SecLists.Org Security Mailing List Archive

Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe to nmap-dev here.

• Current Quarter
• Archived Posts
• RSS Feed
• About List
• nmap-devLatest Posts

Re: .NET Wrapper for Npcap Verde Denim (Jun 11)
Stop

.NET Wrapper for Npcap Altaffer, Steven via dev (Jun 11)
Not sure if this is off topic, Npcap took me to this mail list.

We developed a Visual C# app using Winpcap and PcapDotNet v1.0.4 wrapper to allow integrating into the C# project. I
have performed several searches for the equivalent wrapper or C++/CLI project for Npcap with no luck. If someone knows
of one out there, I would appreciate a link.

Thanks

Steve Altaffer - Donatech Corp

Issue with ssh2-enum-algos? Frank Bergmann (Jun 08)
Hi,

while playing around with the ssh protocol I noticed that ssh2-enum-algos
lists different algorithms for kex_algorithms, encryption_algorithms and
mac_algorithms than what I get from the same ssh server.

I also made a test with ssh itself for encryption_algorithms and it did show
up exactly the same list like I get with my own tool.
ssh2-enum-algos shows also aes256-cbc which doesn't appear in my tool and in
ssh client:

$...

Windows 10/11: Ncat: A message sent on a datagram socket was larger than the internal message buffer ... Ken Kayser (Feb 20)
*Describe the bug*
When listening to a port with ncat, as soon as a UDP packet is received, I
receive a constant stream of errors with the following text: "Ncat: A
message sent on a datagram socket was larger than the internal message
buffer or some other network limit, or the buffer used to receive a
datagram into was smaller than the datagram itself. ."

*To Reproduce*

1. In either a Windows command line or Powershell I enter...

Reverse DNS (issue #3007) Matteo Nicoli (Feb 13)
Hi all,

I noticed a cool feature proposal on GitHub (issue 3007 <https://github.com/nmap/nmap/issues/3007>). It basically
suggests a new feature for returning the (complete) list of DNS records obtained — through reverse DNS lookups — from
an IP address. If it matches with the map product roadmap, I’d like to start implementing it. Is there some maintainer
who could give me a brief feedback about it?

Cheers,
Matteo

Re: Mail stoppage Gordon Fyodor Lyon (Feb 12)
Yes, this was my fault. Mail to the Nmap dev list from non-subscribers
goes through moderation to keep out the spam. I regularly go through the
moderation queue to find and approve the "real" messages, but I was a bit
slow this time. We strongly recommend that folks posting to the list first
subscribe to it. This avoids the moderation delay and prevents them from
missing any responses which might only be sent to the list.

Cheers,...

Mail stoppage Dave Close (Feb 12)
Several messages received today seem to have been stuck on nmap.org for
up to a month. Example (edited for clarity):

Version: 7.94+SVN TypeError: Couldn't find foreign struct converter for 'cairo.Context' Hendrick Halim (Feb 12)
Version: 7.94+SVN
TypeError: Couldn't find foreign struct converter for 'cairo.Context'

topology tab crash Genny and Doug Kent (Feb 12)
zenmap crashes when topology tab clicked.

Output message below

Version: 7.94+SVN
TypeError: Couldn't find foreign struct converter for 'cairo.Context'

Doug Kent

PR #2954, Fix out of bounds reads in packet parsing Domen Puncer Kugler via dev (Feb 12)
Hi,

I've submitted a pull request a few months ago:
https://github.com/nmap/nmap/pull/2954

The PR includes following three commits:
- Fix out of bounds read in HopByHopHeader::validate
- Fix out of bounds read in PacketParser::split
- Add AFL test code for PacketParser

This was found as a part of a short Hackathon at NCC Group.
As far as I can tell, there is no security impact, but it would still be nice
to see this fixed.

Kind regards

High-Priority HTML Parsing script astrotoki via dev (Feb 12)
Hello,

I noticed that under the high priority script ideas was the need for a library that parses HTML info from sites. I
wrote a script that uses a web crawler and extracts html info from attached pages and accompanying urls within the html
body. Let me know if this is what yall were after?

Thanks!
Ryan LaPierre <Astro>_______________________________________________
Sent through the dev mailing list...

URL Pathfinder astrotoki via dev (Feb 12)
Hello all!

I just wrote up another script, trying to practice and maybe have some added to the master list for nmap. This script
enumerates possible hidden path extensions on urls. As always, Id love input on it, changes or updates.

Thanks all!
Ryan LaPierre <Astro>_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/

Null Byte Poisoning NSE astrotoki via dev (Feb 12)
Here is my submission of a script I wrote that should test a site for null byte poisoning vulnerabilities._______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/

Re: First Go astrotoki via dev (Feb 12)
Here is an updated version with more XSS patterns integrated into it. As well as some clean up!

I also created a separate .lua with just the http crawler function.

Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/

First Go astrotoki via dev (Feb 12)
Hello!,

I just started learning Lua for writing NSEs and had a go at a HTTP crawler that identifies XSS vulnerabilities on
sites. I used Juice-Shop OWASP to confirm it works. (Thats why the source code uses port 3000 in addition to 80) Id
love feedback! Doing my best to learn as much as I can. I attached the http_xss_crawler.nse below!

PS. I had used ChatGPTo1 and Github CoPilot to aid in debugging and syntax issues. The overall code is my...

Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe to stay informed.

• Current Year
• Archived Posts
• RSS Feed
• About List
• nmap-announceLatest Posts

Npcap Version 1.82 Released with VLAN Tagging and More Gordon Fyodor Lyon (Apr 28)
Dear Nmap Community,

In preparation for an imminent Nmap release (hopefully this week!), we have
released Version 1.82 of our Npcap Windows packet capture and transmission
driver. It builds upon the recent 1.81 release to add support for VLAN
tagging. This allows you to select for packets directed to a certain VLAN
or just inspect the VLAN headers on any packets received. It's especially
useful for Wireshark users. You can also now send...

Nmap 7.95 released: OS and service detection signatures galore! Gordon Fyodor Lyon (May 05)
Dear Nmap Community,

I just arrived in San Francisco for the RSA conference and am delighted to
announce our Nmap Version 7.95 release! I'm most excited that we finally
tackled our backlog of OS and service detection fingerprint submissions.
We're not talking about dozens or hundreds of them-we processed more than
6,500 fingerprints!

