SecLists.Org Security Mailing List Archive

Any hacker will tell you that the latest news and exploits are not found on any web site—not even Insecure.Org. No, the cutting edge in security research is and will continue to be the full disclosure mailing lists such as Bugtraq. Here we provide web archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all using the Site Search box above.

Insecure.Org Lists

nmap-dev logo

Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe to nmap-dev here.

Re: .NET Wrapper for Npcap Verde Denim (Jun 11)
Stop

.NET Wrapper for Npcap Altaffer, Steven via dev (Jun 11)
Not sure if this is off topic, Npcap took me to this mail list.

We developed a Visual C# app using Winpcap and PcapDotNet v1.0.4 wrapper to allow integrating into the C# project. I
have performed several searches for the equivalent wrapper or C++/CLI project for Npcap with no luck. If someone knows
of one out there, I would appreciate a link.

Thanks

Steve Altaffer - Donatech Corp

Issue with ssh2-enum-algos? Frank Bergmann (Jun 08)
Hi,

while playing around with the ssh protocol I noticed that ssh2-enum-algos
lists different algorithms for kex_algorithms, encryption_algorithms and
mac_algorithms than what I get from the same ssh server.

I also made a test with ssh itself for encryption_algorithms and it did show
up exactly the same list like I get with my own tool.
ssh2-enum-algos shows also aes256-cbc which doesn't appear in my tool and in
ssh client:

$...

Windows 10/11: Ncat: A message sent on a datagram socket was larger than the internal message buffer ... Ken Kayser (Feb 20)
*Describe the bug*
When listening to a port with ncat, as soon as a UDP packet is received, I
receive a constant stream of errors with the following text: "Ncat: A
message sent on a datagram socket was larger than the internal message
buffer or some other network limit, or the buffer used to receive a
datagram into was smaller than the datagram itself. ."

*To Reproduce*

1. In either a Windows command line or Powershell I enter...

Reverse DNS (issue #3007) Matteo Nicoli (Feb 13)
Hi all,

I noticed a cool feature proposal on GitHub (issue 3007 <https://github.com/nmap/nmap/issues/3007>). It basically
suggests a new feature for returning the (complete) list of DNS records obtained — through reverse DNS lookups — from
an IP address. If it matches with the map product roadmap, I’d like to start implementing it. Is there some maintainer
who could give me a brief feedback about it?

Cheers,
Matteo

Re: Mail stoppage Gordon Fyodor Lyon (Feb 12)
Yes, this was my fault. Mail to the Nmap dev list from non-subscribers
goes through moderation to keep out the spam. I regularly go through the
moderation queue to find and approve the "real" messages, but I was a bit
slow this time. We strongly recommend that folks posting to the list first
subscribe to it. This avoids the moderation delay and prevents them from
missing any responses which might only be sent to the list.

Cheers,...

Mail stoppage Dave Close (Feb 12)
Several messages received today seem to have been stuck on nmap.org for
up to a month. Example (edited for clarity):

Version: 7.94+SVN TypeError: Couldn't find foreign struct converter for 'cairo.Context' Hendrick Halim (Feb 12)
Version: 7.94+SVN
TypeError: Couldn't find foreign struct converter for 'cairo.Context'

topology tab crash Genny and Doug Kent (Feb 12)
zenmap crashes when topology tab clicked.

Output message below

Version: 7.94+SVN
TypeError: Couldn't find foreign struct converter for 'cairo.Context'

Doug Kent

PR #2954, Fix out of bounds reads in packet parsing Domen Puncer Kugler via dev (Feb 12)
Hi,

I've submitted a pull request a few months ago:
https://github.com/nmap/nmap/pull/2954

The PR includes following three commits:
- Fix out of bounds read in HopByHopHeader::validate
- Fix out of bounds read in PacketParser::split
- Add AFL test code for PacketParser

This was found as a part of a short Hackathon at NCC Group.
As far as I can tell, there is no security impact, but it would still be nice
to see this fixed.

Kind regards

High-Priority HTML Parsing script astrotoki via dev (Feb 12)
Hello,

I noticed that under the high priority script ideas was the need for a library that parses HTML info from sites. I
wrote a script that uses a web crawler and extracts html info from attached pages and accompanying urls within the html
body. Let me know if this is what yall were after?

Thanks!
Ryan LaPierre <Astro>_______________________________________________
Sent through the dev mailing list...

URL Pathfinder astrotoki via dev (Feb 12)
Hello all!

I just wrote up another script, trying to practice and maybe have some added to the master list for nmap. This script
enumerates possible hidden path extensions on urls. As always, Id love input on it, changes or updates.

Thanks all!
Ryan LaPierre <Astro>_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/

Null Byte Poisoning NSE astrotoki via dev (Feb 12)
Here is my submission of a script I wrote that should test a site for null byte poisoning vulnerabilities._______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/

Re: First Go astrotoki via dev (Feb 12)
Here is an updated version with more XSS patterns integrated into it. As well as some clean up!

I also created a separate .lua with just the http crawler function.

Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/

First Go astrotoki via dev (Feb 12)
Hello!,

I just started learning Lua for writing NSEs and had a go at a HTTP crawler that identifies XSS vulnerabilities on
sites. I used Juice-Shop OWASP to confirm it works. (Thats why the source code uses port 3000 in addition to 80) Id
love feedback! Doing my best to learn as much as I can. I attached the http_xss_crawler.nse below!

PS. I had used ChatGPTo1 and Github CoPilot to aid in debugging and syntax issues. The overall code is my...

nmap-announce logo

Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe to stay informed.

Npcap Version 1.82 Released with VLAN Tagging and More Gordon Fyodor Lyon (Apr 28)
Dear Nmap Community,

In preparation for an imminent Nmap release (hopefully this week!), we have
released Version 1.82 of our Npcap Windows packet capture and transmission
driver. It builds upon the recent 1.81 release to add support for VLAN
tagging. This allows you to select for packets directed to a certain VLAN
or just inspect the VLAN headers on any packets received. It's especially
useful for Wireshark users. You can also now send...

