Tag: Vulnerability

All articles tagged with #vulnerability

AI-Driven Cyber Threats Push Defenders Into a Two-Year Sprint
technology · 14 days ago

At RSA Conference, security leaders warn AI is accelerating vulnerability discovery and enabling autonomous, scalable cyber offenses, creating a two-year window of upheaval where defenders struggle to patch faster than attackers weaponize. They foresee AI-driven exploits, faster patch cycles, and a need to rethink defense—potentially with machine-speed autonomous responses and a reimagined cyber defense ecosystem—while noting national-security implications. Optimism rests on rapid, defensible AI advances, but the timeline remains tight: two years, maybe longer, to harden defenses.

Critical UniFi Flaws Allow Full System Takeover, Patch Now
cybersecurity · 21 days ago

Ubiquiti disclosed two critical-to-high vulnerabilities in UniFi Network Application: CVE-2026-22557, a path-traversal flaw that can allow unauthenticated attackers to seize full control of the underlying host, and CVE-2026-22558, an authenticated NoSQL injection enabling privilege escalation. Affected versions include UniFi Network App 10.1.85 and earlier, 10.2.93 and earlier, and UniFi Express Network App 9.0.114 and earlier. Patches are available: official 10.1.89+ (or RC 10.2.97+; UX 4.0.13+) bundling Network App 9.0.118+. Given the CVSS 10 rating for CVE-2026-22557, patch immediately and implement network segmentation/firewall controls for the UniFi management interface.

Chrome patches two in-the-wild zero-days hitting Skia and V8
technology · 29 days ago

Google released Chrome security updates to fix two high-severity zero-days exploited in the wild: CVE-2026-3909 (out-of-bounds write in Skia) and CVE-2026-3910 (V8 sandbox escape). Users should update to Chrome 146.0.7680.75/76 on Windows/macOS and 146.0.7680.75 on Linux; CISA added these flaws to the KEV catalog with a March 27, 2026 deadline for federal agencies.

Chrome Gets Urgent Patch for Two In-The-Wild Zero-Days
technology · 29 days ago

Google released emergency Chrome updates to fix two high-severity zero-days actively exploited in the wild: CVE-2026-3909 (an out-of-bounds write in Skia) and CVE-2026-3910 (an issue in the V8 engine). Patches rolled out to Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux (146.0.7680.75) in the Stable channel, with automatic updates available. Google says exploits exist in the wild but will keep bug details restricted until most users are updated. These are the second and third Chrome zero-days exploited in 2026; Google previously fixed CVE-2026-2441 in February, and it paid over $17 million to 747 researchers through its VRP in 2025.

Chrome Gemini Flaw Lets Attackers Hijack Camera and Microphone Through Privileged AI Panel (CVE-2026-0628)
cybersecurity · 1 month ago

Researchers from Palo Alto Networks' Unit 42 disclosed a high-severity vulnerability (CVE-2026-0628) in Chrome's Gemini AI panel that could be exploited by a malicious extension to inject code with the panel's elevated privileges, enabling silent camera and microphone access, local file theft, screenshots, and phishing. The flaw arises from how Chrome handles the declarativeNetRequest API for gemini.google.com; when loaded inside the Gemini panel it gains browser-level rights, unlike in a normal tab. Google patched the issue on January 5, 2026, so users should update Chrome immediately; organizations should apply the patch across endpoints to mitigate enterprise risk from trusted-panel attacks.

Security Flaw Lets Remote Hackers Command Thousands of Camera-Equipped Robot Vacuums
security · 1 month ago

A security vulnerability in DJI's Romo robot vacuums allowed a remote attacker to hijack about 6,700 devices across 24 countries using only their 14-digit serial numbers, granting access to live video, audio, and home floor plans. The flaw was demonstrated by Sammy Azdoufal and has been fixed by DJI, but the incident underscores ongoing privacy and security risks in internet-connected home devices.

