Design/Logic Flaw
In IQrouter through 3.3.1, there is a root user without a password, which allows attackers to gain full remote access via SSH. Note: The vendor claims that this vulnerability can only occur on a brand-new network that, after initiating the forced initial configuration which has a required step fo...
Hackers Update Age-Old Excel 4.0 Macro Attack
Hackers have updated the age-old Excel malware attack technique with a new passwordless twist. Researchers have identified a new method that no longer requires victims to enter a password to open a dangerous document, more readily exposing them to potential malware infection. Researchers from securi...
CVE-2020-9473
The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 has a passwordless ftp ssh user. By using an exploit chain, an attacker with access to the network can get root access on the gateway...
Design/Logic Flaw
The S. Siedle & Soehne SG 150-0 Smart Gateway before 1.2.4 has a passwordless ftp ssh user. By using an exploit chain, an attacker with access to the network can get root access on the gateway...
CVE-2020-9473
CVE-2020-9473 affects the S. Siedle & Soehne SG 150-0 Smart Gateway older than 1.2.4. It documents a passwordless ftp/SSH user, allowing an attacker with network access to chain exploits and achieve root access on the gateway. CVSS metrics from the sources indicate high impact (I/H, A/H) with net...
CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP Access Control Error Vulnerability
CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP is a baby surveillance camera. A security vulnerability exists in the CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP using firmware version 3.4.2.0919. The vulnerability can be exploited by an attacker to access the RTSP service without...
CVE-2020-6852
CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 has weak authentication of TELNET access, leading to root privileges without any password required...
Samsung Mobile Device Information Disclosure Vulnerability (CNVD-2020-29856)
Android is a free and open source operating system from Google based on the Linux kernel without GNU components. An information disclosure vulnerability exists in Samsung mobile devices, which can be exploited by an attacker to access the contents of locked applications without a password...
Empower Firstline Workers with Azure AD and YubiKey passwordless authentication
At the end of February, Microsoft announced the FIDO2 passwordless support for hybrid environments. The integration of FIDO2-based YubiKeys and Azure Active Directory (Azure AD) is a game changer. It combines the ubiquity of Azure AD, the usability of YubiKey, and the security of both solutions to...
Quick wins—single sign-on (SSO) and Multi-Factor Authentication (MFA)
With Multi-Factor Authentication (MFA) and single sign-on (SSO) being a few of the most effective countermeasures against modern threats, organizations should consider a Cloud Identity as a Service (IDaaS) and MFA solution, like Azure Active Directory (AD). Here are seven benefits: 1. Azure AD is simple...
CVE-2020-7954
An issue was discovered in OpServices OpMon 9.3.2. Starting from the apache user account, it is possible to perform privilege escalation through the lack of correct configuration in the server's sudoers file, which by default allows the execution of programs (e.g. nmap) without the need for a...
Afternoon Cyber Tea—The State of Cybersecurity: How did we get here? What does it mean?
Every year the number and scale of cyberattacks grows. Marc Goodman, a global security strategist, futurist, and author of the book, Future Crimes: Everything is Connected, Everyone is Vulnerable, and What We Can Do About It, thinks a lot about how we got here and what it means, which is why he w...
5 identity priorities for 2020
Today, Joy Chik, Corporate Vice President of Identity, shared five priorities central to security that organizations should prioritize in 2020 as they digitally transform. These priorities are based on many conversations with our customers, including: 1. Connect all applications and cloud resourc...
Go passwordless to strengthen security and reduce costs
We all know passwords are inherently unsecure. They’re also expensive to manage. Users struggle to remember them. It’s why we’re so passionate about eliminating passwords entirely. Passwordless solutions, such as Windows Hello, FIDO2 security keys, and the Microsoft Authenticator app, provide mor...
Improve security with a Zero Trust access model
Zero Trust is a security model that I believe can begin to turn the tide in the cybersecurity battles. Traditional perimeter-based network security has proved insufficient because it assumes that if a user is inside the corporate perimeter, they can be trusted. We’ve learned that this isn't true...
PT-2019-6424 · Ruijie · Ruijie Eg-2000 Series Gateway
Name of the Vulnerable Software and Affected Versions: Ruijie EG-2000 series gateway versions EG-2000SE EG RGOS 11.11B1. Description: The issue is related to a buffer overflow in the client.so file of the Ruijie EG-2000 series gateway. This allows an attacker to log in to any account without...
CVE-2019-15102
An issue was discovered in Tyto Sahi Pro 6.x through 8.0.0. The TestRunnerNondistributed and distributed endpoints do not have any authentication mechanism. This allows an attacker to execute an arbitrary script on the remote Sahi Pro server. There is also a password-protected web interface intende...
CVE-2019-15949
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a...