Aggregator
Regulations on the Administration of Commercial Cryptography Use in Critical Information Infrastructure
Chinese Hackers Actively Exploiting SharePoint Servers 0-Day Flaw in the Wild
Microsoft has confirmed that Chinese state-sponsored threat actors are actively exploiting critical zero-day vulnerabilities in on-premises SharePoint servers, prompting urgent security warnings for organizations worldwide. The tech giant’s Security Response Center reported coordinated attacks targeting internet-facing SharePoint installations using newly disclosed vulnerabilities that enable authentication bypass and remote code execution. Key Takeaways: 1. CVE-2025-53770/53771 in on-premises […]
The post Chinese Hackers Actively Exploiting SharePoint Servers 0-Day Flaw in the Wild appeared first on Cyber Security News.
Oracle's cloud mega-customer turns out to be OpenAI, paying $30 billion a year for cloud infrastructure
Cervantes: Open-source, collaborative platform for pentesters and red teams
Cervantes is an open-source collaborative platform built for pentesters and red teams. It offers a centralized workspace to manage projects, clients, vulnerabilities, and reports, all in one place. By streamlining data organization and team coordination, it helps reduce the time and complexity involved in planning and executing penetration tests. As an open-source solution under the OWASP umbrella, it understands the specific needs of penetration testers from managing targets to organizing vulnerabilities, proof-of-concepts and remediation recommendations. …
The post Cervantes: Open-source, collaborative platform for pentesters and red teams appeared first on Help Net Security.
The State Duma has stripped scammers of their favorite trick. A new law turns a SIM with stolen money into a dead number
AI for everything! QNAP launches an external edge AI accelerator for NAS offering 3 TOPS of compute
Coyote in the Wild: First-Ever Malware That Abuses UI Automation
JVN: Multiple vulnerabilities in DuraComm SPM-500 DP-10iN-100-MU
JVN: Improper restriction of XML external entity reference (XXE) vulnerability in Lantronix Provisioning Manager
Phishing simulations: What works and what doesn’t
Phishing is one of the oldest and most effective techniques used by cybercriminals. No one is immune to it, not even internet security experts, as seen in the case of Troy Hunt, who recently fell for a phishing email. Before AI became mainstream, phishing emails often gave themselves away. They were full of grammar mistakes and awkward wording, making them easier to spot. That’s changed. Today’s phishing attacks are much more convincing, often looking just …
The post Phishing simulations: What works and what doesn’t appeared first on Help Net Security.
Identity Threats Target Small Businesses in MFA Workarounds
Cybercriminals are bypassing MFA using session tokens and rogue app access, with shadow workflows enabling persistent inbox theft against SMBs. Huntress offers behavioral training and managed identity response to SMBs for real protection, not just more alerts, says CEO Kyle Hanslovan.
Chinese Hackers' Evolution From Vandals to Strategists
There's a reason why many of the same tools appear time and time again in Chinese nation-state hacking: a first generation of hackers who grew up together online and continue to swap techniques to this day. A report shows the influence of the so-called "Red 40".
Another Medical Practice Closes Its Doors After Cyberattack
Another small medical care provider has shut its doors forever as the result of a recent "devastating" cyberattack. Georgia-based Alpha Wellness & Alpha Medical Centre has permanently pulled the plug on its operations following a data theft attack by cybercriminal gang RansomHub.
US Infrastructure Remains Vulnerable 15 Years After Stuxnet
Panelists told the House subcommittee on cybersecurity and infrastructure protection that U.S. critical infrastructure sectors have made few cyber improvements over the last 15 years despite fears of retaliation following digital and physical attacks on Iranian nuclear sites.