Nmap 7.95 released: OS and service detection signatures galore! Gordon Fyodor Lyon (May 05)
Dear Nmap Community,

I just arrived in San Francisco for the RSA conference and am delighted to
announce our Nmap Version 7.95 release! I'm most excited that we finally
tackled our backlog of OS and service detection fingerprint submissions.
We're not talking about dozens or hundreds of them-we processed more than
6,500 fingerprints!

For OS detection, we added 336 signatures, bringing the new total to 6,036.
Additions include iOS 15...

fulldisclosure logo

Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

iOS Activation Flaw Enables Pre-User Device Compromise and Identity Exposure (iOS 18.5) josephgoyd via Fulldisclosure (Jun 30)
Title: iOS Activation Flaw Enables Pre-User Device Compromise

Reported to Apple: May 19, 2025
Reported to US-CERT: May 19, 2025
US-CERT Case #: VU#346053
Vendor Status: Silent
Public Disclosure: June 26, 2025

------------------------------------------------------------------------
Summary
------------------------------------------------------------------------

A critical vulnerability exists in Apple’s iOS activation pipeline that
allows...

Remote DoS in httpx 1.7.0 – Out-of-Bounds Read via Malformed <title> Tag Brian Carpenter via Fulldisclosure (Jun 25)
Hey list,

You can remotely crash httpx v1.7.0 (by ProjectDiscovery) by serving a malformed <title> tag on your website. The bug
is a classic out-of-bounds read in trimTitleTags() due to a missing bounds check when slicing the title string. It
panics with:

panic: runtime error: slice bounds out of range [9:6]

Affects anyone using httpx in their automated scanning pipeline. One malformed HTML response = scanner down. Unit
testing or...

CVE-2025-32978 - Quest KACE SMA Unauthenticated License Replacement Seralys Research Team via Fulldisclosure (Jun 23)
Seralys Security Advisory | https://www.seralys.com/research

======================================================================
Title: Unauthenticated License Replacement
Product: Quest KACE Systems Management Appliance (SMA)
Affected: Confirmed on 14.1 (older versions likely affected)
Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5),
14.1.101(Patch 4)
Vendor: Quest Software
Discovered: April...

CVE-2025-32977 - Quest KACE Unauthenticated Backup Upload Seralys Research Team via Fulldisclosure (Jun 23)
Seralys Security Advisory | https://www.seralys.com/research

======================================================================
Title: Unauthenticated Backup Upload
Product: Quest KACE Systems Management Appliance (SMA)
Affected: Confirmed on 14.1 (older versions likely affected)
Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5),
14.1.101(Patch 4)
Vendor: Quest Software
Discovered: April 2025...

CVE-2025-32976 - Quest KACE SMA 2FA Bypass Seralys Research Team via Fulldisclosure (Jun 23)
Seralys Security Advisory | https://www.seralys.com/research

======================================================================
Title: 2FA Bypass
Product: Quest KACE Systems Management Appliance (SMA)
Affected: Confirmed on 14.1 (older versions likely affected)
Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5),
14.1.101(Patch 4)
Vendor: Quest Software
Discovered: April 2025
Severity: HIGH...

CVE-2025-32975 - Quest KACE SMA Authentication Bypass Seralys Research Team via Fulldisclosure (Jun 23)
Seralys Security Advisory | https://www.seralys.com/research

======================================================================
Title: Authentication Bypass
Product: Quest KACE Systems Management Appliance (SMA)
Affected: Confirmed on 14.1 (older versions likely affected)
Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5),
14.1.101(Patch 4)
Vendor: Quest Software
Discovered: April 2025
Severity:...

RansomLord (NG v1.0) anti-ransomware exploit tool malvuln (Jun 23)
First official NG versioned release with significant updates, fixes
and new features
https://github.com/malvuln/RansomLord/releases/tag/v1.0

RansomLord (NG) v1.0 Anti-Ransomware exploit tool.
Proof-of-concept tool that automates the creation of PE files, used to
exploit ransomware pre-encryption.

Lang: C
SHA256: ACB0C4EEAB421761B6C6E70B0FA1D20CE08247525641A7CD03B33A6EE3D35D8A

Deweaponize feature PoC video:...

Disclosure Yealink Cloud vulnerabilities Jeroen Hermans via Fulldisclosure (Jun 23)
Dear all,

---Abstract---
Yealink RPS contains several vulnerabilities that can lead to leaking of
PII and/or MITM attacks.
Some vulnerabilities are unpatched even after disclosure to the
manufacturer.
---/Abstract---

We are Stefan Gloor and Jeroen Hermans. We are independent computer
security researchers working on a disclosure process for critical
vulnerabilities we found in Yealink telecommunication devices and
infrastructure.
In the...

: "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885) josephgoyd via Fulldisclosure (Jun 17)
"Glass Cage" – Sophisticated Zero-Click iMessage Exploit ChainEnabling Persistent iOS Compromise and Device Bricking

CVE-2025-24085, CVE-2025-24201(CNVD-2025-07885)

Author: Joseph Goydish II
Date: 06/10/2025
Release Type: Full Disclosure
Platform Affected: iOS 18.2 (confirmed zero-day at time of discovery)
Delivery Vector: iMessage (default configuration)
Impact: Remote Code Execution, Privilege Escalation, Keychain Exfiltration,...

SEC Consult SA-20250612-0 :: Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer) SEC Consult Vulnerability Lab via Fulldisclosure (Jun 17)
SEC Consult Vulnerability Lab Security Advisory < 20250612-0 >
=======================================================================
title: Reflected Cross-Site Scripting
product: ONLYOFFICE Docs (DocumentServer)
vulnerable version: <=8.3.1
fixed version: 8.3.2 or higher
CVE number: CVE-2025-5301
impact: Medium
homepage: https://www.onlyoffice.com/...

SEC Consult SA-20250611-0 :: Undocumented Root Shell Access on SIMCom SIM7600G Modem SEC Consult Vulnerability Lab via Fulldisclosure (Jun 17)
SEC Consult Vulnerability Lab Security Advisory < 20250611-0 >
=======================================================================
title: Undocumented Root Shell Access
product: SIMCom - SIM7600G Modem
vulnerable version: Firmware Revision: LE20B03SIM7600M21-A
fixed version: -
CVE number: CVE-2025-26412
impact: Medium
homepage: https://www.simcom.com...

