Security News

The Cybersecurity and Infrastructure Security Agency has added a critical severity Java deserialization vulnerability affecting multiple Zoho ManageEngine products to its catalog of bugs exploited in the wild."The exploit POC for the above vulnerability is available in public," ManageEngine warned customers in July when it issued security patches to address this issue.

The U.S. Cybersecurity and Infrastructure Security Agency has added half a dozen vulnerabilities to its catalog of Known Exploited Vulnerabilities and is ordering federal agencies to follow vendor's instructions to fix them. CISA is giving federal agencies until October 6th to patch security vulnerabilities that have been reported between 2010 and 2022.

CISA added two new vulnerabilities to its list of security bugs exploited in the wild today, including a Windows privilege escalation vulnerability and an arbitrary code execution flaw affecting iPhones and Macs. Apple also patched the arbitrary code execution vulnerability on Monday and confirmed that it was exploited in attacks as a zero-day bug in the iOS and macOS kernel.

CISA has added 12 more security flaws to its list of bugs exploited in attacks, including two critical D-Link vulnerabilities and two zero-days in Google Chrome and the Photo Station QNAP software. The Google Chrome zero-day was patched on September 2nd via an emergency security update after the company was made aware of in-the-wild exploitation.

The U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency have released tips today on securing the software supply chain. "Securing the Software Supply Chain for Developers was created to help developers achieve security through industry and government-evaluated recommendations," the Department of Defense's intelligence agency said.

The U.S. Cybersecurity and Infrastructure Security Agency on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, including a high-severity security flaw affecting industrial automation software from Delta Electronics. The development adds weight to the notion that adversaries are getting faster at exploiting newly published vulnerabilities when they are first disclosed, leading to indiscriminate and opportunistic scanning attempts that aim to take advantage of delayed patching.

Although quantum computing is not commercially available, CISA urges organizations to prepare for the dawn of this new age, which is expected to bring groundbreaking changes in cryptography, and how we protect our secrets. Quantum computers are systems that harness quantum mechanics to perform much more powerful computations than are available today on systems that rely on binary computations.

Software running Palo Alto Networks' firewalls is under attack, prompting U.S. Cybersecurity and Infrastructure Security Agency to issue a warning to public and federal IT security teams to apply available fixes. Any additional attacks exploiting the bug have either not occurred or been publicly reported.

The U.S. Cybersecurity and Infrastructure Security Agency on Monday added a security flaw impacting Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.The high-severity vulnerability, tracked as CVE-2022-0028, is a URL filtering policy misconfiguration that could allow an unauthenticated, remote attacker to carry out reflected and amplified TCP denial-of-service attacks.

The security issue is a high-severity risk identified as CVE-2022-0028 that allows a remote threat actor to deploy reflected and amplified denial-of-service attacks without having to authenticate. While exploiting the flaw can only cause a DoS condition on the affected device, it has already been used for at least one attack.