Aggregator

DuraCommが提供するSPM-500 DP-10iN-100-MUには、複数の脆弱性が存在します。

Lantronixが提供するProvisioning Managerには、XML外部エンティティ参照（XXE）の不適切な制限の脆弱性が存在します。

Phishing is one of the oldest and most effective technique used by cybercriminals. No one is immune to them, not even internet security experts, as seen in the case of Troy Hunt, who recently fell for a phishing email. Before AI became mainstream, phishing emails often gave themselves away. They were full of grammar mistakes and awkward wording, making them easier to spot. That’s changed. Today’s phishing attacks are much more convincing, often looking just … More →

The post Phishing simulations: What works and what doesn’t appeared first on Help Net Security.

Huntress's Kyle Hanslovan Warns of MFA Bypass, Rogue Apps, Fake Device Enrollments
Cybercriminals are bypassing MFA using session tokens and rogue app access, with shadow workflows enabling persistent inbox theft against SMBs. Huntress offers behavioral training and managed identity response to SMBs for real protection not just more alerts, says CEO Kyle Hanslovan.

Early Hacktivists Laid the Blueprint for Chinese Hacking
There's a reason why many of the same tools appear time and time again in Chinese nation-state hacking: A first-generation of hackers who grew up together online and continue to swap techniques to this day. A report shows the influence of the so-called "Red 40".

Alpha Wellness Says 'Devastating' Incident Forced Closure of Georgia-Based Center
Another small medical care provider has shut its doors forever as the result of a recent "devastating" cyberattack. Georgia-based Alpha Wellness & Alpha Medical Centre has permanently pulled the plug on its operations following a data theft attack by cybercriminal gang RansomHub.

Experts Say Critical Infrastructure Sectors Have Made Little Cybersecurity Progress
Panelists told the House subcommittee on cybersecurity and infrastructure protection that U.S. critical infrastructure sectors have made few cyber improvements over the last 15 years despite fears of retaliation following digital and physical attacks on Iranian nuclear sites.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'volticks (@movx64 on twitter)' was reported to the affected vendor on: 2025-07-23, 60 days ago. The vendor is given until 2025-11-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

Schneider Electricが提供する複数の製品には、複数の脆弱性が存在します。

"Discovery Drive"是一款自动天线旋转器，适用于"Discovery Dish"及其他类似天线。它支持跟踪极地轨道卫星并快速切换至地静止卫星。内置ESP32控制器，支持Wi-Fi或串口控制，并兼容多种软件。具备高扭矩、高精度及防水设计，适合户外使用。预发布页面已上线，众筹期间价格将优惠至少100美元。

Китайцы нашли обход, пока вы обновлялись.

美国网络安全和基础设施安全局（CISA）于7月22日将两个Microsoft SharePoint漏洞（CVE-2025-49704和CVE-2025-49706）添加到已知被利用的漏洞目录中，并要求联邦机构在次日修复。这些漏洞涉及伪造和远程代码执行攻击链，可导致未经授权访问本地SharePoint服务器。微软指出中国黑客组织利用这些漏洞自7月7日起攻击本地SharePoint服务器。

2025年5月，Creams Cafe泄露约16万条客户数据，包括邮件、地址、姓名和电话号码。Creams Cafe未回应此事件，但HIBP用户确认数据真实有效。

一项新的CVE漏洞显示，软件定义无线电可远程发送刹车指令至列车尾部无线控制盒。研究员Neil Smith花费12年时间披露此问题，但美国铁路协会未重视。该漏洞可能导致列车意外制动甚至脱轨。目前尚未修复，铁路协会计划于2027年前采用新标准替换现有系统。

Brave浏览器为保护隐私，默认屏蔽Windows 11的Recall功能，通过将正常窗口设为隐身模式阻止截图。用户可自行选择启用该功能。当前Recall处于预览阶段。

英伟达宣布其CUDA软件平台将支持RISC-V架构，推动该开源指令集在数据中心的应用。在2025年中国RISC-V峰会上，英伟达展示GPU与RISC-V CPU协同工作的配置，并计划构建异构计算平台。

Был дом с кондиционером — стал «наркопритоном».

Fraud is growing faster than revenue in eCommerce. That’s one of the first things PwC and Forter point out in their new report, and it’s a wake-up call for online retailers. Fraud is rising faster than ever Right now, eCommerce leaders are dealing with a mix of challenges: economic ups and downs, political uncertainty, more cyber threats, and new fraud rules kicking in on 1st September. The report focuses on what’s happening outside the business. … More →

The post The fraud trends shaping 2025: Pressure builds on online retailers appeared first on Help Net Security.

​​AI大模型“善恶人格”已被开启？张谧教授受邀解读背后原理，分享安全治理新方向。

研究人员发现一种新型点击劫持技术TapTrap，可利用Android动画功能绕过权限系统，在用户不知情下启动敏感操作或窃取数据。76%的应用易受攻击，且问题在Android 15和16中仍未修复。