Call for Applications: ERCIM STM WG 2025 Award for the Best Ph.D. Thesis on Security and Trust Management (July 31, 2025) 0610648533 (Jun 17)
========================================================================

CALL FOR APPLICATIONS

ERCIM STM WG 2025 Award for the

Best Ph.D. Thesis on Security and Trust Management

========================================================================

The European Research Consortium in Informatics and Mathematics (ERCIM)
has a technical WG on Security and Trust Management (STM) for performing
a series of activities, as research projects,...

SEC Consult SA-20250604-0 :: Local Privilege Escalation and Default Credentials in INDAMED - MEDICAL OFFICE (Medical practice management) Demo version SEC Consult Vulnerability Lab via Fulldisclosure (Jun 09)
SEC Consult Vulnerability Lab Security Advisory < 20250604-0 >
=======================================================================
title: Local Privilege Escalation and Default Credentials
product: INDAMED - MEDICAL OFFICE (Medical practice management)
Demo version
vulnerable version: Revision 18544 (II/2024)
fixed version: Q2/2025 (Privilege Escalation, Default Password)...

Full Disclosure: CVE-2025-31200 & CVE-2025-31201 – 0-Click iMessage Chain → Secure Enclave Key Theft, Wormable RCE, Crypto Theft josephgoyd via Fulldisclosure (Jun 09)
Hello Full Disclosure,

This is a strategic public disclosure of a zero-click iMessage exploit chain that was discovered live on iOS 18.2 and
remained unpatched through iOS 18.4. It enabled Secure Enclave key theft, wormable remote code execution, and
undetectable crypto wallet exfiltration. Despite responsible disclosure, the research was suppressed by the vendor.
Apple issued a silent fix in iOS 18.4.1 (April 2025) without public...

Defense in depth -- the Microsoft way (part 89): user group policies don't deserve tamper protection Stefan Kanthak (Jun 03)
Hi @ll,

user group policies are stored in DACL-protected registry keys
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
respectively [HKEY_CURRENT_USER\Software\Policies] and below, where
only the SYSTEM account and members of the "Administrators" user group
are granted write access.

At logon the user's registry hive "%USERPROFILE%\ntuser.dat" is loaded
with exclusive (read, write and...

Other Excellent Security Lists

bugtraq logo

Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

basics logo

Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.

pen-test logo

Penetration Testing — While this list is intended for "professionals", participants frequenly disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.

isn logo

Info Security News — Carries news items (generally from mainstream sources) that relate to security.

firewall-wizards logo

Firewall Wizards — Tips and tricks for firewall administrators

focus-ids logo

IDS Focus — Technical discussion about Intrusion Detection Systems. You can also read the archives of a previous IDS list

webappsec logo

Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.

dailydave logo

Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

On becoming a carpenter Dave Aitel via Dailydave (Jun 12)
[image: image.png]

Every so often I poke my head out, gopher-like, from the tunnels where I am
furiously vibe-coding, or as it's going to be known a couple years from
now, coding. I think it's probably true that coding used to be a high
octane sport for concentration freaks as deep in the zone as a sperm whale
hunting giant squid by listening to the faint echoes of pings off squishy
bodies leagues away. But coding is now a juggling...

Re: Typey typey Jordan Wiens via Dailydave (May 30)
Worth pointing out that the RE//verse videos are also online though I don't
think we advertised it super well:

https://www.youtube.com/watch?v=yzcNJn_EOwg&list=PLBKkldXXZQhAW5QKjUQOUWaMAHAxDtgio

Typey typey Dave Aitel via Dailydave (May 27)
https://www.linkedin.com/mwlite/feed/posts/daveaitel_for-the-offensive-information-professionals-activity-7331470514927865856-
<https://www.linkedin.com/mwlite/feed/posts/daveaitel_for-the-offensive-information-professionals-activity-7331470514927865856-yRnO>
yRnO

So I wanted to point this contracting gig out because I think it's a good
opportunity for someone who can do quick vulnerability triage and either
replicate or disprove that...

Announcing the Parity Release of Volatility 3 and the Deprecation of Volatility 2 Andrew Case via Dailydave (May 27)
The Volatility Team is very excited to announce the official Parity
Release of Volatility 3!

This release is not only capable of fully replacing all of Volatility
2’s features, but it also incorporates support for all the latest
operating system versions plus all the latest memory forensics
research.

With this release, Volatility 2 is now deprecated, and its GitHub
project has been archived.

Our announcement blog post details the new...

Re: Typey typey Dave Aitel via Dailydave (May 27)
https://www.linkedin.com/jobs/view/4233405535/

I am bad at links it seems ? Anyways, clicky clicky assuming you are the
type of person who uses Binja for fun and maybe a little bit of profit.

Also here is the OffensiveCon25 Youtube List - it's amazing to me they
managed to get these out so soon.
https://youtu.be/kF31SYIVob8?si=QWPps_--UsILr0mR

-dave

OpenAI Security Research Dave Aitel via Dailydave (Mar 28)
So a few things:
1. https://openai.com/index/security-on-the-path-to-agi/ I feel like this
blog is worth reading. :)
2. We're throwing a post-RSAC conference in SanFran to talk about AI and
Security (in particular, securing cybery things with AI) and if I'm very
lucky I'll even get to do a quick demo of the software I've been working
on, not that it will surprise anyone on this list! We have a few tickets
left I think and if...

Re: Cyber Reasoning Systems A K via Dailydave (Mar 28)
Have you already reviewed https://github.com/open-crs ?

Cyber Reasoning Systems Dave Aitel via Dailydave (Mar 04)
I continue to believe there are a lot of interesting questions around
building cyber reasoning systems for vuln finding. Even the very basics
seem hard to study and understand, and the eval datasets available
are....sparse or incomplete. For example, what you really want if you're
analyzing git repos is the commit a bug was introduced, and the commit it
was fixed. But usually you get "a commit where it maybe existed".

Likewise,...

on your child going to college in Christchurch, NZ and velvet worms Dave Aitel via Dailydave (Feb 11)
*on your child going to college in Christchurch, NZ and velvet worms*

By mid‑August the garden already practices absence — stems turning hollow,
the robin leaving its notes hanging in the air like torn corners of a song.
Under the chirp of palmetto bugs, a log eases itself back into earth.
Inside, hidden from the light, a velvet worm does the impossible: offers
herself to a spill of pale, blind threads. For days she is nothing but
hunger...