For OS detection, we added 336 signatures, bringing the new total to 6,036.
Additions include iOS 15...

Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

• Current Month
• Archived Posts
• RSS Feed
• About List
• fulldisclosureLatest Posts

: "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885) josephgoyd via Fulldisclosure (Jun 17)
"Glass Cage" – Sophisticated Zero-Click iMessage Exploit ChainEnabling Persistent iOS Compromise and Device Bricking

CVE-2025-24085, CVE-2025-24201(CNVD-2025-07885)

Author: Joseph Goydish II
Date: 06/10/2025
Release Type: Full Disclosure
Platform Affected: iOS 18.2 (confirmed zero-day at time of discovery)
Delivery Vector: iMessage (default configuration)
Impact: Remote Code Execution, Privilege Escalation, Keychain Exfiltration,...

SEC Consult SA-20250612-0 :: Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer) SEC Consult Vulnerability Lab via Fulldisclosure (Jun 17)
SEC Consult Vulnerability Lab Security Advisory < 20250612-0 >
=======================================================================
title: Reflected Cross-Site Scripting
product: ONLYOFFICE Docs (DocumentServer)
vulnerable version: <=8.3.1
fixed version: 8.3.2 or higher
CVE number: CVE-2025-5301
impact: Medium
homepage: https://www.onlyoffice.com/...

SEC Consult SA-20250611-0 :: Undocumented Root Shell Access on SIMCom SIM7600G Modem SEC Consult Vulnerability Lab via Fulldisclosure (Jun 17)
SEC Consult Vulnerability Lab Security Advisory < 20250611-0 >
=======================================================================
title: Undocumented Root Shell Access
product: SIMCom - SIM7600G Modem
vulnerable version: Firmware Revision: LE20B03SIM7600M21-A
fixed version: -
CVE number: CVE-2025-26412
impact: Medium
homepage: https://www.simcom.com...

Call for Applications: ERCIM STM WG 2025 Award for the Best Ph.D. Thesis on Security and Trust Management (July 31, 2025) 0610648533 (Jun 17)
========================================================================

CALL FOR APPLICATIONS

ERCIM STM WG 2025 Award for the

Best Ph.D. Thesis on Security and Trust Management

========================================================================

The European Research Consortium in Informatics and Mathematics (ERCIM)
has a technical WG on Security and Trust Management (STM) for performing
a series of activities, as research projects,...

SEC Consult SA-20250604-0 :: Local Privilege Escalation and Default Credentials in INDAMED - MEDICAL OFFICE (Medical practice management) Demo version SEC Consult Vulnerability Lab via Fulldisclosure (Jun 09)
SEC Consult Vulnerability Lab Security Advisory < 20250604-0 >
=======================================================================
title: Local Privilege Escalation and Default Credentials
product: INDAMED - MEDICAL OFFICE (Medical practice management)
Demo version
vulnerable version: Revision 18544 (II/2024)
fixed version: Q2/2025 (Privilege Escalation, Default Password)...

Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain → Secure Enclave Key Theft, Wormable RCE, Crypto Theft josephgoyd via Fulldisclosure (Jun 09)
Hello Full Disclosure,

This is a strategic public disclosure of a zero-click iMessage exploit chain that was discovered live on iOS 18.2 and
remained unpatched through iOS 18.4. It enabled Secure Enclave key theft, wormable remote code execution, and
undetectable crypto wallet exfiltration. Despite responsible disclosure, the research was suppressed by the vendor.
Apple issued a silent fix in iOS 18.4.1 (April 2025) without public...

Defense in depth -- the Microsoft way (part 89): user group policies don't deserve tamper protection Stefan Kanthak (Jun 03)
Hi @ll,

user group policies are stored in DACL-protected registry keys
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
respectively [HKEY_CURRENT_USER\Software\Policies] and below, where
only the SYSTEM account and members of the "Administrators" user group
are granted write access.

At logon the user's registry hive "%USERPROFILE%\ntuser.dat" is loaded
with exclusive (read, write and...

CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP Project v1.0 Sanjay Singh (Jun 03)
Hello Full Disclosure list,

I am sharing details of a newly assigned CVE affecting an open-source
educational software project:

------------------------------------------------------------------------
CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP
Project v1.0
------------------------------------------------------------------------

Product: CloudClassroom PHP Project
Vendor:...

ERPNext v15.53.1 Stored XSS in bio Field Allows Arbitrary Script Execution in Profile Page Ron E (Jun 03)
An authenticated attacker can inject JavaScript into the bio field of their
user profile. When the profile is viewed by another user, the injected
script executes.

*Proof of Concept:*

POST
/api/method/frappe.desk.page.user_profile.user_profile.update_profile_info
HTTP/2
Host: --host--

profile_info={"bio":"\"><img src=x onerror=alert(document.cookie)>"}

ERPNext v15.53.1 Stored XSS in user_image Field Allows Script Execution via Injected Image Path Ron E (Jun 03)
An authenticated user can inject malicious JavaScript into the user_image
field of the profile page using an XSS payload within the file path or HTML
context. This field is rendered without sufficient sanitization, allowing
stored script execution in the context of other authenticated users.

*Proof of Concept:*POST
/api/method/frappe.desk.page.user_profile.user_profile.update_profile_info
HTTP/2
Host: --host--...

Local information disclosure in apport and systemd-coredump Qualys Security Advisory via Fulldisclosure (Jun 03)
Qualys Security Advisory

Local information disclosure in apport and systemd-coredump
(CVE-2025-5054 and CVE-2025-4598)

========================================================================
Contents
========================================================================

Summary
Mitigation
Local information disclosure in apport (CVE-2025-5054)
- Background
- Analysis
- Proof of concept
Local information disclosure in systemd-coredump...

Stored XSS via File Upload - adaptcmsv3.0.3 Andrey Stoykov (Jun 03)
# Exploit Title: Stored XSS via File Upload - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS via File Upload #1:

Steps to Reproduce:

1. Login with low privilege user and visit "Profile" > "Edit Your Profile"

2. Click on "Choose File" and upload the following file

html-xss.html

<!DOCTYPE html>...