Microsoft Fixes Privilege Escalation Flaw in Windows Admin Center (CVE-2026-26119)
security · 1 month ago

Microsoft patched CVE-2026-26119, a high-severity improper authentication flaw in Windows Admin Center that could allow an authenticated attacker to elevate privileges to the user running the affected app; the fix arrived with Windows Admin Center v2511 (Dec 2025). While there are no confirmed exploits in the wild, Microsoft flags exploitation as more likely and researchers warn it could enable domain compromise under certain conditions.

technology · 1 month ago

Chromium CSS zero-day CVE-2026-2441 appears in the wild

A zero-day use-after-free in Chromium’s CSS engine (CVE-2026-2441) has surfaced in the wild, potentially enabling heap corruption via crafted HTML and affecting Chromium-based browsers like Chrome, Edge, and Opera. The discussion centers on the vulnerability’s impact, possible exploit chains, and bug-bounty economics, with experts noting that attackers may combine a renderer bug with a sandbox escape for broader access. The thread also touches on how bug bounties compare to gray-market payouts for high-severity exploits and the reality that “in the wild” exploits often come with additional complications and risk for researchers.

Feds told to patch BeyondTrust flaw within 3 days after active exploitation
technology · 1 month ago

CISA ordered federal civilian agencies to patch BeyondTrust Remote Support and Privileged Remote Access within three days after CVE-2026-1731, a remote code execution flaw, was found to be actively exploited. SaaS instances were patched by BeyondTrust on Feb 2, 2026, but on-premises deployments require manual updates. Exploitation can allow unauthenticated remote code execution, risking system compromise, data exfiltration, and service disruption. Threat intel reports active exploitation and about 11,000 exposed instances (roughly 8,500 on-premises). The agency added the CVE to its Known Exploited Vulnerabilities catalog and urged mitigations or discontinuation per vendor guidance under BOD 22-01.

Critical pre-auth RCE in BeyondTrust remote-support tools prompts urgent patch
technology · 2 months ago

BeyondTrust warns of CVE-2026-1731, a pre-auth remote code execution flaw in Remote Support (RS) 25.3.1 and Privileged Remote Access (PRA) 24.3.4 and earlier, allowing unauthenticated attackers to run OS commands; patches are available by upgrading to RS 25.3.2+ and PRA 25.1.1+ (or enabling automatic updates). Cloud systems have been secured; about 11,000 instances are exposed online, with roughly 8,500 on-premises potentially vulnerable if not patched; no active exploitation is reported yet.

800k Telnet Devices Open to Root-Login Bypass (CVE-2026-24061)
security · 2 months ago

Shadowserver has identified about 800,000 IPs fingerprinted for Telnet activity, highlighting widespread exposure to the root-login bypass in GNU InetUtils telnetd (CVE-2026-24061) affecting 1.9.3–2.7 and patched in 2.8; attackers can bypass authentication by sending USER=-f root via Telnet IAC. GreyNoise detected limited exploits starting Jan 21 from 18 IPs across 60 sessions, with 83% targeting root; attackers also attempted Python malware deployment but failed due to missing binaries. Most exposed devices are in Asia and the Americas; admins should disable vulnerable telnetd or block port 23 until patching.

Node.js patches mitigate async_hooks stack overflow DoS risk
technology · 2 months ago

Node.js released patches for a critical vulnerability in which async_hooks can trigger a stack-overflow DoS, with the runtime exiting with code 7 instead of throwing a catchable error; it affects many apps and frameworks (including React Server Components and Next.js) as well as APMs, and is tracked as CVE-2025-59466 (CVSS 7.5). Updates are available in Node.js 20.20.0+, 22.22.0+, 24.13.0+, and 25.3.0, while the older 8.x–18.x lines remain EOL. Upgrade promptly and apply stronger stack-space protections; other high-severity fixes were released too.

Reprompt flaw lets attackers hijack Copilot sessions via malicious prompts
security · 2 months ago

Researchers exposed 'Reprompt', a flaw that injects commands via Copilot's URL q parameter to hijack an authenticated session and exfiltrate data, using P2P injection, double-request, and chain-request techniques; Microsoft patched the vulnerability in its January 2026 Patch Tuesday release. The flaw mainly affects Copilot Personal rather than Microsoft 365 Copilot, and users should apply the latest Windows updates.