Aggregator

其一，滥用配置不当的GitLab OIDC信任策略，实现从低权限用户到敏感角色的权限提升；其二，利用暴露的Spring Boot Actuator端点构造SSRF，窃取实例元数据并绕过S3存储桶的VPC端点限制。

An advisory from Unity — which makes the software behind dozens of popular games — warns developers to patch a vulnerability that could allow an attacker to execute code via an affected app.

The threat group Scattered Lapsus$ Hunters, which last month said it was shutting down operations, is back with a data leak site listing dozens of high-profile Salesforce customers and claiming to have stolen almost 1 billion data files. The group is demanding that Salesforce negotiate with it or risk the data being released.

The post Scattered Lapsus$ Hunters Extorts Victims, Demands Salesforce Negotiate appeared first on Security Boulevard.

Western Reserve Academy Balances Security and Privacy in Google Workspace and Microsoft 365 Western Reserve Academy is an independent boarding and day school in Hudson, Ohio that prides itself on providing a top-tier learning environment supported by modern technology.  Matt Gerber, Chief Information Officer, and Brian Schwartz, Director of Network Administration, lead the school’s technology ...

The post Cloud Monitor Provides Affordable Visibility and Control at Western Reserve Academy appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.

The post Cloud Monitor Provides Affordable Visibility and Control at Western Reserve Academy appeared first on Security Boulevard.

Хакеры ушли с миллионами, но вернулись за миллиардом.

Credential-based attacks happen in seconds. Learn how to block weak or stolen passwords instantly, safeguard accounts in real time, and reduce helpdesk headaches with automated defense. Enzoic delivers lightweight APIs that: Block weak or compromised passwords at creation/reset Stop stolen username/password pairs at login in real time Deploy in minutes with no added friction for users Make every authentication attempt a security checkpoint. Download eBook: Defending Identity Security the Moment It’s Threatened

The post eBook: Defending Identity Security the Moment It’s Threatened appeared first on Help Net Security.

Most orgs. felt secure, but 75% had a SaaS incident. Learn why, and how to bridge the SaaS security confidence gap.

The post 75% of Orgs. Had a SaaS Security Incident Despite High Confidence in Their Security. Here’s Why. appeared first on AppOmni.

The post 75% of Orgs. Had a SaaS Security Incident Despite High Confidence in Their Security. Here’s Why. appeared first on Security Boulevard.

A critical security vulnerability has been discovered in Zabbix Agent and Agent 2 for Windows that allows attackers with local system access to escalate their privileges through DLL injection attacks.  The flaw, tracked as CVE-2025-27237 with a CVSS score of 7.3 (High), affects multiple versions of the popular network monitoring solution and has prompted immediate […]

The post Zabbix Agent and Agent 2 for Windows Vulnerability Let Attackers Escalate Privileges appeared first on Cyber Security News.

A sophisticated malware campaign dubbed TamperedChef has successfully compromised European organizations by masquerading as a legitimate PDF editor application, according to new research from WithSecure’s Strategic Threat Intelligence & Research Group (STINGR). The campaign demonstrates how threat actors can leverage convincing advertising strategies and fully functional decoy applications to harvest sensitive credentials and establish persistent […]

The post TamperedChef Malware Disguised as PDF Editor Hijacks Browser Credentials and Opens Backdoors appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

New versions of the XWorm backdoor are being distributed in phishing campaigns after the original developer, XCoder, abandoned the project last year. [...]

In the era of rapidly advancing artificial intelligence (AI) and cloud technologies, organizations are increasingly implementing security measures to protect sensitive data and ensure regulatory compliance. Among these measures, AI-SPM (AI Security Posture Management) solutions have gained traction to secure AI pipelines, sensitive data assets, and the overall AI ecosystem. These solutions help

The cyber world never hits pause, and staying alert matters more than ever. Every week brings new tricks, smarter attacks, and fresh lessons from the field. This recap cuts through the noise to share what really matters—key trends, warning signs, and stories shaping today’s security landscape. Whether you’re defending systems or just keeping up, these highlights help you spot what’s coming

A security flaw in Zabbix Agent and Agent2 for Windows has been discovered that could allow a local attacker to gain higher system privileges. The issue, tracked as CVE-2025-27237, stems from the way the agent loads its OpenSSL configuration file. By exploiting this weakness, an attacker with limited rights on a Windows host could escalate […]

The post Zabbix Agent/Agent2 for Windows Vulnerability Could Allow Privilege Escalation appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Oracle has released an emergency update to address a critical security flaw in its E-Business Suite that it said has been exploited in the recent wave of Cl0p data theft attacks. The vulnerability, tracked as CVE-2025-61882 (CVSS score: 9.8), concerns an unspecified bug that could allow an unauthenticated attacker with network access via HTTP to compromise and take control of the Oracle

Cybersecurity researchers have shed light on a Chinese-speaking cybercrime group codenamed UAT-8099 that has been attributed to search engine optimization (SEO) fraud and theft of high-value credentials, configuration files, and certificate data.  The attacks are designed to target Microsoft Internet Information Services (IIS) servers, with most of the infections reported in India, Thailand

Зачем инженеры КНР придумали альтернативу мировому интернету.

The Cl0p extortion gang exploited multiple Oracle E-Business Suite (EBS) vulnerabilities, including one zero-day flaw (CVE-2025-61882), “to steal large amounts of data from several victim[s] in August 2025,” Charles Carmakal, CTO at Mandiant – Google Cloud, stated on Sunday. “Clop has been sending extortion emails to several victims since last Monday. However, please note they may not have attempted to reach out to all victims yet,” he added. The extortion email (Source: Mandiant) About CVE-2025-61882 … More →

The post Cl0p exploits Oracle E-Business Suite zero-day in data theft, extortion campaign (CVE-2025-61882) appeared first on Help Net Security.

With the release of Kali Linux 2025.3, penetration testers and security professionals gain access to an innovative AI-powered assistant, the Gemini Command-Line Interface (CLI). This open-source package brings Google’s Gemini AI directly into the terminal, offering natural language–driven automation for common pentesting workflows. The integration of Gemini CLI marks a significant leap forward in the […]

The post Integrate Gemini CLI into Your Kali Terminal to Speed Up Pentesting Tasks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

2025年第三届陇剑杯网络安全大赛 RHG决赛wp

We are nearly one year out from the 2026 midterm elections, and it’s far too early to predict the outcomes. But it’s a safe bet that artificial intelligence technologies will once again be a major storyline.

The widespread fear that AI would be used to manipulate the 2024 U.S. election seems rather quaint in a year where the president posts AI-generated images of himself as the pope on official White House accounts. But AI is a lot more than an information manipulator. It’s also emerging as a politicized issue. Political first-movers are adopting the technology, and that’s opening a ...

The post AI in the 2026 Midterm Elections appeared first on Security Boulevard.