🔎 CVE-2025-11544 (CRITICAL, CVSS 9.5): Sharp Display Solutions projectors let attackers upload unauthorized firmware—remote, no auth needed. All models vulnerable. Urgently segment, restrict, and monitor! https://radar.offseq.com/threat/cve-2025-11544-cwe-912-hidden-functionality-in-sha-156315c0 #OffSeq #CVE2025 #infosec #embeddedsecurity

🚨 Active exploitation confirmed: CVE-2025-11953

VulnCheck is reporting active exploitation attempts in the wild against the React Native Metro server.

The issue? It binds to 0.0.0.0 by default, exposing a "local" dev tool to the internet.

⚠️ Crucial Detail: While the exposure is general, the current RCE exploit specifically targets Windows environments.

We’ve updated Pentest-Tools.com to help you validate this:

Network Scanner: Detects exposed Metro servers.

Sniper Auto-Exploiter: Safely executes a PoC (on Windows) to confirm RCE.

Fix: Update @react-native-community/cli-server-api to v20.0.0+ or bind to 127.0.0.1.

Validate your risk.

🔗 https://pentest-tools.com/vulnerabilities-exploits/react-native-community-cli-development-server-remote-code-execution_28151

#InfoSec #AppSec #RedTeam #VulnerabilityManagement #ReactNative #CVE202511953

ReDoS in Fedify.

https://www.cve.org/CVERecord?id=CVE-2025-68475

Very good question! I hope you’ll forgive me for a long response, it is something I have a lot of thoughts on.

I used to think newer is better, but after plenty of distro-hopping (I had a real good time on Arch), I realized that Debian’s version of "stability" is actually its greatest feature. Here is how I’ve come to see it, using your Fedora experience as a comparison:

Fist, with Debian, stable means unchanging. Fedora is a fast-moving target. It was an early adopter for Wayland and Pipewire. That is exciting, but it can feel like a version of whiplash. Debian is the opposite. Once a version is released, the APIs, file locations, and package behaviors are locked in. Its predictability means my system feels the same on Day 1 as it does on Day 300.

Debian prioritizes reliability over cutting-edge performance. While Fedora pushes the new thing, Debian’s conservative defaults ensure maximum compatibility. It is the "just works" philosophy. It is not just that it doesn't crash, it is that it doesn't surprise you.

I also find APT to be incredibly satisfying compared to DNF. The sheer size of the repositories is massive, but APT Pinning is THE feature for me. Being able to set numeric priorities in /etc/apt/preferences allows me to do things like pull a specific package from Backports while keeping the rest of the system on the Stable branch. It gives you control over dependency resolution that is hard to match.

Regarding your question on security, Debian is unique because it is a 100% community-led project. Unlike Fedora (Red Hat) or Ubuntu (Canonical), there is no corporate entity at the top. This is one of the most important traits to me. If Red Hat wanted to, Fedora could start showing ads in the application menu with the next update. I don’t think that will happen with Fedora, but who knows, Canonical is now showing ads in the cli. Enough is enough.

I also appreciate Debian’s focus on inclusion. It is one of the most inclusive projects in tech. As a member of the queer community, it is important to me to use tools that are created and supported by those who do not hate me for being different. To quote their Diversity Statement: “No matter how you identify yourself or how others perceive you: we welcome you. We welcome contributions from everyone as long as they interact constructively with our community.” They forbid discrimination against any person or group. Because it is a global meritocracy, you have contributors from every corner of the world. This diversity is actually a security feature because with so many different eyes on the code, it is much harder for a backdoor or a bias to slip through unnoticed.

For your "backdoor-proof" concern, Debian’s Social Contract and strict adherence to free software guidelines mean every line of code is scrutinized by volunteers around the world. It is transparent by design. While no distro/OS is unhackable, Debian’s slow and steady release cycle means security patches are thoroughly vetted before they hit your machine, reducing the risk of zero day regressions. Fedora has been vulnerable to zero day attacks in the past and will probably continue to be in the future. For instance, because Fedora is always on the latest versions, Fedora Users are often vulnerable to new attack. Earlier in 2025, the latest kernel which Fedora had pushed to users had a zero day vulnerability. Debian stable users did not have that vulnerability because they would not see that update for quite some time.

Sources:

Ubuntu Showing Ads in Terminal - https://linuxiac.com/ubuntu-once-again-angered-users-by-placing-ads/

Debian Social Contract - https://www.debian.org/social_contract

Debian Diversity Statement - https://www.debian.org/intro/diversity

Zero day vulnerability mentioned -https://www.cve.org/CVERecord?id=CVE-2025-37899

#Debian

🚨 CVE-2025-11543 (CRITICAL, CVSS 9.5): Sharp projectors (all models/versions) let attackers deploy rogue firmware via network—no auth needed. Segment, restrict, and monitor devices. No patch yet. Details: https://radar.offseq.com/threat/cve-2025-11543-cwe-354-improper-validation-of-inte-576d4b82 #OffSeq #CVE2025_11543 #Vuln #IoTSecurity