#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
DevSecOps

Application Security | Breaking Cybersecurity News | The Hacker News

Category — Application Security
Progress Software Patches High-Severity LoadMaster Flaws Affecting Multiple Versions

Progress Software Patches High-Severity LoadMaster Flaws Affecting Multiple Versions

Feb 11, 2025 Network Security / Vulnerability
Progress Software has addressed multiple high-severity security flaws in its LoadMaster software that could be exploited by malicious actors to execute arbitrary system commands or download any file from the system. Kemp LoadMaster is a high-performance application delivery controller (ADC) and load balancer that provides availability, scalability, performance, and security for business-critical applications and websites. The identified vulnerabilities are listed below - CVE-2024-56131 , CVE-2024-56132 , CVE-2024-56133 , and CVE-2024-56135 (CVSS scores: 8.4) - A set of improper input validation vulnerabilities that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request CVE-2024-56134 (CVSS score: 8.4) - An improper input validation vulnerability that allows remote malicious actors who gain access to the management interface of LoadMaster and...
Watch Out For These 8 Cloud Security Shifts in 2025

Watch Out For These 8 Cloud Security Shifts in 2025

Feb 04, 2025 Threat Detection / Cloud Security
As cloud security evolves in 2025 and beyond, organizations must adapt to both new and evolving realities, including the increasing reliance on cloud infrastructure for AI-driven workflows and the vast quantities of data being migrated to the cloud. But there are other developments that could impact your organizations and drive the need for an even more robust security strategy. Let's take a look… #1: Increased Threat Landscape Encourages Market Consolidation Cyberattacks targeting cloud environments are becoming more sophisticated, emphasizing the need for security solutions that go beyond detection. Organizations will need proactive defense mechanisms to prevent risks from reaching production. Because of this need, the market will favor vendors offering comprehensive, end-to-end security platforms that streamline risk mitigation and enhance operational efficiency. #2: Cloud Security Unifies with SOC Priorities Security operations centers (SOC) and cloud security functions are c...
Navigating the Future: Key IT Vulnerability Management Trends

Navigating the Future: Key IT Vulnerability Management Trends 

Feb 11, 2025Vulnerability / Threat Detection
As the cybersecurity landscape continues to evolve, proactive vulnerability management has become a critical priority for managed service providers (MSPs) and IT teams. Recent trends indicate that organizations increasingly prioritize more frequent IT security vulnerability assessments to identify and address potential security flaws. Staying informed on these trends can help MSPs and IT teams remain one step ahead of potential cyber-risks. The Kaseya Cybersecurity Survey Report 2024 navigates this new frontier of cyber challenges. The data is clear: Organizations are becoming increasingly reliant on vulnerability assessments and plan to prioritize these investments in 2025. Companies are increasing the frequency of vulnerability assessments  In 2024, 24% of respondents said they conduct vulnerability assessments more than four times per year, up from 15% in 2023. This shift highlights a growing recognition of the need for continuous monitoring and quick response to emerging t...
Lightning AI Studio Vulnerability Could've Allowed RCE via Hidden URL Parameter

Lightning AI Studio Vulnerability Could've Allowed RCE via Hidden URL Parameter

Jan 30, 2025 Vulnerability / Cloud Security
Cybersecurity researchers have disclosed a critical security flaw in the Lightning AI Studio development platform that, if successfully exploited, could have allowed for remote code execution. The vulnerability, rated a CVSS score of 9.4, enables "attackers to potentially execute arbitrary commands with root privileges" by exploiting a hidden URL parameter, application security firm Noma said in a report shared with The Hacker News. "This level of access could hypothetically be leveraged for a range of malicious activities, including the extraction of sensitive keys from targeted accounts," researchers Sasi Levi, Alon Tron, and Gal Moyal said. The issue is embedded in a piece of JavaScript code that could facilitate unfettered access to a victim's development environment, as well as run arbitrary commands on an authenticated target in a privileged context. Noma said it found a hidden parameter called "command" in user-specific URLs – e.g., ...
cyber security

Webinar: 5 Ways New AI Agents Can Automate Identity Attacks | Register Now

websitePush SecurityAI Agents / Identity Security
Watch how Computer-Using Agents can be used by attackers to automate account takeover and exploitation.
Do We Really Need The OWASP NHI Top 10?

Do We Really Need The OWASP NHI Top 10?

