PoC exploit for critical Erlang/OTP SSH bug is public (CVE-2025-32433)

There are now several public proof-of-concept (PoC) exploits for a maximum-severity vulnerability in the Erlang/OTP SSH server (CVE-2025-32433) unveiled last week. “All users running an SSH server based on the Erlang/OTP SSH library are likely to…

The Zoom attack you didn’t see coming

Did you know that when participating in a Zoom call, you can grant permission to other participants to control your computer remotely? While this feature may come in handy when dealing with trusted family, friends and colleagues, threat actors have sta…

Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)

CVE-2021-20035, an old vulnerability affecting Sonicwall Secure Mobile Access (SMA) 100 series appliances, is being exploited by attackers. Sonicwall confirmed it by updating the original security advisory to reflect the new state of play, and by chang…

Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)

CVE-2025-24054, a Windows NTLM hash disclosure vulnerability that Microsoft issued patches for last month, has been leveraged by threat actors in campaigns targeting government and private institutions in Poland and Romania. “Active exploitat…

Apple plugs zero-day holes used in targeted iPhone attacks (CVE-2025-31200, CVE-2025-31201)

Apple has released emergency security updates for iOS/iPadOS, macOS, tvOS and visionOS that fix two zero-day vulnerabilities (CVE-2025-31200, CVE-2025-31201) that have been exploited “in an extremely sophisticated attack against specific targeted…

Cozy Bear targets EU diplomats with wine-tasting invites (again)

APT29 (aka Cozy Bear, aka Midnight Blizzard) is, once again, targeting European diplomats with fake invitations to wine-tasting events, Check Point researchers have shared.

Cozy Bear uses wine-tastings and dinners as a lure

In early 2024, Zscaler flagg…

Funding uncertainty may spell the end of MITRE’s CVE program

The future of the Common Vulnerabilities and Exposures (CVE) program hangs in the balance: MITRE, the not-for-profit US organization that runs it, could lose the US federal funding that helps them maintain it. But others have been waiting in the wings …

Hertz data breach: Customers in US, EU, UK, Australia and Canada affected

American car rental company Hertz has suffered a data breach linked to last year’s exploitation of Cleo zero-day vulnerabilities by a ransomware gang. The breach resulted in information of an unknown number of customers of Hertz and Hertz’s…

Critical flaws fixed in Nagios Log Server

The Nagios Security Team has fixed three critical vulnerabilities affecting popular enterprise log management and analysis platform Nagios Log Server.

About the flaws

The vulnerabilities, discovered and reported by security researchers Seth Kraft and A…

Package hallucination: LLMs may deliver malicious code to careless devs

LLMs’ tendency to “hallucinate” code packages that don’t exist could become the basis for a new type of supply chain attack dubbed “slopsquatting” (courtesy of Seth Larson, Security Developer-in-Residence at the Pyth…