CND News and Blog
New Alerts for BD, NetApp, and Linux. BD: BD has published security updates for Alaris, Data Agent, and FACSymphony A3/A5/A1. More info. NetApp: NetApp has published 10 new bulletins identifying vulnerabilities in third-party software included in their products. Highest CVSSv3 score of 9.8. Two have patches. More info. Linux: SUSE has upd...
New Alerts for SysAid, Weidmüller, Johnson Controls, Microsoft Edge, and Linux. SysAid: A Path Traversal vulnerability has been exploited as a 0-day in SysAid On-Prem Software. CVSSv3 score of 9.8. More info. Weidmüller: Weidmüller products use WIBU CodeMeter Runtime. A heap buffer overflow vulnerability in Wibu CodeMeter Runtime network s...
New Alert for Atlassian. Enjoy the break, in my experience tomorrow/next week will make up for it... Atlassian: The Apache ActiveMQ RCE Vulnerability impacts Bamboo Data Center and Server. CVSSv3 score of 10. More info. Security Wizardry Cyber Threat Intelligence - The Radar Page https://radar.securitywizardry.com/ Security Wizardry Cyber...
New Alerts for Lanaccess, Softing, Dell, WithSecure, Google Chrome, and Linux. Lanaccess: An improper input validation vulnerability has been found in Lanaccess ONSAFE MonitorHM. This vulnerability could allow a remote attacker to exploit the checkbox element and perform remote code execution, compromising the entire infrastructure. CVSSv3 sco...
Monthly Patches are out for Google Android, Google Pixel, and Samsung. New Alerts for GE Gas Power, Hitachi, Dell, and Linux. GE Gas Power: GE Gas Power products include the vulnerable web UI feature of Cisco IOS XE Software, although the feature is not on by default. If you turned it on, turn it off. More info. Google: Google Monthly Patch...
Monthly Patches are out for Qualcomm and MediaTek. New Alerts for Samsung, FRRouting, QNAP, NetApp, Veeam, NextGen Healthcare, and Linux. Qualcomm: Qualcomm Monthly Patches are out, with 16 vulnerabilities, 4 rated Critical, 7 rated High, and 5 rated Medium. Highest CVSSv3 score of 9.8. More info. MediaTek: MediaTek Monthly Patches include ...
New Alerts for Weintek, Franklin Fueling System, Crimson, Microsoft Edge, Moxa, and Linux. Weintek: Weintek EasyBuilder Pro has a Use of Hard-coded Credentials vulnerability that could allow a remote attacker to obtain remote control of a victim's computer as a privileged user. CVSSv3 score of 9.8. More info. Franklin Fueling System: Frankl...
New Alerts for Cisco, VMware, IBM, Mitsubishi Electric, Moxa, Hitachi Energy, and Linux. Cisco: Cisco has published 24 new bulletins, 1 rated Critical, 9 rated High, and 14 rated Medium. Highest CVSSv3 score of 9.9. More info. Vulnerabilities in Cisco FTD Software could allow an unauthenticated, remote attacker to cause a DoS. CVSSv3 score of 8....
New Alerts for Zavio (Exploit), INEA, Tenable, IBM, Google Chrome, and Linux. Zavio (Exploit): Zavio IP Cameras contain several vulnerabilities, including Buffer Overflow and OS Command Injection. Highest CVSSv3 score of 9.8. EoL, Zavio is out of business, pick another product and replace. More info. INEA: INEA EME RTU contai...
New Alerts for Atlassian, Hitachi, D-Link, and Linux. Atlassian: An Improper Authorization vulnerability exists in Confluence Data Center and Server. CVSSv3 score of 9.1. More info. Hitachi: Cosminexus has been updated for Oracle Java. More info. D-Link: D-Link DSVS products contain 2 vulnerabilities that can be used for DDoS or RCE. Mor...
New Alerts for Apache ActiveMQ, ABB, Microsoft Edge, Dell, and NetApp. Apache: Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types. CVSSv3 score of 9.8. More info. ABB (Exploit): COM600 product firm...
New Alerts for Sielco (Exploit), Dingtian (Exploit), F5, BD, and IBM. Sielco (Exploit): Sielco PolyEco1000 contains several vulnerabilities, including Session Fixation, Improper Restriction of Excessive Authentication Attempts, Improper Access Control. Highest CVSSv3 score of 9.8. No response from vendor, exploit exists. More info. Analog FM Transmitters ...
New Alerts for Apple (Exploit), Tenable, Rockwell Automation, Meinberg, IBM, and Linux. Apple (Exploit): Apple has published updates for iOS, iPadOS, macOS, tvOS, watchOS, and Safari. One vulnerability is being exploited in older iOS versions. Highest CVSSv3 score of 9.8. More info. Tenable: Tenable has updated Nessus Network Monitor with updates f...
New Alerts for Google Chrome, VMware, Mozilla, Tenable, SICK, IBM, F5, and OpenSSL. Google: Google has updated Chrome for Desktop with 2 security fixes. More info. VMware: vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. Highest CVSSv3 base score of 9.8. More info. Mozilla: Mozi...
New Alerts for VMware, Bosch, Squid, and Linux. VMware: Aria Operations for Logs contains an authentication bypass vulnerability. CVSSv3 score of 8.1. More info. Bosch: The SLC-0-GPNT00300 from Bosch Rexroth contains technology from SICK AG, which contained an authentication bypass by capture-replay. Exploiting the vulnerability would allow...
New Alerts for Cisco, Microsoft Edge, IBM, HP, NETGEAR, and Linux. Cisco: Cisco has begun patching their products for the IOS XE Software bug reported 16 October, CVSSv3 score of 10. These patches are in the most current version, older versions are TBD, and then there will be the products that use IOS XE Software as their base. More info. Micro...
New Alerts for VMware, Baker Hughes, Yokogawa, GE Gas Power, NetApp, and Linux. VMware: VMware Aria Operations for Logs contains an authentication bypass vulnerability and a deserialization vulnerability. CVSSv3 score of 8.1. More info. Baker Hughes: Baker Hughes – Bently Nevada 3500 System TDI Firmware has a vulnerability in the password r...
New Alerts for Google ChromeOS, Apache HTTP Server, and Dell. Google: Google has updated ChromeOS and ChromeOS Flex to fix an unspecified number of security vulnerabilities, some rated Critical. More info. Apache: Apache HTTP Server has been updated with 3 security fixes, 1 rated Moderate (HTTP/2 Rapid Reset) and 2 rated Low. More info. Del...
New Alerts for Sophos, Atlassian, Google Chrome, Rockwell Automation (Exploit), Dell, and Linux. Sophos: Sophos has fixed a password disclosure vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall when the password type is set to "specified by sender". Sophos has fixed. CVSSv3 score of 6.5. More info. Atlassian: Atlassian has...
Oracle Quarterly Patches are out today. New Alerts for Cisco (Exploit), Paessler, IBM, and Linux. Cisco (Exploit): Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet. This vulnerability allows a remote attacker to create an account on an affected syste...