News reader

Fake billing phishing emails sent in the name of Microsoft Teams

Tech.cert-hungary.hu - Wed, 01/28/2026 - 15:04
Cybersecurity experts at Check Point Research have identified a new phishing campaign aimed at obtaining sensitive data, such as bank card information or passwords. According to a Check Point Harmony Email Security report, the attackers have so far sent out more than 12,866 phishing emails, which reached approximately 6,135 users.

A WhatsApp bug allows malicious media files to spread in group chats

Tech.cert-hungary.hu - Wed, 01/28/2026 - 14:23
WhatsApp has found itself in an increasingly difficult position lately; according to many users, this has been the case ever since Meta acquired it. The app, once used as a trusted default messenger, is now used by many only out of necessity, since most of their contacts are still reachable on this platform. Privacy-sensitive users still regard WhatsApp as the widely […]

Actively exploited zero-day vulnerability affecting FortiCloud SSO

Tech.cert-hungary.hu - Wed, 01/28/2026 - 13:33
Fortinet has warned of a new, critical-severity, actively exploited vulnerability that affects FortiCloud's single sign-on (SSO) mechanism.

Quishing: cybercriminals attack with eye-catching QR codes

Tech.cert-hungary.hu - Tue, 01/27/2026 - 12:54
Cybercriminals are increasingly using visually modified QR codes to spread phishing links, warns Help Net Security. QR code phishing (quishing) is already hard to detect on its own, because QR codes do not show the destination URL in advance and are practically unreadable to the human eye, so users cannot see which website the code directs them to. The perpetrators now […]

New malware service spreading through browser extensions

Tech.cert-hungary.hu - Tue, 01/27/2026 - 12:48
A newly identified malware-as-a-service (MaaS) offering, Stanley, poses a serious risk to the browser extension ecosystem.

SharePoint exploited in a phishing campaign targeting the energy industry

Tech.cert-hungary.hu - Tue, 01/27/2026 - 11:03
According to a Microsoft warning, cybercriminals are abusing SharePoint in a new phishing campaign to distribute payloads, specifically targeting organizations in the energy sector.

The CrashFix attack campaign targets corporate systems

Tech.cert-hungary.hu - Tue, 01/27/2026 - 06:37
According to a recent Huntress Labs report, a new, sophisticated attack campaign, CrashFix, is an evolved variant of ClickFix attacks that specifically affects corporate systems as well as home users.

1Password gets a new layer of protection for detecting phishing attacks

Tech.cert-hungary.hu - Mon, 01/26/2026 - 14:38
1Password is a subscription-based password manager that has introduced built-in protection against phishing URLs in order to help users identify malicious websites and prevent unauthorized acquisition of account credentials.

Cyberattack risks in the digital ecosystem of the 2026 Winter Olympics

Tech.cert-hungary.hu - Fri, 01/23/2026 - 08:45
Global sporting events, such as the 2026 Milan–Cortina Winter Olympics, cause a significant increase in network traffic, require the introduction of new systems, and create short-term collaborations.

Attackers exploit Zendesk ticketing systems

Tech.cert-hungary.hu - Thu, 01/22/2026 - 14:51
A significant, worldwide spam campaign is under way in which attackers exploit improperly configured Zendesk customer support systems to send out huge volumes of unsolicited email.

AI-assisted social engineering: a new era in the world of cyberattacks

Tech.cert-hungary.hu - Thu, 01/22/2026 - 14:41
The emergence of generative artificial intelligence (GenAI) has significantly transformed how cyberattacks are carried out and has brought new types of threats. According to the World Economic Forum (WEF) 2026 report, 47% of organizations highlighted the rapid advance of attackers' technical capabilities as the most worrying consequence of GenAI. Among the techniques involved, increasingly widespread are automated phishing attacks, the targeted, generated […]

New Android malware uses AI to click on hidden ads

Tech.cert-hungary.hu - Thu, 01/22/2026 - 14:38
A new family of Android click-fraud trojans has appeared that uses TensorFlow machine learning models to automatically recognize and interact with specific advertising elements.

Severe vulnerability in the Modular DS WordPress plugin

Tech.cert-hungary.hu - Wed, 01/21/2026 - 11:25
A critical vulnerability discovered in the Modular DS WordPress plugin allows unauthenticated attackers to gain administrator access, and it is already being actively exploited.

EU prepares cybersecurity reform against high-risk suppliers

Tech.cert-hungary.hu - Wed, 01/21/2026 - 09:24
The European Commission proposes introducing new cybersecurity legislation that would make the removal of high-risk suppliers mandatory in order to secure telecommunications networks.

PDFSider malware in attacks targeting the financial sector

Tech.cert-hungary.hu - Wed, 01/21/2026 - 07:47
During a ransomware campaign affecting a Fortune 100 company operating in the financial sector, the attackers used new Windows-based malware identified as PDFSider.

VU#481830: libheif Uncompressed Codec Lacks Bounds Check Leading to Application Crash

US-CERT.gov - Tue, 01/20/2026 - 20:56
Overview

An out-of-bounds memory access vulnerability exists in the uncompressed decoder component of libheif. A maliciously crafted HEIF image can trigger a denial-of-service condition by causing the libheif library to crash or exhibit other unexpected behavior due to an out-of-bounds memory access.

Description

libheif is an open-source library used for decoding and encoding modern image formats, including HEIF (High Efficiency Image File Format) and AVIF (AV1 Image File Format). These formats provide high compression efficiency and are widely used across mobile devices and online platforms.

libheif contains an out-of-bounds iterator access vulnerability in its uncompressed codec. The issue occurs when the decoder processes certain metadata structures within a HEIF file. Specifically, the decoder fails to adequately validate values read from an internal metadata box before performing iterator arithmetic on the underlying data buffer.

As a result, a malformed HEIF file can cause the decoder to read past the end of the input buffer and incorrectly interpret unrelated memory as valid metadata. This invalid memory access may lead to a segmentation fault during image decoding.

CVE-2025-65586 tracks this bounds-checking flaw in libheif’s uncompressed codec, which allows a maliciously crafted HEIF file to trigger an out-of-bounds read, resulting in a segmentation fault and denial of service when the file is parsed. The vulnerability was introduced in commit 6190b58f (October 3, 2024). Versions v1.19.0 through 1.21.1 are affected by this vulnerability. Versions v1.17.6 and earlier are not affected. The issue was reported to the libheif project and was fixed in commit f4d9157 (November 5, 2025), which was then merged into release 1.21.0 at the end of 2025.

Impact

An attacker can exploit this vulnerability by supplying a maliciously crafted HEIF image, causing applications that use libheif to crash. Based on current analysis, exploitation is limited to denial-of-service conditions.

Potential impacts include:

  • Unexpected termination of applications that decode HEIF images
  • Crashes in systems that automatically generate previews or thumbnails
  • Disruption of services that process untrusted HEIF content (e.g., browsers, email clients, photo management tools)

There is no evidence at this time that this vulnerability can be used to achieve memory disclosure or arbitrary code execution.

Discovery

The vulnerability was discovered through coverage-guided fuzzing using AddressSanitizer-instrumented builds of libheif. The issue was reproducible across standard Linux development environments.

Solution

Software vendors and developers using the libheif library are strongly encouraged to update to version 1.21.0 or later, which includes the fix for this vulnerability. End users should apply available software updates to ensure they are running a version of libheif that addresses this issue.

Acknowledgements

Thanks to the reporter Maor Caplan for identifying the vulnerability and to Dirk Farin for implementing the fix. This document was written by Timur Snoke.

Categories: Security news

VU#102648: Code Injection Vulnerability in binary-parser library

US-CERT.gov - Tue, 01/20/2026 - 19:51
Overview

The binary-parser library for Node.js contains a code injection vulnerability that may allow arbitrary JavaScript code execution if untrusted input is used to construct parser definitions. Versions prior to 2.3.0 are affected. The issue has been resolved by the developer in a public update.

Description

binary-parser is a JavaScript library to facilitate writing "efficient binary parsers in a simple and declarative manner." binary-parser (versions < 2.3.0) dynamically generates JavaScript code at runtime using the Function constructor. Certain user-supplied values—specifically, parser field names and encoding parameters—are incorporated into this generated code without validation or sanitization.

If an application passes untrusted or externally supplied data into these parameters, the unsanitized values can alter the generated code, enabling execution of attacker-controlled JavaScript. Applications that use only static, hardcoded parser definitions are not affected.

The vendor has released a fix and clarified the library’s design limitations in version 2.3.0.

Impact

In affected applications that construct parser definitions using untrusted input, an attacker may be able to execute arbitrary JavaScript code with the privileges of the Node.js process. This could allow access to local data, manipulation of application logic, or execution of system commands depending on the deployment environment.

Solution

Users of the binary-parser library should upgrade to version 2.3.0 or later, where the vendor has implemented input validation and mitigations for unsafe code generation. Developers should avoid passing untrusted or user-controlled values into parser field names or encoding parameters.
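The check the Solution paragraph asks for, as an added example that is not part of the advisory and not binary-parser's code: `compileReader` is a hypothetical toy generator that mimics the described pattern (field names pasted into code built with the Function constructor), and `validateFieldSpec` is one way to screen untrusted field names and encodings first. The encoding allowlist and the 64-field limit are assumptions.

```javascript
// Added example: NOT binary-parser's source. All names here are hypothetical.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const ALLOWED_ENCODINGS = new Set(["utf8", "ascii", "latin1", "hex"]); // assumed allowlist
const RESERVED = new Set(["__proto__", "constructor", "prototype"]);

// Validate an externally supplied field list before it reaches any code generator.
function validateFieldSpec(fields) {
  if (!Array.isArray(fields) || fields.length === 0 || fields.length > 64) {
    throw new TypeError("field list must be a non-empty array of at most 64 entries");
  }
  const seen = new Set();
  for (const f of fields) {
    if (typeof f !== "object" || f === null) throw new TypeError("field must be an object");
    if (typeof f.name !== "string" || !IDENTIFIER.test(f.name) || RESERVED.has(f.name)) {
      throw new TypeError("rejected field name: " + JSON.stringify(f.name));
    }
    if (seen.has(f.name)) throw new TypeError("duplicate field name: " + f.name);
    seen.add(f.name);
    if (f.encoding !== undefined && !ALLOWED_ENCODINGS.has(f.encoding)) {
      throw new TypeError("rejected encoding: " + JSON.stringify(f.encoding));
    }
  }
  return fields;
}

// Toy generator: reads one byte per field. With validate=false the names are
// interpolated into the generated source unchecked, which is the unsafe pattern.
function compileReader(fields, { validate = true } = {}) {
  if (validate) validateFieldSpec(fields);
  const body = fields.map((f) => `vars.${f.name} = buf[offset++];`).join("\n");
  return new Function("buf", `let offset = 0; const vars = {};\n${body}\nreturn vars;`);
}

// Constructed inputs: a "name" that carries an extra statement, and a benign spec.
const HOSTILE = [{ name: "a = 0; vars.injected = true; vars.b" }];
const BENIGN = [{ name: "version" }, { name: "flags" }];

function demo() {
  const buf = Uint8Array.from([7, 9]);
  // Unvalidated: the generated function contains a statement the caller never wrote.
  const unsafe = compileReader(HOSTILE, { validate: false })(buf);
  // Validated: the same spec is refused before any code is generated.
  let rejected = false;
  try {
    compileReader(HOSTILE);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { unsafe, rejected, benign: compileReader(BENIGN)(buf) };
}
```

Validation of this kind belongs at the boundary where the definition arrives from outside the application, in addition to upgrading to 2.3.0 or later.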

Acknowledgements

Thanks to the reporter Maor Caplan for identifying the vulnerability and to Keichi Takahashi for implementing the fix. This document was written by Timur Snoke.

Categories: Security news

VU#458022: Open5GS WebUI uses hard-coded secrets including JSON Web Token signing key

US-CERT.gov - Tue, 01/20/2026 - 18:41
Overview

The Open5GS WebUI component contains default hardcoded secrets used for security-sensitive operations, including JSON Web Token (JWT) signing. If these defaults are not changed, an attacker can forge valid authentication tokens and gain administrative access to the WebUI. This can result in unauthorized access to protected management endpoints.

Description

Open5GS is an open-source implementation of 5G core network functions. It includes an optional WebUI component implemented using Node.js and Next.js for managing configuration and subscriber data. The WebUI relies on multiple secret values provided via Node.js process.env environment variables. These include secrets used for cryptographic operations such as signing and validating JSON Web Tokens (JWTs). By default, these environment variables are initialized to the static value change-me, including the JWT signing secret. JWTs are commonly used to implement authentication and authorization, as well as to securely transmit claims such as user roles and permissions.

In the Open5GS WebUI, these tokens are issued and validated using the default hardcoded secret unless the operator explicitly overrides it in the executing environment. The WebUI, on startup, does not emit warnings or enforce changes to these default secrets. As a result, deployments that do not manually override the defaults will operate with predictable and publicly known cryptographic keys. An attacker with network access to the WebUI can exploit this condition to forge valid administrative JWTs.

While the WebUI includes Cross-Site Request Forgery (CSRF) protections, these controls are ineffective against requests authenticated with valid forged JWTs. The WebUI is commonly deployed in containerized environments and may be assumed to be locally exposed; however, misconfigurations or local access assumptions can still place the interface at risk.

Impact

An unauthenticated network attacker with access to the WebUI component can generate forged JWTs using the known default secret. With these tokens, the attacker can access or modify protected REST endpoints under /api/db/*. This vulnerability allows unauthorized read and write access to sensitive data, including subscriber information and system configuration. CSRF protections do not mitigate this attack, as the forged tokens satisfy authentication requirements. Successful exploitation may result in full access to the WebUI component and all of its permissions.

Solution

For Developers

A patch addressing this issue is available in the following pull request: https://github.com/open5gs/open5gs/pull/4279 against the version v2.7.6 released in July 2025. The patch introduces the use of a self-contained .env file for the WebUI’s Next.js environment and removes reliance on hardcoded default secret values. This ensures that each WebUI deployment generates and uses independent, locally scoped cryptographic secrets, reducing the risk of token forgery and key reuse across instances.

Developers integrating or redistributing the WebUI component are encouraged to evaluate, validate and adopt the changes within their own environments prior to deployment.

For Users

Users who are unable to apply the patch should manually configure their Node.js environment to define strong, cryptographically secure random values for the following environment variables:

  • process.env.SECRET_KEY
  • process.env.JWT_SECRET_KEY

These values should preferably be unique per deployment and treated as sensitive secrets. Additionally, operators are advised to restrict access to the WebUI by placing it behind appropriate network controls, such as authentication gateways or secure content inspection proxies, to limit exposure from untrusted networks.
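A startup guard of the kind the advisory says the WebUI lacks, as an added example that is not Open5GS code: it refuses to start while either variable is unset or still holds the published default. The variable names and the `change-me` default come from the advisory; the 32-character floor, the distinct-character check and the rule that the two secrets differ are assumptions.

```javascript
// Added example: not part of Open5GS. Function names are hypothetical.
const REQUIRED = ["SECRET_KEY", "JWT_SECRET_KEY"]; // names from the advisory
const KNOWN_DEFAULTS = new Set(["change-me"]);      // default named in the advisory
const MIN_LENGTH = 32;          // assumed floor, e.g. output of `openssl rand -hex 32`
const MIN_DISTINCT_CHARS = 8;   // assumed heuristic against values like "aaaa...a"

// Return a list of human-readable problems; an empty list means the env passes.
function auditSecrets(env) {
  const problems = [];
  for (const name of REQUIRED) {
    const value = env[name];
    if (typeof value !== "string" || value.length === 0) {
      problems.push(`${name}: not set`);
      continue;
    }
    if (KNOWN_DEFAULTS.has(value.trim().toLowerCase())) {
      problems.push(`${name}: still the published default`);
      continue;
    }
    if (value.length < MIN_LENGTH) {
      problems.push(`${name}: shorter than ${MIN_LENGTH} characters`);
    }
    if (new Set(value).size < MIN_DISTINCT_CHARS) {
      problems.push(`${name}: too few distinct characters`);
    }
  }
  // Assumption: one leaked secret should not expose the other.
  if (env.SECRET_KEY && env.SECRET_KEY === env.JWT_SECRET_KEY) {
    problems.push("SECRET_KEY and JWT_SECRET_KEY must differ");
  }
  return problems;
}

// Call before the HTTP listener is created, e.g. enforceSecrets(process.env).
function enforceSecrets(env) {
  const problems = auditSecrets(env);
  if (problems.length > 0) {
    throw new Error("refusing to start WebUI:\n  " + problems.join("\n  "));
  }
  return true;
}

// Constructed sample environments (the hex strings are made-up values).
const ENV_DEFAULTS = { SECRET_KEY: "change-me", JWT_SECRET_KEY: "change-me" };
const ENV_WEAK = {
  SECRET_KEY: "abc123",
  JWT_SECRET_KEY: "b7e4120c9da35f68e1c07a4b92d6f385",
};
const ENV_GOOD = {
  SECRET_KEY: "3f9a1c7e5b2d8064a1f3c5e7b9d2046f",
  JWT_SECRET_KEY: "b7e4120c9da35f68e1c07a4b92d6f385",
};
```

Running the same `auditSecrets` over container or orchestration manifests in CI catches a deployment that ships the default before it is reachable on the network.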

Acknowledgements

Thanks to the reporter Andrew Fasano from NIST's Center for AI Standards & Innovation. This document was written by Laurie Tyzenhaus. The software patch was written by Vijay Sarvepalli.

Categories: Security news

VU#271649: Stack-based buffer overflow in libtasn1 versions v4.20.0 and earlier

US-CERT.gov - Tue, 01/20/2026 - 17:27
Overview

A stack-based buffer overflow vulnerability exists in GNU libtasn1, a low-level ASN.1 parsing library. The issue is caused by unsafe string concatenation in the asn1_expand_octet_string function located in decoding.c. Under worst-case conditions, this results in a one-byte stack overflow that may corrupt adjacent memory. While the overflow is limited to a single byte, such conditions can still lead to unexpected behavior when processing untrusted ASN.1 input data.

Description

GNU libtasn1 is a low-level C library for manipulating Abstract Syntax Notation One (ASN.1) data structures and encoding rules, including Distinguished Encoding Rules (DER). It implements functionality defined by ITU-T Recommendations X.680 and X.690 and is widely used as a foundational component in cryptographic software stacks to parse and validate complex ASN.1-encoded data.

A stack-based buffer overflow has been identified in the function asn1_expand_octet_string in the file decoding.c. The vulnerability arises from the use of unbounded string manipulation functions (strcpy and strcat) to construct a local stack buffer (name) using the fields definitions->name and p2->name. In the worst-case scenario, both source strings may be at their maximum allowed length. When concatenated together with an additional separator character (".") and a terminating null byte, the destination buffer is undersized by one byte. As a result, the final null terminator written by strcat overflows the allocated stack buffer by a single byte.

Although the overflow is limited in size, it occurs during the parsing of potentially untrusted ASN.1 input. One-byte stack overflows have historically led to subtle memory corruption issues and may cause unexpected behavior, including crashes, during cryptographic operations such as signature verification or certificate parsing.

Impact

An attacker could trigger the buffer overflow using malformed ASN.1 data to potentially corrupt memory or cause unexpected behavior. This requires breaking libtasn1’s assumption that ASN.1 structures passed to it are already validated by the main application using this library. The impact of this vulnerability is limited due to the one-byte nature of the overflow. Exploitation is constrained and may be further mitigated by modern compiler protections such as stack canaries, _FORTIFY_SOURCE, and other hardening mechanisms. However, as GNU libtasn1 is commonly used in cryptographic libraries and security-sensitive contexts, malformed ASN.1 input triggering this condition could result in parsing failures or abnormal behavior during critical cryptographic operations, including signature verification and cryptographic data validation.

Solution

A patch addressing this issue has been proposed to the GNU libtasn1 project and is available for review and testing at: https://gitlab.com/gnutls/libtasn1/-/merge_requests/121. Developers and integrators are encouraged to evaluate the patch and apply appropriate mitigations, such as using bounded string operations or safer formatting functions, to eliminate the overflow condition in affected versions. See https://gitlab.com/gnutls/libtasn1/-/blob/master/NEWS.md for updates.

Acknowledgements

Thanks to Benny Zelster from Microsoft Research for coordinating the disclosure of this vulnerability. This document was written by Vijay Sarvepalli.

Categories: Security news

VU#818729: Safetica contains a kernel driver vulnerability

US-CERT.gov - Tue, 01/20/2026 - 14:35
Overview

Kernel driver ProcessMonitorDriver.sys in Safetica's endpoint client x64, versions 10.5.75.0 and 11.11.4.0, allows for an unprivileged user to abuse an IOCTL path and terminate protected system processes.

Description

Safetica is a Data Loss Prevention (DLP) and Insider Risk Management (IRM) software solution that helps organizations protect their data via detecting, analyzing, and mitigating threats. Safetica's platform is AI-powered and is used by public and private organizations, globally.

A vulnerability has been discovered in Safetica’s ProcessMonitorDriver.sys kernel driver. A local, unprivileged user can abuse a vulnerable IOCTL (Input/Output Control) path in the kernel driver to cause privileged termination of arbitrary system processes. IOCTL interfaces allow user-mode software to send commands into the kernel space so that the driver can perform specific privileged actions such as terminating processes. Terminating Safetica's processes in endpoint detection and response and antivirus software can blind their clients' security monitoring on their machines. Because of improper input sanitization and user validation mechanisms, the kernel driver can be manipulated into privilege escalation and DoS (denial of service).

Impact

A threat actor can leverage this vulnerability and could use the IOCTL path to terminate processes repeatedly. This could lead to a DOS attack and render Safetica's systems unavailable.

Solution

At the time of publication, no vendor-supported fix is available for the vulnerability affecting Safetica DLP kernel driver ProcessMonitorDriver.sys, which allows unprivileged users to abuse exposed IOCTL handlers to terminate arbitrary processes. Until an official patch or guidance is provided by the vendor, the following mitigations are recommended:

  1. Monitor and Detect Abuse of IOCTL Calls Targeting the Driver: Safetica's client organizations should actively monitor for suspicious or abnormal IOCTL handler requests. To detect this activity, clients should deploy kernel driver monitoring solutions like Endpoint Detection and Response or System Monitor-like telemetry (where supported). This will 1) identify unprivileged processes, 2) detect unusual IOCTL patterns, and 3) alert security teams when user-mode processes interact with the kernel driver.

  2. Restrict or Block Access to the Vulnerable Driver via Policy Controls: To restrict access to ProcessMonitorDriver.sys, Safetica's client organizations should use Windows Group Policy or Application Control policies (WDAC [https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-policy/group-policy-overview] /AppLocker [https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker]). This will prevent untrusted or non-administrative processes from loading or interacting with the driver, through policy-based enforcement mechanisms. These enforcement mechanisms can block untrusted or unsigned binaries from communicating with the kernel driver.

Acknowledgements

Thanks to the reporter, KOSEC LLC. This document was written by Ayushi Kriplani.

Categories: Security news
