BackBox.org offers a range of Penetration Testing services to simulate an attack on your network or application. If you are interested in our services, please contact us and we will provide you with further information as well as an initial consultation.
Ivanti, Fortinet, Splunk Release Security Updates
/in General NewsIvanti, Fortinet, and Splunk have released patches for critical- and high-severity vulnerabilities in their products.
The post Ivanti, Fortinet, Splunk Release Security Updates appeared first on SecurityWeek.
SecurityWeek – Read More
Alleged Chinese State Hacker Wanted by US Arrested in Italy
/in General NewsXu Zewei has been arrested on charges that he is a member of the Chinese state-sponsored hacking group Hafnium (Silk Typhoon).
The post Alleged Chinese State Hacker Wanted by US Arrested in Italy appeared first on SecurityWeek.
SecurityWeek – Read More
Hugging Face just launched a $299 robot that could disrupt the entire robotics industry
/in General NewsHugging Face launches Reachy Mini, a $299 open-source desktop robot that democratizes AI development for millions of builders worldwide.Read More
Security News | VentureBeat – Read More
US Announces Arresting Chinese Hacker Linked to HAFNIUM Group
/in General NewsA Chinese state-sponsored hacker, Xu Zewei, 33, has been arrested for his alleged role in the widespread HAFNIUM cyber attacks and theft of COVID-19 research. Learn about the charges and China’s Ministry of State Security involvement.
Hackread – Latest Cybersecurity, Hacking News, Tech, AI & Crypto – Read More
How passkeys work: The complete guide to your inevitable passwordless future
/in General NewsWhy are passkeys so much safer than passwords? And how exactly does this sorcery work? We go behind the scenes of this still-evolving authentication process.
Latest stories for ZDNET in Security – Read More
Microsoft Patch Tuesday, July 2025 Edition
/in General NewsMicrosoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users.
While not listed as critical, CVE-2025-49719 is a publicly disclosed information disclosure vulnerability, with all versions as far back as SQL Server 2016 receiving patches. Microsoft rates CVE-2025-49719 as less likely to be exploited, but the availability of proof-of-concept code for this flaw means its patch should probably be a priority for affected enterprises.
Mike Walters, co-founder of Action1, said CVE-2025-49719 can be exploited without authentication, and that many third-party applications depend on SQL server and the affected drivers — potentially introducing a supply-chain risk that extends beyond direct SQL Server users.
“The potential exposure of sensitive information makes this a high-priority concern for organizations handling valuable or regulated data,” Walters said. “The comprehensive nature of the affected versions, spanning multiple SQL Server releases from 2016 through 2022, indicates a fundamental issue in how SQL Server handles memory management and input validation.”
Adam Barnett at Rapid7 notes that today is the end of the road for SQL Server 2012, meaning there will be no future security patches even for critical vulnerabilities, even if you’re willing to pay Microsoft for the privilege.
Barnett also called attention to CVE-2025-47981, a vulnerability with a CVSS score of 9.8 (10 being the worst), a remote code execution bug in the way Windows servers and clients negotiate to discover mutually supported authentication mechanisms. This pre-authentication vulnerability affects any Windows client machine running Windows 10 1607 or above, and all current versions of Windows Server. Microsoft considers it more likely that attackers will exploit this flaw.
Microsoft also patched at least four critical, remote code execution flaws in Office (CVE-2025-49695, CVE-2025-49696, CVE-2025-49697, CVE-2025-49702). The first two are both rated by Microsoft as having a higher likelihood of exploitation, do not require user interaction, and can be triggered through the Preview Pane.
Two more high severity bugs include CVE-2025-49740 (CVSS 8.8) and CVE-2025-47178 (CVSS 8.0); the former is a weakness that could allow malicious files to bypass screening by Microsoft Defender SmartScreen, a built-in feature of Windows that tries to block untrusted downloads and malicious sites.
CVE-2025-47178 involves a remote code execution flaw in Microsoft Configuration Manager, an enterprise tool for managing, deploying, and securing computers, servers, and devices across a network. Ben Hopkins at Immersive Labs said this bug requires very low privileges to exploit, and that it is possible for a user or attacker with a read-only access role to exploit it.
“Exploiting this vulnerability allows an attacker to execute arbitrary SQL queries as the privileged SMS service account in Microsoft Configuration Manager,” Hopkins said. “This access can be used to manipulate deployments, push malicious software or scripts to all managed devices, alter configurations, steal sensitive data, and potentially escalate to full operating system code execution across the enterprise, giving the attacker broad control over the entire IT environment.”
Separately, Adobe has released security updates for a broad range of software, including After Effects, Adobe Audition, Illustrator, FrameMaker, and ColdFusion.
The SANS Internet Storm Center has a breakdown of each individual patch, indexed by severity. If you’re responsible for administering a number of Windows systems, it may be worth keeping an eye on AskWoody for the lowdown on any potentially wonky updates (considering the large number of vulnerabilities and Windows components addressed this month).
If you’re a Windows home user, please consider backing up your data and/or drive before installing any patches, and drop a note in the comments if you encounter any problems with these updates.
Krebs on Security – Read More
South Korean Government Imposes Penalties on SK Telecom for Breach
/in General NewsFollowing a breach at the country’s top mobile provider that exposed 27 million records, the South Korean government imposed a small monetary penalty but stiff regulatory requirements.
darkreading – Read More
Microsoft Patches 137 CVEs in July, but No Zero-Days
/in General NewsSome 17 of the bugs are at high risk for exploits, including multiple remote code execution bugs in Office and SharePoint.
darkreading – Read More
Chinese researchers unveil MemOS, the first ‘memory operating system’ that gives AI human-like recall
/in General NewsResearchers unveil MemOS, a breakthrough “memory operating system” for AI that delivers 159% improvement in reasoning tasks and enables persistent memory across sessions.Read More
Security News | VentureBeat – Read More
Adobe Patches Critical Code Execution Bugs
/in General NewsAdobe patches were also released for medium-severity flaws in After Effects, Audition, Dimension, Experience Manager Screens, FrameMaker, Illustrator, Substance 3D Stager, and Substance 3D Viewer.
The post Adobe Patches Critical Code Execution Bugs appeared first on SecurityWeek.
SecurityWeek – Read More