Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models

Cybersecurity researchers have uncovered multiple security flaws in Dell's ControlVault3 firmware and its associated Windows APIs that could have been abused by attackers to bypass Windows login, extract cryptographic keys, as well as maintain access even after a fresh operating system install by deploying undetectable malicious implants into the firmware. The vulnerabilities have been codenamed

The Hacker News
Open in Source
#vulnerability#windows#dell#The Hacker News
WinRAR Zero-Day CVE-2025-8088 Exploited to Spread RomCom Malware

Critical WinRAR flaw CVE-2025-8088 exploited by Russia-linked hackers to spread RomCom malware, update to version 7.13 now to…

ReVault! When your SoC turns against you… deep dive edition

Talos reported 5 vulnerabilities to Broadcom and Dell affecting both the ControlVault3 Firmware and its associated Windows APIs that we are calling “ReVault”.

The US Court Records System Has Been Hacked

Plus: Instagram sparks a privacy backlash over its new map feature, hackers steal data from Google's customer support system, and the true scope of the Columbia University hack comes into focus.

GHSA-c6g5-g6r7-q4j6: Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery

An SSRF vulnerability in FreeMarker templates in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, and 7.4 GA through update 92 allows template editors to bypass access validations via crafted URLs.

GHSA-6v93-frf9-2rp8: Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, and 7.4 GA through update 92 allow a pre-authentication blind SSRF vulnerability in the portal-settings-authentication-opensso-web component due to improper validation of user-supplied URLs. An attacker can exploit this issue to force the server to make arbitrary HTTP requests to internal systems, potentially leading to internal network enumeration or further exploitation.

CyberArk and HashiCorp Flaws Enable Remote Vault Takeover Without Credentials

Cybersecurity researchers have discovered over a dozen vulnerabilities in enterprise secure vaults from CyberArk and HashiCorp that, if successfully exploited, can allow remote attackers to crack open corporate identity systems and extract enterprise secrets and tokens from them.  The 14 vulnerabilities, collectively named Vault Fault, affect CyberArk Secrets Manager, Self-Hosted, and

Hackers Went Looking for a Backdoor in High-Security Safes—and Now Can Open Them in Seconds

Security researchers found two techniques to crack at least eight brands of electronic safes—used to secure everything from guns to narcotics—that are sold with Securam Prologic locks.

GHSA-2vcf-qxv3-2mgw: Craft CMS has a theoretical bypass for CVE-2025-23209

**Pre-requisites:** * Have a compromised security key (https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret) * Somehow, manage to create an arbitrary file in Craft’s `/storage/backups` folder. With those two pieces in place, you could create a specific, malicious request to the `/updater/restore-db` endpoint to execute CLI commands remotely. Fixed in https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57 ----- Reported by Marco O. (segfault)

15,000 Jenkins Servers at Risk from RCE Vulnerability (CVE-2025-53652)

A new report by VulnCheck exposes a critical command injection flaw (CVE-2025-53652) in the Jenkins Git Parameter plugin.…