### Impact
There is an arbitrary code execution vulnerability in the `CsvEnumerator` class of the `job-iteration` repository. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise.

### Patches
Issue is fixed in versions `1.11.0` and above.

### Workarounds
Users can mitigate the risk by avoiding the use of untrusted input in the `CsvEnumerator` class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid calling `size` on enumerators constructed with untrusted CSV filenames.

**Impact**

There is an arbitrary code execution vulnerability in the CsvEnumerator class of the job-iteration repository. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise.

**Patches**

Issue is fixed in versions 1.11.0 and above.

**Workarounds**

Users can mitigate the risk by avoiding the use of untrusted input in the CsvEnumerator class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid calling size on enumerators constructed with untrusted CSV filenames.

**References**

*   GHSA-6qjf-g333-pv38

GHSA-6qjf-g333-pv38: Job Iteration API is vulnerable to OS Command Injection attack through its CsvEnumerator class

Online privacy, security, and performance today are more important than ever. For professionals and businesses working online, it’s…

Online privacy, security, and performance today are more important than ever. For professionals and businesses working online, it’s essential to use tools that protect their operations and ensure efficiency. One of the most valuable tools available today is to buy dedicated proxy services that give you exclusive, high-quality IP addresses.

****What Is a Dedicated Proxy?****

A dedicated proxy, also known as a private proxy, provides a single user with full control over an IP address. Unlike shared proxies, where multiple users may compete for bandwidth or reputation, a dedicated proxy ensures optimal speed, security, and reliability because you don’t share it with anyone else.

****Benefits of Dedicated Proxies****

When you buy a dedicated proxy, you unlock significant advantages:

*   **Exclusive IP control**: Your activities are completely isolated from others, reducing the risk of blacklisting or poor IP reputation.
*   **Improved performance**: No bandwidth competition ensures faster, more stable connections.
*   **Better privacy**: Hide your true IP and protect sensitive information.
*   **Reliable data scraping**: Dedicated proxies allow you to collect data efficiently from websites without facing bans.
*   **Bypass geo-restrictions**: Access global platforms as if you were physically in different countries.

Whether you are an e-commerce business, a digital marketer, or a private individual who values privacy, a dedicated proxy can help you operate securely and efficiently.

****Who Needs Dedicated Proxies?****

Dedicated proxies are ideal for:

*   **Businesses** that require secure and reliable online operations.
*   **SEO professionals** monitor search engine results without risking IP bans.
*   **Ad agencies** verifying ads in different regions.
*   **Developers** running scripts or bots that need a clean, private IP address.
*   **Privacy-focused individuals** who want better control of their online footprint.

****Choosing the Right Provider****

When you decide to buy dedicated proxy services, look for:

*   **Fast and unlimited bandwidth**: Essential for data-heavy tasks.
*   **High uptime**: At least 99.95% to ensure your operations run smoothly.
*   **Large IP pool**: Enables access to a range of locations and IP types.
*   **Flexible authentication**: Choose between user-password or IP whitelisting.
*   **Quality support**: Responsive customer service makes all the difference.

Trusted providers offer not just proxies but complete infrastructure and peace of mind for businesses operating in an increasingly competitive online environment.

****Conclusion****

Investing in dedicated proxies is a smart choice for anyone who values speed, security, and privacy online. These proxies give you full control over your IP identity and ensure you can operate without interruptions or risks caused by shared resources.

By choosing a reputable provider, you can ensure that your business or personal activities stay safe, fast, and effective, giving you a competitive advantage in today’s online economy.

Dedicated Proxies: A Key Tool for Online Privacy, Security and Speed

Denmark introduces new AI Copyright Rules to ban non-consensual deepfakes, giving citizens legal control over their face, voice and digital likeness.

Denmark is taking a ground-breaking step in the fight against deepfake technology, proposing an amendment to its copyright laws that would allow individuals to own their own likeness. This innovative approach, backed by a broad consensus in the Danish Parliament, aims to empower citizens to demand the removal of unauthorised digital reproductions of their appearance and voice from online platforms.

****The Growing Threat of Deepfakes****

Deepfakes are incredibly realistic digital fabrications of a person’s image, voice, or actions and are becoming more sophisticated and harder to distinguish from reality, posing significant risks, including harassment, coercion, and even falsely implicating individuals in crimes.

Current legal frameworks, like the United States’ Digital Millennium Copyright Act (DMCA), typically protect creative works like photos or recordings, but not a person’s inherent identity. This means only individuals with significant resources, like Scarlett Johansson, can effectively fight against deepfakes since ordinary citizens often lack the means to pursue legal action.

