Articles tagged with: #patch-management
0-Click Zendesk Account Takeover Vulnerability Enables Access to all Zendesk Tickets

Cyber Security News cybersecuritynews.com

A critical security vulnerability has been discovered in Zendesk's Android SDK implementation that allows attackers to perform mass account takeovers without any user interaction. The flaw, which earned a $3,000 bug bounty payout, stems from predictable token generation mechanisms that enable unauthorized access to all Zendesk support tickets across affected organizations. Key Takeaways: 1. Predictable JWT

HTB Authority Machine Walkthrough | Easy HackTheBox Guide for Beginners

cybersecurity www.reddit.com

I wrote a detailed walkthrough for the HackTheBox machine Authority, which showcases cracking password-protected files and password reuse vulnerabilities and, for privilege escalation, one of the most common and easiest vulnerabilities in Active Directory Certificate ESC1, and also extracting the public and private key from the administrator certificate and using it for other services. Perfect for beginners...

Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations

The Hacker News thehackernews.com

Security Information and Event Management (SIEM) systems act as the primary tools for detecting suspicious activity in enterprise networks, helping organizations identify and respond to potential attacks in real time. However, the new Picus Blue Report 2025, based on over 160 million real-world attack simulations, revealed that organizations are only detecting 1 out of 7 simulated attacks,

Critical Tableau Server Vulnerability Let Attackers Upload Malicious Files

Cyber Security News cybersecuritynews.com

A critical security flaw in Tableau Server could enable attackers to upload and execute malicious files, potentially leading to complete system compromise. The vulnerability, tracked as CVE-2025-26496 with a CVSS score of 9.6, affects multiple versions of both Tableau Server and Tableau Desktop across Windows and Linux platforms. Key Takeaways: 1. Tableau Server allows malicious file

Building a Vulnerability Management Program From Scratch

cybersecurity www.reddit.com

Hey everyone, I've recently been tasked with building a vulnerability management program from zero at my company, and I'd love to hear how others here have structured theirs. For context, we have a mid to large scale IT operations system including Cloud, Endpoint, Compliance, SOC, IAM, etc. and the current plan is to build the process top-down. My focus will be to create a baseline + questionnaire (5 - 10 questions for each stakeholder team) to capture expectations, develop an Incident...

PoC Exploit & Vulnerability Analysis Released for Apple 0-Day RCE Vulnerability

Cyber Security News cybersecuritynews.com

A detailed proof-of-concept exploit and comprehensive vulnerability analysis have been released for CVE-2025-43300, a critical zero-click remote code execution flaw affecting Apple's image processing infrastructure. The vulnerability, discovered in Apple's implementation of JPEG Lossless Decompression within the RawCamera.bundle, allows attackers to achieve code execution without any user interaction through maliciously crafted DNG (Digital Negative) files.

Targeted Nakamoto: A Bitcoin Protocol to Balance Network Security and Carbon Emissions

cs.CR updates on arXiv.org arxiv.org

arXiv:2405.15089v4 Announce Type: replace Abstract: In a Proof-of-Work blockchain such as Bitcoin mining hashrate is increasing in the block reward. An increase in hashrate reduces network vulnerability to attack (a reduction in security cost) while increasing carbon emissions and electricity cost (an increase in externalities cost). This implies a tradeoff in total cost at different levels of hashrate and the existence of a hashrate interval where total cost is minimized. Targeted Nakamoto is...

Towards Stealthy and Effective Backdoor Attacks on Lane Detection: A Naturalistic Data Poisoning Approach

cs.CR updates on arXiv.org arxiv.org

arXiv:2508.15778v1 Announce Type: new Abstract: Deep learning-based lane detection (LD) plays a critical role in autonomous driving and advanced driver assistance systems. However, its vulnerability to backdoor attacks presents a significant security concern. Existing backdoor attack methods on LD often exhibit limited practical utility due to the artificial and conspicuous nature of their triggers. To address this limitation and investigate the impact of more ecologically valid backdoor...

Weekly Cybersecurity News Recap : Apple 0-day, Chrome, Copilot Vulnerabilities and Cyber Attacks

Cyber Security News cybersecuritynews.com

This past week was packed with high-severity disclosures and active exploitation reports across the global threat landscape. At the forefront, Apple rushed out emergency patches for yet another zero-day vulnerability affecting iOS, iPadOS, and macOS devices. The flaw, reportedly being exploited in the wild, highlights the continued trend of nation-state and surveillance actors leveraging critical

Heads up if you admin FortiWeb (CVE-2025-52970)

cybersecurity www.reddit.com

FortiWeb has recently released details of a vulnerability (CVE-2025-52970) - for which a technical exploit write-up exists but no public POC as of yet. Someone has now reversed the write-up and is actively attempting exploitation. I run a set of FortiWeb honeypots and got detections on this on three separate honeypots: GET /api/v2.0/system/status.systemstatus HTTP/1.1 Host: xxxxxxx User-Agent: Mozilla/5.0 (CentOS; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0...

Sneaking Invisible Instructions by Developers in Windsurf

Embrace The Red embracethered.com

Imagine a malicious instruction hidden in plain sight, invisible to you but not to the AI. This is a vulnerability discovered in Windsurf Cascade: it follows invisible instructions. This means there can be instructions in a file or in the result of a tool call that the developer cannot see, but the LLM does. Some LLMs interpret invisible Unicode Tag characters as instructions, which can lead to hidden prompt injection. As far as I can tell the Windsurf SWE-1 model can also "see" these invisible...

Microsoft Confirms August 2025 Update Causes Severe Lag in Windows 11 24H2, and Windows 10

Cyber Security News cybersecuritynews.com

Microsoft has officially confirmed that its August 2025 security update is causing significant performance problems for users of NDI (Network Device Interface) technology. Content creators, broadcasters, and IT professionals who installed the update are reporting severe lag, stuttering, and choppy audio/video when streaming between PCs, effectively disrupting production workflows that rely on the popular IP

CISA Warns of Apple iOS, iPadOS, and macOS 0-day Vulnerability Exploited in Attacks

Cyber Security News cybersecuritynews.com

CISA has issued an urgent warning regarding a critical zero-day vulnerability affecting Apple's iOS, iPadOS, and macOS operating systems that threat actors are actively exploiting. The vulnerability, tracked as CVE-2025-43300, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, signaling immediate action is required from organizations and individual users to protect their systems from

Azure's Default API Connection Vulnerability Enables Full Cross-Tenant Compromise

Cyber Security News cybersecuritynews.com

A critical vulnerability in Microsoft Azure's API Connection infrastructure enabled attackers to compromise resources across different Azure tenants worldwide. The flaw, which earned Gulbrandsrud a $40,000 bounty and a Black Hat presentation slot, exploited Azure's shared API Management (APIM) instance architecture to gain unauthorized access to Key Vaults, Azure SQL databases, and third-party services like