Re: (the root of the root and the bud of the bud) Sean Heelan via Dailydave (Jan 13)
As it happens, I’ve found the most effective way to use LLMs is to de-anthropomorphise them entirely and treat them
very like fuzzers (large scale generation of results, lots of false positives/nonsense, filtered by some oracle).

The “conversation with an AI” approach where you imagine yourself as having a single artificial brain to interact with
is (currently at least) practically far less useful than one in which you are content with...

Anthropological "Hacker" Map A K via Dailydave (Jan 13)
Hi all,

In the latest "Security Weekly" (https://www.youtube.com/watch?v=CXefYdEGW04
)
they present the Anthropological "Hacker" Map
https://wherewarlocksstayuplate.com/map/

While the map is incomplete (how can it ever be complete?), I think it is
one of the few times, outside of David Aitel's writings about the cross-cut
between the "underground" (for a lack of a better term) and subsequent
commercial...

Re: (the root of the root and the bud of the bud) Don A. Bailey via Dailydave (Jan 12)
I designed one of the first working fuzzers (albeit unintentionally) back
in the late 90's. I don't remember if I published it, but I still have the
code. It, however, worked - badly - but it worked. I was heavily flamed,
however, because as you stated - it was not hip. It only attacked
environment variable and command-line argument based vulnerabilities. But,
in the 90's and early 00's, we had no shortage of local suid-based...

Re: (the root of the root and the bud of the bud) Thomas Dullien via Dailydave (Jan 12)
Hey,

I have one quibble: We are using "reasoning" in a qualitative, not
descriptive, form here -- "fuzzing is or is not reasoning", "LLMs reason or
do not reason". I am not sure this is helpful. Fuzzing is empirically
successful at finding crashes. Somebody that needs to light a fire and
smashes two stones together until they throw sparks does not, once the fire
burns, need to justify that 'stones perform...

Re: (the root of the root and the bud of the bud) Darren Bounds via Dailydave (Jan 12)
Everything old is new and the way we reason is the same way LLMs reason. It's
not about looking for the same problem the same way it's about going to
searching for that flaw the same way with unlimited (nearly) resources.

Traditional human-led vulnerability research and discovery is, today, a short
lived venture.

Things will change very rapidly over the coming 24 months.

Memories and thoughts are the same thing, someone tried to...

(the root of the root and the bud of the bud) Dave Aitel via Dailydave (Jan 11)
Memories and thoughts are the same thing, someone tried to explain to me
recently. You have to think to remember, in other words. This is hard to
grasp for a lot of people because they *think *they have *memories*. They
wrongly think memory is a noun instead of a verb, which is ok in philosophy
and psychology but in cutting edge computer science we have to be precise
about these sorts of things.

Twenty-five years ago, when I first started...

pauldotcom logo

PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.

honeypots logo

Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.

microsoft logo

Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.

funsec logo

Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community

cert logo

CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.

Apple Releases Security Updates for Multiple Products CISA (Mar 28)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated and is now available.

Apple Releases Security Updates for Multiple Products [
https://www.cisa.gov/news-events/alerts/2023/03/28/apple-releases-security-updates-multiple-products ] 03/28/2023 01:00
PM EDT

Apple...

CISA Releases Six Industrial Control Systems Advisories CISA (Mar 23)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.

CISA Releases Six Industrial Control Systems Advisories [
https://www.cisa.gov/news-events/alerts/2023/03/23/cisa-releases-six-industrial-control-systems-advisories ] 03/23/2023
08:00 AM EDT...

CISA Releases Eight Industrial Control Systems Advisories CISA (Mar 21)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.

CISA Releases Eight Industrial Control Systems Advisories [
https://www.cisa.gov/news-events/alerts/2023/03/21/cisa-releases-eight-industrial-control-systems-advisories ]
03/21/2023 08:00 AM...

CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management CISA (Mar 21)
Cybersecurity and Infrastructure Security Agency (CISA) - Defend Today, Secure Tomorrow

You are subscribed to Cybersecurity Advisories for Cybersecurity and Infrastructure Security Agency. This information
has recently been updated, and is now available.

CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management [...

oss-sec logo

Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community

CVE-2025-53367: An exploitable OOB write in DjVuLibre Kevin Backhouse (Jul 03)
DjVuLibre version 3.5.29 was released today. It fixes CVE-2025-53367
(GHSL-2025-055), an out-of-bounds write in the MMRDecoder::scanruns
method. The vulnerability could be exploited to gain code execution on
a Linux Desktop system when the user tries to open a crafted document.

DjVu is a document file format that can be used for similar purposes
to PDF. It is supported by evince and papers, the default document
viewers on many Linux...

DoS segfault (NULL pointer deref) in SOPE / SOGo Stefan Bühler (Jul 02)
Hello,

I found a DoS bug in SOPE, the set of Objective-C frameworks powering
SOGo [1].

It is way too easy to trigger with curl:

curl -d 'x=' 'https://.../SOGo/?x=&apos;

As far as I can tell all versions since SOGo-2.0.2 (2012-10-29) are
affected.

# Details

I found it inspecting multiple SOGo crashes triggered by someone
hitting URLs like `/OA_HTML/BneViewerXMLService?bne:uueupload=TRUE`
with `POST` that my search engine...

CVE-2025-38089: Linux kernel: NFS server remote DoS via NULL pointer dereference tianshuo han (Jul 02)
Hello,

A security vulnerability in the Linux kernel SUNRPC subsystem has been
assigned CVE-2025-38089. This issue allows a remote attacker to
trigger a kernel crash (NULL pointer dereference) by sending a
specially crafted RPC request to an affected NFS server.

Details:
- CVE: CVE-2025-38089
- Subsystem: NFS/SUNRPC
- Impact: Remote Denial of Service (kernel crash)
- Affected versions: Mainline Linux kernel since commit...

CVE-2025-46647: Apache APISIX: improper validation of issuer from introspection discovery url in plugin openid-connect Junxu Chen (Jul 02)
Severity: important

Affected versions:

- Apache APISIX before 3.12.0

Description:

A vulnerability of plugin openid-connect in Apache APISIX.

