The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Buzzy Chinese artificial intelligence (AI) startup DeepSeek , which has had a meteoric rise in popularity in recent days, left one of its databases exposed on the internet, which could have allowed malicious actors to gain access to sensitive data. The ClickHouse database "allows full control over database operations, including the ability to access internal data," Wiz security researcher Gal Nagli said . The exposure also includes more than a million lines of log streams containing chat history, secret keys, backend details, and other highly sensitive information, such as API Secrets and operational metadata. DeepSeek has since plugged the security hole following attempts by the cloud security firm to contact them. The database, hosted at oauth2callback.deepseek[.]com:9000 and dev.deepseek[.]com:9000, is said to have enabled unauthorized access to a wide range of information. The exposure, Wiz noted, allowed for complete database control and potential privilege escalati...

Three security flaws have been disclosed in the open-source PHP package Voyager that could be exploited by an attacker to achieve one-click remote code execution on affected instances. "When an authenticated Voyager user clicks on a malicious link, attackers can execute arbitrary code on the server," Sonar researcher Yaniv Nizry said in a write-up published earlier this week. The identified issues, which remain unpatched to date despite responsible disclosure on September 11, 2024, are listed below - CVE-2024-55417 - An arbitrary file write vulnerability in the "/admin/media/upload" endpoint CVE-2024-55416 - A reflected cross-site scripting (XSS) vulnerability in the "/admin/compass" endpoint CVE-2024-55415 - An arbitrary file leak and deletion vulnerability  A malicious attacker could leverage Voyager's media upload feature to upload a malicious file in a manner that bypasses MIME type verification, and make use of a polyglot file that ap...

A Mirai botnet variant dubbed Aquabot has been observed actively attempting to exploit a medium-severity security flaw impacting Mitel phones in order to ensnare them into a network capable of mounting distributed denial-of-service (DDoS) attacks. The vulnerability in question is CVE-2024-41710 (CVSS score: 6.8), a case of command injection in the boot process that could allow a malicious actor to execute arbitrary commands within the context of the phone. It affects Mitel 6800 Series, 6900 Series, 6900w Series SIP Phones, and Mitel 6970 Conference Unit. It was addressed by Mitel in mid-July 2024. A proof-of-concept (PoC) exploit for the flaw became publicly available in August. Outside of CVE-2024-41710, some of the other vulnerabilities targeted by the botnet include CVE-2018-10561, CVE-2018-10562, CVE-2018-17532, CVE-2022-31137, CVE-2023-26801, and a remote code execution flaw targeting Linksys E-series devices.  "Aquabot is a botnet that was built off the Mirai fram...

SaaS Adoption is Skyrocketing, Resilience Hasn't Kept Pace SaaS platforms have revolutionized how businesses operate. They simplify collaboration, accelerate deployment, and reduce the overhead of managing infrastructure. But with their rise comes a subtle, dangerous assumption: that the convenience of SaaS extends to resilience. It doesn't. These platforms weren't built with full-scale data protection in mind . Most follow a shared responsibility model — wherein the provider ensures uptime and application security, but the data inside is your responsibility. In a world of hybrid architectures, global teams, and relentless cyber threats, that responsibility is harder than ever to manage. Modern organizations are being stretched across: Hybrid and multi-cloud environments with decentralized data sprawl Complex integration layers between IaaS, SaaS, and legacy systems Expanding regulatory pressure with steeper penalties for noncompliance Escalating ransomware threats and inside...

The North Korean threat actor known as the Lazarus Group has been observed leveraging a "web-based administrative platform" to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns. "Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API," SecurityScorecard's STRIKE team said in a new report shared with The Hacker News. "This administrative layer was consistent across all the C2 servers analyzed, even as the attackers varied their payloads and obfuscation techniques to evade detection." The hidden framework has been described as a comprehensive system and a hub that allows attackers to organize and manage exfiltrated data, maintain oversight of their compromised hosts, and handle payload delivery. The web-based admin panel has been identified in connection with a supply chain attack campaign dubbed Operation ...

Curious about the buzz around AI in cybersecurity? Wonder if it's just a shiny new toy in the tech world or a serious game changer? Let's unpack this together in a not-to-be-missed webinar that goes beyond the hype to explore the real impact of AI on cybersecurity. Join Ravid Circus , a seasoned pro in cybersecurity and AI, as we peel back the layers of AI in cybersecurity through a revealing survey of 200 industry insiders. This isn't your average tech talk; it's a down-to-earth, insightful discussion about what AI is actually doing for us today. Why Tune In? Get the Inside Scoop: How are real-world security teams using AI right now? Learn about the genuine perks and the real snags, from data hiccups to transparency troubles. Boost Your Cyber Defenses: Discover which cybersecurity corners AI is revolutionizing the most. It's about pinpointing where AI can really beef up your security measures. Walk Away With a Game Plan: This isn't just about high-level idea...

