.

The phishing email (Image via Securelist)

****Replacing Your Wallet Addresses****

Once running, Efimer behaves like a ClipBanker Trojan. It monitors the clipboard for cryptocurrency wallet addresses and replaces them with the attacker’s own. It also targets mnemonic phrases used to recover wallets, saving them to files before exfiltrating them to a command server hidden on the Tor network.

If Task Manager is running, the malware shuts down to avoid detection. It even installs Tor itself if it’s not already on the machine, downloading it from multiple hardcoded URLs to make blocking more difficult.

****Targeting WordPress Sites with Brute Force****

Kaspersky’s analysis shows Efimer has extra scripts that can brute-force WordPress logins by automatically generating target domains from Wikipedia word lists, then testing large batches of passwords against them.

When credentials are cracked, attackers can post malicious files or lure users with fake movie torrents. One such lure involves a password-protected torrent that appears to contain a film in XMPEG format but actually installs another Efimer variant, complete with spoofed wallets for Tron and Solana.

Another script, nicknamed “Liame,” focuses on gathering email addresses from specified websites. It can scrape addresses from HTML and mailto links, then send them back to the attackers.

The same infrastructure can also push spam-like payloads to targeted domains. This versatility means Efimer can serve both as a direct theft tool and as part of a larger spam or phishing system.

One of the malicious torrent files involved in the scam (Image via Securelist)

****Worldwide Victims****

From October 2024 to July 2025, Kaspersky products detected over 5,000 users hit by Efimer, with the highest activity in Brazil, followed by India, Spain, Russia, Italy and Germany. The attackers clearly target both individuals, through torrents and phishing, and businesses, by compromising corporate websites.

To protect your system from Efimer trojan, don’t open suspicious attachments, don’t download torrents from random sites and keep your antivirus software updated. For website owners, strong passwords, two-factor authentication, and regular software updates are critical to keep attackers from installing malware on their servers.

Efimer Trojan Steals Crypto, Hacks WordPress Sites via Torrents and Phishing

Researchers observed exploitation attempts against a vulnerability with a CVSS score of 10 in a popular Erlang-based platform for critical infrastructure and OT development.

Patch Now: Attackers Target OT Networks via Critical RCE Flaw

In the August 2025 patch Tuesday round Microsoft fixed a total of 111 Microsoft vulnerabilities, some of which are very important.

In the August 2025 patch Tuesday round Microsoft fixed a total of 111 Microsoft vulnerabilities. A few of them are very important for people to apply.

Even if you’re not a tech expert, keeping your Windows system up to date is one of the simplest and most effective ways to protect yourself from online threats. Microsoft releases important updates on the second Tuesday of every month, called “Patch Tuesday.” These updates fix security problems and keep your Windows system up to date.

Here is a step-by-step guide for updating your Windows 11 (it might be slightly different for older versions) computer this August 2025:

1\. Open **Settings**

*   Click the Start button (the Windows logo at the bottom left of your screen).
*   Click on Settings (it looks like a little gear).

2\. Go to **Windows Update**

*   In the Settings window, look for Windows Update (usually at the bottom of the menu on the left).
*   Click on Windows Update.

3\. **Check for Updates**

*   You’ll see a button that says **Check for updates**. Click it.
*   Windows will now look for the August 2025 Patch Tuesday updates.

If you have selected automatic updates earlier you may see this:  

And this:

*   Which means all you have to do is restart your system and you’re done updating.
*   If not, continue with the below.

4\. **Download and Install**

*   If updates are found, they will start downloading right away. When that’s done, you’ll see a button that says **Install** or **Restart now**.
*   Click **Install** if needed and follow any prompts. Your computer will usually need a restart to finish the update. If it does, click **Restart now**.

5\. Double-check everything Is updated

*   After restarting, go back to Windows Update and check again. If it says **You’re up to date**, you’re all set!

Of the 111 fixed flaws, a few stand out. Let’s have a look at why this round is important.

CVE-2025-50165: Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.