This vulnerability will only have an impact if all of the following conditions are met:
1. Use the openid-connect plugin with introspection mode
2. The auth service connected to openid-connect provides services to multiple issuers
3. Multiple issuers share the same private key and relies only on the...

CVE-2024-35164: Apache Guacamole: Improper input validation of console codes Michael Jumper (Jul 01)
Severity: moderate
Base CVSS Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

Affected versions:

- Apache Guacamole 0.8.0 through 1.5.5

Description:

The terminal emulator of Apache Guacamole 1.5.5 and older does not
properly validate console codes received from servers via text-based
protocols like SSH. If a malicious user has access to a text-based
connection, a specially-crafted sequence of console codes could allow
arbitrary...

Xen Security Advisory 470 v2 (CVE-2025-27465) - x86: Incorrect stubs exception handling for flags recovery Xen . org security team (Jul 01)
Xen Security Advisory CVE-2025-27465 / XSA-470
version 2

x86: Incorrect stubs exception handling for flags recovery

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

Certain instructions need intercepting and emulating by Xen. In some
cases Xen emulates the instruction by replaying it, using an executable
stub. Some instructions may raise an...

CVE-2025-32463: sudo local privilege escalation via chroot option Todd C. Miller (Jun 30)
An attacker can leverage sudo's -R (--chroot) option to run
arbitrary commands as root, even if they are not listed in the
sudoers file.

Sudo versions affected:

Sudo versions 1.9.14 to 1.9.17 inclusive are affected.

CVE ID:

This vulnerability has been assigned CVE-2025-32463 in the
Common Vulnerabilities and Exposures database.

Details:

Sudo's -R (--chroot) option is intended to allow the user to
run a command...

CVE-2025-32462: sudo local privilege escalation via host option Todd C. Miller (Jun 30)
Sudo's host (-h or --host) option is intended to be used in
conjunction with the list option (-l or --list) to list a user's
sudo privileges on a host other than the current one. However, due
to a bug it was not restricted to listing privileges and could be
used when running a command via `sudo` or editing a file with
sudoedit. Depending on the rules present in the sudoers file
this could allow a local privilege escalation attack....

CVE-2024-39954: Apache EventMesh Runtime: SSRF Xue Weiming (Jun 29)
Severity: low

Affected versions:

- Apache EventMesh Runtime (org.apache.eventmesh:eventmesh-runtime) 1.6.0 through 1.11.0

Description:

CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g.
allows the attacker can abuse functionality on the server to read or update internal resources.
Users are recommended to upgrade to version 1.12.0 or use the master branch , which fixes...

CVE-2025-32897: Apache Seata (incubating): Deserialization of untrusted Data in Apache Seata Server Min Ji (Jun 28)
Severity: low

Affected versions:

- Apache Seata (incubating) 2.0.0 before 2.3.0

Description:

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).

This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552
definition is too narrow.
This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0.

Users are recommended to upgrade to version 2.3.0, which...

libssh 0.11.2 security and bugfix release Alan Coopersmith (Jun 27)
https://www.libssh.org/2025/06/24/libssh-0-11-2-security-and-bugfix-release/
announces:

https://www.libssh.org/security/advisories/CVE-2025-4877.txt says:

https://www.libssh.org/security/advisories/CVE-2025-4878.txt declares:

https://www.libssh.org/security/advisories/CVE-2025-5318.txt discloses:

https://www.libssh.org/security/advisories/CVE-2025-5351.txt divulges:

https://www.libssh.org/security/advisories/CVE-2025-5372.txt states:...

Re: CVE-2025-52555 Ceph: CephFS Permission Escalation Vulnerability in Ceph Fuse mounted FS Jacob Bachmeyer (Jun 26)
From that patch:

    bool allowed = false;
[...]
    if ((in->mode & (S_ISUID | S_ISGID)) != (stx->stx_mode & (S_ISUID |
S_ISGID)) &&
        (in->mode & ~(S_ISUID | S_ISGID)) == (stx->stx_mode & ~(S_ISUID
| S_ISGID))) {
      allowed = true;
    }
[...]
    if (perms.uid() != 0 && perms.uid() != in->uid && !allowed)
      goto out;

Am I misreading the...

CVE-2025-52555 Ceph: CephFS Permission Escalation Vulnerability in Ceph Fuse mounted FS Sage [They / Them] McTaggart (Jun 26)
Hello all,
A flaw was found in CephFS. An unprivileged user can escalate to root
privileges in a ceph-fuse mounted CephFS by chmod 777 a directory owned by
root to gain access.

The result of this is that a user could read, write and execute to any
directory owned by root as long as they chmod 777 it. This impacts
confidentiality, integrity, and availability.

Our public advisory may be found at the following URL...

Re: sox_ng fixes 20 CVEs in sox Martin Guy (Jun 25)
Yes, it should be ../src/soxconfig.h and there *should* be a symlink

in libdolbyb configure.h->../src/soxconfig.h but it doesn't seem to be
working.

The other thing is that libopusfile detection is broken, so opus support
is not

included (opus support in sox seems to be cursed, has come and gone several

times and is even not included in the ancient Debian package (for yet
another reason!).

Thanks for the compiler warnings too;...

Re: xdg-open bypassing SameSite=Strict Lucas Holt (Jun 24)
I would think that all browsers should implement the safe behavior or
URL handler registrations and allow the user (or enterprise) to adjust
the policy within settings.  This would limit the issue for the vast
majority of users, but allow folks to turn on the old behavior until
applications can be fixed.  I suspect this could break some auth flows
that rely on handlers right now within many apps.  (game launchers,
enterprise tools, etc)...

securecoding logo

Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.

educause logo

Educause Security Discussion — Securing networks and computers in an academic environment.

Internet Issues and Infrastructure

nanog logo

NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.

Re: SPF/DKIM/DMARC et.al.: REALLY LONG [was: is it just me or...] Michael Thomas via NANOG (Jul 03)
The idea is to train people that something might be wrong. Not that
something is right. He's wrong if he thinks that is what the intent was.
That would be bad read of history.