Jan 27, 2025 Application Security / API Security
The Open Web Application Security Project has recently introduced a new Top 10 project - the Non-Human Identity (NHI) Top 10. For years, OWASP has provided security professionals and developers with essential guidance and actionable frameworks through its Top 10 projects, including the widely used API and Web Application security lists.  Non-human identity security represents an emerging interest in the cybersecurity industry, encompassing the risks and lack of oversight associated with API keys, service accounts , OAuth apps, SSH keys, IAM roles, secrets, and other machine credentials and workload identities.  Considering that the flagship OWASP Top 10 projects already cover a broad range of security risks developers should focus on, one might ask - do we really need the NHI Top 10? The short answer is - yes . Let's see why, and explore the top 10 NHI risks.  Why we need the NHI Top 10 While other OWASP projects might touch on related vulnerabilities, such as secret...
Researcher Uncovers Critical Flaws in Multiple Versions of Ivanti Endpoint Manager

Researcher Uncovers Critical Flaws in Multiple Versions of Ivanti Endpoint Manager

Jan 16, 2025 Vulnerability / Endpoint Security
Ivanti has rolled out security updates to address several security flaws impacting Avalanche, Application Control Engine, and Endpoint Manager (EPM), including four critical bugs that could lead to information disclosure. All the four critical security flaws, rated 9.8 out of 10.0 on the CVSS scale, are rooted in EPM, and concern instances of absolute path traversal that allow a remote unauthenticated attacker to leak sensitive information. The flaws are listed below - CVE-2024-10811 CVE-2024-13161  CVE-2024-13160, and CVE-2024-13159 The shortcomings affect EPM versions 2024 November security update and prior, and 2022 SU6 November security update and prior. They have been addressed in EPM 2024 January-2025 Security Update and EPM 2022 SU6 January-2025 Security Update. Horizon3.ai security researcher Zach Hanley has been credited with discovering and reporting all four vulnerabilities in question. Also patched by Ivanti are multiple high-severity bugs in Avalanche vers...
Product Walkthrough: How Reco Discovers Shadow AI in SaaS

Product Walkthrough: How Reco Discovers Shadow AI in SaaS

Jan 09, 2025 AI Security / SaaS Security
As SaaS providers race to integrate AI into their product offerings to stay competitive and relevant, a new challenge has emerged in the world of AI: shadow AI.  Shadow AI refers to the unauthorized use of AI tools and copilots at organizations. For example, a developer using ChatGPT to assist with writing code, a salesperson downloading an AI-powered meeting transcription tool, or a customer support person using Agentic AI to automate tasks – without going through the proper channels. When these tools are used without IT or the Security team's knowledge, they often lack sufficient security controls, putting company data at risk. Shadow AI Detection Challenges Because shadow AI tools often embed themselves in approved business applications via AI assistants, copilots, and agents they are even more tricky to discover than traditional shadow IT. While traditional shadow apps can be identified through network monitoring methodologies that scan for unauthorized connections based on...
CISA Adds Acclaim USAHERDS Vulnerability to KEV Catalog Amid Active Exploitation

CISA Adds Acclaim USAHERDS Vulnerability to KEV Catalog Amid Active Exploitation

Dec 24, 2024 Vulnerability / Software Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a now-patched high-severity security flaw impacting Acclaim Systems USAHERDS to the Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation in the wild. The vulnerability in question is CVE-2021-44207 (CVSS score: 8.1), a case of hard-coded, static credentials in Acclaim USAHERDS that could allow an attacker to ultimately execute arbitrary code on susceptible servers. Specifically, it concerns the use of static ValidationKey and DecryptionKey values in version 7.4.0.1 and prior that could be weaponized to achieve remote code execution on the server that runs the application. That said, an attacker would have to leverage some other means to obtain the keys in the first place. "These keys are used to provide security for the application ViewState," Google-owned Mandiant said in advisory for the flaw back in December 2021. "A threat actor with knowledge ...
North Korean Hackers Target macOS Using Flutter-Embedded Malware

North Korean Hackers Target macOS Using Flutter-Embedded Malware

Nov 12, 2024 Malware / Application Security
Threat actors with ties to the Democratic People's Republic of Korea (DPRK aka North Korea) have been found embedding malware within Flutter applications, marking the first time this tactic has been adopted by the adversary to infect Apple macOS devices. Jamf Threat Labs, which made the discovery based on artifacts uploaded to the VirusTotal platform earlier this month, said the Flutter-built applications are part of a broader activity that includes malware written in Golang and Python. It's currently not known how these samples are distributed to victims, and if it has been used against any targets, or if the attackers are switching to a new delivery method. That said, North Korean threat actors are known to engage in extensive social engineering efforts targeting employees of cryptocurrency and decentralized finance businesses. "We suspect these specific examples are testing," Jaron Bradley, director at Jamf Threat Labs, told The Hacker News. "It's p...
AWS Cloud Development Kit Vulnerability Exposes Users to Potential Account Takeover Risks

AWS Cloud Development Kit Vulnerability Exposes Users to Potential Account Takeover Risks