For your information, in 2024, Scarlett Johansson and OpenAI faced a controversy when OpenAI released a new voice for its ChatGPT system, “Sky,” resembling her voice. Johansson declined an offer from OpenAI’s CEO, Sam Altman, to license her voice, still the voice was still launched. Johansson was shocked and threatened legal action, leading to OpenAI halting Sky’s voice.

Scarlet Johansson’s Statement (Source: X.com @BobbyAllyn)

Similarly, viral videos showcasing a DeepTomCruise created by Metaphysic demonstrated just how convincing and unsettling deepfake technology had become.

Tom Cruise’s Deepfake (Source: TikTok)

Adding to these concerns, Hackread recently reported a sophisticated AI-powered phishing operation targeting YouTube content creators. Scammers used a highly realistic deepfake video of YouTube’s CEO, Neal Mohan, to announce fake changes to monetisation policies, aiming to steal login credentials and install malware.

****A New Global Standard?****

Danish Culture Minister Jakob Engel-Schmidt has strongly voiced his concern, stating that “human beings can be run through the digital copy machine and be misused for all sorts of purposes, and I’m not willing to accept that.” He highlighted that existing laws are insufficient to protect individuals from generative AI.

The proposed Danish law would legally define unauthorised digital representations, specifically targeting “very realistic digital representations of a person, including their appearance and voice,” thereby providing a direct legal basis for removal requests and potential financial compensation for victims. It includes exceptions for parody and satire to protect freedom of speech. The legislative proposal is undergoing public review before formal submission this autumn.

Denmark intends to use its upcoming EU presidency to champion a new approach to deepfake regulation across Europe. Unlike current efforts that largely penalise harmful deepfake uses after they occur, Denmark proposes granting individuals copyright over their digital likeness to prevent misuse from the outset.

Apart from Denmark, companies like Metaphysic are exploring alternative solutions. Metaphysic is working on a system that allows individuals to create an AI-generated avatar of themselves and copyright it, which would fall under existing copyright protections, offering a potential workaround in countries where personal likeness isn’t directly copyrightable. However, Denmark’s proposal is a more straightforward solution to a pressing global challenge, and its success could influence future deepfake legislation worldwide.

Denmark Moves Toward AI Copyright Rules for Voice and Appearance

Beijing, China, 14th July 2025, CyberNewsWire

**Beijing, China, July 14th, 2025, CyberNewsWire**

Founded in 2014 by members of Tsinghua University’s legendary Blue Lotus CTF team, Chaitin Tech has announced the availability of SafeLine WAF — a self-hosted web application firewall that has emerged as the most starred WAF project on GitHub in 2025, accumulating over 17,000 stars. It is making waves across the global homelab enthusiasts and startups alike, offering powerful protection with a clean user experience and generous free features.

**Context-Aware Threat Detection**

SafeLine is powered by a semantic analysis engine that evaluates the intent and context of incoming HTTP requests, distinguishing it from conventional WAFs that rely primarily on signature-based detection. This design contributes to a significant reduction in false positives and false negatives while maintaining uninterrupted application traffic. 

**Streamlined Deployment Without Registration**

SafeLine is designed to function without requiring user accounts, subscriptions, or billing information. Installation is supported through a single-command setup that enables full local hosting. The user interface is structured to be accessible for individuals with varying levels of technical expertise, allowing configuration without unnecessary friction. SafeLine is positioned to serve homelabs and businesses seeking effective web protection without compromising simplicity or privacy.

**Comprehensive Feature Set in the Free Edition**

SafeLine’s free tier includes many features typically reserved for paid plans. It includes:

*   The same semantic detection engine as the paid Pro edition
*   Full identity authentication support
*   Open RESTful API access
*   Advanced bot protection with challenge-response mechanisms
*   Rate Limiting and Waiting Room features
*   Unlimited custom rules to tailor security based on application logic

The Free Edition supports protection for up to 10 applications, suitable for small-scale deployments and personal projects. The Lite Edition extends this to 20 applications and incorporates IP geolocation blocking, real-time alerting, and access to curated threat intelligence data.

**Optional Pro Features for Scaling Teams**

SafeLine Pro introduces functionality designed for larger environments. These include:

*   High availability (HA) deployment options
*   Upstream load balancing
*   Advanced traffic analytics and dashboards
*   Interface customization options, such as configurable block pages
*   Unlimited number of protected domains

**Ongoing Development and Community Engagement**

SafeLine follows an agile release cycle, pushing updates every 2 to 3 weeks. Its development is closely aligned with user feedback, and many community suggestions are reflected in each release. As a result, the project enjoys high engagement and trust from its international user base.

