Security
Headlines
HeadlinesLatestCVEs

Tag

#web

20 Million OpenAI accounts offered for sale

A cybercriminal calling themselves emirking is offering 20 million OpenAI accounts for sale on a Dark Web forum

Malwarebytes
#vulnerability#web#microsoft#auth
ABB Cylon FLXeon 9.3.4 (wsConnect.js) WebSocket Command Spawning PoC

The ABB Cylon FLXeon BACnet controller is vulnerable to an unauthenticated WebSocket implementation that allows an attacker to execute the tcpdump command. This command captures network traffic and filters it on serial ports 4855 and 4851, which are relevant to the device's services. The vulnerability can be exploited in a loop to start multiple instances of tcpdump, leading to resource exhaustion, denial of service (DoS) conditions, and potential data exfiltration. The lack of authentication on the WebSocket interface allows unauthorized users to continuously spawn new tcpdump processes, amplifying the attack's impact.

ABB Cylon FLXeon 9.3.4 (runtimeSetup.sh) Hidden Backdoor Account

The application has a hidden administrative account 'cxpro' that has write access permissions to the device.

S. Korea’s Notorious Sex Crime Hub Ya-moon Hacked, User Data Leaked

Ya-moon, S. Korea’s notorious sex crime hub operating since 1990, hacked; user data leaked, exposing CSAM, exploitation, and illicit activities.

7AI Streamlines Security Operations With Autonomous AI Agents

Cybereason co-founders launch their second act with a security startup focused on offering a platform that uses agentic AI to offload repetitive tasks commonly performed by security analysts.

Researcher Outsmarts, Jailbreaks OpenAI's New o3-mini

OpenAI's latest tech can reason better than its previous models could, but not well enough to ferret out careful social engineering.

Experts Flag Security, Privacy Risks in DeepSeek AI App

New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three "free" downloads for Apple and Google devices since their debut on Jan. 25, 2025. But experts caution that many of DeepSeek's design choices -- such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies -- introduce a number of glaring security and privacy risks.

DeepSeek Phishing Sites Pursue User Data, Crypto Wallets

Riding the wave of notoriety from the Chinese company's R1 AT chatbot, attackers are spinning up lookalike sites for different malicious use cases.

Changing the tide: Reflections on threat data from 2024

Thorsten examines last year’s CVE list and compares it to recent Talos Incident Response trends. Plus, get all the details on the new vulnerabilities disclosed by Talos’ Vulnerability Research Team.

GHSA-2hjh-495w-hmxc: Sylius allows unrestricted brute-force attacks on user accounts

A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users.