Aggregator
[梆梆安全 Monitoring] Security and Privacy Compliance Regulatory Trends and Vulnerability Risk Report (0817-0830)
● Latest regulatory developments
Regulatory notification developments
● Regulatory support summary
梆梆安全 regulatory support data
National regulatory data analysis
● Vulnerability risk analysis
Share analysis by vulnerability type
Analysis of app types with vulnerabilities
01 Latest regulatory developments
1. Regulatory notification developments
On August 21, the Shanghai Communications Administration, in accordance with relevant laws and regulations, continued its special rectification campaign on mobile internet application privacy compliance and network data security. In July, the Shanghai Communications Administration had publicly listed 162 apps that infringed users' rights and interests; on re-inspection, 58 mobile internet applications had still not been rectified or had been rectified inadequately, and they are now being removed from the mainstream app stores nationwide.
On August 25, the Network Security Notification Center, in accordance with relevant laws and regulations, detected 38 mobile applications collecting and using personal information in violation of laws and regulations. Of the 33 non-compliant mobile applications reported in the previous notification, 5 still had problems on re-testing, and the relevant mobile application distribution platforms have removed them.
On August 29, the Zhejiang Communications Administration, in accordance with relevant laws and regulations, continued its series of special actions on personal information protection. To date, 14 apps have still not completed rectification; the developers and operators of these apps must complete rectification within the set deadline, and those that fail to do so will be dealt with by the Zhejiang Communications Administration according to laws and regulations.
On August 29, the Chongqing Communications Administration, in accordance with relevant laws and regulations, continued its series of special actions on personal information protection. To date, 14 apps have still not completed rectification; the developers and operators of these apps must complete rectification within the set deadline, and those that fail to do so will be dealt with by the Chongqing Communications Administration according to laws and regulations.
02 Regulatory support summary
1. 梆梆安全 regulatory support data
Based on the apps found to have privacy compliance problems during regulatory support work over the past two weeks, the findings are presented in two respects: app industry category and the top three problem types.
1) Top 5 problem industries:
Online games, utility tools, local life services, online shopping, food delivery
2) Top 3 privacy compliance problems:
TOP1: Identification Method 2-1: failing to list one by one the purposes, methods and scope of the personal information collected and used by the app (including entrusted third parties or embedded third-party code and plug-ins);
TOP2: Identification Method 3-3: the personal information actually collected, or the permissions enabled that can collect personal information, exceed the scope authorized by the user;
TOP3: Identification Method 3-9: collecting and using personal information in violation of the app's own declared collection and use rules.
2. National regulatory data analysis
Based on national regulatory notifications over the past two weeks, the number of apps involved by problem type is as follows:
Problem category: number of apps
191-3 Collecting and using personal information without user consent: 32
191-2 Not clearly stating the purpose, method and scope of collecting and using personal information: 31
164-1 Collecting personal information in violation of regulations: 18
164-5 App forcibly, frequently or excessively requesting permissions: 15
164-2 Collecting personal information beyond the permitted scope: 6
191-6 Not providing the function to delete or correct personal information as required by law, or not publishing complaint and reporting channels: 5
191-1 Not making the collection and use rules public: 2
191-4 Violating the necessity principle by collecting personal information unrelated to the services provided: 1
Total: 110
Based on national regulatory notifications over the past two weeks, the number of reported apps by app type is as follows:
App type: number of apps
Utility tools: 20
Local life services: 15
Job recruitment: 15
Online games: 3
E-books: 2
Other: 2
Online shopping: 2
Learning and education: 2
Online video and audio: 2
Instant messaging: 1
Investment and wealth management: 1
Car services: 1
Total: 66
03 Vulnerability risk analysis
A random sample of 3,082 Android apps from across the country was scanned for vulnerabilities; 2,399 of them were found to have medium- or high-risk vulnerabilities, meaning that 77.84% or more of apps carry medium- or high-risk vulnerability exposure. Of these 2,399 vulnerable apps, 1,790 (74.61%) have high-risk vulnerabilities and 2,345 (97.75%) have medium-risk vulnerabilities (a single app may have vulnerabilities at more than one risk level). The proportion of apps with vulnerabilities at each risk level is as follows:
Share analysis by vulnerability type
Counting by vulnerability type, the three most common medium/high-risk vulnerability types in apps are Java code decompilation risk, HTTPS hostname verification failure, and dynamically registered Receiver risk. The proportion of each vulnerability type is shown in the figure below:
Analysis of app types with vulnerabilities
By app type, utility tool apps have the most vulnerability exposure, accounting for 21.35% of all vulnerable apps, followed by education and learning apps at 12.93% and news and reading apps in third place at 8.38%. The ten app types with the most vulnerabilities are shown in the figure below:
NCA Singles Out “The Com” as it Chairs Five Eyes Group
Lessons Learned from Massive npm Supply Chain Attack Using “Shai-Hulud” Self-Replicating Malware
The JavaScript ecosystem experienced one of its most sophisticated and damaging supply chain attacks in September 2025, when a novel self-replicating worm dubbed “Shai-Hulud” compromised over 477 npm packages, marking the first successful automated propagation campaign in the npm registry’s history. This attack represents a significant evolution in supply chain threats, leveraging both social engineering and […]
The post Lessons Learned from Massive npm Supply Chain Attack Using “Shai-Hulud” Self-Replicating Malware appeared first on Cyber Security News.
