network security | Breaking Cybersecurity News | The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting N-able N-central to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation.  N-able N-central is a Remote Monitoring and Management (RMM) platform designed for Managed Service Providers (MSPs), allowing customers to efficiently manage and secure their clients' Windows, Apple, and Linux endpoints from a single, unified platform. The vulnerabilities in question are listed below - CVE-2025-8875 (CVSS score: N/A) - An insecure deserialization vulnerability that could lead to command execution CVE-2025-8876 (CVSS score: N/A) - A command injection vulnerability via improper sanitization of user input Both shortcomings have been addressed in N-central versions 2025.3.1 and 2024.6 HF2 released on August 13, 2025. N-able is also urging customers to make sure that multi-factor authentication (MFA) is enabled, particularly for admin...

Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution.  The vulnerability impacting Zoom Clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), relates to a case of an untrusted search path that could pave the way for privilege escalation. "Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access," Zoom said in a security bulletin on Tuesday. The issue, reported by its own Offensive Security team, affects the following products - Zoom Workplace for Windows before version 6.3.10 Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12) Zoom Rooms for Windows before version 6.3.10 Zoom Rooms Controller for Windows before version 6.3.10 Zoom Meeting SDK for Windows before version 6.3.10 The disclosure comes as multiple vulnerabiliti...

Fortinet is alerting customers of a critical security flaw in FortiSIEM for which it said there exists an exploit in the wild. The vulnerability, tracked as CVE-2025-25256 , carries a CVSS score of 9.8 out of a maximum of 10.0. "An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests," the company said in a Tuesday advisory. The following versions are impacted by the flaw - FortiSIEM 6.1, 6.2, 6.3, 6.4, 6.5, 6.6 (Migrate to a fixed release) FortiSIEM 6.7.0 through 6.7.9 (Upgrade to 6.7.10 or above) FortiSIEM 7.0.0 through 7.0.3 (Upgrade to 7.0.4 or above) FortiSIEM 7.1.0 through 7.1.7 (Upgrade to 7.1.8 or above) FortiSIEM 7.2.0 through 7.2.5 (Upgrade to 7.2.6 or above) FortiSIEM 7.3.0 through 7.3.1 (Upgrade to 7.3.2 or above) FortiSIEM 7.4 (Not affected) Fortinet acknowledged i...

Cybersecurity researchers are warning of a "significant spike" in brute-force traffic aimed at Fortinet SSL VPN devices. The coordinated activity, per threat intelligence firm GreyNoise, was observed on August 3, 2025, with over 780 unique IP addresses participating in the effort. As many as 56 unique IP addresses have been detected over the past 24 hours. All the IP addresses have been classified as malicious, with the IPs originating from the United States, Canada, Russia, and the Netherlands. Targets of the brute-force activity include the United States, Hong Kong, Brazil, Spain, and Japan. "Critically, the observed traffic was also targeting our FortiOS profile, suggesting deliberate and precise targeting of Fortinet's SSL VPNs," GreyNoise said . "This was not opportunistic -- it was focused activity." The company also pointed out that it identified two distinct assault waves spotted before and after August 5: One, a long-running, brute-force a...

The Dutch National Cyber Security Centre (NCSC-NL) has warned of cyber attacks exploiting a recently disclosed critical security flaw impacting Citrix NetScaler ADC products to breach organizations in the country. The NCSC-NL said it discovered the exploitation of CVE-2025-6543 targeting several critical organizations within the Netherlands, and that investigations are ongoing to determine the extent of the impact. CVE-2025-6543 (CVSS score: 9.2) is a critical security vulnerability in NetScaler ADC that results in unintended control flow and denial-of-service (DoS) when the devices are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. The vulnerability was first disclosed in late June 2025, with patches released in the following versions - NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46 NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19 NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP ...

Cybersecurity researchers have discovered a fresh set of security issues in the Terrestrial Trunked Radio (TETRA) communications protocol, including in its proprietary end-to-end encryption (E2EE) mechanism that exposes the system to replay and brute-force attacks, and even decrypt encrypted traffic. Details of the vulnerabilities – dubbed 2TETRA:2BURST – were presented at the Black Hat USA security conference last week by Midnight Blue researchers Carlo Meijer, Wouter Bokslag, and Jos Wetzels. TETRA is a European mobile radio standard that's widely used by law enforcement, military, transportation, utilities, and critical infrastructure operators. It was developed by the European Telecommunications Standards Institute (ETSI). It encompasses four encryption algorithms: TEA1, TEA2, TEA3, and TEA4. The disclosure comes a little over two years after the Netherlands-based cybersecurity company discovered a set of security vulnerabilities in TETRA standard called TETRA:BURST, c...

