Aggregator

User Scanner: Scan a username across multiple social, developer, gaming and creator platforms to see if it’s available

Session 5C: Federated Learning 1

Authors, Creators & Presenters: Duanyi Yao (Hong Kong University of Science and Technology), Songze Li (Southeast University), Xueluan Gong (Wuhan University), Sizai Hou (Hong Kong University of Science and Technology), Gaoning Pan (Hangzhou Dianzi University)

PAPER
URVFL: Undetectable Data Reconstruction Attack on Vertical Federated Learning

Vertical Federated Learning (VFL) is a collaborative learning paradigm designed for scenarios where multiple clients share disjoint features of the same set of data samples. Albeit a wide range of applications, VFL is faced with privacy leakage from data reconstruction attacks. These attacks generally fall into two categories: honest-but-curious (HBC), where adversaries steal data while adhering to the protocol; and malicious attacks, where adversaries breach the training protocol for significant data leakage. While most research has focused on HBC scenarios, the exploration of malicious attacks remains limited. Launching effective malicious attacks in VFL presents unique challenges: 1) Firstly, given the distributed nature of clients' data features and models, each client rigorously guards its privacy and prohibits direct querying, complicating any attempts to steal data; 2) Existing malicious attacks alter the underlying VFL training task, and are hence easily detected by comparing the received gradients with the ones received in honest training. To overcome these challenges, we develop URVFL, a novel attack strategy that evades current detection mechanisms. The key idea is to integrate a discriminator with auxiliary classifier that takes a full advantage of the label information and generates malicious gradients to the victim clients: on one hand, label information helps to better characterize embeddings of samples from distinct classes, yielding an improved reconstruction performance; on the other hand, computing malicious gradients with label information better mimics the honest training, making the malicious gradients indistinguishable from the honest ones, and the attack much more stealthy. Our comprehensive experiments demonstrate that URVFL significantly outperforms existing attacks, and successfully circumvents SOTA detection methods for malicious attacks. Additional ablation studies and evaluations on defenses further underscore the robustness and effectiveness of URVFL

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – URVFL: Undetectable Data Reconstruction Attack On Vertical Federated Learning appeared first on Security Boulevard.

DorkAgent: LLM-powered agent for automated Google Dorking in bug hunting & pentesting

GitHub: Threat Actor Usernames Scrape

Безопасно ли направлять гигаваттные лазеры на Землю? Разбираем риски.

A vulnerability has been found in Rapid7 AppSpider Pro 6.14.053/6.14.060 and classified as problematic. This affects an unknown part of the component Configuration File Handler. The manipulation of the argument ScanName leads to cross site scripting. This vulnerability is documented as CVE-2025-4951. The attack can be initiated remotely. There is not any exploit available. The affected component should be upgraded.

A vulnerability marked as problematic has been reported in Icinga DB Web up to 1.2.1. This affects an unknown part. Performing manipulation results in information disclosure. This vulnerability was named CVE-2025-53840. The attack may be initiated remotely. There is no available exploit. It is suggested to upgrade the affected component.

A vulnerability marked as critical has been reported in Linux Kernel up to 6.1.15/6.2.2. The impacted element is the function iocore_0. This manipulation causes allocation of resources. This vulnerability is tracked as CVE-2023-53366. The attack is only possible within the local network. No exploit exists. It is suggested to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.4.11. It has been classified as critical. This impacts the function user_mappings. The manipulation leads to memory leak. This vulnerability is uniquely identified as CVE-2023-53367. The attack can only be initiated within the local network. No exploit exists. Upgrading the affected component is recommended.

A vulnerability classified as critical was found in Linux Kernel up to 6.5.2. Affected is the function rb_end_commit of the file kernel/trace/ring_buffer.c of the component tracing. Executing manipulation can lead to buffer overflow. This vulnerability is registered as CVE-2023-53368. The attack requires access to the local network. No exploit is available. Upgrading the affected component is advised.

A vulnerability classified as critical was found in Linux Kernel up to 5.4.219/5.10.149/5.15.74/5.19.16/6.0.2. The affected element is the function fsl_lpuart of the component tty. Executing manipulation can lead to denial of service. The identification of this vulnerability is CVE-2022-50375. The attack needs to be done within the local network. There is no exploit available. Upgrading the affected component is advised.

A vulnerability was found in Linux Kernel up to 5.4.228/5.10.162/5.15.85/6.0.15/6.1.1. It has been classified as critical. Affected by this vulnerability is an unknown functionality of the component Orangefs Module. Performing manipulation results in memory leak. This vulnerability is cataloged as CVE-2022-50376. The attack must originate from the local network. There is no exploit available. Upgrading the affected component is recommended.

A vulnerability, which was classified as critical, has been found in Linux Kernel up to 6.0.2. The impacted element is the function btrfs_quota_enable. The manipulation leads to use after free. This vulnerability is referenced as CVE-2022-50379. The attack needs to be initiated within the local network. No exploit is available. It is advisable to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 5.15.74/5.19.16/6.0.2. It has been declared as critical. Affected by this issue is the function __list_del_entry_valid. Executing manipulation can lead to use after free. This vulnerability is registered as CVE-2022-50378. The attack requires access to the local network. No exploit is available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 5.15.75 and classified as critical. Affected is the function smaps_rollup of the file /proc/pid/smaps_rollup of the component mm. Such manipulation leads to null pointer dereference. This vulnerability is listed as CVE-2022-50380. The attack must be carried out from within the local network. There is no available exploit. It is suggested to upgrade the affected component.

The convergence of physical and digital security is driving a shift toward software-driven, open-architecture edge computing. Access control has typically been treated as a physical domain problem — managing who can open which doors, using specialized systems largely isolated from broader enterprise IT. However, the boundary between physical and digital security is increasingly blurring. With..

The post Rethinking Security as Access Control Moves to the Edge appeared first on Security Boulevard.

OT oversight is an expensive industrial paradox. It’s hard to believe that an area can be simultaneously underappreciated, underfunded, and under increasing attack. And yet, with ransomware hackers knowing that downtime equals disaster and companies not monitoring in kind, this is an open and glaring hole across many ecosystems. Even a glance at the numbers..

The post Hacks Up, Budgets Down: OT Oversight Must Be An IT Priority appeared first on Security Boulevard.

There’s a major problem in application security: Organizations secure code before release, but attackers strike in production. This gap is exactly where runtime application security comes in.

The post Backbase CISO: Defending Banking Apps at Runtime appeared first on Security Boulevard.

A vulnerability classified as critical has been found in pipeshub-ai PipesHub. Affected by this issue is some unknown functionality of the file /api/v1/record/buffer/convert of the component Endpoint. Performing manipulation results in path traversal. This vulnerability was named CVE-2025-67506. The attack may be initiated remotely. There is no available exploit. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Shopware up to 6.7.5.1. This affects an unknown part of the file AuthController.php of the component Request Parameter Handler. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-67648. The attack is possible to be carried out remotely. No exploit exists. It is advisable to upgrade the affected component.