Tag

Vulnerabilities

All articles tagged with #vulnerabilities

AI Could Turn Vulnerabilities into a Hacker Superweapon, Warn Experts
technology, 3 hours ago

AI’s rising ability to identify and chain software vulnerabilities could empower hackers, creating a potential ‘Vulnpocalypse’ scenario. Anthropic withheld Mythos Preview over risk of misuse, while governments and major firms weigh defenses as experts predict such capabilities could spread within six to twelve months, risking outages and attacks on finance, healthcare, and critical infrastructure—even as a Hollywood-style catastrophe remains unlikely.

Anthropic limits Mythos Preview to defense partners under Project Glasswing
technology, 2 days ago

Anthropic has limited Mythos Preview to select partners under Project Glasswing, granting access to more than 50 tech organizations with over $100 million in usage credits to identify and fix software vulnerabilities. The model reportedly detects thousands of high- to critical-severity bugs and can chain exploits to breach systems, prompting guarded optimism about defense benefits but raising safety concerns about a broader public release. Anthropic has briefed the U.S. government; the system card says Mythos Preview is not generally available. Many experts say results are preliminary and the potential for misuse remains a key worry.

security, 1 month ago

Microsoft March 2026 Patch Tuesday Fixes 77+ Flaws, Highlights AI-Driven Discovery

Microsoft released March 2026 Patch Tuesday with fixes for at least 77 vulnerabilities across Windows and related software; there are no new zero-days, but several high-severity flaws require attention, including CVE-2026-21262 (SQL Server privilege escalation), CVE-2026-26127 (.NET denial of service), and Office remote-code-execution flaws via the Preview Pane (CVE-2026-26113/26110). Additional privilege-escalation CVEs affect Windows components (CVE-2026-24291/24294/24289/25187). An AI-discovered CVE-2026-21536 in the Microsoft Devices Pricing Program is noted as an example of AI-driven vulnerability research. Microsoft also issued an out-of-band patch for Windows Server 2022 to fix a Windows Hello for Business certificate renewal issue; Adobe and Mozilla separately released updates for their products. For full details, see the SANS ISC Patch Tuesday post.

AI Shows its Strength and Limits: Claude Opus 4.6 Finds 22 Firefox Flaws
technology, 1 month ago

Anthropic’s Claude Opus 4.6 identified 22 Firefox vulnerabilities (14 high, 7 moderate, 1 low) during a two-week security review with Mozilla, with most fixes shipped in Firefox 148. The AI scanned about 6,000 C++ files, produced 112 reports, and in testing could automatically develop crude exploits for two issues (including CVE-2026-2796, a JIT miscompilation in WebAssembly), though only in sandbox-stripped environments; a task verifier helped determine exploit viability. Mozilla says AI-assisted analysis uncovered roughly 90 additional bugs and underscored AI as a powerful complement to security engineering, while noting patches remain under active refinement.

Security flaws expose therapy data in popular Android mental-health apps
technology, 1 month ago

Researchers found 1,575 vulnerabilities across 10 Android mental-health apps with more than 14.7 million total installs, including insecure URI handling, local data exposure, hardcoded API endpoints, and weak token generation, potentially exposing therapy transcripts and other sensitive data; it's unclear if the issues have been fixed.

CISA Flags Four Actively Exploited Flaws in KEV Update and Urges Patch
security, 1 month ago

CISA added four flaws to the Known Exploited Vulnerabilities catalog due to active exploitation: CVE-2026-2441 (Chrome use-after-free), CVE-2024-7694 (TeamT5 ThreatSonar Anti-Ransomware arbitrary file upload leading to command execution), CVE-2020-7796 (Zimbra Collaboration Server SSRF), and CVE-2008-0015 (Windows Video ActiveX buffer overflow). Google confirms an in-the-wild exploit for CVE-2026-2441; GreyNoise documents about 400 IPs exploiting CVE-2020-7796 across several countries; the CVE-2008-0015 exploit can download additional malware like Dogkild and alter system files/hosts. The TeamT5 exploitation vector remains unclear. Federal agencies are urged to patch by March 10, 2026.

