226 matches found
IT administrators’ passwords are awful too
The key is under the doormat by the front door. The administrator password is "admin". These are easy to remember clues when you are providing entrance to someone you trust. The problem is that they are also enormously easy to guess. It’s where we would expect an unwanted visitor to check first,...
Who and What is Behind the Malware Proxy Service SocksEscort?
Researchers this month uncovered a two-year-old Linux-based remote access trojan dubbed AVrecon that enslaves Internet routers into botnet that bilks online advertisers and performs password-spraying attacks. Now new findings reveal that AVrecon is the malware engine behind a 12-year-old service...
CVE-2022-45860
A weak authentication vulnerability CWE-1390 in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions in device registration page may allow an unauthenticated attacker to perform password spraying attacks with an increas...
CVE-2022-45860
A weak authentication vulnerability CWE-1390 in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions in device registration page may allow an unauthenticated attacker to perform password spraying attacks with an increas...
Authentication flaw
A weak authentication vulnerability CWE-1390 in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions in device registration page may allow an unauthenticated attacker to perform password spraying attacks with an increas...
CVE-2022-45860
The CVE-2022-45860 entry describes a weak authentication vulnerability in FortiNAC-F v7.2.0 and FortiNAC versions 9.4.2 and below, 9.2 and earlier, 9.1 and earlier, 8.8 and earlier, 8.7 and earlier, located in the device registration page. The underlying issue allows an unauthenticated attacker t...
CVE-2022-45860
A weak authentication vulnerability CWE-1390 in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions in device registration page may allow an unauthenticated attacker to perform password spraying attacks with an increas...
CVE-2022-45860
A weak authentication vulnerability CWE-1390 in FortiNAC-F version 7.2.0, FortiNAC version 9.4.2 and below, 9.2 all versions, 9.1 all versions, 8.8 all versions, 8.7 all versions in device registration page may allow an unauthenticated attacker to perform password spraying attacks with an increas...
FortiNAC - Weak authentication mechanism on device registration page
A weak authentication vulnerability CWE-1390 in FortiNAC device registration page may allow an unauthenticated attacker to perform password spraying attacks with an increased chance of success...
Siemens Desigo PXC and DXR Devices Improper Restriction of Excessive Authentication Attempts (CVE-2022-24044)
A vulnerability has been identified in Desigo DXR2 All versions V01.21.142.5-22, Desigo PXC3 All versions V01.21.142.4-18, Desigo PXC4 All versions V02.20.142.10-10884, Desigo PXC5 All versions V02.20.142.10-10884. The login functionality of the application does not employ any countermeasures...
CrackQL - GraphQL Password Brute-Force And Fuzzing Utility
CrackQL is a GraphQL password brute-force and fuzzing utility. CrackQL is a versatile GraphQL penetration testing tool that exploits poor rate-limit and cost analysis controls to brute-force credentials and fuzz operations. How it works? CrackQL works by automatically batching a single GraphQL...
Msprobe - Finding All Things On-Prem Microsoft For Password Spraying And Enumeration
Finding all things on-prem Microsoft for password spraying and enumeration. The tool will used a list of common subdomains associated with your target apex domain to attempt to discover valid instances of on-prem Microsoft solutions. Screenshots of the tool in action are below: Installing Install...
Experts Detail New RCE Vulnerability Affecting Google Chrome Dev Channel
Details have emerged about a recently patched critical remote code execution vulnerability in the V8 JavaScript and WebAssembly engine used in Google Chrome and Chromium-based browsers. The issue relates to a case of use-after-free in the instruction optimization component, successful exploitatio...
CVE-2022-24044
A vulnerability has been identified in Desigo DXR2 All versions V01.21.142.5-22, Desigo PXC3 All versions V01.21.142.4-18, Desigo PXC4 All versions V02.20.142.10-10884, Desigo PXC5 All versions V02.20.142.10-10884. The login functionality of the application does not employ any countermeasures...
CVE-2022-24044
A vulnerability has been identified in Desigo DXR2 All versions V01.21.142.5-22, Desigo PXC3 All versions V01.21.142.4-18, Desigo PXC4 All versions V02.20.142.10-10884, Desigo PXC5 All versions V02.20.142.10-10884. The login functionality of the application does not employ any countermeasures...
CVE-2022-24044
A vulnerability has been identified in Desigo DXR2 All versions V01.21.142.5-22, Desigo PXC3 All versions V01.21.142.4-18, Desigo PXC4 All versions V02.20.142.10-10884, Desigo PXC5 All versions V02.20.142.10-10884. The login functionality of the application does not employ any countermeasures...
Design/Logic Flaw
A vulnerability has been identified in Desigo DXR2 All versions V01.21.142.5-22, Desigo PXC3 All versions V01.21.142.4-18, Desigo PXC4 All versions V02.20.142.10-10884, Desigo PXC5 All versions V02.20.142.10-10884. The login functionality of the application does not employ any countermeasures...
SSOh-No - User Enumeration And Password Spraying Tool For Testing Azure AD
This tool is designed to enumerate users, password spray and perform brute force attacks against any organisation that utilises Azure AD or O365. Generally, this endpoint provides extremely verbose errors which can be leveraged to enumerate users and validate their passwords via brute...
CVE-2022-24044
A vulnerability has been identified in Desigo DXR2 All versions V01.21.142.5-22, Desigo PXC3 All versions V01.21.142.4-18, Desigo PXC4 All versions V02.20.142.10-10884, Desigo PXC5 All versions V02.20.142.10-10884. The login functionality of the application does not employ any countermeasures...
CVE-2022-24044
The CVE-2022-24044 entry affects Siemens Desigo DXR2, PXC3, PXC4 and PXC5 controllers. Root cause: the login functionality lacks protection against Password Spraying/Credential Stuffing, enabling an attacker to enumerate valid usernames and then perform targeted login attempts to gain access to a...