Security News

Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw
2024-05-07 17:07

Nearly 52,000 internet-exposed Tinyproxy instances are vulnerable to CVE-2023-49606, a recently disclosed critical remote code execution flaw. Cisco warned at the time that despite its efforts to alert Tinyproxy's developers of the critical flaw, it received no response, and no patch was available for users to download. On Saturday, Censys reported seeing 90,000 internet-exposed Tinyproxy services online, of which about 57% were vulnerable to CVE-2023-49606.

Bug hunters can get up to $450,000 for an RCE in Google’s Android apps
2024-05-03 14:13

Google has drastically increased the rewards bug hunters can get for reporting vulnerabilities in Android apps it develops and maintains. "We increased reward amounts by up to 10x in some categories," Google information security engineer Kristoffer Blasiak has pointed out.

Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks
2024-05-03 04:50

HPE Aruba Networking (formerly Aruba Networks) has released security updates to address critical flaws impacting ArubaOS that could result in remote code execution (RCE) on affected systems. Of...

HPE Aruba Networking fixes four critical RCE flaws in ArubaOS
2024-05-01 22:31

HPE Aruba Networking has issued its April 2024 security advisory detailing critical remote code execution vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.ArubaOS 10.5.1.0 and below, 10.4.1.0 and older, 8.11.2.1 and below, and 8.10.0.10 and older.

Google now pays up to $450,000 for RCE bugs in some Android apps
2024-04-30 18:33

Google has increased rewards for reporting remote code execution vulnerabilities within select Android apps by ten times, from $30,000 to $300,000, with the maximum reward reaching $450,000 for exceptional quality reports. The list of in-scope apps includes Google Play Services, the Android Google Search app, Google Cloud, and Gmail.

Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs
2024-04-09 17:34

Today is Microsoft's April 2024 Patch Tuesday, which includes security updates for 150 flaws and sixty-seven remote code execution bugs. More than half of the RCE flaws are found within Microsoft SQL drivers, likely sharing a common flaw.

Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks
2024-04-08 22:17

Attackers are now actively targeting over 92,000 end-of-life D-Link Network Attached Storage devices exposed online and unpatched against a critical remote code execution zero-day flaw. Mirai variants are usually designed to add infected devices to a botnet that can be used in large-scale distributed denial-of-service attacks.

New Ivanti RCE flaw may impact 16,000 exposed VPN gateways
2024-04-05 17:40

Approximately 16,500 Ivanti Connect Secure and Poly Secure gateways exposed on the internet are likely vulnerable to a remote code execution flaw the vendor addressed earlier this week. The flaw is tracked as CVE-2024-21894 and is a high-severity heap overflow in the IPSec component of Ivanti Connect Secure 9.x and 22.x, potentially allowing unauthenticated users to cause denial of service or achieve RCE by sending specially crafted requests.

Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks
2024-04-03 17:29

While Ivanti said the remote code execution risks are limited to "Certain conditions," the company didn't provide details on the vulnerable configurations. "We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure," Ivanti added.

CISA tags Microsoft SharePoint RCE bug as actively exploited
2024-03-27 16:24

CISA warns that attackers are now exploiting a Microsoft SharePoint code injection vulnerability that can be chained with a critical privilege escalation flaw for pre-auth remote code execution attacks. These two SharePoint Server security vulnerabilities can be chained by unauthenticated attackers to gain RCE on unpatched servers, as STAR Labs researcher Nguyễn Tiến Giang demonstrated during last year's March 2023 Pwn2Own contest in Vancouver.