January 28, 2024 at 08:35PM Trend Micro’s Zero Day Initiative held an automotive-focused Pwn2Own event in Tokyo, awarding over $1.3 million for 49 vehicle-related zero day vulnerabilities. Synacktiv secured $450,000 for demonstrating six successful exploits, including gaining root access to a Tesla Modem. Additionally, critical vulnerabilities in various products were reported, urging prompt installation of … Read more
January 26, 2024 at 08:15AM CISA warned that Westermo Lynx industrial switches are vulnerable to eight flaws, with potential for remote exploitation and device tampering. Spanish cybersecurity researchers identified the flaws, including cross-site scripting and code injection. Although some vulnerabilities are challenging to exploit, the company is addressing the issues with a patch for CSRF … Read more
January 24, 2024 at 07:36AM Google announced the release of Chrome 121, addressing 17 vulnerabilities, 11 of which were reported by external researchers. Three were rated as ‘high’ severity, earning bug bounty rewards totaling over $30,000. The update also resolved six medium-severity and two low-severity issues. The specific technical details of the resolved bugs were … Read more
January 23, 2024 at 01:48PM Three vulnerabilities in Lamassu Douro bitcoin ATMs allowed attackers with physical access to take over and steal user assets, as reported by IOActive. The vulnerabilities, tracked as CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177, enabled attackers to execute an attack with the same level of access as regular customers. Lamassu fixed the bugs … Read more
January 22, 2024 at 03:24PM Apple has released iOS 17.3 and macOS Sonoma 14.3 updates to address 16 vulnerabilities including WebKit flaws exploited in zero-day attacks. Apple warns of code execution, denial-of-service, and data exposure threats and suspects recent exploitation. The updates also fix security issues in several other components. Apple hasn’t provided technical details … Read more
January 21, 2024 at 09:37PM “Pompourin,” former admin of BreachForums, sentenced to 20 years supervised release after pleading guilty to running a site facilitating sales of stolen data, hacking tools, and illegal materials. New UEFI vulnerabilities, PixieFail, impact network booting, involving several vendors. Also critical Chrome and Ivanti Endpoint Manager Mobile vulnerabilities. Researchers discover iOS … Read more
January 19, 2024 at 07:54PM CISA is pressuring organizations to urgently address critical vulnerabilities in Ivanti Connect Secure VPN. Agencies must apply available mitigations, remove compromised products, and report infected devices. This follows a Chinese government-backed hacking team exploiting the vulnerabilities. The company has released pre-patch mitigations, with comprehensive fixes set to begin rollout on … Read more
January 19, 2024 at 02:30PM CISA issued an emergency directive to address widespread exploitation of Ivanti Connect Secure and Ivanti Policy Secure flaws by threat actors. Federal agencies must immediately implement mitigation measures, report indications of compromise, and take action to restore impacted appliances. Threat monitoring service has detected compromised Ivanti appliances being used for … Read more
January 19, 2024 at 12:24PM Members of the Huntr bug bounty platform discovered critical vulnerabilities in MLflow and Hugging Face. The vulnerabilities in MLflow, with a CVSS score of 10, enabled attackers to delete files, access sensitive information, or execute remote code. Hugging Face also had a flaw allowing the injection of malicious code. ClearML … Read more
January 19, 2024 at 06:12AM The US security agency CISA warns of increasing exploitation of two Ivanti Connect Secure VPN vulnerabilities by a Chinese cyberespionage group, compromising over 2,100 devices belonging to various organizations. Additionally, a separate Ivanti product flaw is being exploited. Patches have been released with mitigations, but widespread exploitation continues, including new … Read more