Beware of Typosquatted Malicious PyPI Packages That Deliver SilentSync RAT
Python developers face a growing threat from typosquatted packages in the Python Package Index (PyPI), with malicious actors increasingly targeting this trusted repository to distribute sophisticated malware. Recent discoveries have exposed a concerning trend where threat actors create packages that closely mimic legitimate libraries, using slight spelling variations to trick unsuspecting developers into installing harmful […]
The post Beware of Typosquatted Malicious PyPI Packages That Deliver SilentSync RAT appeared first on Cyber Security News.
PureVPN Vulnerability Reveals IPv6 Address While Reconnecting to Wi-Fi
A critical security vulnerability has been discovered in PureVPN’s Linux clients that exposes users’ real IPv6 addresses during network reconnections, undermining the privacy protections that users expect from their VPN service. The vulnerability affects both the graphical user interface (GUI version 2.10.0) and command-line interface (CLI version 2.0.1) on Linux systems, specifically tested on Ubuntu […]
The post PureVPN Vulnerability Reveals IPv6 Address While Reconnecting to Wi-Fi appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
One 0-day gives full control in Chrome. One click is your salvation. Google has released urgent browser updates
The golden age of television may be over
Gurucul’s AI-IRM accelerates insider risk detection
Gurucul released its AI Insider Risk Management (AI-IRM) product, which extends autonomous triage, bias-free risk scoring, context-rich investigation, and human-AI collaboration to automate response workflows directly within insider risk operations. Organizations face a rise in insider threats, from employees, contractors and third parties to non-human accounts and AI agents. According to Cybersecurity Insiders’ 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the past year. Until now, teams struggled with … More →
The post Gurucul’s AI-IRM accelerates insider risk detection appeared first on Help Net Security.
WatchGuard warns of critical vulnerability in Firebox firewalls
Raven Stealer Attacking Google Chrome Users to Steal Sensitive Data
Raven Stealer has emerged as a potent information‐stealing threat targeting users of Chromium‐based browsers, most notably Google Chrome. First observed in mid-2025, this lightweight malware distinguishes itself through a modular architecture and stealthy design, allowing it to harvest sensitive information without alerting victims. Delivered predominantly via cracked software bundles and underground forums, Raven Stealer capitalizes […]
The post Raven Stealer Attacking Google Chrome Users to Steal Sensitive Data appeared first on Cyber Security News.
QuProtect R3 provides encryption visibility across systems
QuSecure launched QuProtect R3, an integrated, production-ready PQC platform designed to simplify encryption modernization for everyone. With the platform’s Reconnaissance innovation, a complimentary module for qualified companies, QuProtect R3 delivers visibility into vulnerable encryption across modern, legacy and cloud systems. Security teams that once spent months and millions compiling a cryptographic bill of materials (CBOM) can now discover their encryption landscape in days, prioritize the highest-risk systems and act without disrupting operations. “Henry Ford, the … More →
The post QuProtect R3 provides encryption visibility across systems appeared first on Help Net Security.
