Cisco has released software updates to address a critical security flaw impacting Meeting Management that could permit a remote, authenticated attacker to gain administrator privileges on susceptible instances.
The vulnerability, tracked as CVE-2025-20156, carries a CVSS score of 9.9 out 10.0. It has been described as a privilege escalation flaw in the REST API of Cisco Meeting Management.
"This

Cisco Fixes Critical Privilege Escalation Flaw in Meeting Management (CVSS 9.9)

Google on Wednesday shed light on a financially motivated threat actor named TRIPLESTRENGTH for its opportunistic targeting of cloud environments for cryptojacking and on-premise ransomware attacks.
"This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," the tech giant's cloud division said in its 11th

TRIPLESTRENGTH Hits Cloud for Cryptojacking, On-Premises Systems for Ransomware

The AI-powered work platform helps organizations securely identify and access internal enterprise data as part of business processes and workflows.

Source: YAY Media AS via Alamy Stock Photo

NEWS BRIEF

All organizations, regardless of size or industry, are experiencing a data boom, with information being stored in multiple applications, such as Confluence, GitLab, Jira, Monday, Slack, Salesforce, and Zendesk. In turn, the ability to search through the mountains of data to find what they need has become increasingly more difficult. Enterprise search is an area where artificial intelligence (AI) can shine, with tools that take questions from users and them look through various information sources to provide relevant answers quickly.

The challenge, however, is delivering those answers without compromising data security. AI's ability to look at all of an organization's data means that an unauthorized actor could potentially manipulate the system to obtain information that they should not be able to access or use in a manner they should not. Doti AI, an AI-powered enterprise work platform that emerged from stealth today, promises to secure the organization's data while giving employees the ability to find information as part of existing workflows. For example, customer support teams can resolve issues faster by retrieving relevant knowledge base articles or identifying similar past cases without searching across multiple systems, the company said in a statement.

"Doti creates a centralized 'organizational brain' that empowers employees to find accurate, relevant information quickly and effortlessly," the company said.

The platform consolidates data from multiple business applications and sources and presents a single interface to the organization's data, the company said. Because it can handle both structured and unstructured data, users can use the platform to analyze codebases, draft communications, retrieve historical project context, and answer policy questions.

It can be deployed on-premises or in the cloud, and gives organizations robust security controls, including real-time permissions enforcement, hybrid deployment options, and granular access controls. Doti's approach to tenant segregation means customers have "complete flexibility and control over their data." The software-as-a-service customers get a dedicated database. Organizations can deploy the platform locally within their environment in either a fully on-premise or hybrid setup.

If someone compromises the organization, that actor will have only limited access to a limited subset of all the data the platform can see. Doti enforces document-level permissions at the data source. Each resource Doti retrieves is checked every time to ensure the user is allowed to access that information. Doti also developed a layer called "spaces," where specific data is bound to specific users. This means only the intended users can access that information.

The platform has both direct and indirect prompt injection guardrails to prevent leakage of unauthorized information.

As part of the launch, Doti AI also raised $7 million in seed funding led by F2 Venture Capital and several angel investors. Doti AI was founded in January 2024 by Matan Cohen and Opher Hofshi, who have experience in enterprise software and cybersecurity. They were both at Wix — where Cohen was the former software group manager and Hofshi was the former security architects team leader — where they saw firsthand the impact of "organizational information chaos" in large, fast-paced organizations.

**About the Author**

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional -- and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.

Doti AI Launches Platform to Securely Find Enterprise Data

The rush to say "yes" allows cybersecurity teams to avoid hard conversations with business stakeholders but also risks losing their ability to effectively protect organizations.

Source: Marek Uliasz via Alamy Stock Photo

For years, cybersecurity was frequently (and derisively) referred to as the "Department of No." Business executives griped that in the face of innovation, cybersecurity teams would slap down ideas, list reasons why the project was insecure, and why what they wanted to do was not feasible. Then came a mindset change. As more security leaders were tasked with demonstrating a return on investment for security budgets, security departments started finding ways to say "yes" more often.

But security's effort to shed the "Department of No" label may have swung too far in the opposite direction, according to Rami McCarthy, an industry veteran, leader, and security researcher who writes regularly on security leadership and management.

