All news with #disclosure tag

UK and Portugal Move to Protect Security Researchers

🔒 Governments in the UK and Portugal have introduced proposals and legislation to provide legal protection for computer security researchers, recognizing that outdated laws can deter responsible vulnerability testing. UK security minister Dan Jarvis proposed amending the 1990 Computer Misuse Act to create a statutory defense for good-faith research that meets defined safeguards. Portugal's new law similarly shields researchers who do not seek financial advantage and who respect data protection rules, aligning with measures already adopted in the Netherlands, France, and Belgium.

CISA Releases Three New Industrial Control Advisories

🔔 CISA published three Industrial Control Systems (ICS) advisories addressing vulnerabilities in Universal Boot Loader (U-Boot) (ICSA-25-343-01), the Festo LX Appliance (ICSA-25-343-02), and several India-based CCTV camera models (ICSA-25-343-03). Each advisory provides technical details, impact assessments, and recommended mitigations. CISA urges system operators, vendors, and administrators to review the advisories promptly and apply available updates or compensating controls to reduce operational risk.

Malicious VSCode Extensions on Marketplace Drop Infostealers

🛡️ Two malicious Visual Studio Code extensions on Microsoft's Marketplace, Bitcoin Black and Codo AI, were found delivering an information-stealing payload that can capture screenshots, harvest credentials and crypto wallets, and hijack browser sessions. Published under the developer name 'BigBlack', Codo AI remained live with under 30 downloads at the time of reporting while Bitcoin Black showed a single install. Researchers at Koi Security observed that Bitcoin Black uses a wildcard activation and executes PowerShell or a hidden batch script to download a DLL and executable that leverage DLL hijacking to run the infostealer as 'runtime.exe'.

Critical XML External Entity (XXE) Flaw in Apache Tika

🔒 A critical XML External Entity (XXE) vulnerability, tracked as CVE-2025-66516, has been disclosed in Apache Tika and carries a CVSS score of 10.0. The flaw allows XXE via a crafted XFA file inside PDFs and affects tika-core, tika-parser-pdf-module, and tika-parsers across multiple versions. Users are strongly advised to upgrade to the patched releases immediately to mitigate file disclosure and potential remote code execution.

Critical React2Shell RCE in React.js and Next.js Servers

⚠️React.js and Next.js servers are vulnerable to a critical remote code execution flaw dubbed React2Shell (CVE-2025-55182), disclosed to Meta on 29 November 2025. The bug targets server-side React Server Function endpoints and default Next.js App Router setups, enabling unauthenticated attackers to execute arbitrary code with a single HTTP request. Researchers report near‑100% exploitability in default configurations and published proof‑of‑concepts; security teams should upgrade affected packages to the fixed versions immediately and verify PoC sources before testing.

Intellexa's Predator Spyware Continues Despite Sanctions

📣 Leaked documents and coordinated technical reports indicate the Intellexa surveillance consortium continues to develop, sell and operate its Predator spyware despite multiple sanctions. Analyses from Google Threat Intelligence Group, Recorded Future and Amnesty’s Security Lab attribute numerous mobile browser zero-day exploits and new infection methods to the vendor. Amnesty disclosed a novel Aladdin zero-click vector that abuses the mobile advertising ecosystem to deliver malicious ads which infect devices on view, while Recorded Future and Google documented Intellexa’s outsized share of exploited zero-days. The combined findings point to active customers, new nexus entities and ongoing global operations.

NCSC launches Proactive Notifications pilot for UK orgs

🔔 The UK National Cyber Security Centre (NCSC) is piloting Proactive Notifications, a service delivered via Netcraft that scans publicly available internet data to identify exposed software and missing security services. The NCSC will email affected organizations — messages originate from netcraft.com, contain no attachments, and do not request payments or personal data. The pilot covers UK domains and IPs on UK ASNs and focuses on notifying about specific CVEs and general weaknesses like weak encryption.

Socomec DIRIS Digiware M Series and PDF XChange Flaws

🔒 Cisco Talos disclosed an out‑of‑bounds read in PDF‑XChange Editor (CVE‑2025‑58113) and ten vulnerabilities affecting Socomec DIRIS Digiware M series and Easy Config. The issues range from information disclosure and authentication bypass to multiple denial‑of‑service and buffer overflow flaws. Vendors have released patches; administrators should apply updates and deploy Snort rules to detect exploitation.

Critical React2Shell RCE Affects React and Next.js Servers

🚨 React and Next.js applications are affected by a maximum-severity deserialization vulnerability dubbed React2Shell, which enables unauthenticated remote code execution via the React Server Components (RSC) "Flight" protocol. Discovered by researcher Lachlan Davidson and reported on November 29, the flaw received a 10/10 severity rating and has been assigned CVE-2025-55182 for React (Next.js received CVE-2025-66478, later rejected by the NVD). Affected default packages include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, and researchers warn many deployments are exploitable without additional misconfiguration. Developers should apply the published patches and audit environments immediately.

Johnson Controls OpenBlue Mobile Forced Browsing Fix

🔒 Johnson Controls reported a Direct Request (Forced Browsing) vulnerability (CVE-2025-26381) in the OpenBlue Mobile Web Application for OpenBlue Workplace. Versions 2025.1.2 and earlier may allow remote attackers to gain unauthorized access to sensitive information; CISA cites a CVSS v3.1 score of 9.3 and a CVSS v4 score of 6.5. Johnson Controls recommends upgrading to patch level 2025.1.3 when available; until then, administrators should disable the mobile app in IIS or use the primary Workplace web interface as a mitigation.

