Security News

Cybersecurity researchers have identified a number of security shortcomings in photovoltaic system management platforms operated by Chinese companies Solarman and Deye that could enable malicious actors to cause disruption and power blackouts. "If exploited, these vulnerabilities could allow an attacker to control inverter settings that could take parts of the grid down, potentially causing blackouts," Bitdefender researchers said in an analysis published last week.

Microsoft said it is developing security updates to address two loopholes that it said could be abused to stage downgrade attacks against the Windows update architecture and replace current versions of the Windows files with older versions. The second vulnerability also concerns a case of privilege escalation in Windows systems that support VBS, effectively allowing an adversary to replace current versions of Windows system files with outdated versions.

A researcher has developed a downgrade attack that can make Windows machines covertly, persistently and irreversibly vulnerable, even if they were fully patched before that. A downgrade attack exploiting the Windows Update process.

The study uncovered that OT and IoT cellular routers and those used in small offices and homes contain outdated software components associated with known vulnerabilities. The research showed that widely used OT/IoT router firmware images have, on average, 20 exploitable n-day vulnerabilities affecting the kernel, leading to increasing security risks.

The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The...

Cybersecurity researchers have uncovered security shortcomings in SAP AI Core cloud-based platform for creating and deploying predictive artificial intelligence workflows that could be exploited to get hold of access tokens and customer data. "The vulnerabilities we found could have allowed attackers to access customers' data and contaminate internal artifacts - spreading to related services and other customers' environments," security researcher Hillai Ben-Sasson said in a report shared with The Hacker News.

CISA and the FBI urged software companies on Wednesday to review their products and eliminate path OS command injection vulnerabilities before shipping. "OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS," today's joint advisory explains.

Google has launched kvmCTF, a new vulnerability reward program first announced in October 2023 to improve the security of the Kernel-based Virtual Machine hypervisor that comes with $250,000 bounties for full VM escape exploits. An active and key KVM contributor, Google developed kvmCTF as a collaborative platform to help identify and fix vulnerabilities, bolstering this vital security layer.

Last year alone, over 30,000 new vulnerabilities were published, with a new vulnerability emerging approximately every 17 minutes - averaging 600 new vulnerabilities per week, according to Skybox Security. The report highlights a critical gap in remediation efforts, with the average time to patch exceeding 100 days, contrasted against the finding that 75% of new vulnerabilities are exploited in 19 days or less.