Latest Cybersecurity News & Insights
31 December 2025
IBM has disclosed details of a critical security flaw in API Connect that could allow attackers to gain remote access to the application.
The vulnerability, tracked as CVE-2025-13915, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an authentication bypass flaw.
"IBM API Connect could allow a remote attacker to bypass authentication mechanisms and gain
30 December 2025
The Cyber Security Agency of Singapore (CSA) has issued a bulletin warning of a maximum-severity security flaw in SmarterTools SmarterMail email software that could be exploited to achieve remote code execution.
The vulnerability, tracked as CVE-2025-52691, carries a CVSS score of 10.0. It relates to a case of arbitrary file upload that could enable code execution without requiring any
29 December 2025
Tracked as CVE-2020-12812, the exploited FortiOS flaw allows threat actors to bypass two-factor authentication.
The post Fortinet Warns of New Attacks Exploiting Old Vulnerability appeared first on SecurityWeek.
29 December 2025
A recently disclosed security vulnerability in MongoDB has come under active exploitation in the wild, with over 87,000 potentially susceptible instances identified across the world.
The vulnerability in question is CVE-2025-14847 (CVSS score: 8.7), which allows an unauthenticated attacker to remotely leak sensitive data from the MongoDB server memory. It has been codenamed MongoBleed.
"A flaw
27 December 2025
A high-severity security flaw has been disclosed in MongoDB that could allow unauthenticated users to read uninitialized heap memory.
The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency, which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent with the
26 December 2025
A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection.
LangChain Core (i.e., langchain-core) is a core Python package that's part of the LangChain ecosystem, providing the core interfaces and model-agnostic abstractions for building
25 December 2025
Fortinet on Wednesday said it observed "recent abuse" of a five-year-old security flaw in FortiOS SSL VPN in the wild under certain configurations.
The vulnerability in question is CVE-2020-12812 (CVSS score: 5.2), an improper authentication vulnerability in SSL VPN in FortiOS that could allow a user to log in successfully without being prompted for the second factor of authentication if the
25 December 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2023-52163 (CVSS score: 8.8), relates to a case of command injection that allows post-authentication remote code
23 December 2025
A critical security vulnerability has been disclosed in the n8n workflow automation platform that, if successfully exploited, could result in arbitrary code execution under certain circumstances.
The vulnerability, tracked as CVE-2025-68613, carries a CVSS score of 9.9 out of a maximum of 10.0. The package has about 57,000 weekly downloads, according to statistics on npm.
"Under certain
22 December 2025
The critical-severity bug in the Fireware OS’s iked process leads to unauthenticated remote code execution.
The post WatchGuard Patches Firebox Zero-Day Exploited in the Wild appeared first on SecurityWeek.
19 December 2025
WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks.
Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code.
"This vulnerability affects both the
19 December 2025
Certain motherboard models from vendors like ASRock, ASUSTeK Computer, GIGABYTE, and MSI are affected by a security vulnerability that leaves them susceptible to early-boot direct memory access (DMA) attacks across architectures that implement a Unified Extensible Firmware Interface (UEFI) and input–output memory management unit (IOMMU).
UEFI and IOMMU are designed to enforce a security
18 December 2025
ASRock, Asus, Gigabyte, and MSI motherboards are vulnerable to early-boot DMA attacks.
The post UEFI Vulnerability in Major Motherboards Enables Early-Boot Attacks appeared first on SecurityWeek.
18 December 2025
Tracked as CVE-2025-37164, the critical flaw could allow unauthenticated, remote attackers to execute arbitrary code.
The post HPE Patches Critical Flaw in IT Infrastructure Management Software appeared first on SecurityWeek.
18 December 2025
Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in OneView Software that, if successfully exploited, could result in remote code execution.
The critical vulnerability, assigned the CVE identifier CVE-2025-37164, carries a CVSS score of 10.0. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a
18 December 2025
Tracked as CVE-2025-59374, the issue is a software backdoor implanted in Asus Live Update in a supply chain attack.
The post CISA Warns of Exploited Flaw in Asus Update Tool appeared first on SecurityWeek.
18 December 2025
The medium-severity flaw has been exploited in combination with a critical bug for remote code execution.
The post SonicWall Patches Exploited SMA 1000 Zero-Day appeared first on SecurityWeek.
18 December 2025
The critical zero-day is tracked as CVE-2025-20393 and it impacts Secure Email Gateway and Secure Email and Web Manager appliances.
The post China-Linked Hackers Exploiting Zero-Day in Cisco Security Gear appeared first on SecurityWeek.
18 December 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting ASUS Live Update to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-59374 (CVSS score: 9.3), has been described as an "embedded malicious code vulnerability" introduced by means of a supply chain compromise
17 December 2025
Cisco has alerted users of a maximum-severity zero-day flaw in Cisco AsyncOS software that has been actively exploited by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686 in attacks targeting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
The networking equipment major said it became aware of the intrusion campaign on December 10, 2025, and that it