#auth

### Impact During recovery, a Coordinator only verifies that a given recovery key decrypts the sealed state, not if this key was provided by a party with access to one of the recovery keys defined in the manifest. This allows an attacker to manually craft a sealed state using their own recovery keys, and a manifest that does not match the rest of the state. If network traffic is redirected from the legitimate coordinator to the attacker's Coordinator, a remote party is susceptible to impersonation if they verify the Coordinator without comparing the root certificate of the Coordinator against a trusted reference. Under these circumstances, an attacker can trick a remote party into trusting the malicious Coordinator by presenting a manifest that does not match the actual state of the deployment. This issue does **not** affect the following: * secrets and state of the legitimate Coordinator instances * integrity of workloads * certificates chaining back to the legitimate Coordinator...

Ransomware actors are offering individuals millions to turn on their employers and divulge private company information, in a brand-new cybercrime tactic.

Funnull CDN rents IPs from legitimate cloud service providers and uses them to host criminal websites, continuously cycling cloud resources in and out of use and acquiring new ones to stay ahead of cyber-defender detection.

The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of users that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities shows their apparent co-founders quite openly operate an Internet service provider and a pair of e-commerce platforms catering to buyers and sellers on both forums.

### Summary Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. ### Details When [`api` option](https://vitest.dev/config/#api) is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin header and did not have any authorization mechanism and was vulnerable to CSWSH attacks. https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L32-L46 This WebSocket server has `saveTestFile` API that can edit a test file and `rerun` API that can rerun the tests. An attacker can execute arbitrary code by injecting a code in a test file by the `saveTestFile` API and then running that file by calling the `rerun` API. https://github.com/vitest-dev/vitest/blob/9a581e1c43e5c02b11e2a8026a55ce6a8cb35114/packages/vitest/src/api/setup.ts#L66-L76 ### PoC 1. Open Vitest UI. 2. Access a malicious ...

### Summary `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by [`browser.api.host: true`](https://vitest.dev/guide/browser/config.html#browser-api), an attacker can send a request to that handler from remote to get the content of arbitrary files. ### Details This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130 This code was added by https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f. ### PoC 1. Create a directory and change the current directory to that directory 1. Run `npx vitest init browser` 1. Run `npm run test:browser` 2. Run `curl http://localhost:63315/__screenshot-error?file=/path/to/any/file` ### Impact Users explicitly exposing the browser mode server to th...

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/users/password endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the newPassword PUT parameter. The issue arises in users.js, where the new password is hashed and improperly escaped before being passed to ChildProcess.exec() within a usermod command, allowing out of band (blind) command injection.

Organizations and development teams need to evolve from "being prepared" to "managing the risk" of security breaches.

Austin, TX, USA, 4th February 2025, CyberNewsWire

About Remote Code Execution – Microsoft Configuration Manager (CVE-2024-43468) vulnerability. This vulnerability is from the October 2024 MSPT. Microsoft Configuration Manager (ConfigMgr) is used to manage large groups of computers, providing remote control, patch management, software distribution, operating system deployment, etc. According to Microsoft, the vulnerability allowed an unauthenticated attacker to execute commands at the […]