Aggregator
Huorong Q&A: How to Use IP Protocol Control in the Enterprise Edition
China-Linked Hackers Deploy New TencShell Malware Against Global Manufacturer
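Hackers Exploit Authentication Bypass Vulnerability in the Burst Statistics WordPress Plugin to Launch Attacks
China Media Group Secures Rights to the 2026 US-Canada-Mexico World Cup
[Reproduced] Security Risk Advisory: Linux Kernel ptrace Local Privilege Escalation Vulnerability (QVD-2026-26977)
New Crystal Discovered at the Trinity Nuclear Test Site
"Open to Offers": Hackers Breached an AI Company, Stole 5 GB of Code and Held an Auction on the Dark Web
Recovery of Brain Function Is Linked to Specific Immune Cells in the Brain
OpenAI Confirms Security Breach in TanStack Supply Chain Attack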
Pwn2Own Berlin 2026 - Day Two Results
Day Two of Pwn2Own Berlin 2026 and the stakes continue to rise! Security researchers are back on the Pwn2Own stage, pushing enterprise systems to their limits as the competition heats up. More exploits, more surprises, and more standout moments are unfolding, so follow along here for live updates as the race for Master of Pwn intensifies. There were plenty of big targets on the schedule today, including SharePoint, Exchange, and Safari.
Following an action-packed Day One where $523,000 was awarded for 24 unique 0-day vulnerabilities, Day Two added another $385,750 and 15 unique 0-days, bringing event totals to $908,750 with 39 unique vulnerabilities overall. DEVCORE holds a commanding lead for Master of Pwn with 40.5 points and $405,000, but with one day still to go, anything can happen. Here are the standings as of Day Two, but we'll see what the final day of the contest brings. Stay tuned!
We’ll be posting real-time updates and results throughout the competition right here on our blog and across social media. Stay up to date by following us on Twitter, Mastodon, LinkedIn, and Bluesky, and join the conversation using #Pwn2Own Berlin and #P2OBerlin for continuous coverage.
FAILURE - Unfortunately, Tao Yan & Edouard Bochin of Palo Alto Networks could not get their exploit of Apple Safari – Renderer Only working within the time allotted.
FAILURE - Unfortunately, Stephen Fewer of Rapid7 could not get their exploit of Microsoft SharePoint working within the time allotted.
SUCCESS - Ben Koo (@kiddo_pwn) of Team DDOS used a use-after-free bug to escalate privileges on Red Hat Enterprise Linux for Workstations in the second round, earning $10,000 and 1 Master of Pwn point.
SUCCESS - Dialed in! Nikolaos Mourousias (@deltaclock), Caue Obici (@caueobici) & Bruno Halltari (@BrunoModificato) of OtterSec used a Code Injection bug to exploit LM Studio in the second round, earning $20,000 and 4 Master of Pwn points. Full win!
COLLISION - Although successful on stage, Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) targeting Claude Desktop in the Coding Agent category used a bug that was previously known. They still earn $10,000 and 2 Master of Pwn points.
SUCCESS - Le Duc Anh Vu (@vulda17) of Viettel Cyber Security (@vcslab) exploited Cursor, earning $30,000 and 3 Master of Pwn points. Full win!
WITHDRAWAL - Kiyong Kwak of Kakaogames and Song Nuri of Samsung Electronics have withdrawn their entry for Apple Safari – Renderer Only in the Web Browser category.
FAILURE - Unfortunately, Ruitong of Abstract Team, University of Colorado Boulder could not get their exploit of Red Hat Enterprise Linux for Workstations working within the time allotted.
SUCCESS - Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) exploited OpenAI Codex in the second round, earning $20,000 and 4 Master of Pwn points.
COLLISION - Although successful on stage, Billy (@st424204), Bruce Chen (@bruce30262), Pan Zhenpeng (@Peterpan980927) & Weiming Shi (@bestswngs) of STARLabs SG (@starlabs_sg) targeting NVIDIA Megatron Bridge used a bug that was previously known. They still earn $2,500 and 1 Master of Pwn point.
WITHDRAWAL - Alon Ben Tsur (@iamgweej) and Yahav Azran (@_yahav) have withdrawn their entry for Red Hat Enterprise Linux for Workstations in the Local Escalation of Privilege category.
SUCCESS - Orange Tsai (@orange_8361) of DEVCORE Research Team chained 3 bugs to achieve Remote Code Execution as SYSTEM on Microsoft Exchange, earning $200,000 and 20 Master of Pwn points.
SUCCESS / COLLISION - David Tae & Louis Hur of Out Of Bounds targeted Ollama, hitting a one-vulnerability collision with a previous attempt and earning $28,000 and 3 Master of Pwn points.
FAILURE - Nguyen Thanh Dat (@rewhiles) of Viettel Cyber Security (@vcslab) could not get their exploit of Mozilla Firefox – Renderer Only working within the time allotted.
SUCCESS - Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., Urs Mueller (@compasssecurity) of Compass Security exploited Cursor in the second round, earning $15,000 and 3 Master of Pwn points.
SUCCESS - Siyeon Wi used an integer overflow bug to escalate privileges on Microsoft Windows 11 in the fourth round, earning $7,500 and 3 Master of Pwn points.
SUCCESS / COLLISION - Byung Young Yi (@yibarrack) of Out Of Bounds targeted LiteLLM, hitting a one-vulnerability collision with a previous attempt and earning $17,750 and 3.75 Master of Pwn points.
SUCCESS - Confirmed! 0xDACA (@0xDACA) & Noam Trobishi (@NTrobishi) used a use-after-free bug to exploit NV Container Toolkit in the second round, earning $25,000 and 5 Master of Pwn points.
Safari and Firefox Change How Specific Websites Are Rendered Based on Domain Name
Keycard helps developers secure autonomous AI agents with scoped access
Keycard has announced Keycard for Multi-Agent Apps, extending its platform to support delegated, session-based access across systems of autonomous agents. Keycard lets developers build apps where every agent has its own identity, access is scoped to each task and every action is fully attributable across agents, users and systems. “Enterprises are rebuilding business functions around AI agents. Right now the developers building these systems have to choose: give agents broad access and they’re ungovernable or …
The post Keycard helps developers secure autonomous AI agents with scoped access appeared first on Help Net Security.