Originally launched in China, SafeLine has now spread to users across Southeast Asia, South America, Europe, North America, and Africa, with a global install base nearing 400,000. It has become a favorite in both personal and production environments, especially where self-hosted, privacy-respecting infrastructure is a priority.

**About Chaitin Tech**

SafeLine is developed by **Chaitin Tech**, one of China’s most prominent cybersecurity companies. Founded by members of **Tsinghua University’s Blue Lotus CTF team** — widely recognized for their world-class security expertise — Chaitin has delivered innovative solutions and contributed to critical security research for over a decade.

**Contact**

**Marketing Manager**  
**Carrie Luo**  
**Chaitin Tech**  
**\[email protected\]**

China-Built SafeLine WAF Gains Global Popularity Among Startups & Homelabs

Cybercriminals are using sponsored ads and fake news websites to lure victims to investment scams.

Researchers have uncovered a large campaign impersonating news websites, such as those from CNN, BBC, CNBC, News24, and ABC News, to promote investment scams.

Adding a well known brand to your scammy site is a tale as old as time, and gives it an air of legitimacy that increases the likelihood that people will click the link and check out what’s what.

Here’s how the scam works:

1.  The scammers buy ads on Google and Facebook, which follow a similar pattern along the lines of “Shocking: \[Local Celebrity\] backs new passive income stream for citizens!”
2.  If you click the link, you’ll be taken to a website that look like one of the major news outlets, and which will tell you about a breakthrough investment strategy.
3.  The article will encourage you to sign up for a program that will earn you money without having to lift a finger. You sign up by providing your name, email address, and phone number.
4.  A friendly advisor (scammer) calls you about the opportunity, referencing the article and explaining how it all works.
5.  You’ll be told that to start off you’ll have to make a small deposit (around $240) and then you will see your investment grow (on the fake trading platform).
6.  Your friendly advisor urges you to invest more to increase your return. And it keeps on growing, until you want to cash in when you’ll find there’s extra fees to pay, problems with account verifications, and all sorts of delays.
7.  When it dawns on you that you’ve been had, your entire investment and all the fees you paid are gone. Also gone is your friendly advisor who has sold your details to another scammer, to squeeze the last dollars out of the ordeal.

The researchers describe an international organization with 17,000 baiting news sites across 50 countries, with the US as the most targeted country.

The “investment platforms” have names like Eclipse Earn, Solara Vynex, and Trap10. Besides the ads, websites, and platforms, the scammers use countless social media accounts to host and promote the sponsored ads.

**How to spot these types of scams**

*   The account hosting the sponsored ad has no history, zero followers, and minimal profile details.
*   The ad shows a picture of a local celebrity and mimics a well-known news outlet implying that the celebrity is already using that platform.
*   The ad promises huge returns within a few days.
*   The “friendly advisor” asks for a lot of details about you claiming it’s because of KYC (Know Your Customer) regulations.
*   The website uses cheap top-level domains (TLDs) like .xyz, , .io, .shop, or .click.
*   The website URLs are typosquatting on major brands.

**How to protect yourself**

Besides being aware of the above red flags, here are some measures that generally keep you and your devices safe.

*   Use an active security solution that blocks malicious websites.
*   Don’t click on unsolicited links in emails, social media posts, and on untrusted websites.
*   Double check anything you read. Would a celebrity really endorse such an investment scheme? Is it real, or just clickbait or disinformation?
*   Don’t provide any personal information or send money to someone you just met online.
*   Verify that platforms are legit through official regulators (like the SEC in the US or FCA in the UK).

If you have already provided personal information to a scammer:

*   Immediately stop interacting with the scammer.
*   Change the passwords to important accounts and enable 2FA where possible.
*   Contact your banks and other financial institutions to alert them, and to freeze or flag any suspicious transactions.
*   Check your credit report and watch for signs of identity theft.
*   Report the crime to the authorities.

**Malwarebytes protects**

Malwarebytes protects against these scams.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 CNN, BBC, and CNBC websites impersonated to scam people 

py-libp2p before 0.2.3 allows a peer to cause a denial of service (resource consumption) via a large RSA key.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-x8c6-gj59-6rx8: py-libp2p is vulnerable to DoS attacks through use of large RSA keys

In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).

GHSA-qxh9-qmf2-rhwc: Roundup is vulnerable to XSS through interactions between URLs and issue tracker templates

WatchTowr Labs reveals CVE-2025-25257, a critical FortiWeb SQL injection allowing unauthenticated remote code execution. Patch your FortiWeb 7.0,…

WatchTowr Labs reveals CVE-2025-25257, a critical FortiWeb SQL injection allowing unauthenticated remote code execution. Patch your FortiWeb 7.0, 7.2, 7.4, 7.6 devices immediately to prevent full system compromise. Update NOW!

