All news with #vulnerability disclosure tag

🔒 After scanning all 5.6 million public repositories on GitLab Cloud, a security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains. Using the open-source tool TruffleHog and an AWS-driven pipeline (SQS queue and Lambda workers), the researcher completed the scan in just over 24 hours at a cost of $770. Notifications were automated with Claude Sonnet 3.7 and scripts; affected parties revoked many credentials and the researcher collected $9,000 in bug bounties, though some secrets remain exposed.

⚠️ Google’s AI-assisted coding tool Antigravity, launched in early November, has a critical vulnerability discovered by researchers at Mindgard within 24 hours that can install a persistent backdoor and execute malicious code each time the application starts. The flaw arises because the assistant follows custom user rules unconditionally and gives excessive weight to rules embedded in project source, while a global configuration directory can hold files specifying arbitrary commands that are read and acted on at startup. Mindgard also identified two additional vulnerabilities that could expose user data, and no patch is yet available.

⚠️ Google’s newly released Antigravity IDE has drawn security warnings after researchers reported vulnerabilities that can allow malicious repositories to compromise developer workspaces and install persistent backdoors. Mindgard, Adam Swanda, and others disclosed indirect prompt injection and trusted-input handling flaws that could enable data exfiltration and remote command execution. Google says it is aware, has updated its Known Issues page, and is working with product teams to address the reports.

🔒 Security researchers at watchTowr discovered that two popular code utility sites — JSON Formatter and Code Beautify — inadvertently exposed thousands of developer submissions containing sensitive secrets and credentials. By querying a public API and the sites’ “Recent Links” listings, the team extracted over 80,000 submissions spanning years, including API keys, private keys, database and cloud credentials, JWTs, and PII. The exposure remained until the sites disabled the save feature; watchTowr also confirmed active scraping by third parties and reported limited response from affected organizations.

🔒 New research from watchTowr Labs found over 80,000 files saved to online code-formatting tools, exposing thousands of passwords, API keys, repository tokens and other sensitive credentials across government, telecoms, finance, healthcare and critical infrastructure. The datasets comprise five years of JSONFormatter content and one year of CodeBeautify content (about 5GB), and both services used predictable, shareable URLs and a Recent Links page that made mass crawling trivial. Researchers uploaded decoy AWS keys that were abused within 48 hours, and both sites have temporarily disabled save functionality while implementing enhanced content-prevention measures.

⚠️ Researchers disclosed five vulnerabilities in Fluent Bit, the open-source telemetry agent, that can be chained to bypass authentication, write or overwrite files, execute code, corrupt logs, and cause denial-of-service conditions. CERT/CC noted many issues require network access, and fixes were released in Fluent Bit 4.1.1 and 4.0.12 with AWS participating in coordinated disclosure. Operators are urged to update immediately and apply mitigations such as avoiding dynamic tags, mounting configs read-only, and running the agent as a non-root user.

⚠️ Fluent Bit, a widely deployed telemetry agent, has multiple critical vulnerabilities disclosed by Oligo Security affecting inputs, tag processing and output handling. Patches are available in Fluent Bit v4.1.1 and v4.0.12 released in early October 2025; older releases remain at risk. Operators are advised to update immediately, avoid dynamic tags, lock down output file parameters, run with least privilege and mount configuration directories read-only to reduce exposure.

⚠️ This week’s recap spotlights multiple actively exploited vulnerabilities, supply‑chain compromises, and a record cloud DDoS that forced rapid vendor responses. Fortinet disclosed a FortiWeb OS command injection (CVE-2025-58034) that was observed chained with a recent critical fix, raising concerns about silent patching and disclosure timing. Google patched an actively exploited Chrome V8 0‑day (CVE-2025-13223), and attackers continued to abuse browser notifications, malicious updates, and SaaS integrations to phish and persist. The incidents underscore urgent priorities: patch quickly, scrutinize integrations, and strengthen monitoring and response.

⚠️ Security firm SquareX disclosed a previously undocumented MCP API inside the AI browser Comet that enables embedded extensions to execute arbitrary commands and launch applications — capabilities mainstream browsers normally block. The API can be triggered covertly from pages such as perplexity.ai, creating an execution channel exploitable via compromised extensions, XSS, MITM, or phishing. SquareX highlights that the analytics and agentic extensions are hidden and cannot be uninstalled, leaving devices exposed by default.

⚠️ Festo disclosed a hidden test‑mode vulnerability in the MSE6 product family that could be abused by a remote, authenticated low‑privileged attacker. The issue, tracked as CVE-2023-3634, carries a CVSS v3.1 score of 8.8 and may permit complete loss of confidentiality, integrity, and availability. Festo plans documentation updates in the next product release; CISA recommends isolating devices, minimizing network exposure, and using firewalls and secured VPNs as mitigations.

