13 matches found

Talos Blog
added 2026/03/26 6:0 p.m., 1 view

A puppet made me cry and all I got was this t-shirt

Welcome to this week's edition of the Threat Source newsletter. Anyone who spoke with me in the last several weeks has had to deal with me loudly waiting in anticipation for the long-awaited "Project Hail Mary" movie adaptation. I read and cried over the book by Andy Weir, who's also the author o...

CVSS 9.8, AI score 6.7, EPSS 0.01008
Exploits: 1

HackRead
added 2025/08/05 4:43 p.m., 4 views

Over 100 Dell Laptop Models Plagued by Vulnerabilities Impacting Millions

A new Cisco Talos report reveals critical flaws in Dell Latitude and Precision laptops. Find out how hackers can exploit the ControlVault chip to steal sensitive data...

AI score 7.2
Exploits: 0

Talos
added 2025/08/05 12:0 a.m., 8 views

PDF-XChange Editor EMF File EMR_EXTCREATEFONTINDIRECTW Facename Out-Of-Bounds Read Vulnerability

Talos Vulnerability Report TALOS-2025-2203: PDF-XChange Editor EMF File EMR_EXTCREATEFONTINDIRECTW Facename Out-Of-Bounds Read Vulnerability. August 5, 2025. CVE Number: CVE-2025-47152. SUMMARY: An out-of-bounds read vulnerability exists in the EMF functionality of PDF-XChange Co. Ltd PDF-XChange Editor...

CVSS 6.5, AI score 6.2, EPSS 0.00486
Exploits: 1

Talos
added 2025/06/03 12:0 a.m., 7 views

Parallels Desktop prl_disp_service Snapshots.xml Hard Link Privilege Escalation

Talos Vulnerability Report TALOS-2024-2124: Parallels Desktop prl_disp_service Snapshots.xml Hard Link Privilege Escalation. June 3, 2025. CVE Number: CVE-2024-54189. SUMMARY: A privilege escalation vulnerability exists in the Snapshot functionality of Parallels Desktop for Mac version 20.1.1 build 55740...

CVSS 7.8, AI score 7.7, EPSS 0.0027
Exploits: 1

Talos
added 2025/01/15 12:0 a.m., 13 views

Observium add_alert_check cross-site scripting (XSS) vulnerability

Talos Vulnerability Report TALOS-2024-2090: Observium add_alert_check cross-site scripting (XSS) vulnerability. January 15, 2025. CVE Number: CVE-2024-47140. SUMMARY: A cross-site scripting (XSS) vulnerability exists in the add_alert_check page of Observium CE 24.4.13528. A specially crafted HTTP request can...

CVSS 8.7, AI score 6, EPSS 0.00693
Exploits: 1

Talos
added 2025/01/14 12:0 a.m., 8 views

Wavlink AC3000 login.cgi Goto_chidx() buffer overflow vulnerability

Talos Vulnerability Report TALOS-2024-2019: Wavlink AC3000 login.cgi Goto_chidx() buffer overflow vulnerability. January 14, 2025. CVE Number: CVE-2024-36290. SUMMARY: A buffer overflow vulnerability exists in the login.cgi Goto_chidx() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted...

CVSS 10, AI score 7.8, EPSS 0.01359
Exploits: 1

Talos
added 2025/01/14 12:0 a.m., 8 views

Wavlink AC3000 wireless.cgi AddMac() command injection vulnerability

Talos Vulnerability Report TALOS-2024-2044: Wavlink AC3000 wireless.cgi AddMac() command injection vulnerability. January 14, 2025. CVE Number: CVE-2024-34544. SUMMARY: A command injection vulnerability exists in the wireless.cgi AddMac() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially...

CVSS 9.1, AI score 7.7, EPSS 0.08494
Exploits: 1

Talos
added 2025/01/14 12:0 a.m., 27 views

Wavlink AC3000 nas.cgi add_dir() command injection vulnerabilities

Talos Vulnerability Report TALOS-2024-2058: Wavlink AC3000 nas.cgi add_dir() command injection vulnerabilities. January 14, 2025. CVE Number: CVE-2024-39784, CVE-2024-39785. SUMMARY: Multiple command execution vulnerabilities exist in the nas.cgi add_dir() functionality of Wavlink AC3000 M33A8.V5030.210505. A...

CVSS 9.1, AI score 8.2, EPSS 0.06193
Exploits: 2

Talos
added 2025/01/14 12:0 a.m., 9 views

Wavlink AC3000 internet.cgi set_qos() buffer overflow vulnerabilities

Talos Vulnerability Report TALOS-2024-2022: Wavlink AC3000 internet.cgi set_qos() buffer overflow vulnerabilities. January 14, 2025. CVE Number: CVE-2024-39768, CVE-2024-39770, CVE-2024-39769. SUMMARY: Multiple buffer overflow vulnerabilities exist in the internet.cgi set_qos() functionality of Wavlink AC3000...

CVSS 9.1, AI score 7.6, EPSS 0.01212
Exploits: 3

Talos
added 2025/01/14 12:0 a.m., 10 views

Wavlink AC3000 wireless.cgi DeleteMac() buffer overflow vulnerability

Talos Vulnerability Report TALOS-2024-2040: Wavlink AC3000 wireless.cgi DeleteMac() buffer overflow vulnerability. January 14, 2025. CVE Number: CVE-2024-39359. SUMMARY: A stack-based buffer overflow vulnerability exists in the wireless.cgi DeleteMac() functionality of Wavlink AC3000 M33A8.V5030.210505. A...

CVSS 9.1, AI score 8, EPSS 0.02362
Exploits: 1

Talos Blog
added 2023/01/05 7:0 p.m., 10 views

Threat Source newsletter (Jan. 5, 2023): Digging out of our inboxes

Happy New Year and welcome to this week's edition of the Threat Source newsletter. We can't tell if it's the fog from Lurene's deadly eggnog or dare we say pure rest and relaxation but we're still digging out of our inboxes, trying to remember logins, and circle back on all the things we prolonged int...

AI score 0.1
Exploits: 0

ThreatPost
added 2021/06/22 8:41 p.m., 66 views

BEC Losses Top $1.8B as Tactics Evolve

Business email compromise (BEC) attacks ramped up significantly in 2020, with more than $1.8 billion stolen from organizations with these types of attacks last year alone — and things are getting worse. BEC attacks are carried out by cybercriminals either impersonating someone inside an organizatio...

AI score 6.9
Exploits: 0, References: 8

FreeBSD
added 2018/10/18 12:0 a.m., 505 views

liveMedia -- potential remote code execution

Talos reports: An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerabili...

CVSS 10, AI score 3.6, EPSS 0.09745
Exploits: 3, References: 2