Malicious actors have been observed exploiting a now-patched critical security flaw impacting Erlang/Open Telecom Platform (OTP) SSH as early as beginning of May 2025, with about 70% of detections originating from firewalls protecting operational technology (OT) networks. The vulnerability in question is CVE-2025-32433 (CVSS score: 10.0), a missing authentication issue that could be abused by an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code. It was patched in April 2025 with versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. Then in June 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. "At the heart of Erlang/OTP's secure communication capabilities lies its native SSH implementation — responsible for encrypted connections, file transfers and most importantly, command execution," Palo Alto Networks U...

A novel attack technique could be weaponized to rope thousands of public domain controllers (DCs) around the world to create a malicious botnet and use it to conduct powerful distributed denial-of-service (DDoS) attacks. The approach has been codenamed Win-DDoS by SafeBreach researchers Or Yair and Shahak Morag, who presented their findings at the DEF CON 33 security conference today. "As we explored the intricacies of the Windows LDAP client code, we discovered a significant flaw that allowed us to manipulate the URL referral process to point DCs at a victim server to overwhelm it," Yair and Morag said in a report shared with The Hacker News. "As a result, we were able to create Win-DDoS, a technique that would enable an attacker to harness the power of tens of thousands of public DCs around the world to create a malicious botnet with vast resources and upload rates. All without purchasing anything and without leaving a traceable footprint." In transfor...

Cybersecurity researchers have disclosed multiple security flaws in video surveillance products from Axis Communications that, if successfully exploited, could expose them to takeover attacks. "The attack results in pre-authentication remote code execution on Axis Device Manager, a server used to configure and manage fleets of cameras, and the Axis Camera Station, client software used to view camera feeds," Claroty researcher Noam Moshe said . "Furthermore, using internet scans of exposed Axis.Remoting services, an attacker can enumerate vulnerable servers and clients, and carry out granular, highly targeted attacks." The list of identified flaws is below - CVE-2025-30023 (CVSS score: 9.0) - A flaw in the communication protocol used between client and server that could lead to an authenticated user performing a remote code execution attack (Fixed in Camera Station Pro 6.9, Camera Station 5.58, and Device Manager 5.32) CVE-2025-30024 (CVSS score: 6.8) - A f...

SonicWall has revealed that the recent spike in activity targeting its Gen 7 and newer firewalls with SSL VPN enabled is related to an older, now-patched bug and password reuse. "We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability," the company said . "Instead, there is a significant correlation with threat activity related to CVE-2024-40766." CVE-2024-40766 (CVSS score: 9.3) was first disclosed by SonicWall in August 2024, calling it an improper access control issue that could allow malicious actors unauthorized access to the devices. "An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and, in specific conditions, causing the firewall to crash," it noted in an advisory at the time. SonicWall also said it's investigating less than 40 incidents related to this activity, and that many of ...

Trend Micro has released mitigations to address critical security flaws in on-premise versions of Apex One Management Console that it said have been exploited in the wild. The vulnerabilities ( CVE-2025-54948 and CVE-2025-54987 ), both rated 9.4 on the CVSS scoring system, have been described as management console command injection and remote code execution flaws. "A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations," the cybersecurity company said in a Tuesday advisory. While both shortcomings are essentially the same, CVE-2025-54987 targets a different CPU architecture. The Trend Micro Incident Response (IR) Team and Jacky Hsieh at CoreCloud Tech have been credited with reporting the two flaws. According to ZeroPath , CVE-2025-54948 stems from a lack of sufficient input validation in the management console's backend, thereby...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three old security flaws impacting D-Link Wi-Fi cameras and video recorders to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation in the wild. The high-severity vulnerabilities, which are from 2020 and 2022, are listed below - CVE-2020-25078 (CVSS score: 7.5) - An unspecified vulnerability in D-Link DCS-2530L and DCS-2670L devices that could allow for remote administrator password disclosure CVE-2020-25079 (CVSS score: 8.8) - An authenticated command injection vulnerability in the cgi-bin/ddns_enc.cgi component affecting D-Link DCS-2530L and DCS-2670L devices CVE-2020-40799 (CVSS score: 8.8) - A download of code without an integrity check vulnerability in D-Link DNR-322L that could allow an authenticated attacker to execute operating system-level commands on the device There are currently no details on how these shortcomings are being exploited in th...

SonicWall said it's actively investigating reports to determine if there is a new zero-day vulnerability following reports of a spike in Akira ransomware actors in late July 2025. "Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled," the network security vendor said in a statement Monday. "We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible." While SonicWall is digging deeper, organizations using Gen 7 SonicWall firewalls are advised to follow the steps below until further notice - Disable SSL VPN services where practical Limit SSL VPN connectivity to trusted IP addresses Activate services such as Botnet Protection and Geo-IP Filtering Enforce multi-factor authentication Remove inactive or unused local user ac...

Some of the most devastating cyberattacks don't rely on brute force, but instead succeed through stealth. These quiet intrusions often go unnoticed until long after the attacker has disappeared. Among the most insidious are man-in-the-middle (MITM) attacks, where criminals exploit weaknesses in communication protocols to silently position themselves between two unsuspecting parties Fortunately, protecting your communications from MITM attacks doesn't require complex measures. By taking a few simple steps, your security team can go a long way in securing users' data and keeping silent attackers at bay. Know your enemy In a MITM attack , a malicious actor intercepts communications between two parties (such as a user and a web app) to steal sensitive information. By secretly positioning themselves between the two ends of the conversation, MITM attackers can capture data like credit card numbers,  login credentials , and account details. This stolen information o...

