Overview

  • 7-Zip
  • 7-Zip

19 Nov 2025
Published
21 Nov 2025
Updated

CVSS v3.0
HIGH (7.0)
EPSS
0.34%

KEV

Description

7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753.

Statistics

  • 8 Posts
  • 2 Interactions

Last activity: 4 hours ago

Fediverse


🧩 3️⃣ Critical vulnerability in 7-Zip: hackers are exploiting it right now.

A serious flaw in the popular compression program 7-Zip (CVE-2025-11001) allows attackers to execute code remotely when a user extracts a malicious ZIP file.

The problem lies in how 7-Zip handles symbolic links (symlinks): a crafted ZIP can make the program access unintended folders and execute code with elevated permissions.

The vulnerability affects all versions prior to 25.00 (that is, versions in use from 21.02 through 24.09).

A public proof-of-concept (PoC) exploit already exists, which makes it easier for criminals to use it in real attacks.

Although 7-Zip released the patch in July 2025, many systems still have not been updated: the urgent recommendation is to update to version 25.00 or later as soon as possible.

🔒 Useful compression tool or entry point for malware?

#Privacidad #Ciberseguridad #7Zip #Vulnerabilidad #Actualiza

thehackernews.com/2025/11/hack

  • 1
  • 0
  • 0
  • 5h ago

Warning about a PoC exploit for a vulnerability in 7-Zip (CVE-2025-11001)

Via: @seguinfo

blog.segu-info.com.ar/2025/11/

  • 0
  • 1
  • 1
  • 9h ago

Bluesky

⚠️ 7-Zip RCE Vulnerability CVE-2025-11001: Critical vulnerability in 7-Zip! A malicious ZIP file can allow remote code execution on your computer. Simply opening the file is enough. ❕ Users are advised to update to 7-Zip version 25.00 or later.
  • 0
  • 0
  • 0
  • 15h ago
Hackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001)
  • 0
  • 0
  • 0
  • 7h ago
Blog: "PoC exploit for a vulnerability in 7-Zip (CVE-2025-11001)"
  • 0
  • 0
  • 1
  • 7h ago
A PoC for the 7-Zip vulnerability CVE-2025-11001 has been published; updating is still recommended rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • Microsoft
  • Azure Bastion Developer

20 Nov 2025
Published
26 Nov 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.10%

KEV

Description

Azure Bastion Elevation of Privilege Vulnerability

Statistics

  • 1 Post
  • 42 Interactions

Last activity: 19 hours ago

Fediverse

  • 18
  • 24
  • 0
  • 19h ago

Overview

  • Oracle Corporation
  • Identity Manager

21 Oct 2025
Published
22 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
60.96%

Description

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Statistics

  • 3 Posts
  • 1 Interaction

Last activity: 12 hours ago

Bluesky

A critical flaw in Oracle's Identity Manager has been exploited in the wild, marking the latest threat for customers of the enterprise software giant. CVE-2025-61757 is a remote code execution (RCE) vulnerability in the Identity Manager solution for Oracle Fusion Middleware.
  • 0
  • 1
  • 0
  • 12h ago
Oracle OIM zero-day: Pre-auth RCE forces rapid patching across enterprises (CVE-2025-61757) #patchmanagement
  • 0
  • 0
  • 0
  • 14h ago

Overview

  • Mozilla
  • Firefox

11 Nov 2025
Published
25 Nov 2025
Updated

CVSS
Pending
EPSS
0.05%

KEV

Description

Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.

Statistics

  • 2 Posts
  • 6 Interactions

Last activity: 16 hours ago

Fediverse


🚨 Attention all Firefox users: A vulnerability (CVE-2025-13016) in WebAssembly handling could let attackers execute code on your device. Researchers say over 180 million users might have been exposed. The fix is live, update immediately.

Read: hackread.com/update-firefox-pa

#Cybersecurity #Infosec #Firefox #Vulnerability #Privacy

  • 3
  • 3
  • 0
  • 16h ago
  • 0
  • 0
  • 0
  • 16h ago

Overview

  • ASUS
  • MyASUS

25 Nov 2025
Published
25 Nov 2025
Updated

CVSS v4.0
HIGH (8.5)
EPSS
0.01%

KEV

Description

A local privilege escalation vulnerability exists in the restore mechanism of ASUS System Control Interface. It can be triggered when an unprivileged actor copies files without proper validation into protected system paths, potentially leading to arbitrary files being executed as SYSTEM. For more information, please refer to section Security Update for MyASUS in the ASUS Security Advisory.

