A vulnerability, which was classified as problematic, was found in PyTorch 2.6.0. Affected is the function torch.nn.functional.ctc_loss of the file aten/src/ATen/native/LossCTC.cpp. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The name of the patch is 46fc5d8e360127361211cb237d5f9eef0223e567. It is recommended to apply a patch to fix this issue.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-887c-mr87-cxwp: PyTorch Improper Resource Shutdown or Release vulnerability

Bots now account for half of all internet traffic, according to a new study that shows how non-human activity has grown online.

If you sometimes feel that the internet isn’t the same vibrant place it used to be, you’re not alone. New research suggests that most of the traffic traversing the network isn’t human at all.

Bots (software programs that interact with web sites) have been ubiquitous for years. But in its 2025 Bad Bot Report, application security company Imperva claimed this is the first time traffic from bots became more prevalent than human traffic.

The rise in bots is down to generative artificial intelligence (AI), Imperva said. This is the same technology that now flirts with people online for you and automatically writes heartfelt consolatory emails on behalf of heartless administrators. This tech has made it easier to create bots that do your bidding online. While some of those bots are benign, not all have your best interests at heart.

**The rise of bad bots**

Traffic from “bad bots”—those created with malicious intent—first surpassed good bot traffic in 2016, Imperva’s research said, and it’s been getting worse. Bad bots comprised 37% of internet traffic in 2024, up from 32% the year prior. Good bots accounted for just 14% of the internet’s traffic.

Bad bots do all kinds of unpleasant things. An increasing number try to hijack peoples’ online accounts, which they often do by “credential stuffing.” This is where a bot takes a password and email address that has been stolen and leaked online, and then tries those credentials across a myriad of services in the hope that its owner will have reused the password elsewhere.

These account takeover attacks have skyrocketed lately. December 2024 saw around 330,000 such incidents, up from around 190,000 in December 2023. That could be down to a flood of data breaches that flooded the market with more stolen credentials to try, Imperva said.

Other attacks include scraping data from websites, which is a problem for businesses that don’t want their intellectual property stolen, and also for the individuals who own that data.

Cyber criminals use bots to commit payment fraud by exploiting vulnerabilities in checkout systems. There’s also a thriving business in scalping bots that buy everything from event tickets to new sneakers for high-value resale, denying legitimate customers the opportunity to buy these items for themselves.

The report also found bots targeting specific sectors. The travel industry accounted for 27% of bad bot traffic (the highest by industry) in 2024, up from 21% in 2023. These bots pull tricks such as pretending to book airline seats online and abandoning the purchase at the last minute, which skews seat pricing.

Retail was the second hardest-hit industry in 2024, accounting for 15% of bot traffic, followed by education at 11%.

Bots are also getting better at evading detection. Faking a browser identity (effectively wearing a digital mask that makes them look like Chrome or Firefox) has been a common tactic for years, but now bots are also using other techniques. These include using IP addresses owned by residential users, which are difficult for web site administrators to spot. Bots are also using virtual private networks to cloak their origin.

AI-enabled bots are also getting far better at cracking CAPTCHAs—the tests that help you to pass as a human when accessing a web site. And malicious software developers are now coding bots that learn about the environment they’re up against and change how they approach it to fly under the radar.

Another change is in the method that these bots use to communicate with their targets. Traditionally, bots would often browse a web page directly, interacting with it in the same way that a human would. That’s changing as newer bots communicate directly with the servers running the web application behind the scenes in their own language. They do this using application programming interfaces (APIs), which are communication channels that programs can use to retrieve information from a web application.

As the bots get smarter and more ubiquitous, what can you do? Sadly, fighting bad bots is largely the job of the companies operating the web applications that serve you and use your data. However, there are a couple of things you can do as an individual to protect yourself and the community at large.

*   **Don’t reuse passwords.** Use a different password for every service you use to stop the credential stuffing bots, and make those passwords complex to avoid brute-force attacks. Use a trusted password manager to keep those passwords safe and easily accessible.
*   **Protect your PC.** Install anti-malware software and follow basic cyber hygiene measures. This will help to prevent attackers from compromising your machine and using it for their own online purposes.
*   **Don’t become a proxy.** Attackers might be able to use your IP address as a proxy for their bots if you don’t protect it. Avoid using untrusted VPNs from suspicious sources, as these have been known to sell your IP address on for others to use. Similarly, take a minute to update the hardware on your home router, or ensure that your telecommunications provider does it if the router came from them. Attackers will often compromise vulnerable routers and use them for bot attacks.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Hi, robot: Half of all internet traffic now automated 

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).

GHSA-vvgc-356p-c3xw: golang.org/x/net vulnerable to Cross-site Scripting

An issue in the component /models/config.py of Whoogle search v0.9.0 allows attackers to execute arbitrary code via supplying a crafted search query.

GHSA-2689-cw26-6cpj: Whoogle allows attackers to execute arbitrary code via supplying a crafted search query

BidenCash dumps almost a million stolen credit card records on Russian forum, exposing card numbers, CVVs, and expiry dates in plain text with no cardholder names.

BidenCash, a dark web carding marketplace known for its aggressive tactics, has leaked a fresh batch of 910,380 stolen credit card records on the Russian-language cybercrime forum XSS.

The leak, published on April 14 at 6:37 PM (UTC), includes card numbers, CVV codes, and expiration dates but lacks names or other personally identifying information. Despite the limited data set, the dump poses a clear risk for online fraud, particularly in card-not-present transactions.

Screenshot from the leaked data shows the format of the dump: 11111111111111|04/28|000 (Image credit: Hackread.com)

This isn’t the first time BidenCash has released stolen data in bulk. The platform has a history of pushing free leaks as a way to gain attention, build credibility, or as in this case, claim enforcement of its own marketplace rules.

In March 2023, BidenCash leaked 2 million credit card details, which included cardholders’ full names, card numbers, bank details, expiration dates, CVV numbers, home addresses, and more than 500,000 email addresses.

Later, in December 2023, the marketplace released over 1.6 million credit card records containing full card numbers, expiration dates, and CVV numbers, all stored in plain text format.

****“Anti-Public System”****

In the post released alongside the leak on the Russian forum, BidenCash claimed that the data was scraped from different forums and Telegram groups throughout the past month. They stated the purpose was to showcase their so-called “anti-public system,” an internal process designed to identify and remove already-circulated cards from their marketplace.

> _“Once again, we will show the results of our anti-public system’s work. These are the data collected from various chats and forums over the course of a month. The cards that were found on our platform for sale have been removed, and the suppliers were fined for each card found.”_
> 
> BidenCash

In other words, BidenCash is presenting this leak as a type of audit. If any vendor was caught selling cards that were already in circulation, those listings were taken down, and the sellers were penalised.

It’s an attempt at quality control, but it also functions as a promotional move. By dropping a massive dataset for free, they increase visibility among carders and lure traffic back to the site.

BidenCash admin on XSS forum (Image credit: Hackread.com)

****No Names – Still Dangerous****

While the leak doesn’t contain names, the exposed card data is far from harmless. Criminals often pair such datasets with other breached information or use them in automated testing tools to conduct fraud. The absence of names may help these records bypass some fraud detection systems that match identity data.

Cybercriminals can also filter the list by BIN (Bank Identification Number) to target specific banks or regions. At the time of writing, there has been no public confirmation about which banks are affected or how many of the cards are still active.

****Context and Risks****

BidenCash has been around since early 2022, acting as a hub for selling stolen credit card information. A lot of these markets pop up and vanish, but this one’s stuck around mostly because it tries to keep its listings in check and claims to kick out duplicate or outdated data.

This new leak seems like more than just a giveaway. It’s a way for them to show they’re still active, keeping tabs on their sellers, and making noise to stay relevant. While the data doesn’t contain names or email addresses, the exposed card info can still be misused. If you’re concerned about your payment card data exposure, do this:

*   Set up alerts for unusual charges

*   Monitor your bank statements closely

*   Use virtual cards for online purchases when possible

*   Consider requesting a new card if suspicious activity arises

BidenCash Market Dumps 1 Million Stolen Credit Cards on Russian Forum

A new variant of the hello pervert emails claims that the target's system is infected with njRAT and spoofs the victims email address

In a new version of the old “Hello pervert”  emails, scammers are relying on classic email spoofing techniques to try and convince victims that they have lost control of their email account and computer systems.

Email spoofing basically comes down to sending emails with a false sender address, a method in use in various ways by scammers. Obviously, pretending to be someone else can have its advantages, especially if that someone else holds a position of power or trust with regards to the receiver.

But sending a message to the victim’s from their _own_ email address might convince the victim that they have lost access over their own account.

