Scammers are sending bogus copyright warnings to steal your X login
One of my favorite Forbes correspondents recently wrote about receiving several fake copyright-infringement notices from X. Let’s suppose you get an email claiming it’s from X, warning: “We’ve received a DMCA notice regarding your account.” Chances are, you’ll be wondering what you did wrong. DMC...
CVE-2025-8855 2FA Expiry Bypass in Optimus Software's Brokerage Automation
Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry...
CVE-2025-8855
Optimus Software Brokerage Automation before version 1.1.71 is affected by multiple auth-related issues: Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, and Authentication Bypass by Assumed-Immutable Data. These flaws enable exploitation ...
Android Trojan 'Fantasy Hub' Malware Service Turns Telegram Into a Hub for Hackers
Cybersecurity researchers have disclosed details of a new Android remote access trojan (RAT) called Fantasy Hub that's sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model. According to its seller, the malware enables device control and espionage, allowing threat actor...
Vulnerabilities fixed in Fortinet FortiOS and FortiProxy
Fortinet has fixed vulnerabilities in FortiOS and FortiProxy. The vulnerabilities include a stack-based buffer overflow that allows authenticated attackers to execute unauthorized code via specially crafted CLI commands. In addition, there are issues with incorrect certificate validation that all...
DRUPAL-CONTRIB-2025-115
The Email TFA module provides additional email-based two-factor authentication for Drupal logins. In certain scenarios, the module does not fully protect all login mechanisms as expected. This issue is mitigated by the fact that an attacker must already have valid user credentials username and...
Drupal Email TFA module < 2.0.6 - Authenticated Broken Access Control vulnerability
Authenticated Broken Access Control vulnerability discovered by Pierre Rudloff (prudloff) in WordPress Module Email TFA versions 2.0.6...
Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115
The Email TFA module provides additional email-based two-factor authentication for Drupal logins. In certain scenarios, the module does not fully protect all login mechanisms as expected. This issue is mitigated by the fact that an attacker must already have valid user credentials username and...
A week in security (October 27 – November 2)
Last week on Malwarebytes Labs: Update Chrome now: 20 security fixes just landed; How scammers use your data to create personalized tricks that work; Ransomware gang claims Conduent breach: what you should watch for next; Fake PayPal invoice from Geek Squad is a tech support scam; Atlas browser’s...
CVE-2025-34249
Nagios Fusion versions prior to 2024R2.1 contain a brute-force bypass in the Two-Factor Authentication (2FA) implementation. The application did not properly enforce rate limiting or account lockout for repeated failed 2FA verification attempts, allowing a remote attacker to repeatedly try...
CVE-2025-34269
Nagios Fusion versions prior to R2.1 contain a vulnerability due to the application not requiring re-authentication or session rotation when a user has enabled two-factor authentication (2FA). As a result, an adversary who has obtained a valid session could continue using the active session after t...
CVE-2025-8850
In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend do...
EUVD-2025-37225
Nagios Fusion versions prior to 2024R2.1 contain a brute-force bypass in the Two-Factor Authentication (2FA) implementation. The application did not properly enforce rate limiting or account lockout for repeated failed 2FA verification attempts, allowing a remote attacker to repeatedly try...
EUVD-2025-37224
Nagios Fusion versions prior to R2.1 contain a vulnerability due to the application not requiring re-authentication or session rotation when a user has enabled two-factor authentication (2FA). As a result, an adversary who has obtained a valid session could continue using the active session after t...
CVE-2025-34269
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it is a duplicate of CVE-2025-60424...
CVE-2025-34249
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it is a duplicate of CVE-2025-60425...
EUVD-2025-37197
In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend do...
CVE-2025-34269
This CVE-2025-34269 entry concerns Nagios Fusion prior to R2.1, where the application does not require re-authentication or session rotation after a user enables 2FA. A valid session may persist after 2FA is enabled, enabling potential persistent account takeover and undermining the legitimate us...