Vulnerabilities
Vulnerabilities | News, how-tos, features, reviews, and videos
Supply chain attacks increased over 600% this year and companies are falling behind
Most companies believe they are using no open-source software libraries with known vulnerabilities, but new research finds them in 68% of selected enterprise applications.
Researchers extract master encryption key from Siemens PLCs
Global encryption keys were hardcoded on some programmable logic controller product lines. Siemens recommends upgrading all affected devices.
North Korea’s Lazarus group uses vulnerable Dell driver to blind security solutions
This first known exploit of the Dell vulnerability might inspire other malware developers who want to avoid detection of their code.
Microsoft mitigation for new Exchange Server zero-day exploits can be bypassed
No permanent fix for the Exchange Server vulnerabilities is yet available, but other steps can mitigate the risk.
![Digital bugs amid binary code. [security threats / malware / breach / hack / attack]](https://images.idgesg.net/images/article/2020/09/digital_bugs_amid_binary_code_security_threats_malware_breach_hack_attack_by_whatawin_gettyimages-1188254819_2400x1600-100858616-small.3x2.jpg?auto=webp&quality=85,70)
11 old software bugs that took way too long to squash
As these examples show, vulnerabilities can lurk within production code for years or decades—and attacks can come at any time.
Cyberespionage group developed backdoors tailored for VMware ESXi hypervisors
A possibly new threat actor packaged and deployed backdoors as vSphere Installation Bundles, gaining remote code execution and persistence capabilities.
Zoho ManageEngine flaw is actively exploited, CISA warns
Threat actors are exploiting unpatched ManageEngine instances. CISA adds the vulnerability to its catalog and Zoho urges customers to check their deployments.
Most common SAP vulnerabilities attackers try to exploit
Unpatched systems, misconfigurations and vulnerable custom code are making SAP environments a top target for cyberattacks.
The Heartbleed bug: How a flaw in OpenSSL caused a security crisis
Heartbleed is a vulnerability in OpenSSL that came to light in April of 2014; it can be traced to a single line of code.
Up to 35% more CVEs published so far this year compared to 2021
A new report shows that significantly more CVEs will be published this year, and that some organizations are still vulnerable from older, unpatched CVEs.
Why patching quality, vendor info on vulnerabilities are declining
It's getting harder to assess the impact of patching or not patching, and too many patches don't fully fix the problem. It's time to pressure vendors.
New exploits can bypass Secure Boot and modern UEFI security protections
Two research groups demonstrate PC firmware vulnerabilities that are difficult to mitigate and likely to be exploited in the wild.
37 hardware and firmware vulnerabilities: A guide to the threats
Meltdown and Spectre raised the alarm over vulnerabilities that attackers can exploit in popular hardware and its firmware. This list, though not comprehensive, presents the most significant threats.
CISA releases IOCs for attacks exploiting Log4Shell in VMware Horizon and UAG
The investigation by the federal agency shows not only the indicators of compromise but also the reasons why the Log4j vulnerability will persist indefinitely.
Flashpoint says its VulnDB records vulnerabilities that MITRE CVE missed
Flashpoint reports that its vulnerability database recorded 11,860 cybersecurity vulnerability disclosures for the first half of 2022, 27.3 % of which were missed or not detailed by MITRE's CVE system.
July was a hot month for cybersecurity research
Malware-laden Google Play apps, a Russian hijack of cloud storage services, and “flaws” that aren’t really flaws in the Okta platform all made for interesting security research this month.
GPS trackers used for vehicle fleet management can be hijacked by hackers
At least one model of GPS tracking devices made by Chinese firm MiCODUS "lacks basic security protections needed to protect users from serious security issues."
10 industry-defining security incidents from the last decade
From Heartbleed to Apache Struts to SolarWinds, these are the 10 watershed security incidents of the past 10 years.
Cyber Safety Review Board warns that Log4j event is an “endemic vulnerability”
The CSRB report predicts the Log4J risk will continue for years and offers best practices for mitigating the threat.
