Content Paint
Search
Sign in
Membership

vulnerabilities

Security  | Jan 10, 2024
Pre-auth RCE zero days in Ivanti VPNs are being exploited by a Chinese APT and there won’t be a patch for weeks. Buckle up.
Pre-auth RCE zero days in Ivanti VPNs are being exploited by a Chinese APT and there won’t be a patch for weeks. Buckle up.

Attackers re-write JavaScript loaded by the VPN login page for the Appliance to capture credentials; also grabbed Veeam credentials, moved laterally for full SYSTEM control.

Security  | Jan 08, 2024
Software licensing bug percolates pre-auth RCE risk downstream to PLC-land
Software licensing bug percolates pre-auth RCE risk downstream to PLC-land

Another arguably more potent example and one actively exploited in the wild is CVE-2023-46604 – a CVSS 10 RCE vulnerability in Apache ActiveMQ; an open source message broker written in Java.

Patch Tuesday  | Dec 13, 2023
A December Patch Tuesday recap: Azure Logic Apps, Power Platform get critical fix
A December Patch Tuesday recap: Azure Logic Apps, Power Platform get critical fix

A CVSS 9,8 bug that lets attackers spoof legitimate connectors between Microsoft/Azure services is the pick of the bunch...

 |  Patch Tuesday  | Nov 14, 2023
Three Windows zero days are under attack: Patch up.
Three Windows zero days are under attack: Patch up.

"Loaded by default on just about every version of Windows, so it provides a broad attack surface"

SolarWinds  | Oct 31, 2023
SolarWinds sued by SEC over 2019 monster hack, CISO also charged with fraud, control failures
SolarWinds sued by SEC, SolarWinds CISO also charged with fraud

SolarWinds’ poor controls... false and misleading statements and omissions, and the other misconduct... would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack"

Security  | Oct 31, 2023
Citrix Bleed: Two ransomware groups now exploiting bug for initial access
Citrix Bleed: Two ransomware groups now exploiting bug for initial access

Here's what you need to do to reduce the threat posed by CVE-2023-4966. But don't delay.

Security  | Oct 27, 2023
Zero day in free Roundcube webmail service exploited to target governments
Zero day in free Roundcube webmail service exploited to target governments

Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because... a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”

Security  | Oct 17, 2023
CVSS 10 Cisco bug is getting exploited, has no patch
CVSS 10 Cisco bug is getting exploited, has no patch

"We have also seen devices... getting the implant successfully installed through an as of yet undetermined mechanism."

 |  Software  | Oct 11, 2023
Patch Tuesday is 20: Curl fix lands, Skype’s under attack and there’s a wormable pre-auth RCE in the mix
Patch Tuesday is 20: Curl fix lands, Skype’s under attack and there’s a wormable pre-auth RCE in the mix

A CVSS 9.8, pre-auth RCE that lets an attacker execute arbitrary code without user interaction is wormable on systems where Message Queuing is enabled.

Interviews, insight, intelligence, and exclusive events for digital leaders.

© 2025 The Stack
©  2025 The Stack

Search the site
Your link has expired. Please request a new one.
Your link has expired. Please request a new one.
Your link has expired. Please request a new one.
Great! You've successfully signed up.
Great! You've successfully signed up.
Welcome back! You've successfully signed in.
Success! You now have access to additional content.