Critical Mitel MiCollab Flaw Exposes Systems to Unauthorized File and Admin Access

December 5, 2024 at 10:27AM Cybersecurity researchers revealed a proof-of-concept exploit for a critical vulnerability (CVE-2024-41713) in Mitel MiCollab, enabling unauthorized file access via a path traversal attack. The flaw has been patched in versions 9.8 SP2 and later. Additionally, several vulnerabilities were found in Lorex security cameras, allowing remote code execution.

Researchers Warn of Privilege Escalation Risks in Google’s Vertex AI ML Platform

November 15, 2024 at 08:30AM Cybersecurity researchers uncovered two vulnerabilities in Google’s Vertex AI platform that could allow exploitation for privilege escalation and data exfiltration. Attackers could manipulate job permissions to access restricted resources and deploy malicious models to extract sensitive information. Google has addressed these issues, urging organizations to implement stricter model deployment controls.

ChatGPT allows access to underlying sandbox OS, “playbook” data

November 14, 2024 at 11:16AM Researcher Marco Figueroa identified vulnerabilities in OpenAI’s ChatGPT sandbox, allowing file uploads, Python script execution, and access to sensitive configurations. While interactions remain confined to the sandbox, these flaws could lead to reverse-engineering of security measures. OpenAI was notified but only expressed interest in one specific issue.

Unpatched Mazda Connect bugs let hackers install persistent malware

November 8, 2024 at 12:53PM Several vulnerabilities in the Mazda Connect infotainment system, affecting multiple models, allow attackers to execute arbitrary code and gain root access. The issues, including command injection and SQL injection flaws, remain unpatched. Exploitation requires physical access, but threats can arise in various contexts, posing significant risks to vehicle safety.

German Law Could Protect Researchers Reporting Vulns

November 6, 2024 at 04:36PM Germany’s draft legislation aims to protect security researchers from criminal liability when reporting cyber vulnerabilities. It amends existing laws to define criteria for legitimate security research and proposes penalties for malicious acts, with the intent to encourage reporting flaws rather than punishing those who identify them.

Researcher Discloses 32 Vulnerabilities Found in IBM Security Verify Access 

November 5, 2024 at 06:49AM IBM Security Verify Access has 32 vulnerabilities that attackers could exploit, potentially compromising the entire authentication infrastructure. This alarming discovery was disclosed by a researcher and highlights significant security risks. The findings were reported by SecurityWeek.

Hack Nintendo’s alarm clock to show cat pics? Let’s-a-go!

November 1, 2024 at 04:39AM Hacker GaryOderNichts successfully exploited a vulnerability in Nintendo’s Alarmo clock, allowing him to run custom code. Using insights from researcher Naomi Smith and tools like a Raspberry Pi, he extracted the device’s encryption key and created a payload displaying a cat picture. Nintendo has yet to respond to this hack.

Sophos reveals 5-year battle with Chinese hackers attacking network devices

October 31, 2024 at 06:21PM Sophos revealed its “Pacific Rim” reports detailing ongoing conflicts with Chinese threat actors over five years. These groups exploit vulnerabilities in networking devices to deploy malware, monitor communications, and facilitate attacks. Sophos has investigated multiple incidents, attributing them to actors like Volt Typhoon, APT31, and APT41/Winnti.

SolarWinds left critical hardcoded credentials in its Web Help Desk product

August 22, 2024 at 06:48PM SolarWinds acknowledged a critical security flaw (CVE-2024-28987) in its Web Help Desk (WHD) product, affecting versions 12.8.3 HF1 and earlier. The flaw allows unauthenticated attackers to manipulate sensitive data. An update, HF2, has been released to address the issue. Another critical vulnerability (CVE-2024-28986) has also been identified, with exploitation potential …

Ex-GitHub Engineers Raise $20M to Enhance Pen-Testing with AI-Powered XBOW

July 16, 2024 at 10:27AM Former GitHub engineers secured $20 million from Sequoia Capital for startup XBOW, aiming to use AI to boost pentesters, bug hunters, and security researchers’ efficiency. Founded by Oege de Moor and ex-GitHub engineers, the team includes former Lyft CISO Nico Waisman. XBOW’s AI autonomously passed 75% of web security benchmarks …