Security News

ASUS Patches Critical Authentication Bypass Flaw in Multiple Router Models
2024-06-17 14:39

ASUS has shipped software updates to address a critical security flaw impacting its routers that could be exploited by malicious actors to bypass authentication. Tracked as CVE-2024-3080, the...

ASUS warns of critical remote authentication bypass on 7 routers
2024-06-15 15:17

ASUS has released a new firmware update that addresses a vulnerability impacting seven router models that allow remote attackers to log in to devices.The flaw, tracked as CVE-2024-3080, is an authentication bypass vulnerability allowing unauthenticated, remote attackers to take control of the device.

Exploit for Veeam Recovery Orchestrator auth bypass available, patch now
2024-06-13 17:21

A proof-of-concept exploit for a critical Veeam Recovery Orchestrator authentication bypass vulnerability tracked as CVE-2024-29855 has been released, elevating the risk of being exploited in attacks. CVE-2024-29855, rated 9.0 as per CVSS v3.1, is an authentication bypass vulnerability impacting Veeam Recovery Orchestrator versions 7.0.0.337 and 7.1.0.205 and older.

Exploit for critical Veeam auth bypass available, patch now
2024-06-10 15:05

A proof-of-concept exploit for a Veeam Backup Enterprise Manager authentication bypass flaw tracked as CVE-2024-29849 is now publicly available, making it urgent that admins apply the latest security updates. Veeam issued a security bulletin about the critical flaw on May 21, warning about a critical vulnerability enabling remote unauthenticated attackers to log in to VBEM's web interface as any user.

Cox fixed an API auth bypass exposing millions of modems to attacks
2024-06-03 21:10

Cox Communications has fixed an authorization bypass vulnerability that enabled remote attackers to abuse exposed backend APIs to reset millions of modems' settings and steal customers' sensitive personal information. The attackers could've used this access to exploit any of the millions of Cox devices accessible through the vulnerable Cox APIs, overwriting configuration settings and executing commands on the device.

Exploit for critical Progress Telerik auth bypass released, patch now
2024-06-03 17:58

Researchers have published a proof-of-concept exploit script demonstrating a chained remote code execution vulnerability on Progress Telerik Report Servers. Cybersecurity researcher Sina Kheirkha developed the exploit with the help of Soroush Dalili and has now published a detailed write-up that describes the intricate process of exploiting two flaws, an authentication bypass and a deserialization issue, to execute code on the target.

GitHub fixes maximum severity Enterprise Server auth bypass bug (CVE-2024-4985)
2024-05-23 10:13

A critical, 10-out-of-10 vulnerability allowing unrestricted access to vulnerable GitHub Enterprise Server instances has been fixed by Microsoft-owned GitHub. There is a catch that may narrow down the pool of potential victims: instances are vulnerable to attack only if they use SAML single sign-on authentication AND have the encrypted assertions feature enabled.

Veeam fixes auth bypass flaw in Backup Enterprise Manager (CVE-2024-29849)
2024-05-22 08:32

Veeam has patched four vulnerabilities in Backup Enterprise Manager, one of which may allow attackers to bypass authentication and log in to its web interface as any user.Veeam Backup Enterprise Manager is an application that is used to manage the Veeam Backup & Replication solution - a backup/restore app for virtual and physical machines and cloud-based workloads - via a web console.

Critical Veeam Backup Enterprise Manager Flaw Allows Authentication Bypass
2024-05-22 03:45

Users of Veeam Backup Enterprise Manager are being urged to update to the latest version following the discovery of a critical security flaw that could permit an adversary to bypass authentication...

Veeam warns of critical Backup Enterprise Manager auth bypass bug
2024-05-21 22:24

VBEM is a web-based platform that enables administrators to manage Veeam Backup & Replication installations via a single web console. It's important to note that VBEM isn't enabled by default, and not all environments are susceptible to attacks exploiting the CVE-2024-29849 vulnerability, which Veeam has rated with a CVSS base score of 9.8/10. "This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user," the company explains.