Search results for: “network security”
-
Roundcube CVE-2025-68461: SVG XSS Vulnerability Enables Silent Email Account Takeover Through Malicious Animate Tags
Roundcube Webmail contains a Cross-Site Scripting vulnerability (CVE-2025-68461, CVSS 7.2) that enables attackers to hijack email accounts by sending malicious SVG files. The flaw exploits improper sanitization of SVG animate tags to execute JavaScript in victim browsers, granting full account access without credentials. Security patches are available for versions 1.5.12 and 1.6.12, but deployment lags…
-
SmarterTools SmarterMail CVE-2025-52691: Unauthenticated Arbitrary File Upload Enables Remote Code Execution on Email Gateways
SmarterTools SmarterMail CVE-2025-52691 (CVSS 10.0) allows unauthenticated attackers to upload arbitrary files to mail servers without authentication, enabling immediate remote code execution. Affects Build 9406 and earlier; patched in Build 9413 (Oct 9, 2025). Used by web hosting providers ASPnix, Hostek, simplehosting.ch managing thousands of customer domains.
-
IBM API Connect CVE-2025-13915: Critical Authentication Bypass Affecting Enterprise API Gateways at Major Financial and Telecom Organizations
IBM API Connect (CVSS 9.8) authentication bypass allows remote attackers to completely bypass login mechanisms and gain unauthorized access to centralized API gateways serving banks, airlines, and telecommunications companies. Affects versions 10.0.8.0-10.0.8.5, 10.0.11.0, 10.0.15.0 with no evidence of active exploitation yet.
-
n8n CVE-2025-68613: Expression Injection Enables Arbitrary Code Execution on 103,476 Workflow Automation Instances
A critical expression injection vulnerability in n8n workflow automation platform (CVSS 9.9) allows authenticated attackers to execute arbitrary code with process privileges. 103,476 exposed instances identified globally, with rapid patching required to prevent credential theft and lateral movement across integrated systems.
-
WatchGuard Fireware CVE-2025-14733: Out-of-Bounds Write in iked Enables Unauthenticated RCE on 117,490+ Exposed Firewalls
A critical out-of-bounds write vulnerability in WatchGuard Fireware OS allows unauthenticated remote attackers to execute arbitrary code on perimeter devices via malicious IKEv2 packets. 117,490 exposed instances globally, 35,600+ in the U.S., with active exploitation confirmed since December 2025.
-
RondoDox Botnet Exploits React2Shell CVSS 10.0 to Hijack 90,300+ IoT Devices and Web Servers
A sophisticated botnet campaign spanning nine months has targeted IoT devices and web applications worldwide, exploiting React2Shell CVE-2025-55182 (CVSS 10.0) as its primary initial access vector since December 2025. With 68,400 vulnerable instances in the U.S. alone, RondoDox systematically enrolls victims into cryptocurrency mining and botnet relay infrastructure.
-
Fortinet FortiOS CVE-2020-12812: Five-Year-Old 2FA Bypass Affecting 9,700+ Exposed Firewalls Under Active Exploitation
A five-year-old 2FA bypass vulnerability in Fortinet FortiOS continues to plague enterprise perimeter security. Over 9,700 unpatched FortiGate instances remain exposed globally as of January 2026, with active exploitation confirmed. An attacker can bypass two-factor authentication by simply altering username case and exploiting misconfigured LDAP group authentication—a trivial technique that has already been leveraged by…
-
Transparent Tribe APT36: Weaponized Shortcuts and Adaptive Persistence Target Indian Government Entities
Transparent Tribe (APT36) launches a sophisticated multi-stage malware campaign using weaponized Windows shortcut files embedded with PDF content, targeting Indian government and academic institutions. The RAT adapts its persistence mechanisms based on installed antivirus products, enabling long-term covert access and intelligence collection.
-
MongoDB MongoBleed CVE-2025-14847: Unauthenticated Memory Leak Under Active Exploitation
A critical pre-authentication memory disclosure vulnerability in MongoDB allows attackers to leak heap memory without credentials. With 87,000+ vulnerable instances globally and active exploitation confirmed, CISA has mandated patches for Federal agencies by January 19, 2026.
-
Russia Shutters Poland’s Consulate in Irkutsk in Tit-for-Tat Measure
Russia’s Foreign Ministry has announced the closure of Poland’s consulate in Irkutsk, a tit-for-tat measure responding to Warsaw’s recent decision to shut down one of Russia’s consulates. This leaves both nations with only one diplomatic mission each in their respective capitals.