Aggregator

比尔·盖茨时隔两年半再度到访中国；iPhone 18 Pro 加入新配色；于东来宣布年后退休

1月│月报 谛听工控安全月报上线了，工信部的最新政策，1月发生的多起工控安全事件，谛听团队收集的最新攻击教据......更多安全资讯，请关注“谛听ditecting",每月更新!

构建全生命周期、系统性的安全围栏与安全评估能力

Recorded Future 年度威胁情报报告如期发布。

A vulnerability categorized as problematic has been discovered in Newgen OmniApp. The impacted element is an unknown function. Such manipulation leads to information disclosure. This vulnerability is uniquely identified as CVE-2025-69908. The attack can be launched remotely. No exploit exists.

A vulnerability categorized as critical has been discovered in Free5GC 1.4.0. Affected is the function AccessTokenScopeCheck of the file internal/sbi/processor/access_token.go. Executing a manipulation of the argument targetNF can lead to improper access controls. This vulnerability is handled as CVE-2025-66719. The attack can be executed remotely. There is not any exploit available. Applying a patch is advised to resolve this issue.

A vulnerability identified as critical has been detected in svenstaro miniserve 0.32.0. Affected by this vulnerability is an unknown functionality. The manipulation leads to symlink following. This vulnerability is uniquely identified as CVE-2025-67124. The attack can only be initiated within the local network. No exploit exists.

A vulnerability was found in Free5GC 1.4.0. It has been declared as problematic. This issue affects the function HandleDeletePoliciesPolAssoId of the file internal/sbi/processor/ampolicy.go. Such manipulation leads to null pointer dereference. This vulnerability is listed as CVE-2025-66720. The attack must be carried out from within the local network. There is no available exploit. A patch should be applied to remediate this issue.

A vulnerability, which was classified as critical, was found in chillzhuang SpringBlade 4.5.0. This vulnerability affects the function authRoutes. The manipulation results in improper access controls. This vulnerability was named CVE-2025-70983. The attack may be performed from remote. There is no available exploit.

A vulnerability categorized as critical has been discovered in Aptsys POS Platform Web Services Module up to 2025-05-28. This impacts an unknown function of the component Internal API. The manipulation results in improper authentication. This vulnerability is cataloged as CVE-2025-52024. The attack may be launched remotely. There is no exploit available.

A vulnerability described as critical has been identified in Aptsys gemscms POS Platform Backend up to 2025-05-28. This affects an unknown part of the component GetServiceByRestaurantID Endpoint. Executing a manipulation can lead to sql injection. This vulnerability appears as CVE-2025-52025. The attack may be performed from remote. There is no available exploit.

A vulnerability classified as problematic has been found in TeamViewer DEX Client up to 26.0 on Windows. This impacts an unknown function of the file NomadBranch.exe of the component Content Distribution Service. This manipulation causes out-of-bounds read. This vulnerability appears as CVE-2026-23568. The attacker needs to be present on the local network. There is no available exploit. It is recommended to upgrade the affected component.

A vulnerability was found in TeamViewer DEX Client up to 26.0 on Windows. It has been rated as critical. The affected element is an unknown function of the component RPC Handler. Performing a manipulation results in link following. This vulnerability is identified as CVE-2026-23563. The attack is only possible with local access. There is not any exploit available. Upgrading the affected component is advised.

A vulnerability labeled as problematic has been found in docopt.cpp 0.6.2. Affected by this issue is the function LeafPattern::match. The manipulation results in integer overflow. This vulnerability was named CVE-2025-67125. The attack needs to be approached within the local network. There is no available exploit.

伪装成漏洞检测工具样本分析

漏洞简介2.9.4 之前的 Chainlit 版本在 /project/element 更新流程中存在任意文件读取漏洞。认证客户端可以发送带有用户控制路径值的自定义元素，从而使服务器将引用的文件复制到攻击者的会话中。由此产生的元素标识符（chainlitKey）可以通过 /project/file/<chainlitKey> 检索文件内容，从而允许披露 Chainlit 服务可读取的任

vm2沙箱逃逸漏洞（CVE-2026-22709）

这款老设备它运行着一套老旧的 PHP 代码，此前团队已经过数次审计，我本人就热衷于在高难度的 Web 环境中挖掘漏洞。往往这种旧设备功能模块单一，即使存在漏洞也是复杂且隐蔽的，可能得将各类漏洞进行综合利用，才能完成一整条完整的漏洞利用链。

New Year CTF 2026 Writeup

国立研究開発法人情報通信研究機構（NICT）は、「NICTER観測レポート2025」を公開しました。NICTERプロジェクトの大規模サイバー攻撃観測網における2025年の観測結果をまとめています。