< ciso
brief />
Tag Banner

All news with #authentication bypass tag

344 articles · page 15 of 18

Hackers Exploit Triofox AV Feature to Deploy Remote Tools

⚠️ Hackers exploited a critical Triofox vulnerability (CVE-2025-12480) and abused the product's built-in antivirus configuration to achieve remote code execution as SYSTEM. Google Threat Intelligence Group traced the activity to UNC6485 targeting a Triofox server in August; attackers bypassed authentication via Host header/Referer spoofing and configured a malicious scanner to run a PowerShell downloader. Vendor patches are available; administrators should update and audit admin and scanner settings.
read more →

Why a Fully Passwordless Enterprise May Remain Elusive

🔒 Enterprises have pursued a passwordless future for more than a decade, yet deployment is stalling as legacy systems, industrial and IoT devices, and custom apps often lack support. A recent RSA report found 90% of organizations face coverage gaps or poor user experience, leaving most firms able to cover only about 75–85% of use cases. Experts warn that enrollment, recovery, and fallback mechanisms frequently reintroduce passwords and expand attack surfaces unless those flows are made as phishing-resistant as logins.
read more →

Triofox Authentication Bypass Leads to Remote Access

🔒 Google's Mandiant reported active n‑day exploitation of a critical authentication bypass in Gladinet's Triofox (CVE-2025-12480, CVSS 9.1) that lets attackers access configuration pages and execute arbitrary payloads. Adversaries abused the product's antivirus executable path to run a malicious batch, installing Zoho UEMS and remote‑access tools such as Zoho Assist and AnyDesk. Operators created admin accounts, escalated privileges, and established SSH tunnels for inbound RDP. Triofox customers should apply the vendor patch, remove unauthorized admins, and verify antivirus executable paths cannot run untrusted scripts.
read more →

Triofox CVE-2025-12480: Unauthenticated Access Leads to RCE

⚠️ Mandiant Threat Defense observed active exploitation of an unauthenticated access control vulnerability in Gladinet's Triofox (CVE-2025-12480) that allowed attackers to bypass authentication and reach administrative setup pages. By manipulating the HTTP Host header to impersonate localhost, attackers accessed protected admin workflows, created a native admin account, and configured the built-in anti‑virus engine to execute a malicious script as SYSTEM. The chain led to a PowerShell downloader, installation of a legitimate Zoho UEMS agent, and deployment of remote access tools; the vulnerability affected Triofox 16.4.10317.56372 and was mitigated in 16.7.10368.56560. Operators should upgrade immediately, audit admin accounts, and restrict anti‑virus engine paths.
read more →

Cisco Fixes Critical Authentication and RCE Flaws in CCX

🔒 Cisco has released security updates for Unified Contact Center Express (CCX) to address two critical vulnerabilities that can enable authentication bypass and remote code execution as root. The company issued software updates 15.0 ES01 and 12.5 SU3 ES07 and urged customers to apply them immediately. Cisco also fixed four medium-severity issues across CCX, CCE and UIC, and warned of a new attack variant affecting ASA and FTD devices tied to earlier patches.
read more →

Microsoft Teams Vulnerabilities Expose Trust Abuse Today

🔒 Check Point Research identified multiple vulnerabilities in Microsoft Teams that could let attackers impersonate executives, manipulate message content, and spoof in-app notifications. The flaws exploit trust mechanisms built into real-time collaboration features used by more than 320 million monthly active users, turning expectations of authenticity into an attack vector. Researchers emphasize that trust alone isn’t a security strategy and urge rapid remediation by vendors and mitigations by organizations. Administrators should prioritize updates, review messaging policies, and increase user awareness to reduce exposure.
read more →

CISA: Survision LPR Camera Missing Authentication Flaw

⚠️ Survision's License Plate Recognition (LPR) Camera contains a missing authentication for critical function, allowing unauthenticated access to the configuration wizard. The issue affects all versions and is tracked as CVE-2025-12108 with a CVSS v4 base score of 9.3 and a CVSS v3.1 score of 9.8, indicating remote, low-complexity exploitation with high impact. Survision released firmware v3.5 to address the vulnerability and recommends enabling configuration passwords, defining minimal-right user roles, and enforcing client certificate authentication where possible.
read more →

