-
The Jenkins project released Security Advisory 2025-10-29 on October 28, 2025, disclosing multiple vulnerabilities across 13 plugins for the popular open-source automation server. The flaws range from high-severity authentication bypasses to permission misconfigurations and credential exposures, potentially exposing enterprise CI/CD pipelines to unauthorized access and code execution. While fixes are available for two critical […] The post Multiple Jenkins Vulnerability SAML Authentication Bypass And MCP Server Plugin Permissions appeared first on Cyber Security News.
-
Security researcher Jofpin has disclosed “Brash,” a critical flaw in Google’s Blink rendering engine that lets attackers crash Chromium-based browsers almost instantly. Affecting billions of users worldwide, the architectural weakness lies in unchecked updates to the document.title API: a page can flood the browser’s main thread with title changes, triggering a system-wide denial of service without sophisticated tools or elevated privileges. The […] The post Critical Vulnerability in Chromium’s Blink Let Attackers Crash Chromium-based Browsers Within Seconds appeared first on Cyber Security News.
-
Semperis researchers have detailed a privilege escalation vulnerability in Windows SMB servers that leverages Ghost Service Principal Names (SPNs) and Kerberos authentication reflection to achieve remote SYSTEM-level access. Microsoft designated it CVE-2025-58726, an “SMB Server Elevation of Privilege” flaw affecting all Windows versions on which SMB signing is not enforced. According to Semperis, the issue persists in environments with default Active […] The post New Attack Combines Ghost SPNs and Kerberos Reflection to Elevate Privileges on SMB Servers appeared first on Cyber Security News.
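The mitigation the article points to is enforced SMB signing. The PowerShell below is an added example, not code from the article or from Semperis: it audits the signing settings of the local SMB server and client with the SmbShare cmdlets and turns enforcement on where it is off. Run it in an elevated session on each Windows host; requiring signing can break legacy clients that cannot sign, so stage it before a domain-wide rollout.

```powershell
# Added example (not from the article): audit and enforce SMB signing on the local host.
# Needs an elevated session; Get-/Set-Smb*Configuration come from the SmbShare module
# shipped with Windows 8.1 / Server 2012 R2 and later.
$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration

# Report the current state before changing anything.
[pscustomobject]@{
    ServerEnableSigning  = $server.EnableSecuritySignature   # server offers signing
    ServerRequireSigning = $server.RequireSecuritySignature  # server refuses unsigned sessions
    ClientRequireSigning = $client.RequireSecuritySignature  # client refuses servers that will not sign
} | Format-List

# The article ties CVE-2025-58726 to hosts without enforced server-side signing, so the
# server setting is the one that matters here. Requiring it on the client side as well
# (an additional hardening step, not something the article calls for) keeps this host from
# being talked into unsigned sessions with other servers.
if (-not $server.RequireSecuritySignature) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Write-Host 'SMB server signing is now required.'
}
if (-not $client.RequireSecuritySignature) {
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Write-Host 'SMB client signing is now required.'
}
```

Re-run the first half after the change to confirm both RequireSecuritySignature values read True; the setting takes effect for new sessions without a reboot.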
-
Microsoft has patched a critical race condition vulnerability in its Windows Cloud Files Minifilter driver, tracked as CVE-2025-55680, which enables local attackers to escalate privileges and create arbitrary files anywhere on the system. Discovered by researchers at Exodus Intelligence in March 2024, the flaw was addressed in the October 2025 Patch Tuesday updates, earning a CVSS […] The post Microsoft Windows Cloud Files Minifilter Privilege Escalation Vulnerability Exploited appeared first on Cyber Security News.
-
In an update issued on October 29, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) provided organizations with expanded guidance on detecting and mitigating threat activity related to the actively exploited CVE-2025-59287 vulnerability in Microsoft’s Windows Server Update Services (WSUS). This remote code execution flaw, with a CVSS score of 9.8, allows […] The post CISA Shares New Threat Detections for Actively Exploited WSUS Vulnerability appeared first on Cyber Security News.
-
A new open-source tool called HikvisionExploiter has emerged, designed to automate attacks on vulnerable Hikvision IP cameras. Released on GitHub in mid-2024 but gaining renewed attention amid the 2025 surge in camera exploits, this Python-based utility targets unauthenticated endpoints on cameras running outdated firmware, such as version 3.1.3.150324. Developed for researchers and red teamers, it streamlines […] The post Hikvision Exploiter – An Automated Exploitation Toolkit Targeting Hikvision IP Cameras appeared first on Cyber Security News.
-
Public proof-of-concept exploit code has been released demonstrating how attackers could exploit CVE-2025-40778, a critical vulnerability in BIND 9 that enables DNS cache poisoning. The Internet Systems Consortium (ISC) initially disclosed the flaw on October 22, revealing a dangerous weakness in the world’s most widely used DNS software. The vulnerability allows remote, unauthenticated attackers to inject forged DNS […] The post PoC Exploit Released for BIND 9 Vulnerability that Let Attackers Forge DNS Records appeared first on Cyber Security News.
-
CISA has added two critical vulnerabilities affecting Dassault Systèmes DELMIA Apriso to its Known Exploited Vulnerabilities catalog, warning that threat actors are actively exploiting them in real-world attacks. The alert, issued on October 28, 2025, requires federal agencies to apply mitigations by November 18, 2025, and urges all organizations using the affected software […] The post CISA Warns of Dassault Systèmes Vulnerabilities Actively Exploited in Attacks appeared first on Cyber Security News.
-
A vulnerability in Google Messages on Wear OS devices allows any installed app to silently send SMS, MMS, or RCS messages on behalf of the user. Tracked as CVE-2025-12080, the issue stems from improper handling of ACTION_SENDTO intents using the sms:, smsto:, mms:, and mmsto: URI schemes. Because the app acts on these intents without a user confirmation or a permission check on the calling app, the flaw enables […] The post Google Wear OS Message App Vulnerability Lets Any Installed App Send SMS on Behalf of the User appeared first on Cyber Security News.
-
A critical vulnerability has been found in Magento, the popular e-commerce platform now rebranded as Adobe Commerce. Dubbed SessionReaper and tracked as CVE-2025-54236, this improper input validation flaw allows attackers to hijack user sessions and, in some cases, execute malicious code remotely. The discovery highlights the ongoing risks to online retailers, with over 250 Magento stores reportedly […] The post Magento Input Validation Vulnerability Exploited In Wild To Hijack Session And Execute Malicious Codes appeared first on Cyber Security News.


