Aggregator

A critical warning regarding a severe authentication vulnerability affecting Iskra’s iHUB and iHUB Lite intelligent metering gateways used in energy infrastructure worldwide. The flaw, tracked as CVE-2025-13510, carries a CVSS v4 severity score of 9.3, indicating an exploit that requires minimal technical complexity for attackers. The vulnerability stems from the absence of an authentication mechanism […]

The post CISA Warns of Iskra iHUB Vulnerability Allowing Remote Device Reconfiguration appeared first on Cyber Security News.

新变种、老对手：360再度“封杀”银狐木马

强强联手

好的，用户希望我总结一篇文章的内容，控制在100字以内，而且不需要特定的开头。我需要先理解文章的主题。看起来文章主要讲的是当前环境异常，用户需要完成验证才能继续访问。里面提到了“环境异常”和“去验证”的按钮。 接下来，我要确保总结简洁明了，涵盖关键点：环境问题、验证步骤和访问恢复。还要注意字数限制，不能超过100字。可能会用到“当前环境异常”、“完成验证后即可继续访问”这样的句子。 最后，检查一下是否符合用户的要求，没有使用“文章内容总结”之类的开头，并且信息准确传达。 当前环境异常，需完成验证后方可继续访问。

好的，我现在需要帮用户总结一篇文章的内容，控制在100字以内。用户的要求是直接写描述，不需要用“文章内容总结”之类的开头。首先，我得仔细阅读文章内容，抓住主要信息。 文章标题是“环境异常”，里面提到当前环境异常，完成验证后可以继续访问，并有一个“去验证”的按钮。看起来这是一个提示用户需要进行某种验证的页面，可能是安全验证或者身份验证。 接下来，我需要将这些信息浓缩成一句话。要简洁明了，同时涵盖关键点：环境异常、需要验证、继续访问。所以，我可以这样表达：“当前环境出现异常，需完成验证后方可继续访问。” 检查一下字数，这句话刚好在100字以内。同时，符合用户的要求，没有使用任何开头的固定格式。这样应该能满足用户的需求了。 当前环境出现异常，需完成验证后方可继续访问。

Submit #692774 / VDB-334164

A vulnerability identified as critical has been detected in ESTsoft ALZip up to 12.28 on Windows. This vulnerability affects unknown code. Performing manipulation results in protection mechanism failure. This vulnerability is identified as CVE-2025-29864. The attack can be initiated remotely. There is not any exploit available. You should upgrade the affected component.

A vulnerability categorized as problematic has been discovered in Perforce BlazeMeter Plugin up to 4.26 on Jenkins. This affects an unknown part. Such manipulation leads to missing authorization. This vulnerability is referenced as CVE-2025-13472. It is possible to launch the attack remotely. No exploit is available. It is advisable to upgrade the affected component.

A vulnerability was found in ABRT up to 2.17.6. It has been rated as critical. Affected by this issue is some unknown functionality. This manipulation causes os command injection. The identification of this vulnerability is CVE-2025-12744. The attack can only be executed locally. There is no exploit available. Upgrading the affected component is advised.

A vulnerability was found in Wireshark up to 4.4.10/4.6.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component MEGACO Dissector. The manipulation results in infinite loop. This vulnerability was named CVE-2025-13946. The attack may be performed from remote. There is no available exploit. It is recommended to upgrade the affected component.

Submit #692213 / VDB-334163

A vulnerability was found in Wireshark 4.6.0. It has been classified as problematic. Affected is an unknown function of the component HTTP3 Dissector. The manipulation leads to improperly controlled sequential memory allocation. This vulnerability is uniquely identified as CVE-2025-13945. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is recommended.

一个伊斯兰极端组织对马里首都巴马科的燃料车队发动持续攻击，摧毁超130辆油罐车。该组织通过经济战施压军政府，破坏燃料运输使全国陷入瘫痪。

Хотели посмотреть YouTube без тормозов, а посмотрели, как уходят деньги с карты.

