sigmoid.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
#vulnerability

BobDaHacker<p>Found critical vulns in Lovense (the biggest sex toy company) affecting 11M+ users. They ignored researchers for 2+ years, then fixed in 2 days after public exposure. 🤦</p><p>What I found:<br>- Email disclosure via XMPP (username→email)<br>- Auth bypass (email→account takeover, no password)</p><p>History of ignoring researchers:<br>- 2022: Someone else reports XMPP email leak, ignored<br>- Sept 2023: Krissy reports account takeover + different email leak via HTTP API, paid only $350<br>- 2024: Another person reports XMPP email leak AND Account Takeover vuln, offered 2 free sex toys (accepted for the meme)<br>- March 2025: I report account takeover + XMPP email leak, paid $3000 (after pushing for critical)<br>- Told me fix for email vuln needs 14 months because "legacy support" &gt; user security (had 1-month fix ready)<br>- July 28: I go public<br>- July 30: Both fixed in 48 hours</p><p>Same bugs, different treatment. They lied to journalists saying it was fixed in June, tried to get me banned from HackerOne after giving permission to disclose.</p><p>News covered it but my blog has the full technical details:<br><a href="https://bobdahacker.com/blog/lovense-still-leaking-user-emails/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bobdahacker.com/blog/lovense-s</span><span class="invisible">till-leaking-user-emails/</span></a></p><p><a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/BugBounty" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BugBounty</span></a> <a href="https://infosec.exchange/tags/ResponsibleDisclosure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ResponsibleDisclosure</span></a> <a href="https://infosec.exchange/tags/Security" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>Security</span></a> <a href="https://infosec.exchange/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vulnerability</span></a> <a href="https://infosec.exchange/tags/IoT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IoT</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
BeyondMachines :verified:<p>Vulnerability in SonicWall Gen7 firewalls enables remote Denial-of-Service attacks</p><p>SonicWall disclosed CVE-2025-40600, a format string vulnerability in the SSL VPN interface of Gen7 firewall products that allows remote unauthenticated attackers to cause denial-of-service attacks through memory corruption.</p><p>**If you have SonicWall Gen7 firewalls, check the advisory and your OS versions. If they are vulnerable, plan an update to SonicOS version 7.3.0-7012 or higher. The main risk is attackers crashing your system and making your VPN useless. If you can't update right away, disable the SSL-VPN interface, since it won't be of much use if attackers are crashing it.**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/vulnerability-in-sonicwall-gen7-firewalls-enables-remote-denial-of-service-attacks-7-8-8-0-s/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/vulnerability-in-sonicwall-gen7-firewalls-enables-remote-denial-of-service-attacks-7-8-8-0-s/gD2P6Ple2L</span></a></p>
PrivacyDigest<p><a href="https://mas.to/tags/Journalist" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Journalist</span></a> Discovers <a href="https://mas.to/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Google</span></a> <a href="https://mas.to/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vulnerability</span></a> That Allowed People to Disappear Specific Pages From <a href="https://mas.to/tags/Search" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Search</span></a> <a href="https://www.404media.co/journalist-discovers-google-vulnerability-that-allowed-people-to-disappear-specific-pages-from-search/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">404media.co/journalist-discove</span><span class="invisible">rs-google-vulnerability-that-allowed-people-to-disappear-specific-pages-from-search/</span></a></p>
BeyondMachines :verified:<p>Google releases one more urgent Chrome update</p><p>Google released an emergency Chrome security update to patch CVE-2025-8292, a use-after-free vulnerability in the Media Stream component that could allow attackers to execute arbitrary code on systems using video conferencing and screen sharing applications.</p><p>**This one is not urgent, but it is important. Nobody releases an update for just one flaw until there is something very important about that flaw. Update your Chrome and Chromium based browsers (Opera, Brave, Vivaldi, Edge...). It's very probable that this flaw will soon be reported as exploited. Patching is super easy, all your tabs reopen.**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/google-releases-one-more-urgent-chrome-update-s-2-o-e-w/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/google-releases-one-more-urgent-chrome-update-s-2-o-e-w/gD2P6Ple2L</span></a></p>
