Security News

A set of five security vulnerabilities have been disclosed in the Terrestrial Trunked Radio standard for radio communication used widely by government entities and critical infrastructure sectors, including what's believed to be an intentional backdoor that could have potentially exposed sensitive information. "Depending on infrastructure and device configurations, these vulnerabilities allow for real time decryption, harvest-now-decrypt-later attacks, message injection, user deanonymization, or session key pinning," the Netherlands-based cybersecurity company said.

Multiple security flaws have been disclosed in Apache OpenMeetings, a web conferencing solution, that could be potentially exploited by malicious actors to seize control of admin accounts and run malicious code on susceptible servers. "The acquired admin privileges can further be leveraged to exploit another vulnerability allowing attackers to execute arbitrary code on the Apache OpenMeetings server."

Newly discovered vulnerabilities in distributed control systems could allow attackers access to systems supporting industrial, energy, chemical and other operations. Security company Armis, in collaboration with operational technology company Honeywell, identified new vulnerabilities in Honeywell Experion distributed control system platforms.

Attackers are exploiting two Adobe ColdFusion vulnerabilities to breach servers and install web shells to enable persistent access and allow remote control of the system, according to Rapid7 researchers. CVE-2023-29298, a critical improper access control flaw that could allow attackers to bypass a security feature CVE-2023-29300, a deserialization of untrusted data that could be exploited for arbitrary code execution CVE-2023-29301, another security feature bypass vulnerability.

Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. The Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot.

Rockwell Automation has fixed two vulnerabilities in the communication modules of its ControlLogix industrial programmable logic controllers, ahead of expected in-the-wild exploitation. "An unreleased exploit capability leveraging these vulnerabilities is associated with an unnamed APT group," industrial cybersecurity company Dragos has stated on Wednesday.

The numerical score can be represented as a qualitative severity rating to help organizations properly assess and prioritize their vulnerability management processes and prepare defences against cyber-attacks.CVSS version 1 was released in February 2005, developed then by a small group of pioneers with the aim of industry-wide adoption, with FIRST appointed that April to drive the future development of what would become a critical tool in the sector's arsenal.

SonicWall on Wednesday urged customers of Global Management System firewall management and Analytics network reporting engine software to apply the latest fixes to secure against a set of 15 security flaws that could be exploited by a threat actor to circumvent authentication and access sensitive information. "The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve," SonicWall said.

Microsoft on Tuesday released updates to address a total of 130 new security flaws spanning its software, including six zero-day flaws that it said have been actively exploited in the wild. The Windows makers said it's aware of targeted attacks against defense and government entities in Europe and North America that attempt to exploit CVE-2023-36884 by using specially-crafted Microsoft Office document lures related to the Ukrainian World Congress, echoing the latest findings from BlackBerry.

Oxeye has uncovered two critical security vulnerabilities and recommends immediate action to mitigate risk. The vulnerabilities were discovered in Owncast and EaseProbe, two open-source platforms written in Go. Owncast vulnerability.