The text of the email roughly looks like this:

> “As you may have noticed, I sent you an email from your email account
> 
> This means I have full access to your account
> 
> I’ve been watching you for a few months
> 
> The thing is, you got infected with a njrat through an adult site you visited
> 
> If you don’t know about this, let me explain
> 
> The njrat gives me full access and control over your device.
> 
> This means I can see everything on your screen, turn on the camera and microphone, but you don’t know it
> 
> I also have access to all your contacts and all your correspondence.
> 
> On the left half of the screen, I made a video showing how you satisfied yourself, on the right half you see the video you watched.
> 
> With a click of a mouse I can send this video to all your emails and contacts on social networks
> 
> I can also see access to all your communications and messaging programs that you use.
> 
> If you want to avoid this,
> 
> Transfer the amount of 1200 USD to my bitcoin address (“write buy bitcoin or find for bitcoin exchange if you don’t know”)
> 
> My Bitcoin address (BTC wallet): 1FJg6nuRLLv4iQLNFPTpGwZfKjHJQnmwFs
> 
> After payment is received, I will delete the video and you will not hear from me again
> 
> I’m giving you 48 hours to pay
> 
> Do not forget that I will see you when you open the message, the counter will start
> 
> If I see you’ve shared this message with someone else, the video will be posted immediately”

If the victim decides to search for “njrat” they’ll find that it’s a remote access trojan (RAT) has capabilities to log keystrokes, access the victim’s camera, steal credentials stored in browsers, upload/download files, view the victim’s desktop, and more.

Scary stuff, and it supports the claims the scammer makes.

But, as with all sextortion scams, this threat is an entirely empty one. There is more than likely no lurid video, no “njrat,” no list of contacts. Instead, there is just a threat which is meant to drive panic which is meant to drive payment.

When we checked, we were happy to see that the scammers’ Bitcoin wallet is empty, although they could have set up a separate one for each victim.

**How to recognize sextortion emails**

Once you know what’s going on it’s easy to recognize these emails. Remember that not all of the below characteristics have to be included in these emails, but all of them are red flags in their own right.

*   The emails often look as if they came from one of your own email addresses.
*   The scammer accuses you of inappropriate behavior and claims to have footage of that behavior.
*   In the email, the scammer claims to have used “Pegasus” or some Trojan to spy on you through your own computer.
*   The scammer says they know “your password” or compromised your account.
*   You are urged to pay up quickly or the so-called footage will be spread to all your contacts. Often you’re only allowed one day to pay.
*   The actual message often arrives as an image or a pdf attachment. Scammers do this to bypass phishing filters.

**What to do when you receive an email like this**

First of all, even if it’s only to reassure yourself, scan your computer with an anti-malware solution that can detect and remove njRAT (if present).

Second, if your computer is clean, check if your email account has not been compromised. Change the password and enable 2FA if possible.

Don’t respond to the scammer, since that will confirm that the email address is in use and the mail is read. This could invoke more emails from scammers.

Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes.

Do not open unsolicited attachments. Especially when the sender address is suspicious or even your own.

For your ease of mind, turn off your webcam or buy a webcam cover so you can cover it when you’re not using the webcam.

 “I sent you an email from your email account,” sextortion scam claims 

Palo Alto, California, 16th April 2025, CyberNewsWire

**Palo Alto, California, April 16th, 2025, CyberNewsWire**

SquareX researchers Jeswin Mathai and Audrey Adeline will be disclosing a new class of data exfiltration techniques at BSides San Francisco 2025. Titled “Data Splicing Attacks: Breaking Enterprise DLP from the Inside Out”, the talk will demonstrate multiple data splicing techniques that will allow attackers to exfiltrate any sensitive file or clipboard data, completely bypassing major Data Loss Protection (DLP) vendors listed by Gartner by exploiting architectural vulnerabilities in the browser. 

DLP is a core pillar of every enterprise security stack. Data breaches can result in severe consequences including IP loss, regulatory violations, fines, and severe reputational damage. With over 60% of corporate data being stored in the cloud, browsers have become the primary way for employees to create, access, and share data. Consequently, the browser has become a particularly attractive target for external attackers and insider threats alike. Yet, existing endpoint and cloud DLP solutions have limited telemetry and control over how employees interact with data on the browser. 

Additionally, there are several unique challenges when it comes to maintaining data lineage in the browser. This includes managing multiple personal and professional identities, the wide landscape of sanctioned and shadow SaaS apps, and the numerous pathways in which sensitive data can flow between these apps. Unlike managed devices where enterprises have full control over what can be installed on the device, employees can easily sign up for various SaaS services without the IT team’s knowledge or oversight. 