IDOR "Change Password" Functionality - adaptcmsv3.0.3 Andrey Stoykov (Jun 03)
# Exploit Title: IDOR "Change Password" Functionality - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

IDOR "Change Password" Functionality #1:

Steps to Reproduce:

1. Login as user with low privilege and visit profile page
2. Select "Edit Your Profile" and click "Submit"
3. Trap the HTTP POST request
4. Set...

Stored XSS "Send Message" Functionality - adaptcmsv3.0.3 Andrey Stoykov (Jun 03)
# Exploit Title: Stored XSS "Send Message" Functionality - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS "Send Message" Functionality #1:

Steps to Reproduce:

1. Login as normal user and visit "Profile" > "Message" > "Send Message"
2. In "Message" field enter the...

Authenticated File Upload to RCE - adaptcmsv3.0.3 Andrey Stoykov (Jun 03)
# Exploit Title: Authenticated File Upload to RCE - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Authenticated File Upload to RCE #1:

Steps to Reproduce:

1. Login as admin user and visit "System" > "Appearance" > "Themes" >
"Default" > "Theme Files" and choose "Add New File"...

Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

• Archived Posts
• RSS Feed
• About List

Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.

• Archived Posts
• RSS Feed
• About List

Penetration Testing — While this list is intended for "professionals", participants frequenly disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.

• Archived Posts
• RSS Feed
• About List

Info Security News — Carries news items (generally from mainstream sources) that relate to security.

• Archived Posts
• RSS Feed
• About List

Firewall Wizards — Tips and tricks for firewall administrators

• Archived Posts
• RSS Feed
• About List

IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list

• Archived Posts
• RSS Feed
• About List

Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.

• Archived Posts
• RSS Feed
• About List

Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

• Current Quarter
• Archived Posts
• RSS Feed
• About List
• dailydaveLatest Posts

On becoming a carpenter Dave Aitel via Dailydave (Jun 12)
[image: image.png]

Every so often I poke my head out, gopher-like, from the tunnels where I am
furiously vibe-coding, or as it's going to be known a couple years from
now, coding. I think it's probably true that coding used to be a high
octane sport for concentration freaks as deep in the zone as a sperm whale
hunting giant squid by listening to the faint echoes of pings off squishy
bodies leagues away. But coding is now a juggling...

Re: Typey typey Jordan Wiens via Dailydave (May 30)
Worth pointing out that the RE//verse videos are also online though I don't
think we advertised it super well:

https://www.youtube.com/watch?v=yzcNJn_EOwg&list=PLBKkldXXZQhAW5QKjUQOUWaMAHAxDtgio

Typey typey Dave Aitel via Dailydave (May 27)
https://www.linkedin.com/mwlite/feed/posts/daveaitel_for-the-offensive-information-professionals-activity-7331470514927865856-
<https://www.linkedin.com/mwlite/feed/posts/daveaitel_for-the-offensive-information-professionals-activity-7331470514927865856-yRnO>
yRnO

So I wanted to point this contracting gig out because I think it's a good
opportunity for someone who can do quick vulnerability triage and either
replicate or disprove that...

Announcing the Parity Release of Volatility 3 and the Deprecation of Volatility 2 Andrew Case via Dailydave (May 27)
The Volatility Team is very excited to announce the official Parity
Release of Volatility 3!

This release is not only capable of fully replacing all of Volatility
2’s features, but it also incorporates support for all the latest
operating system versions plus all the latest memory forensics
research.

With this release, Volatility 2 is now deprecated, and its GitHub
project has been archived.

Our announcement blog post details the new...

Re: Typey typey Dave Aitel via Dailydave (May 27)
https://www.linkedin.com/jobs/view/4233405535/

I am bad at links it seems ? Anyways, clicky clicky assuming you are the
type of person who uses Binja for fun and maybe a little bit of profit.

Also here is the OffensiveCon25 Youtube List - it's amazing to me they
managed to get these out so soon.
https://youtu.be/kF31SYIVob8?si=QWPps_--UsILr0mR

-dave

OpenAI Security Research Dave Aitel via Dailydave (Mar 28)
So a few things:
1. https://openai.com/index/security-on-the-path-to-agi/ I feel like this
blog is worth reading. :)
2. We're throwing a post-RSAC conference in SanFran to talk about AI and
Security (in particular, securing cybery things with AI) and if I'm very
lucky I'll even get to do a quick demo of the software I've been working
on, not that it will surprise anyone on this list! We have a few tickets
left I think and if...

Re: Cyber Reasoning Systems A K via Dailydave (Mar 28)
Have you already reviewed https://github.com/open-crs ?

Cyber Reasoning Systems Dave Aitel via Dailydave (Mar 04)
I continue to believe there are a lot of interesting questions around
building cyber reasoning systems for vuln finding. Even the very basics
seem hard to study and understand, and the eval datasets available
are....sparse or incomplete. For example, what you really want if you're
analyzing git repos is the commit a bug was introduced, and the commit it
was fixed. But usually you get "a commit where it maybe existed".

Likewise,...

on your child going to college in Christchurch, NZ and velvet worms Dave Aitel via Dailydave (Feb 11)
*on your child going to college in Christchurch, NZ and velvet worms*

By mid‑August the garden already practices absence — stems turning hollow,
the robin leaving its notes hanging in the air like torn corners of a song.
Under the chirp of palmetto bugs, a log eases itself back into earth.
Inside, hidden from the light, a velvet worm does the impossible: offers
herself to a spill of pale, blind threads. For days she is nothing but
hunger...

Re: (the root of the root and the bud of the bud) Sean Heelan via Dailydave (Jan 13)
As it happens, I’ve found the most effective way to use LLMs is to de-anthropomorphise them entirely and treat them
very like fuzzers (large scale generation of results, lots of false positives/nonsense, filtered by some oracle).

The “conversation with an AI” approach where you imagine yourself as having a single artificial brain to interact with
is (currently at least) practically far less useful than one in which you are content with...

