CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

🚨 Marked as known exploited on April 10th, 2025 (3 months ago).
Description: Today is Microsoft's February 2025 Patch Tuesday, which includes security updates for 55 flaws, including four zero-day vulnerabilities, with two actively exploited in attacks. [...]
Source: BleepingComputer
February 11th, 2025 (5 months ago)
Description: After health agencies responded to Trump's executive order deeming there to be only "two sexes" by scrubbing sites of important resources, a judge ordered they have until midnight Tuesday to bring them back online.
Source: 404 Media
February 11th, 2025 (5 months ago)
Source: TheRegister
February 11th, 2025 (5 months ago)
Description: Impact Systems running registry version > 3.0.0-beta.1 with token authentication enabled. Patches Update to at least v3.0.0-rc.3 Workarounds There is no way to work around this issue without patching if your system requires token authentication. References The issue lies in how the JWK verification is performed. When a JWT contains a JWK header without a certificate chain, the code only checks if the KeyID (kid) matches one of the trusted keys, but doesn't verify that the actual key material matches. Here's the problematic flow: An attacker generates their own key pair They create a JWT and include their public key in the JWK header They set the kid in the JWK to match one of the trusted keys' IDs (which they could potentially discover) They sign the JWT with their private key The registry only checks if the kid exists in the trusted keys map but then uses the attacker's public key from the JWK to verify the signature References https://github.com/distribution/distribution/security/advisories/GHSA-phw4-mc57-4hwc https://github.com/distribution/distribution/commit/5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd https://github.com/advisories/GHSA-phw4-mc57-4hwc
Source: Github Advisory Database (Go)
February 11th, 2025 (5 months ago)
Description: A Cheat Sheet on Infrastructure as Code Landscape
Source: DarkWebInformer
February 11th, 2025 (5 months ago)
Description: A Threat Actor is Claiming to Sell Local Network Access to an Unidentified Company
Source: DarkWebInformer
February 11th, 2025 (5 months ago)
Description: Dark Strom Team Targeted the Official Portal of the Brazilian Government
Source: DarkWebInformer
February 11th, 2025 (5 months ago)
Description: Senator Dick Durbin presses Meta to explain why it can’t stop sending traffic to nonconsensual AI image generators that violate its policy.
Source: 404 Media
February 11th, 2025 (5 months ago)
Description: Mullvad has announced a partnership with Obscura VPN, a newly launched privacy-focused service that routes internet traffic through two separate VPN providers. Under this collaboration, Obscura will act as the initial entry point for users' connections before passing encrypted traffic to Mullvad’s WireGuard servers for final routing to the internet. The partnership, which began today, … The post Mullvad Partners with Obscura VPN to Offer Two-Hop VPN System appeared first on CyberInsider.
Source: CyberInsider
February 11th, 2025 (5 months ago)

CVE-2024-53704

Description: Security researchers at Bishop Fox have published complete exploitation details for the CVE-2024-53704 vulnerability that allows bypassing the authentication mechanism in certain versions of the SonicOS SSLVPN application. [...]
Source: BleepingComputer
February 11th, 2025 (5 months ago)