< ciso
brief />
Tag Banner

All news with #information disclosure tag

54 articles · page 2 of 3

CISA Flags Actively Exploited Wing FTP Info Leak Patch

⚠️ CISA has added a medium-severity information-disclosure bug, CVE-2025-47813, affecting Wing FTP to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The flaw can leak the application's installation path when a long value is supplied in the UID session cookie and impacts versions up to 7.4.3. Vendor fixes were released in May with Wing FTP 7.4.4, which also addresses a separate critical RCE (CVE-2025-47812). Federal agencies are advised to apply updates by March 30, 2026.
read more →

CISA Adds KEV Entry for Wing FTP Server Vulnerability

🛡️ CISA has added CVE-2025-47813, an information disclosure vulnerability affecting Wing FTP Server, to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of flaw is frequently abused by threat actors and poses a notable risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV items by the specified due dates. CISA urges all organizations to prioritize timely remediation as part of standard vulnerability management.
read more →

March Patch Tuesday: High-Severity Microsoft Office Flaws

🛡️ Microsoft’s March Patch Tuesday addresses 78 vulnerabilities, led by three high-severity flaws in Microsoft Office, including an Excel information-disclosure bug (CVE-2026-26144) and two remote-code-execution issues (CVE-2026-26113, CVE-2026-26110). While Microsoft reports no known zero-day exploitation, experts urge expedited patching, restricting outbound Office traffic, and limiting AI automation such as Copilot Agent to mitigate potential silent exfiltration and preview-pane attack vectors.
read more →

Android Mental Health Apps Found with Security Flaws

⚠️ Security researchers found widespread vulnerabilities across ten Android mental-health apps that together exceed 14.7 million installs and could expose highly sensitive therapy and medical data. Oversecured's scans from January 22–23, 2026 identified 1,575 issues — 54 high-, 538 medium-, and 983 low-severity — which could enable credential interception, HTML injection, spoofing, and location leaks. Findings include use of Intent.parseUri() on external input, plaintext API endpoints and hardcoded Firebase URLs, insecure token generation with java.util.Random, and overly permissive local file access.
read more →

Side-Channel Attacks Expose Metadata Leakage in LLMs

🔎 Three recent papers show that encrypted LLM traffic can leak sensitive information through timing, packet-size, and speculative-decoding side channels. The studies demonstrate that attackers can infer conversation topics, fingerprint prompts, and in some cases recover PII or confidential datastore tokens on open-source and production systems. The authors evaluate mitigations such as padding, batching, and token aggregation, but find trade-offs and no complete solution yet.
read more →

ZOLL ePCR iOS App Vulnerability Exposes Local Data

🔒 The ZOLL ePCR iOS mobile application (version 2.6.7) contains a WebView input-sanitization flaw (CVE-2025-12699) that can reflect attacker-controlled strings into rendered HTML/JavaScript. Proof-of-concept testing shows injected scripts may read local application files, potentially exposing device telemetry and protected health information (PHI). CISA assigns a CVSS v3.1 base score of 5.5 (MEDIUM), notes the issue is not remotely exploitable, and reports no known public exploitation. ZOLL decommissioned the iOS app in May 2025 and has no replacement planned.
read more →

AVEVA PI to CONNECT Agent Log Information Exposure

⚠️ AVEVA reported that PI to CONNECT Agent (<=v2.4.2520) contains a vulnerability that can record sensitive proxy connection details in event logs. An attacker with local Event Log Reader (S-1-5-32-573) privileges could extract proxy URLs and credentials from those logs and gain unauthorized access to the proxy server. The issue is not remotely exploitable; the vendor’s fix is v2.5.2790 or later. Users should review and sanitize logs, rotate proxy credentials, avoid plain-text passwords in proxy URLs, and restrict Event Log Reader privileges.
read more →

Researcher Shows Private Instagram Profiles Leaking

🔍 A security researcher published evidence that some Instagram private profiles returned links to user photos and captions inside the page HTML, making them visible to unauthenticated visitors on certain mobile devices. Researcher Jatin Banga showed the polaris_timeline_connection JSON object embedded encoded CDN links pointing to images that should have been private. In tests of private accounts he controlled or had permission to use, about 28% exposed captions and CDN links. Banga reported the issue to Meta on October 12, 2025; Meta later closed the report as "not applicable" and did not provide a root-cause analysis, though the behavior ceased roughly October 16.
read more →

Schneider Electric Foxboro DCS Intel Side-Channel Issue

⚠️ Schneider Electric published an advisory about a side‑channel vulnerability disclosed by Intel (CVE-2018-12130) that affects EcoStruxure Foxboro DCS Virtualization Server (V91) and Standard Workstation (H92). An authenticated user with local access could exploit the CPU issue to enable information disclosure, risking loss of system functionality or unauthorized access. Schneider Electric directs customers to migrate to updated server (V95) and workstation (Dell D96) hardware or, if immediate migration is not feasible, to apply BIOS and OS security patches and follow layered defense-in-depth recommendations.
read more →

MongoBleed (CVE-2025-14847): Critical MongoDB Memory Leak

🔴 On Dec. 19, 2025, MongoDB disclosed MongoBleed (CVE-2025-14847), a critical unauthenticated memory-disclosure in MongoDB Server stemming from handling of zlib-compressed wire messages. An attacker with network access to TCP/27017 can cause the server to return heap memory that may include cleartext credentials, API keys, session tokens, and PII. A public PoC and active exploitation were observed; MongoDB Atlas was auto-patched while self-hosted deployments require immediate manual updates and mitigations such as disabling zlib compression and restricting inbound access.
read more →

