1. Home
  2. Cybersecurity Events

Take action on the latest cybersecurity events

Cybersecurity advisories and events as they happen, with a clear action you can take.

OpenCms vulnerable to unauthenticated XXE (XML External Entity) vulnerability
published: today
OpenCms, a Java framework by Alkacon Software, is impacted by a critical unauthenticated XXE vulnerability (CVE-2023-42344, CVSS 9.8) in versions 9.0.0 to 10.5.0, allowing attackers to execute remote code through manipulated file uploads, with an upgrade to version 10.5.1 recommended for mitigation.
Take action: If you are using OpenCms, update to version 10.5.1 or later ASAP. There is no hiding behind a firewall, and no reason for optimism. Hackers will detect OpenCms automatically and attack you.
Microsoft Edge releases new version patching bugs, and an important privacy change
published: today
Microsoft's Edge browser update 120.0.2210.61 addresses several vulnerabilities, including the critical CVE-2023-35618 allowing potential sandbox escape and code execution, and two less severe information disclosure issues, along with a privacy policy change enabling forwarding of search histories to third parties unless manually disabled.
Take action: If you are using Microsoft Edge - update to the latest version, it's extremely quick. Also, if you are concerned about privacy, disable the new telemetry (sending of search histories to external parties).
New 5G attack named 5Ghoul can exploit Qualcomm, MediaTek chips
published: today
The "5Ghoul" attack exploits critical vulnerabilities in Qualcomm and MediaTek 5G modems, affecting numerous 5G smartphones, routers, and USB modems, with risks including service disruptions and unauthorized network access, and responses from vendors include security bulletins and patches, though their distribution may be delayed.
Take action: A vulnerability in a chipset in your mobile phone is not something you can do much about. Except update your phone to the latest OS and firmware. So don't ignore those updates, there are so many things in the phone that need updating all the time.
Apache Struts 2 fixes critical vulnerablity, upgrade ASAP
published: today
The Apache Struts project has updated its framework to fix a critical remote code execution vulnerability (CVE-2023-50164) in versions 2.0.0 to 2.5.32 and 6.0.0 to 6.3.0.1, urging developers to upgrade immediately to the patched versions 2.5.33 and 6.3.0.2.
Take action: If you are using Apache Struts, update to versions 2.5.33 and 6.3.0.2 ASAP. Hiding the system behind a firewall doesn't work since Apache Struts is a web application framework - it's designed to be publicly accessible from the internet. Even if you are hiding the system behind a firewall, someone will expose it soon enough.
Most Windows and Linux computers vulnerable to a new cyberattack
published: yesterday
The LogoFAIL cybersecurity threat, identified as a significant risk to most Windows and Linux devices, allows attackers to execute undetectable malicious code during boot-up by exploiting flaws in UEFI. The attack can affecti a wide range of devices across multiple CPU ecosystems, with patches varying by manufacturer.
Take action: Keep up with the UEFI/Firmware updates for your computer, since the patch needs to be applied to the UEFI part of the computer. It's not a trivial process, proper reading of instructions is needed and one or more reboots. But since the vulnerability exists below the level of the operating system nothing else protects you. In the meantime, keep your device physically secure and be very careful with running programs and opening emails.
WordPress releases version 6.4.2, advising update because of critical vulnerability
published: Dec. 7, 2023
WordPress's 6.4.2 update addresses a critical vulnerability in versions 6.4 and 6.4.1 related to HTML parsing, which could allow attackers to execute arbitrary PHP code on websites, particularly when combined with certain plugins in multisite installations.
Take action: Even WordPress asks you to update your site, so it definitely is worth the effort. It's a minor update, so don't delay. Patch now.
Atlassian fixes multiple critical vulnerabilities in their products
published: Dec. 6, 2023
Atlassian has released updates to fix four critical vulnerabilities in its software, including deserialization issues and remote code execution flaws in various products, advising users to urgently update to specified versions to prevent potential exploitation.
Take action: Atlassian products are an extremely high risk at the moment, and these vulnerabilities are very exploitable. Expect a massive hacking campaign. Lock them down from the public internet, then patch IMMEDIATELY. If you can't patch them don't consider the firewall a sufficient protection. Backup the apps, then remove them from PCs and take the server systems offline.
Researchers repot multiple severe vulnerabilities in Sierra equipment that impacts IOT infrastructure
published: Dec. 6, 2023
Security researchers have identified 21 critical vulnerabilities in Sierra OT/IoT routers, including remote code execution and unauthorized access, affecting Sierra Wireless AirLink and open-source components. Shodan search revealing over 86,000 vulnerable routers mainly in the U.S., and security researchers recommend upgrading to ALEOS version 4.17.0 and additional security measures.
Take action: If you are using Sierra equipment, check that they are running in isolated APN/network - not accessible on the public 4G/5G network or internet. Then disable unnecessary services and start patching. Too many of these routers are exposed on the internet, and they will be hacked.
Atos Unify OpenScape reports maximum severity critical vulnerability
published: Dec. 5, 2023
The CVE-2023-6269 vulnerability in Atos Unify's OpenScape suite, rated CVSS 10, allows unauthorized root access via SSH due to an administrative web interface flaw, affecting various versions of OpenScape SBC, Branch, and BCF products, with updates and security measures recommended for mitigation.
Take action: This is a "LOCK DOWN AND PATCH IMMEDIATELY" advisory. Any publicly exposed SSH and management interface of OpenScape will be scanned automatically and compromised. Close SSH and management interfaces from any public internet access and patch ASAP.
MW WP Form plugin for WordPress has critical flaw exposing 200k installs
published: Dec. 4, 2023
Security experts discovered a critical vulnerability (CVE-2023-6316, CVSS3 score 9.8) in the MW WP Form plugin for WordPress, allowing unauthenticated attackers to upload and execute harmful files, impacting versions up to 5.0.1.
Take action: If you are using MW WP Forms plugin, update ASAP. If you are unable for whatever reason, disable “Saving inquiry data in database” option in the plugin’s form settings as a temporary stopgap. But that may break your site, so push for the update.