"Lately, every BSides \[conference\] seems to have a talk on avoiding the no and reframing security teams as a Department of Yes," McCarthy wrote recently, noting that these talks help create a false premise that saying no is inherently bad and should be avoided at all costs. In the enthusiasm to enable and accommodate, security often overlooks the value of a deliberate, strategic no and how that can create boundaries to protect the organization.

"The Department of Yes talks are inspiring, but they often elide the messy realities," McCarthy tells Dark Reading. "Working in partnership-oriented security programs, I've seen the harm caused by avoiding hard conversations: belated nos disrupting delivery, technical debt, and burned-out teams."

McCarthy believes the goal of security is not to be an obstacle but a guide—and sometimes guiding means saying no in a way that is clear, thoughtful, and constructive. The notion of security as the Department of No has long been criticized for its gatekeeping and adversarial approach. But in the push to reframe security teams as enablers, organizations risk overcorrecting and prioritizing harmony over hard truths, he says.

Saying no is a necessary tool for managing risk and maintaining alignment. Avoiding it entirely can create challenges, such as misalignment, overwhelmed teams, and unmanaged risks, McCarthy warns.

"Security teams can add the most value by reducing low-ROI risks, allowing the organization to focus on higher-ROI opportunities," he says. "This means being selective about when to say no and framing decisions in terms of how they align with business goals. Done well, security doesn't just mitigate risk—it enables the company to take smarter, bolder risks."

**The Cost of Avoiding No**

Avoiding the word no can have cascading effects, says behavioral scientist and cybersecurity expert Jessica Barker, MBE Ph.D. She argues that a well-considered no, delivered with empathy, can be a service to the organization rather than an obstacle.

"Empathy is not people-pleasing," Barker says. "It's about understanding the perspective of the person or team making the request, reflecting that understanding, and explaining why their request is not possible or why an alternative is a better option."

But there are also risks to saying no too often, says Tom Van de Wiele, an ethical hacker and cybersecurity adviser who has written on the importance of security's need to say yes. The pitfalls of saying no to people too often extend beyond hurt feelings, he says.

"The biggest risk is that people will simply work around security altogether," Van de Wiele says. "Once that happens, data can end up in uncontrolled environments, and the organization loses visibility into who is using what, where information lives, and how it's protected."

The avoidance can lead to shadow IT, technical debt, and temporary workarounds that become permanent, creating significant security gaps.

**How to Say No Effectively**

So how do security leaders balance the need to say yes to enable business but also say no well when necessary? It's not always simple. Delivering a poorly handled no can undermine trust and disrupt organizational processes. McCarthy says it's important to avoid giving a no without context, saying it too late, or doing so inconsistently. He also stresses the need to align decisions with business goals to foster trust and ensure stakeholders understand security's role.

Barker emphasizes that constructive communication is critical.

"People often want to be heard and respected, more than anything else," she says. "How communications are received and delivered makes a huge difference."

By aligning security decisions with business goals and presenting them as shared priorities, security teams can build trust and collaboration.

Van de Wiele highlights the importance of open communication, suggesting initiatives like "ask-me-anything" sessions and regular stand-ups to foster a culture of partnership.

"When employees see that the security team genuinely wants to enable their work, they're more likely to follow approved processes and seek guidance," he says.

**A Framework for Better Nos**

McCarthy suggests several strategies for delivering a constructive no that align with business goals and build trust:

1.  Align on business outcomes: Ensure all stakeholders agree on shared priorities and organizational goals before making decisions.
    
2.  Provide context: Clearly communicate the rationale for decisions, including the associated risks and how they align with priorities.
    
3.  Be consistent: Build trust by maintaining clear policies and standards so stakeholders know what to expect.
    
4.  Demonstrate partnership: Reinforce alignment with business goals by enabling secure pathways or timelines for progress where possible.
    
5.  Prioritize critical decisions: Be selective about when to say no, reserving firm decisions for significant risks or high-priority situations.
    

"The most effective strategy is showing, not just saying, that you're focused on enabling the business," McCarthy says. "Look for chances to align security with revenue-generating efforts. Reinforce this alignment and build trust with other teams."

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Security Needs to Start Saying 'No' Again

The new administration moved quickly to remove any constraints on AI development and collected $500 billion in investment pledges for an American-owned AI joint venture.

