News reader
ClickFix: the evolution of a new-generation social engineering attack
PXA Stealer: advanced global data-stealing campaign threatens users
LegalPwn: new attack method endangers the security of AI systems
Serious vulnerabilities found in NVIDIA Triton Inference Server
The ApolloShadow espionage campaign
The PlayPraetor trojan has infected more than 11,000 devices
Mozilla warning: Firefox extension developers in the crosshairs
Link wrapping services used to obtain Microsoft 365 data
VU#317469: Partner Software/Partner Web does not sanitize Report files and Note content, allowing for XSS and RCE
Partner Software and Partner Web, both products of their namesake company, Partner Software, fail to sanitize report and note content, allowing for XSS attacks. Partner Software is a subdivision of N. Harris Computer Corporation and a field application development company, with products intended for use by industry, municipalities, state government, and private contractors. An authorized user of the Partner Software or Partner Web application can upload "Reports" when viewing a job. The file upload feature does not restrict which files can be uploaded or their extensions, allowing an attacker with valid credentials to perform XSS attacks and execute malicious code on the device. The Partner Web product also ships with the same default administrator username and password across versions. An attacker with access to the Partner Web application could abuse these vulnerabilities to achieve arbitrary code execution on the hosting device.
Description
Partner Software's products Partner Software and Partner Web are used by various municipalities, state governments, and private contractors for field application work. These products include support for various GIS-related uses, map viewers, and other support tools. Both products contain various fields for uploading content for analysis by field workers. An authenticated user with access to the Partner Web application could achieve RCE by chaining the vulnerabilities below.
CVE-2025-6076: Partner Software's corresponding Partner Web application does not sanitize files uploaded on the Reports tab, allowing an authenticated attacker to upload a malicious file that is then stored on the victim server.
CVE-2025-6077: All versions of Partner Software's corresponding Partner Web application use the same default username and password for the administrator account.
CVE-2025-6078: Partner Software/Partner Web allows an authenticated user to add text on the Notes page within the Job view but does not completely sanitize that input. Notes may contain HTML tags and JavaScript, so an attacker can add a note containing malicious JavaScript that runs in the browser of every user who views the job, a stored cross-site scripting (XSS) vulnerability.
Impact
An attacker using these vulnerabilities can either gain administrator access through the shared default credentials or perform stored XSS against other users, compromising the device.
Solution
Partner Software has provided a patch for the affected product in version 4.32.2. The default Admin and Edit users are removed in the 4.32.2 patch, and the Notes section now restricts and sanitizes input to simple text only. File attachments are now limited to .csv, .jpg, .png, .txt, .doc, and .pdf files, and the application no longer reads those files, only displays them. The affected versions of Partner Web are 4.32 and earlier. After upgrading, verify that no administrator account still uses the shipped default password. Patch information is available here: https://partnersoftware.com/resources/software-release-info-4-32/
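The kind of validation the 4.32.2 patch describes, written here as an added Go example; it is not Partner Software's code, and the function names, the magic-byte table and the sample inputs are this example's own assumptions. It keeps only the allowlisted extensions, checks that the uploaded bytes match the claimed format, serves stored files as downloads rather than rendering them, and escapes note text so that HTML typed into a note is displayed literally instead of interpreted:

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"html"
	"path/filepath"
	"strings"
)

// Extension allowlist as described for the 4.32.2 release.
var allowedExt = map[string]bool{
	".csv": true, ".jpg": true, ".png": true, ".txt": true, ".doc": true, ".pdf": true,
}

// Leading bytes expected for the binary formats on the allowlist (assumed table).
// The text formats (.csv, .txt) are checked separately for binary or HTML content.
var magic = map[string][][]byte{
	".jpg": {{0xFF, 0xD8, 0xFF}},
	".png": {{0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}},
	".pdf": {[]byte("%PDF-")},
	".doc": {{0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1}}, // OLE2 compound document
}

var (
	ErrBadExtension  = errors.New("extension not in allowlist")
	ErrMagicMismatch = errors.New("file content does not match its extension")
	ErrActiveText    = errors.New("text attachment contains binary or HTML content")
)

// ValidateReport accepts a Reports upload only if the extension is allowlisted and
// the content actually looks like that format, so "report.html", or an HTML file
// renamed to .png, is rejected before it can be stored on the server.
func ValidateReport(filename string, content []byte) error {
	ext := strings.ToLower(filepath.Ext(filepath.Base(filename)))
	if !allowedExt[ext] {
		return fmt.Errorf("%w: %q", ErrBadExtension, ext)
	}
	if sigs, ok := magic[ext]; ok {
		for _, sig := range sigs {
			if bytes.HasPrefix(content, sig) {
				return nil
			}
		}
		return fmt.Errorf("%w: %s", ErrMagicMismatch, ext)
	}
	// .csv and .txt: refuse NUL bytes and obvious markup; the download headers
	// below are the real defence, this check just keeps junk out of storage.
	lower := bytes.ToLower(content)
	if bytes.IndexByte(content, 0) >= 0 || bytes.Contains(lower, []byte("<script")) || bytes.Contains(lower, []byte("<html")) {
		return ErrActiveText
	}
	return nil
}

// AttachmentHeaders makes the browser download a stored file instead of rendering
// it: with nosniff and an octet-stream type, even HTML that slipped through the
// content check cannot execute in the application's origin. storedName is assumed
// to be a server-generated name, never the client-supplied filename.
func AttachmentHeaders(storedName string) map[string]string {
	return map[string]string{
		"Content-Type":           "application/octet-stream",
		"Content-Disposition":    fmt.Sprintf("attachment; filename=%q", storedName),
		"X-Content-Type-Options": "nosniff",
	}
}

// SanitizeNote reduces a Job note to plain text by escaping HTML metacharacters,
// so a note such as <img src=x onerror=...> is shown literally, not executed.
func SanitizeNote(note string) string {
	return html.EscapeString(note)
}

func main() {
	// Constructed inputs for the demo.
	fmt.Println(ValidateReport("report.html", []byte("<script>alert(1)</script>")))
	fmt.Println(ValidateReport("evil.png", []byte("<script>alert(1)</script>")))
	fmt.Println(ValidateReport("photo.png", []byte("\x89PNG\r\n\x1a\n...")))
	fmt.Println(SanitizeNote(`<img src=x onerror="alert(document.cookie)">`))
	fmt.Println(AttachmentHeaders("report-1234.pdf")["Content-Disposition"])
}
```

The extension check alone would still let an HTML payload through under a .png name, which is why the content check and the download-only headers are both applied: together they remove the two conditions a stored XSS through uploads needs, storage of active content and rendering of it in the application's origin.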
Acknowledgements
Thanks to the reporter, Ryan Pohlner (Cybersecurity and Infrastructure Security Agency), for the report and to Partner Software for coordination efforts. This document was written by Christopher Cullen.
Microsoft Edge as an "AI-based browser"
Decryptor released for the FunkSec ransomware
Lenovo users beware! Vulnerable firmware
AI can carry out a cyberattack even without human intervention
Outdated systems and passwords left unchanged for years led to the Aeroflot breach
VU#554637: TP-Link Archer C50 router is vulnerable to configuration-file decryption
The TP-Link Archer C50 router, which has reached End-of-Life (EOL), contains a hardcoded encryption key in its firmware, enabling decryption of its encrypted configuration files. An attacker who obtains a configuration backup (exporting one requires authentication to the device) can trivially recover administrative credentials, Wi-Fi passwords, and other internal settings offline.
Description
A vulnerability exists in the TP-Link Archer C50 router's firmware: exported configuration files are protected using DES in ECB (Electronic Codebook) mode with a hardcoded static key. The embedded DES key is never randomized or derived per device, so the same key decrypts the backup of every unit.
CVE-2025-6982: The TP-Link Archer C50 router contains hardcoded DES decryption keys, which makes its configuration files vulnerable to decryption.
The encryption lacks randomness (there is no IV, and ECB mode maps equal plaintext blocks to equal ciphertext blocks, so structure is visible even before decryption) and message authentication (nothing detects a modified backup), allowing trivial offline decryption of sensitive data.
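To make the description concrete, here is an added Go example using the standard library's crypto/des. It is not TP-Link's code, and the key, the sample configuration and the file layout are assumptions made for the demo (the advisory does not publish the real key). It reproduces a backup encrypted with DES-ECB under a static key, recovers it offline, counts the repeated ciphertext blocks that give ECB away, and shows that a tampered file still decrypts because nothing authenticates it:

```go
package main

import (
	"bytes"
	"crypto/des"
	"errors"
	"fmt"
)

// Placeholder for the static key baked into the firmware. The real key is not
// part of the advisory; this 8-byte value is an assumption for the demo only.
var hardcodedKey = []byte("C50-demo")

// SampleConfig is a constructed backup, not a real Archer C50 export. The run of
// "A"s stands in for a fixed-width field padded with a filler byte, the kind of
// layout that makes ECB leak structure.
var SampleConfig = []byte("admin_pw=Secret!1\nwifi_psk=hunter2\nssid=HomeLAN\n" +
	"AAAAAAAAAAAAAAAAAAAAAAAA")

func pkcs7Pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// desECB runs the block cipher on each 8-byte block independently: no IV, no
// chaining, no authentication tag. This is the construction the advisory describes.
func desECB(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%des.BlockSize != 0 {
		return nil, errors.New("input not block aligned")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += des.BlockSize {
		if decrypt {
			block.Decrypt(out[i:i+des.BlockSize], in[i:i+des.BlockSize])
		} else {
			block.Encrypt(out[i:i+des.BlockSize], in[i:i+des.BlockSize])
		}
	}
	return out, nil
}

// EncryptConfig models the router producing a backup file.
func EncryptConfig(plain []byte) ([]byte, error) {
	return desECB(hardcodedKey, pkcs7Pad(plain), false)
}

// DecryptConfig is the offline attack: whoever holds a backup file and the key
// pulled from the firmware image recovers the plaintext without the router.
func DecryptConfig(blob []byte) ([]byte, error) {
	p, err := desECB(hardcodedKey, blob, true)
	if err != nil {
		return nil, err
	}
	return pkcs7Unpad(p)
}

// RepeatedBlocks counts ciphertext blocks that occur more than once. Under ECB,
// equal plaintext blocks give equal ciphertext blocks, so a non-zero count is a
// quick way to recognise the mode in an unknown backup before decrypting it.
func RepeatedBlocks(blob []byte) int {
	seen := map[string]int{}
	for i := 0; i+des.BlockSize <= len(blob); i += des.BlockSize {
		seen[string(blob[i:i+des.BlockSize])]++
	}
	dup := 0
	for _, c := range seen {
		if c > 1 {
			dup += c - 1
		}
	}
	return dup
}

// Tamper flips one bit in block idx. With no MAC, the modified file still
// decrypts and would be accepted by a restore; only that block is garbled.
func Tamper(blob []byte, idx int) []byte {
	out := append([]byte{}, blob...)
	out[idx*des.BlockSize] ^= 0x01
	return out
}

func main() {
	blob, _ := EncryptConfig(SampleConfig)
	fmt.Printf("backup: %d bytes, %d repeated blocks (ECB tell-tale)\n", len(blob), RepeatedBlocks(blob))
	plain, _ := DecryptConfig(blob)
	fmt.Printf("offline decryption:\n%s\n", plain)
	garbled, err := DecryptConfig(Tamper(blob, 0))
	fmt.Printf("tampered file decrypts without error: %v, first block now %q\n", err == nil, garbled[:8])
}
```

The fix the example implies is the one an EOL device will never get: a key derived per device (or wrapped under a user-supplied passphrase) and an authenticated mode such as AES-GCM, so that a leaked backup is useless without a secret the attacker does not hold and a modified one is rejected on restore.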
Impact
Exploitation of this vulnerability may result in exposure of sensitive configuration data:
- Admin credentials
- Wireless network SSIDs and passwords
- Static IPs, DHCP settings, and DNS server details
- Internal network structure
- Connected device roles and topology
Characteristics of the attack:
- Pre-positioning for further attacks
- Works on default firmware configurations
- Does not require the router to be actively running, since the exported file is decrypted offline
Primary impact: full access to the router configuration, leading to potential compromise of the connected network.
Solution
The CERT/CC is currently unaware of a practical solution to this problem. Note: the TP-Link Archer C50 has reached End-of-Life (EOL) and no longer receives firmware updates or security support from the vendor.
Users are strongly advised to:
- Retire and replace the Archer C50 with a supported router model
- Avoid using devices with known cryptographic flaws
- Secure or delete any exported configuration files
- Change passwords if configuration files were exposed or restored from backup
Acknowledgements
Thanks to the reporter Jai Bhortake from CoE - CNDS Lab, VJTI, Mumbai, India. This document was written by Timur Snoke.
The sophisticated Koske Linux malware was developed with AI assistance
More than 200,000 WordPress sites vulnerable due to a Post SMTP flaw
VU#335798: SysTrack LsiAgent.exe contains an improper DLL search order, allowing an attacker to execute arbitrary code and escalate privileges
Lakeside Software, an IT digital employee experience platform vendor, offers a product called SysTrack, intended for endpoint observability. This program uses an executable called LsiAgent.exe, which attempts to load various Dynamic Link Library (DLL) files when run. The program does not properly restrict where it loads DLL files from, allowing an attacker to place a malicious DLL in a directory listed in the System PATH variable on the victim device. When LsiAgent.exe runs, it loads the malicious code, resulting in code execution and privilege escalation, as LsiAgent.exe runs in the NT AUTHORITY\SYSTEM context. A patch has been provided by Lakeside Software, and the vulnerability is fixed in version 10.10.0.42 and higher.
Description
Lakeside Software, an IT digital employee experience company, offers a product called Systems Management Agent (SysTrack) that is intended for endpoint health and performance monitoring. The product contains various programs and executables that are installed on a device. One of these programs is LsiAgent.exe, which runs in the context of NT AUTHORITY\SYSTEM. Additionally, LsiAgent.exe runs on startup with default installation settings. A vulnerability has been discovered, tracked as CVE-2025-6241, which allows an attacker to achieve elevated code execution by placing a malicious DLL in a directory listed in the System PATH environment variable, or by bundling the LsiAgent.exe program alongside a malicious DLL. The bundled DLL is executed when the victim runs the supposedly safe LsiAgent.exe program.
System PATH entries are typically added by other programs installed during normal use of a machine, and such directories are not always restricted to administrators. When LsiAgent.exe is executed, it iterates through the directories in the System PATH environment variable searching for a DLL named wfapi.dll, which SysTrack uses to determine whether the system is running in a virtualized Citrix environment. During this iteration LsiAgent.exe loads and runs the first file named wfapi.dll that it encounters. Therefore, an attacker only needs to place a malicious DLL named wfapi.dll in one of the PATH directories that is searched before the legitimate copy (or in any PATH directory, if the legitimate library is absent) to achieve code execution.
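An added Go example, not Lakeside Software's code, that models the search the advisory describes: given a PATH, which directory's wfapi.dll the loader would take, which writable entries an attacker could plant a copy in ahead of the legitimate one, and the fixed behaviour of resolving only against a single trusted directory. The writability probe and the file-stat model are this example's assumptions; on Windows the equivalent audit reads each directory's ACL, and the real fix is loading by full path or with LOAD_LIBRARY_SEARCH_SYSTEM32 rather than through PATH.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// DllName is the library LsiAgent.exe resolved through the System PATH, per the advisory.
const DllName = "wfapi.dll"

var ErrNotInTrustedDir = errors.New("library not present in the trusted directory")

// SplitPath breaks a PATH value into its directory entries, dropping empty ones.
func SplitPath(pathEnv string) []string {
	var dirs []string
	for _, d := range filepath.SplitList(pathEnv) {
		if d = strings.TrimSpace(d); d != "" {
			dirs = append(dirs, d)
		}
	}
	return dirs
}

// FirstInPath models the loader's PATH fallback: directories are tried in order
// and the first one holding a file called name wins. That is the whole bug: a
// copy planted in an earlier, user-writable directory shadows the real library.
func FirstInPath(dirs []string, name string) (dir string, found bool) {
	for _, d := range dirs {
		if st, err := os.Stat(filepath.Join(d, name)); err == nil && !st.IsDir() {
			return d, true
		}
	}
	return "", false
}

// Writable checks whether the current user can create a file in dir, the
// precondition for planting a DLL. A Windows audit would read the ACL instead;
// creating and removing a probe file is the portable approximation used here.
func Writable(dir string) bool {
	f, err := os.CreateTemp(dir, ".probe-*")
	if err != nil {
		return false
	}
	name := f.Name()
	f.Close()
	os.Remove(name)
	return true
}

// HijackCandidates lists PATH directories that are writable and searched before
// the one holding the real library. If the library is absent from PATH entirely,
// every writable entry qualifies, because any planted copy will be loaded.
func HijackCandidates(dirs []string, name string) []string {
	var out []string
	for _, d := range dirs {
		if _, err := os.Stat(filepath.Join(d, name)); err == nil {
			break
		}
		if Writable(d) {
			out = append(out, d)
		}
	}
	return out
}

// PlantFile drops a placeholder that stands in for a planted DLL in the demo.
func PlantFile(dir, name string) error {
	return os.WriteFile(filepath.Join(dir, name), []byte("placeholder, not a DLL"), 0o644)
}

// SafeResolve is the fixed behaviour: the library is accepted only from one
// explicit trusted directory (on Windows, System32 via LoadLibraryEx with
// LOAD_LIBRARY_SEARCH_SYSTEM32, or a full path); PATH is never consulted.
func SafeResolve(trustedDir, name string) (string, error) {
	p := filepath.Join(trustedDir, name)
	if st, err := os.Stat(p); err != nil || st.IsDir() {
		return "", ErrNotInTrustedDir
	}
	return p, nil
}

func main() {
	dirs := SplitPath(os.Getenv("PATH"))
	if d, ok := FirstInPath(dirs, DllName); ok {
		fmt.Printf("loader would take %s from %s\n", DllName, d)
	} else {
		fmt.Printf("%s not found on PATH; any planted copy would be loaded\n", DllName)
	}
	for _, d := range HijackCandidates(dirs, DllName) {
		fmt.Println("writable PATH entry searched before the real library:", d)
	}
}
```

Run as the low-privileged user whose PATH the SYSTEM service inherits: every directory HijackCandidates prints is one where that user could drop wfapi.dll and have it loaded as NT AUTHORITY\SYSTEM by the unpatched agent.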
Impact
An attacker with the ability to place a file in any directory listed in the System PATH environment variable on a victim machine can achieve arbitrary code execution and privilege escalation, as LsiAgent.exe runs in the NT AUTHORITY\SYSTEM context. Furthermore, LsiAgent.exe is a signed program, so operations carried out by the loaded DLL appear to be performed by a legitimate program, heightening the potential impact.
Solution
A patch has been provided by Lakeside Software to fix the affected LsiAgent.exe program. The vulnerable version, 10.05.0027, is fixed in versions 10.10.0.42 and higher of LsiAgent.exe. The release notes for the fixed version are available here: https://documentation.lakesidesoftware.com/en/Content/Release%20Notes/Agent/10_10_0%20Hotfix%20Agent%20Release%20Notes%20On%20Premises.htm?tocpath=Release%20Notes%7CAgent%7C_____13
Acknowledgements
Thanks to the reporter Owen Sortwell and contributors Adam Merrill and Brian Healy of Sandia National Laboratories. This document was written by Christopher Cullen.
ExpressVPN users beware! A bug leaked IP addresses!
Admin rights obtainable on HPE Instant On devices through hardcoded credentials