> SquareX researcher Audrey Adeline says, “Data splicing attacks are a complete game changer for insider threats and attackers that are seeking to steal information from enterprises. They exploit newer browser features that were invented long after existing DLP solutions and thus the data exfiltrated using these techniques are completely uninspected, resulting in full bypasses. With today’s workforce heavily relying on SaaS apps and cloud storage services, any organization that uses the browser is vulnerable to data splicing attacks.”

As part of the talk, they will also be releasing an open-source toolkit, “Angry Magpie”, which will allow pentesters and red teams to test their existing DLP stack and better understand their organization’s vulnerability to Data Splicing Attacks. SquareX hopes that the research will highlight the severe threats that browsers pose on data loss and serve as a call to action for enterprises and vendors alike to re-think their data loss protection strategies. 

Upon the completion of BSides San Francisco, the SquareX team will also be presenting at RSAC 2025 and will be available at Booth S-2361, South Expo for further discussions on the research.

**Talk Details:**

**Title:** Data Splicing Attacks: Breaking Enterprise DLP from the Inside Out

**Speakers:** Jeswin Mathai and Audrey Adeline

**Event:** BSides San Francisco 2025

**Location:** San Francisco, CA

**Toolkit Release:** Angry Magpie (Open Source)

**About the Speakers**

**Jeswin Mathai****, Chief Architect, SquareX**

Jeswin Mathai serves as the Chief Architect at SquareX, where he leads the design and implementation of the company’s infrastructure. A seasoned speaker and researcher, Jeswin has showcased his work at prestigious international stages such as DEF CON US, DEF CON China, RootCon, Blackhat Arsenal, Recon Village, and Demo Labs at DEFCON. He has also imparted his knowledge globally, training in-classroom sessions at Black Hat US, Asia, HITB, RootCon, and OWASP NZ Day. He is also the creator of popular open-source projects such as AWSGoat, AzureGoat, and PAToolkit.

**Audrey Adeline****, Researcher**

Audrey currently leads the Year of Browser Bugs (YOBB) project at SquareX which has disclosed multiple major architectural browser vulnerabilities to date. She is also a published author of The Browser Security Field Manual. Key discoveries from YOBB include Polymorphic Extensions, Browser Ransomware and Browser Syncjacking, all of which have been covered by major publications such as Forbes, Bleeping Computer and Mashable. She is passionate about furthering cybersecurity education and has run multiple workshops with Stanford University and Women in Security and Privacy (WISP). Prior to SquareX, Audrey was a cybersecurity investor at Sequoia Capital and graduated from the University of Cambridge with a degree in Natural Sciences.

**About SquareX**

SquareX’s industry-first Browser Detection and Response (BDR) helps organizations detect, mitigate, and threat-hunt client-side web attacks targeting employees happening against their users in real-time. This includes defending against identity attacks, malicious extensions, spearphishing, browser data loss, and insider threats. 

SquareX takes a research and attack-focused approach to browser security. SquareX’s dedicated research team was the first to discover and disclose multiple pivotal attacks, including Last Mile Reassembly Attacks, Browser Syncjacking, Polymorphic Extensions, and Browser-Native Ransomware. As part of the Year of Browser Bugs (YOBB) project, SquareX commits to continue disclosing at least one major architectural browser vulnerability every month.  

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX to Uncover Data Splicing Attacks at BSides San Francisco, A Major DLP Flaw that Compromises Data Security of Millions

Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-27936

**Mattermost vulnerable to Observable Timing Discrepancy**

Moderate severity GitHub Reviewed Published Apr 16, 2025 to the GitHub Advisory Database • Updated Apr 16, 2025

**Package**

gomod github.com/mattermost/mattermost-plugin-msteams (Go)

**Affected versions**

<= 1.15.0

gomod github.com/mattermost/mattermost/server/v8 (Go)

\>= 10.5.0, < 10.5.2

< 8.0.0-20250314142426-c049748b8863

10.5.2

8.0.0-20250314142426-c049748b8863

Published to the GitHub Advisory Database

Apr 16, 2025

Last updated

Apr 16, 2025

GHSA-2j87-p623-8cc2: Mattermost vulnerable to Observable Timing Discrepancy

Hertz confirms data breach linked to Cleo software flaw; Cl0p ransomware group leaked stolen data, exposing names, driver’s…

Hertz confirms data breach linked to Cleo software flaw; Cl0p ransomware group leaked stolen data, exposing names, driver’s licenses, and credit card details.

Car rental company Hertz has announced that some of its customers’ private details were accessed without permission. This happened because of vulnerabilities in Cleo Communications US, LLC (Cleo), a company that provides software services to Hertz.  

