CrowdCyber - Nostr Hypermedia

CISA Warns: Critical Longwatch RCE Flaw (CVE-2025-13658, CVSS 9.8) Allows Unauthenticated SYSTEM Takeover of OT Surveillance

Daily CyberSecurity

CISA Warns: Critical Longwatch RCE Flaw (CVE-2025-13658, CVSS 9.8) Allows Unauthenticated SYSTEM Takeover of OT Surveillance

CISA warned of a Critical RCE flaw (CVE-2025-13658, CVSS 9.8) in Longwatch video surveillance. Unauthenticated attackers can execute arbitrary code...

CrowdCyber.com 3 months ago

How attackers use real IT tools to take over your computer

Malwarebytes

How attackers use real IT tools to take over your computer

We’ve seen a new wave of attacks exploiting legitimate Remote Monitoring and Management (RMM) tools to remotely control victims’ systems.

CrowdCyber.com 3 months ago

The minefield between syntaxes: exploiting syntax confusions in the wild https://www.reddit.com/r/netsec/comments/1p89lx1/the_minefield_between_syntaxes_exploiting_syntax/

CrowdCyber.com 3 months ago

High-Severity Angular Flaw (CVE-2025-66412) Allows Stored XSS via SVG and MathML Bypass

Daily CyberSecurity

High-Severity Angular Flaw (CVE-2025-66412) Allows Stored XSS via SVG and MathML Bypass

A High-severity XSS flaw (CVE-2025-66412, CVSS 8.5) in Angular allows attackers to bypass sanitization and execute scripts via vulnerable SVG/MathM...

CrowdCyber.com 3 months ago

Critical cPanel Flaw (CVSS 9.3) Allows Directory Traversal LPE for Full Server Takeover

Daily CyberSecurity

Critical cPanel Flaw (CVSS 9.3) Allows Directory Traversal LPE for Full Server Takeover

A Critical (CVSS 9.3) LPE flaw in cPanel's Team Manager API allows a standard user to break out of their directory via path traversal and compromis...

CrowdCyber.com 3 months ago

Shai-Hulud 2.0 NPM malware attack exposed up to 400,000 dev secrets

BleepingComputer

Shai-Hulud 2.0 NPM malware attack exposed up to 400,000 dev secrets

The second Shai-Hulud attack last week exposed around 400,000 raw secrets after infecting hundreds of packages in the NPM (Node Package Manager) re...

CrowdCyber.com 3 months ago

Critical ACF Extended Flaw (CVE-2025-13486, CVSS 9.8) Allows Unauthenticated RCE on 100K WordPress Sites

Daily CyberSecurity

Critical ACF Extended Flaw (CVE-2025-13486, CVSS 9.8) Allows Unauthenticated RCE on 100K WordPress Sites

A Critical (CVSS 9.8) RCE flaw in ACF Extended allows unauthenticated attackers to run arbitrary code via the prepare_form function, risking 100K+ ...

CrowdCyber.com 3 months ago

The Cloudflare Outage May Be a Security Roadmap

The Cloudflare Outage May Be a Security Roadmap – Krebs on Security

CrowdCyber.com 3 months ago

Iran's 'MuddyWater' Levels Up With MuddyViper Backdoor

Dark Reading

Iran

New Fooder loader and memory-only tactics suggest MuddyWater has evolved from its usual noisy ops to more stealthy espionage operations.

CrowdCyber.com 3 months ago

“Sleeper” browser extensions woke up as spyware on 4 million devices

Malwarebytes

“Sleeper” browser extensions woke up as spyware on 4 million devices

After seven years of acting like normal add-ons, five popular Chrome and Edge extensions with millions of installs suddenly turned malicious.

CrowdCyber.com 3 months ago

Critical OpenVPN Flaws Fix: Heap Over-Read (CVSS 9.1) and HMAC Bypass Allow DoS Attacks

Daily CyberSecurity

Critical OpenVPN Flaws Fix: Heap Over-Read (CVSS 9.1) and HMAC Bypass Allow DoS Attacks

OpenVPN released an urgent patch (v2.7_rc2) fixing two critical flaws: a Heap Over-read (CVE-2025-12106, CVSS 9.1) and an HMAC bypass (CVE-2025-130...

CrowdCyber.com 3 months ago

Google fixes two Android zero days exploited in attacks, 107 flaws

BleepingComputer

Google fixes two Android zero days exploited in attacks, 107 flaws

Google has released the December 2025 Android security bulletin, addressing 107 vulnerabilities, including two flaws actively exploited in targeted...

CrowdCyber.com 3 months ago

Next-Gen Stealer Arkanix Bypasses Chrome App-Bound Encryption Using C++ Process Injection

Daily CyberSecurity

Next-Gen Stealer Arkanix Bypasses Chrome App-Bound Encryption Using C++ Process Injection

G DATA exposed Arkanix, a fast-evolving C++ stealer. Its premium version uses process injection and Chrome Elevator to bypass Chrome App-Bound Encr...

CrowdCyber.com 3 months ago

Tomiris Unleashes 'Havoc' With New Tools, Tactics

Dark Reading

Tomiris Unleashes "Havoc" With New Tools, Tactics

The Russian-speaking group is targeting government and diplomatic entities in CIS member states in its latest cyber-espionage campaign.

CrowdCyber.com 3 months ago

Glassworm malware returns in third wave of malicious VS Code packages

BleepingComputer

Glassworm malware returns in third wave of malicious VS Code packages

The Glassworm campaign, which first emerged on the OpenVSX and Microsoft Visual Studio marketplaces in October, is now in its third wave, with 24 n...

CrowdCyber.com 3 months ago

Albiriox: The Russian ‘MaaS’ Android Trojan Redefining Mobile Fraud

Daily CyberSecurity

Albiriox: The Russian 'MaaS' Android Trojan Redefining Mobile Fraud

Meet Albiriox, a new Russian Android banking Trojan sold as a service. Learn how its "AcVNC" tech enables on-device fraud against 400+ glob...

CrowdCyber.com 3 months ago

New Android malware lets criminals control your phone and drain your bank account

Malwarebytes

New Android malware lets criminals control your phone and drain your bank account

Albiriox now targets over 400 financial apps and lets criminals operate your phone almost exactly as if it were in their hands.

CrowdCyber.com 3 months ago

Android Emergency: Critical DoS Flaw and 2 Exploited Zero-Days in Framework Require Immediate Patch

Daily CyberSecurity

Android Emergency: Critical DoS Flaw and 2 Exploited Zero-Days in Framework Require Immediate Patch

Google’s December update fixes a Critical DoS flaw (CVE-2025-48631) and two actively exploited zero-days (Info Disclosure/EoP). Kernel (PKVM) and...

CrowdCyber.com 3 months ago

Critical Devolutions Server Flaw (CVE-2025-13757) Allows Authenticated SQL Injection to Steal All Passwords

Daily CyberSecurity

Critical Devolutions Server Flaw (CVE-2025-13757) Allows Authenticated SQL Injection to Steal All Passwords

Devolutions Server patched a Critical SQLi flaw (CVE-2025-13757) allowing authenticated users to exfiltrate or modify data via log parameters. Upda...

CrowdCyber.com 3 months ago

ShadyPanda browser extensions amass 4.3M installs in malicious campaign

BleepingComputer

ShadyPanda browser extensions amass 4.3M installs in malicious campaign

A long-running malware operation known as "ShadyPanda" has amassed over 4.3 million installations of seemingly legitimate Chrome and Edge browser e...