Security News

Essential Addons for Elementor, a popular WordPress plugin used in over a million sites, has been found to have a critical remote code execution vulnerability in version 5.0.4 and older. The flaw allows an unauthenticated user to perform a local file inclusion attack, such as a PHP file, to execute code on the site.

Exploit broker Zerodium has announced a pay jump to 400,000 for zero-day vulnerabilities that allow remote code execution in Microsoft Outlook email client. Zerodium's regular bounty for RCE vulnerability in Microsoft Outlook for windows is $250,000, expected to be "Accompanied by a fully functional and reliable exploit."

Researchers have discovered two critical bugs in Control Web Panel - a popular web hosting management software used by 200K+ servers - that could allow for remote code execution as root on vulnerable Linux servers. CWP, formerly known as CentOS Web Panel, is an open-source Linux control panel software used for creating and managing web hosting environments.

Successful exploitation can let remote unauthenticated attackers execute code as the 'nobody' user in compromised SonicWall appliances. "There are no temporary mitigations. SonicWall urges impacted customers to implement applicable patches as soon as possible," the company said in December after releasing CVE-2021-20038 security updates adding that it found no evidence the bug was exploited in the wild at the time.

There's a dangerous remote-code execution bug in the Dark Souls video game that could let attackers brick the PCs of online players. The main problem is with Dark Souls III, but the remote code-execution vulnerability also affects earlier games in the Dark Soul series, leading the developers to temporarily turn off player-versus-player servers across Dark Souls Remastered, Dark Souls II and Dark Souls III. PvP refers to players being able to interact and duel with each other.

Bandai Namco has deactivated the online PvP mode for the Dark Souls role-playing game, taking its servers offline to investigate reports about a severe security issue that may pose a risk to players. The issue became widely known on Saturday in a post on Discord clarifying that the game developer received details about the RCE vulnerability in a responsible disclosure report straight from the person who discovered it.

Researchers have disclosed details of two critical security vulnerabilities in Control Web Panel that could be abused as part of an exploit chain to achieve pre-authenticated remote code execution on affected servers. Tracked as CVE-2021-45467, the issue concerns a case of a file inclusion vulnerability, which occurs when a web application is tricked into exposing or running arbitrary files on the web server.

Cisco Systems has rolled out fixes for a critical security flaw affecting Redundancy Configuration Manager for Cisco StarOS Software that could be weaponized by an unauthenticated, remote attacker to execute arbitrary code and take over vulnerable machines. "An attacker could exploit this vulnerability by connecting to the device and navigating to the service with debug mode enabled," Cisco said in an advisory.

Phishers are targeting Office 365 users by exploiting Adobe CloudPhishers are creating Adobe Creative Cloud accounts and using them to send phishing emails capable of thwarting traditional checks and some advanced threat protection solutions, Avanan security researcher Jeremy Fuchs warns. Microsoft fixes wormable RCE in Windows Server and WindowsThe first Patch Tuesday of 2022 is upon us, and Microsoft has delivered patches for 96 CVE-numbered vulnerabilities, including a wormable RCE flaw in Windows Server.

Researchers have disclosed a security flaw affecting H2 database consoles that could result in remote code execution in a manner that echoes the Log4j "Log4Shell" vulnerability that came to light last month. The issue, tracked as CVE-2021-42392, is the " first critical issue published since Log4Shell, on a component other than Log4j, that exploits the same root cause of the Log4Shell vulnerability, namely JNDI remote class loading," JFrog researchers Andrey Polkovnychenko and Shachar Menashe said.