Cybersecurity researchers have uncovered a major weakness, CVE-2025-25257, in a key part of Fortinet’s security software: the FortiWeb Fabric Connector, vital for linking Fortinet’s web application firewall (FortiWeb) with other security tools, enabling dynamic protections.

The vulnerability was initially reported to Fortinet by Kentaro Kawane from GMO Cybersecurity by Ierae. The subsequent demonstration of escalating the vulnerability to full system control was performed and published by watchTowr Labs, and the findings were shared exclusively with Hackread.com.

****What Happened?****

This is an “unauthenticated SQL injection in GUI” flaw, which means attackers can exploit a weakness in the system’s administrative interface without needing a username or password, tricking the FortiWeb system into running their own harmful commands by sending specially designed requests over the internet.

WatchTowr Labs discovered this hidden problem by comparing FortiWeb version 7.6.4 with an older version, 7.6.3. They pinpointed the weakness in the get\_fabric\_user\_by\_token function within the /bin/httpsd program. This function, intended for logins from other Fortinet devices like FortiGate firewalls, failed to properly check incoming information, allowing injection of harmful commands using the Authorisation: Bearer header in requests to /api/fabric/device/status.

Initial attempts were tricky due to limitations like disallowing spaces in commands. However, researchers cleverly bypassed this using MySQL’s comment syntax (/**/). This made the SQL injection successful, even allowing them to fully bypass the login check with a simple 'or'1'='1 command, which returned a “200 OK” message confirming success.

****From Simple Trick to Taking Control****

Researchers managed to escalate this initial SQL injection into Remote Code Execution (RCE). They achieved this using MySQL’s INTO OUTFILE statement to write files directly to the system’s directory. A critical finding was that the database process ran with root privileges, allowing it to place harmful files almost anywhere.

Although direct execution wasn’t possible, they leveraged an existing Python script in the /cgi-bin folder that automatically executed with high privileges. By writing a special Python file (.pth) to a specific Python directory, they could force the system to run their own Python code, demonstrating a complete system compromise.

****Potential Consequences and What to Do****

If exploited, an attacker could gain full control of your FortiWeb device and potentially other connected systems. This risks sensitive data theft, service disruption, or using your systems for further attacks, leading to significant financial, reputational, and legal damage.

To stay protected, immediately update your FortiWeb system to the patched version. If an immediate update isn’t feasible, Fortinet suggests temporarily disabling the HTTP/HTTPS administrative interface as a workaround.

Here are the details of the impacted FortiWeb versions:

*   7.6.0 through 7.6.3 (upgrade to 7.6.4 or newer)

*   7.4.0 through 7.4.7 (upgrade to 7.4.8 or newer)

*   7.2.0 through 7.2.10 (upgrade to 7.2.11 or newer)

*   7.0.0 through 7.0.10 (upgrade to 7.0.11 or newer)

Critical Vulnerability Exposes Fortinet FortiWeb to Full Takeover (CVE-2025-25257)

The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files.

This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.

Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.

GHSA-7pgf-ppxw-8624: Apache Zeppelin exposes server resources to unauthenticated attackers

Plus: An “explosion” of AI-generated child abuse images is taking over the web, a Russian professional basketball player is arrested on ransomware charges, and more.

WIRED reported this week on public records that show the United States Department of Homeland Security urging local law enforcement around the country to interpret common protest activities and surrounding logistics—including riding a bike, livestreaming a police encounter, or skateboarding—as “violent tactics.” The guidance could influence cops to use everyday behavior as a pretext for police action.

An AI hiring bot used on the McDonald’s “McHire” site exposed tens of millions of job applicants’ personal data because of a group of web-based security vulnerabilities—including use of the classically guessable password “123456” on an administrator account. The site’s chatbot, known as Olivia, was built by the artificial intelligence software firm Paradox.ai. Meanwhile, in the wake of last week’s devastating floods in Texas that killed at least 120 people, conspiracy theories about the extreme weather event have gained enough traction among anti-government extremists, GOP influencers, and others with large platforms to produce real-world consequences like death threats.

Finally, the metadata of the “full raw” surveillance footage captured near Jeffrey Epstein’s cell the night before the disgraced financier was found hanged shows it’s not “raw” footage at all. Instead, according to a WIRED analysis and digital video forensics experts, the full video is made up of two clips, and it was likely processed using powerful editing software.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**4 Young People Arrested Over Cyberattacks Against UK Retailers**

Earlier this year, three retailers in the UK—Harrods, the Co-Op, and M&S—were disrupted by sprawling cyberattacks. Some shelves were left empty for weeks, and M&S executives expect the attacks will cost around £300 million ($407 million) in total. This week, law enforcement officials at the National Crime Agency (NCA), the country’s equivalent of the FBI, announced the arrest of four people as part of investigations into the three attacks.

