Latest Cybersecurity News & Insights
24 September 2025
Cybersecurity researchers have disclosed two security flaws in Wondershare RepairIt that exposed private user data and potentially exposed the system to artificial intelligence (AI) model tampering and supply chain risks.
The critical-rated vulnerabilities in question, discovered by Trend Micro, are listed below -
CVE-2025-10643 (CVSS score: 9.1) - An authentication bypass vulnerability that
24 September 2025
Tracked as CVE-2025-59689, the command injection bug could be triggered via malicious emails containing crafted compressed attachments.
The post Libraesva Email Security Gateway Vulnerability Exploited by Nation-State Hackers appeared first on SecurityWeek.
24 September 2025
Cloud security company Wiz has revealed that it uncovered in-the-wild exploitation of a security flaw in a Linux utility called Pandoc as part of attacks designed to infiltrate Amazon Web Services (AWS) Instance Metadata Service (IMDS).
The vulnerability in question is CVE-2025-51591 (CVSS score: 6.5), which refers to a case of Server-Side Request Forgery (SSRF) that allows attackers to
24 September 2025
Libraesva has released a security update to address a vulnerability in its Email Security Gateway (ESG) solution that it said has been exploited by state-sponsored threat actors.
The vulnerability, tracked as CVE-2025-59689, carries a CVSS score of 6.1, indicating medium severity.
"Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious email containing a
23 September 2025
Binarly researchers have found a way to bypass a patch for a previously disclosed vulnerability.
The post Patch Bypassed for Supermicro Vulnerability Allowing BMC Hack appeared first on SecurityWeek.
23 September 2025
CVE-2025-26399 is a patch bypass of CVE-2024-28988, which is a patch bypass of the exploited CVE-2024-28986.
The post SolarWinds Makes Third Attempt at Patching Exploited Vulnerability appeared first on SecurityWeek.
23 September 2025
SolarWinds has released hot fixes to address a critical security flaw impacting its Web Help Desk software that, if successfully exploited, could allow attackers to execute arbitrary commands on susceptible systems.
The vulnerability, tracked as CVE-2025-26399 (CVSS score: 9.8), has been described as an instance of deserialization of untrusted data that could result in code execution. It affects
23 September 2025
Cybersecurity researchers have disclosed details of a new botnet that customers can rent access to conduct distributed denial-of-service (DDoS) attacks against targets of interest.
The ShadowV2 botnet, according to Darktrace, predominantly targets misconfigured Docker containers on Amazon Web Services (AWS) cloud servers to deploy a Go-based malware that turns infected systems into attack nodes
22 September 2025
L1TF Reloaded is a vulnerability combining the old L1TF and half-Spectre hardware flaws to bypass deployed software mitigations.
The post Researchers Earn $150,000 for L1TF Exploit Leaking Data From Public Cloud appeared first on SecurityWeek.
22 September 2025
The security landscape now moves at a pace no patch cycle can match. Attackers aren’t waiting for quarterly updates or monthly fixes—they adapt within hours, blending fresh techniques with old, forgotten flaws to create new openings. A vulnerability closed yesterday can become the blueprint for tomorrow’s breach.
This week’s recap explores the trends driving that constant churn: how threat
22 September 2025
Tracked as CVE-2025-10035 (CVSS score of 10), the critical deserialization vulnerability could be exploited for command injection.
The post Fortra Patches Critical GoAnywhere MFT Vulnerability appeared first on SecurityWeek.
22 September 2025
A critical token validation failure in Microsoft Entra ID (previously Azure Active Directory) could have allowed attackers to impersonate any user, including Global Administrators, across any tenant.
The vulnerability, tracked as CVE-2025-55241, has been assigned the maximum CVSS score of 10.0. It has been described by Microsoft as a privilege escalation flaw in Azure Entra. There is no
20 September 2025
Cybersecurity researchers have disclosed a zero-click flaw in OpenAI ChatGPT's Deep Research agent that could allow an attacker to leak sensitive Gmail inbox data with a single crafted email without any user action.
The new class of attack has been codenamed ShadowLeak by Radware. Following responsible disclosure on June 18, 2025, the issue was addressed by OpenAI in early August.
"The attack
19 September 2025
Fortra has disclosed details of a critical security flaw in GoAnywhere Managed File Transfer (MFT) software that could result in the execution of arbitrary commands.
The vulnerability, tracked as CVE-2025-10035, carries a CVSS score of 10.0, indicating maximum severity.
"A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged
19 September 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of two sets of malware that were discovered in an unnamed organization's network following the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM).
"Each set contains loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server,"
18 September 2025
OpenAI has fixed this zero-click attack method called by researchers ShadowLeak.
The post ChatGPT Deep Research Targeted in Server-Side Data Theft Attack appeared first on SecurityWeek.
18 September 2025
An exploited type confusion in the V8 JavaScript engine tracked as CVE-2025-10585 was found by Google Threat Analysis Group this week.
The post Chrome 140 Update Patches Sixth Zero-Day of 2025 appeared first on SecurityWeek.
18 September 2025
Google on Wednesday released security updates for the Chrome web browser to address four vulnerabilities, including one that it said has been exploited in the wild.
The zero-day vulnerability in question is CVE-2025-10585, which has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine.
Type confusion vulnerabilities can have severe consequences as they can be
16 September 2025
Apple on Monday backported fixes for a recently patched security flaw that has been actively exploited in the wild.
The vulnerability in question is CVE-2025-43300 (CVSS score: 8.8), an out-of-bounds write issue in the ImageIO component that could result in memory corruption when processing a malicious image file.
"Apple is aware of a report that this issue may have been exploited in an
16 September 2025
The bootstrapped company will invest in an AI-powered unified enterprise platform combining configuration, compliance, patching, and vulnerability management.
The post Endpoint Security Firm Remedio Raises $65 Million in First Funding Round appeared first on SecurityWeek.