Anthropological "Hacker" Map A K via Dailydave (Jan 13)
Hi all,

In the latest "Security Weekly" (https://www.youtube.com/watch?v=CXefYdEGW04
)
they present the Anthropological "Hacker" Map
https://wherewarlocksstayuplate.com/map/

While the map is incomplete (how can it ever be complete?), I think it is
one of the few times, outside of David Aitel's writings about the cross-cut
between the "underground" (for a lack of a better term) and subsequent
commercial...

Re: (the root of the root and the bud of the bud) Don A. Bailey via Dailydave (Jan 12)
I designed one of the first working fuzzers (albeit unintentionally) back
in the late 90's. I don't remember if I published it, but I still have the
code. It, however, worked - badly - but it worked. I was heavily flamed,
however, because as you stated - it was not hip. It only attacked
environment variable and command-line argument based vulnerabilities. But,
in the 90's and early 00's, we had no shortage of local suid-based...

Re: (the root of the root and the bud of the bud) Thomas Dullien via Dailydave (Jan 12)
Hey,

I have one quibble: We are using "reasoning" in a qualitative, not
descriptive, form here -- "fuzzing is or is not reasoning", "LLMs reason or
do not reason". I am not sure this is helpful. Fuzzing is empirically
successful at finding crashes. Somebody that needs to light a fire and
smashes two stones together until they throw sparks does not, once the fire
burns, need to justify that 'stones perform...

Re: (the root of the root and the bud of the bud) Darren Bounds via Dailydave (Jan 12)
Everything old is new and the way we reason is the same way LLMs reason. It's
not about looking for the same problem the same way it's about going to
searching for that flaw the same way with unlimited (nearly) resources.

Traditional human-led vulnerability research and discovery is, today, a short
lived venture.

Things will change very rapidly over the coming 24 months.

Memories and thoughts are the same thing, someone tried to...

(the root of the root and the bud of the bud) Dave Aitel via Dailydave (Jan 11)
Memories and thoughts are the same thing, someone tried to explain to me
recently. You have to think to remember, in other words. This is hard to
grasp for a lot of people because they *think *they have *memories*. They
wrongly think memory is a noun instead of a verb, which is ok in philosophy
and psychology but in cutting edge computer science we have to be precise
about these sorts of things.

Twenty-five years ago, when I first started...

PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.

• Archived Posts
• RSS Feed
• About List

Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.

• Archived Posts
• RSS Feed
• About List

Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.

• Archived Posts
• RSS Feed
• About List

Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community

• Archived Posts
• RSS Feed
• About List

CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.

• Archived Posts
• RSS Feed
• About List
• certLatest Posts

Apple Releases Security Updates for Multiple Products CISA (Mar 28)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated and is now available.

Apple Releases Security Updates for Multiple Products [
https://www.cisa.gov/news-events/alerts/2023/03/28/apple-releases-security-updates-multiple-products ] 03/28/2023 01:00
PM EDT

Apple...

CISA Releases Six Industrial Control Systems Advisories CISA (Mar 23)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.

CISA Releases Six Industrial Control Systems Advisories [
https://www.cisa.gov/news-events/alerts/2023/03/23/cisa-releases-six-industrial-control-systems-advisories ] 03/23/2023
08:00 AM EDT...

CISA Releases Eight Industrial Control Systems Advisories CISA (Mar 21)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.

CISA Releases Eight Industrial Control Systems Advisories [
https://www.cisa.gov/news-events/alerts/2023/03/21/cisa-releases-eight-industrial-control-systems-advisories ]
03/21/2023 08:00 AM...

CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management CISA (Mar 21)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.

CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management [...

Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community

• Current Quarter
• Archived Posts
• RSS Feed
• About List
• oss-secLatest Posts

[kubernetes] CVE-2025-4563: Nodes can bypass dynamic resource allocation authorization checks Rita Zhang (Jun 18)
Hello Kubernetes Community,

A vulnerability exists in the NodeRestriction admission controller where
nodes can bypass dynamic resource allocation authorization checks. When the
DynamicResourceAllocation feature gate is enabled, the controller properly
validates resource claim statuses during pod status updates but fails to
perform equivalent validation during pod creation. This allows a
compromised node to create mirror pods that access...

Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Olivier Fourdan (Jun 18)
Addendum to yesterday's X.Org Security Advisory for CVE-2025-49176:

There is another case where the BigRequest length can cause an overflow,
so that requires an additional fix:

Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/4fc4d76b

Thanks to Peter Harris for pointing this out.

A fix will be issued in xorg-server-21.1.18 and xwayland-24.1.8 shortly.

Re: CVE-2025-6019: LPE from allow_active to root in libblockdev via udisks Jakub Wilk (Jun 17)
* Qualys Security Advisory <qsa () qualys com>, 2025-06-17 20:00:

I reported this back in 2014:
https://bugs.debian.org/761600

[ANNOUNCE] Apache Traffic Server has an ACL issue, and also has a vulnerability in ESI processing Masakazu Kitajo (Jun 17)
Description:
Apache Traffic Server has an ACL issue, and also has a vulnerability in ESI
processing

CVE:
CVE-2025-31698 - Client IP address from PROXY protocol is not used for ACL
CVE-2025-49763 - Remote DoS via memory exhaustion in ESI Plugin

Reported By:
Masakazu Kitajo (CVE-2025-31698)
Yohann Sillam (CVE-2025-49763)

Vendor:
The Apache Software Foundation

Version Affected:
ATS 9.0.0 to 9.2.10
ATS 10.0.0 to 10.0.5

Mitigation:
9.x users...

Re: CVE-2025-6019: LPE from allow_active to root in libblockdev via udisks Simon McVittie (Jun 17)
The upcoming Debian 13 release no longer does this by default
(https://bugs.debian.org/1018260) and presumably neither do newer Ubuntu
releases.

I think the underlying problem here is that PAM has historically made it
ambiguous whether environment variables are trusted (trustable) or not.
The result is that some components (like pam_systemd's use of
XDG_SESSION_ID) behave as though the PAM environment is a trusted
channel through...

Re: CVE-2025-6019: LPE from allow_active to root in libblockdev via udisks Qualys Security Advisory (Jun 17)
Hi all,

Attached to this email are the two libblockdev/udisks patches that we
sent to the linux-distros@openwall last week.

