ESET Patches Privilege Escalation Vulnerabilities in Windows, macOS Products

September 23, 2024 at 10:00AM ESET released patches for high-severity CVE-2024-7400 impacting Windows products, enabling privilege escalation through file deletion. The fix was automatically distributed to customers. The security flaw affected multiple end-user and enterprise products. ESET also addressed medium-severity CVE-2024-6654, which could cause denial-of-service attacks on macOS security tools, with patches for Cyber Security … Read more

GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions

September 19, 2024 at 01:36AM GitLab released patches to address a critical flaw in both Community and Enterprise Editions, rooted in the ruby-saml library, allowing an authentication bypass. The vulnerability affects single sign-on security, prompting the update of dependencies and urging self-managed installations to enable two-factor authentication as a mitigation. Threat indicators suggest active exploitation … Read more

Google tags a tenth Chrome zero-day as exploited this year

August 26, 2024 at 06:00PM Google announced that it has fixed the tenth zero-day vulnerability exploited in 2024, either by attackers in the wild or by security researchers in hacking contests. … Read more

Microsoft discloses Office zero-day, still working on a patch

August 9, 2024 at 12:17PM Microsoft has identified a high-severity zero-day vulnerability in Office 2016 and later versions, for which a patch is yet to be released. … Read more

Google fixes Android kernel zero-day exploited in targeted attacks

August 5, 2024 at 06:43PM This month’s Android security updates address 46 vulnerabilities, including a high-severity remote code execution (RCE) flaw that has been exploited in targeted attacks. … Read more

Recent Adobe Commerce Vulnerability Exploited in Wild

July 18, 2024 at 11:03AM CISA and Adobe issued warnings about an actively exploited vulnerability in Adobe Commerce, allowing attackers to execute arbitrary code. Adobe released patches for affected versions and an isolated patch for the vulnerability. CISA included the vulnerability in its Known Exploited Vulnerabilities catalog, and federal agencies have until August 7 to … Read more

Organizations Warned of Exploited GeoServer Vulnerability

July 16, 2024 at 12:09PM CISA is urgently advising federal agencies to address a high-severity vulnerability in GeoServer (CVE-2024-36401) due to active exploitation risks. The flaw allows unauthenticated attackers to execute remote code through crafted input, affecting all GeoServer instances. Users are recommended to apply the latest patches and review CISA’s Known Exploited Vulnerabilities list … Read more

Exploitation Attempts Target New MOVEit Transfer Vulnerability

June 26, 2024 at 06:05AM Progress Software announced patches for two critical authentication bypass vulnerabilities affecting its MOVEit Transfer file transfer software. CVE-2024-5805 and CVE-2024-5806 were identified, with the latter already targeted by exploitation attempts. The company released patches for both, along with further mitigations for the third-party component vulnerability behind CVE-2024-5806, amid heightened security concerns. After reviewing … Read more

CISA Warns of Exploited Linux Kernel Vulnerability

May 31, 2024 at 07:36AM CISA warns of active exploitation of Linux kernel vulnerability CVE-2024-1086, which enables local attackers to elevate privileges. Confirmed affected versions range from 5.14 to 6.6, though all versions since 3.15 may be impacted. Various distributions are confirmed affected, with more likely. Proof-of-concept code has been published, and successful exploitation may lead to arbitrary … Read more

CrushFTP Patches Exploited Zero-Day Vulnerability

April 22, 2024 at 09:33AM CrushFTP issued patches for a zero-day vulnerability affecting versions 9, 10, and 11. The flaw could allow an unauthenticated attacker to access system files. DMZ server users are protected. Versions 10.71 and 11.1.0 contain the patches; customers on version 9 should upgrade. The vulnerability has been exploited in the wild, and … Read more