gcve.eu<p>In the scope of GCVE and <span class="h-card" translate="no"><a href="https://social.circl.lu/@circl" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>circl</span></a></span> we couldn't find a practical, publicly available, and accessible document that outlines best practices for vulnerability handling and disclosure.</p><p>So we created a new one, released under an open-source license, to which everyone can freely contribute.</p><p>PDF: <a href="https://gcve.eu/bcp/gcve-bcp-02/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">gcve.eu/bcp/gcve-bcp-02/</span><span class="invisible"></span></a><br>HTML: <a href="https://gcve.eu/bcp/gcve-bcp-02/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">gcve.eu/bcp/gcve-bcp-02/</span><span class="invisible"></span></a><br>Contributing: <a href="https://github.com/gcve-eu/gcve.eu/blob/main/content/bcp/gcve-bcp-02.md" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/gcve-eu/gcve.eu/blo</span><span class="invisible">b/main/content/bcp/gcve-bcp-02.md</span></a></p><p><a href="https://social.circl.lu/tags/cve" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cve</span></a> <a href="https://social.circl.lu/tags/gcve" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>gcve</span></a> <a href="https://social.circl.lu/tags/vulnerabilitymanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilitymanagement</span></a> <a href="https://social.circl.lu/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://social.circl.lu/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a 
href="https://social.circl.lu/tags/cvd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cvd</span></a></p>
BeyondMachines :verified:<p>Gemini CLI vulnerability enables silent code execution via prompt injection</p><p>Cybersecurity firm Tracebit discovered a critical vulnerability in Google's Gemini CLI tool that allows attackers to silently execute arbitrary malicious commands on developers' systems through prompt injection and inadequate command validation.</p><p>**If you're using Google's Gemini CLI tool, immediately upgrade to version 0.1.14 or later. When using any AI development tools, always run them in sandboxed environments and avoid using them on untrusted code repositories. Ideally, don't rush into using AI development tools which have access to live systems (even your own laptop). The AI tooling is not mature, and is very prone to being exploited.**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/gemini-cli-vulnerability-enables-silent-code-execution-via-prompt-injection-c-5-5-i-k/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/gemini-cli-vulnerability-enables-silent-code-execution-via-prompt-injection-c-5-5-i-k/gD2P6Ple2L</span></a></p>
BeyondMachines :verified:<p>Apple releases security updates patching 95 vulnerabilities across all products</p><p>Apple released security updates addressing 95 vulnerabilities across all major operating systems (iOS, iPadOS, macOS, watchOS, tvOS, and visionOS), including critical remote code execution flaws, privilege escalation issues, sandbox escapes, and memory corruption vulnerabilities that could allow attackers to gain root privileges or cause system termination.</p><p>**If you have any Apple devices (iPhone, iPad, Mac, Apple Watch, Apple TV, or Vision Pro), time to update them. There's a huge pack of patches and critical flaws that will be exploited. Don't delay.**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/apple-relesases-security-updates-patching-95-vulnerabilities-across-all-products-p-2-9-s-9/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/apple-relesases-security-updates-patching-95-vulnerabilities-across-all-products-p-2-9-s-9/gD2P6Ple2L</span></a></p>
BeyondMachines :verified:<p>Email disclosure and account takeover flaws reported in Lovense connected sex toy platform</p><p>Security researchers discovered two critical vulnerabilities in Lovense's connected platform that allow attackers to extract users' private email addresses from usernames and completely take over accounts without passwords by exploiting hardcoded application credentials and flawed XMPP chat system architecture.</p><p>**We don't have good advice on this flaw. It's a cloud-based service and the flaw exposed users. It seems that it hasn't been exploited. The best we can advise is not to trust too much in connected devices and platforms. Anything can and eventually will be hacked.**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/email-disclosure-and-account-takeover-flaws-reported-in-lovense-connected-sex-toy-platform-x-y-w-a-j/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/email-disclosure-and-account-takeover-flaws-reported-in-lovense-connected-sex-toy-platform-x-y-w-a-j/gD2P6Ple2L</span></a></p>
BeyondMachines :verified:<p>Critical authentication bypass flaw reported in AI coding platform Base44</p><p>Wiz Research disclosed a critical authentication bypass vulnerability in Base44, an AI-powered coding platform with over 20,000 users, that allowed attackers to access private enterprise applications by exploiting misconfigured API endpoints with easily discoverable app IDs visible in URLs and manifest files.</p><p>**You can't do much about the flaw, it's already patched. If your organization uses Base44 for applications, review them for any suspicious user registrations or unusual access patterns. If you are developing applications, NEVER code undocumented endpoints and API interfaces, especially without proper authentication. Security by obscurity doesn't work.**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/critical-authentication-bypass-flaw-reported-in-ai-coding-platform-base44-2-9-7-s-n/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/critical-authentication-bypass-flaw-reported-in-ai-coding-platform-base44-2-9-7-s-n/gD2P6Ple2L</span></a></p>
