#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

Vulnerability | Breaking Cybersecurity News | The Hacker News

Category — Vulnerability
Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console

Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console

Dec 04, 2024 Vulnerability / Ransomware
Veeam has released security updates to address a critical flaw impacting Service Provider Console (VSPC) that could pave the way for remote code execution on susceptible instances. The vulnerability, tracked as CVE-2024-42448, carries a CVSS score of 9.9 out of a maximum of 10.0. The company noted that the bug was identified during internal testing. "From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine," Veeam said in an advisory. Another defect patched by Veeam relates to a vulnerability (CVE-2024-42449, CVSS score: 7.1) that could be abused to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine. Both the identified vulnerabilities affect Veeam Service Provider Console 8.1.0.21377 and all earlier versions of 7 and 8 builds. They have been addressed in version 8.1.0.21999. Veeam furt...
Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

Dec 04, 2024 Vulnerability / Software Security
A critical security vulnerability has been disclosed in SailPoint's IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored within the application directory. The flaw, tracked as CVE-2024-10905 , has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2. 8.3, 8.4, and other previous versions. IdentityIQ "allows HTTP access to static content in the IdentityIQ application directory that should be protected," according to a description of the flaw on NIST's National Vulnerability Database (NVD). The vulnerability has been characterized as a case of improper handling of file names that identify virtual resources ( CWE-66 ), which could be abused to read otherwise inaccessible files. There are currently no other details available about the flaw, nor has SailPoint released a security advisory. The exact list of versions impacted by CVE-2024-10905 is listed below - 8.4 and all 8.4 pa...
Cisco Warns of Exploitation of Decade-Old ASA WebVPN Vulnerability

Cisco Warns of Exploitation of Decade-Old ASA WebVPN Vulnerability

Dec 03, 2024 Vulnerability / Network Security
Cisco on Monday updated an advisory to warn customers of active exploitation of a decade-old security flaw impacting its Adaptive Security Appliance (ASA). The vulnerability, tracked as CVE-2014-2120 (CVSS score: 4.3), concerns a case of insufficient input validation in ASA's WebVPN login page that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a targeted user of the appliance. "An attacker could exploit this vulnerability by convincing a user to access a malicious link," Cisco noted in an alert released in March 2014. As of December 2, 2024, the networking equipment major has revised its bulletin to note that it has become aware of "additional attempted exploitation" of the vulnerability in the wild. The development comes shortly after cybersecurity firm CloudSEK revealed that the threat actors behind AndroxGh0st are leveraging an extensive list of security vulnerabilities in various internet-faci...
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
Microsoft Fixes AI, Cloud, and ERP Security Flaws; One Exploited in Active Attacks

Microsoft Fixes AI, Cloud, and ERP Security Flaws; One Exploited in Active Attacks

Nov 29, 2024 AI Security / Cloud Security
Microsoft has addressed four security flaws impacting its artificial intelligence (AI), cloud, enterprise resource planning, and Partner Center offerings, including one that it said has been exploited in the wild. The vulnerability that has been tagged with an "Exploitation Detected" assessment is CVE-2024-49035 (CVSS score: 8.7), a privilege escalation flaw in partner.microsoft[.]com. "An improper access control vulnerability in partner.microsoft[.]com allows an unauthenticated attacker to elevate privileges over a network," the tech giant said in an advisory released this week. Microsoft credited Gautam Peri, Apoorv Wadhwa, and an anonymous researcher for reporting the flaw, but did not reveal any specifics on how it's being exploited in real-world attacks. Fixes for the shortcomings are being rolled out automatically as part of updates to the online version of Microsoft Power Apps. Also addressed by Redmond are three other vulnerabilities, two of which...
Over Two Dozen Flaws Identified in Advantech Industrial Wi-Fi Access Points – Patch ASAP

Over Two Dozen Flaws Identified in Advantech Industrial Wi-Fi Access Points – Patch ASAP

Nov 28, 2024 IoT Security / Vulnerability
Nearly two dozen security vulnerabilities have been disclosed in Advantech EKI industrial-grade wireless access point devices, some of which could be weaponized to bypass authentication and execute code with elevated privileges. "These vulnerabilities pose significant risks, allowing unauthenticated remote code execution with root privileges, thereby fully compromising the confidentiality, integrity, and availability of the affected devices," cybersecurity company Nozomi Networks said in a Wednesday analysis. Following responsible disclosure, the weaknesses have been addressed in the following firmware versions - 1.6.5 (for EKI-6333AC-2G and EKI-6333AC-2GD) 1.2.2 (for EKI-6333AC-1GPO) Six of the identified 20 vulnerabilities have been deemed critical, allowing an attacker to obtain persistent access to internal resources by implanting a backdoor, trigger a denial-of-service (DoS) condition, and even repurpose infected endpoints as Linux workstations to enable latera...
Expert Insights / Articles Videos
Cybersecurity Resources