Take action on the latest cybersecurity events

Cybersecurity advisories and events as they happen, with a clear action you can take.

The Wordfence Threat Intelligence team disclosed multiple critical vulnerabilities in the widely-used Kirotech's UserPro WordPress plugin, advising immediate update to the patched version 5.1.5.
A critical vulnerability in CrushFTP allows unauthenticated attackers to execute code and access sensitive data via a mass-assignment flaw, prompting urgent patching and additional mitigations.
Fortinet warns of a critical vulnerability (CVE-2023-36553) in its FortiSIEM report server that could be exploited by remote attackers, potentially allowing unauthorized command execution via specially crafted API requests. Fortinet advises affected users to upgrade to recommended versions for protection.
Aruba Networks has released patches for 14 security flaws affecting various versions of ArubaOS and InstantOS, with three critical vulnerabilities related to the PAPI protocol enabling potential unauthenticated remote code execution and file deletion, and recommends upgrading to specified versions or doing a workaround mitigation.
CertiK has reported a serious security flaw in the Solana Saga smartphone, which has an integrated hardware wallet for secure Web3 and cryptocurrency operations. A video posted by CertiK suggests that attackers could potentially unlock the bootloader to install a backdoor and gain root access, posing a significant risk to the security of users' cryptocurrency data. Solana Labs disputes this claim, arguing that the bootloader unlocking process requires user authentication and multiple steps that would be evident to the device owner, as it also results in data deletion—a detail users are clearly warned about.
The SAP Security Patch Day in November 2023 introduced six security advisories, with the most critical being an improper access control vulnerability in SAP Business One (CVE-2023-31403) and an update to the fix for missing authorization check in SAP CommonCryptoLib (CVE-2023-40309), with no known exploits yet reported.
Intel issued 31 advisories covering approximately 105 vulnerabilities, notably patching a high-risk CPU flaw called Reptar (CVE-2023-23583) and a critical vulnerability in its DCM software (CVE-2023-31273), alongside nine other high-severity issues affecting various products.
VMware has alerted users to a critical, unresolved security flaw (CVE-2023-34060, CVSS score 9.8) in Cloud Director 10.5 upgraded instances that allows attackers network access to bypass authentication on certain ports. A temporary shell script fix is available that does not disrupt service.
In November 2023, Microsoft addressed 58 security issues, including 5 zero-day vulnerabilities, through its Patch Tuesday updates. These updates spanned a range of products, including Azure, Microsoft Edge, Office and other Microsoft different software and tackled various vulnerabilities from remote code execution to information disclosure.
Adobe's Patch Tuesday updates rectified 72 security flaws, including critical executable code vulnerabilities in Acrobat and Reader, and other high-risk issues in ColdFusion, InDesign, Photoshop, and more, affecting multiple versions across Windows and macOS platforms.