Radiometrics VizAir: Critical Authentication Flaws

⚠️ CISA warns that Radiometrics VizAir systems (versions prior to 08/2025) contain multiple critical vulnerabilities — including missing authentication for admin functions and an exposed REST API key — assigned CVE-2025-61945, CVE-2025-54863, and CVE-2025-61956 and rated CVSS v4 10.0. Remote attackers could alter weather parameters, disable alerts, manipulate runway settings, and extract sensitive meteorological data, potentially disrupting airport operations. Radiometrics has deployed updates to affected systems; CISA recommends minimizing network exposure, isolating control networks, and using secure remote access methods.
read more →

Critical Auth Bypass in JobMonster WordPress Theme Attack

🔒 Threat actors are actively exploiting a critical authentication bypass in the JobMonster WordPress theme (CVE-2025-5397) that can lead to administrator account takeover under specific conditions. The flaw affects all versions up to 4.8.1 and is caused by the theme's check_login() function trusting external social login data without proper verification. To succeed, attackers typically need social login enabled and knowledge of an admin username or email. The issue is fixed in 4.8.2; immediate mitigations include upgrading, disabling social login, enabling two‑factor authentication, rotating credentials, and reviewing access logs.
read more →

CISA and NSA Issue Hardening Guidance for Exchange

🔒 CISA and the NSA, joined by the Australian Cyber Security Centre and the Canadian Centre for Cyber Security, released guidance to harden on-premises and hybrid Microsoft Exchange servers against attacks. The advisory emphasizes stronger authentication, minimized application attack surfaces, robust TLS configurations, and decommissioning unsupported servers after migration to Microsoft 365. It also recommends enabling emergency mitigations and built-in anti-spam and anti-malware protections and restricting administrative access to authorized workstations.
read more →

CISA Warns of Two Actively Exploited DELMIA Flaws Now

⚠️ CISA has confirmed active exploitation of two vulnerabilities in Dassault Systèmes' DELMIA Apriso: CVE-2025-6205 (critical missing authorization) and CVE-2025-6204 (high-severity code injection). Both flaws were patched by the vendor in early August 2025 and affect Releases 2020 through 2025. Federal agencies must remediate within three weeks under BOD 22-01, and CISA urges all organizations to prioritize vendor mitigations or discontinue use if no fixes exist.
read more →

QNAP: NetBak PC Backup Affected by Critical ASP.NET Flaw

🔔 QNAP has warned that its NetBak PC Agent, a Windows backup utility, may include an affected ASP.NET Core runtime vulnerable to CVE-2025-55315. The flaw resides in the Kestrel ASP.NET Core web server and can allow low-privileged attackers to hijack other users' credentials or bypass front-end security via HTTP request smuggling. QNAP recommends reinstalling the app or manually installing the latest ASP.NET Core Runtime (Hosting Bundle) from the .NET 8.0 downloads to secure systems.
read more →

Passwordless Authentication: Clearing Common Myths

🔐 Passwordless authentication reduces reliance on passwords by using device-bound keys and local verification. The post explains that passwordless is inherently multi-factor: a device factor plus a local secret such as a PIN or biometric. Biometrics and PINs unlock a private key stored on the device and are not transmitted or centralized, reducing theft and replay risks. It also describes protections that make this approach highly phishing-resistant.
read more →

ASKI Energy ALS-Mini S4/S8: Missing Authentication Flaw

⚠ An unauthenticated access vulnerability in the embedded web server of ASKI Energy ALS‑Mini‑S4 and ALS‑Mini‑S8 IP controllers allows remote actors to read and modify device configuration, potentially yielding full control. Tracked as CVE-2025-9574, the issue is a Missing Authentication for Critical Function (CWE‑306) with a CVSS v4 base score of 9.9. ABB reports these products reached end of life in 2022 and will not be patched; operators should remove internet exposure, place devices behind firewalls or secure proxies that enforce authentication and logging, restrict access to whitelisted IPs, monitor for unauthorized access with IDS/IPS, or physically disconnect the Ethernet port if web features are not required.
read more →

