Security News

Microsoft on Wednesday acknowledged that a newly disclosed critical security flaw in Exchange Server has been actively exploited in the wild, a day after it released fixes for the vulnerability as...

QNAP Systems has patched two unauthenticated OS command injection vulnerabilities in various versions of the operating systems embedded in the firmware of their popular network-attached storage devices. "Prior to the publication of CVE-2023-47565, Unit 42 researchers initially suspected the ATP-observed vulnerability to affect QNAP NAS systems running QTS firmware. However, on November 17, 2023, Unit 42 conducted reverse engineering and additional investigation of QTS firmware images and discovered the vulnerability now known as CVE-2023-50358. The two vulnerabilities are somewhat similar, but affect different software components in different classes of devices."

On February 2024 Patch Tuesday, Microsoft has delivered fixes for 72 CVE-numbered vulnerabilities, including two zero-days that are being leveraged by attackers in the wild. CVE-2024-21412 allows attackers to bypass the Microsoft Defender SmartScreen security feature with booby-trapped Internet Shortcut files.

Hackers are actively exploiting a vulnerability in Ivanti Connect Secure, Policy Secure and Neurons for ZTA to inject a "Previously unknown and interesting backdoor" dubbed DSLog. Ivanti disclosed CVE-2024-21893 - a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure, Policy Secure and Neurons for ZTA - in late January, when it issued patches for affected devices.

CVE-2023-43770, a vulnerability in the Roundcube webmail software that has been fixed in September 2023, is being exploited by attackers in the wild, CISA has warned by adding the vulnerability to its Known Exploited Vulnerabilities catalog. CVE-2023-43770 is a vulnerability that allows attackers to mount cross-site scripting attacks through specially crafted links in plain text email messages.

Fortinet has patched critical remote code execution vulnerabilities in FortiOS, one of which is "Potentially" being exploited in the wild. The exploitation-in-the-wild has been confirmed by CISA, by adding it to its Known Exploited Vulnerabilities catalog, though details about the attacks are still undisclosed.

NVD published two advisories this week for critical command injection vulnerabilities purportedly impacting Fortinet's FortiSIEM products, but there's more to what meets the eye. BleepingComputer has confirmed that these CVEs are not "New," but duplicates of a previously known FortiSIEM vulnerability and were issued in error.

JetBrains has patched a critical authentication bypass vulnerability affecting TeamCity On-Premises continuous integration and deployment servers. CVE-2024-23917 could allow an unauthenticated threat actor with HTTP(S) access to a TeamCity server to bypass authentication controls and gain administrative privileges on the server.

CVE-2024-21893, a server-side request forgery vulnerability affecting Ivanti Connect Secure VPN gateways and Policy Secure, is being exploited by attackers.Its existence, along with that of CVE-2024-21888, a privilege escalation vulnerability affecting the same Ivanti Connect Secure and Policy Secure versions, was revealed by Ivanti in late January.

Five days after Mastodon developers pushed out fixes for a remotely exploitable account takeover vulnerability, over 66% of Mastodon servers out there have been upgraded to close the hole. Mastodon is open-source software for running self-hosted social networking services within the wider Fediverse.