QNAP Systems has disclosed a critical security vulnerability in its legacy VioStor Network Video Recorder (NVR) firmware that could allow remote attackers to completely bypass authentication mechanisms and gain unauthorized system access.  The vulnerability affects QVR firmware version 5.1.x running on legacy VioStor NVR  Key Takeaways1. Two vulnerabilities allow remote authentication bypass and unauthorized file […] The post QNAP Vulnerability Let Attackers Bypass Authentication and Access Unauthorized Files appeared first on Cyber Security News.

A critical security vulnerability has been discovered in the Linux UDisks daemon that could allow unprivileged attackers to gain access to files owned by privileged users.  The flaw, identified as CVE-2025-8067, was publicly disclosed on August 28, 2025, and carries an Important severity rating with a CVSS v3 score of 8.5. Key Takeaways1. CVE-2025-8067 in […] The post Linux UDisks Daemon Vulnerability Let Attackers Gaining Access to Files Owned by Privileged Users appeared first on Cyber Security News.

The Cybersecurity and Infrastructure Security Agency (CISA) has published nine Industrial Control Systems (ICS) advisories on August 28, 2025, detailing high- and medium-severity vulnerabilities across leading vendors’ products.  The advisories highlight remote-exploitable flaws, privilege-escalation weaknesses, memory corruption bugs, and insecure configurations.  CISA and vendors aim to empower operators with precise guidance to safeguard ICS environments […] The post CISA Releases Nine ICS Advisories Surrounding Vulnerabilities, and Exploits appeared first on Cyber Security News.

A significant global effort to patch a critical zero-day remote code execution (RCE) vulnerability in Citrix NetScaler devices has seen the number of exposed systems drop from approximately 28,200 to 12,400 in just one week. Data from The Shadowserver Foundation, a non-profit dedicated to internet security, reveals a rapid response from administrators worldwide, though thousands […] The post Citrix Netscaler 0-day RCE Vulnerability Patched – Vulnerable Instances Reduced from 28.2K to 12.4K appeared first on Cyber Security News.

NodeBB, a popular open-source forum platform, has been found vulnerable to a critical SQL injection flaw in version 4.3.0.  The flaw, tracked as CVE-2025-50979, resides in the search-categories API endpoint, allowing unauthenticated, remote attackers to inject both boolean-based blind and PostgreSQL error-based payloads.  Successful exploitation could lead to unauthorized data access, information disclosure, or further […] The post NodeBB Vulnerability Let Attackers Inject Boolean-Based Blind and PostgreSQL Error-Based Payloads appeared first on Cyber Security News.

Hikvision has disclosed three significant security vulnerabilities affecting multiple versions of its HikCentral product suite that could enable attackers to execute malicious commands and gain unauthorized administrative access.  The vulnerabilities, assigned CVE identifiers CVE-2025-39245, CVE-2025-39246, and CVE-2025-39247, were reported to the Hikvision Security Response Center (HSRC) on by security researchers Yousef Alfuhaid, Nader Alharbi, Eduardo […] The post Multiple Hikvision Vulnerabilities Let Attackers Inject Executable Commands appeared first on Cyber Security News.

A high-severity Server-Side Request Forgery (SSRF) vulnerability has been identified in the widely used PhpSpreadsheet library, potentially allowing attackers to exploit internal network resources and compromise server security.  The vulnerability, tracked as CVE-2025-54370, affects multiple versions of the phpoffice/phpspreadsheet package and carries a CVSS v4.0 score of 8.7. Key Takeaways1. SSRF in PhpSpreadsheet’s Worksheet\Drawing::setPath via […] The post PhpSpreadsheet Library Vulnerability Enables Attackers to Feed Malicious HTML Input appeared first on Cyber Security News.

Nagios XI, a widely-deployed network monitoring solution, has addressed a critical cross-site scripting (XSS) vulnerability in its Graph Explorer feature that could enable remote attackers to execute malicious JavaScript code within users’ browsers.  The security flaw was patched in version 2024R2.1, released on August 12, 2025, following responsible disclosure by security researcher Marius Lihet. Key […] The post Nagios XSS Vulnerability Let Remote Attackers to Execute Arbitrary JavaScript appeared first on Cyber Security News.