Security News

ASUS has released new firmware with cumulative security updates that address vulnerabilities in multiple router models, warning customers to immediately update their devices or restrict WAN access until they're secured.As the company explains, the newly released firmware contains fixes for nine security flaws, including high and critical ones.

Two "Dangerous" security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could have been exploited to carry out cross-site scripting attacks. "The vulnerabilities allowed unauthorized access to the victim's session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorized data access, unauthorized modifications, and disruption of the Azure services iframes," Orca security researcher Lidor Ben Shitrit said in a report shared with The Hacker News.

Progress Software, the company behind the MOVEit Transfer application, has released patches to address brand new SQL injection vulnerabilities affecting the file transfer solution that could enable the theft of sensitive information. "Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database," the company said in an advisory released on June 9, 2023.

VMware has released security updates to fix a trio of flaws in Aria Operations for Networks that could result in information disclosure and remote code execution. The most critical of the three vulnerabilities is a command injection vulnerability tracked as CVE-2023-20887 that could allow a malicious actor with network access to achieve remote code execution.

VMware issued multiple security patches today to address critical and high-severity vulnerabilities in VMware Aria Operations for Networks, allowing attackers to gain remote execution or access sensitive information. Previously known as vRealize Network Insight, this network visibility and analytics tool helps admins optimize network performance or manage and scale various VMware and Kubernetes deployments.

Prism Infosec has identified two high-risk vulnerabilities within the Aspect Control Engine building management system developed by ABB. ABB's Aspect BMS enables users to monitor a building's performance and combines real-time integrated control, supervision, data logging, alarming, scheduling and network management functions with internet connectivity and web serving capabilities. During a recent security testing engagement on behalf of a client, researchers discovered an ABB Aspect appliance and that the BMS was misconfigured to be publicly available over the internet.

The report offers a look back - and forward - at some of the most significant vulnerability patterns of the past year to help security and business leaders focus discovery, management, and remediation efforts on the riskiest vulnerabilities most likely to exist on their attack surface. The report analyzed over 300,000 anonymized findings from thousands of pentest engagements, spanning more than 240,000 hours of testing, to identify the most prevalent vulnerabilities across various industries - which include healthcare, retail, finance, and manufacturing.

Zyxel is warning customers of two critical-severity vulnerabilities in several of its firewall and VPN products that attackers could leverage without authentication. CVE-2023-33009: A buffer overflow vulnerability in the notification function in some Zyxel products, allowing an unauthenticated attacker to perform remote code execution or impose DoS conditions.

Ransomware groups are continuously weaponizing vulnerabilities and adding them to their arsenal to mount crippling and disruptive attacks on their victims. In Q1 2023, researchers identified 12 vulnerabilities newly associated with ransomware.

Apple on Thursday rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address three new zero-day flaws that it said are being actively exploited in the wild. An anonymous researcher has been acknowledged for reporting the other two issues.