24h | 7d | 30d

Overview

  • 7-Zip
  • 7-Zip

19 Nov 2025
Published
21 Nov 2025
Updated

CVSS v3.0
HIGH (7.0)
EPSS
0.38%

KEV

Description

7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753.

Statistics

  • 7 Posts
  • 5 Interactions

Last activity: 16 hours ago

Fediverse

Profile picture

🧩 3️⃣ Vulnerabilidad crítica en 7-Zip: hackers la están explotando ahora.

Una falla grave en el popular programa de compresión 7-Zip (CVE-2025-11001) permite a atacantes ejecutar código de forma remota cuando un usuario descomprime un archivo ZIP malicioso.

El problema radica en cómo 7-Zip maneja enlaces simbólicos (symlinks): un ZIP confeccionado puede hacer que el programa acceda a carpetas no deseadas y ejecute código con permisos elevados.

La vulnerabilidad afecta a todas las versiones anteriores a la 25.00 (es decir, versiones usadas desde 21.02 hasta 24.09).

Ya existe un exploit de prueba de concepto (PoC) público, lo que facilita que delincuentes lo usen en ataques reales.

Aunque 7-Zip lanzó el parche en julio de 2025, muchos sistemas siguen sin actualizarlo: la recomendación urgente es que actualices a la versión 25.00 o superior lo antes posible.

🔒 ¿Herramienta de compresión útil o puerta de entrada para malware?

#Privacidad #Ciberseguridad #7Zip #Vulnerabilidad #Actualiza

thehackernews.com/2025/11/hack

  • 2
  • 2
  • 0
  • 17h ago
Profile picture

Advierten sobre un exploit PoC para una vulnerabilidad en 7-Zip (CVE-2025-11001)

Vía: @seguinfo

blog.segu-info.com.ar/2025/11/

  • 0
  • 1
  • 1
  • 21h ago

Bluesky

Profile picture
Hackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001)
  • 0
  • 0
  • 0
  • 19h ago
Profile picture
Blog: "Exploit PoC para una vulnerabilidad en 7-Zip (CVE-2025-11001)"
  • 0
  • 0
  • 1
  • 19h ago
Profile picture
7-Zipの脆弱性 CVE-2025-11001 のPoCが公開-引き続きアップデート推奨 rocket-boys.co.jp/security-mea... #セキュリティ対策Lab #セキュリティ #Security
  • 0
  • 0
  • 0
  • 16h ago

Overview

  • ASUS
  • MyASUS

25 Nov 2025
Published
25 Nov 2025
Updated

CVSS v4.0
HIGH (8.5)
EPSS
0.01%

KEV

Description

A local privilege escalation vulnerability exists in the restore mechanism of ASUS System Control Interface. It can be triggered when an unprivileged actor copies files without proper validation into protected system paths, potentially leading to arbitrary files being executed as SYSTEM. For more information, please refer to section Security Update for MyASUS in the ASUS Security Advisory.

Statistics

  • 3 Posts
  • 2 Interactions

Last activity: 5 hours ago

Fediverse

Profile picture

Asus veröffentlichte drängend-dringende SicherheitsUpdates für alle (!) AUSUS-PCs

Wenn sie einen Asus-PC nutzen, sollten Sie sofort handeln und die empfohlenen Updates einspielen!
ASUS hat wichtige Sicherheitsupdates für den ASUS System Control Interface Service in MyASUS veröffentlicht. Konkret geht es um die Schwachstelle CVE-2025-59373 (Score von 8,5).

Mehr: maniabel.work/archiv/568

#MyAsus #Asus #infosec #infosecnews #BeDiS

  • 1
  • 0
  • 0
  • 21h ago
Profile picture

ASUS has patched a high-severity local privilege escalation flaw (CVE-2025-59373) in MyASUS that allowed elevation to NT AUTHORITY/SYSTEM via the System Control Interface Service. Patch now shipped through Windows Update with updated versions for x64 and ARM.

Full details:
technadu.com/asus-fixes-high-s

  • 0
  • 0
  • 0
  • 5h ago

Bluesky

Profile picture
ASUS has issued a fix for a high-severity MyASUS privilege escalation flaw (CVE-2025-59373) that allowed SYSTEM-level access with minimal requirements. Updates are now rolling out through Windows Update. #CyberSecurity #ASUS #InfoSec #WindowsSecurity
  • 0
  • 1
  • 0
  • 5h ago

Overview

  • factionsecurity
  • faction

26 Nov 2025
Published
26 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.7)
EPSS
0.18%

KEV

Description

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 8 hours ago

Fediverse

Profile picture

⚠️ CVE-2025-66022: Critical RCE in Faction (<1.7.1). Unauthenticated attackers can upload extensions, execute commands, and fully compromise systems. Patch to 1.7.1 now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 13h ago

Bluesky

Profile picture
🚨 CVE-2025-66022 — Faction Framework RCE Unauthenticated attackers can upload malicious extensions and execute commands on the server. This is full remote compromise. Patch immediately to v1.7.1. 🔗 basefortify.eu/cve_reports/... #CVE #CyberSecurity #RCE #OpenSource #PatchNow
  • 0
  • 2
  • 0
  • 8h ago

