NVD
As NVD flatlines, cybersecurity professionals call for urgent action
Consortium plans “doomed” as rumours swirl over vulnerability database program borkage.
VPN
PAN-OS vuln mitigation howler: “Disabling telemetry” no help
POCs for CVSS 10 bug are out of the bag, tens of thousands are exposed, and telemetry mitigation didn't work.
VPN
Palo Alto Networks: CVSS 10 bug in Pan-OS is being exploited in the wild
Patch? You'll need to wait until Sunday. Turn off telemetry (no, really; it's a mitigation!) and go to the pub. OK, maybe don't.
xz-utils
xz-utils Github repository disabled as Linux maintainers assess blast radius of backdoor, earlier commits
Incident suggests a state actor exploiting overstretched maintainer of an "unpaid hobby project"
Ubuntu
Password-leaking Ubuntu bug sat silent for 11 years
A newly-discovered Linux bug could allow for password leaks. Worse yet, it has sat undiscovered in the OS for the last 11 years
Fortinet
Fortinet warns on critical SQL Injection bug after NCSC disclosure
More pre-auth RCE bugs in Fortinet appliances? Colour us shocked!
Cybersecurity
CI/CD platform TeamCity exposed to critical pre-auth RCE bug, amid disclosure spat
JetBrains' platform "a suitable vector to position an attacker to perform a supply chain attack" if compromised warns Rapid7.
ConnectWise
Leaked LockBit malware deployed in ScreenConnect attacks – 600+ IPs seen attacking 8,200 instances
"The executable in question was built using the LockBit 3 ransomware builder tool leaked in 2022, so this particular sample may not have originated with the actual LockBit developers"
vulnerabilities
CVSS 10 ConnectWise vulnerability “extremely trivial to reverse and exploit” as POC lands, attacks start
"There might be active exploitation attempts across common AWS IP space"
Patch Tuesday
February’s Patch Tuesday brings exploited zero days, Exchange Server headaches
As a major Exchange Service update lands, Redmond admits "it is possible that some functionality may break after installing CU14..."
Ivanti
Ivanti 0day fest continues with fresh bugs, attacks, as CISA tells federal agencies "just disconnect"
"Threat actors have recently developed workarounds to current mitigations and detection methods and have been able to exploit weaknesses, move laterally, and escalate privileges without detection..."
vulnerabilities
Exploit released for fresh Fortra GoAnywhere bug: CVSS 9.8 and again, nasty. Patch up.
A 10-line exploit is now widely available. Unpatched instances *will* come under attack.