Hidden Telegram proxy links can expose your IP in one click

🔒 Researchers showed that tapping what looks like a Telegram username can trigger the app to auto-connect to a proxy and reveal your real IP address. The issue arises from how MTProto proxy links (t.me/proxy?...) are parsed on Android and iOS: the client performs an automatic test connection before the proxy is added. Attackers can host malicious proxies and disguise links as benign usernames or URLs to log IPs for location, profiling, or DDoS. Telegram says IP visibility is not unique to its platform and will add warnings for proxy links; users should be cautious with unfamiliar t.me links.
read more →

BreachForums User Database Leak Exposes 324,000 Accounts

🔐 A backup of the BreachForums MyBB users table and an associated PGP key were published in a 7Zip archive, exposing 323,988 account records and administrator key material. The leaked archive includes a databoose.sql users table and a passphrase-protected PGP private key; without the passphrase the key cannot be used to sign messages. Analysis found most IPs were set to a local loopback (127.0.0.9), but roughly 70,296 records map to public IPs, creating OPSEC risks for affected users and potential intelligence value for law enforcement. The forum administrator acknowledged the leak, saying the files were temporarily left in an unsecured folder during recovery and recommending disposable email addresses for members.
read more →

MongoDB zlib Flaw Lets Unauthenticated Clients Read Heap

🔒 A high-severity vulnerability in MongoDB can allow unauthenticated clients to read uninitialized heap memory by exploiting mismatched length fields in zlib-compressed protocol headers. Tracked as CVE-2025-14847 with a CVSS score of 8.7, the flaw stems from improper handling of inconsistent length parameters. It affects a broad set of releases from 3.6 through 8.2, and MongoDB has published fixes (including 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 and 4.4.30); administrators unable to upgrade immediately are advised to disable zlib compression or restrict compressors to snappy or zstd.
read more →

React fixes RSC DoS and code-leak flaws in server components

⚠️ The React team released patches for three vulnerabilities affecting React Server Components that could enable pre-authentication denial-of-service and disclosure of Server Function source code. Two high-severity DoS issues arise from unsafe deserialization and an incomplete remediation, while a lower-severity information-leak bug can return function source when arguments are stringified. The flaws impact react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack across multiple 19.x releases. Users are urged to upgrade to 19.0.3, 19.1.4, or 19.2.3 immediately, especially given active exploration of a related critical bug.
read more →

PCIe IDE Flaws in PCIe 5.0+ Allow Faulty Data Handling

⚠️ The PCI Special Interest Group (PCI-SIG) disclosed three vulnerabilities in the PCIe Integrity and Data Encryption (IDE) ECN that affect PCIe Base Specification Revision 5.0 and later, potentially allowing reordering, completion timeout redirection, and delayed posted redirection of encrypted PCIe traffic. The issues, tracked as CVE-2025-9612, CVE-2025-9613, and CVE-2025-9614, could permit information disclosure, privilege escalation, or denial of service if an attacker gains local or low-level access. Intel and AMD products are listed as affected; vendors should provide firmware updates and users must apply patches and follow PCIe 6.0 Erratum #1 guidance.
read more →

Critical XML External Entity (XXE) Flaw in Apache Tika

🔒 A critical XML External Entity (XXE) vulnerability, tracked as CVE-2025-66516, has been disclosed in Apache Tika and carries a CVSS score of 10.0. The flaw allows XXE via a crafted XFA file inside PDFs and affects tika-core, tika-parser-pdf-module, and tika-parsers across multiple versions. Users are strongly advised to upgrade to the patched releases immediately to mitigate file disclosure and potential remote code execution.
read more →

WhatsApp flaw allowed discovery of 3.5B registered numbers

🔍 Researchers from the University of Vienna and SBA Research found a flaw in WhatsApp's contact discovery that let them enumerate valid numbers globally, confirming about 3.5 billion registered accounts. By abusing the lookup mechanism they could probe numbers across 245 countries at rates exceeding 100 million checks per hour from a single IP. The technique also exposed public (non-private) keys, timestamps, profile photos and About text, enabling inference of device OS, account age and linked secondary devices, prompting Meta to add rate limits and tighter visibility rules.
read more →

Siemens COMOS: Critical RCE and Data Exposure Fixes

Siemens warns that COMOS contains two high‑severity vulnerabilities — CVE-2023-45133 (CVSS 9.3) and CVE-2024-0056 (CVSS 8.7) — which can enable remote code execution or expose sensitive information. Siemens has released a patch in COMOS V10.4.5 and advises operators to update promptly. Implement network segmentation, avoid direct internet exposure of control systems, and follow Siemens and CISA guidance for secure remote access and system hardening.
read more →

Balancer V2 Exploit Drains Over $120 Million in Crypto

🚨 Balancer announced an exploit of its V2 Compostable Stable Pools on Ethereum at 07:48 UTC that resulted in reported losses exceeding $128 million. Initial analysis from GoPlus Security points to a precision rounding error in the Vault’s swap calculations that an attacker chained via batchSwap, while other researchers suggest improper authorization and callback handling in V2 vaults. Balancer says the issue is isolated to V2 Compostable Stable Pools, with V3 and other pools unaffected, and the team is working with security researchers on a full post‑mortem. Users are warned to remain vigilant for scams and phishing attempts following the incident.
read more →

GDI Vulnerabilities in Windows Enable RCE and Data Leak

🔒 Microsoft has issued updates to address three previously unknown flaws in the Windows Graphics Device Interface (GDI) that could permit remote code execution and information disclosure. The issues, rooted in malformed EMF/EMF+ records, cause out-of-bounds memory access in GdiPlus.dll and gdi32full.dll during image rendering, thumbnailing and print initialization. Patches were released across the May, July and August 2025 Patch Tuesdays (KB5058411, KB5062553, KB5063878); administrators should apply updates promptly and avoid opening untrusted EMF files.
read more →