Google „Fast Pair“ ist Sicherheitsrisiko

Hier kann man wieder sehen, dass "Komfort" (oder was auch immer die Amerikaner dafür halten) ein natürlicher Feind der Sicherheit ist. Google hatte ein Verfahren namens Fast Pair ersonnen, das die Kopplung von Bluetooth (BT) Zubehörgeräten mit Android vereinfachen soll. Gut gedacht, schlecht gemacht. Forschende der Uni Leuven (Belgien) haben schon im vorigen Jahr eine Schwachstelle in dem System gefunden und vertraulich an Google gemeldet. Wann genau das war, ist nirgends dokumentiert. Die zugeordnete Fehlernummer CVE-2025-36911 muss (aus der Zahl zu schließen) ungefähr um die Jahresmitte vergeben worden sein.
Die Schwachstelle

https://www.pc-fluesterer.info/wordpress/2026/01/20/google-fast-pair-ist-sicherheitsrisiko/

#Empfehlung #Mobilfunk #Warnung #android #bluetooth #google #hersteller #sicherheit #vorbeugen

‼️WPair is a defensive security research tool that demonstrates the CVE-2025-36911 (eg WhisperPair) vulnerability in Google's Fast Pair protocol.

https://github.com/zalexdev/wpair-app

Features:

▪️BLE Scanner - Discovers Fast Pair devices broadcasting the 0xFE2C service UUID

▪️Vulnerability Tester - Non-invasive check if device is patched against CVE-2025-36911

▪️Exploit Demonstration - Full proof-of-concept for authorized security testing

▪️HFP Audio Access - Demonstrates microphone access post-exploitation

▪️Live Listening - Real-time audio streaming to phone speaker

▪️Recording - Save captured audio as M4A files

🔴 CVE-2025-14533 - Critical (9.8)

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-14533/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

‼️CVE-2025-14533: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1, exposing 100,000 sites.

CVSS: 9.8
CVE Published: January 20th, 2026
Bounty: $975.00

Advisory: https://github.com/advisories/GHSA-jm76-5g2j-p4hp

Writeup: https://www.wordfence.com/blog/2026/01/100000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-advanced-custom-fields-extended-wordpress-plugin/

Description: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.

2026-01-19 (Monday): Catching up on two infections in my lab from last week, and I added an entry with a #pcap of scans and probes and web traffic hitting my web server.

I attempted to set up MongoDB on my server to detect any "MongoBleed" CVE-2025-14847 activity, but I was unable to configure the server properly.

I opened TCP port 27017 on my Apache web server, and I'm only receiving web scans/probes on that port.

Feel free to check out my latest posts at https://www.malware-traffic-analysis.net/2026/index.html

Or not. I'm not your parent. I can't tell you what to do.

Heads up for my fellow Red Hat Enterprise Linux (RHEL) 10 users:

Important: kernel security update

kernel: libceph: fix potential use-after-free in have_mon_and_osd_map() (CVE-2025-68285)

So do your `dnf update` ASAP :)

More details: https://access.redhat.com/errata/RHSA-2026:0786

#SelfHost #Security #CVE2025_68285 @homelab

Eine kritische Sicherheitslücke CVE-2026-0629 erlaubt es Angreifern, Admin-Zugriff auf zahlreiche #TPLink Vigi-Überwachungskameras per Fernzugriff zu erlangen. https://www.golem.de/specials/tp-link/

🟠 CVE-2026-0899 - High (8.8)

Out of bounds memory access in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-0899/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

#OT #Advisory VDE-2025-106
Beckhoff: XSS Vulnerability in TwinCAT 3 HMI Server

On an instance of TwinCAT 3 HMI Server running on a device an authenticated administrator can inject arbitrary content into the custom CSS field which is persisted on the device and later returned via the login page and error page.
#CVE CVE-2025-41768

https://certvde.com/en/advisories/vde-2025-106/

#CSAF https://beckhoff.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2025-106.json

This looks to be Hajime only going after Mikrotik routers in some scanner's inventory. Highly targeted (only hitting our Mikrotiks), low and slow over time.

Definitely coming from a wide array of other compromised edge devices.

https://viz.greynoise.io/tags/mikrotik-routeros-rce-cve-2017-20149-attempt?days=90

🔴 CVE-2026-0907 - Critical (9.8)

Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-0907/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

🔴 CVE-2026-0610 - Critical (9.8)

SQL Injection vulnerability in remote-sessions in Devolutions Server.This issue affects Devolutions Server 2025.3.1 through 2025.3.12

🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-0610/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack