Security News
Separately, the Cybersecurity and Infrastructure Security Agency in October warned that APT groups are exploiting the MobileIron flaw in combination with the severe Microsoft Windows Netlogon/Zerologon vulnerability. The flaw, first reported to MobileIron by Orange Tsai from DEVCORE, could allow an attacker to execute remote exploits without authentication.
The UK National Cyber Security Centre issued an alert yesterday, prompting all organizations to patch the critical CVE-2020-15505 remote code execution vulnerability in MobileIron mobile device management systems. NCSC is warning that they are aware of hacking groups actively using the MobileIron CVE-2020-1550 vulnerability to compromise the networks in the healthcare, local government, logistics, and legal sectors.
A security vulnerability in the infrastructure underlying Germany's official COVID-19 contact-tracing app, called the Corona-Warn-App, would have allowed pre-authenticated remote code execution. Researcher Alvaro Muñoz wrote in a report this week that he and his team at GitHub Security Lab was chasing down RCE vulnerabilities on the platform and found one in the infrastructure supporting CWA for Android and OS. The team said it worked with SAP to mitigate the issue, adding as a server-side issue, the mobile apps themselves were not impacted, and that no data was collected beyond a device's IP address.
Millions of malicious scans are rolling across the internet, looking for known vulnerabilities in the Epsilon Framework for building WordPress themes, according to researchers. "The security flaws on WordPress websites in themes using the Epsilon Framework are just another example of this content management system's inherent security risks," said Ameet Naik, security evangelist at PerimeterX, via email.
Cisco has published multiple security advisories concerning critical flaws in Cisco Security Manager a week after the networking equipment maker quietly released patches with version 4.22 of the platform. The flaws were responsibly reported to Cisco's Product Security Incident Response Team three months ago, on July 13.
The update patches a high-severity bug, which could allow a remote unauthenticated attacker to take over a targeted website via a narrowly tailored denial-of-service attack. Of the ten security bugs patched by WordPress a standout flaw, rated high-severity, could be exploited to allow an unauthenticated attacker to execute remote code on systems hosting the vulnerable website.
The flaw in the console component of the WebLogic Server, CVE-2020-14882, is under active attack, researchers warn. If an organization hasn't updated their Oracle WebLogic servers to protect them against a recently disclosed RCE flaw, researchers have a dire warning: "Assume it has been compromised."
A critical and easily exploitable remote code execution vulnerability in Oracle WebLogic Server is being targeted by attackers, SANS ISC has warned. Oracle WebLogic is a Java EE application server that is part of Oracle's Fusion Middleware portfolio and supports a variety of popular databases.
UPDATE. Link previews in popular chat apps on iOS and Android are a firehose of security and privacy issues, researchers have found. When a user sends a link through, it renders a short summary and a preview image in-line in the chat, so other users don't have to click the link to see what it points to.
One flaw exists in Microsoft's Visual Studio Code is a free source-code editor made by Microsoft for Windows, Linux and macOS. The other is in the Microsoft Windows Codecs Library; the codecs module provides stream and file interfaces for transcoding data in Windows programs. According to Microsoft, one "Important" severity flaw stems from the way that Microsoft Windows Codecs Library handles objects in memory.