Jenkins Patches Multiple Vulnerabilities that Allow Attackers to Cause a Denial of Service
Jenkins has released critical updates addressing four security flaws that unauthenticated and low-privileged attackers could exploit to disrupt service or glean sensitive configuration details. Administrators running Jenkins weekly releases up to 2.527 or the Long-Term Support (LTS) stream up to 2.516.2 must upgrade to mitigate these risks. HTTP/2 Denial of Service (CVE-2025-5115) A high-severity issue […]
The post Jenkins Patches Multiple Vulnerabilities that Allow Attackers to Cause a Denial of Service appeared first on Cyber Security News.
[Reproduced] Chaos-Mesh command injection vulnerability risk advisory
Qantas cuts CEO bonus over cybersecurity incident: when does security become a business matter?
TP-Link Router Zero-Day Lets Attackers Execute Code by Bypassing ASLR
Researchers have uncovered a zero-day vulnerability in TP-Link routers that allows attackers to bypass Address Space Layout Randomization (ASLR) and execute arbitrary code remotely. Tracked as CVE-2025-9961, this flaw resides in the CWMP (TR-069) binary and can be triggered through malformed SOAP requests, granting full control of affected devices. A detailed technical walkthrough of discovery, […]
The post TP-Link Router Zero-Day Lets Attackers Execute Code by Bypassing ASLR appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Vulnerability Alert | Flowise arbitrary file read vulnerability
Flowise recently released an update fixing a high-risk vulnerability that allows an attacker to read arbitrary files on the server. You are advised to carry out a security risk self-check promptly.
Flowise is an open-source, visual LLM application building platform built for LangChain.js. It supports rapidly building chatbots, question-answering systems, embedded AI services and more by dragging and dropping components. It greatly lowers the barrier to building LLM applications and suits developers, data scientists and product teams for prototyping and deployment.
According to the description, Flowise has a critical arbitrary file read vulnerability. An attacker can reach the following two API endpoints without authorization:
/api/v1/get-upload-file
/api/v1/openai-assistants-file/download
By crafting a malicious chatId parameter (such as ../../), the attacker can bypass the path validation and read arbitrary local files on the server. In a default deployment, /root/.flowise/database.sqlite can be read directly; it contains the entire database, including API keys, user data and other sensitive information. The vulnerability abuses the fallback path logic: when the file is not found, the code strips the orgId and re-joins the path, which bypasses the original directory restriction check.
Affected products and versions:
Flowise <= 3.0.5
2. Asset mapping
According to daydaymap data, there are 5,587 such assets exposed on the internet; the distribution of at-risk assets is as follows.
3. Vulnerability reproduction
4. Remediation
▪ Temporary mitigations
Restrict public access to the affected API endpoints; access control via a firewall or gateway is recommended.
Audit historical access logs for abnormal file read activity.
Rotate API keys if the database is suspected to have been read.
Enable a web application firewall (WAF) to block path traversal requests.
▪ Upgrade fix
Upgrade Flowise to v3.0.6 or later immediately.
5. Reference links
https://github.com/advisories/GHSA-99pg-hqvx-r4gf
https://www.ddpoc.com/DVB-2025-10219.htm
DruAI Agents and MetaGraph deliver real-time data intelligence
Druva released Dru MetaGraph, a secure, tenant-specific, graph-powered foundation for real-time data intelligence, and two new DruAI Agents: Insights Agent and Lifecycle Agent. Together, these innovations can help customers uncover insights near-instantly, simplify decision-making, and act across cyber, compliance, and operational workflows. Historically, backup intelligence has been limited to static dashboards and siloed reports, putting the burden on teams to piece together insights across multiple tools or wait for days or weeks until data analysts … More →
The post DruAI Agents and MetaGraph deliver real-time data intelligence appeared first on Help Net Security.
[Reproduced] 用友 (Yonyou) U8 Cloud IPFxxFileService arbitrary file upload vulnerability security advisory
Critical WatchGuard Vulnerability Lets Unauthenticated Attackers Run Arbitrary Code
WatchGuard released an advisory detailing a critical vulnerability in its Firebox line of network security appliances. Tracked as CVE-2025-9242, the flaw resides in the iked component of WatchGuard’s Fireware OS. An out-of-bounds write in the IKEv2 handling routine can allow a remote, unauthenticated attacker to execute arbitrary code on affected devices. Overview of the Vulnerability […]
The post Critical WatchGuard Vulnerability Lets Unauthenticated Attackers Run Arbitrary Code appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.