All news with #vulnerability disclosure tag

510 articles · page 26 of 26

Siemens CodeMeter Privilege Escalation in Desigo CC

🔒 Siemens has disclosed a Least Privilege Violation in the Wibu CodeMeter runtime that affects the Desigo CC product family and SENTRON Powermanager series. The issue (CVE-2025-47809) can allow local privilege escalation immediately after installation if the CodeMeter Control Center is present and not restarted. A CVSS v3.1 base score of 8.2 has been assigned. Siemens and WIBU recommend updating to CodeMeter v8.30a and restarting systems; CISA advises network segmentation and minimizing exposure.

Siemens Mendix SAML Module: Signature Verification Flaw

⚠️ The Siemens Mendix SAML module contains an improper verification of cryptographic signature that can be exploited remotely and has been assigned CVE-2025-40758 with a CVSS v3.1 base score of 8.7. Affected versions prior to V3.6.21, V4.0.3, and V4.1.2 (depending on Mendix compatibility) may allow unauthenticated attackers to hijack accounts in specific SSO configurations. Siemens recommends updating to the fixed versions, enabling UseEncryption, and reducing network exposure using firewalls and secure VPNs.

PerfektBlue: Bluetooth Vulnerabilities in Car Infotainment

🔒 Researchers have identified a chain of four Bluetooth vulnerabilities, collectively named PerfektBlue, in the OpenSynergy Blue SDK, which is used in millions of vehicles. An attacker who pairs via Bluetooth can exploit AVRCP flaws to execute code on the head unit and inherit its Bluetooth privileges, potentially gaining access to microphones, location data, and personal information. Vehicle owners should update head-unit firmware when patches are available and disable Bluetooth when not in use.

Microsoft August 2025 Patch Tuesday: 111 Vulnerabilities

⚠️ Microsoft released its August 2025 Patch Tuesday updates addressing 111 vulnerabilities, including 13 marked critical. The fixes span remote code execution, elevation-of-privilege and information-disclosure flaws across Windows, Hyper-V, Microsoft Office, GDI+ and cloud services. Microsoft reports no observed in-the-wild exploitation but notes several issues where exploitation is assessed as “more likely.” Talos is issuing Snort detection rules and urges administrators to apply vendor updates and intrusion-detection signatures promptly.

August 2025 Patch Tuesday: 107 CVEs, 13 Critical, Zero-Day

🛡️ Microsoft’s August 2025 Patch Tuesday addresses 107 CVEs, including one publicly disclosed Windows Kerberos zero‑day (CVE-2025-53779) and 13 Critical flaws. Notable fixes cover high‑severity RCEs in the Windows Graphics Component and GDI+ and an NTLM elevation‑of‑privilege issue. Microsoft has released patches; organizations should apply updates promptly and use Falcon Exposure Management to prioritize and visualize exposure.

Microsoft .NET Bounty Program Raises Awards to $40,000

🔒 Microsoft has expanded the .NET Bounty Program, increasing maximum awards to $40,000 and broadening coverage to include all supported .NET and ASP.NET versions, adjacent technologies like F#, templates, and GitHub Actions. The program simplifies award tiers, aligns impact categories with other Microsoft bounty programs, and defines report quality as complete (working exploit) or not complete, encouraging detailed, actionable submissions.

Microsoft .NET Bounty Program Increases Awards to $40,000

🛡️ Microsoft has updated the .NET Bounty Program, expanding scope and increasing maximum payouts to $40,000 for high-impact vulnerabilities. The program now covers all supported versions of .NET and ASP.NET (including Blazor and F#), repository templates, and GitHub Actions in .NET repositories. Awards are now tied to explicit severity and report quality criteria, with higher payments for complete, exploit-backed reports.

MSRC Announces 2025 Most Valuable Security Researchers

🏆 The Microsoft Security Response Center (MSRC) announced its 2025 Most Valuable Researchers (MVRs), recognizing security researchers who submitted valid vulnerability reports under Coordinated Vulnerability Disclosure. The Top 10 MVRs were ranked by total points earned for valid reports submitted between July 1, 2024 and June 30, 2025, and MSRC also highlights annual Technical Leaderboards by product area such as Azure, Office, Windows, and Dynamics 365. Awardees receive digital badges and MSRC swag boxes, and badges recognize achievements for Accuracy, Impact, and Volume.

MSRC 2025 Q2 Security Researcher Leaderboard Top Picks

🏆 Congratulations to the researchers recognized on the MSRC 2025 Q2 Leaderboard. The top three overall are wkai, Brad Schlintz (nmdhkr), and 0x140ce, with category leaders across Azure, Office, Windows, and Dynamics. The leaderboard reflects assessments completed April 1–June 30, 2025, and includes cases submitted earlier but assessed in Q2. MSRC also notes that Researcher Recognition points are now visible in the researcher portal to improve transparency.

Rising Star: Dylan, MSRC’s Youngest Security Researcher

🔒 At 13, Dylan became the youngest researcher to collaborate with the Microsoft Security Response Center (MSRC), demonstrating notable technical skill, persistence, and professional communication. He progressed from Scratch to HTML and source-code analysis, discovering vulnerabilities in Teams and other services and reporting them responsibly. His findings influenced bug bounty terms to admit younger researchers while he continues to balance school, competitions, and extracurriculars.