Latest News

This spring has seen another spate of stories about juice jacking, including a new, more sophisticated form of attack. But how much of a threat is it, really?

Europol targets extremist online content exploiting minors, tackling rising use of AI, propaganda, and grooming across Europe’s digital platforms.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 4.6 ATTENTION: Low attack complexity Vendor: Schneider Electric Equipment: EcoStruxure Power Build Rapsody Vulnerability: Stack-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution on the affected device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Schneider Electric product is affected: EcoStruxure Power Build Rapsody: v2.7.12 FR and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121 Stack-based Buffer Overflow vulnerability exists that could cause local attackers being able to exploit these issues to potentially execute arbitrary code while the end user opens a malicious project file (SSD file) provided by the attacker. CVE-2025-3916 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). A CVSS v4 score has also been...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Wiser AvatarOn 6K Freelocate, Wiser Cuadro H 5P Socket Vulnerability: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to inject code or bypass authentication. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Schneider Electric products are affected: Wiser AvatarOn 6K Freelocate: All versions Wiser Cuadro H 5P Socket: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Out-of-bounds Write, Download of Code Without Integrity Check vulnerability in Silicon Labs Gecko Bootloader on ARM (Firmware Update File Parser modules) allows Code Injection, Authentication Bypass. This issue affects "Standalon...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: MELSEC iQ-F Series Vulnerability: Improper Validation of Specified Index, Position, or Offset in Input 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to read confidential information, cause a denial-of-service condition, or stop operations by sending specially crafted packets. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Mitsubishi Electric MELSEC iQ-F Series are affected. Products with [Note *1] are sold in limited regions: FX5U-xMy/z x=32, 64, 80, y=T, R, z=ES,DS, ESS, DSS: All versions FX5UC-xMy/z x=32, 64, 96, y=T, z=D, DSS: All versions FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: All versions FX5UJ-xMy/z x=24, 40, 60, y=T, R, z=ES,DS,ESS,DSS: All versions FX5UJ-xMy/ES-A[Note *1] x=24, 40, 60, y=T, R: All versions FX5S-xMy/z x=30, 40, 60, 80[Note *1], y=T, R, z= ES,DS,ESS,...

In the wake of high-profile attacks on UK retailers Marks & Spencer and Co-op, Scattered Spider has been all over the media, with coverage spilling over into the mainstream news due to the severity of the disruption caused — currently looking like hundreds of millions in lost profits for M&S alone.  This coverage is extremely valuable for the cybersecurity community as it raises

A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim's contacts list. "Recent

Google has revealed that it will no longer trust digital certificates issued by Chunghwa Telecom and Netlock citing "patterns of concerning behavior observed over the past year." The changes are expected to be introduced in Chrome 139, which is scheduled for public release in early August 2025. The current major version is 137.  The update will affect all Transport Layer Security (TLS)

Microsoft and CrowdStrike have announced that they are teaming up to align their individual threat actor taxonomies by publishing a new joint threat actor mapping. "By mapping where our knowledge of these actors align, we will provide security professionals with the ability to connect insights faster and make decisions with greater confidence," Vasu Jakkal, corporate vice president at Microsoft

### Impact When using end-to-end encryption, a stored XSS vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every time someone opens the upload list, the script is then parsed. With the affected versions <v2.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users with <v2.0. Nethertheless with XSS, other attack vectors like redirection or crypto mining would be possble. ### Patches This CVE has been fixed in v2.0.0 ### Workarounds If you are the only authenticated user using Gokapi, you are not affected. A workaround would be to disable end-to-end encryption.