Tag: Vulnerabilities

All articles tagged with #vulnerabilities

Security flaws expose therapy data in popular Android mental-health apps
technology · 1 day ago

Researchers found 1,575 vulnerabilities across 10 Android mental-health apps with more than 14.7 million total installs, including insecure URI handling, local data exposure, hardcoded API endpoints, and weak token generation, potentially exposing therapy transcripts and other sensitive data. It is unclear whether the issues have been fixed.
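As an added illustration of the weak-token-generation class named in the summary (not code from any of the apps in the study, whose implementations are not published here): a session token derived from a general-purpose PRNG seeded with a millisecond timestamp can be recovered by an attacker who knows roughly when it was issued, while a CSPRNG token cannot. The seed window and the hypothetical issue time are assumptions for the demo.

```python
import random
import secrets
import time
from typing import Optional

TOKEN_BYTES = 16


def weak_token(seed_ms: int) -> str:
    """Hypothetical weak session token: a general-purpose PRNG seeded with a
    millisecond timestamp, the same pattern as java.util.Random seeded with
    System.currentTimeMillis() on Android. The output is fully determined by the seed."""
    rng = random.Random(seed_ms)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def strong_token() -> str:
    """Correct alternative: a CSPRNG (secrets, backed by os.urandom); there is no seed to guess."""
    return secrets.token_hex(TOKEN_BYTES)


def recover_seed(token: str, approx_issue_ms: int, window_ms: int = 5_000) -> Optional[int]:
    """Attacker's view: knowing approximately when the token was issued (for example
    from an HTTP Date header), try every millisecond seed within +/- window_ms and
    return the seed that reproduces the token. Only feasible when the token is seed-derived."""
    for seed in range(approx_issue_ms - window_ms, approx_issue_ms + window_ms + 1):
        if weak_token(seed) == token:
            return seed
    return None


if __name__ == "__main__":
    issued_at = int(time.time() * 1000)
    victim = weak_token(issued_at)
    # Assume the attacker observed the response about 1.2 s after the token was issued.
    print("weak token seed recovered:", recover_seed(victim, issued_at + 1_200) == issued_at)
    print("strong token seed recovered:", recover_seed(strong_token(), issued_at + 1_200))
```

The brute force costs one PRNG seeding per candidate millisecond, so a window of several seconds is trivial; widening the window to hours is still cheap on a single core, which is why seeding from the clock offers no protection at all.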

CISA Flags Four Actively Exploited Flaws in KEV Update and Urges Patch
security · 7 days ago

CISA added four flaws to the Known Exploited Vulnerabilities catalog due to active exploitation: CVE-2026-2441 (Chrome use-after-free), CVE-2024-7694 (TeamT5 ThreatSonar Anti-Ransomware arbitrary file upload leading to command execution), CVE-2020-7796 (Zimbra Collaboration Server SSRF), and CVE-2008-0015 (Windows Video ActiveX buffer overflow). Google confirms an in-the-wild exploit for CVE-2026-2441; GreyNoise documents about 400 IPs exploiting CVE-2020-7796 across several countries; the CVE-2008-0015 exploit can download additional malware like Dogkild and alter system files/hosts. The TeamT5 exploitation vector remains unclear. Federal agencies are urged to patch by March 10, 2026.

Zero-knowledge claims tested: researchers reveal multiple flaws in top password managers
security · 8 days ago

Researchers from ETH Zurich and USI Lugano analyzed Bitwarden, Dashlane, and LastPass and uncovered multiple attack vectors that let a compromised or malicious server read or even modify vaults, especially when account-recovery, group enrollment, key escrow, or backward-compatibility features are enabled. Some attacks allow theft of entire vaults or of selected items, and some break older encryption configurations retained for backward compatibility. While the vendors point to their security audits and ongoing patching, the study argues that the term "zero-knowledge" can be misleading and urges stronger threat models and resilience measures across password managers.

Researchers uncover 27 attack scenarios targeting cloud password managers
security · 8 days ago

Swiss researchers disclosed 27 attack scenarios across Bitwarden, LastPass, Dashlane and 1Password that could let an attacker who controls the server view or modify vaults, undermining the products' end-to-end encryption claims through weaknesses in onboarding, key escrow, and item-level encryption. A notable demonstrated attack is "malicious auto-enrolment" against Bitwarden, in which a malicious server hijacks a vault during organization onboarding. Bitwarden, LastPass and Dashlane are shipping patches, while 1Password defends its SRP-based design. The paper recommends stronger authentication, key separation and ciphertext integrity. Users should check remediation status with their provider and ask for audits.
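The "ciphertext integrity" recommendation in this item and the previous one, as an added example that is not code from the paper or from any of the vendors: a server that stores vault items it cannot decrypt can still rewrite them if the encryption is malleable, because flipping ciphertext bits flips the same plaintext bits. The block below shows that edit against an unauthenticated stream cipher and then shows an encrypt-then-MAC construction rejecting it. The keys, nonce and vault item are constructed for the demo, and the HMAC-based counter-mode keystream is a stand-in for a real cipher (a production vault would use AES-GCM or XChaCha20-Poly1305).

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256 (illustration only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with no integrity protection at all."""
    return bytes(d ^ k for d, k in zip(data, _keystream(key, nonce, len(data))))


def encrypt_etm(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any edit is detected."""
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_etm(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext integrity check failed")
    return xor_crypt(enc_key, nonce, ct)


def server_tamper(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Malicious server: without the key, flip exactly the bits that turn a known
    plaintext substring at `offset` into the attacker's choice. This works on any
    malleable stream or CTR ciphertext; a trailing tag, if present, is left untouched."""
    assert len(known) == len(wanted)
    buf = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        buf[offset + i] ^= k ^ w
    return bytes(buf)


# Constructed sample keys, nonce and vault item (not real data).
ENC_KEY = hashlib.sha256(b"demo-enc-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()
NONCE = b"\x00" * 12
ITEM = b"url=https://bank.example.com; user=alice"


def demo_unauthenticated() -> bytes:
    """What the client decrypts after the server rewrote 'bank' to 'evil' in the ciphertext."""
    ct = xor_crypt(ENC_KEY, NONCE, ITEM)
    tampered = server_tamper(ct, ITEM.index(b"bank"), b"bank", b"evil")
    return xor_crypt(ENC_KEY, NONCE, tampered)


def demo_authenticated() -> str:
    """The same edit against the encrypt-then-MAC blob: the client rejects it."""
    blob = encrypt_etm(ENC_KEY, MAC_KEY, NONCE, ITEM)
    tampered = server_tamper(blob, ITEM.index(b"bank"), b"bank", b"evil")
    try:
        decrypt_etm(ENC_KEY, MAC_KEY, NONCE, tampered)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print(demo_unauthenticated())  # the login URL now points at evil.example.com
    print(demo_authenticated())    # rejected
```

The attacker never learns the key; it only needs to know the layout of the record, which for a password manager item (a fixed JSON schema with a URL field) is public. The tag must be verified before any decrypted byte is used, and it must be bound to the item's identity and nonce as shown, otherwise a server can still swap whole ciphertexts between items or accounts.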

Windows 11 Patch KB5077181 Triggers Infinite Restart on Some Devices
technology · 10 days ago

Microsoft's February 10, 2026 security update KB5077181 for Windows 11 versions 24H2 and 25H2 appears to trigger boot loops on some devices, forcing repeated restarts. The update patches 58 vulnerabilities (including six zero-days) and ships new Secure Boot certificates to improve boot integrity, but users also report login failures with System Event Notification Service errors, lost DHCP connectivity, and install errors 0x800f0983 and 0x800f0991. Current guidance is to uninstall the update via Control Panel or the Windows Recovery Environment and then run an SFC scan; enterprises should stage it through WSUS and monitor device health. Microsoft has not publicly acknowledged the issues.

CISA warns four enterprise flaws actively exploited across Versa, Zimbra, Vite, and Prettier
cybersecurity · 1 month ago

CISA has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2025-31125 in the Vite development server (file exposure), CVE-2025-34026 in Versa Concerto SD-WAN (Traefik misconfiguration), CVE-2025-68645 in the Zimbra Webmail Classic UI (local file inclusion), and CVE-2025-54313, the supply-chain compromise of the eslint-config-prettier npm package tied to Prettier. Patches or mitigations exist for the affected products; US federal agencies must apply them or stop using the products by February 12, 2026. Whether any of the flaws is used in ransomware campaigns is unknown.
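An added example covering this KEV update and the March 10 one above, not code from CISA or from either article: the practical step after each catalog addition is to cross-reference the feed against your own software inventory and surface the remediation deadline. The JSON below is a constructed excerpt in the same field layout as the public feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), populated with the CVEs and due dates from the two CISA items on this page; the vendor and product strings are illustrative and not copied from the catalog. The inventory and the "today" date are assumptions for the run.

```python
import json
from datetime import date
from typing import Dict, List, Tuple

# Live feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# Constructed excerpt in the feed's layout (CVE ids and due dates from the two CISA
# items on this page; vendor/product strings are illustrative).
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2026-2441", "vendorProject": "Google", "product": "Chromium",
         "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-7694", "vendorProject": "TeamT5", "product": "ThreatSonar Anti-Ransomware",
         "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2020-7796", "vendorProject": "Zimbra", "product": "Collaboration Suite (ZCS)",
         "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2008-0015", "vendorProject": "Microsoft", "product": "Windows",
         "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-31125", "vendorProject": "Vite", "product": "Vite",
         "dueDate": "2026-02-12", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-34026", "vendorProject": "Versa", "product": "Concerto",
         "dueDate": "2026-02-12", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-68645", "vendorProject": "Zimbra", "product": "Collaboration Suite (ZCS)",
         "dueDate": "2026-02-12", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-54313", "vendorProject": "Prettier", "product": "eslint-config-prettier",
         "dueDate": "2026-02-12", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def kev_triage(kev_text: str, inventory: List[Tuple[str, str]], today: date) -> List[Dict]:
    """Return catalog entries whose vendor/product appear in `inventory`, annotated with
    deadline status. Vendor matching is case-insensitive and exact; product matching is a
    case-insensitive substring so 'Collaboration Suite' matches 'Collaboration Suite (ZCS)'."""
    wanted = [(v.lower(), p.lower()) for v, p in inventory]
    rows = []
    for entry in json.loads(kev_text)["vulnerabilities"]:
        vendor, product = entry["vendorProject"].lower(), entry["product"].lower()
        if not any(vendor == v and p in product for v, p in wanted):
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cveID": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": entry["dueDate"],
            "daysLeft": (due - today).days,
            "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    # Most urgent first: earliest deadline, then CVE id for a stable order.
    rows.sort(key=lambda r: (r["dueDate"], r["cveID"]))
    return rows


if __name__ == "__main__":
    # Assumed inventory: a fleet running Chrome and a Zimbra mail server.
    inventory = [("Google", "Chromium"), ("Zimbra", "Collaboration Suite")]
    for row in kev_triage(SAMPLE_KEV, inventory, date(2026, 2, 20)):
        status = "OVERDUE" if row["overdue"] else f'{row["daysLeft"]}d left'
        print(f'{row["cveID"]:15} {row["product"]:35} due {row["dueDate"]}  {status}  ransomware={row["ransomware"]}')
```

In production, fetch the live feed on a schedule, replace the inventory tuples with the output of your asset system, and alert on any row where `overdue` is true or `daysLeft` drops below your internal SLA; the `knownRansomwareCampaignUse` field is worth a separate, higher-severity alert when it reads "Known".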

WhisperPair Flaws Threaten Hundreds of Millions of Bluetooth Audio Devices
technology · 1 month ago

Researchers have revealed WhisperPair, a set of security flaws in Google's Fast Pair Bluetooth protocol that affect 17 audio devices from 10 brands. The vulnerabilities allow attackers within Bluetooth range to silently pair with devices, hijack audio streams, eavesdrop via microphones, or track users through Google's Find Hub, potentially even if the target uses an iPhone. Patches exist, but installation can be inconsistent, and researchers note bypasses to Google's patches; they advocate a cryptographic fix to enforce owner authentication for pairings to address the root issue.

Urgent: Update Your Devices Now to Fix Critical Security Flaws
technology · 2 months ago

The U.S. government has issued urgent warnings for iPhone and Android users to update their devices immediately due to active attacks exploiting multiple vulnerabilities, including WebKit and Chromium flaws, driven by commercial spyware. Deadlines for federal agencies to update are set between December 23 and January 5, emphasizing the critical need for all users to apply updates to prevent exploitation.

Google Patches 107 Android Flaws, Including Two Zero-Days
technology · 2 months ago

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a mandatory update warning for Android devices due to two critical vulnerabilities that could allow remote denial of service attacks. Google and Samsung have confirmed fixes, with a deadline of December 23 for federal users and a recommended update for all others. The vulnerabilities, particularly affecting Samsung devices, involve remote memory access issues, emphasizing the need for timely updates to mitigate risks.