All articles tagged with #vulnerabilities
Researchers found 1,575 vulnerabilities across 10 Android mental-health apps with more than 14.7 million total installs, including insecure URI handling, local data exposure, hardcoded API endpoints, and weak token generation, potentially exposing therapy transcripts and other sensitive data; it's unclear if the issues have been fixed.
CISA added four flaws to the Known Exploited Vulnerabilities catalog due to active exploitation: CVE-2026-2441 (Chrome use-after-free), CVE-2024-7694 (TeamT5 ThreatSonar Anti-Ransomware arbitrary file upload leading to command execution), CVE-2020-7796 (Zimbra Collaboration Server SSRF), and CVE-2008-0015 (Windows Video ActiveX buffer overflow). Google confirms an in-the-wild exploit for CVE-2026-2441; GreyNoise documents about 400 IPs exploiting CVE-2020-7796 across several countries; the CVE-2008-0015 exploit can download additional malware like Dogkild and alter system files/hosts. The TeamT5 exploitation vector remains unclear. Federal agencies are urged to patch by March 10, 2026.
Researchers from ETH Zurich and USI Lugano analyzed Bitwarden, Dashlane, and LastPass and uncovered multiple attack vectors that can enable a compromised or malicious server to read or even modify vaults, especially when account-recovery, group enrollment, key escrow, or backward-compatibility features are enabled. Some attacks could allow theft of entire vaults or selective item data, and even breach older encryption configurations. While vendors defend their security audits and ongoing patching, the study argues that the term “zero-knowledge” can be misleading and urges stronger threat models and resilience measures across password managers.
Swiss researchers disclosed 27 attack scenarios across Bitwarden, LastPass, Dashlane and 1Password that could let attackers view or modify vaults, challenging the science of end-to-end encryption and exploiting issues in onboarding, key escrow, and item-level encryption. A notable attack demonstrated is ‘malicious auto-enrolment’ against Bitwarden, which could allow a server-controlled attacker to hijack a vault during organization onboarding. Vendors are patching (Bitwarden, LastPass, Dashlane) while 1Password defends its SRP-based design. The paper recommends stronger authentication, key separation and ciphertext integrity. Users should check remediation status with providers and ask for audits.)
Microsoft's February 10, 2026 security update KB5077181 for Windows 11 versions 24H2 and 25H2 appears to trigger boot loops on affected devices, forcing multiple restarts; while it patches 58 vulnerabilities (including six zero-days) and ships new Secure Boot certificates to improve boot integrity, users report login failures with System Event Notification Service errors, DHCP connectivity losses, and install errors such as 0x800f0983/0x800f0991, prompting uninstall guidance via Control Panel or Windows Recovery Environment and a suggested SFC scan; enterprises should test via WSUS and monitor health while Microsoft has not publicly acknowledged the issues.
CISA has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2025-31125 and CVE-2025-34026 affecting Versa software (including the Concerto SD-WAN) via dev-exposure and Traefik misconfig, CVE-2025-68645 in Zimbra Webmail Classic UI (local file inclusion), and a supply-chain issue in eslint-config-prettier (CVE-2025-54313) tied to Prettier. Patches or mitigations exist for affected products; US federal agencies must apply updates or stop using the products by February 12, 2026. The status of ransomware-related exploitation remains unknown.
Researchers have revealed WhisperPair, a set of security flaws in Google's Fast Pair Bluetooth protocol that affect 17 audio devices from 10 brands. The vulnerabilities allow attackers within Bluetooth range to silently pair with devices, hijack audio streams, eavesdrop via microphones, or track users through Google's Find Hub, potentially even if the target uses an iPhone. Patches exist, but installation can be inconsistent, and researchers note bypasses to Google's patches; they advocate a cryptographic fix to enforce owner authentication for pairings to address the root issue.
The U.S. government has issued urgent warnings for iPhone and Android users to update their devices immediately due to active attacks exploiting multiple vulnerabilities, including WebKit and Chromium flaws, driven by commercial spyware. Deadlines for federal agencies to update are set between December 23 and January 5, emphasizing the critical need for all users to apply updates to prevent exploitation.
Executions in the U.S. nearly doubled in 2025, with Florida conducting a record number of executions, driven by political support and federal policies, despite declining public support for the death penalty overall.
A researcher exploited vulnerabilities in Kindle e-readers to hijack Amazon accounts via malicious ebooks, highlighting security risks associated with side-loading books from third-party sources. Amazon has fixed these critical flaws following disclosure, emphasizing the importance of device security and cautious downloading practices.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a mandatory update warning for Android devices due to two critical vulnerabilities that could allow remote denial of service attacks. Google and Samsung have confirmed fixes, with a deadline of December 23 for federal users and a recommended update for all others. The vulnerabilities, particularly affecting Samsung devices, involve remote memory access issues, emphasizing the need for timely updates to mitigate risks.
Google's December 2025 Android Security Bulletin reveals numerous severe vulnerabilities affecting Android 13 and later, including critical flaws in the Android Framework and system level, which will be addressed in device-specific updates starting December 5, 2025. Users are advised to update their devices to stay protected.
Microsoft's November 2025 Patch Tuesday addresses 63 vulnerabilities across its ecosystem, including one zero-day actively exploited in the wild, emphasizing the urgent need for immediate patch deployment to mitigate risks from critical flaws in Windows, Office, Azure, and other products.
Apple released iOS 26.1 and iPadOS 26.1, which include about 50 security updates addressing various vulnerabilities such as privilege escalation, privacy issues, and system stability bugs. Users are encouraged to update their devices to enhance security and fix critical bugs.
AI browsers like ChatGPT Atlas and Edge's Copilot Mode are transforming web navigation but pose significant cybersecurity risks, including vulnerabilities that could lead to data leaks, malicious code injection, and malware deployment, as researchers warn that these issues are just beginning to surface.