Security News

Cisco is warning of a critical flaw in the web server of its IP phones. Cisco issued patches in a Wednesday advisory for the flaw, which affects various versions of its Cisco IP phones for small- to medium-sized businesses.

Among the vulnerabilities fixed are critical flaws affecting a variety of Cisco IP phones and Cisco UCS Director and Cisco UCS Director Express for Big Data, its unified infrastructure management solutions for data center operations. Jacob Baines, a research engineer with Tenable, unearthed two critical flaws affecting the Cisco Wireless IP Phone 8821.

SAP this week released its latest set of security patches, which brings a total of 23 Security Notes, including five that address Hot News vulnerabilities. Another Hot News Security Note released as part of the April 2020 SAP Security Patch Day addresses a directory traversal vulnerability in SAP NetWeaver.

Oracle this week released its April 2020 collection of security patches, which includes a total of 397 fixes for vulnerabilities affecting two dozen products. Roughly 60 of the newly addressed vulnerabilities are considered critical severity, with more than 55 of them featuring a CVSS score of 9.8.

As hospitals around the world are struggling to respond to the coronavirus crisis, cybercriminals-with no conscience and empathy-are continuously targeting healthcare organizations, research facilities, and other governmental organizations with ransomware and malicious information stealers. While the security firm didn't name the latest victims, it said a Canadian government healthcare organization and a Canadian medical research university both suffered ransomware attacks, as criminal groups seek to exploit the crisis for financial gain.

The Wired article argued that it is essential to engineer a way to provide remote access to control system environments for critical infrastructure services such as water, electricity, and fuel refining during the coronavirus crisis. Through server replication, critical infrastructure sites enable 100% real-time visibility into protected networks, 100% protection from remote attacks, with a number of options for truly secure remote access in this time of crisis.

VMware has fixed a critical vulnerability affecting vCenter Server, which can be exploited to extract highly sensitive information that could be used to compromise vCenter Server or other services which depend on the VMware Directory Service for authentication. vCenter Server is server management software for controlling VMware vSphere environments.

A critical information-disclosure bug in VMware's Directory Service could lay bare the contents of entire corporate virtual infrastructures, if exploited by cyberattackers. The vmdir in turn is a central component to the vCenter SSO. Also, vmdir is used for certificate management for the workloads governed by vCenter, according to VMware.

The Hoaxcalls botnet is actively targeting a recently patched SQL injection vulnerability in Grandstream UCM6200 series devices, security researchers warn. Tracked as CVE-2020-5722 and rated critical severity, the vulnerability exists in the HTTP interface of the impacted IP PBX appliance.

Most enterprises believe embracing the public cloud is critical to fuel innovation, but the majority are not equipped to operate in the cloud securely, according to a DivvyCloud survey of nearly 2,000 IT professionals. "Only 35% of respondents do not believe security impedes developers' self-service access to best-in-class cloud services to drive innovation-meaning 65% believe they must choose between giving developers self-service access to tools that fuel innovation and remaining secure."