BeyondMachines :verified:<p>Critical command injection flaw reported in CodeIgniter4 ImageMagick handler</p><p>CodeIgniter4 patched a critical command injection vulnerability (CVE-2025-54418) in its ImageMagick image processing handler that allows unauthenticated attackers to execute arbitrary system commands through malicious file uploads with crafted filenames or text processing operations.</p><p>**If you're running CodeIgniter4 applications that process images, update to version 4.6.2. If you can't update right away, switch from ImageMagick to the GD image handler, use CodeIgniter's getRandomName() method for file uploads, and sanitize input with regular expressions to eliminate dangerous characters.**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/critical-command-injection-flaw-reported-in-codeigniter4-imagemagick-handler-z-q-u-m-7/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/critical-command-injection-flaw-reported-in-codeigniter4-imagemagick-handler-z-q-u-m-7/gD2P6Ple2L</span></a></p>
Bill<p>Cool new list of the new JavaScript greatest hits. Don't know the players without the program!</p><p><a href="https://thehackernews.com/2025/07/why-react-didnt-kill-xss-new-javascript.html?m=1" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">thehackernews.com/2025/07/why-</span><span class="invisible">react-didnt-kill-xss-new-javascript.html?m=1</span></a></p><p><a href="https://infosec.exchange/tags/javascript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>javascript</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a></p>
BeyondMachines :verified:<p>Critical vulnerabilities reported in HT Contact Form Widget</p><p>Three critical vulnerabilities in the HT Contact Form Widget WordPress plugin expose sites to unauthenticated site takeover through arbitrary file upload, deletion, and movement capabilities that can lead to remote code execution. The vulnerabilities were patched in version 2.2.2 released July 13, 2025, just five days after being reported to the developer.</p><p>**If you use the HT Contact Form Widget on your WordPress site, immediately update to version 2.2.2 or later. Updating these plugins is trivial, don't delay because hackers will find the unpatched versions.**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/critical-vulnerabilities-reported-in-ht-contact-form-widget-for-elementor-gutenberg-blocks-form-builder-6-0-i-3-2/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/critical-vulnerabilities-reported-in-ht-contact-form-widget-for-elementor-gutenberg-blocks-form-builder-6-0-i-3-2/gD2P6Ple2L</span></a></p>
BeyondMachines :verified:<p>Account takeover flaw reported in widely used Post SMTP Plugin</p><p>A high severity vulnerability (CVE-2025-24000) in the Post SMTP WordPress plugin exposes websites to takeover via broken access control that allows any logged-in user to view email logs and hijack administrator accounts via password reset emails.</p><p>**If you use the Post SMTP WordPress plugin, immediately update to version 3.3.0 or newer. Any logged-in user can hijack admin accounts. There is no workaround to this and updating the plugin is easy, so don't delay.**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/account-takeover-flaw-reported-in-widely-used-post-smtp-plugin-4-x-7-a-o/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/account-takeover-flaw-reported-in-widely-used-post-smtp-plugin-4-x-7-a-o/gD2P6Ple2L</span></a></p>
Marcus "MajorLinux" Summers<p>Microsoft actually helped Apple plug a macOS vulnerability.</p><p>macOS Spotlight Vulnerability Discovered by Microsoft </p><p><a href="https://www.macrumors.com/2025/07/28/microsoft-macos-spotlight-vulnerability/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">macrumors.com/2025/07/28/micro</span><span class="invisible">soft-macos-spotlight-vulnerability/</span></a></p><p><a href="https://toot.majorshouse.com/tags/macOS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>macOS</span></a> <a href="https://toot.majorshouse.com/tags/Spotlight" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spotlight</span></a> <a href="https://toot.majorshouse.com/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vulnerability</span></a> <a href="https://toot.majorshouse.com/tags/Microsoft" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microsoft</span></a> <a href="https://toot.majorshouse.com/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://toot.majorshouse.com/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://toot.majorshouse.com/tags/Tech" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Tech</span></a></p>
BeyondMachines :verified:<p>Indian Organ Retrieval Banking Organisation exposes organ donor information</p><p>The Organ Retrieval Banking Organisation (ORBO) website, managed by AIIMS New Delhi, exposed sensitive information of nationwide organ donors through a website vulnerability discovered in mid-May 2025, allowing unauthorized access to comprehensive personal data including medical profiles, identity documents, and contact details.</p><p><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/incident" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>incident</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/indian-organ-retrieval-banking-organisation-exposes-organ-donor-information-g-t-h-y-7/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/indian-organ-retrieval-banking-organisation-exposes-organ-donor-information-g-t-h-y-7/gD2P6Ple2L</span></a></p>
