Aggregator

CDN 服务商 Cloudflare 指责 AI 搜索引擎公司 Perplexity 使用隐蔽策略绕过网站禁止抓取的指令。Cloudflare 称它收到了客户的投诉，客户通过 robots.txt 以及 Web 应用防火墙屏蔽了 Perplexity 的搜索爬虫，然而尽管采取了这些措施 Perplexity 的爬虫仍然继续访问网站内容。Cloudflare 随后展开了调查，发现当 Perplexity 注意到 robots.txt 或防火墙规则屏蔽其爬虫后，它会使用一个隐蔽的机器人爬虫，使用一系列策略掩盖其活动。此举意味着 Perplexity 违反了实施了 30 多年的互联网规范。

Dynamic Application Security Testing (DAST) is a black-box security testing method that analyzes running applications for vulnerabilities by emulating real-world attacks against their exposed interfaces. Instead of analyzing source code, DAST using manual and automated tools interact with a live deployment of the application (web app, APIs, mobile backend, etc.) and inject malicious payloads to […]

The post How Can Dynamic Application Security Testing (DAST) Help Your Organization? appeared first on Kratikal Blogs.

The post How Can Dynamic Application Security Testing (DAST) Help Your Organization? appeared first on Security Boulevard.

A critical vulnerability chain in NVIDIA’s Triton Inference Server that allows unauthenticated attackers to achieve complete remote code execution (RCE) and gain full control over AI servers.  The vulnerability chain, identified as CVE-2025-23319, CVE-2025-23320, and CVE-2025-23334, exploits the server’s Python backend through a sophisticated three-step attack process involving shared memory manipulation. Key Takeaways1. CVE-2025-23319 chain […]

The post NVIDIA Triton Vulnerability Chain Let Attackers Take Over AI Server Control appeared first on Cyber Security News.

ИИ меняет свою цифровую внешность, чтобы обходить блокировки сайтов.

In this Help Net Security interview, Aayush Choudhury, CEO at Scrut Automation, discusses why many security tools built for large enterprises don’t work well for leaner, cloud-native teams. He explains how simplicity, integration, and automation are key for SMBs with limited resources. Choudhry also shares how AI is beginning to make a difference for mid-market companies in managing risk and compliance. What are some specific examples of security tooling or vendor approaches that simply don’t … More →

The post Security tooling pitfalls for small teams: Cost, complexity, and low ROI appeared first on Help Net Security.

Security researchers have discovered a new type of cyberattack that exploits how AI tools process legal text, successfully tricking popular language models into executing dangerous code. Cybersecurity firm Pangea has unveiled a sophisticated attack method called “LegalPwn” that embeds malicious instructions within seemingly innocent legal disclaimers, terms of service, and copyright notices. The technique represents […]

The post LegalPwn Attack Tricks AI Tools Like ChatGPT and Gemini into Running Malicious Code appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Один секретный инструмент меняет всё представление об установке системы.

SpecterOps has released BloodHound 8.0, the latest iteration of its open-source attack path management platform, featuring major enhancements and expanded capabilities. BloodHound OpenGraph The release introduces BloodHound OpenGraph, a major advancement in identity attack path management that uncovers attack paths across the entire technology stack. It enables users to ingest data from diverse systems such as GitHub, Snowflake, and Microsoft SQL Server and build tailored threat models that reflect their environments. “To date, most of … More →

The post BloodHound 8.0 debuts with major upgrades in attack path management appeared first on Help Net Security.

AI时代安全建设的关键范式参考

滥用合法服务来传递恶意有效负载并不是什么新鲜事，但利用链接包装安全特性是网络钓鱼领域的最新发展。

Только один алгоритм выживет в беспощадном турнире на выбывание.

A vulnerability, which was classified as critical, was found in givanz Vvvebjs up to 2.0.4. Affected is an unknown function of the file /save.php of the component node.js. The manipulation of the argument File leads to path traversal. This vulnerability is traded as CVE-2025-8522. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

A vulnerability has been found in RiderLike Fruit Crush-Brain App 1.0 on Android and classified as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.fruitcrush.fun. The manipulation leads to improper export of android application components. This vulnerability is known as CVE-2025-8523. It is possible to launch the attack on the local host. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Boquan DotWallet App 2.15.2 on Android and classified as problematic. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.boquanhash.dotwallet. The manipulation leads to improper export of android application components. This vulnerability is handled as CVE-2025-8524. The attack needs to be approached locally. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Exrick xboot up to 3.3.4. It has been rated as critical. This issue affects some unknown processing of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/SecurityController.java of the component Swagger. The manipulation of the argument loginUrl leads to server-side request forgery. The identification of this vulnerability is CVE-2025-8527. The attack may be initiated remotely. Furthermore, there is an exploit available.

A vulnerability classified as problematic has been found in Exrick xboot up to 3.3.4. Affected is an unknown function of the file /xboot/permission/getMenuList. The manipulation leads to cleartext storage of sensitive information in a cookie. This vulnerability is traded as CVE-2025-8528. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

A vulnerability classified as critical was found in cloudfavorites favorites-web up to 1.3.0. Affected by this vulnerability is the function getCollectLogoUrl of the file app/src/main/java/com/favorites/web/CollectController.java. The manipulation of the argument url leads to server-side request forgery. This vulnerability is known as CVE-2025-8529. The attack can be launched remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as problematic, has been found in cronoh NanoVault up to 1.2.1. This issue affects the function executeJavaScript of the file /main.js of the component xrb URL Handler. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2025-8535. The attack may be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, was found in Genetec Security Center. This affects an unknown part of the component Archiver. The manipulation leads to sql injection. This vulnerability is uniquely identified as CVE-2025-2928. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Dell Encryption and Security Management Server up to 11.10.x. It has been classified as critical. Affected is an unknown function. The manipulation leads to link following. This vulnerability is traded as CVE-2025-36611. An attack has to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.