Aggregator

Multiple critical vulnerabilities in Qualcomm Technologies’ proprietary Data Network Stack and Multi-Mode Call Processor that permit remote attackers to execute arbitrary code.  These flaws, tracked as CVE-2025-21483 and CVE-2025-27034, each carry a CVSS score of 9.8 and exploit buffer-corruption weaknesses to compromise device security. Key Takeaways1. CVE-2025-21483 & CVE-2025-27034 allow remote RCE.2. Affects Snapdragon 8 […]

The post Critical Qualcomm Vulnerabilities Allow Attackers to Execute Arbitrary Code Remotely appeared first on Cyber Security News.

A vulnerability has been found in GitLab Community Edition and Enterprise Edition up to 18.0.5/18.1.3/18.2.1 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability is referenced as CVE-2025-7734. Remote exploitation of the attack is possible. No exploit is available. The affected component should be upgraded.

A vulnerability was found in GitLab Enterprise Edition up to 18.0.5/18.1.3/18.2.1. It has been rated as problematic. The impacted element is an unknown function of the component Merge Request Handler. Performing manipulation results in authorization bypass. This vulnerability is cataloged as CVE-2025-8770. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is advised.

A critical security vulnerability has emerged in Azure Active Directory (Azure AD) configurations that exposes sensitive application credentials, providing attackers with unprecedented access to cloud environments.  This vulnerability centers around the exposure of appsettings.json files containing ClientId and ClientSecret credentials, effectively handing adversaries the keys to entire Microsoft 365 tenants. The vulnerability was identified during […]

The post Azure Active Directory Vulnerability Exposes Credentials and Enables Attackers to Deploy Malicious Apps appeared first on Cyber Security News.

A vulnerability, which was classified as critical, was found in SonarSource sonarqube-scan-action up to 5.3.0. The impacted element is an unknown function of the component Scan GitHub Action Handler. Such manipulation leads to command injection. This vulnerability is uniquely identified as CVE-2025-58178. Local access is required to approach this attack. No exploit exists. You should upgrade the affected component.

A vulnerability was found in MobSF Mobile-Security-Framework-MobSF 4.4.0. It has been classified as critical. Affected is an unknown function. The manipulation leads to path traversal. This vulnerability is referenced as CVE-2025-58162. Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is recommended.

A vulnerability classified as critical has been found in Tenda CH22 1.0.0.1. This issue affects the function formSetSambaConf of the file /goform/SetSambaConf. The manipulation of the argument samba_userNameSda leads to buffer overflow. This vulnerability is traded as CVE-2025-9813. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as critical, has been found in alaneuler batteryKid up to 2.1 on macOS. The affected element is an unknown function of the file PrivilegeHelper/PrivilegeHelper.swift of the component NSXPCListener. This manipulation causes missing authentication. This vulnerability is handled as CVE-2025-9815. It is possible to launch the attack on the local host. Additionally, an exploit exists.

OSR 将在中国密码学会2025年密码测评学术会议亮相，带来主题为 “大语言模型驱动的侧信道攻击测试新范式” 的报告。

根据 Institute for Family Studies 的研究报告《The Sex Recession》，美国人性生活频率处于历史最低水平，甚至低于新冠疫情期间。研究人员分析了芝加哥大学全国民意研究中心 (NORC)最新调查报告 General Social Survey 中有关性和亲密关系的数据。调查数据于 2024 年收集，今年五月公布。结果显示，只有 37% 的 18-64 岁人群每周至少有一次性生活，低于 1990 年的 55%。年轻人中间的下降幅度更为惊人：近四分之一或 24% 的 18-29 岁人群表示过去一年没有性生活；这一数字是 2010 年的两倍。研究表明，性生活下降的趋势适用于 64 岁以下所有性取向的人群，无论已婚还是单身。研究人员表示，大于 64 岁的人群性生活次数没有显著变化，主要是因为该群体报告的性生活频率本来就较低。

一、事件概述：网络安全公司ESET近期披露了全球已知首款基于人工智能（AI）技术开发的勒索软件——Prompt

Over the past two years, Fox-IT and NCC Group have tracked a sophisticated Lazarus subgroup targeting financial and cryptocurrency firms. This actor overlaps with AppleJeus, Citrine Sleet, UNC4736 and Gleaming Pisces campaigns and leverages three distinct remote access trojans (RATs)—PondRAT, ThemeForestRAT and RemotePE—to infiltrate and control compromised systems. In a 2024 incident response case, the […]

The post Lazarus Hackers Exploit 0-Day to Deploy Three Remote Access Trojans appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

JetBrains取消LSP API订阅层级限制, 免费用户也可使用, 开发者可为所有用户提供插件支持, LSP API作为基本功能加入社区免费版, 但无法完全替代PSI接口。

Exploring how far cyber security approaches can help mitigate risks in generative AI systems

Nmap has remained at the forefront of network discovery and security assessment for nearly three decades. Originally introduced on September 1, 1997, in Phrack magazine as a modest, 2,000-line Linux-only port scanner, Nmap has since matured into a sprawling toolkit encompassing OS and version detection, scripting, packet crafting, and more. As Nmap celebrates its 28th […]

The post 28 Years of Nmap – From Simple Port Scanner to Comprehensive Network Security Suite appeared first on Cyber Security News.

Как недочёт в админке открыл двери для атак.

文章分析了近2000条网络敲诈信息及其比特币地址数据，揭示威胁行为者操作模式及成功率。数据显示多数地址仅使用数天，支付金额差异大（250美元至4万美元），但超半数地址未收到款项。研究显示网络敲诈成功率可能随时间下降。

无数企业都在尝试生成式 AI，但试用过的人都知道 AI 很难产生能直接使用的令人满意的最终产品，于是出现了雇佣人类调试和修改 AI 生成内容的新职业。自由职业者表示此类工作的报酬比不上其专业领域的传统零工，但一部分人表示这至少能帮助他们支付账单。自由职业平台 Upwork、Freelancer 和 Fiverr 的最新数据表明，此类创意工作的需求在激增。客户也日益希望找到能与 AI 技术协同工作，不完全依赖或拒绝 AI 的人。AI 辅助编程（vibe coding）日益流行，但企业发现此类工具无法达到他们预想的效果，企业仍然需要人类程序员，以避免辅助编程带来的麻烦。印度程序员 Harsh Kumar 说，客户使用 AI 辅助编程产生的网站或应用常常不稳定或无法使用。

Microsoft announced that it will enforce mandatory multi-factor authentication (MFA) for all sign-in attempts to the Azure portal and other administrative interfaces. The new requirement, which builds on Microsoft’s long-standing commitment to security, aims to block unauthorized access to high-value cloud resources by adding an extra layer of verification beyond passwords. According to Microsoft’s own research, enabling […]

The post Microsoft to Require Multi-Factor Authentication on Azure Portal Logins appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

谷歌否认了关于25亿Gmail用户因重大安全问题需更改密码的谣言，称相关报道被福布斯等媒体误解和夸大。实际上，谷歌仅建议用户定期更换密码以提高安全性，并未发生数据库泄露事件。