Source: Andrey Popov via Alamy Stock Photo

President Donald Trump revoked former President Joe Biden's 2023 executive order aimed at putting security guardrails around artificial intelligence (AI) systems and their potential impact to national security, giving a major boost to private sector companies like OpenAI, Oracle, and Softbank. They responded in kind with collective pledges to spend up to $600 billion on building out AI infrastructure in the US.

Biden's AI executive order required developers of AI and large language models (LLMs) like ChatGPT to develop safety standards and share results with the federal government to help prevent AI-powered cyberattacks against citizens, critical infrastructure, dangerous biological weapons, and other areas affecting US national security.

**Artificial Intelligence Private Sector Ponies Up**

Fast on the heels of that revocation, the Trump administration unveiled Project Stargate, which is intended to funnel hundreds of billions into AI infrastructure in the US. The Stargate event at the White House was attended by SoftBank CEO Masayoshi Son, who had already pledged $100 billion to the fund. OpenAI CEO Sam Altman and Oracle co-founder Larry Ellison each pledged an initial $100 billion, all of which will be used to set up a separate company committed to US AI infrastructure. Microsoft, Nvidia, and semiconductor company Arm are also involved as technology partners.

During the ceremony, Ellison said there are already data centers in Texas under construction as part of Project Stargate.

Leading AI CEOs, including Marty Sprinzen, CEO of Vantiq, were delighted by the news.

"As I sit here at the World Economic Forum in Davos, Switzerland, the atmosphere is charged with enthusiasm following President Trump's announcement of the Stargate initiative — a collaboration between OpenAI, SoftBank, and Oracle to invest up to $500 billion in artificial intelligence infrastructure," Sprinzen said in a statement.

One outlier with less enthusiasm for Project Stargate is Elon Musk, who claimed the companies don't have the cash to cover the pledges.

**Trump Administration's AI Cybersecurity Plan**

It's still not completely clear this means if or how there will be any federal oversight of AI technology or its development.

The Biden AI executive order was far from perfect, according to Max Shier, CISO at Optiv, but he still would like to see some federal oversight of AI development.

"I don't disagree with the reversal per se, as I don't think the EO that Biden signed was adequate and it had its flaws," Shier says. "However, I would hope that they replace it with one that levies more appropriate controls on the industry that are not as overbearing as the previous EO and still allows for innovation."

Shier anticipates standards developed by the National Institute for Standards and Technology (NIST) and the International Organization for Standardization (ISO) will help "provide guardrails for ethical and responsible use."

For now, the new administration is ready to leave the task of developing AI with adequate safety controls in private sector hands. Adam Kentosh at Digital.ai says he is confident they are up to the task.

"The rapid pace of AI development makes it essential to strike a balance between innovation and security. While this balance is critical, the responsibility likely falls more on individual corporations than on the federal government to ensure that industries adopt thoughtful, secure practices in AI development," Kentosh says. "By doing so, we can avoid a scenario where government intervention becomes necessary."

That might not be enough, according to Shier.

"Private enterprise should not be allowed to govern themselves or be trusted to develop under their own standards for ethical use," he stresses. "There has to be guardrails provided that don't stifle smaller companies from participating in innovation but still allow for some oversight and accountability. This is especially true in instances where public safety or national security is at risk or has the potential to cause risk."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Trump Overturns Biden Rules on AI Development, Security

Stored Cross-Site Scripting (XSS) in the Categorization Option of My Subscriptions Functionality in Silverpeas Core 6.4.1 allows a remote attacker to execute arbitrary JavaScript code. This is achieved by injecting a malicious payload into the Name field of a subscription. The attack can lead to session hijacking, data theft, or unauthorized actions when an admin user views the affected subscription.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-788m-27g4-cf86: Cross site scripting in Silverpeas Core

Advanced persistent threat group PlushDaemon, active since 2019, is using a sophisticated modular backdoor to collect data from infected systems in South Korea.

Source: BeeBright via Shutterstock

A newly discovered Chinese threat group has targeted a South Korean VPN developer with a supply chain attack aimed at deploying a custom backdoor to collect data for cyber-espionage purposes.

