Security
Headlines
HeadlinesLatestCVEs

Latest News

AMD SEV-SNP Vulnerability Allows Malicious Microcode Injection with Admin Access

A security vulnerability has been disclosed in AMD's Secure Encrypted Virtualization (SEV) that could permit an attacker to load a malicious CPU microcode under specific conditions. The flaw, tracked as CVE-2024-56161, carries a CVSS score of 7.2 out of 10.0, indicating high severity. "Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local

The Hacker News
Open in Source
#vulnerability#amd#The Hacker News
Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score

Microsoft has released patches to address two Critical-rated security flaws impacting Azure AI Face Service and Microsoft Account that could allow a malicious actor to escalate their privileges under certain conditions. The flaws are listed below - CVE-2025-21396 (CVSS score: 7.5) - Microsoft Account Elevation of Privilege Vulnerability CVE-2025-21415 (CVSS score: 9.9) - Azure AI Face Service

Google Patches 47 Android Security Flaws, Including Actively Exploited CVE-2024-53104

Google has shipped patches to address 47 security flaws in its Android operating system, including one it said has come under active exploitation in the wild. The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), which has been described as a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver. Successful exploitation of the flaw could lead

Microsoft SharePoint Connector Flaw Could've Enabled Credential Theft Across Power Platform

Cybersecurity researchers have disclosed details of a now-patched vulnerability impacting the Microsoft SharePoint connector on Power Platform that, if successfully exploited, could allow threat actors to harvest a user's credentials and stage follow-on attacks. This could manifest in the form of post-exploitation actions that allow the attacker to send requests to the SharePoint API on behalf

Hackers Hide Malware in Fake DeepSeek PyPI Packages

Malicious DeepSeek packages on PyPI spread malware, stealing sensitive data like API keys. Learn how this attack targeted developers and how to protect yourself.

ABB Cylon FLXeon 9.3.4 (cert.js) Authenticated Root Remote Code Execution

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/cert endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the affected parameters. The issue arises due to improper input validation in cert.js, where user-supplied data is executed via ChildProcess.exec() without adequate sanitization.

GHSA-qwp8-x4ff-5h87: ZX Allows Environment Variable Injection for dotenv API

### Impact This vulnerability is an **Environment Variable Injection** issue in `dotenv.stringify`, affecting `google/zx` version **8.3.1**. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to **arbitrary command execution** or **unexpected behavior** in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through `dotenv.stringify` are particularly vulnerable. ### Patches This issue has been **patched** in version **8.3.2**. Users should **immediately upgrade** to this version to mitigate the vulnerability. ### Workarounds If upgrading is not feasible, users can mitigate the vulnerability by **sanitizing user-controlled environment variable values** before passing them to `dotenv.stringify`. Specifically, avoid using `"`, `'`, and backticks in values, or enforce strict validation of environment variables before u...