Zero-knowledge claims tested: researchers reveal multiple flaws in top password managers
security, 1 month ago

Researchers from ETH Zurich and USI Lugano analyzed Bitwarden, Dashlane, and LastPass and uncovered multiple attack vectors that can enable a compromised or malicious server to read or even modify vaults, especially when account-recovery, group enrollment, key escrow, or backward-compatibility features are enabled. Some attacks could allow theft of entire vaults or selective item data, and even breach older encryption configurations. While vendors defend their security audits and ongoing patching, the study argues that the term “zero-knowledge” can be misleading and urges stronger threat models and resilience measures across password managers.

Researchers uncover 27 attack scenarios targeting cloud password managers
security, 1 month ago

Swiss researchers disclosed 27 attack scenarios across Bitwarden, LastPass, Dashlane and 1Password that could let attackers view or modify vaults, challenging the vendors' end-to-end encryption claims and exploiting issues in onboarding, key escrow, and item-level encryption. A notable attack demonstrated is ‘malicious auto-enrolment’ against Bitwarden, which could allow an attacker who controls the server to hijack a vault during organization onboarding. Vendors are patching (Bitwarden, LastPass, Dashlane) while 1Password defends its SRP-based design. The paper recommends stronger authentication, key separation and ciphertext integrity. Users should check remediation status with providers and ask for audits.

Windows 11 Patch KB5077181 Triggers Infinite Restart on Some Devices
technology, 1 month ago

Microsoft's February 10, 2026 security update KB5077181 for Windows 11 versions 24H2 and 25H2 appears to trigger boot loops on affected devices, forcing multiple restarts; while it patches 58 vulnerabilities (including six zero-days) and ships new Secure Boot certificates to improve boot integrity, users report login failures with System Event Notification Service errors, DHCP connectivity losses, and install errors such as 0x800f0983/0x800f0991, prompting uninstall guidance via Control Panel or Windows Recovery Environment and a suggested SFC scan; enterprises should test via WSUS and monitor health while Microsoft has not publicly acknowledged the issues.

CISA warns four enterprise flaws actively exploited across Versa, Zimbra, Vite, and Prettier
cybersecurity, 2 months ago

CISA has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2025-31125 and CVE-2025-34026 affecting Versa software (including the Concerto SD-WAN) via exposed development features and a Traefik misconfiguration, CVE-2025-68645 in Zimbra Webmail Classic UI (local file inclusion), and a supply-chain issue in eslint-config-prettier (CVE-2025-54313) tied to Prettier. Patches or mitigations exist for affected products; US federal agencies must apply updates or stop using the products by February 12, 2026. The status of ransomware-related exploitation remains unknown.

WhisperPair Flaws Threaten Hundreds of Millions of Bluetooth Audio Devices
technology, 2 months ago

Researchers have revealed WhisperPair, a set of security flaws in Google's Fast Pair Bluetooth protocol that affect 17 audio devices from 10 brands. The vulnerabilities allow attackers within Bluetooth range to silently pair with devices, hijack audio streams, eavesdrop via microphones, or track users through Google's Find Hub, potentially even if the target uses an iPhone. Patches exist, but installation can be inconsistent, and researchers note bypasses to Google's patches; they advocate a cryptographic fix to enforce owner authentication for pairings to address the root issue.

Urgent: Update Your Devices Now to Fix Critical Security Flaws
technology, 3 months ago

The U.S. government has issued urgent warnings for iPhone and Android users to update their devices immediately due to active attacks exploiting multiple vulnerabilities, including WebKit and Chromium flaws, driven by commercial spyware. Deadlines for federal agencies to update are set between December 23 and January 5, emphasizing the critical need for all users to apply updates to prevent exploitation.

Google Patches 107 Android Flaws, Including Two Zero-Days
technology, 4 months ago

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a mandatory update warning for Android devices due to two critical vulnerabilities that could allow remote denial of service attacks. Google and Samsung have confirmed fixes, with a deadline of December 23 for federal users and a recommended update for all others. The vulnerabilities, particularly affecting Samsung devices, involve remote memory access issues, emphasizing the need for timely updates to mitigate risks.