The group, dubbed PlushDaemon by the researchers at ESET Research who discovered it, typically aims to hijack legitimate updates of Chinese applications in its malicious operations "by redirecting traffic to attacker-controlled servers," according to a blog post by ESET researcher Facundo Muñoz published on Jan. 22. "Additionally, we have observed the group gaining access via vulnerabilities in legitimate web servers," he wrote.

However, the researchers also discovered the group in May 2024 planting malicious code in an NSIS installer for the Windows version of the VPN software of South Korean company IPany, representing a departure from its typical operations, they said. ESET notified IPany and the malicious installer was removed from the company's website.

PlushDaemon has been active since at least 2019, engaging in cyberespionage operations against individuals and entities in mainland China, Taiwan, Hong Kong, South Korea, the US, and New Zealand. The group is the exclusive user of several types of malware in its malicious activities, mostly notably a custom, modular backdoor for collecting various data from infected machines, called SlowStepper for Windows, according to ESET.

**Atypical Supply-Chain Attack**

The first sign of the supply-chain attack came in May 2024, when ESET researchers noticed detections of malicious code in an NSIS installer for Windows that users from South Korea had downloaded from the IPany website.

"The victims appear to have manually downloaded a ZIP archive containing a malicious NSIS installer from the URL https://ipany\[.\]kr/download/IPanyVPNsetup.zip," Muñoz wrote. However, the researchers didn't find suspicious code on the download page "to produce targeted downloads, for example by geofencing to specific targeted regions or IP ranges." This led them to believe that "anyone using the IPany VPN might have been a valid target."

Several users attempted to install the Trojanized software in the network of a semiconductor company and an unidentified software development company in South Korea. Further research found even older cases of infection via the campaign, with the two oldest coming from a victim in Japan in November 2023 and a victim in China in December 2023, the researchers said.

**SlowStepper Backdoor**

The payload in the supply chain attack is PlushDaemon's own SlowStepper backdoor, which has more than 30 modules. However, the group used a "lite" version of the backdoor in the IPany attack, which contains fewer features than other previous and newer versions, the researchers said.

The backdoor features a multistage command-and-control (C2) protocol using DNS, and is known for its ability to download and execute dozens of additional Python modules with espionage capabilities.

"Both the full and Lite versions make use of an array of tools programmed in Python and Go, which include capabilities for extensive collection of data, and spying through recording of audio and videos," Muñoz wrote.

The researchers found PlushDaemon's tools stored in a remote code repository hosted on the Chinese platform GitCode, under the LetMeGo22 account. At the time of writing, the profile was private.

**Another Chinese APT Emerges**

China already has a raft of known and active APTs that regularly and persistently engage in cyberespionage activities against the US and its allies. One of the most notable operations of late was the infiltration of US broadband provider networks by Chinese APT Salt Typhoon; however, the investigation into that incident was dealt a significant blow on Jan. 21, when President Trump, on his second day back in office, fired the cyber safety board looking into it.

However, with a new, sophisticated actor like PlushDaemon now emerging from the shadows, organizations need to be more vigilant than ever against malicious cyber activity from China, Muñoz said.

"The numerous components in the PlushDaemon toolset and its rich version history show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for," he wrote.

To that end, ESET included a link to its GitHub repository that contains a comprehensive list of indicators of compromise (IoCs) and samples of PlushDaemon activity.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Chinese Cyberspies Target South Korean VPN in Supply Chain Attack

CloudSEK uncovers a Zendesk vulnerability allowing cybercriminals to exploit subdomains for phishing and investment scams. Learn about the…

CloudSEK uncovers a Zendesk vulnerability allowing cybercriminals to exploit subdomains for phishing and investment scams. Learn about the risks and needed fixes.

Cybersecurity researchers at CloudSEK have identified a security vulnerability in Zendesk’s SaaS platform. The platform’s subdomain registration feature can be exploited by cybercriminals to launch phishing and investment scams.

Zendesk, a widely-used customer support platform, offers free trial accounts and allows users to easily register subdomains. According to CloudSEK’s analysis, this functionality can be abused by threat actors to create subdomains resembling legitimate brands, enabling convincing phishing campaigns.

Researchers noted that the vulnerability could be exploited in “pig butchering” scams, a form of investment fraud where victims are groomed over time into investing in fraudulent schemes.