A team of security researchers from Georgia Institute of Technology and Ruhr University Bochum has demonstrated two new side-channel attacks targeting Apple silicon that could be exploited to leak sensitive information from web browsers like Safari and Google Chrome. The attacks have been codenamed Data Speculation Attacks via Load Address Prediction on Apple Silicon ( SLAP ) and Breaking the Apple M3 CPU via False Load Output Predictions ( FLOP ). Apple was notified of the issues in May and September 2024, respectively. The vulnerabilities, like the previously disclosed iLeakage attack, build on Spectre , arising when speculative execution "backfires," leaving traces of mispredictions in the CPU's microarchitectural state and the cache. Speculative execution refers to a performance optimization mechanism in modern processors that are aimed at predicting the control flow the CPU should take and execute instructions along the branch beforehand. In the event of a mi...

Ransomware attacks have reached an unprecedented scale in the healthcare sector, exposing vulnerabilities that put millions at risk. Recently, UnitedHealth revealed that 190 million Americans had their personal and healthcare data stolen during the Change Healthcare ransomware attack, a figure that nearly doubles the previously disclosed total.  This breach shows just how deeply ransomware can infiltrate critical systems, leaving patient trust and care hanging in the balance. One of the groups that targets this already fragile sector is the Interlock ransomware group. Known for their calculated and sophisticated attacks, they focus on hospitals, clinics, and other medical service providers. Interlock Ransomware Group: An Active Threat to Healthcare The Interlock ransomware group is a relatively recent but dangerous player in the world of cybercrime, known for employing double-extortion tactics.  This method involves encrypting a victim's data to disrupt operations and th...

A critical security flaw has been disclosed in the Cacti open-source network monitoring and fault management framework that could allow an authenticated attacker to achieve remote code execution on susceptible instances. The flaw, tracked as CVE-2025-22604, carries a CVSS score of 9.1 out of a maximum of 10.0. "Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response," the project maintainers said in an advisory released this week. "When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability." Successful exploitation of the vulnerability could permit an authenticated user with device management permissions to execute arbitrary code in the server, and steal, edit, or delete sensitive data. CVE-2025-22604 affects all versions of the software prior to and includ...

The advanced persistent threat (APT) group known as UAC-0063 has been observed leveraging legitimate documents obtained by infiltrating one victim to attack another target with the goal of delivering a known malware dubbed HATVIBE. "This research focuses on completing the picture of UAC-0063's operations, particularly documenting their expansion beyond their initial focus on Central Asia, targeting entities such as embassies in multiple European countries, including Germany, the U.K., the Netherlands, Romania, and Georgia," Martin Zugec, technical solutions director at Bitdefender, said in a report shared with The Hacker News. UAC-0063 was first flagged by the Romanian cybersecurity company in May 2023 in connection with a campaign that targeted government entities in Central Asia with a data exfiltration malware known as DownEx (aka STILLARCH). It's suspected to share links with a known Russian state-sponsored actor called APT28. Merely weeks later, the Compu...

Broadcom has alerted of a high-severity security flaw in VMware Avi Load Balancer that could be weaponized by malicious actors to gain entrenched database access. The vulnerability, tracked as CVE-2025-22217 (CVSS score: 8.6), has been described as an unauthenticated blind SQL injection. "A malicious user with network access may be able to use specially crafted SQL queries to gain database access," the company said in an advisory issued Tuesday. Security researchers Daniel Kukuczka and Mateusz Darda have been acknowledged for discovering and reporting the vulnerability. It affects the following version of the software - VMware Avi Load Balancer 30.1.1 (Fixed in 30.1.2-2p2) VMware Avi Load Balancer 30.1.2 (Fixed in 30.1.2-2p2) VMware Avi Load Balancer 30.2.1 (Fixed in 30.2.1-2p5) VMware Avi Load Balancer 30.2.2 (Fixed in 30.2.2-2p2) Broadcom further noted that versions 22.x and 21.x are not susceptible to CVE-2025-22217, and that users running version 30.1.1 must...

Cybersecurity researchers are warning that a critical zero-day vulnerability impacting Zyxel CPE Series devices is seeing active exploitation attempts in the wild. "Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration," GreyNoise researcher Glenn Thorpe said in an alert published Tuesday. The vulnerability in question is CVE-2024-40891, a critical command injection vulnerability that has neither been publicly disclosed nor patched. The existence of the bug was first reported by VulnCheck in July 2024. Statistics gathered by the threat intelligence firm show that attack attempts have originated from dozens of IP addresses , with a majority of them located in Taiwan. According to Censys, there are more than 1,500 vulnerable devices online. "CVE-2024-40891 is very similar to CVE-2024-40890, with the main difference being that the former is Teln...