-
Critical vulnerabilities in Sitecore Experience Platform allow attackers to achieve complete system compromise through a sophisticated attack chain combining HTML cache poisoning with remote code execution capabilities. These flaws also enable attackers to enumerate cache keys and configuration details via the exposed ItemServices API, streamlining targeted exploitation. Key Takeaways: 1. CVE-2025-53693 lets attackers inject HTML via […] The post Sitecore CMS Platform Vulnerabilities Enables Remote Code Execution appeared first on Cyber Security News.
-
Security researchers at watchTowr Labs have uncovered a devastating chain of vulnerabilities in Sitecore Experience Platform that could allow attackers to completely compromise enterprise websites without authentication. The research reveals how cyberc…
-
WhatsApp has issued a critical security advisory addressing a newly discovered zero-day vulnerability, tracked as CVE-2025-55177, which has been exploited in highly sophisticated zero-click attacks targeting Mac and iOS users. The vulnerability, combin…
-
On August 28, 2025, the Hikvision Security Response Center (HSRC) issued Security Advisory SN No. HSRC-202508-01, detailing three critical vulnerabilities affecting various HikCentral products. Collectively assigned CVE identifiers CVE-2025-39245, CVE-…
-
Over 1,400 developers discovered today that a malicious post-install script in the popular NX build kit silently created a repository named s1ngularity-repository in their GitHub accounts. This repository contains a base64-encoded dump of sensitive data: wallet files, API keys, .npmrc credentials, environment variables, and more, harvested directly from developers’ file systems. Key Takeaways: 1. Malware in […] The post NX Build Tool Hacked with Malware That Checks for Claude or Gemini to Find Wallets and Secrets appeared first on Cyber Security…
-
A newly disclosed vulnerability in the widely used ISC Kea DHCP server poses a significant security risk to network infrastructure worldwide. The flaw, designated CVE-2025-40779, allows remote attackers to crash DHCP services with just a single maliciously crafted packet, potentially disrupting network operations across entire organizations. The vulnerability affects multiple versions of the Kea DHCP […] The post Kea DHCP Server Vulnerability Let Remote Attacker With a Single Crafted Packet appeared first on Cyber Security News.
-
A weaponized proof-of-concept exploit has been publicly released targeting CVE-2025-54309, a severe authentication bypass vulnerability affecting CrushFTP file transfer servers. The flaw enables remote attackers to gain administrative privileges through a race condition in AS2 validation processing, circumventing authentication mechanisms entirely. Key Takeaways: 1. Race-condition exploit lets attackers bypass CrushFTP authentication. 2. Public PoC on GitHub confirms […] The post PoC Exploit Released for CrushFTP 0-day Vulnerability (CVE-2025-54309) appeared first on Cyber Security News.
-
CISA released three significant Industrial Control Systems (ICS) advisories on August 26, 2025, alerting organizations to critical vulnerabilities affecting widely deployed automation systems. These advisories highlight severe security flaws across INVT Electric’s engineering tools, Schneider Electric’s Modicon controllers, and Danfoss refrigeration systems, with CVSS v4 scores reaching 8.7, indicating high-severity exploitable conditions. Key Takeaways: 1. CISA issued […] The post CISA releases New ICS Advisories Surrounding Vulnerabilities and Exploits appeared first on Cyber Security News.
-
The Cybersecurity and Infrastructure Security Agency (CISA) released three Industrial Control Systems (ICS) advisories on August 26, 2025, detailing nine critical vulnerabilities in INVT VT-Designer and HMITool (CVSS v4 8.5). Multiple flaws in Schneide…
-
Cybersecurity incidents increasingly exploit human vulnerabilities, including those of privileged users, as demonstrated in recent compromises involving trojanized versions of the PuTTY SSH client distributed through malvertising on Microsoft’s B…