Vulnerabilities
- Researchers find HTTP/2 flaw that can trigger rapid denial of service on major servers
  Researchers say a new HTTP/2 denial-of-service flaw can hit major web servers, including NGINX, Apache HTTPD and Microsoft IIS. The issue can rapidly exhaust memory and may be difficult to block in default configurations.
- Critical Kirki flaw lets attackers take over WordPress admin accounts
  Hackers are exploiting a critical flaw in the Kirki WordPress plugin to hijack user accounts, including admins, with more than 222 attack attempts blocked in 24 hours, according to Wordfence.
- WordPress WP Maps Pro flaw under active attack, 2,858 attempts blocked
  A critical WP Maps Pro flaw is being actively exploited to create WordPress administrator accounts, with Wordfence blocking 2,858 attacks in 24 hours. The issue affects versions through 6.1.0 and was fixed in 6.1.1.
- Palo Alto PAN-OS flaw under active exploitation as limited attacks reported
  Palo Alto Networks said an authentication bypass in PAN-OS and Prisma Access is under active exploitation, with limited attempts seen against unpatched devices. The flaw can let attackers establish unauthorized VPN connections.
- ChatGPhish flaw can turn ChatGPT summaries into phishing lures
  Researchers disclosed ChatGPhish, a ChatGPT flaw that can render malicious links, images and QR codes inside summaries of web pages. The technique may leak browser details and create a new phishing surface during normal browsing.
- US watchdog cites NIST for mismanaging vulnerability database, duplicate work
  A Commerce inspector general report said NIST mismanaged the National Vulnerability Database, leaving a backlog of more than 27,000 unprocessed flaws and duplicating work with CISA. The agency agreed to fix six problems.
- Attackers use AI agent after Marimo flaw to raid internal database
  An unknown threat actor used an LLM agent after exploiting a Marimo vulnerability to steal cloud credentials, retrieve an SSH key and exfiltrate an internal PostgreSQL database, according to a technical analysis from Sysdig.
- Critical Gogs flaw can let authenticated users run code on servers
  A critical, unpatched flaw in Gogs can let authenticated users run arbitrary code on affected servers under certain conditions, with Rapid7 rating the issue 9.4 on the CVSS scale and reporting no CVE yet.
- Threat actors abuse patched FortiClient EMS flaw to push credential stealer
  Threat actors are exploiting a patched FortiClient EMS flaw to push a credential stealer disguised as a Fortinet update, according to a technical analysis from Arctic Wolf. The campaign affects managed endpoints and can expose browser data, cookies and saved credentials.
- Microsoft urges coordinated disclosure after public zero-day releases
  Microsoft said public disclosure of six Windows zero-days without prior notice put customers at risk, after exploit details surfaced over the past month and three of the flaws were later used in active attacks.