Showing 629 results for: "SQL+injection".

DeepSeek breach yet again sheds light on AI dangers
COMMENTARY: AI isn't waiting for security teams to catch up. It's running full-steam ahead, without any regard for what may stand in its way. The recent security issue that hit the news surrounding DeepSeek—where Wiz researchers uncovered extensive vulnerabilities including exposed databases, we...
Suspected international hacker apprehended
Singaporean and Thai law enforcement agencies have arrested suspected Singaporean threat actor Omid16B, who had deployed cyberattacks in the Asia-Pacific region, North America, and Europe, as well as exposed data from more than 90 organizations worldwide since 2020, according to SecurityWeek. ...
Winnti attacks set sights on Japan
Japan had organizations in the energy, manufacturing, and materials industries targeted by Chinese state-sponsored hacking operation Winnti, also known as APT41, as part of the RevivalStone attack campaign last March, according to The Hacker News. Intrusions involved the exploitat...
Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318
We're getting close to two full decades of celebrating web hacking techniques. James Kettle shares which was his favorite, why the list is important to the web hacking community, and what inspires the kind of research that makes it onto the list. We discuss why we keep seeing eternal flaws like XSS ...
How to prepare for an effective web application penetration test 
With companies increasingly relying on web applications to streamline operations, engage customers, and drive revenue, the potential impact of a security breach can be devastating. A single vulnerability in your web app can invite malicious actors to steal sensitive data, disrupt services, and tarn...
Attacks on Ivanti appliances demonstrate danger of chained exploits
The U.S. government is warning of a new exploit against multiple flaws in cloud applications. The Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are chaining a number of CVE-listed vulnerabilities into a single exploit script. The flaws in question are present i...
Appsec Predictions for 2025 - Cody Scott - ASW #314
What’s in store for appsec in 2025? Sure, there'll be some XSS and SQL injection, but what about trends that might influence how appsec teams plan? Cody Scott shares five cybersecurity and privacy predictions and we take a deep dive into three of them. We talk about finding value to appsec from AI, ...
Apache fixes Traffic Control bug that attackers could exploit
Apache’s maintainers on Dec. 23 released patches for a critical 9.9 vulnerability in the Traffic Ops component of Apache Traffic Control versions 8.0.0 and 8.0.1. The flaw — CVE-2024-45387 — lets attackers with privileged roles such as “admin” or “operations” inject malicious SQL commands throug...
Hotfixes for Sophos firewall vulnerabilities released
Hotfixes have been revealed for three vulnerabilities affecting Sophos Firewall versions 21.0 GA and older, two of which were of critical severity, reports The Hacker News. Potential exploitation of the critical pre-auth SQL injection bug, tracked as CVE-2024-12727, and critical weak ...
Intrusions exploiting critical Fortinet EMS bug ongoing
Organizations in Brazil, Peru, France, Spain, Switzerland, Croatia, Namibia, India, Turkey, Mongolia, Indonesia, and the United Arab Emirates have been targeted in attacks targeting Fortinet FortiClient EMS instances affected by the critical SQL injection vulnerability, tracked as CVE-2023-487...
Hacker sentenced to 69 months for stealing payment card info
A U.S. man was sentenced to 69 months on criminal hacking charges related to a data-stealing malware operation. Vitali Antonenko, 32, will spend the better part of the next six years as a guest of the federal government thanks to convictions for conspiracy to engage in computer hacking, traffick...
Cyberattack deluge hits Romanian election infrastructure
BleepingComputer reports that more than 85,000 cyberattacks from across 33 countries were disclosed by Romania's Intelligence Service to have been launched against the country's election systems last month. After compromising the Romanian Permanent Electoral Authority's IT infrastructure on...
Exploit published for critical Progress WhatsUp Gold flaw
A proof-of-concept exploit has been released for CVE-2024-8785, a critical remote code execution vulnerability in Progress WhatsUp Gold, according to BleepingComputer. The flaw is rated 9.8 on the CVSS scale and affects WhatsUp Gold versions from 2023.1.0 to before 24.0.1. It resides in the NmAP...
Five ways to set up early detection systems
COMMENTARY: Modern cyberattacks don't happen in a single wave. When attackers infiltrate organizations, they perform a series of steps prior to launching an attack. This preliminary period serves as a window of opportunity for defenders to detect and block attackers before they spread too much harm...