Oct 24, 2024 Vulnerability / Cloud Security
Cybersecurity researchers have disclosed a security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) that could have resulted in an account takeover under specific circumstances. "The impact of this issue could, in certain scenarios, allow an attacker to gain administrative access to a target AWS account, resulting in a full account takeover," Aqua researchers Ofek Itach and Yakir Kadkoda said in a report shared with The Hacker News. Following responsible disclosure on June 27, 2024, the issue was addressed by the project maintainers in CDK version 2.149.0 released in July. AWS CDK is an open-source software development framework for defining cloud application resources using Python, TypeScript, or JavaScript and provisioning them via CloudFormation. The problem identified by Aqua builds upon prior findings from the cloud security firm about shadow resources in AWS, and how predefined naming conventions for AWS Simple Storage Service (S3) buckets ...
CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)

CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)

Oct 23, 2024 Vulnerability / Threat Intelligence
A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities ( KEV ) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-38094 (CVSS score: 7.2), has been described as a deserialization vulnerability impacting SharePoint that could result in remote code execution. "An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server," Microsoft said in an alert for the flaw. Patches for the security defect were released by Redmond as part of its Patch Tuesday updates for July 2024. The exploitation risk is compounded by the fact that proof-of-concept (PoC) exploits for the flaw are available in the public domain. "The PoC script [...] automates authentication to a target SharePoint site using NTLM, creates a spe...
Guide:  The Ultimate Pentest Checklist for Full-Stack Security

Guide:  The Ultimate Pentest Checklist for Full-Stack Security

Oct 21, 2024 Penetration Testing / API Security
Pentest Checklists Are More Important Than Ever Given the expanding attack surface coupled with the increasing sophistication of attacker tactics and techniques, penetration testing checklists have become essential for ensuring thorough assessments across an organization's attack surface, both internal and external. By providing a structured approach, these checklists help testers systematically uncover vulnerabilities in various assets like networks, applications, APIs, and systems. They ensure no critical area is overlooked and guide the testing process, making it more efficient and effective at identifying security weaknesses that could be exploited by attackers. A pentest checklist essentially leaves no stone unturned and is a detailed and comprehensive list of every type of vulnerability in which to simulate an attack against. Each asset being tested, however, requires a different pentest checklist tailored to its specific characteristics and risks. For example, a checklist fo...
Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution

Urgent: GitLab Patches Critical Flaw Allowing Unauthorized Pipeline Job Execution

Sep 12, 2024 DevSecOps / Vulnerability
GitLab on Wednesday released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user. The issue, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0 "An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances," the company said in an alert. The vulnerability, along with three high-severity, 11 medium-severity, and two low-severity bugs, have been addressed in versions 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). It's worth noting that CVE-2024-6678 is the fourth such flaw that GitLab has patched over the past year after CVE-2023-5009 (CVSS score: 9.6), CVE-2024-5655 (CVSS score: 9.6), and CVE-2024...
Wing Security SaaS Pulse: Continuous Security & Actionable Insights — For Free

Wing Security SaaS Pulse: Continuous Security & Actionable Insights — For Free

Sep 09, 2024 SaaS Security / Risk Management
Designed to be more than a one-time assessment— Wing Security's SaaS Pulse provides organizations with actionable insights and continuous oversight into their SaaS security posture—and it's free! Introducing SaaS Pulse: Free Continuous SaaS Risk Management  Just like waiting for a medical issue to become critical before seeing a doctor, organizations can't afford to overlook the constantly evolving risks in their SaaS ecosystems. New SaaS apps, shifting permissions, and emerging threats mean risks are always in motion. SaaS Pulse makes it easy to treat SaaS risk management as an ongoing practice, not just an occasional check-up. Security teams instantly get a real-time security "health" score, prioritized risks, contextualized threat insights, and the organization's app inventory—without setups or integrations. SaaS is a Moving Target SaaS stacks don't stand still. Business critical apps can easily slip into a state of vulnerability (i.e. supply chain attacks, account takeo...
New Flaws in Microsoft macOS Apps Could Allow Hackers to Gain Unrestricted Access

New Flaws in Microsoft macOS Apps Could Allow Hackers to Gain Unrestricted Access

Sep 03, 2024 Endpoint Security / Cyber Threat
Eight vulnerabilities have been uncovered in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system's permissions-based model, which revolves around the Transparency, Consent, and Control ( TCC ) framework. "If successful, the adversary could gain any privileges already granted to the affected Microsoft applications," Cisco Talos said . "For example, the attacker could send emails from the user account without the user noticing, record audio clips, take pictures, or record videos without any user interaction." The shortcomings span various applications such as Outlook, Teams, Word, Excel PowerPoint, and OneNote. The cybersecurity company said malicious libraries could be injected into these applications and gain their entitlements and user-granted permissions, which could then be weaponized for extracting sensitive information depending on the access granted ...
Expert Insights / Articles Videos
Cybersecurity Resources