⚠️ A remotely exploitable OS command injection in the Opto 22 Groov Manage REST API allows attackers with administrative credentials to inject shell commands that execute as root on affected GRV-EPIC and groov RIO devices. The issue is tracked as CVE-2025-13087 and carries a CVSS v4 base score of 7.5. Opto 22 has released firmware 4.0.3 to address the flaw; users should apply the update promptly. CISA also recommends isolating control networks, minimizing Internet exposure, and monitoring API and system logs for suspicious activity.

🔒 CISA reports that iCam365 ROBOT PT Camera P201 and Night Vision Camera QC021 (versions 43.4.0.0 and prior) allow unauthenticated access to ONVIF and RTSP services. Successful exploitation could expose live video streams and camera configuration data. Two CVEs were assigned (CVE-2025-64770 and CVE-2025-62674), with CISA-calculated CVSS v4 base scores of 7.0 and CVSS v3.1 scores of 6.8. iCam365 did not respond to CISA; recommended mitigations include network isolation, firewalling, and use of secure remote access methods.

⚠ Emerson's Appleton UPSMON-PRO contains a stack-based buffer overflow that can be triggered remotely via UDP port 2601. A crafted UDP packet can overwrite stack memory and enable arbitrary code execution with SYSTEM privileges if UPSMONProService traffic is not validated; the issue is tracked as CVE-2024-3871 and carries high severity (CVSS v3.1 9.8; CVSS v4 9.3). Affected versions are 2.6 and earlier; Emerson lists the product as End of Life, and CISA advises replacing unsupported units or applying mitigations such as blocking UDP 2601, isolating monitoring networks, filtering oversized packets, and monitoring for service crashes.

🔒 Festo reported a path traversal vulnerability in Siemens TIA Portal (V15–V18) as deployed on Festo Didactic hardware. Tracked as CVE-2023-26293 with a CVSS v3.1 base score of 7.8, the flaw can allow creation or overwriting of arbitrary files and could lead to arbitrary code execution if a user opens a crafted project file. The issue requires user interaction and is not remotely exploitable; Festo and CISA recommend applying Siemens updates and following standard protections against malicious files and social engineering.

🔒 Automated Logic's WebCTRL servers and related products are affected by an open redirect (CVE-2024-8527) and a reflected XSS vulnerability (CVE-2024-8528) impacting versions 6.1, 7.0, 8.0, and 8.5. The open redirect carries high severity (CVSS v3.1 9.3; v4 8.6) while the XSS stems from an unsanitized "wbs" GET parameter (CVSS v3.1 7.5; v4 5.4). Automated Logic reports remediation in WebCTRL 9.0 and advises upgrades; CISA recommends minimizing device exposure, using firewalls and secure remote access, and following anti-phishing best practices. CISA notes no known public exploitation and states the vulnerabilities are not remotely exploitable as described.

🔒 Security researchers have uncovered Operation WrtHug, a global campaign that has hijacked thousands of largely end-of-life ASUS WRT routers by chaining at least six known vulnerabilities. Over roughly six months analysts identified about 50,000 unique infected IPs, predominantly in Taiwan, using a distinctive malicious self-signed AiCloud certificate with a 100-year lifetime as an indicator of compromise. Owners are urged to apply ASUS firmware updates or replace unsupported models and disable remote-access features to mitigate risk.

🔒 Kendra Albert's USENIX talk, highlighted by Bruce Schneier, argues that modern managed bug bounty programs often impose contractual confidentiality that prevents researchers from publicly sharing vulnerabilities. These restrictions can flip the original bargain of coordinated vulnerability disclosure, silencing researchers while allowing vendors to delay or avoid fixes. Schneier urges platforms and companies to prohibit mandatory non‑disclosure terms and restore the balance between researcher reporting and vendor remediation.

🔔 Fortinet has issued an advisory about a newly discovered FortiWeb vulnerability, CVE-2025-58034, rated CVSS 6.7 and reported as being exploited in the wild. The flaw is an OS command injection that allows an authenticated attacker, who has gained access by other means, to execute arbitrary commands via crafted HTTP requests or CLI input. Fortinet provides version-based upgrade guidance to remediate the issue and credited a Trend Micro researcher for reporting the bug.

✉️ A vulnerability in DoorDash's DoorDash for Business platform allowed an attacker to create a free account, add an 'Employee' entry containing arbitrary HTML in a budget name field, and send emails that appeared to originate from no-reply@doordash.com using official templates. The researcher known as doublezero7 supplied a proof-of-concept showing stored HTML rendered in outgoing messages, enabling persuasive phishing. DoorDash patched the flaw after public pressure, and a dispute over disclosure and alleged extortion followed.

⚠️ ASUS has released new firmware to patch a critical authentication bypass vulnerability tracked as CVE-2025-59367 that enables remote, unauthenticated attackers to log into vulnerable DSL routers exposed online. The update — firmware 1.1.2.3_1010 — addresses the issue for DSL-AC51, DSL-N16, and DSL-AC750. ASUS urges users to install the update immediately and, if they cannot, to disable Internet-facing services (remote access, port forwarding, DDNS, VPN server, DMZ, FTP) and use strong, unique passwords as temporary mitigations.