Aggregator

A vulnerability was found in KAON KCM3100 up to 1.4.2. It has been declared as very critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to authentication bypass using alternate channel. This vulnerability is known as CVE-2025-51381. The attack can be launched remotely. There is no exploit available.

A vulnerability was found in NVIDIA NVDebug Tool 1.6.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to internal asset exposed to unsafe debug access level or state. This vulnerability is handled as CVE-2025-23252. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in conda-forge conda-smithy up to 3.47.0 and classified as critical. This issue affects the function travis_headers of the component Configuration File Handler. The manipulation leads to incorrect default permissions. The identification of this vulnerability is CVE-2025-49843. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in ggml-org llama.cpp. It has been classified as critical. Affected is the function llama_vocab::impl::token_to_piece of the file llama.cpp/src/vocab.cpp. The manipulation leads to memory corruption. This vulnerability is traded as CVE-2025-49847. It is possible to launch the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

As applications become more distributed, traditional monitoring and security tools are failing to keep pace. This article explores how eBPF, when utilized by the graduated CNCF Cilium and its sub-project Tetragon, combined with Software Bills of Materials (SBOMs), can provide insights and a security feedback loop for modern systems. We’ll create a container image and its SBOM. We’ll then launch it, simulate a breach, and see how our eBPF-based setup with Tetragon captures the issue. … More →

The post Kernel-level container insights: Utilizing eBPF with Cilium, Tetragon, and SBOMs for security appeared first on Help Net Security.

A vulnerability has been found in microlight 0.0.7 and classified as problematic. This vulnerability affects unknown code of the file microlight.js of the component Color Value Handler. The manipulation leads to null pointer dereference. This vulnerability was named CVE-2025-45525. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as very critical, was found in teleport Community Edition up to 17.5.1. This affects an unknown part. The manipulation leads to incorrect authorization. This vulnerability is uniquely identified as CVE-2025-49825. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in microlight 0.0.7. Affected by this issue is the function reset of the file microlight.js. The manipulation leads to denial of service. This vulnerability is handled as CVE-2025-45526. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as critical was found in Sitecore Experience Manager and Experience Platform up to 7.0. Affected by this vulnerability is an unknown functionality of the component Powershell Extension. The manipulation leads to unrestricted upload. This vulnerability is known as CVE-2025-34511. The attack can be launched remotely. There is no exploit available.

A vulnerability classified as very critical has been found in Trend Micro Endpoint Encryption Policy Server. Affected is an unknown function. The manipulation leads to use of obsolete function. This vulnerability is traded as CVE-2025-49214. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Lychee up to 6.6.9. It has been rated as critical. This issue affects some unknown processing of the file SecurePathController.php. The manipulation leads to path traversal. The identification of this vulnerability is CVE-2025-50202. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in conda-forge conda-smithy up to 3.47.0. It has been declared as problematic. This vulnerability affects the function travis_encrypt_binstar_token. The manipulation leads to information disclosure. This vulnerability was named CVE-2025-49824. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in comfyanonymous comfyui 0.3.40. It has been classified as problematic. Affected is the function set_attr of the file /comfy/utils.py. The manipulation leads to dynamically-determined object attributes. This vulnerability is traded as CVE-2025-6107. It is possible to launch the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

Veeam has rolled out patches to contain a critical security flaw impacting its Backup & Replication software that could result in remote code execution under certain conditions. The security defect, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of a maximum of 10.0. "A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user," the

美国总统特朗普将字节跳动剥离 TikTok 美国业务的最后期限再次延长 90 天。这是特朗普上任至今第三次给予 TikTok 宽限期。TikTok 美国业务出售或被禁止服务的禁令原本于 2025 年 1 月 19 日生效，特朗普于 1 月 20 日上任之后就给了它 75 天宽限期。该宽限期于 4 月 5 日截至，但将 TikTok 美国业务出售给美国公司的谈判仍然在进行之中，特朗普之后第二次给了 75 天的宽限期。在 6 月 19 日第二次宽限期即将结束之际，白宫宣布再次延长 90 天。白宫新闻秘书 Karoline Leavitt 在一份声明中表示，政府将在延长期间努力确保交易完成，让美国人民能继续使用 TikTok，并确保数据安全。

Iran has throttled internet access in the country in a purported attempt to hamper Israel's ability to conduct covert cyber operations, days after the latter launched an unprecedented attack on the country, escalating geopolitical tensions in the region. Fatemeh Mohajerani, the spokesperson of the Iranian Government, and the Iranian Cyber Police, FATA, said the internet slowdown was designed to

This article showcases free, open-source security tools that support your organization’s teams in red teaming, threat hunting, incident response, vulnerability scanning, and cloud security. Autorize: Burp Suite extension for automatic authorization enforcement detection Autorize is an open-source Burp Suite extension that checks if users can access things they shouldn’t. It runs automatic tests to help security testers find authorization problems. BadDNS: Open-source tool checks for subdomain takeovers BadDNS is an open-source Python DNS auditing tool … More →

The post 35 open-source security tools to power your red team, SOC, and cloud security appeared first on Help Net Security.

因与以色列之间日益加剧的冲突，伊朗在采取限制互联网访问的措施之后，准备全面切断与全球互联网之间的接入，此举旨在阻止以色列的网络攻击。伊朗政府还督促公民删除 WhatsApp 应用，声称该应用被以色列用于监视。WhatsApp 是伊朗最受欢迎的消息平台之一。在伊以爆发冲突之后，伊朗居民报告互联网服务经常中断，甚至 VPN 也越来越不可靠。Cloudflare 报告称伊朗两家主要移动运营商周二下线。NetBlocks 监测显示伊朗的互联网流量大幅下降。伊朗网民仍然可以访问国内互联网，但官员表示内部网络的带宽也可能会缩减八成。

Will humans remain essential in cybersecurity, or is AI set to take over? According to Wipro, many CISOs are leveraging AI to improve threat detection and response times and to build enhanced incident response capabilities. What’s changing AI systems can now perform a variety of tasks that were once handled by entry-level analysts, such as drafting reports, generating alerts, and assembling presentations for management. By taking over these repetitive jobs, AI gives human professionals more … More →

The post AI is changing cybersecurity roles, and entry-level jobs are at risk appeared first on Help Net Security.

A CVSS score 7.3 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Sharkkcode and Zeze with TeamT5' was reported to the affected vendor on: 2025-06-18, 78 days ago. The vendor is given until 2025-10-16 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.