This vulnerability can be exploited without user interaction and for example be exploited by sending a target a specially .jpeg file in an Office document or other documents and files. Successful exploitation allows arbitrary remote code execution (RCE) which basically means your machine is at their control.

CVE-2025-53766: Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network.

A buffer overflow occurs when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region.

GDI+ (Graphics Device Interface Plus) is a component of the Windows operating system that provides a way for applications to display graphics and formatted text on screens and printers.

An attacker could trigger this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile. Successful exploitation of this vulnerability could cause remote code execution or information disclosure on web services that are parsing documents that contain a specially crafted metafile, without involvement of the target. In the worst-case scenario, an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Microsoft patches some very important vulnerabilities in August&#8217;s patch Tuesday 

Cybersecurity researchers have discovered a new malvertising campaign that's designed to infect victims with a multi-stage malware framework called PS1Bot.
"PS1Bot features a modular design, with several modules delivered used to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance, and the establishment of persistent system

New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks

Soosyze CMS 2.0 allows brute-force login attacks via the /user/login endpoint due to missing rate-limiting and lockout mechanisms. An attacker can repeatedly submit login attempts without restrictions, potentially gaining unauthorized administrative access. This vulnerability corresponds to CWE-307: Improper Restriction of Excessive Authentication Attempts.

GHSA-vq9x-w82r-rhmc: Soosyze CMS's /user/login endpoint missing rate-limiting and lockout mechanisms

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.

Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-gqp3-2cvr-x8m3: Apache Tomcat Improper Resource Shutdown or Release vulnerability

Session Fixation vulnerability in Apache Tomcat via rewrite valve.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Older, EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

GHSA-23hv-mwm6-g8jf: Apache Tomcat Session Fixation vulnerability

A surge in brute-force attacks on Fortinet products could signal a new vulnerability. A timeline shows a strong…

A surge in brute-force attacks on Fortinet products could signal a new vulnerability. A timeline shows a strong link between attack spikes and security flaws.

An unusual surge in cyberattack activity against security products from Fortinet has put experts on alert. On August 3, 2025, researchers at cybersecurity firm GreyNoise detected a major spike in brute-force attacks, with over 780 unique IP addresses targeting Fortinet’s SSL VPNs in a single day. This discovery was revealed in a detailed research report shared with Hackread.com.

For your information, a brute-force attack is when an attacker repeatedly tries to guess a username or password to break into a system. GreyNoise’s analysis of this traffic revealed a focused and deliberate effort by attackers, not just random opportunism. The research also found that Hong Kong and Brazil were the top target countries over the last 90 days.

GreyNoise security experts observed two distinct waves of these attacks. The first was a long-running, steady attack, but a second, more focused wave began on August 5. While the initial August 3 traffic targeted Fortinet’s main operating system, FortiOS, the later attacks shifted to FortiManager, a tool that manages and configures multiple Fortinet devices. Targeting FortiManager could allow attackers to compromise entire networks rather than individual systems.

The researchers also found a clue that the attackers might have launched their tools from a residential network, possibly a home computer. While not unheard of, this is unusual for such large-scale, coordinated attacks and could mean the attackers are trying to disguise their operations as normal internet traffic. This link suggests a connection between the recent attacks and earlier activity observed in June.

According to GreyNoise’s research, spikes in this kind of cyberattack activity are often a warning sign. The company found that 80% of similar attack surges against a vendor’s products are followed by a public disclosure of a new security vulnerability.

A timeline from GreyNoise visually demonstrates this link. The chart below shows that white dots, which represent a spike in brute-force activity, consistently appear before or at the same time as red dots, which represent a new public security vulnerability (CVE). This correlation suggests that a sudden increase in attacker activity is a strong indicator that a new flaw may soon be discovered or disclosed.

Source: GreyNoise

With this new activity, Fortinet customers are being advised to remain on high alert and to use GreyNoise’s tools to identify and block malicious IP addresses. Hackread.com will continue to monitor the situation closely for any new developments.

Latest News