Thank you very much! We are at your disposal for questions, comments,
and further discussions.

With best regards,

CVE-2025-6019: LPE from allow_active to root in libblockdev via udisks Qualys Security Advisory (Jun 17)
Qualys Security Advisory

CVE-2025-6018: LPE from unprivileged to allow_active in *SUSE 15's PAM
CVE-2025-6019: LPE from allow_active to root in libblockdev via udisks

========================================================================
Contents
========================================================================

Summary
CVE-2025-6018: LPE from unprivileged to allow_active in *SUSE 15's PAM
- Analysis
- Proof of concept
-...

Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Olivier Fourdan (Jun 17)
======================================================================
X.Org Security Advisory: June 17, 2025

Issues in X.Org X server prior to 21.1.17 and Xwayland prior to 24.1.7
======================================================================

Multiple issues have been found in the X server and Xwayland implementations
published by X.Org for which we are releasing security fixes for in
xorg-server-21.1.17 and xwayland-24.1.7.

1)...

[kubernetes] Race Condition in Go allows Volume Deletion in older Kubernetes versions Craig Ingram (Jun 17)
Hello Kubernetes Community,

The Go team has released a fix in Go versions 1.21.11 and 1.22.4 addressing
a symlink race condition when using os.RemoveAll. The Kubernetes Security
Response Committee received a report that this issue could be abused in
Kubernetes to delete arbitrary directories on a Node with root permissions
by a local non-root user with the same UID as the user in a Pod.

The Go team has not issued a CVE for this, as it is...

pam: pam_namespace local privilege escalation (CVE-2025-6020) BAL-PETRE Olivier (Jun 17)
Hello,

This is a report about a potential privilege escalation in the
pam_namespace.so PAM module. This module is one of the core PAM
modules from the linux-pam project [1].

The vulnerability has been fixed in linux-pam v1.7.1 [2] and is tracked
as CVE-2025-6020 and GHSA-f9p8-gjr4-j9gx [3].

In addition to upgrading to the latest version, users of pam_namespace
may want to update their namespace.init script if they do not use the
one provided...

5 security issues disclosed in libxml2 Alan Coopersmith (Jun 16)
As discussed in https://gitlab.gnome.org/GNOME/libxml2/-/issues/913 the
security policy of libxml2 has been changed to disclose vulnerabilities
before fixes are available so that people other than the maintainer can
contribute to fixing security issues in this library.

As part of this, the following 5 CVE's have been disclosed recently:

(CVE-2025-49794) Heap use after free (UAF) leads to Denial of service (DoS)...

CVE-2025-4748: Erlang/OTP 17.0–28.0.0 absolute-path traversal in zip:unzip/zip:extract Jonatan Männchen (Jun 16)
Hi all,

An absolute-path traversal flaw has been found in the Erlang/OTP
standard-library ZIP routines `zip:unzip/1,2` and `zip:extract/1,2`.
If the caller does **not** supply the `memory` option, archive entries whose
file names start with "/" are written to disk verbatim. An attacker can
therefore create or overwrite arbitrary files writable by the Erlang VM. The
issue is tracked as **CVE-2025-4748**.

### Affected releases

* 17.0...

CVE-2025-48976: Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers Gary D. Gregory (Jun 16)
Severity: important

Affected versions:

- Apache Commons FileUpload (commons-fileupload:commons-fileupload) 1.0 before 1.6
- Apache Commons FileUpload (org.apache.commons:commons-fileupload2) 2.0.0-M1 before 2.0.0-M4

Description:

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons
FileUpload.

This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1...

CVE-2025-49124: Apache Tomcat: exe side-loading via icalcs.exe in Tomcat installer for Windows Mark Thomas (Jun 16)
Severity: low

Affected versions:

- Apache Tomcat 11.0.0-M1 through 11.0.7
- Apache Tomcat 10.1.0 through 10.1.41
- Apache Tomcat 9.0.23 through 9.0.105

Description:

Untrusted Search Path vulnerability in Apache Tomcat installer for
Windows. During installation, the Tomcat installer for Windows used
icacls.exe without specifying a full path.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from
10.1.0 through 10.1.41, from...

CVE-2025-49125: Apache Tomcat: Security constraint bypass for pre/post-resources Mark Thomas (Jun 16)
Severity: moderate

Affected versions:

- Apache Tomcat 11.0.0-M1 through 11.0.7
- Apache Tomcat 10.1.0-M1 through 10.1.41
- Apache Tomcat 9.0.0.M1 through 9.0.105

Description:

Authentication Bypass Using an Alternate Path or Channel vulnerability
in Apache Tomcat. When using PreResources or PostResources mounted
other than at the root of the web application, it was possible to access
those resources via an unexpected path. That path was...

Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.

• Archived Posts
• RSS Feed
• About List

Educause Security Discussion — Securing networks and computers in an academic environment.

• Archived Posts
• RSS Feed
• About List

NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.

• Current Month
• Archived Posts
• RSS Feed
• About List
• nanogLatest Posts

Weekly Global IPv4 Routing Table Report Routing Table Analysis Role Account via NANOG (Jun 13)
This is an automated weekly mailing describing the state of the Global
IPv4 Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG
UKNOF, TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG.

Daily listings are sent to bgp-stats () lists apnic net.

For historical data, please see https://thyme.apnic.net.

If you have any comments please contact Philip Smith...

Re: LDP interop with RSVP and SR Andrey Kostin via NANOG (Jun 13)
Hi Saku,

IIRC, this kind of interop between RSVP and LDP used to be done via LDP
tunneling, although it requires LDP to be running on all routers and not
far from full-mesh tLDP approach.
Your idea looks neat and seems has already been implemented to certain
extend for SR-ISIS to RSVP-TE interaction. Quick googling gave me some
links:...

Re: AS18881 Telefonica Brazil contact Nielsen Kaezer via NANOG (Jun 11)
You can try

csa.cgpcarriers.br () telefonica com
carriers.br () telefonica com
csa.cgpcarriers () ATENTO com br

However, they require a circuit number.
Maybe they can give you a valid contact number.