Overview

  • Mozilla
  • Firefox

11 Nov 2025
Published
25 Nov 2025
Updated

CVSS
Pending
EPSS
0.05%

KEV

Description

Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 10 hours ago

Bluesky

Profile picture
Update Firefox to Patch CVE-2025-13016 Vulnerability Affecting 180 Million Users – Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More https://hackread.com/update-firefox-patch-cve-2025-13016-vulnerability/
  • 0
  • 1
  • 0
  • 11h ago
Profile picture
📌 Critical Firefox Vulnerability (CVE-2025-13016) Exposes 180 Million Users to Arbitrary Code Execution https://www.cyberhub.blog/article/16006-critical-firefox-vulnerability-cve-2025-13016-exposes-180-million-users-to-arbitrary-code-execution
  • 0
  • 0
  • 0
  • 10h ago

Overview

  • Microsoft
  • Azure App Gateway

26 Nov 2025
Published
26 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.09%

KEV

Description

Stack-based buffer overflow in Azure Application Gateway allows an unauthorized attacker to elevate privileges over a network.

Statistics

  • 2 Posts

Last activity: 8 hours ago

Fediverse

Profile picture

⚠️ CRITICAL: CVE-2025-64657 in Azure App Gateway enables unauthenticated remote code execution (RCE) via stack-based buffer overflow. No patch yet—limit network access, monitor traffic, and prepare for urgent updates. Full system compromise risk. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 16h ago

Bluesky

Profile picture
🚨 CVE-2025-64657 — Azure Application Gateway A stack buffer overflow allows remote attackers to escalate privileges across the network. Cloud admins should patch immediately. 🔗 basefortify.eu/cve_reports/... #CVE #Azure #CloudSecurity #PrivilegeEscalation
  • 0
  • 0
  • 0
  • 8h ago

Overview

  • Shenzhen Aitemi E Commerce Co. Ltd.
  • M300 Wi-Fi Repeater

07 Aug 2025
Published
21 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.4)
EPSS
34.82%

KEV

Description

An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal date '-s' command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes.

Statistics

  • 1 Post
  • 8 Interactions

Last activity: 19 hours ago

Fediverse

Profile picture

Shenzhen WiFi repeater command injection is EITW.

cve.org/CVERecord?id=CVE-2025-

An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal date '-s' command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes.

attackerkb.com/topics/vOQYG5Nn

Unlike many consumer IoT vulnerabilities that remain purely theoretical, CVE-2025-34152 has been observed actively exploited in the wild. In September 2025, multiple Aitemi M300 devices exposed to the internet were found compromised.

cc: @Dio9sys @da_667

  • 4
  • 4
  • 0
  • 19h ago

Overview

  • glib

26 Nov 2025
Published
26 Nov 2025
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

Statistics

  • 1 Post
  • 8 Interactions

Last activity: 2 hours ago

Fediverse

Profile picture

That's an avenue that I admit I hadn't thought to check before. Seems so simple though.

access.redhat.com/security/cve

A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

  • 2
  • 6
  • 0
  • 2h ago

Overview

  • Linux
  • Linux

20 May 2025
Published
26 May 2025
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use of sess->user.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 9 hours ago

Fediverse

Profile picture

Accessibilité et design

#NotesHebdo

#accessibilité #design #LLM #NotesHebdo #opensource #security

lascapi.fr/blog/2025/11/26/acc

  • 2
  • 0
  • 0
  • 9h ago

Overview

  • Digital Bazaar
  • node-forge

25 Nov 2025
Published
25 Nov 2025
Updated

CVSS
Pending
EPSS
0.06%

KEV

Description

An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

Statistics

  • 1 Post
  • 4 Interactions

Last activity: 21 hours ago

Fediverse

Profile picture

Resetting the "It has been __ days since an ASN.1 vuln."

cve.org/CVERecord?id=CVE-2025-

An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

  • 1
  • 3
  • 0
  • 21h ago

Overview

  • Red Hat
  • Red Hat Enterprise Linux 10
  • libtiff

23 Sep 2025
Published
24 Nov 2025
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.

Statistics

  • 1 Post
  • 4 Interactions

Last activity: 10 hours ago

Fediverse

Profile picture

To be a little more specific about the problem I'm interested in solving, this is a potential building block for an image processing pipeline for ActivityPub software. Mastodon uses ImageMagick, which is an old and well tested image manipulation tool, but it's only as sandboxed as the Mastodon server itself. Any vulnerability in ImageMagick leaves an attacker in a position to do anything the Mastodon server can do. That's an uncomfortable place to be because image library compromise isn't an outlandish possibility. It has happened a lot (check out this recent libtiff CVE: nvd.nist.gov/vuln/detail/CVE-2). And I don't mean to say their developers are bad at what they do. Images are complex and this is a really hard problem!

  • 1
  • 3
  • 0
  • 10h ago
Showing 1 to 10 of 36 CVEs