复旦大学系统软件与安全实验室荣获“华为安全奖励计划特别贡献奖”，持续为智能化软件生态安全贡献力量。

Three critical security flaws have been disclosed in an open-source utility called Picklescan that could allow malicious actors to execute arbitrary code by loading untrusted PyTorch models, effectively bypassing the tool's protections. Picklescan, developed and maintained by Matthieu Maitre (@mmaitre314), is a security scanner that's designed to parse Python pickle files and detect suspicious

好的，我现在需要帮用户总结一篇文章的内容，控制在100字以内。用户已经提供了文章的详细内容，所以我得先仔细阅读并理解文章的主要信息。 首先，文章讲的是一个开源工具Picklescan发现了三个关键的安全漏洞。这些漏洞可以让恶意攻击者绕过工具的保护，执行任意代码。Picklescan是用来扫描Python的pickle文件，检测可疑导入或函数调用的工具，特别是在机器学习中使用PyTorch模型时。 接下来，文章提到JFrog的研究人员发现了这些漏洞，每个漏洞都有不同的绕过方法。比如CVE-2025-10155是通过文件扩展名绕过，CVE-2025-10156是通过引入CRC错误来绕过ZIP扫描，CVE-2025-10157则是绕过全局检查。这些漏洞可能导致供应链攻击。 然后，文章提到这些问题已经被修复，在Picklescan 0.0.31版本中解决了。最后还讨论了AI库的发展速度和安全工具之间的差距，强调了需要更智能的安全代理来保护模型。 现在我需要把这些信息浓缩到100字以内。重点包括：Picklescan的三个漏洞、恶意代码执行、供应链攻击风险、修复情况以及AI安全挑战。 可能的结构是：Picklescan发现三个漏洞，允许恶意代码执行和供应链攻击；修复已发布；AI库复杂性带来安全挑战。 现在检查字数是否符合要求，并确保信息准确无误。 开源工具Picklescan被发现存在三个关键安全漏洞，允许恶意攻击者绕过其保护机制，在加载不受信任的PyTorch模型时执行任意代码。这些漏洞可能导致供应链攻击风险，并已被修复。研究揭示了AI库复杂性与安全工具之间的差距，强调了对智能安全代理的需求以应对新兴威胁。

A concerning development has emerged within the cybercriminal ecosystem as threat actors continue distributing K.G.B RAT, a remote access trojan bundled with advanced detection evasion capabilities. According to recent reports, this tool combination surfaced on underground forums and has caught the attention of security researchers worldwide. The malware package includes not only the K.G.B RAT […]

The post Threat Actors Allegedly Promoting Fully Undetectable K.G.B RAT on Hacker Forums appeared first on Cyber Security News.

嗯，用户让我用中文总结这篇文章，控制在100字以内，而且不需要用“文章内容总结”之类的开头。好的，我先仔细读一下文章。 文章讲的是印度政府要求消息应用必须与用户的活跃SIM卡绑定，以防止欺诈和滥用。他们修改了2024年的电信网络安全规则，要求像WhatsApp、Telegram这样的应用在90天内实施这一政策，并在120天内报告执行情况。此外，网页版应用的会话必须在6小时内自动登出，以防止长期会话被滥用。 用户的需求是得到一个简洁的总结，重点突出政策内容和目的。所以我要抓住几个关键点：印度政府强制消息应用与SIM卡绑定、防止欺诈、修改规则的时间、实施期限以及网页版的自动登出机制。 接下来，我需要把这些信息浓缩到100字以内。要注意用词简洁明了，避免冗余。例如，“强制”比“要求”更直接，“防范”比“防止”更正式一些。 最后检查一下是否符合用户的所有要求：中文、100字以内、不使用特定开头。看起来没问题了。 印度政府要求消息应用与活跃SIM卡绑定以防范欺诈和滥用，修改2024年电信网络安全规则，规定90天内实施并120天内报告。网页版会话需6小时自动登出，遏制长期会话被滥用。