Em sex., 6 de jun. de 2025 às 21:07, Marco Moock via NANOG <
nanog () lists nanog org> escreveu:

Re: IP Transit provider with Flowspec and NetFlow(sFlow) of dropped - Utopian? Saku Ytti via NANOG (Jun 11)
I wouldn't hold my breath, only very few will buy or use any value add
services. I suspect it would be difficult to even recover the
investment and support costs.

If in addition to blackholing communities we'd offer communities to
downgrade traffic, I expect almost no one would use it. In this
service you'd set QoS-downgrade BGP community on DADDR and get as much
dirty traffic in as you can without congesting any non-dirty...

IP Transit provider with Flowspec and NetFlow(sFlow) of dropped - Utopian? Douglas Fischer via NANOG (Jun 11)
Today, from the point of view of coordinating DDoS attack mitigation, the
biggest challenge is having a reference on whether the propagated external
actions are having results or not.
FlowSpec rules (or another method) are sent and we are left blind here, not
knowing what is happening there and in what volume.

It is no longer news that there are IP Transit Providers that support
Flowspec. Some limit it to 100 rules, some reach 500... And I am...

Root Zone DNSSEC Operational Update Wessels, Duane via NANOG (Jun 10)
Verisign, in its role as the root zone ZSK operator, is transitioning
to a new Hardware Security Module (HSM) product for the root zone's
Zone Signing Key (ZSK). The current HSM vendor, Ultra Intelligence &
Communications, has announced their KeyperPLUS will no longer be supported
by them. Verisign will use an HSM product from Thales for the root zone
ZSK going forward.

On July 1, 2025 we will begin using the Thales HSM to sign the root...

LACNOG 2025 – Call for Presentations Hernan Moguilevsky via NANOG (Jun 09)
LACNOG 2025 - Call for Presentations

LACNOG, the Latin American and Caribbean Network Operators Group, will
hold its LACNOG 2025 conference on 6 - 10 October 2025, together with
the LACNIC 44 event to be held in San Salvador, El Salvador.

Presentation formats include:

·Lightning talks: Brief, 10-minute presentations (including an
additional 5-minute space for questions).

·Presentations: 20-minute presentations (including an additional...

Freedom fi / Mosolabs CBRS EnB rest ? Faisal Imtiaz via NANOG (Jun 08)
Hello Everyone,

A bit of a long shot question, anyone knows how to reset a Freedomfi/Mosolabs Helium EnB so that they can be reused
for private LTE ?

Many thanks in advance !

Regards,

Faisal Imtiaz

Spoofer Report for NANOG for May 2025 CAIDA Spoofer Project via NANOG (Jun 08)
In response to feedback from operational security communities,
CAIDA's source address validation measurement project
(https://spoofer.caida.org) is automatically generating monthly
reports of ASes originating prefixes in BGP for systems from which
we received packets with a spoofed source address.
We are publishing these reports to network and security operations
lists in order to ensure this information reaches operational
contacts in these...

LDP interop with RSVP and SR Saku Ytti via NANOG (Jun 07)
I just want to double check that I'm not confused.

Since day1 we have had excellent LDP/SR interop, that is, for your SR
network, connecting LDP-only nodes or islands doesn't require soiling
your entire SR network with LDP state.

Do we really not have a similar solution for RSVP?

Let's imagine an RSVP-only network, where we add a single LDP-only speaker.

Instead of tLDP from every RSVPOnly to RSVPBorder and then LDP between...

Re: AS18881 Telefonica Brazil contact Marco Moock via NANOG (Jun 06)
Sadly, I didn't receive a reply.

STOP SPAM! AS3292/tdc.dk/tdk.net/Tele Danmark Soha Jin via NANOG (Jun 06)
Hi! AS3292/tdc.dk/tdk.net/Tele Danmark, are you watching the list?

Or is there anyone who knows people there?

Your mail system keeps spamming 200+ recipients in the last 14 hours,
all mails are sent from `peering () tdk net`.

On PeeringDB, the NOC address is also `peering () tdk net`. I have tried
contact you via email 10 hours ago.

The ticket system tries to reply EVERY email starting with `Re:`, but
your list, `peering () tdc dk`, is...

Weekly Global IPv4 Routing Table Report Routing Table Analysis Role Account via NANOG (Jun 06)
This is an automated weekly mailing describing the state of the Global
IPv4 Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG
UKNOF, TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG.

Daily listings are sent to bgp-stats () lists apnic net.

For historical data, please see https://thyme.apnic.net.

If you have any comments please contact Philip Smith...

NANOG 94 Starts Monday! Last Chance to Register for Hackathon, Workshops + More! Nanog News via NANOG (Jun 05)
*** The Countdown Begins!*
------------------------------------------------------------

*NANOG 94 will Kick-Off Monday*
Join us in person (June 9–11) or virtually from anywhere in the world. Have
you signed up for our workshops? Sign-up is available in NANOG 94 Agenda.

+ The Easy Way to IPv6: IPv6 Migration for Enterprises
+ RPKI Nuts and Bolts
+ IPv6 Clinic w/ AWS

REGISTER NOW (https://nanog.org/events/nanog-94/register/)

*** Final Call...

Tayga users? Andrew via NANOG (Jun 02)
Is anyone deploying Tayga in any capacity (production, test networks, at home, with clatd, …)?

I’ve decided to ‘adopt’ the open source project, given it’s ability to both be very standards compliant (at least to
the standards as they were in 2011), and act in virtually any translation-related role (not restricted to just CLAT or
just NAT64 or just SIIT)

But I’m interested in hearing how you are using it, what friction you have in...

Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating

• Archived Posts
• RSS Feed
• About List

The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.

• Current Quarter
• Archived Posts
• RSS Feed
• About List
• risksLatest Posts

Risks Digest 34.66 RISKS List Owner (May 29)
RISKS-LIST: Risks-Forum Digest Thursday 29 May 2025 Volume 34 : Issue 66

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.66>
The current issue can also be found at
<...

Risks Digest 34.65 RISKS List Owner (May 27)
RISKS-LIST: Risks-Forum Digest Tuesday 27 May 2025 Volume 34 : Issue 65

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.65>
The current issue can also be found at
<...

Risks Digest 34.63 RISKS List Owner (May 17)
RISKS-LIST: Risks-Forum Digest Saturday 17 May 2025 Volume 34 : Issue 63

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.63>
The current issue can also be found at
<...