Mike

Re: SPF/DKIM/DMARC et.al.: REALLY LONG [was: is it just me or...] Alex Buie via NANOG (Jul 03)
I agree with you they are not a substitute and that is foolish. There are
many who come to say they have the one and final true solution to spam and
email auth though. My argument is anything purporting to do so is
attempting to critically think for the user.

While the incremental improvement to auth is good, one could argue the user
experience implementing is not, as I think Rich is saying, and I agree. We
are training people to only check for...

Re: SPF/DKIM/DMARC et.al.: REALLY LONG [was: is it just me or...] Michael Thomas via NANOG (Jul 03)
Good thing nobody thought that it's a substitute. Making incremental
improvements don't have to be viewed as, uh, cure-alls. That would be,
uh, foolish.

Mike

Re: SPF/DKIM/DMARC et.al.: REALLY LONG [was: is it just me or...] Alex Buie via NANOG (Jul 03)
I'm not saying to get rid of any of these things. I'm just saying expecting
them to replace user training in critical thinking is foolish, and overall,
the point Rich made makes sense. If you tell people "as long as you check
these things you can trust it" they are way more likely to believe
something unbelievable if it has all those "you can trust me" flags.

Re: SPF/DKIM/DMARC et.al.: REALLY LONG [was: is it just me or...] Michael Thomas via NANOG (Jul 03)
So by all means, let's get rid of TLS as well. ::eyeroll::

Mike

Re: SPF/DKIM/DMARC et.al.: REALLY LONG [was: is it just me or...] Alex Buie via NANOG (Jul 03)
"the more you try to outsource critical thinking to a machine that cannot
critically think, the more and more you will get duped by scammers"

SPF/DKIM/DMARC are all automated ways to try and outsource truthiness
checks to machines. they make people feel comfortable with their result. so
much so they stop actually using their brains to protect themselves.

Re: SPF/DKIM/DMARC et.al.: REALLY LONG [was: is it just me or...] Tom Beecher via NANOG (Jul 03)
Sir, this is a Wendy's.

Take Advantage of Early Bird Pricing! N94 Pics Have Been Published! + More! Nanog News via NANOG (Jul 03)
*** Take Advantage of Early Bird Pricing!*
------------------------------------------------------------
*Early Bird Pricing will End Monday, July 14*

****Please Note Important Room Block Information: *Access to the room block
is restricted to registered attendees only. More info here. (
https://nanog.org/events/nanog-95/venue/)

REGISTER NOW (https://nanog.org/events/nanog-95/register/)

*** N94 Pics Are Ready!*...

Re: Captchas on Cloudflare-Proxied Sites Constantine A. Murenin via NANOG (Jul 03)
Sometimes it takes an outsider to see the inefficiency in the process.

The bottom line is that there's absolutely no justification for having
captchas everywhere, and especially on ecommerce and other cacheable
things.

And as the quote goes:

'It is difficult to get a man to understand something, when his salary
depends on his not understanding it.'

That absolutely does make sense, but then why are you complaining
about the bots...

Small DC\Colo Mike Hammett via NANOG (Jul 03)
I've been asked to market a small DC\colo. What are some low-effort ways of accomplishing this? Is there a Connectbase
for colo?

-----
Mike Hammett
Intelligent Computing Solutions

Midwest Internet Exchange

The Brothers WISP

Re: address fragmentation Brandon Butterworth via NANOG (Jul 03)
I don't see a difference, if I assign a customer a block of
any size it is going to be very hard to have them renumber,
probably equally hard if they lease it as the problems
for them are exactly the same.

A leaser probably has it easier as there would be a specific term
to the lease which they can let lapse if they won't agree to
a change. The lease would contain any terms necessary for in
term changes, if it doesn't then the...

Re: address fragmentation Lu Heng via NANOG (Jul 03)
Hi Brandon:

The difference is control.

If you lease to a different network, or give an IP to a server you rented
to a customer, yes, in both cases you will have customer consensus to
renumber them, but since leasing at minimum /24, but most hosting customer
are in single IP, the difficulty and challenge are quite different.

The discussion I like to see if there will be an best operation practice in
assigning those IPs to avoid fragmentation in...

Re: address fragmentation Brandon Butterworth via NANOG (Jul 03)
On 03/07/2025 08:49:07, "Lu Heng via NANOG" <nanog () lists nanog org>
wrote

How is that different from a regular provider assigning space
(a LIR in RIPE terms)? They just need to keep the RIR data current
for all their assignments, they are in no sense a mini RIR, that
is a different function.

As they are just renting out space that otherwise would have been
allocated to a LIR then they should operate as a LIR.

brandon

Re: Captchas on Cloudflare-Proxied Sites niels=nanog--- via NANOG (Jul 03)
* Constantine A. Murenin [Thu 03 Jul 2025, 00:46 CEST]:

Tell me you don't know how modern e-commerce works without saying
you don't know how modern e-commerce works.

Say you're a modern seller. You have widgets you're looking to sell.
You have a certain number on hand and will need to order more in time
to satisfy future demand.

The moment somebody places a widget in their shopping basket you make
a reservation in the...

address fragmentation Lu Heng via NANOG (Jul 03)
Dear NANOG community,

With the increasing prevalence of address‐space leasing—effectively
operating as “mini‐RIRs” for IP distribution—fragmentation of address
blocks has become a critical concern. How are network operators and
registry practitioners today tackling the challenge of fragmentation in IP
address allocation?

-

Are there any comprehensive research studies or white papers that survey
fragmentation mitigation...

interesting-people logo

Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating

risks logo

The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.

(no subject) RISKS List Owner (Jun 28)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.69

RISKS-LIST: Risks-Forum Digest Saturday 28 June 2025 Volume 34 : Issue 69

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org...

(no subject) RISKS List Owner (Jun 23)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.68

RISKS-LIST: Risks-Forum Digest Monday 23 June 2025 Volume 34 : Issue 68

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org...

Risks Digest 34.66 RISKS List Owner (May 29)
RISKS-LIST: Risks-Forum Digest Thursday 29 May 2025 Volume 34 : Issue 66

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.66>
The current issue can also be found at
<...