A 20-year-old female, two males aged 19, and another aged 17 were all arrested at their homes in the West Midlands and London on Thursday morning. One of the 19-year-old males is from Latvia, while the others are from the UK, the NCA says. They are suspected of potential Computer Misuse Act offenses, blackmail, money laundering, and “participating in the activities of an organized crime group,” the NCA said in a statement. The law enforcement agency has not named the individuals arrested or released precise locations of where they are based; however, NCA’s deputy director Paul Foster said the arrests were a “significant step” in its investigations.

The attacks against the three British retailers have been broadly linked, including partially by the NCA, to the loose cybercriminal group Scattered Spider. The hacking group, which first emerged in 2022, is largely made up of young, English-speaking individuals, and has recently been seen targeting retailers, airlines, and the insurance industry across the UK and the US.

**‘Explosion’ of AI-Generated Child Abuse Images Could Overwhelm the Web, Experts Warn**

It didn’t take criminals long to start using generative AI to create ultra-realistic child sexual abuse images. Now huge volumes of illegal, AI-created content are being found online, with criminals moving to use the technology to create videos as well as still images. During the first six months of this year, analysts at the Internet Watch Foundation, a UK-based organization that removes child sexual abuse material (CSAM) from the web, identified 1,286 AI-generated videos that show abuse—more than 1,000 of the videos showed the most serious type of abuse.

“There is an incredible risk of AI-generated CSAM leading to an absolute explosion that overwhelms the clear web,” said Derek Ray-Hill, the interim chief executive of the Internet Watch Foundation. Separate figures from the US-based National Center for Missing & Exploited Children (NCMEC) say it has received 485,000 reports of AI CSAM in the first half of this year—up from 67,000 for the entirety of last year. Around 35 tech companies have reported finding AI-generated CSAM on their platforms, NCMEC said.

**Italian Police Arrest an Alleged Member of China’s Silk Typhoon Hacking Group**

In a rare instance of Western law enforcement actually laying hands on an alleged Chinese state-sponsored hacker, Italian police arrested Xu Zewei, a 33-year-old from Shanghai, at an airport in Milan on July 3. The police were acting on a warrant issued by the US Department of Justice seeking Xu’s arrest on hacking charges. Authorities allege he’s a member of the espionage group known as Silk Typhoon or Hafnium, which has carried out widespread data theft from Western governments and private sector companies for years. US prosecutors are specifically accusing Xu of taking part in Silk Typhoon’s hacking that targeted researchers working to develop a Covid-19 vaccine in 2020 and 2021. He’s also alleged to have participated in a far less targeted hacking campaign in which the same group broke into tens of thousands of Microsoft exchange servers around the world, leaving behind backdoors for later reconnaissance. Xu’s lawyer denied the charges, saying it’s a case of mistaken identity, and Xu’s wife also has reportedly said that Xu is an IT technician at the company GTA Semi Conductor.

**Russian Pro Basketball Player Arrested on Ransomware Charges**

In more news of alleged hackers arrested in European airports—and a very unusual case of alleged cybercriminal moonlighting—French police this week detained Russian professional basketball player Daniil Kasatkin in the Charles de Gaulle airport in Paris, accusing him of being part of a ransomware group. Authorities haven’t yet named the ransomware crew they claim Kasatkin was a part of, but say that from 2020 to 2022 it hit close to 900 organizations, including two American government agencies. Kasatkin’s lawyer, Frédéric Bélot, denied the accusations, saying his client is “useless with computers and can't even install an application.” Kasatkin, who played for the pro basketball team MBA Moscow, had traveled to France with his fiancée to propose to her.

**Bodyguards Using Strava Leaked the Detailed Locations of Sweden’s Prime Minister**

Here’s your annual reminder, athletic oversharers of the world, to set your Strava account settings to private. This week, Sweden’s Dagens Nyheter newspaper revealed that seven bodyguards for Swedish government officials left their Strava accounts public, revealing their locations as they carried out 1,400 exercise activities—and in many cases, the locations of the people they were protecting, including the Swedish prime minister, Ulf Kristersson. The leaked locations of the prime minister included hotels where he stayed, private addresses, a family vacation, trips abroad, and his private home, which was intended to be secret. Repeat after me, Strava enthusiasts with security clearances: Go to Settings, tap Privacy Controls, then Activities. Future scandal averted.

Tag

#auth