CloudSEK’s analysis found 1,912 instances of Zendesk websites since 2023, with some companies showing an unusually high number of registered subdomains. While intended to facilitate rapid business setup, this feature introduces a significant security risk.

Attackers can use Zendesk’s platform to create fake subdomains, launch phishing campaigns, and build trust through its professional appearance. Leveraging Zendesk’s communication features, they can send phishing emails disguised as legitimate customer support messages. These emails often include malicious links or attachments to lure victims into clicking.

A demo phishing disguising as an invitation reached Gmail inbox (via CloudSEK).

In one demo phishing attack against XYZ Company, an attacker registered a URL mimicking the target company’s address, provided email, name, and company size details, and named a Zendesk instance. They then registered a subdomain, obtained admin access, and sent an invitation email. Threat actors used this setup to link active phishing pages to users, pretending to assign tickets.

Malicious links within the emails redirected victims to fake investment platforms or support pages controlled by the attackers. These platforms were designed to manipulate victims into sharing sensitive information or transferring funds.

CloudSEK’s research shared with Hackread.com also points out a critical flaw in Zendesk’s email validation process. The platform lacks essential checks when adding users to subdomains, allowing attackers to target employees and customers with phishing attempts disguised as legitimate ticket assignments. Zendesk emails often land directly in users’ primary inboxes, increasing the likelihood of interaction.

CloudSEK responsibly disclosed the vulnerability to Zendesk, urging prompt action to mitigate its exploitation by cybercriminals.

1.  Geo Targetly URL Shortener Abused in Phishing Scam
2.  NuGet Packages Exploited to Target Developers with Malware
3.  Postman Workspaces Leak 30K API Keys and Sensitive Tokens
4.  US Govt Impersonated in Aggressive DocuSign Phishing Scams
5.  PayPal Phishing Exploits MS365 Tools with Genuine-Looking Emails

Zendesk’s Subdomain Registration Exposed to Phishing, Pig Butchering Scams

The pardon comes after 11 years in prison for Ross Ulbricht, who was sentenced to life without parole on several charges, including computer hacking, distribution of narcotics, and money laundering.

Source: White House Photo via Alamy Stock Photo

NEWS BRIEF

On just his second day in office, President Trump has pardoned Ross Ulbricht, the creator and owner of an underground criminal forum website known for cybercrime and drug trafficking.

Known as "Dread Pirate Roberts," Ulbricht operated the anonymous marketplace, known as "Silk Road," from 2011 to 2013, until law enforcement shut down the site and arrested him in California.

At 31, Ulbricht was convicted of distributing narcotics, engaging in a continuing criminal enterprise, conspiring to commit computer hackings, conspiring to create fake identities, and laundering money, all of which earned him life in prison without parole — a harsh sentence that law enforcement insisted would act as a deterrent to others.

The Justice Department pursued charges against Ulbricht's associates, who claimed to have murdered five people on his behalf, though there is no evidence of these murders taking place.

Silk Road at the time was described as "the most sophisticated and extensive criminal marketplace on the Internet" by US Attorney Preet Bharara, and it was considered a place for criminals to buy and sell illegal drugs and other illegal goods anonymously and outside the lens of law enforcement.

Libertarian activists have supported Ulbricht's release for years on the premise that Ulbricht's early writings on his ideas for Silk Road stemmed from his interest in creating a free and anonymous marketplace.

In May 2024, President Trump promised to commute Ulbricht's sentence. After being reminded by Ulbricht of his promise via social media platform X, Trump fulfilled this campaign promise.

"I just called the mother of Ross William Ulbricht to let her know that in honor of her and the Libertarian Movement, which supported me so strongly, it was my pleasure to have just signed a full and unconditional pardon of her son, Ross," Trump posted to his Truth Social site yesterday. "The scum that worked to convict him were some of the same lunatics who were involved in the modern day weaponization of government against me. He was given two life sentences, plus 40 years. Ridiculous!"

Prior to his sentencing, Ulbricht stated that Silk Road was a costly idea that he "deeply regrets" in a letter to the judge when seeking leniency, however, it remains unclear if he continues to maintain these beliefs more than a decade later.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Trump Pardons 'Silk Road' Dark Web Drug Market Creator

A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

Latest News