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 9 hours ago

Fediverse


Asus has released urgent security updates for all (!) ASUS PCs

If you use an Asus PC, you should act immediately and install the recommended updates!
ASUS has released important security updates for the ASUS System Control Interface Service in MyASUS. Specifically, this concerns the vulnerability CVE-2025-59373 (score of 8.5).

More: maniabel.work/archiv/568

#MyAsus #Asus #infosec #infosecnews #BeDiS

  • 1
  • 0
  • 0
  • 9h ago

Overview

  • Shenzhen Aitemi E Commerce Co. Ltd.
  • M300 Wi-Fi Repeater

07 Aug 2025
Published
21 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.4)
EPSS
34.82%

KEV

Description

An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal date '-s' command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes.

Statistics

  • 1 Post
  • 7 Interactions

Last activity: 7 hours ago

Fediverse


Shenzhen WiFi repeater command injection is EITW.

cve.org/CVERecord?id=CVE-2025-

An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal date '-s' command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes.

attackerkb.com/topics/vOQYG5Nn

Unlike many consumer IoT vulnerabilities that remain purely theoretical, CVE-2025-34152 has been observed actively exploited in the wild. In September 2025, multiple Aitemi M300 devices exposed to the internet were found compromised.

cc: @Dio9sys @da_667

  • 3
  • 4
  • 0
  • 7h ago

Overview

  • Digital Bazaar
  • node-forge

25 Nov 2025
Published
25 Nov 2025
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

Statistics

  • 1 Post
  • 4 Interactions

Last activity: 9 hours ago

Fediverse


Resetting the "It has been __ days since an ASN.1 vuln."

cve.org/CVERecord?id=CVE-2025-

An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

  • 1
  • 3
  • 0
  • 9h ago

Overview

  • Monsta Limited of New Zealand
  • Monsta FTP

07 Nov 2025
Published
19 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.04%

KEV

Description

Monsta FTP versions 2.11 and earlier contain a vulnerability that allows unauthenticated arbitrary file uploads. This flaw enables attackers to execute arbitrary code by uploading a specially crafted file from a malicious (S)FTP server.

Statistics

  • 3 Posts
  • 4 Interactions

Last activity: 16 hours ago

Bluesky

🚨 A critical Monsta FTP flaw (CVE-2025-34299) is still exposing hundreds of servers weeks after disclosure. Many remain unpatched and internet-facing. Full article 👉 basefortify.eu/posts/2025/1... #CyberSecurity #CVE2025 #MonstaFTP #RCE #BaseFortify
  • 0
  • 2
  • 0
  • 16h ago
🛡️ Want automated detection of risks like CVE-2025-34299? BaseFortify maps threats to your systems and gives clear mitigation guidance. Register free 👉 basefortify.eu/register #BaseFortify #CyberSecurity #VulnManagement #BlueTeam
  • 0
  • 1
  • 0
  • 16h ago
⚠️ CVE-2025-34299 lets attackers upload malicious files and gain remote code execution. Shadowserver still sees ~800 vulnerable Monsta FTP servers exposed today. More technical details here ⬇️ basefortify.eu/cve_reports/... #InfoSec #CVE2025 #MonstaFTP #RCE #CyberAlert
  • 0
  • 1
  • 0
  • 16h ago

Overview

  • lunary-ai
  • lunary-ai/lunary

25 Nov 2025
Published
25 Nov 2025
Updated

CVSS v3.0
CRITICAL (9.3)
EPSS
0.07%

KEV

Description

lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 20 hours ago

Bluesky

⚡ CVE-2025-9803 — Lunary AI Flawed Google OAuth validation lets attackers hijack accounts using tokens from rogue apps. Update to 1.9.35! 🔗 basefortify.eu/cve_reports/... #CVE #Lunary #OAuth #AccountTakeover #Infosec
  • 0
  • 2
  • 0
  • 20h ago

Overview

  • Grafana
  • Grafana Enterprise

21 Nov 2025
Published
24 Nov 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.02%

KEV

Description

SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow to override internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met:

  • `enableSCIM` feature flag set to true
  • `user_sync_enabled` config option in the `[auth.scim]` block set to true

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 7 hours ago

Bluesky

🚨 #CVE-2025-41115: critical vulnerability in #Grafana user identity handling. Update to the latest platform version. #Vulnerable versions with #SCIM provisioning enabled can let a malicious SCIM client use a numeric "externalId" to override user IDs, risking impersonation or privilege escalation.
  • 0
  • 1
  • 0
  • 7h ago