Latest News

The ABB BMS/BAS controller is operating with default and hard-coded credentials contained in install package while exposed to the Internet.

Mozilla has introduced a feature called Privacy Preserving Attribution and turned it on by default, much to the chagrin of a privacy watchdog.

Imagine trying to find a needle in a haystack, but the haystack is on fire, and there are a million other needles you also need to find. That's what dealing with security alerts can feel like. SIEM was supposed to make this easier, but somewhere along the way, it became part of the problem. Too many alerts, too much noise, and not enough time to actually stop threats. It's time for a change.

Threat actors with ties to North Korea have been observed leveraging two new malware strains dubbed KLogEXE and FPSpy. The activity has been attributed to an adversary tracked as Kimsuky, which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima. "These samples enhance Sparkling Pisces' already extensive arsenal

As Israel intensifies its attacks on Lebanon, eerie messages have been arriving on the phones of civilians on both sides of the border, with authorities in each country accusing the other of psychological warfare.

League of Legends fans beware! A new malware campaign targeting the League of Legends World Championship is spreading…

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Low attack complexity Vendor: Advantech Equipment: ADAM-5550 Vulnerabilities: Weak Encoding for Password, Cross-site Scripting 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow a remote attacker to intercept the easily decodable credentials of a legitimate user to gain full access to the device and could plant malicious code on the web page of the device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Advantech's ADAM, are affected: Advantech ADAM 5550: All versions 3.2 Vulnerability Overview 3.2.1 WEAK ENCODING FOR PASSWORD CWE-261 User credentials are shared with a low level of encryption, consisting of base 64 encoding. CVE-2024-37187 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). A CVSS v4 score has also been calculated for CVE-2024-37187. A base score of 6.8 has been c...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Low attack complexity Vendor: goTenna Equipment: Pro series Vulnerabilities: Weak Password Requirements, Insecure Storage of Sensitive Information, Missing Support for Integrity Check, Cleartext Transmission of Sensitive Information, Improper Restriction of Communication Channel to Intended Endpoints, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Weak Authentication, Insertion of Sensitive Information Into Sent Data, Observable Response Discrepancy, Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality and integrity of the communications between the affected devices. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of goTenna Pro series, mesh networking device, are affected: goTenna Pro App: versions 1.6.1 and prior 3.2 Vulnerability Overview 3.2.1 Weak Password Requirements CWE...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity Vendor: Advantech Equipment: ADAM-5630 Vulnerabilities: Use of Persistent Cookies Containing Sensitive Information 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to hijack a legitimate user's session, perform cross-site request forgery, or cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Advantech's ADAM are affected: Advantech ADAM-5630: versions prior to v2.5.2 3.2 Vulnerability Overview 3.2.1 USE OF PERSISTENT COOKIES CONTAINING SENSITIVE INFORMATION CWE-539 Cookies of authenticated users remain as active valid cookies when a session is closed. Forging requests with a legitimate cookie, even if the session was terminated, allows an unauthorized attacker to act with the same level of privileges of the legitimate user. CVE-2024-39275 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been ...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.1 ATTENTION: Low attack complexity Vendor: goTenna Equipment: Pro ATAK Plugin Vulnerabilities: Weak Password Requirements, Insecure Storage of Sensitive Information, Missing Support for Integrity Check, Cleartext Transmission of Sensitive Information, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Weak Authentication, Insertion of Sensitive Information Into Sent Data, Observable Response Discrepancy, Insertion of Sensitive Information Into Sent Data 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality and integrity of the communications between the affected devices. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of goTenna Pro ATAK Plugin, a mesh networking device, are affected: goTenna Pro ATAK Plugin: Versions 1.9.12 and prior 3.2 Vulnerability Overview 3.2.1 Weak Password Requirements CWE-521 The goTenna Pro ATAK Plugin uses a wea...