Aggregator
State hackers broke into ChatGPT and Claude. And it is the best thing that could have happened
4 months 3 weeks ago
A secret collaboration led to an unexpected breakthrough in defence.
U.K. Arrests Two Teen Scattered Spider Hackers Linked to August 2024 TfL Cyber Attack
4 months 3 weeks ago
Law enforcement authorities in the U.K. have arrested two teen members of the Scattered Spider hacking group in connection with their alleged participation in an August 2024 cyber attack targeting Transport for London (TfL), the city's public transportation agency.
Thalha Jubair (aka EarthtoStar, Brad, Austin, and @autistic), 19, from East London and Owen Flowers, 18, from Walsall, West Midlands
The Hacker News
Going Abroad Has Borders, Security Has No Bounds | The 2025 Security and Privacy Theme Week Concludes Successfully!
4 months 3 weeks ago
From September 8 to September 12, 2025, vivo successfully held its fourth internal Security and Privacy Theme Week (2025), under the theme "Going Abroad Has Borders, Security Has No Bounds".
New iOS Video Injection Tool Bypasses Biometric Verification with Jailbroken iPhones
4 months 3 weeks ago
A sophisticated new attack tool targeting jailbroken iOS devices has emerged, representing a significant escalation in digital identity fraud capabilities. The discovery by iProov’s threat intelligence team reveals a highly specialized tool designed to perform advanced video injection attacks on iOS 15 and later devices, specifically engineered to bypass weak biometric verification systems and exploit […]
The post New iOS Video Injection Tool Bypasses Biometric Verification with Jailbroken iPhones appeared first on Cyber Security News.
Florence Nightingale
CICADA8 VM - a new generation of vulnerability management
4 months 3 weeks ago
CICADA8 has launched a next-generation platform for managing vulnerabilities on the internal perimeter.
CVE-2025-5955 | aonetheme Service Finder SMS System Plugin up to 2.0.0 on WordPress authentication bypass (EUVD-2025-30232)
4 months 3 weeks ago
A vulnerability labeled as critical has been found in aonetheme Service Finder SMS System Plugin up to 2.0.0 on WordPress. Affected is an unknown function. Such manipulation leads to authentication bypass using alternate channel.
This vulnerability is referenced as CVE-2025-5955. It is possible to launch the attack remotely. No exploit is available.
vuldb.com
CVE-2025-5948 | aonetheme Service Finder Bookings Plugin up to 6.0 on WordPress claim_business authorization (EUVD-2025-30237)
4 months 3 weeks ago
A vulnerability was found in aonetheme Service Finder Bookings Plugin up to 6.0 on WordPress. It has been classified as critical. This vulnerability affects the function claim_business. Performing manipulation results in authorization bypass.
This vulnerability is reported as CVE-2025-5948. The attack can be carried out remotely. No exploit exists.
vuldb.com
Google integrates Gemini AI features into the Chrome browser for US users
4 months 3 weeks ago
Google's official blog announced the integration of Gemini AI features into the Chrome desktop browser for all US users. The browser gains a prominent Gemini button; clicking it lets the user converse with the Gemini chatbot, which can answer questions about the content of the current web page and synthesize information from several pages. Users who do not want the feature can remove the Gemini button from the interface. Google also plans to give Gemini more powerful capabilities in the future, such as controlling the browser cursor to perform tasks like adding items to a shopping cart.
WMCTF2025 starts tomorrow, see you there~
4 months 3 weeks ago
Competition link: https://wmctf.wm-team.cn/
Competition time: 2025-09-20 10:00 (UTC+8) ~ 2025-09-21 10:00 (UTC+8)
QQ group: 727697644
Email: ctf[AT]wm-team.cn
Discord: https://discord.gg/UrYYynD5ww
Partners: 陌陌安全, 永信至诚
WisPaper: search, ask, read, a professional agent that does research alongside you
4 months 3 weeks ago
The article introduces WisPaper, an AI academic tool developed by a team at Fudan University, designed to help researchers efficiently search and read foreign-language literature. The tool supports intelligent search, accurate translation and core summarization; it can quickly locate high-quality papers and extract their key content, improving research efficiency.
The Secret Life of Subdomains : From Takeover to $$$ Bounties
4 months 3 weeks ago
The article examines the importance of subdomains in cybersecurity and their potential value. Hackers discover and exploit forgotten or unprotected subdomains to carry out attacks or hunt for vulnerabilities. Companies often overlook these hidden network assets, which increases their security risk. The article also explains how to responsibly report and make use of such subdomains through bug bounty programs to earn rewards, and provides relevant tools and case studies.
Hunting Threats in the Software Supply Chain: A Practical Guide
4 months 3 weeks ago
The article examines the threats and tactics of supply chain attacks, noting that attackers bypass traditional security controls by compromising the third-party software or services that enterprises depend on. Common techniques include malicious packages, tampering with developer tools, and abusing update mechanisms. The article also analyzes supply chain attack cases attributed to several APT groups and stresses the importance of detection and prevention.
CVE-2025-10712 | 07FLYCMS/07FLY-CMS/07FlyCRM up to 20250831 /index.php/Login/login Username sql injection
4 months 3 weeks ago
A vulnerability has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831 and classified as critical. This issue affects some unknown processing of the file /index.php/Login/login. Performing manipulation of the argument Username results in SQL injection.
This vulnerability is cataloged as CVE-2025-10712. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com
CVE-2025-10711 | 07FLYCMS/07FLY-CMS/07FlyCRM up to 20250831 Login Name cross site scripting
4 months 3 weeks ago
A vulnerability, which was classified as problematic, was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This vulnerability affects unknown code of the file /index.php/sysmanage/Login. Such manipulation of the argument Name leads to cross site scripting.
This vulnerability is listed as CVE-2025-10711. The attack may be performed remotely. In addition, an exploit is available.
This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com
CVE-2025-10710 | 07FLYCMS/07FLY-CMS/07FlyCRM up to 20250831 /index.php Name cross site scripting
4 months 3 weeks ago
A vulnerability, which was classified as problematic, has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 20250831. This affects an unknown part of the file /index.php. This manipulation of the argument Name causes cross site scripting.
This vulnerability is tracked as CVE-2025-10710. The attack can be carried out remotely. Moreover, an exploit is present.
This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com
From Recon to Root ⚡: A Beginner’s Journey Into CTF Hacking
4 months 3 weeks ago
This article discusses how CTF (Capture the Flag) competitions spark security learners' interest and skill development, and provides a detailed guide from reconnaissance to gaining privileges.
Active Directory Cheat Sheet for 2025 | Cyber Codex
4 months 3 weeks ago
This article provides a 2025-ready tactical guide to Active Directory, covering network scanning, enumeration, domain discovery, password spraying and other techniques, with real lab cases demonstrating how to use tools such as nmap, CrackMapExec and BloodHound for penetration testing and defence.
“Unearthing Digital Gold: A Practical Guide to Finding Bugs in JavaScript Files”
4 months 3 weeks ago
JavaScript files hide critical vulnerabilities such as hard-coded keys and undocumented API endpoints. These are often overlooked because the code is obfuscated and tedious to read. A systematic approach can uncover them efficiently.
Submit #644970: 07FLY Customer Management System V1.0 SQL Injection [Accepted]
4 months 3 weeks ago
Submit #644970 / VDB-325000
Zre0x1c