Security News

A proof-of-concept exploit for a critical Veeam Recovery Orchestrator authentication bypass vulnerability tracked as CVE-2024-29855 has been released, elevating the risk of being exploited in attacks. CVE-2024-29855, rated 9.0 as per CVSS v3.1, is an authentication bypass vulnerability impacting Veeam Recovery Orchestrator versions 7.0.0.337 and 7.1.0.205 and older.

A proof-of-concept exploit for a Veeam Backup Enterprise Manager authentication bypass flaw tracked as CVE-2024-29849 is now publicly available, making it urgent that admins apply the latest security updates. Veeam issued a security bulletin about the critical flaw on May 21, warning about a critical vulnerability enabling remote unauthenticated attackers to log in to VBEM's web interface as any user.

Cox Communications has fixed an authorization bypass vulnerability that enabled remote attackers to abuse exposed backend APIs to reset millions of modems' settings and steal customers' sensitive personal information. The attackers could've used this access to exploit any of the millions of Cox devices accessible through the vulnerable Cox APIs, overwriting configuration settings and executing commands on the device.

Researchers have published a proof-of-concept exploit script demonstrating a chained remote code execution vulnerability on Progress Telerik Report Servers. Cybersecurity researcher Sina Kheirkha developed the exploit with the help of Soroush Dalili and has now published a detailed write-up that describes the intricate process of exploiting two flaws, an authentication bypass and a deserialization issue, to execute code on the target.

A critical, 10-out-of-10 vulnerability allowing unrestricted access to vulnerable GitHub Enterprise Server instances has been fixed by Microsoft-owned GitHub. There is a catch that may narrow down the pool of potential victims: instances are vulnerable to attack only if they use SAML single sign-on authentication AND have the encrypted assertions feature enabled.

Veeam has patched four vulnerabilities in Backup Enterprise Manager, one of which may allow attackers to bypass authentication and log in to its web interface as any user.Veeam Backup Enterprise Manager is an application that is used to manage the Veeam Backup & Replication solution - a backup/restore app for virtual and physical machines and cloud-based workloads - via a web console.

Users of Veeam Backup Enterprise Manager are being urged to update to the latest version following the discovery of a critical security flaw that could permit an adversary to bypass authentication...

VBEM is a web-based platform that enables administrators to manage Veeam Backup & Replication installations via a single web console. It's important to note that VBEM isn't enabled by default, and not all environments are susceptible to attacks exploiting the CVE-2024-29849 vulnerability, which Veeam has rated with a CVSS base score of 9.8/10. "This vulnerability in Veeam Backup Enterprise Manager allows an unauthenticated attacker to log in to the Veeam Backup Enterprise Manager web interface as any user," the company explains.

GitHub has rolled out fixes to address a maximum severity flaw in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication protections. Tracked...

GitHub has fixed a maximum severity (CVSS v4 score: 10.0) authentication bypass vulnerability tracked as CVE-2024-4986, which impacts GitHub Enterprise Server (GHES) instances using SAML single...