BeyondMachines :verified:<p>Multiple vulnerabilities reported in Tridium Niagara Framework</p><p>Researchers discovered 10 critical vulnerabilities (CVE-2025-3936 through CVE-2025-3945) in Tridium's widely-deployed Niagara Framework, an IoT middleware platform connecting HVAC, lighting, and security systems. The vulnerabilities can be chained together to enable complete system compromise, allowing adjacent attackers to intercept tokens, hijack administrator sessions, and execute arbitrary code with root privileges.</p><p>**If you use Tridium Niagara Framework systems (common in HVAC, lighting, and building automation), check to confirm that the system is isolated from the internet and accessible only from trusted networks. Then plan an update to the latest patched versions. Also check for proper encrypted communication between Tridium Niagara and all other components to prevent interception of sensitive data.**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/multiple-vulnerabilities-reported-in-tridium-niagara-framework-u-w-q-s-0/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/multiple-vulnerabilities-reported-in-tridium-niagara-framework-u-w-q-s-0/gD2P6Ple2L</span></a></p>
PrivacyDigest<p>Do not DL the app, use the <a href="https://mas.to/tags/website" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>website</span></a></p><p>Beyond the Hype: The Real Reasons Companies Want You on Their App</p><p>The answer, in short, is data. A lot of it. And access. A whole lot more of that too.</p><p>What can a website on your <a href="https://mas.to/tags/browser" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>browser</span></a> really get from you? Unless you manually upload your contact info, or there's a serious <a href="https://mas.to/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mas.to/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a>, a website's access to your phone's deeper functions is quite limited.</p><p>Apps, on the other hand, are a different beast entirely.<br><a href="https://mas.to/tags/privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>privacy</span></a></p><p><a href="https://idiallo.com/blog/dont-download-apps" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">idiallo.com/blog/dont-download</span><span class="invisible">-apps</span></a></p>
BeyondMachines :verified:<p>Multiple flaws reported in Honeywell Experion PKS, at least one critical</p><p>Honeywell disclosed multiple vulnerabilities in its Experion Process Knowledge System (PKS) distributed control system, including a critical integer underflow flaw (CVE-2025-2523) that enables remote code execution, affecting industrial process management systems running releases prior to R520.2 TCU9 Hot Fix 1 or R530 TCU3 Hot Fix 1.</p><p>**If you have Honeywell Experion PKS industrial control systems, first make sure they are isolated from the internet and accessible from trusted networks. Then plan an update to R520.2 TCU9 Hot Fix 1 or R530 TCU3 Hot Fix 1 (depending on your version).**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/multiple-flaws-reported-in-honeywell-experion-pks-at-least-one-critical-s-h-k-j-d/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/multiple-flaws-reported-in-honeywell-experion-pks-at-least-one-critical-s-h-k-j-d/gD2P6Ple2L</span></a></p>
BeyondMachines :verified:<p>Authentication bypass vulnerability reported in Network Thermostat Smart Building Systems</p><p>Network Thermostat disclosed a critical vulnerability (CVE-2025-6260) in its X-Series WiFi thermostats that allows unauthenticated attackers to gain complete administrative access to building climate control systems through missing authentication in the embedded web server.</p><p>**If you have Network Thermostat X-Series WiFi devices, make sure they are isolated from the internet. Then check if the devices have already auto-updated to the latest versions (v4.6+, v9.46+, v10.29+, or v11.5+ depending on your current version). If they are not updated, contact support@networkthermostat.com for manual update instructions.**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/authentication-bypass-vulnerability-reported-in-network-thermostat-smart-building-systems-i-f-1-r-x/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/authentication-bypass-vulnerability-reported-in-network-thermostat-smart-building-systems-i-f-1-r-x/gD2P6Ple2L</span></a></p>
BeyondMachines :verified:<p>Multiple vulnerabilities reported in Weidmueller Industrial Routers</p><p>Weidmueller reports multiple vulnerabilities in its IE-SR-2TX series industrial security routers, including two critical-severity flaws (CVE-2025-41663 and CVE-2025-41687) that enable unauthenticated remote attackers to execute arbitrary commands with root privileges through OS command injection and buffer overflow attacks.</p><p>**If you have Weidmueller IE-SR-2TX industrial routers, make sure they are isolated from the internet and accessible from trusted networks only. Then plan an update to the latest firmware versions (V1.49 or V1.62 depending on your model).**<br><a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/advisory" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>advisory</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a><br><a href="https://beyondmachines.net/event_details/multiple-vulnerabilities-reported-in-weidmueller-industrial-routers-n-r-3-e-r/gD2P6Ple2L" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">beyondmachines.net/event_detai</span><span class="invisible">ls/multiple-vulnerabilities-reported-in-weidmueller-industrial-routers-n-r-3-e-r/gD2P6Ple2L</span></a></p>