Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 7 Posts
  • 26 Interactions

Fediverse

watchTowr has an even better write-up on CVE-2025-25257 in Fortinet FortiWeb.

labs.watchtowr.com/pre-auth-sq

  • 1
  • 2
  • 18 hours ago

🚨 Critical alert: A pre-auth RCE exploit (CVE-2025-25257) targeting Fortinet FortiWeb is now public. Patch to 7.6.4+/7.4.8+ immediately or disable HTTP admin interfaces. Unpatched systems are at high risk. Details: redteamnews.com/red-team/cve/c

  • 1
  • 0
  • 10 hours ago

Critical SQL Injection Flaw in FortiWeb: Urgent Patch Required

Fortinet's Latest Security Challenge

Fortinet has disclosed a critical SQL injection vulnerability affecting its FortiWeb product, posing a significant risk to unpatched systems. The flaw, identified as CVE-2025-25257, carries a CVSS severity score of 9.6/10, making it one of the most serious vulnerabilities reported this year. This vulnerability allows unauthenticated attackers to execute arbitrary SQL…

undercodenews.com/critical-sql

  • 0
  • 0
  • 12 hours ago

Overview

  • NetScaler
  • ADC

17 Jun 2025
Published
12 Jul 2025
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
49.70%

Description

Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

Statistics

  • 8 Posts
  • 50 Interactions

Fediverse


In a rare move, CISA gave federal agencies just one day to patch Citrix Netscaler bug CVE-2025-5777

Patch ASAP #CitrixBleed2 #2Citrix2Bloody

therecord.media/cisa-orders-ag

  • 7
  • 6
  • 15 hours ago

If you ask Citrix support for IOCs for CVE-2025-5777 and they send you a script to run that looks for .php files - they’ve sent you an unrelated script, which has nothing to do with session hijacking or memory overread.

  • 6
  • 14
  • 13 hours ago

Critical Flaw in Citrix NetScaler Exposes Enterprise Systems to Potential Exploits

Enterprises at Risk: A New Security Flaw Uncovered in Citrix NetScaler

A dangerous new vulnerability has surfaced, targeting one of the most trusted tools in enterprise cybersecurity—Citrix NetScaler. Identified as CVE-2025-5777, this flaw compromises the integrity of Citrix NetScaler ADC and Gateway devices, platforms widely used for secure remote access and authentication services.…

undercodenews.com/critical-fla

  • 0
  • 1
  • 20 hours ago

CitrixBleed 2: A Critical Threat Returns with CVE-2025-5777

A New Exploit Echoes an Old Danger

In a major alert that echoes past cybersecurity alarms, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly discovered vulnerability in Citrix NetScaler systems—CVE-2025-5777, nicknamed CitrixBleed 2—to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, with a CVSS v4.0 Base Score of 9.3, is considered critical, enabling…

undercodenews.com/citrixbleed-

  • 0
  • 0
  • 21 hours ago

This Week in Security: Bitchat, CitrixBleed Part 2, Opossum, and TSAs

@jack is back with a weekend project. Yes, that Jack. [Jack Dorsey] spent last weekend learning about Bluetooth meshing, and built Bitchat, a BLE mesh encrypted messaging application. It uses X25519 for key exchange, and AES-GCM for message encryption. [Alex Radocea] took a look at the current state of the project, suspects it was vibe coded, and points out a glaring problem with the cryptography.

So let’s take a quick look at the authentication and encryption layer of Bitchat. The whitepaper is useful, but still leaves out some of the important details, like how the identity key is tied to the encryption keys. The problem here is that it isn’t.

Bitchat has, by necessity, a trust-on-first-use authentication model. There is intentionally no central authentication authority to verify the keys of any given user, and the application hasn’t yet added an out-of-band authentication method, like scanning QR codes. Instead, it has a favorites system, where the user can mark a remote user as a favorite, and the app saves those keys forever. There isn’t necessarily anything wrong with this approach, especially if users understand the limitations.

The other quirk is that Bitchat uses ephemeral keys for each chat session, in an effort to have some forward secrecy. In modern protocols, it’s desirable to have some protection against a single compromised encryption key exposing all the messages in the chain. It appears that Bitchat accomplishes this by generating dedicated encryption keys for each new chat session. But those ephemeral keys aren’t properly verified. In fact, they aren’t verified by a user’s identity key at all!

The attack, then, is to send a private message to another user, present the public key of whoever you’re trying to impersonate, and include new ephemeral encryption keys. Even if your target has this remote user marked as a favorite, the new encryption keys are trusted. So the victim thinks this is a conversation with a trusted person, and it’s actually a conversation with an attacker. Not great.

Now when you read the write-up, you’ll notice it ends with [Alex] opening an issue on the Bitchat GitHub repository, asking how to do security reports. The issue was closed without comment, and that’s about the end of the write-up. It is worth pointing out that the issue has been re-opened, and updated with some guidance on how to report flaws.

Post-Quantum Scanning
There’s a deadline coming. Depending on where you land on the quantum computing skepticism scale, it’s either the end of cryptography as we know it, or a pipe dream that’s always going to be about 10 years away. My suspicion happens to be that keeping qubits in sync is a hard problem in much the same way that factoring large numbers is a hard problem. But I don’t recommend basing your cryptography on that hunch.

Governments around the world are less skeptical of the quantum computer future, and have set specific deadlines to migrate away from quantum-vulnerable algorithms. The issue here is that finding all those uses of “vulnerable” algorithms is quite the challenge. TLS, SSH, and many more protocols support a wide range of cryptography schemes, and only a few are considered Post Quantum Cryptography (PQC).

Anvil Secure has seen this issue, and released an Open Source tool to help. Pqcscan is a simple idea: Scan a list of targets and collect their supported cryptography via an SSH and TLS scan. At the end, the tool generates a simple report of how many of the endpoints support PQC. This sort of compliance is usually no fun, but having some decent tools certainly helps.

Citrixbleed 2
Citrix devices have a problem. Again. The nickname for this particular issue is CitrixBleed 2, which hearkens all the way back to Heartbleed. The “bleed” here refers to an attack that leaks little bits of memory to attackers. We know that it’s related to an endpoint called doAuthentication.do.

The folks at Horizon3 have a bit more detail, and it’s a memory management issue, where structures are left pointing to arbitrary memory locations. The important thing is that when an incomplete login message is received, the code leaks 127 bytes of memory at a time.

What makes this vulnerability particularly bad is that Citrix didn’t share any signs of attempted exploitation. Researchers have evidence of this vulnerability being used in the wild back to July 1st. That’s particularly a problem because the memory leak is capable of revealing session keys, allowing for further exploitation. Amazingly, in an email with Ars Technica, Citrix still refused to admit that the flaw was being used in the wild.

Opossum
We have a new TLS attack, and it’s a really interesting approach. The Opossum Attack is a Man in the Middle (MitM) attack that takes advantage of opportunistic TLS. This TLS upgrade approach isn’t widely seen outside of something like email protocols, where the StartTLS command is used. The important point here is that these connections allow a connection to be initiated using the plaintext protocol, and then upgrade to a TLS protocol.

The Opossum attack happens when an attacker in a MitM position intercepts a new TCP connection bound for a TLS-only port. The attacker then initiates a plaintext connection to that remote resource, using the opportunistic port. The attacker can then issue the command to start a TLS upgrade, and like an old-time telephone operator, patch the victim through to the opportunistic port with the session already in progress.

The good news is that this attack doesn’t result in encryption compromise. The basic guarantees of TLS remain. The problem is that there is now a mismatch between exactly how the server and client expect the connection to behave. There is also some opportunity for the attacker to poison that connection before the TLS upgrade takes place.

TSAs
AMD has announced yet another new Transient Execution attack, the Transient Scheduler Attack. The AMD PDF has a bit of information about this new approach. The newly discovered leak primitive is the timing of CPU instructions, as instruction load timings may be affected by speculative execution.

The mitigation for this attack is similar to others. AMD recommends running the VERW instruction when transitioning between Kernel and user code. The information leakage is not between threads, and so far appears to be inaccessible from within a web browser, cutting down the real-world exploitability of this new speculative execution attack significantly.

Bits and Bytes
The majority of McDonald’s franchises use the McHire platform for hiring employees, because of course it’s called “McHire”. This platform uses AI to help applicants work through the application process, but the issues found weren’t prompt injection or anything to do with AI. In this case, it was a simple default username and password 123456:123456 that gave access to a test instance of the platform. No real personal data, but plenty of clues to how the system worked: an accessible API used a simple incrementing ID, and no authentication to protect data. So step backwards through all 64 million applications, and all that entered data was available to peruse. Yikes! The test credentials were pulled less than two hours after disclosure, which is an impressive turn-around to fix.

When you’ve been hit by a ransomware attack, it may seem like the criminals on the other side are untouchable. But once again, international law enforcement have made arrests of high-profile ransomware gangs. This time it’s members of Scattered Spider that were arrested in the UK.

And finally, the MCP protocol is once again making security news. As quickly as the world of AI is changing, it’s not terribly surprising that bugs and vulnerabilities are being discovered in this very new code. This time it’s mcp-remote, which can be coerced to run arbitrary code when connecting to a malicious MCP server. Connect to server, pop calc.exe. Done.

hackaday.com/2025/07/11/this-w…

  • 0
  • 0
  • 16 hours ago

CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch

The U.S. Cybersecurity & Infrastructure Security Agency has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and is giving federal agencies one day to apply fixes. [...]

bleepingcomputer.com/news/secu

  • 0
  • 0
  • 15 hours ago

Critical CVE-2025-5777 Vulnerability in Citrix NetScaler ADC: What It Means for Your Security Posture

A New Threat Emerges in Enterprise VPN Infrastructure

A newly disclosed security vulnerability, CVE-2025-5777, has sent waves through the cybersecurity landscape, especially among enterprises using Citrix NetScaler ADC and Gateway products. This flaw exposes organizations to serious risks tied to remote access and authentication tools, which are often at the core of…

undercodenews.com/critical-cve

  • 0
  • 0
  • 12 hours ago

Overview

  • Sudo project
  • Sudo

30 Jun 2025
Published
09 Jul 2025
Updated

CVSS v3.1
CRITICAL (9.3)
EPSS
0.32%

KEV

Description

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

Statistics

  • 2 Posts
  • 16 Interactions

Fediverse


Just published a proof-of-concept exploit for CVE-2025-32463, a new Linux privilege escalation vulnerability affecting sudo discovered and disclosed by Stratascale about 2 weeks ago.

The PoC is available on GitHub. A full technical writeup will be published on my blog soon.

GitHub: github.com/morgenm/sudo-chroot

  • 7
  • 8
  • 10 hours ago

Overview

  • ServiceNow
  • Now Platform

08 Jul 2025
Published
08 Jul 2025
Updated

CVSS v4.0
HIGH (8.2)
EPSS
0.04%

KEV

Description

A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them. To assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs. Additionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations. Customers, please review the KB Articles in the References section.

Statistics

  • 2 Posts
  • 2 Interactions

Fediverse


Security experts warn: the new "Count(er) Strike" flaw (CVE-2025-3648) in #ServiceNow could let even low-privileged or anonymous users infer and steal sensitive table data 😱🔓. 85% of Fortune 500 firms may be at risk. Patch now & review your ACLs! Read more 👉 techradar.com/pro/security/wor #cybersecurity #infosec #newz

  • 1
  • 0
  • 23 hours ago

ServiceNow Flaw CVE-2025-3648 Could Lead to Data Exposure via Misconfigured ACLs thehackernews.com/2025/07/serv

  • 1
  • 0
  • Last hour

Overview

  • Juniper Networks
  • Juniper Security Director

11 Jul 2025
Published
12 Jul 2025
Updated

CVSS v3.1
CRITICAL (9.6)
EPSS
Pending

KEV

Description

A Missing Authorization vulnerability in Juniper Networks Security Director allows an unauthenticated network-based attacker to read or tamper with multiple sensitive resources via the web interface. Numerous endpoints on the Juniper Security Director appliance do not validate authorization and will deliver information to the caller that is outside their authorization level. An attacker can access data that is outside the user's authorization level. The information obtained can be used to gain access to additional information or perpetrate other attacks, impacting downstream managed devices. This issue affects Security Director version 24.4.1.

Statistics

  • 2 Posts

Fediverse


🚨 CVE-2025-52950 (CRITICAL, CVSS 9.6): Juniper Security Director 24.4.1 has a missing authorization flaw letting unauthenticated attackers read/tamper with sensitive resources via the web UI. Patch ASAP, restrict access, and monitor logs! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 2 hours ago

Overview

  • Axis Communications AB
  • AXIS Camera Station Pro

11 Jul 2025
Published
11 Jul 2025
Updated

CVSS v3.1
CRITICAL (9.0)
EPSS
0.66%

KEV

Description

The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote code execution attack.

Statistics

  • 2 Posts
  • 1 Interaction

Fediverse


CRITICAL: CVE-2025-30023 in AXIS Camera Station Pro (<6.9) allows authenticated RCE via deserialization flaw (CWE-502). Upgrade to 6.9+ ASAP! Restrict access & monitor logs. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 21 hours ago

Axis published some interesting advisories.

Here's a sev:CRIT post-auth RCE:

axis.com/dam/public/9b/a5/72/c

and an LPE:

axis.com/dam/public/40/0e/03/c

But since those are post-auth, you first need access, right? Well you're in luck because here's an auth bypass:

axis.com/dam/public/a3/42/92/c

And an AitM attack that the description is vague on:

axis.com/dam/public/01/d9/24/c

No PoCs here but they were reported by Team82 so maybe there will be a write-up soon.

  • 1
  • 0
  • 18 hours ago

Overview

  • Pending

11 Jul 2025
Published
11 Jul 2025
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe.

Statistics

  • 1 Post
  • 3 Interactions

Fediverse


SSRF in JGM Pandoc.

github.com/jgm/pandoc/issues/1

A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe.

cve.org/CVERecord?id=CVE-2025-

  • 1
  • 2
  • 16 hours ago

Overview

  • Meta Platforms, Inc
  • ExecuTorch

11 Jul 2025
Published
11 Jul 2025
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f

Statistics

  • 1 Post
  • 2 Interactions

Fediverse


A Friday advisory from Facebook? Nice.

facebook.com/security/advisori

Description: A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f

  • 1
  • 1
  • 11 hours ago

Overview

  • Facebook
  • mvfst

11 Jul 2025
Published
11 Jul 2025
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

A heap-buffer-overflow vulnerability is possible in mvfst via a specially crafted message during a QUIC session. This issue affects mvfst versions prior to v2025.07.07.00.

Statistics

  • 1 Post
  • 2 Interactions

Fediverse


And another one.

facebook.com/security/advisori

A heap-buffer-overflow vulnerability is possible in mvfst via a specially crafted message during a QUIC session. This issue affects mvfst versions prior to v2025.07.07.00.

  • 1
  • 1
  • 11 hours ago

Overview

  • GNU
  • Tar

11 Jul 2025
Published
11 Jul 2025
Updated

CVSS v3.1
MEDIUM (4.1)
EPSS
Pending

KEV

Description

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages).

Statistics

  • 1 Post
  • 2 Interactions

Fediverse


sev:MED 4.1 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal.

cve.org/CVERecord?id=CVE-2025-

  • 1
  • 1
  • 13 hours ago
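
The two-step traversal in the GNU Tar record above defeats a per-archive "member name contains '..'" check because the escape is split between a symlink's target in one archive and an innocent-looking name in the next. As an added example (not GNU tar's code and not from the post), the Python validator below resolves every member's path through symlinks recorded from earlier extractions into the same destination, and rejects a symlink whose target leaves the root; the `x -> ../../../../../home/victim/.ssh` / `x/authorized_keys` pair from the advisory and a benign `docs -> ./manual` pair are constructed in memory as inputs.

```python
import posixpath
from dataclasses import dataclass
from typing import Optional

@dataclass
class Member:
    name: str
    linkname: Optional[str] = None  # set only for symlink entries

def naive_check(member: Member) -> bool:
    """The single-archive rule the advisory says is bypassed: only the name is screened for '..'."""
    return ".." not in member.name.split("/")

class SymlinkAwareRoot:
    def __init__(self) -> None:
        # Virtual extraction root: normalised path -> link target for symlinks already written.
        self.symlinks: dict[str, str] = {}

    def resolve(self, path: str, depth: int = 0) -> Optional[str]:
        """Normalise `path`, stepping through recorded symlinks; None if it ever leaves the root."""
        if depth > 40:  # symlink loop
            return None
        parts: list[str] = []
        for comp in path.split("/"):
            if comp == "..":
                if not parts:
                    return None  # would climb above the root
                parts.pop()
            elif comp not in ("", "."):
                parts.append(comp)
                target = self.symlinks.get("/".join(parts))
                if target is not None:  # follow the link relative to its parent directory
                    hop = self.resolve(posixpath.join("/".join(parts[:-1]), target), depth + 1)
                    if hop is None:
                        return None
                    parts = hop.split("/") if hop else []
        return "/".join(parts)

    def check(self, member: Member) -> bool:
        """Accept only if the path (and a symlink's target) stays in the root; remember accepted symlinks."""
        dest = self.resolve(member.name)
        if dest is None:
            return False
        if member.linkname is not None:
            link = posixpath.join(posixpath.dirname(dest), member.linkname)
            if member.linkname.startswith("/") or self.resolve(link) is None:
                return False
            self.symlinks[dest] = member.linkname
        return True

# Constructed inputs: the advisory's two archives, plus a benign symlink pair.
FIRST = Member("x", linkname="../../../../../home/victim/.ssh")
SECOND = Member("x/authorized_keys")
BENIGN = [Member("docs", linkname="./manual"), Member("docs/README")]

def demo() -> dict[str, bool]:
    """The naive rule passes both archives; the symlink-aware root stops either step."""
    legacy = SymlinkAwareRoot()
    legacy.symlinks[FIRST.name] = FIRST.linkname  # model a symlink an unpatched tar already wrote
    return {
        "naive_accepts_both": naive_check(FIRST) and naive_check(SECOND),
        "hardened_rejects_symlink": not SymlinkAwareRoot().check(FIRST),
        "hardened_rejects_file_through_symlink": not legacy.check(SECOND),
        "benign_symlink_accepted": all(map(SymlinkAwareRoot().check, BENIGN)),
    }
```

The same `resolve` logic applies to a real extractor by recording each symlink member it writes and running `check` before every member, including across successive `tar xf` runs into one directory.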
Showing 1 to 10 of 38 CVEs