Security News

Security researchers have created exploit code for CVE-2022-24086, the critical vulnerability affecting Adobe Commerce and Magento Open Source that Adobe patched in an out-of-band update last Sunday. The vulnerability, which Adobe saw being "Exploited in the wild in very limited attacks," received a severity score of 9.8 out of 10; adversaries exploiting it can achieve remote code execution on affected systems without needing to authenticate.

Make sure that every site actually running Magento or Adobe Commerce has downloaded and applied Adobe's latest patches. Adobe has released security updates for Adobe Commerce and Magento Open Source.

Based on the fingerprint data it automatically collected, Sniper filters through a list of exploits to find the right match. If the target is exploitable, Sniper automatically extracts all the artefacts, capturing them in the output report.

Cisco has released patches for multiple vulnerabilities in the Small Business RV Series router platform that could allow remote attackers to gain complete control over the device, in many cases, without authentication. In total, there are fifteen vulnerabilities fixed by these security updates, with five of them rated as Critical as threat actors can use them to gain 'root' privileges or remotely execute commands on the device.

Security teams might have skipped January's Patch Tuesday after reports of it breaking servers, but it also included a patch for a privilege-escalation bug in Windows 10 that leaves unpatched systems open to malicious actors looking for administrative access. It's a bug that now has a proof-of-concept exploit available in the wild.

"Recently the QNAP Product Security Incident Response Team detected that cybercriminals are taking advantage of a patched vulnerability, described in the QNAP Security Advisory, to launch a cyberattack," the NAS maker said today. "On January 27, 2022, QNAP set the patched versions of system software as 'Recommended Version.' If auto update for 'Recommended Version' is enabled on your QNAP NAS, the system will automatically update to a certain OS version to enhance the security and protection of your QNAP NAS, mitigating the attack from criminals."

A security researcher has publicly disclosed an exploit for a Windows local privilege elevation vulnerability that allows anyone to gain admin privileges in Windows 10. The vulnerability affects all supported versions of Windows 10 before the January 2022 Patch Tuesday updates.

Cybersecurity company Kaspersky said it logged and blocked 30,562 attempts by hackers to use the Log4Shell exploit that was discovered in December 2021. Log4Shell is an exploit that targets Apache's Log4j library, which is used to log requests for Java applications.

Exploit broker Zerodium has announced a payout jump to $400,000 for zero-day vulnerabilities that allow remote code execution in the Microsoft Outlook email client. Zerodium's regular bounty for an RCE vulnerability in Microsoft Outlook for Windows is $250,000, and submissions are expected to be "Accompanied by a fully functional and reliable exploit."