NTLM/LDAP Authentication Bypass (CVE-2025-54918) Analysis

🔍 This analysis examines CVE-2025-54918, a critical NTLM/LDAP authentication bypass that enables privilege escalation from a standard domain user to SYSTEM on Domain Controllers. The vulnerability chains coercion (PrinterBug-style) with NTLM relay and packet manipulation to evade channel binding and LDAP signing. The post outlines the attack flow, detection indicators such as empty usernames and LOCAL_CALL flags, and mitigations using CrowdStrike Falcon capabilities.
read more →

TP-Link Omada Gateways Vulnerable to Critical RCE Flaw

⚠️ TP-Link has disclosed two command injection vulnerabilities affecting Omada gateway devices that allow execution of arbitrary OS commands. One issue, CVE-2025-6542 (CVSS 9.3), can be exploited remotely without authentication; the other, CVE-2025-6541 (CVSS 8.6), requires access to the web management interface. Thirteen models are listed as impacted and TP-Link has released firmware updates to address the flaws; administrators are urged to apply patches and verify configurations after upgrading.
read more →

Updates enforce SID checks, causing Windows login failures

🔒 Microsoft confirmed that Windows updates released on and after August 29, 2025 enforce additional SID checks that can break Kerberos and NTLM authentication on devices with duplicate Security Identifiers (SIDs). Affected systems — including Windows 11 24H2, Windows 11 25H2, and Windows Server 2025 — may experience failed Remote Desktop sessions, SEC_E_NO_CREDENTIALS event errors, and "access denied" messages. The fault commonly arises when images are duplicated without using Sysprep. Microsoft recommends rebuilding impacted machines with supported imaging procedures or obtaining a temporary Group Policy from Support as an interim measure.
read more →

Siemens SIMATIC S7-1200 Vulnerabilities and Patches Updates

⚠️ Siemens has published an advisory for SIMATIC S7-1200 CPU V1/V2 devices describing two high-severity vulnerabilities: an Improper Input Validation flaw (CVE-2011-20001) that can force a controller into a stop/defect state via malformed HTTP traffic, and an Authentication Bypass by Capture-Replay (CVE-2011-20002) that allows replay of engineering commands. CVSS v4 scores are high (up to 8.7); Siemens recommends updating firmware (V2.0.3/V2.0.2) and disabling the web server where possible, while CISA advises network segmentation, firewalling, and avoiding direct Internet exposure.
read more →

Raisecomm RAX701-GC SSH Authentication Bypass Vulnerability

🔒 A critical authentication bypass in Raisecomm RAX701-GC devices permits SSH sessions without completing user authentication, potentially granting unauthenticated root shell access. The flaw is tracked as CVE-2025-11534 with a CVSS v3.1 score of 9.8 and CVSS v4 score of 9.3, exploitable remotely with low attack complexity. Affected firmware versions include 5.5.27_20190111, 5.5.13_20180720, and 5.5.36_20190709. CISA recommends isolating affected devices from the internet, placing control networks behind firewalls, and using secure remote access methods such as updated VPNs while contacting vendor support.
read more →

Reducing Abuse of Microsoft 365 Exchange Online Direct Send

🛡️ Cisco Talos warns that Microsoft 365 Exchange Online’s Direct Send feature, intended for legacy devices and line‑of‑business appliances, is being abused to bypass standard authentication and content inspection. Attackers are leveraging these unauthenticated SMTP flows in phishing and BEC campaigns by impersonating internal users and embedding obfuscated lures such as QR codes and empty‑body messages. Talos recommends a phased approach — inventorying dependencies, migrating devices to authenticated SMTP or partner connectors, and validating mailflows before enabling RejectDirectSend — to reduce risk without disrupting critical workflows.
read more →