#web

Tech Transparency Project warns Chinese-owned VPNs like Turbo VPN and X-VPN remain on Apple and Google app stores, raising national security concerns.

A new campaign has been observed leveraging fake websites advertising popular software such as WPS Office, Sogou, and DeepSeek to deliver Sainbox RAT and the open-source Hidden rootkit. The activity has been attributed with medium confidence to a Chinese hacking group called Silver Fox (aka Void Arachne), citing similarities in tradecraft with previous campaigns attributed to the threat actor.

FBI tracked IntelBroker as UK’s Kai West using an email address, crypto trails, YouTube activity and forum posts after dozens of high-profile data breaches and darknet activity.

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.

### Impact OpenBao and HashiCorp Vault allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service. ### Patches In OpenBao v2.2.2 and later, manually setting the configuration option `disable_unauthed_rekey_endpoints=true` allows an operator to deny these rarely-used endpoints on global listeners. In a future OpenBao release [communicated on our website](https://openbao.org/docs/deprecation/), we will set this to `true` for all users and provide an authenticated alternative. This vulnerability has been disclosed to HashiCorp; see their website for more information. ### Workarounds If an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges. ### References See the [deprecation notice](https://openbao.org/docs/deprecation/unauthed-rekey/).

ZURICH, Switzerland – Zurich-based automation platform Flowable has been recognized as a Representative Vendor in the Gartner newly released…

Cybercriminals are using jailbroken AI models to assist them in designing campaigns and improving their tactics.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.3 ATTENTION: Low attack complexity Vendor: TrendMakers Equipment: Sight Bulb Pro Vulnerabilities: Use of a Broken or Risky Cryptographic Algorithm, Improper Neutralization of Special Elements used in a Command ('Command Injection') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to capture sensitive information and execute arbitrary shell commands on the target device as root if connected to the local network segment. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of the Sight Bulb Pro Firmware are affected: Sight Bulb Pro Firmware ZJ_CG32-2201: Version 8.57.83 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327 During the initial setup of the device the user connects to an access point broadcast by the Sight Bulb Pro. During the negotiation, AES Encryption keys are passed in cleartext. If captured, an attacker may be able to decrypt co...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: Air conditioning systems Vulnerability: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to control the air conditioning system. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Mitsubishi Electric reports the following air conditioning systems are affected: G-50: Ver.3.37 and prior G-50-W: Ver.3.37 and prior G-50A: Ver.3.37 and prior GB-50: Ver.3.37 and prior GB-50A: Ver.3.37 and prior GB-24A: Ver.9.12 and prior G-150AD: Ver.3.21 and prior AG-150A-A: Ver.3.21 and prior AG-150A-J: Ver.3.21 and prior GB-50AD: Ver.3.21 and prior GB-50ADA-A: Ver.3.21 and prior GB-50ADA-J: Ver.3.21 and prior EB-50GU-A: Ver.7.11 and prior EB-50GU-J: Ver.7.11 and prior AE-200J: Ver.8.01 and prior AE-200A: Ver.8.01 and prior AE-200E: Ver.8.01 and prior AE-50J: Ver.8.01 and prior AE-50A: Ver.8.01 an...

### Summary A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). ### Details In `\allure2-main\plugins\xunit-xml-plugin\src\main\java\io\qameta\allure\xunitxml\XunitXmlPlugin.java` the application uses `DocumentBuilderFactory` without disabling DTDs or external entities. By generating a report with a malicious xml file within it, an attacker can perform XXE to leverage SSRF, or to read system files. ### PoC To recreate this vulnerability, you need to install allure for command-line (In my POC I used a Windows 11 Machine). 1. Create a folder called `allure`, and within it, create a malicious XML file. I will attach my SSRF and file reading payloads, however...