Security News

Cisco has patched a cross-site scripting vulnerability in two VPN routers it sells to small businesses and branch offices. By default, the management feature is disabled for remote users, though it is enabled for people on the same LAN. "A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information," Cisco explained in its advisory yesterday.

Netgear has now patched 28 out of 79 vulnerable router models, six months after infosec researchers first noticed security problems potentially allowing an attacker to remotely execute code as root. Over the past few weeks Netgear has been pushing out fixes, having so far plugged problems with 28 of the 79 models it says are affected by the unwanted remote-superuser flaw.

UPDATED. Researchers this week said they discovered an unpatched, zero-day vulnerability in firmware for Netgear routers that put 79 device models at risk for full takeover, they said. The flaw, a memory-safety issue present in the firmware's httpd web server, allows attackers to bypass authentication on affected installations of Netgear routers, according to two separate reports: One on the Zero Day Initiative by a researcher called "d4rkn3ss" from the Vietnam Posts and Telecommunications Group; and a separate blog post by Adam Nichols of cybersecurity firm Grimm.

Cisco is warning of three high-severity flaws in its popular Webex web conferencing app, including one that could allow an unauthenticated attacker to remotely execute code on impacted systems. "An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site," according to Cisco's security update.

D-Link is urging customers to replace its now obsolete line of DIR-865L Wireless Routers in reaction to a recently discovered critical command-injection bug that leaves users open to a denial-of-service attack. "The vulnerabilities were found in the DIR-865L model of D-Link routers, which are meant for home network use," researchers wrote.

D-Link is urging customers to replace its now obsolete line of DIR-865L Wireless Routers in reaction to a recently discovered critical command-injection bug that leaves users open to a denial-of-service attack. "The vulnerabilities were found in the DIR-865L model of D-Link routers, which are meant for home network use," researchers wrote.

Cisco this week announced that it has patched tens of vulnerabilities in its IOS software, including a dozen security flaws that impact the company's industrial routers and switches. A dozen vulnerabilities appear to impact the company's industrial products.

Cisco has fixed more than two dozen critical and high-severity security vulnerabilities affecting operating systems running on the company's carrier-grade and industrial routers and switches. Cisco IOS - a family of network operating systems used on many Cisco Systems routers and network switches.

GhostDNS is used to compromise a wide range of routers to facilitate phishing - perhaps more accurately, pharming - for banking credentials. Malvertising allows the EK to directly attack the router from a computer that uses the router.

The flaw exists in Cisco IOS XE. This Linux-based version of Cisco's Internetworking Operating System is used in Cisco software-defined wide area network routers. In March, Cisco issued 24 patches tied to vulnerabilities in its IOS XE operating system.