Risks Digest 34.65 RISKS List Owner (May 27)
RISKS-LIST: Risks-Forum Digest Tuesday 27 May 2025 Volume 34 : Issue 65

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.65>
The current issue can also be found at
<...

Risks Digest 34.63 RISKS List Owner (May 17)
RISKS-LIST: Risks-Forum Digest Saturday 17 May 2025 Volume 34 : Issue 63

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.63>
The current issue can also be found at
<...

Risks Digest 34.62 RISKS List Owner (May 11)
RISKS-LIST: Risks-Forum Digest Sunday 11 May 2025 Volume 34 : Issue 62

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.62>
The current issue can also be found at
<...

Risks Digest 34.61 RISKS List Owner (Apr 18)
RISKS-LIST: Risks-Forum Digest Friday 18 April 2025 Volume 34 : Issue 61

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.61>
The current issue can also be found at
<...

Risks Digest 34.60 RISKS List Owner (Apr 01)
RISKS-LIST: Risks-Forum Digest Tuesday 1 April 2025 Volume 34 : Issue 60

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.60>
The current issue can also be found at
<...

Risks Digest 34.58 RISKS List Owner (Mar 15)
RISKS-LIST: Risks-Forum Digest Saturday 15 Mar 2025 Volume 34 : Issue 58

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.58>
The current issue can also be found at
<...

Risks Digest 34.56 RISKS List Owner (Feb 16)
RISKS-LIST: Risks-Forum Digest Sunday 16 Feb 2025 Volume 34 : Issue 56

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.56>
The current issue can also be found at
<...

Risks Digest 34.54 RISKS List Owner (Feb 06)
RISKS-LIST: Risks-Forum Digest Thursday 6 Jan 2025 Volume 34 : Issue 54

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.54>
The current issue can also be found at
<...

Risks Digest 34.53 RISKS List Owner (Jan 26)
RISKS-LIST: Risks-Forum Digest Sunday 26 Jan 2025 Volume 34 : Issue 53

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.53>
The current issue can also be found at
<...

(no subject) RISKS List Owner (Jan 11)
Risks Digest 34.52

RISKS-LIST: Risks-Forum Digest Saturday 11 January 2025 Volume 34 : Issue 52

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.52>
The current issue can also be found at...

dataloss logo

BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.

Healthcare organizations face rising ransomware attacks – and are paying up Matthew Wheeler (Jun 03)
https://www.theregister.com/2022/06/03/healthcare-ransomware-pay-sophos/

Healthcare organizations, already an attractive target for ransomware given
the highly sensitive data they hold, saw such attacks almost double between
2020 and 2021, according to a survey released this week by Sophos.

The outfit's team also found that while polled healthcare orgs are quite
likely to pay ransoms, they rarely get all of their data returned if they
do...

A digital conflict between Russia and Ukraine rages on behind the scenes of war Matthew Wheeler (Jun 03)
https://wskg.org/npr_story_post/a-digital-conflict-between-russia-and-ukraine-rages-on-behind-the-scenes-of-war/

SEATTLE — On the sidelines of a conference in Estonia on Wednesday, a
senior U.S. intelligence official told British outlet Sky News that the
U.S. is running offensive cyber operations in support of Ukraine.

“My job is to provide a series of options to the secretary of defense and
the president, and so that’s what I do,” said...

Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network Matthew Wheeler (Jun 03)
https://thehackernews.com/2022/06/researchers-uncover-malware-controlling.html

The Parrot traffic direction system (TDS) that came to light earlier this
year has had a larger impact than previously thought, according to new
research.

Sucuri, which has been tracking the same campaign since February 2019 under
the name "NDSW/NDSX," said that "the malware was one of the top infections"
detected in 2021, accounting for more than...

FBI, CISA: Don't get caught in Karakurt's extortion web Matthew Wheeler (Jun 03)
https://www.theregister.com/2022/06/03/fbi_cisa_warn_karakurt_extortion/

The Feds have warned organizations about a lesser-known extortion gang
Karakurt, which demands ransoms as high as $13 million and, some
cybersecurity folks say, may be linked to the notorious Conti crew.

In a joint advisory [PDF] this week, the FBI, CISA and US Treasury
Department outlined technical details about how Karakurt operates, along
with actions to take,...

DOJ Seizes 3 Web Domains Used to Sell Stolen Data and DDoS Services Matthew Wheeler (Jun 02)
https://thehackernews.com/2022/06/doj-seizes-3-web-domains-used-to-sell.html

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of
three domains used by cybercriminals to trade stolen personal information
and facilitate distributed denial-of-service (DDoS) attacks for hire.

This includes weleakinfo[.]to, ipstress[.]in, and ovh-booter[.]com, the
former of which allowed its users to traffic hacked personal data and
offered a...

Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability Matthew Wheeler (Jun 02)
https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html

An advanced persistent threat (APT) actor aligned with Chinese state
interests has been observed weaponizing the new zero-day flaw in Microsoft
Office to achieve code execution on affected systems.

"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using
URLs to deliver ZIP archives which contain Word Documents that use the
technique,"...

US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command Matthew Wheeler (Jun 02)
https://www.three.fm/news/world-news/us-military-hackers-conducting-offensive-operations-in-support-of-ukraine-says-head-of-cyber-command/

US military hackers have conducted offensive operations in support of
Ukraine, the head of US Cyber Command has told Sky News.

In an exclusive interview, General Paul Nakasone also explained how "hunt
forward" operations were allowing the United States to search out foreign
hackers and identify...

SideWinder Hackers Launched Over a 1, 000 Cyber Attacks Over the Past 2 Years Matthew Wheeler (May 31)
https://thehackernews.com/2022/05/sidewinder-hackers-launched-over-1000.html

An "aggressive" advanced persistent threat (APT) group known as SideWinder
has been linked to over 1,000 new attacks since April 2020.

"Some of the main characteristics of this threat actor that make it stand
out among the others, are the sheer number, high frequency and persistence
of their attacks and the large collection of encrypted and obfuscated...

Hackers are Selling US University Credentials Online, FBI Says Matthew Wheeler (May 31)
https://tech.co/news/hackers-are-selling-us-university-credentials-online-fbi-says

The Federal Bureau of Investigation has warned US universities and colleges
that it has found banks of login credentials and other data relating to VPN
access circulating on cybercriminals forums.

