Aggregator

漏洞修复后风险真的消失了吗？测试环境修复≠生产环境安全。缺失“上线确认”是常见管理盲区，本文探讨如何让漏洞状态回归真实。

Gartner 最新警告显示，对大多数组织而言，使用“智能体浏览器”（Agentic Browsers）依然过于危险，应在可预见的未来全面禁止。

Submit #674051 / VDB-336607

A vulnerability, which was classified as critical, has been found in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this issue is the function zfilev2_api.OpenSafe of the file /v2/file/safe/open of the component HTTP POST Request Handler. This manipulation of the argument safe_dir causes command injection. The identification of this vulnerability is CVE-2025-14108. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

A vulnerability classified as critical was found in ZSPACE Q2C NAS up to 1.1.0210050. Affected by this vulnerability is the function zfilev2_api.SafeStatus of the file /v2/file/safe/status of the component HTTP POST Request Handler. The manipulation of the argument safe_dir results in command injection. This vulnerability was named CVE-2025-14107. The attack may be performed from remote. In addition, an exploit is available. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

A vulnerability classified as critical has been found in ZSPACE Q2C NAS up to 1.1.0210050. Affected is the function zfilev2_api.CloseSafe of the file /v2/file/safe/close of the component HTTP POST Request Handler. The manipulation of the argument safe_dir leads to command injection. This vulnerability is uniquely identified as CVE-2025-14106. The attack is possible to be carried out remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure and confirmed the existence of the vulnerability. A technical fix is planned to be released.

韦氏词典（Merriam-Webster）的 2025 年度单词是 slop，反映了公众对互联网上泛滥成灾的低质量 AI 生成内容的感知和厌倦。韦氏词典总裁 Greg Barlow 表示这个单词非常形象，是 AI 这一变革性技术的一部分，人们对 其既着迷，又恼火，甚至有点荒谬感。“slop”一词最早出现于 18 世纪，原意是指软泥，后其含义逐渐扩展指代毫无价值的东西。如今其定义扩展为“通常通过 AI 大量生成的低质量数字内容”。

A vulnerability has been found in nopCommerce 4.90.0 and classified as problematic. Impacted is an unknown function of the component Content Management Area. The manipulation leads to cross site scripting. This vulnerability is referenced as CVE-2025-65590. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability, which was classified as problematic, was found in nopCommerce 4.90.0. This issue affects some unknown processing of the component Scheduled Task Handler. Executing manipulation can lead to cross-site request forgery. The identification of this vulnerability is CVE-2025-65593. The attack may be launched remotely. There is no exploit available.

A vulnerability, which was classified as critical, has been found in Seiko Epson Web Config. This vulnerability affects unknown code of the component Data Handler. Performing manipulation results in stack-based buffer overflow. This vulnerability was named CVE-2025-66635. The attack may be initiated remotely. There is no available exploit.

ShinyHunters шантажируют Pornhub, заявляя о краже истории просмотров и поисков Premium-пользователей.

模拟API通信、木马远控功能复现、通信数据包分析

类似微软 Google 也在把 AI 功能甩在用户面前：搜索结果页第一个快捷键就是“AI Mode”。现在 Google 又在搜索主页 google.com 添加了一个“+”按钮，让用户可以上传图像和文件。这两项功能并非新功能，旨在突出用户可以通过 Google 完成不同任务，而不仅仅是搜索信息。这些功能可以与 AI Mode 和 AI Overviews 配合使用。该功能目前仅通过桌面 Web 版提供，尚未在移动版本上提供。

Кибератака на PDVSA остановила экспорт венесуэльской нефти на фоне конфликта с США.

A vulnerability classified as problematic was found in HCL DevOps Deploy. This affects an unknown part. Such manipulation leads to cleartext transmission of sensitive information. This vulnerability is uniquely identified as CVE-2025-62330. The attack can be launched remotely. No exploit exists.

A vulnerability classified as problematic has been found in Inaba Denki Sangyo CHOCO TEI WATCHER mini. Affected by this issue is some unknown functionality of the component Video Download Feature. This manipulation causes improper check for unusual conditions. This vulnerability is handled as CVE-2025-66357. The attack can be initiated remotely. There is not any exploit available.

A vulnerability described as critical has been identified in Inaba Denki Sangyo CHOCO TEI WATCHER mini. Affected by this vulnerability is an unknown functionality of the component Video Download Interface. The manipulation results in improper check for unusual conditions. This vulnerability is known as CVE-2025-61976. It is possible to launch the attack remotely. No exploit is available.

A vulnerability marked as problematic has been reported in Advantech SUSI Driver up to 5.0.24335. Affected is an unknown function in the library susi.sys. The manipulation leads to information disclosure. This vulnerability is traded as CVE-2025-14252. An attack has to be approached locally. There is no exploit available.

A vulnerability labeled as problematic has been found in Keycloak on Red Hat. This impacts an unknown function of the component Admin API Endpoint. Executing manipulation can lead to authentication bypass by alternate name. This vulnerability appears as CVE-2025-14777. The attack may be performed from remote. There is no available exploit.

In this Help Net Security interview, Scott Bachand, CIO/CISO at Ro, discusses how telehealth reshapes the flow of patient data and what that means for security. He explains why organizations must strengthen data classification and visibility as systems and vendors multiply. He also outlines how regulations and new technologies are driving a more adaptive approach to protecting patient information. Telehealth creates a constant flow of sensitive data across cloud, mobile, and third-party platforms. What are … More →

The post Ro’s CISO on managing data flows in telehealth appeared first on Help Net Security.