Risks Digest 34.62 RISKS List Owner (May 11)
RISKS-LIST: Risks-Forum Digest Sunday 11 May 2025 Volume 34 : Issue 62

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.62>
The current issue can also be found at
<...

Risks Digest 34.61 RISKS List Owner (Apr 18)
RISKS-LIST: Risks-Forum Digest Friday 18 April 2025 Volume 34 : Issue 61

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.61>
The current issue can also be found at
<...

Risks Digest 34.60 RISKS List Owner (Apr 01)
RISKS-LIST: Risks-Forum Digest Tuesday 1 April 2025 Volume 34 : Issue 60

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.60>
The current issue can also be found at
<...

Risks Digest 34.58 RISKS List Owner (Mar 15)
RISKS-LIST: Risks-Forum Digest Saturday 15 Mar 2025 Volume 34 : Issue 58

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.58>
The current issue can also be found at
<...

Risks Digest 34.56 RISKS List Owner (Feb 16)
RISKS-LIST: Risks-Forum Digest Sunday 16 Feb 2025 Volume 34 : Issue 56

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.56>
The current issue can also be found at
<...

Risks Digest 34.54 RISKS List Owner (Feb 06)
RISKS-LIST: Risks-Forum Digest Thursday 6 Jan 2025 Volume 34 : Issue 54

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.54>
The current issue can also be found at
<...

Risks Digest 34.53 RISKS List Owner (Jan 26)
RISKS-LIST: Risks-Forum Digest Sunday 26 Jan 2025 Volume 34 : Issue 53

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.53>
The current issue can also be found at
<...

(no subject) RISKS List Owner (Jan 11)
Risks Digest 34.52

RISKS-LIST: Risks-Forum Digest Saturday 11 January 2025 Volume 34 : Issue 52

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.52>
The current issue can also be found at...

BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.

• Archived Posts
• RSS Feed
• About List
• datalossLatest Posts

Healthcare organizations face rising ransomware attacks – and are paying up Matthew Wheeler (Jun 03)
https://www.theregister.com/2022/06/03/healthcare-ransomware-pay-sophos/

Healthcare organizations, already an attractive target for ransomware given
the highly sensitive data they hold, saw such attacks almost double between
2020 and 2021, according to a survey released this week by Sophos.

The outfit's team also found that while polled healthcare orgs are quite
likely to pay ransoms, they rarely get all of their data returned if they
do...

A digital conflict between Russia and Ukraine rages on behind the scenes of war Matthew Wheeler (Jun 03)
https://wskg.org/npr_story_post/a-digital-conflict-between-russia-and-ukraine-rages-on-behind-the-scenes-of-war/

SEATTLE — On the sidelines of a conference in Estonia on Wednesday, a
senior U.S. intelligence official told British outlet Sky News that the
U.S. is running offensive cyber operations in support of Ukraine.

“My job is to provide a series of options to the secretary of defense and
the president, and so that’s what I do,” said...

Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network Matthew Wheeler (Jun 03)
https://thehackernews.com/2022/06/researchers-uncover-malware-controlling.html

The Parrot traffic direction system (TDS) that came to light earlier this
year has had a larger impact than previously thought, according to new
research.

Sucuri, which has been tracking the same campaign since February 2019 under
the name "NDSW/NDSX," said that "the malware was one of the top infections"
detected in 2021, accounting for more than...

FBI, CISA: Don't get caught in Karakurt's extortion web Matthew Wheeler (Jun 03)
https://www.theregister.com/2022/06/03/fbi_cisa_warn_karakurt_extortion/

The Feds have warned organizations about a lesser-known extortion gang
Karakurt, which demands ransoms as high as $13 million and, some
cybersecurity folks say, may be linked to the notorious Conti crew.

In a joint advisory [PDF] this week, the FBI, CISA and US Treasury
Department outlined technical details about how Karakurt operates, along
with actions to take,...

DOJ Seizes 3 Web Domains Used to Sell Stolen Data and DDoS Services Matthew Wheeler (Jun 02)
https://thehackernews.com/2022/06/doj-seizes-3-web-domains-used-to-sell.html

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of
three domains used by cybercriminals to trade stolen personal information
and facilitate distributed denial-of-service (DDoS) attacks for hire.

This includes weleakinfo[.]to, ipstress[.]in, and ovh-booter[.]com, the
former of which allowed its users to traffic hacked personal data and
offered a...

Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability Matthew Wheeler (Jun 02)
https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html

An advanced persistent threat (APT) actor aligned with Chinese state
interests has been observed weaponizing the new zero-day flaw in Microsoft
Office to achieve code execution on affected systems.

"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using
URLs to deliver ZIP archives which contain Word Documents that use the
technique,"...

US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command Matthew Wheeler (Jun 02)
https://www.three.fm/news/world-news/us-military-hackers-conducting-offensive-operations-in-support-of-ukraine-says-head-of-cyber-command/

US military hackers have conducted offensive operations in support of
Ukraine, the head of US Cyber Command has told Sky News.

In an exclusive interview, General Paul Nakasone also explained how "hunt
forward" operations were allowing the United States to search out foreign
hackers and identify...

SideWinder Hackers Launched Over a 1, 000 Cyber Attacks Over the Past 2 Years Matthew Wheeler (May 31)
https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html

An "aggressive" advanced persistent threat (APT) group known as SideWinder
has been linked to over 1,000 new attacks since April 2020.

"Some of the main characteristics of this threat actor that make it stand
out among the others, are the sheer number, high frequency and persistence
of their attacks and the large collection of encrypted and obfuscated...

Hackers are Selling US University Credentials Online, FBI Says Matthew Wheeler (May 31)
https://tech.co/news/hackers-are-selling-us-university-credentials-online-fbi-says

The Federal Bureau of Investigation has warned US universities and colleges
that it has found banks of login credentials and other data relating to VPN
access circulating on cybercriminals forums.

The fear is that such data will be sold and subsequently used by malicious
actors to orchestrate attacks on other accounts owned by the same students,
in the hope...

