#CommandInjection

Cisco Says Flaws in Industrial Routers, BGP Tool Remain Unpatched 8 Months After Disclosure

by

December 10, 2024 at 07:21AM Cisco’s Talos unit has revealed several unpatched vulnerabilities in MC Technologies’ industrial router and GoCast’s BGP tool, despite responsible disclosure to vendors months ago. Notably, the MC LR router has four high-severity command injection flaws, while GoCast has three critical vulnerabilities, both potentially exploitable through crafted HTTP requests. ### Meeting … Read more

Critical OpenWrt Flaw Exposes Firmware Update Server to Exploitation

by

December 9, 2024 at 01:29PM The OpenWrt Project has released a critical patch addressing a vulnerability (CVE-2024-54143) that could allow attackers to inject malicious firmware through its sysupgrade server. Issues include command injection in the image builder and truncated SHA-256 hash collisions, compromising firmware integrity. Users are urged to upgrade to mitigate risks. ### Meeting … Read more

QNAP Patches Vulnerabilities Exploited at Pwn2Own

by

December 9, 2024 at 08:29AM QNAP Systems announced security patches for vulnerabilities discovered at Pwn2Own Ireland 2024, including a severe command injection flaw (CVE-2024-50393) and a CRLF injection bug (CVE-2024-48868), both with CVSS scores of 8.7. Users are urged to update their systems to protect against potential attacks. ### Meeting Takeaways 1. **Vulnerability Patches Released**: … Read more

CISA warns of more Palo Alto Networks bugs exploited in attacks

by

November 14, 2024 at 05:03PM CISA has identified two critical vulnerabilities in Palo Alto Networks’ Expedition migration tool, now actively exploited: CVE-2024-9463 (unauthenticated command injection) and CVE-2024-9465 (SQL injection). Federal agencies must patch affected systems by December 5. Security updates are available in Expedition 1.2.96 and later, and user credentials should be rotated post-update. **Meeting … Read more

Critical bug in EoL D-Link NAS devices now exploited in attacks

by

November 13, 2024 at 01:37PM A critical vulnerability (CVE-2024-10914) in D-Link end-of-life NAS devices allows unauthenticated command injection via malicious HTTP requests. D-Link has ceased support and advises customers to retire affected models. Despite warnings, attackers have begun exploiting this flaw, targeting over 41,000 exposed devices on the internet. ### Meeting Takeaways 1. **Critical Vulnerability … Read more

Many Legacy D-Link NAS Devices Exposed to Remote Attacks via Critical Flaw

by

November 11, 2024 at 06:10AM D-Link has alerted users about a critical command injection vulnerability in several discontinued NAS models, leaving them exposed to remote attacks. This emphasizes the importance of maintaining security awareness for legacy devices. **Meeting Takeaways:** 1. **Vulnerability Alert**: D-Link has identified a critical-severity command injection vulnerability. 2. **Affected Products**: The issue … Read more

HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities

by

November 11, 2024 at 05:39AM Hewlett Packard Enterprise (HPE) released security updates for Aruba Networking Access Point products, addressing critical command injection vulnerabilities (CVE-2024-42509, CVE-2024-47460) that allow unauthenticated remote code execution. Users are advised to enable cluster security or block access to UDP port 8211 and implement management access controls to mitigate risks. **Meeting Takeaways: … Read more

D-Link won’t fix critical flaw affecting 60,000 older NAS devices

by

November 8, 2024 at 02:23PM Over 60,000 D-Link NAS devices are vulnerable to a critical command injection flaw (CVE-2024-10914). An attacker can exploit it via crafted HTTP GET requests. D-Link confirmed no fix will be provided and recommends retiring the affected devices or isolating them from the internet due to their end-of-life status. ### Meeting … Read more

Unpatched Mazda Connect bugs let hackers install persistent malware

by

November 8, 2024 at 12:53PM Several vulnerabilities in the Mazda Connect infotainment system, affecting multiple models, allow attackers to execute arbitrary code and gain root access. The issues, including command injection and SQL injection flaws, remain unpatched. Exploitation requires physical access, but threats can arise in various contexts, posing significant risks to vehicle safety. ### … Read more

HPE Patches Critical Vulnerabilities in Aruba Access Points

by

November 8, 2024 at 06:49AM HPE has issued a warning about two critical vulnerabilities in Aruba Networking access points, which could allow for unauthenticated command injection. The company has since released patches to address these security issues. **Meeting Takeaways:** 1. **Company Alert**: HPE has issued a warning regarding two critical vulnerabilities identified in Aruba Networking … Read more