Security News

The Cybersecurity and Infrastructure Security Agency has added three more security flaws to its list of bugs exploited in attacks, including a Bitbucket Server RCE and two Microsoft Exchange zero-days.While Microsoft hasn't yet released security updates to address this pair of actively exploited bugs, it shared mitigation measures requiring customers to add an IIS server blocking rule that would block attack attempts.

The U.S. Cybersecurity and Infrastructure Security Agency on Thursday added a recently disclosed security flaw in Zoho ManageEngine to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. "Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution," the agency said in a notice.

The Cybersecurity and Infrastructure Security Agency has added a critical severity Java deserialization vulnerability affecting multiple Zoho ManageEngine products to its catalog of bugs exploited in the wild."The exploit POC for the above vulnerability is available in public," ManageEngine warned customers in July when it issued security patches to address this issue.

The U.S. Cybersecurity and Infrastructure Security Agency has added half a dozen vulnerabilities to its catalog of Known Exploited Vulnerabilities and is ordering federal agencies to follow vendor's instructions to fix them. CISA is giving federal agencies until October 6th to patch security vulnerabilities that have been reported between 2010 and 2022.

CISA added two new vulnerabilities to its list of security bugs exploited in the wild today, including a Windows privilege escalation vulnerability and an arbitrary code execution flaw affecting iPhones and Macs. Apple also patched the arbitrary code execution vulnerability on Monday and confirmed that it was exploited in attacks as a zero-day bug in the iOS and macOS kernel.

CISA has added 12 more security flaws to its list of bugs exploited in attacks, including two critical D-Link vulnerabilities and two zero-days in Google Chrome and the Photo Station QNAP software. The Google Chrome zero-day was patched on September 2nd via an emergency security update after the company was made aware of in-the-wild exploitation.

The U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency have released tips today on securing the software supply chain. "Securing the Software Supply Chain for Developers was created to help developers achieve security through industry and government-evaluated recommendations," the Department of Defense's intelligence agency said.

The U.S. Cybersecurity and Infrastructure Security Agency on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, including a high-severity security flaw affecting industrial automation software from Delta Electronics. The development adds weight to the notion that adversaries are getting faster at exploiting newly published vulnerabilities when they are first disclosed, leading to indiscriminate and opportunistic scanning attempts that aim to take advantage of delayed patching.

Although quantum computing is not commercially available, CISA urges organizations to prepare for the dawn of this new age, which is expected to bring groundbreaking changes in cryptography, and how we protect our secrets. Quantum computers are systems that harness quantum mechanics to perform much more powerful computations than are available today on systems that rely on binary computations.

Software running Palo Alto Networks' firewalls is under attack, prompting U.S. Cybersecurity and Infrastructure Security Agency to issue a warning to public and federal IT security teams to apply available fixes. Any additional attacks exploiting the bug have either not occurred or been publicly reported.