Interpol Nabs 3 Nigerian Scammers Behind Malware-based Attacks Matthew Wheeler (May 31)
https://thehackernews.com/2022/05/interpol-nabs-3-nigerian-scammers.html

Interpol on Monday announced the arrest of three suspected global scammers
in Nigeria for using remote access trojans (RATs) such as Agent Tesla to
facilitate malware-enabled cyber fraud.

"The men are thought to have used the RAT to reroute financial
transactions, stealing confidential online connection details from
corporate organizations, including oil and gas...

U.S. Warns Against North Korean Hackers Posing as IT Freelancers Matthew Wheeler (May 18)
https://thehackernews.com/2022/05/us-warns-against-north-korean-hackers.html

Highly skilled software and mobile app developers from the Democratic
People's Republic of Korea (DPRK) are posing as "non-DPRK nationals" in
hopes of landing freelance employment in an attempt to enable the regime's
malicious cyber intrusions.

That's according to a joint advisory from the U.S. Department of State, the
Department of the...

FBI and NSA say: Stop doing these 10 things that let the hackers in Matthew Wheeler (May 18)
https://www.zdnet.com/article/fbi-and-nsa-say-stop-doing-these-10-things-that-let-the-hackers-in/

Cyber attackers regularly exploit unpatched software vulnerabilities, but
they "routinely" target security misconfigurations for initial access, so
the US Cybersecurity and Infrastructure Security Agency (CISA) and its
peers have created a to-do list for defenders in today's heightened threat
environment.

CISA, the FBI and National...

Fifth of Businesses Say Cyber-Attack Nearly Broke Them Matthew Wheeler (May 18)
https://www.infosecurity-magazine.com/news/fifth-of-businesses-cyber-attack/

A fifth of US and European businesses have warned that a serious
cyber-attack nearly rendered them insolvent, with most (87%) viewing
compromise as a bigger threat than an economic downturn, according to
Hiscox.

The insurer polled over 5000 businesses in the US, UK, Ireland, France,
Spain, Germany, the Netherlands and Belgium to compile its annual Hiscox
Cyber...

Hacker And Ransomware Designer Charged For Use And Sale Of Ransomware, And Profit Sharing Arrangements With Cybercriminals Matthew Wheeler (May 18)
https://www.shorenewsnetwork.com/2022/05/16/hacker-and-ransomware-designer-charged-for-use-and-sale-of-ransomware-and-profit-sharing-arrangements-with-cybercriminals/

A criminal complaint was unsealed today in federal court in Brooklyn, New
York, charging Moises Luis Zagala Gonzalez (Zagala), also known as
“Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” a citizen of France and
Venezuela who resides in Venezuela, with attempted...

State of Ransomware shows huge growth in threat and impacts Matthew Wheeler (May 04)
https://www.continuitycentral.com/index.php/news/technology/7275-state-of-ransomware-shows-huge-growth-in-threat-and-impacts

Sophos has released its annual survey and review of real-world ransomware
experiences in its ‘State of Ransomware 2022’ report. This shows that 66
percent of organizations surveyed were hit with ransomware in 2021, up from
37 percent in 2020.

The average ransom paid by organizations that had data encrypted in their...

Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool

• Archived Posts
• RSS Feed
• About List

Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.

• Archived Posts
• RSS Feed
• About List

Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

• Current Quarter
• Archived Posts
• RSS Feed
• About List
• snortLatest Posts

Snort Subscriber Rules Update 2025-06-18 Research via Snort-sigs (Jun 18)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the malware-cnc and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-06-17 Research via Snort-sigs (Jun 17)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-06-12 Research via Snort-sigs (Jun 12)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the browser-chrome,
deleted, file-office and server-webapp rule sets to provide coverage
for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-06-10 Research via Snort-sigs (Jun 10)
Talos Snort Subscriber Rules Update

Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2025-32713:
A coding deficiency exists in Microsoft Windows Common Log File System
Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with:
Snort 2: GID 1, SID 1:65038, 1:65039,...

Snort Subscriber Rules Update 2025-06-05 Research via Snort-sigs (Jun 05)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the os-linux, os-windows
and server-webapp rule sets to provide coverage for emerging threats
from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-06-03 Research via Snort-sigs (Jun 03)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the app-detect,
file-pdf, malware-cnc, malware-other, malware-tools, server-mail and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-05-29 Research via Snort-sigs (May 29)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-05-27 Research via Snort-sigs (May 27)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-office,
file-other, protocol-other and server-webapp rule sets to provide
coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Request for Documentation on Snort's Capabilities in Detecting/Preventing Covert Malware Communications Jerwill via Snort-sigs (May 16)
Dear Snort Users,

I am writing as a subscriber and user of Snort to respectfully request assistance in obtaining at least one official
documentation or reference material that details how Snort is capable of detecting and/or preventing covert malware
communications across various channels.

Our organization is currently undergoing a compliance audit, and this documentation is critical in demonstrating our
capabilities in network-based threat...

Snort Subscriber Rules Update 2025-05-15 Research via Snort-sigs (May 15)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-other,
malware-cnc, malware-other, policy-other, protocol-other and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-05-13 Research via Snort-sigs (May 13)
Talos Snort Subscriber Rules Update

Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2025-24063:
A coding deficiency exists in Microsoft Kernel Streaming Service Driver
that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with:
Snort 2: GID 1, SID 1:64848, 1:64849,
Snort...

Snort Subscriber Rules Update 2025-05-08 Research via Snort-sigs (May 08)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the os-other,
os-windows, policy-other and server-webapp rule sets to provide
coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-05-06 Research via Snort-sigs (May 06)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the os-other,
policy-other and server-webapp rule sets to provide coverage for
emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-05-01 Research via Snort-sigs (May 01)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the os-windows and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

IPFirewall and paid Subscripion Rules KMPollock via Snort-sigs (Apr 30)
I have Personal Subscription - Paid

I have a current Registration OinkCode (from before the Subscription)

if I supply the Registered Oinkcode inside IPFire’s Talos Registered field, will IPFire still pull only the delayed
Registered rules,

not the fresher Subscription rules?

Currently I have manually installed the Personal Subscription Rules, 

  KMPollock

| KMPollock () pm me  | 📞 +1 (605) 981-3791  ——  +1 (404) 410-1733 ...