Latest News

A critical security vulnerability has been disclosed in AMI's MegaRAC Baseboard Management Controller (BMC) software that could allow an attacker to bypass authentication and carry out post-exploitation actions. The vulnerability, tracked as CVE-2024-54085, carries a CVSS v4 score of 10.0, indicating maximum severity. "A local or remote attacker can exploit the vulnerability by accessing the

Cybercriminals exploit AI hype with SEO poisoning, tricking users into downloading malware disguised as DeepSeek software, warns McAfee Labs in a new report.

Cybersecurity researchers have warned about a large-scale ad fraud campaign that has leveraged hundreds of malicious apps published on the Google Play Store to serve full-screen ads and conduct phishing attacks. "The apps display out-of-context ads and even try to persuade victims to give away credentials and credit card information in phishing attacks," Bitdefender said in a report shared with

Palo Alto, USA, 18th March 2025, CyberNewsWire

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.2 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: WebHMI – Deployed with EcoStruxure Power Automation System Vulnerability: Initialization of a Resource with an Insecure Default 2. RISK EVALUATION Successful exploitation of this vulnerability could allow unauthorized access to the underlying software application running WebHMI. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports the following products are affected because they use WebHMI v4.1.0.0 and prior: EcoStruxure Power Automation System: Versions 2.6.30.19 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 Initialization of a Resource with an Insecure Default CWE-1188 An initialization of a resource with an insecure default vulnerability exists that could cause an attacker to execute unauthorized commands when a system's default password credentials have not been changed on first use. The default username is not displayed correctly in t...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.4 ATTENTION: Low attack complexity/public exploits are available/known public exploitation Vendor: Rockwell Automation Equipment: Industrial Data Center (IDC) with VMware, VersaVirtual Appliance (VVA) with VMware, Threat Detection Managed Services (TDMS) with VMware, Endpoint Protection Service with RA Proxy & VMware, Engineered and Integrated Solutions with VMware Vulnerabilities: Time-of-check Time-of-use (TOCTOU) Race Condition, Write-what-where Condition, Out-of-bounds Read 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker with local administrative privileges to execute code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Rockwell Automation Lifecycle Services with VMware are affected: Industrial Data Center (IDC) with VMware: Generations 1 through 4 VersaVirtual Appliance (VVA) with VMware: Series A and B Threat Detection Managed Services (TDMS) with VMware: All versions Endpoi...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.0 ATTENTION: Low Attack Complexity Vendor: Schneider Electric Equipment: EcoStruxure Power Automation System User Interface (EPAS-UI) Vulnerability: Improper Authentication 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to bypass device authentication, potentially gain access to sensitive information, or execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: EcoStruxure Power Automation System User Interface (EPAS-UI): Version v2.1 up to and including v2.9 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER AUTHENTICATION CWE-287 The Schneider Electric EcoStruxure Power Automation System User Interface (EPAS-UI) is vulnerable to authentication bypass. This occurs when an unauthorized user, without permission rights, has physical access to the EPAS-UI computer and is able to reboot the workstation and interrupt the normal boot process....

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: ASCO 5310 / 5350 Vulnerabilities: Download of Code Without Integrity Check, Allocation of Resources Without Limits or Throttling, Cleartext Transmission of Sensitive Information, Unrestricted Upload of File with Dangerous Type 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to perform a denial of service, loss of availability, or loss of device integrity. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports the following products are affected: Schneider Electric ASCO 5310 Single-Channel Remote Annunciator: All versions Schneider Electric ASCO 5350 Eight Channel Remote Annunciator: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK CWE-494 Schneider Electric ASCO 5310 / 5350 remote annunciator is vulnerable to a download of code without integrity check vulner...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 4.0 ATTENTION: Low attack complexity Vendor: Schneider Electric Equipment: EcoStruxure Panel Server Vulnerability: Insertion of Sensitive Information into Log File 2. RISK EVALUATION Successful exploitation of this vulnerability could allow disclosure of sensitive information, including the disclosure of credentials. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports the following versions of EcoStruxure Panel Server are affected: EcoStruxure Panel Server: Versions v2.0 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 Insertion of Sensitive Information into Log File CWE-532 There is an insertion of sensitive information into log files vulnerability that could cause the disclosure of FTP server credentials when the FTP server is deployed, and the device is placed in debug mode by an administrative user and the debug files are exported from the device. CVE-2025-2002 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.0 ...

Amazon informed Echo users in the US that the "Do not send voice recordings" feature will stop working on March 28, 2025.