It is worth noting that in December 2024, the Cl0p ransomware group claimed responsibility for exploiting vulnerabilities in Cleo’s managed file transfer software, leading to the theft of large amounts of corporate data. A few days later, the group published the stolen Hertz data archive on its dark web leak site.

Cl0p ransomware gang on its dark web leak site (Image credit: Hackread.com)

In its official press release (PDF), Hertz, which also owns Dollar and Thrifty car rental brands, explained that Cleo runs a system that Hertz uses to send files for specific tasks. On February 10, 2025, Hertz found out that some of its data was taken by an unauthorised individual, who Hertz believes took advantage of weaknesses, called zero-day vulnerabilities, in its software and were exploited in October 2024 and December 2024.

Right after detecting suspicious activity, Hertz launched an investigation to understand what happened and what information could be exposed. This investigation concluded on April 2, 2025, revealing that accessed data may include names, contact details, birth dates, credit card numbers, and driver’s license information.

“A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims,” may also be impacted, the company explained.

Hertz confirmed that Cleo is investigating the issue and fixing the software problems, and that they have already reported this data breach to the police and other government agencies. To be extra careful, Hertz is offering two years of free identity monitoring or dark web monitoring services to people who might be affected, through a company called Kroll.  

Notably, a data breach notification filed with the Maine Attorney General reveals that 3,409 residents of Maine were affected by this data breach. Because this number exceeds 1,000, Hertz has notified consumer reporting agencies, as required by law in Maine. The breach is categorised as an “External system breach (hacking),” according to the Maine Attorney General’s filing, providing a clearer understanding of the nature of the security incident.

Herts claims that at the moment, there is no evidence that anyone’s information has been used to commit fraud. The company also recommends checking account statements and credit reports regularly and has provided a phone number, 866-408-8964, to call if you have more questions.

You can also put a fraud alert on their credit file for free, the company notes. An initial alert lasts for one year. To set up a fraud alert, you need to contact Equifax, Experian, or TransUnion. 

Another option is to put a “credit freeze” on your credit report. This stops credit bureaus from sharing information without the person’s permission. This can help prevent new credit accounts from being opened in someone’s name without their knowledge. However, Hertz warns that a credit freeze might delay or prevent the approval of new loans or credit if you need them quickly.

Thomas Richards, Infrastructure Security Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the latest development, stating:

“It’s incredibly unfortunate that customers had their sensitive information compromised in such an attack. Data is a form of currency for cybercriminals, and therefore, it is essential that all organisations harbouring sensitive information manage their software risk by taking measures to improve their cybersecurity posture to prevent a compromise like this from happening again.”

Hertz Confirms Data Breach After Hackers Stole Customer PII

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities found in Eclipse ThreadX and four vulnerabilities in STMicroelectronics.   
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.

Wednesday, April 16, 2025 08:00

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities found in Eclipse ThreadX and four vulnerabilities in STMicroelectronics.   

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.     

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.      

**Eclipse vulnerabilities **

_Discovered by Kelly Patterson of Cisco Talos._    

Eclipse ThreadX is an embedded development suite including an operating system that provides performance for resource-constrained devices. 

TALOS-2024-2098 (CVE-2025-0726, CVE-2025-2260) A denial of service vulnerability exists in the NetX HTTP server functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. 

Two integer underflow vulnerabilities exist in the HTTP server PUT request functionality of Eclipse ThreadX NetX Duo git commit 6c8e9d1, TALOS-2024-2104 (CVE-2025-0727, CVE-2025-2259) and TALOS-2024-2105 (CVE-2025-0728, CVE-2025-2258). Specially crafted network request packets can lead to denial of service. An attacker can send malicious packets to trigger these vulnerabilities. 

**STMicroelectronics vulnerabilities **

_Discovered by Kelly Patterson of Cisco Talos._    

STMicroelectronics is a European multinational semiconductor contract manufacturing and design company. 

TALOS-2024-2096 (CVE-2024-45064) is a buffer overflow vulnerability in the FileX Internal RAM interface functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted set of network packets can lead to code execution. An attacker can send a sequence of requests to trigger this vulnerability. 

TALOS-2024-2097 (CVE-2024-50384-CVE-2024-50385) is a denial-of-service vulnerability in the NetX Component HTTP server functionality. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. 

Two integer underflow vulnerabilities exist in the HTTP server PUT request functionality. For TALOS-2024-2102 (CVE-2024-50594-CVE-2024-50595), a specially crafted series of network requests can lead to denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability. For TALOS-2024-2103 (CVE-2024-50596-CVE-2024-50597), a specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Tag

#web