63 matches found
Thousands of Public Google Cloud API Keys Exposed with Gemini Access After API Enablement
New research has found that Google Cloud API keys, typically designated as project identifiers for billing purposes, could be abused to authenticate to sensitive Gemini endpoints and access private data. The findings come from Truffle Security, which discovered nearly 3,000 Google API keys...
Mattermost has an Observable Timing Discrepancy vulnerability
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets...
CVE-2025-54499
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets...
CVE-2025-54499 Insecure string comparison enables timing attacks
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets...
EUVD-2016-7467
Malware in sbrugna...
EUVD-2018-10322
Malware in sbrugna...
EUVD-2018-7358
Malware in sbrugna...
EUVD-2021-16380
Malware in sbrugna...
EUVD-2025-27818
Malicious code in bioql PyPI...
EUVD-2024-21373
Malicious code in bioql PyPI...
Akira Ransomware Group Utilizing SonicWall Devices for Initial Access
Latest update – September 18, 2025 On September 17, 2025, SonicWall disclosed a security breach affecting all SonicWall customers with MySonicWall.com cloud backups enabled. The firm detected suspicious activity targeting MySonicWall.com, through which threat actors were able to access backup...
CVE-2025-32010
A stack-based buffer overflow vulnerability exists in the Cloud API functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted HTTP response can lead to arbitrary code execution. An attacker can send an HTTP response to trigger this vulnerability...
Tenda AC6 security vulnerability
Tenda AC6 is a dual-band wireless router from Tenda that supports IPv4 and IPv6 protocols and utilizes the 802.11ac/n wireless standard to provide a wireless transmission rate of 1167Mbps. Tenda AC6 has a stack buffer overflow vulnerability; the vulnerability stems from the Cloud API function has...
Tenda AC6 V5.0 Cloud API stack-based buffer overflow vulnerability
Talos Vulnerability Report TALOS-2025-2168 Tenda AC6 V5.0 Cloud API stack-based buffer overflow vulnerability August 20, 2025 CVE Number CVE-2025-32010 SUMMARY A stack-based buffer overflow vulnerability exists in the Cloud API functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted HT...
CVE-2025-29629
Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 use weak default credentials for secure shell access. This may result in attackers gaining access to exposed Gardyn Home Kits...
CVE-2024-23943
An unauthenticated remote attacker can gain access to the cloud API due to a lack of authentication for a critical function in the affected devices. Availability is not affected...
CVE-2024-23943 MB connect line: Cloud API access due to a lack of authentication for a critical function
An unauthenticated remote attacker can gain access to the cloud API due to a lack of authentication for a critical function in the affected devices. Availability is not affected...