Aggregator
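Frontier | China's Position on International Cooperation in AI Governance
Focus | Blue Lotus Team 15th Anniversary Forum Held in Beijing, Discussing the Path of the Cybersecurity Geek
We've Gone "Red"! The National Team of Information Security Media, Licensed and Showing Its Credentials!
They do not know each other, yet they have already reached an agreement: AI has begun to create its own society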
CVE-2008-6927 | cPanel autoinstall4imagesgalleryupgrade.php cross site scripting (EDB-6897 / XFDB-46253)
Pwn2Own Berlin 2025: Day One Results
Welcome to the first day of Pwn2Own Berlin 2025! We have 11 different attempts, including our first ever AI attempts. We’ll be updating this blog with results as we have them.
And that brings Day One of #Pwn2Own Berlin to a close. We awarded $260,000 today, but more great research is yet to come. STAR Labs has an early lead on Master of Pwn, but it's anyone's game at this point. Stay tuned for more results as we go.
SUCCESS - Pumpkin (@u1f383) from DEVCORE Research Team used an integer overflow to escalate privs on Red Hat Linux. He earns $20,000 and 2 Master of Pwn points.
Going from user land to root.
COLLISION - We have a bug collision. Although Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) successfully demonstrated his exploit of #NVIDIA Triton, the bug he used was known by the vendor (but not patched). He still earns $15K and 1.5 Master of Pwn points.
SUCCESS - Chen Le Qi (@cplearns2h4ck) of STARLabs SG combined a UAF and an integer overflow to escalate to SYSTEM on #Windows 11. He earns $30,000 and 3 Master of Pwn points.
FAILURE - Unfortunately, the team from Wiz Research could not get their exploit of the NVIDIA Triton Inference working within the time allotted.
COLLISION - Hyunwoo Kim (@V4bel) and Wongi Lee (@_qwerty_po) of Theori were able to escalate to root on Red Hat Linux with an info leak and a UAF, but one of the bugs used was an N-day. They still win $15,000 and 1.5 Master of Pwn points.
SUCCESS - The first ever winner of the AI category in Pwn2Own history is Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam). His successful exploitation of Chroma earns him $20,000 and 2 Master of Pwn points.
SUCCESS - In a surprise to no one, Marcin Wiązowski's privilege escalation on Windows 11 is confirmed! He used an Out-of-Bounds Write to escalate to SYSTEM. His work earns him $30,000 and 3 Master of Pwn points.
SUCCESS - Their enthusiasm was rewarded as Team Prison Break (Best of the Best 13th) used an integer overflow to escape Oracle VirtualBox and execute code on the underlying OS. They earn $40,000 and 4 Master of Pwn points.
COLLISION - We have another collision - Viettel Cyber Security (@vcslab) targeting NVIDIA Triton Inference Server successfully demonstrated their exploit - however it was known to the vendor, but not yet patched. They still earn $15,000 and 1.5 Master of Pwn points.
SUCCESS - Hyeonjin Choi (@d4m0n_8) of Out Of Bounds earns $15,000 for a third round win and 3 Master of Pwn points by successfully using a type confusion bug to escalate privileges in Windows 11.
SUCCESS - Nicely done! Billy and Ramdhan of STAR Labs used a UAF to perform their Docker Desktop escape and execute code on the underlying OS. They earn $60,000 and 6 Master of Pwn Points.
Malicious PyPI Packages Target Solana Developers
Branch Privilege Injection Attack Affects All Intel CPUs
ANY.RUN Becomes a Gold Winner in Threat Intelligence at Globee Awards 2025
We are honored to announce that ANY.RUN became a gold winner at the annual Globee Business Awards 2025. The award aims to recognize and celebrate excellence in various industries worldwide, including cybersecurity. Our solution, ANY.RUN’s TI Lookup, was named best in the Cyber Threat Intelligence category. We believe that threat intelligence is an essential aspect […]
The post ANY.RUN Becomes a Gold Winner in Threat Intelligence at Globee Awards 2025 appeared first on ANY.RUN's Cybersecurity Blog.
CVE-2025-4467 | SourceCodester Online Student Clearance System 1.0 /admin/edit-admin.php id/txtfullname/txtemail/cmddesignation sql injection (EUVD-2025-14158)
CVE-2025-4579 | WP Content Security Plugin Plugin up to 2.3 on WordPress CSP-Report Field cross site scripting (EUVD-2025-14943)
Russia-Linked APT28 Exploited MDaemon Zero-Day to Hack Government Webmail Servers
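Become an IDA 9.0 Master in 7 Days: From Zero Background to Reverse-Engineering Expert
Shocking! "Xinbi Guarantee" Linked to $8.4 Billion in Crypto Crime, Connecting Pig-Butchering Scams, Human Trafficking and Money Laundering
firmadyne Source Code Analysis: Lifting the Black-Box Veil on Firmware Emulation
Dior has been hacked. The fashion house's customers are now targets for phishing and identity theft
More forms of espionage made punishable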
CyberStrong May Product Update
The team at CyberSaint is thrilled to announce the latest additions and updates to the CyberStrong solution. To start, we’ve expanded Continuous Control Automation to help our clients streamline adoption and configuration, helping you assess your cyber risk data faster than ever before. We’ve also added updates to editing reports and an important update to tracking risk trends on the Executive Dashboard.
The post CyberStrong May Product Update appeared first on Security Boulevard.