Johnson Controls iSTAR TLS Certificate Expiration Issue

🔒 Johnson Controls reported an improper validation of certificate expiration in iSTAR access control panels that can prevent devices from re-establishing communication when the default certificate expires. The flaw, tracked as CVE-2025-61736, carries a CVSS v4 base score of 7.1 and a CVSS v3.1 score of 6.5. Affected units are those running versions prior to TLS 1.2. Recommended mitigations include deploying host-based certificates, migrating clusters to TLS 1.3 (requires firmware/C•CURE updates), or upgrading legacy panels to G2 hardware.

Mitsubishi Electric GX Works2 Cleartext Credential Risk

🔒 CISA warns that Mitsubishi Electric GX Works2 contains a cleartext storage vulnerability (CVE-2025-3784) that can expose credentials stored in project files. The issue affects all versions and may allow a local attacker with file access to open password-protected projects and read or modify project data. A vendor fix is under development; organizations should restrict access, block untrusted remote logins, and follow the mitigations recommended by Mitsubishi Electric and CISA.

Malicious Chrome and Edge Extensions Abused by ShadyPanda

🛡️Researchers at Koi Security uncovered a multi-year campaign by an actor dubbed ShadyPanda that abused trusted Chrome and Edge extensions to harvest browsing data, manipulate search results and traffic, and install a backdoor. The group amassed roughly 4.3 million infected browser instances by publishing legitimate-looking add-ons and later pushing malicious updates. Although many extensions have been removed from stores, infected browsers remain at risk because extensions auto-update and marketplaces generally review only at submission.

Google Antigravity AI coding tool vulnerable to exploits

⚠️ Google’s AI-assisted coding tool Antigravity, launched in early November, has a critical vulnerability discovered by researchers at Mindgard within 24 hours that can install a persistent backdoor and execute malicious code each time the application starts. The flaw arises because the assistant follows custom user rules unconditionally and gives excessive weight to rules embedded in project source, while a global configuration directory can hold files specifying arbitrary commands that are read and acted on at startup. Mindgard also identified two additional vulnerabilities that could expose user data, and no patch is yet available.

node-forge patched for ASN.1 signature verification bypass

🔒 The popular JavaScript cryptography library node-forge received a security update after researchers found a high-severity flaw that can bypass signature verification. Tracked as CVE-2025-12816, the issue stems from an ASN.1 validation interpretation conflict that allows crafted, malformed structures to pass schema checks while remaining cryptographically invalid. Maintainers released version 1.3.2; developers are strongly advised to upgrade immediately because applications relying on node-forge for PKI or signature enforcement could face authentication bypasses or signed-data tampering.

Code formatters left 80,000+ secrets exposed publicly

🔓 Researchers at external attack surface management firm watchTowr discovered more than 80,000 JSON snippets saved via JSONFormatter and CodeBeautify's unprotected Recent Links feature, exposing credentials, private keys, tokens, and configuration files. The platforms generated predictable, shareable URLs when users saved snippets and stored them without access controls, allowing anyone to scrape content via the services' APIs. Leaked material spans government, finance, healthcare, telecoms, and other sensitive sectors. watchTowr's Canarytoken test showed attackers accessed planted fake AWS keys after links had expired, indicating active scanning.

SiRcom SMART Alert Missing Authentication Vulnerability

⚠️ SiRcom SMART Alert (SiSA) version 3.0.48 contains a Missing Authentication for Critical Function vulnerability that allows unauthenticated access to backend APIs and bypass of the login screen using browser developer tools. Assigned CVE-2025-13483, the issue has a CVSS v3.1 base score of 9.1 and a CVSS v4 base score of 8.8. Exploitation could enable remote activation or manipulation of emergency sirens, and CISA reports no vendor coordination; network isolation and secure remote access are recommended.

Pre-auth RCE in Oracle Identity Manager Forces Patching

⚠️ The Cybersecurity and Infrastructure Security Agency (CISA) added a critical pre-authenticated remote code execution flaw in Oracle Identity Manager (CVE-2025-61757) to its Known Exploited Vulnerabilities catalog after active exploitation was observed. Searchlight Cyber reported that a flawed authentication filter combined with matrix/query parameters lets attackers bypass auth and reach a Groovy compile endpoint, enabling RCE through compile-time annotation processing. Oracle fixed the issue in its October 2025 Critical Patch Update; federal agencies must remediate by December 12, 2025.

Iberia Notifies Customers of Vendor-Related Data Leak

🔔 Iberia has informed customers of a security incident after unauthorized access to a supplier's systems exposed limited customer information. The airline says affected fields may include full name, email address, and Iberia Club loyalty identification numbers, while login credentials and payment card data were not accessed. Iberia says it activated its security protocol, added verification codes for email changes, is monitoring systems, and has notified authorities as it works with the third-party vendor. Customers are urged to watch for suspicious messages and report anomalies to the airline.

Google Adds AirDrop Compatibility to Quick Share on Pixel 10

📡 Google updated Quick Share to interoperate with Apple's AirDrop, enabling direct file transfers between Pixel 10 devices and iPhone, iPad, and macOS. Transfers require the Apple device to be discoverable to Everyone for 10 minutes, while Android users must set Quick Share visibility to Everyone or use Receive mode. Google said the implementation is built in memory-safe Rust, avoids routing data through servers, and was independently assessed and hardened after a low-severity information-disclosure issue was fixed.