Critical Vulnerabilities Found in Ruijie Reyee Cloud Management Platform

December 13, 2024 at 10:54AM Cybersecurity firm Claroty warned of vulnerabilities in Ruijie Networks' Reyee cloud management platform that could let attackers take control of an estimated 50,000 cloud-connected devices. Because valid device credentials could be derived from device serial numbers, an attacker could authenticate to the cloud on a device's behalf, mount denial-of-service attacks against devices, and potentially access sensitive data. Ruijie has reportedly fixed all of the reported issues.

OData Injection Risk in Low-Code/No-Code Environments

December 13, 2024 at 10:06AM Organizations using low-code/no-code (LCNC) platforms face security risks, particularly OData injection: when user-supplied values are concatenated into OData query parameters such as $filter, an attacker can change the query's logic and read records outside their intended scope. The issue is poorly understood and has few established safeguards. Proactive measures include automated monitoring of generated queries and collaboration between security teams and citizen developers so that inputs are validated and escaped before they reach a query.
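The pattern described above, as an added example that is not from the article or any LCNC vendor: a Python helper builds an OData $filter from a caller-supplied customer id, first by string concatenation and then with proper literal escaping and an allow-list check. The collection name Orders, the field CustomerId, the endpoint URL and the id format are all hypothetical. A small scanner shows what an OData parser sees as string literals in each version, which is where the injected `or` either takes effect or stays inert.

```python
import re
from urllib.parse import urlencode

# Hypothetical endpoint and field names; no real service is involved.
BASE_URL = "https://api.example.invalid/odata/Orders"
ID_FORMAT = re.compile(r"[A-Za-z0-9-]{1,32}")  # assumed shape of a customer id


def unsafe_filter(customer_id: str) -> str:
    """Vulnerable: the caller's value lands inside the $filter expression verbatim."""
    return f"CustomerId eq '{customer_id}'"


def odata_string_literal(value: str) -> str:
    """Encode a string as an OData string literal: a single quote is doubled."""
    return "'" + value.replace("'", "''") + "'"


def escaped_filter(customer_id: str) -> str:
    """Hardened: the value is emitted as exactly one escaped literal."""
    return "CustomerId eq " + odata_string_literal(customer_id)


def validated_filter(customer_id: str) -> str:
    """Hardened further: reject values that do not look like an id at all."""
    if not ID_FORMAT.fullmatch(customer_id):
        raise ValueError("customer id contains unexpected characters")
    return escaped_filter(customer_id)


def build_url(filter_expr: str) -> str:
    """Attach the expression as the $filter query option."""
    return BASE_URL + "?" + urlencode({"$filter": filter_expr})


def string_literals(expr: str) -> list[str]:
    """Return the decoded string literals an OData parser would find in expr.

    Text between literals (field names, eq/or/ne) is skipped; a doubled quote
    inside a literal is an escaped quote, a single one ends the literal.
    """
    literals, i, n = [], 0, len(expr)
    while i < n:
        if expr[i] != "'":
            i += 1
            continue
        i += 1  # opening quote
        buf = []
        while i < n:
            if expr[i] == "'":
                if i + 1 < n and expr[i + 1] == "'":
                    buf.append("'")
                    i += 2
                    continue
                i += 1  # closing quote
                break
            buf.append(expr[i])
            i += 1
        literals.append("".join(buf))
    return literals


if __name__ == "__main__":
    payload = "x' or CustomerId ne 'x"  # constructed injection payload
    print(unsafe_filter(payload), string_literals(unsafe_filter(payload)))
    print(escaped_filter(payload), string_literals(escaped_filter(payload)))
    print(build_url(validated_filter("C-1042")))
```

With the payload, the concatenated filter becomes `CustomerId eq 'x' or CustomerId ne 'x'`, a tautology that returns every order; the escaped version contains a single literal whose value is the whole payload, so the `or` never reaches the parser. The allow-list check is the second layer: most LCNC connectors let you shape inputs with a pattern, and an id that does not match should never become part of a query.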

In Other News: Gen Digital Makes $1B Buy, Recall Captures Sensitive Data, MITRE ATT&CK Evaluations

December 13, 2024 at 08:36AM SecurityWeek's weekly roundup covers, among other stories, new details of China's Salt Typhoon telecom espionage campaign, including access to phone call recordings; WhatsApp's fix for its View Once feature; and Russia's Secret Blizzard attacks on targets in Ukraine. Other developments include the latest MITRE ATT&CK Evaluations, Gen Digital's $1 billion acquisition of MoneyLion, Microsoft Recall capturing sensitive data, and layoffs in Yahoo's cybersecurity team.

Hackers Possibly Stole Personal Data From Bitcoin ATM Operator Byte Federal

December 13, 2024 at 08:21AM Bitcoin ATM operator Byte Federal has notified 58,000 individuals of a potential data breach, discovered on November 18, in which attackers exploited a vulnerability in GitLab. Personal data may have been accessed, but the company says no customer funds were compromised. Byte Federal has reset affected credentials and taken further security measures, and advises users to monitor their accounts for suspicious activity.

Microsoft Patches Vulnerabilities in Windows Defender, Update Catalog 

December 13, 2024 at 06:40AM Microsoft has patched two critical vulnerabilities: an information disclosure flaw in Windows Defender (CVE-2024-49071) and a privilege escalation flaw in the Microsoft Update Catalog (CVE-2024-49147). Both were fixed on the service side, so no customer action is required. Microsoft assigned CVE identifiers anyway, in line with its policy of documenting cloud-service vulnerabilities for transparency.

Over 300K Prometheus Instances Exposed: Credentials and API Keys Leaking Online

December 12, 2024 at 09:51AM Cybersecurity researchers warn that more than 300,000 publicly reachable Prometheus servers and exporters are exposed to information leakage and attack because they run without authentication, which Prometheus does not enable by default. Anyone who can reach them can read configuration and metrics that may contain credentials and API keys, and the built-in /debug/pprof profiling endpoints can be abused for denial of service. Organizations should put authentication in front of these instances, restrict network exposure, and monitor access to them.

Apache issues patches for critical Struts 2 RCE bug

December 12, 2024 at 08:39AM A severe remote code execution vulnerability (CVE-2024-53677) in Apache Struts 2 has been disclosed, rated CVSS 9.5 by Apache (9.8 in some third-party databases). The flaw lies in the file upload logic and can be exploited by an unauthenticated attacker. There are no workarounds: users must upgrade to Struts 6.4.0 or later and, as the Apache advisory notes, migrate to the new Action File Upload mechanism, since upgrading alone does not remove the vulnerable code path.

Researchers Uncover Symlink Exploit Allowing TCC Bypass in iOS and macOS

December 12, 2024 at 07:39AM A recently patched vulnerability in Apple's iOS and macOS could allow unauthorized access to sensitive user data by bypassing the Transparency, Consent, and Control (TCC) framework. Tracked as CVE-2024-44131, the flaw was in the FileProvider component: by placing a symlink in the path of a file operation performed through the Files app, a malicious app could intercept the operation and read or exfiltrate the data without triggering a TCC prompt.

WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins

December 12, 2024 at 05:15AM A critical vulnerability (CVE-2024-11972, CVSS 9.8) in the Hunk Companion WordPress plugin lets unauthenticated attackers install arbitrary plugins, which is being abused in the wild to install old, vulnerable plugins and achieve remote code execution. The flaw affects all versions prior to 1.9.0; the plugin has more than 10,000 installations. The same report also notes a separate high-severity flaw in WPForms.

Microsoft MFA AuthQuake Flaw Enabled Unlimited Brute-Force Attempts Without Alerts

December 11, 2024 at 09:42AM A critical weakness in Microsoft's multi-factor authentication (MFA), dubbed AuthQuake, allowed an attacker who already held a victim's password to brute-force the 6-digit verification code without the account being locked and without the user being alerted. The flaw stemmed from inadequate rate limiting on code attempts combined with codes that remained valid well beyond the expected window. Microsoft addressed the issue in October 2024 by tightening rate limits.
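To make the two factors concrete, here is an added illustration in Python; it is not Microsoft's code and the secret code, guess rate, code lifetimes and failure cap are assumptions chosen for the demo. A small verifier takes a code lifetime and an optional cap on failed attempts, an attacker routine enumerates codes in order, and a formula gives the success probability for a given number of guesses per code lifetime.

```python
import hmac
from typing import Optional

CODE_SPACE = 10 ** 6  # a 6-digit numeric code


class CodeVerifier:
    """Verifies a one-time code with a lifetime (seconds) and an optional failure cap."""

    def __init__(self, code: str, lifetime_s: float, max_failures: Optional[int] = None):
        self._code = code
        self.lifetime_s = lifetime_s
        self.max_failures = max_failures  # None = no rate limit, as in the flawed setup
        self.failures = 0
        self.locked = False

    def verify(self, guess: str, elapsed_s: float) -> str:
        """Return 'ok', 'wrong', 'expired' or 'locked'. elapsed_s is time since issue."""
        if self.locked:
            return "locked"
        if elapsed_s > self.lifetime_s:
            return "expired"
        if hmac.compare_digest(guess, self._code):  # constant-time comparison
            return "ok"
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return "wrong"


def brute_force(verifier: CodeVerifier, seconds_per_guess: float) -> Optional[int]:
    """Guess 000000, 000001, ... until success, lockout or expiry.

    Returns the number of guesses made on success, or None if the attack is stopped.
    """
    for i in range(CODE_SPACE):
        result = verifier.verify(f"{i:06d}", elapsed_s=i * seconds_per_guess)
        if result == "ok":
            return i + 1
        if result in ("locked", "expired"):
            return None
    return None


def success_probability(guesses_per_lifetime: int, lifetimes: int,
                        space: int = CODE_SPACE) -> float:
    """Chance of hitting at least one code given distinct guesses per code lifetime
    and the number of fresh codes the attacker gets to attack."""
    per_code = min(guesses_per_lifetime, space) / space
    return 1 - (1 - per_code) ** lifetimes


if __name__ == "__main__":
    # Constructed scenario: secret is the 1,501st code, attacker manages 10 guesses/second.
    secret, rate = "001500", 0.1
    print("30 s lifetime, no cap:   ", brute_force(CodeVerifier(secret, 30), rate))
    print("180 s lifetime, no cap:  ", brute_force(CodeVerifier(secret, 180), rate))
    print("180 s lifetime, cap 10:  ", brute_force(CodeVerifier(secret, 180, 10), rate))
    print("P(success), 1800 guesses per code, 20 codes:",
          round(success_probability(1800, 20), 4))
```

The three runs separate the two weaknesses: with a short lifetime the attacker runs out of time before reaching the code; with an extended lifetime and no cap the same attack succeeds; with a cap of ten failures it is locked out after ten guesses regardless of lifetime. The probability function shows why the lifetime matters even when each individual code is unlikely to be guessed: every fresh code is another independent draw, so the chance accumulates across codes.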