Security News

Zimbra has warned of a critical zero-day security flaw in its email software that has come under active exploitation in the wild. Additional details about the flaw are currently unavailable.

Details have emerged about a now-patched actively exploited security flaw in Microsoft Windows that could be abused by a threat actor to gain elevated privileges on affected systems. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft disclosed in an advisory issued last month as part of Patch Tuesday updates.

Microsoft has officially linked the ongoing active exploitation of a critical flaw in the Progress Software MOVEit Transfer application to a threat actor it tracks as Lace Tempest. "Exploitation is often followed by deployment of a web shell with data exfiltration capabilities," the Microsoft Threat Intelligence team said in a series of tweets today.

Security researchers and the US government have sounded the alarm on a flaw in Progress Software's MOVEit Transfer that criminals have been "Mass exploiting" for at least a month to break into IT environments and steal data. There's now MOVEit Transfer 2023.0.1, 2022.1.5, 2022.0.4, 2021.1.4, and 2021.0.6 available to fix the insecure code.

Apple has issued a bushel of security updates and warned that three of the flaws it's fixed are under active attack. The three are CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, all of which impact the WebKit browser engine that Apple champions and employs in its Safari browser - and demands be used by other browsers on iOS. CVE-2023-32409 means "A remote attacker may be able to break out of Web Content sandbox." Clément Lecigne of Google's Threat Analysis Group and Donncha Cearbhaill of Amnesty International's Security Lab found the flaw - who knew Amnesty did that?

A security vulnerability has been disclosed in the popular WordPress plugin Essential Addons for Elementor that could be potentially exploited to achieve elevated privileges on affected sites. Successful exploitation of the flaw could permit a threat actor to reset the password of any arbitrary user as long as the malicious party is aware of their username.

The U.S. Cybersecurity and Infrastructure Security Agency has added three flaws to the Known Exploited Vulnerabilities catalog, based on evidence of active exploitation. The second flaw to be added to the KEV catalog is CVE-2021-45046, a remote code execution affecting the Apache Log4j2 logging library that came to light in December 2021.

Print management software provider PaperCut said that it has "Evidence to suggest that unpatched servers are being exploited in the wild," citing two vulnerability reports from cybersecurity company Trend Micro. "PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01:29 AEST / 13th April 15:29 UTC," it further added.

The U.S. Cybersecurity and Infrastructure Security Agency has added two vulnerabilities to its Known Exploited Vulnerabilities catalog, based on evidence of active exploitation. The development comes as tech news site Ars Technica disclosed late last month that Android apps digitally signed by China's e-commerce company Pinduoduo weaponized the flaw to seize control of the devices and steal sensitive data, citing analysis from mobile security firm Lookout.

When Adobe released security updates for its ColdFusion application development platform last month, it noted that one of the vulnerabilities had been exploited in the wild "In very limited attacks." CVE-2023-26360 is an improper access control vulnerability that could result in arbitrary code execution in the context of the current user, and was reported to Adobe by security consultants Charlie Arehart and Pete Freitag.