On Friday June 2, 2023 we reported about a MOVEit Transfer vulnerability that was actively being exploited. If your organization uses MOVEit Transfer and you haven’t patched yet, it really is time to move it. Excuse the bad pun, but yesterday we saw the first victims of this vulnerability come forward. MOVEit Transfer is a widely used file transfer sof

On May 31, 2023, Progress Software released a security bulletin about a critical vulnerability in MOVEit Transfer. The security bulletin states: “a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the da

On May 31, 2023, Progress Software released a security bulletin concerning a critical vulnerability within MOVEit Transfer, a widely used secure file transfer system. TrustedSec has performed analysis on the vulnerability and post-exploitation activities. At the time of publication, there is no associated CVE or CVS score. This post will describe the rese

Researchers discovered an Apple vulnerability that threat actors can use to deploy undeletable malware. In order to exploit CVE-2023-32369, hackers need to previously gain root privileges over the device.The Apple bug enables them to bypass System Integrity Protection (SIP) and access the victim`s private data by evading Transparency, Consent, and Control (T

On May 20, Barracuda Networks issued a patch for a zero day vulnerability in its Email Security Gateway (ESG) appliance. The vulnerability existed in a module which initially screens the attachments of incoming emails, and was discovered on May 19. Barracuda's investigation showed that the vulnerability resulted in unauthorized access to a subset of ema

SEC Consult Vulnerability Lab Security Advisory < 20230517-0 >======================================================================= title: Stored XSS vulnerability in rename functionality product: Wekan (Open-Source kanban) vulnerable version: <=6.74 fixed version: 6.75 or higher CVE number: CVE-2023-28485

WordPress plugins are under fire once more, and you’re advised to update your version of Beautiful Cookie Consent Banner as soon as possible. The plugin, which is installed on more than 40,000 sites, has been impacted by a “bizarre campaign”  being actively used since at least February 5 of this year. The plugin is designed to present

Google introduced Mobile VRP (vulnerability rewards program), a new bug bounty program for reporting vulnerabilities in its mobile applications. Google announced a new bug bounty program, named Mobile VRP (vulnerability rewards program), that covers its mobile applications. Google’s Mobile VRP is a bug bounty program for reporting vulnerabilities in

US CISA added the vulnerability CVE-2023-21492 flaw affecting Samsung devices to its Known Exploited Vulnerabilities Catalog. US CISA added the vulnerability CVE-2023-21492 vulnerability (CVSS score: 4.4) affecting Samsung devices to its Known Exploited Vulnerabilities Catalog. The issue affects Samsung mobile devices running Android 11, 12, and 13, it

KeePass is a free open source password manager, which helps you to manage your passwords and stores them in encrypted form. In fact, KeePass encrypts the whole database, i.e. not only your passwords, but also your user names, URLs, notes, etc. That encrypted database can only be opened with the master password. You absolutely do not want an attacker to get h

An app designed to restrict screen time and add a “kids' mode” for children on smart devices has been found to have a broad range of security issues.  The app, “Parental Control - Kids Place” is an Android app which is incredibly popular, sporting 5M+ downloads on its Google Play page. In terms of what the app does with user&r

Along with six older vulnerabilities, the Cybersecurity and Infrastructure Agency (CISA) has added a vulnerability in multiple Ruckus wireless products to the Known Exploited Vulnerabilities Catalog. This means that  Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities by June 2, 2023. The Common Vulnerabilities and

There is a new Linux NetFilter kernel flaw that allows unprivileged local users to escalate their privileges to root level, giving them complete control over the system. The vulnerability has been assigned the CVE-2023-32233 identifier, but its severity level has not yet been determined.Netfilter nf_tables accepts invalid configuration updates, allowing spec

Researchers shared technical details about a flaw in Windows MSHTML platform, tracked as CVE-2023-29324, that could be abused to bypass security protections. Cybersecurity researchers have shared details about a now-patched security flaw, tracked as CVE-2023-29324 (CVSS score: 6.5), in Windows MSHTML platform. An attacker can exploit the vulnerability

AndoryuBot new malware aims to infect unpatched Wi-Fi access points to enlist them in DDoS attacks. To this end, threat actors exploit a critical Ruckus vulnerability in the Wireless Admin panel.The flaw is tracked as CVE-2023-25717 and enables hackers to perform remote code execution (RCE) by sending unauthenticated HTTP GET requests to unpatched devices.Th