Telecommunications organizations in Southeast Asia have been targeted by a state-sponsored threat actor known as CL-STA-0969 to facilitate remote control over compromised networks. Palo Alto Networks Unit 42 said it observed multiple incidents in the region, including one aimed at critical telecommunications infrastructure between February and November 2024. The attacks are characterized by the use of several tools to enable remote access, as well as the deployment of Cordscan, which can collect location data from mobile devices. However, the cybersecurity company said it found no evidence of data exfiltration from the networks and systems it investigated. Nor were any efforts made by the attackers to track or communicate with target devices within mobile networks. "The threat actor behind CL-STA-0969 maintained high operational security (OPSEC) and employed various defense evasion techniques to avoid detection," security researchers Renzon Cruz, Nicolas Bareil, and Nav...

SonicWall SSL VPN devices have become the target of Akira ransomware attacks as part of a newfound surge in activity observed in late July 2025. "In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs," Arctic Wolf Labs researcher Julian Tuin said in a report. The cybersecurity company suggested that the attacks could be exploiting an as-yet-undetermined security flaw in the appliances, meaning a zero-day vulnerability, given that some of the incidents affected fully-patched SonicWall devices. However, the possibility of credential-based attacks for initial access hasn't been ruled out. The uptick in attacks involving SonicWall SSL VPNs was first registered on July 15, 2025, although Arctic Wolf said that it has observed similar malicious VPN logins as far back as October 2024 , suggesting sustained efforts to target the devices. "A short interval was obser...

The Russian nation-state threat actor known as Secret Blizzard has been observed orchestrating a new cyber espionage campaign targeting foreign embassies located in Moscow by means of an adversary-in-the-middle ( AitM ) attack at the Internet Service Provider (ISP) level and delivering a custom malware dubbed ApolloShadow. "ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection," the Microsoft Threat Intelligence team said in a report shared with The Hacker News. The activity is assessed to be ongoing since at least 2024, with the campaign posing a security risk to diplomatic personnel relying on local ISPs or telecommunications services in Russia. Secret Blizzard (formerly Krypton), affiliated with the Russian Federal Security Service, is also tracked by the broader cybersecurity commu...

The financially motivated threat actor known as UNC2891 has been observed targeting Automatic Teller Machine (ATM) infrastructure using a 4G-equipped Raspberry Pi as part of a covert attack. The cyber-physical attack involved the adversary leveraging their physical access to install the Raspberry Pi device and have it connected directly to the same network switch as the ATM, effectively placing it within the target bank's network, Group-IB said. It's currently not known how this access was obtained. "The Raspberry Pi was equipped with a 4G modem, allowing remote access over mobile data," security researcher Nam Le Phuong said in a Wednesday report. "Using the TINYSHELL backdoor, the attacker established an outbound command-and-control (C2) channel via a Dynamic DNS domain. This setup enabled continuous external access to the ATM network, completely bypassing perimeter firewalls and traditional network defenses." UNC2891 was first documented by Googl...

Cybersecurity researchers have disclosed now-patched critical security flaws in the firmware of Dahua smart cameras that, if left unaddressed, could allow attackers to hijack control of susceptible devices. "The flaws, affecting the device's ONVIF protocol and file upload handlers, allow unauthenticated attackers to execute arbitrary commands remotely, effectively taking over the device," Bitdefender said in a report shared with The Hacker News. The vulnerabilities, tracked as CVE-2025-31700 and CVE-2025-31701 (CVSS scores: 8.1), affect the following devices running versions with built timestamps before April 16, 2025 - IPC-1XXX Series IPC-2XXX Series IPC-WX Series IPC-ECXX Series SD3A Series SD2A Series SD3D Series SDT2A Series SD2C Series It's worth noting that users can view the build time by logging in to the web interface of the device and then navigating to Settings -> System Information -> Version . Both shortcomings are classified as...

Cybersecurity researchers have discovered over a dozen security vulnerabilities impacting Tridium's Niagara Framework that could allow an attacker on the same network to compromise the system under certain circumstances. "These vulnerabilities are fully exploitable if a Niagara system is misconfigured, thereby disabling encryption on a specific network device," Nozomi Networks Labs said in a report published last week. "If chained together, they could allow an attacker with access to the same network — such as through a Man-in-the-Middle (MiTM) position — to compromise the Niagara system." Developed by Tridium, an independent business entity of Honeywell, the Niagara Framework is a vendor-neutral platform used to manage and control a wide range of devices from different manufacturers, such as HVAC, lighting, energy management, and security, making it a valuable solution in building management, industrial automation, and smart infrastructure environments. I...