#zero_day

Silverfort has discovered that a misconfiguration can bypass an Active Directory Group Policy designed to disable NTLMv1, allowing…

Bill discusses how to find 'the helpers' and the importance of knowledge sharing. Plus, there's a lot to talk about in our latest vulnerability roundup.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity Vendor: Fuji Electric Equipment: Alpha5 SMART Vulnerability: Stack-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Fuji Electric Alpha5 SMART, a servo drive system, are affected: Alpha5 SMART: Versions 4.5 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121 The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code. CVE-2024-34579 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2024-34579. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.2 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Data Center Expert Vulnerabilities: Improper Verification of Cryptographic Signature, Missing Authentication for Critical Function 2. RISK EVALUATION Exploitation of these vulnerabilities could allow an attacker to expose private data or achieve remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: Schneider Electric Data Center Expert: 8.1.1.3 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347 An improper verification of cryptographic signature vulnerability exists that could compromise the Data Center Expert software when an upgrade bundle is manipulated to include arbitrary bash scripts that are executed as root. CVE-2024-8531 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS ...

"Operation 99" uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.

Tel Aviv, Israel, 15th January 2025, CyberNewsWire

Microsoft kicked off 2025 with a new set of patches for a total of 161 security vulnerabilities across its software portfolio, including three zero-days that have been actively exploited in attacks. Of the 161 flaws, 11 are rated Critical, and 149 are rated Important in severity. One other flaw, a non-Microsoft CVE related to a Windows Secure Boot bypass (CVE-2024-7344), has not been assigned

In 2024, the Taiwanese government saw the daily average of attempted attacks by China double to 2.4 million, with a focus on government targets and telecommunications firms.

Company has issued patches for an unprecedented 159 CVEs, including eight zero-days, three of which attackers are already exploiting.

Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three "zero-day" weaknesses that are already under active attack. Redmond's inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017.