Security
Headlines
HeadlinesLatestCVEs

Tag

#web

SpyCloud Unveils Top 10 Cybersecurity Predictions Poised to Disrupt Identity Security in 2026

Austin, TX/USA, 18th November 2025, CyberNewsWire

HackRead
Open in Source
#vulnerability#web#ios#mac#apple#intel#oauth#auth
Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks

Suspected espionage-driven threat actors from Iran have been observed deploying backdoors like TWOSTROKE and DEEPROOT as part of continued attacks aimed at aerospace, aviation, and defense industries in the Middle East. The activity has been attributed by Google-owned Mandiant to a threat cluster tracked as UNC1549 (aka Nimbus Manticore or Subtle Snail), which was first documented by the threat

Schneider Electric PowerChute Serial Shutdown

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Schneider Electric Equipment: PowerChute Serial Shutdown Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Restriction of Excessive Authentication Attempts, Incorrect Default Permissions 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to access user accounts or gain elevated system access. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following version of Schneider Electric PowerChute Serial Shutdown are affected: Schneider Electric PowerChute Serial Shutdown: Versions 1.3 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22 A path traversal vulnerability exists that could cause elevated system access when a Web Admin user on the local network tampers with the POST/REST/UpdateJRE request payload. CVE-2025-115...

Shelly Pro 4PM

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.3 ATTENTION: Low attack complexity Vendor: Shelly Equipment: Pro 4PM Vulnerability: Allocation of Resources Without Limits or Throttling 2. RISK EVALUATION Successful exploitation of this vulnerability could result in a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following version of Pro 4PM, a smart DIN rail switch, is affected: Pro 4PM: prior to v1.6 3.2 VULNERABILITY OVERVIEW 3.2.1 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770 Due to lack of input bounds checking, an attacker can send a specially crafted request to any RPC endpoint. The malicious request causes the device's JSON parser to overallocate memory, leading the device to reboot and creating a denial-of-service condition. CVE-2025-11243 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). A CVSS v4 score has also been calculated for CVE-...

METZ CONNECT EWIO2

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: METZ CONNECT Equipment: EWIO2 Vulnerabilities: Authentication Bypass by Primary Weakness, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'), Unrestricted Upload of File with Dangerous Type, Path Traversal: '.../...//', Improper Access Control 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and control the device remotely or perform remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS METZ CONNECT reports that the following products are affected: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M: All versions METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM: All versions METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM: All versions 3.2 Vulnerability Overview 3.2.1 AUTHENTI...

Schneider Electric EcoStruxure Machine SCADA Expert & Pro-face BLUE Open Studio

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.3 ATTENTION: Low Attack Complexity Vendor: Schneider Electric Equipment: EcoStruxure Machine SCADA Expert & Pro-face BLUE Open Studio Vulnerability: Use of a Broken or Risky Cryptographic Algorithm 2. RISK EVALUATION Successful exploitation of this vulnerability could lead to loss of confidentiality and integrity. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products use an affected AVEVA component: EcoStruxure Machine SCADA Expert: Versions prior to 2023.1 Patch 1 Pro-face BLUE Open Studio: Versions prior to 2023.1 Patch 1 3.2 VULNERABILITY OVERVIEW 3.2.1 Use of a Broken or Risky Cryptographic Algorithm CWE-327 The vulnerability disclosed by AVEVA Group Limited impacts the affected Schneider Electric software. Additional information about the vulnerabilities can be found in the AVEVA advisory AVEVA-2025-006. The vulnerability, if exploited, could allow a attacker with read access to Edge project files...

Shelly Pro 3EM

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.3 ATTENTION: Low attack complexity Vendor: Shelly Equipment: Pro 3EM Vulnerability: Out-of-Bounds Read 2. RISK EVALUATION Successful exploitation of this vulnerability could result in a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following version of Pro 3EM, a smart DIN rail switch, is affected: Pro 3EM: all versions 3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS READ CWE-125 By sending a specially crafted Modbus request, an attacker can direct the device to access an illegal data address without standard error handling, causing the device to reboot and leading to a denial-of-service condition. CVE-2025-12056 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). A CVSS v4 score has also been calculated for CVE-2025-12056. A base score of 8.3 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/...

Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages

Cybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate between real victims and security researchers to ultimately redirect them to sketchy crypto-themed sites. The malicious npm packages, published by a threat actor named "dino_reborn" between September and November 2025, are

Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet

Microsoft on Monday disclosed that it automatically detected and neutralized a distributed denial-of-service (DDoS) attack targeting a single endpoint in Australia that measured 5.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps). The tech giant said it was the largest DDoS attack ever observed in the cloud, and that it originated from a TurboMirai-class Internet of

Google Issues Security Fix for Actively Exploited Chrome V8 Zero-Day Vulnerability

Google on Monday released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild. The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could be exploited to achieve arbitrary code execution or program crashes. "Type