The fear is that such data will be sold and subsequently used by malicious
actors to orchestrate attacks on other accounts owned by the same students,
in the hope...

Interpol Nabs 3 Nigerian Scammers Behind Malware-based Attacks Matthew Wheeler (May 31)
https://thehackernews.com/2022/05/interpol-nabs-3-nigerian-scammers.html

Interpol on Monday announced the arrest of three suspected global scammers
in Nigeria for using remote access trojans (RATs) such as Agent Tesla to
facilitate malware-enabled cyber fraud.

"The men are thought to have used the RAT to reroute financial
transactions, stealing confidential online connection details from
corporate organizations, including oil and gas...

U.S. Warns Against North Korean Hackers Posing as IT Freelancers Matthew Wheeler (May 18)
https://thehackernews.com/2022/05/us-warns-against-north-korean-hackers.html

Highly skilled software and mobile app developers from the Democratic
People's Republic of Korea (DPRK) are posing as "non-DPRK nationals" in
hopes of landing freelance employment in an attempt to enable the regime's
malicious cyber intrusions.

That's according to a joint advisory from the U.S. Department of State, the
Department of the...

FBI and NSA say: Stop doing these 10 things that let the hackers in Matthew Wheeler (May 18)
https://www.zdnet.com/article/fbi-and-nsa-say-stop-doing-these-10-things-that-let-the-hackers-in/

Cyber attackers regularly exploit unpatched software vulnerabilities, but
they "routinely" target security misconfigurations for initial access, so
the US Cybersecurity and Infrastructure Security Agency (CISA) and its
peers have created a to-do list for defenders in today's heightened threat
environment.

CISA, the FBI and National...

Fifth of Businesses Say Cyber-Attack Nearly Broke Them Matthew Wheeler (May 18)
https://www.infosecurity-magazine.com/news/fifth-of-businesses-cyber-attack/

A fifth of US and European businesses have warned that a serious
cyber-attack nearly rendered them insolvent, with most (87%) viewing
compromise as a bigger threat than an economic downturn, according to
Hiscox.

The insurer polled over 5000 businesses in the US, UK, Ireland, France,
Spain, Germany, the Netherlands and Belgium to compile its annual Hiscox
Cyber...

Hacker And Ransomware Designer Charged For Use And Sale Of Ransomware, And Profit Sharing Arrangements With Cybercriminals Matthew Wheeler (May 18)
https://www.shorenewsnetwork.com/2022/05/16/hacker-and-ransomware-designer-charged-for-use-and-sale-of-ransomware-and-profit-sharing-arrangements-with-cybercriminals/

A criminal complaint was unsealed today in federal court in Brooklyn, New
York, charging Moises Luis Zagala Gonzalez (Zagala), also known as
“Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” a citizen of France and
Venezuela who resides in Venezuela, with attempted...

State of Ransomware shows huge growth in threat and impacts Matthew Wheeler (May 04)
https://www.continuitycentral.com/index.php/news/technology/7275-state-of-ransomware-shows-huge-growth-in-threat-and-impacts

Sophos has released its annual survey and review of real-world ransomware
experiences in its ‘State of Ransomware 2022’ report. This shows that 66
percent of organizations surveyed were hit with ransomware in 2021, up from
37 percent in 2020.

The average ransom paid by organizations that had data encrypted in their...

Open Source Tool Development

metasploit logo

Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool

wireshark logo

Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.

snort logo

Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

Snort Subscriber Rules Update 2025-07-03 Research via Snort-sigs (Jul 03)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the malware-other and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-07-01 Research via Snort-sigs (Jul 01)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Talos Snort Rules change.log verification Upadhyay, Raman via Snort-sigs (Jun 26)
Hi All

I got the Talos advisories change.log for newly added and modified snort rules. But the newly added rules are not
showing in snortrules-snapshot-29200.tar.gz in the same category rule file which is mentioned in change.log. Kindly let
me know how I can verify the change.log's modification in snortrules-snapshot-29200.tar.gz file.

Regards
Raman

Snort Subscriber Rules Update 2025-06-26 Research via Snort-sigs (Jun 26)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the malware-cnc,
os-windows and server-webapp rule sets to provide coverage for emerging
threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-06-24 Research via Snort-sigs (Jun 24)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the
indicator-compromise, server-mail and server-webapp rule sets to
provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-06-18 Research via Snort-sigs (Jun 18)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the malware-cnc and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-06-17 Research via Snort-sigs (Jun 17)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-06-12 Research via Snort-sigs (Jun 12)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the browser-chrome,
deleted, file-office and server-webapp rule sets to provide coverage
for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-06-10 Research via Snort-sigs (Jun 10)
Talos Snort Subscriber Rules Update

Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2025-32713:
A coding deficiency exists in Microsoft Windows Common Log File System
Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with:
Snort 2: GID 1, SID 1:65038, 1:65039,...

Snort Subscriber Rules Update 2025-06-05 Research via Snort-sigs (Jun 05)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the os-linux, os-windows
and server-webapp rule sets to provide coverage for emerging threats
from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-06-03 Research via Snort-sigs (Jun 03)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the app-detect,
file-pdf, malware-cnc, malware-other, malware-tools, server-mail and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-05-29 Research via Snort-sigs (May 29)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2025-05-27 Research via Snort-sigs (May 27)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-office,
file-other, protocol-other and server-webapp rule sets to provide
coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Request for Documentation on Snort's Capabilities in Detecting/Preventing Covert Malware Communications Jerwill via Snort-sigs (May 16)
Dear Snort Users,

I am writing as a subscriber and user of Snort to respectfully request assistance in obtaining at least one official
documentation or reference material that details how Snort is capable of detecting and/or preventing covert malware
communications across various channels.

Our organization is currently undergoing a compliance audit, and this documentation is critical in demonstrating our
capabilities in network-based threat...

Snort Subscriber Rules Update 2025-05-15 Research via Snort-sigs (May 15)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-other,
malware-cnc, malware-other, policy-other, protocol-other and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

More Lists

We also maintain archives for these lists (some are currently inactive):

Related Resources

Read some old-school private security digests such as Zardoz at SecurityDigest.Org

We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.