Security News
Multiple security vulnerabilities have been discovered in various services, including Honeywell Experion distributed control system and QuickBlox, that, if successfully exploited, could result in severe compromise of affected systems. Dubbed Crit.IX, the nine flaws in the Honeywell Experion DCS platform allow for "Unauthorized remote code execution, which means an attacker would have the power to take over the devices and alter the operation of the DCS controller, whilst also hiding the alterations from the engineering workstation that manages the controller," Armis said in a statement shared with The Hacker News.
Zimbra has warned of a critical zero-day security flaw in its email software that has come under active exploitation in the wild. Additional details about the flaw are currently unavailable.
SonicWall warned customers today to urgently patch multiple critical vulnerabilities impacting the company's Global Management System firewall management and Analytics network reporting engine software suites. "This suite of vulnerabilities, which was responsibly disclosed, includes four vulnerabilities with a CVSSv3 rating of CRITICAL, that allow an attacker to bypass authentication and could potentially result in exposure of sensitive information to an unauthorized actor," SonicWall said.
Ghostscript, an open-source interpreter for PostScript language and PDF files widely used in Linux, has been found vulnerable to a critical-severity remote code execution flaw. The flaw is tracked as CVE-2023-3664, having a CVSS v3 rating of 9.8, and impacts all versions of Ghostscript before 10.01.2, which is the latest available version released three weeks ago.
Fortinet has disclosed a critical severity flaw impacting FortiOS and FortiProxy, allowing a remote attacker to perform arbitrary code execution on vulnerable devices. "A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection," warns Fortinet in a new advisory.
The second-ever Apple Rapid Security Response just came out. The last point above is surprisingly important, given that Apple absolutely will not allow you to uninstall full-on system updates to your iPhones or iPads, even if you find that they cause genuine trouble and you wish you hadn't applied them in the first place.
VMware warned customers today that exploit code is now available for a critical vulnerability in the VMware Aria Operations for Logs analysis tool, which helps admins manage terabytes worth of app and infrastructure logs in large-scale environments. Recently, VMware issued another alert about a now-patched critical bug in VMware Aria Operations for Networks, allowing remote command execution as the root user and being actively exploited in attacks.
Mastodon, the free and open-source decentralized social networking platform, has patched four vulnerabilities, one of them critical, that allows hackers to create arbitrary files on the server using specially crafted media files. Mastodon has about 8.8 million users spread across 13,000 separate servers hosted by volunteers to support distinct yet interconnected communities.
Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, popular software used for secure file transfer. The identified SQL injection vulnerability, tagged as CVE-2023-36934, could potentially allow unauthenticated attackers to gain unauthorized access to the MOVEit Transfer database.
Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks. Mastodon is known for its federated model, consisting of thousands of separate servers called "Instances," and it has over 14 million users across more than 20,000 instances.