Why CISOs Must Rethink Access, Behavioral Analytics and AI Governance at Scale
Zero trust is evolving beyond static controls and network segmentation. CISOs must prepare for dynamic, behavior-driven security models that incorporate real-time intelligence, enforce identity and data safeguards, and manage AI as both a threat vector and a security tool.
In the Rush for AI-Run SOCs, Security Experts Warn of Trust and Governance Issues
AI SOC agents are touted as the future of security operations, promising nonstop triage and faster response. But cybersecurity experts warn that most autonomous AI solutions are still immature, are prone to false answers and lack the guardrails needed to keep them from running amok.
Attacker Socially Engineered Developer With Phishing Email
A hacker laced 18 popular npm packages with cryptocurrency-stealing malware after socially engineering the developer into giving up his credentials to the JavaScript runtime environment. Aikido Security said the 18 software packages collectively have downloads of more than two billion each week.
State Department Offers Up to $10M for Tips on Volodymyr Tymoshchuk
A hacker who federal prosecutors say was behind the LockerGoga and MegaCortex ransomware strains faces a seven-count criminal indictment in U.S. federal court, prosecutors said Tuesday. Ukrainian national Volodymyr Tymoshchuk, 28, was administrator of the two ransomware operations, prosecutors say.
Breach Affecting 104,000 Underscores Health Data Risks for Non-Healthcare Firms
An Ohio hand tool manufacturer that sells its products through franchises is notifying nearly 104,000 people of a breach potentially compromising their medical data. The incident is a cautionary tale for non-healthcare sector entities about the risks they face involving health information.
Firms cooperating with cybercrime syndicates in Burma and Cambodia face sanctions by the US government and enforcement actions by China, but the scams continue to grow.
A vulnerability was found in Microsoft Windows. It has been rated as problematic. This issue affects some unknown processing of the component RRAS. This manipulation causes buffer over-read.
The identification of this vulnerability is CVE-2025-53796. It is possible to initiate the attack remotely. There is no exploit available.
It is recommended to apply a patch to fix this issue.
A vulnerability was found in Microsoft Windows. It has been declared as critical. This vulnerability affects unknown code of the component PowerShell. The manipulation results in improper restriction of communication channel to intended endpoints.
This vulnerability was named CVE-2025-49734. The attack needs to be approached locally. There is no available exploit.
It is best practice to apply a patch to resolve this issue.
A vulnerability described as problematic has been identified in SAP NetWeaver and ABAP Platform 740/2008_1_710/ST-PI 2008_1_700. The affected element is an unknown function of the component RFC Enabled Function Module. Executing manipulation can lead to missing authorization.
This vulnerability is handled as CVE-2025-27428. The attack can be executed remotely. There is not any exploit available.
A patch should be applied to remediate this issue.
A vulnerability, which was classified as critical, was found in VMware Spring Security up to 6.4.3. This affects the function BCryptPasswordEncoder.matches of the component Long Password Handler. Executing manipulation can lead to improper authentication.
This vulnerability appears as CVE-2025-22228. The attack may be performed remotely. There is no available exploit.
You should upgrade the affected component.
A vulnerability categorized as problematic has been discovered in Blog Designer Pro Plugin up to 3.4.7 on WordPress. Affected is an unknown function. Such manipulation leads to cross-site scripting.
This vulnerability is uniquely identified as CVE-2025-47694. The attack can be launched remotely. No exploit exists.
A vulnerability, which was classified as critical, has been found in Majestic Support Plugin up to 1.1.0 on WordPress. This issue affects some unknown processing. Performing manipulation results in missing authorization.
This vulnerability is cataloged as CVE-2025-49860. It is possible to initiate the attack remotely. There is no exploit available.
A vulnerability was found in Blog Designer PRO Plugin up to 3.4.7 on WordPress. It has been declared as critical. This affects an unknown part. Such manipulation leads to file inclusion.
This vulnerability is traded as CVE-2025-47695. The attack may be launched remotely. There is no exploit available.