Fortra Patches Critical SQL Injection in FileCatalyst Workflow

June 28, 2024 at 07:12AM Fortra released patches for a critical SQL injection vulnerability (CVE-2024-5276, CVSS 9.8) in FileCatalyst Workflow version 5.1.6 Build 135 and earlier. The flaw could allow an attacker to create administrative user accounts and modify application data. Tenable identified the issue and published proof-of-concept (PoC) code for exploiting it. Fortra addressed the vulnerability in version 5.1.6 …

Batten down the hatches, it’s time to patch some more MOVEit bugs

June 26, 2024 at 09:35AM Progress Software disclosed new vulnerabilities affecting MOVEit Transfer and Gateway, including critical authentication-bypass-style flaws with a severity score of 9.1. Last year’s breaches affected 2,773 organizations, which prompted an embargo on the information until June 25 to allow time for patching. The vulnerabilities could lead to file-less attacks and should be …

Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day

April 26, 2024 at 10:18AM Over 1,400 vulnerable CrushFTP instances are at risk due to a critical server-side template injection bug (CVE-2024-4040). Attackers can escape the virtual file system (VFS) sandbox, gain admin privileges, and execute code. CrushFTP urges immediate upgrades, warning that the vulnerability is being exploited, with potential for data exfiltration. Difficulty in detecting exploitation adds …

Patch Now: CrushFTP Zero-Day Cloud Exploit Targets US Orgs

April 24, 2024 at 09:33AM Security researchers and CrushFTP warn of a critical sandbox escape flaw (CVE-2024-4040) in version 11.1 of the multiprotocol, multiplatform, cloud-based file transfer server. The vulnerability has been actively exploited, potentially in politically motivated intelligence-gathering attacks on US organizations. Publicly available exploit code raises the risk further, urging immediate …

CrushFTP Patches Exploited Zero-Day Vulnerability

April 22, 2024 at 09:33AM CrushFTP issued patches for a zero-day vulnerability affecting versions 9, 10, and 11. The flaw could allow an unauthenticated attacker to access system files. DMZ server users are protected. Versions 10.71 and 11.1.0 contain the patches. Customers on version 9 should upgrade. The vulnerability has been exploited in the wild, and …

AnyDesk Compromised, Passwords Revoked

February 5, 2024 at 04:52PM AnyDesk announced that its production systems had been compromised, leading to plans for certificate revocation and password resets. The company assured that end-user devices were unaffected and that it is collaborating with law enforcement agencies. AnyDesk advised customers to update their passwords and confirmed that it is safe to use its …