"I'm interested in all kinds of astronomy."
New assessment for topic: CVE-2025-58034

Topic description: "An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands. ..."

"Based on writing the [Rapid7 Analysis](https://attackerkb.com/topics/zClpINmLCh/cve-2025-58034/rapid7-analysis), I have rated the exploitability as `Very High`, as exploitation is trivial and reliable ..."

Link: https://attackerkb.com/assessments/c67a510c-5ac5-43a7-affd-7b7655c4b62f
@rebane2001 that booster thing is plain witchcraft.

Postmortem of the Xubuntu.org download site compromise

https://lwn.net/Articles/1047056/


Sent from San Francisco, California, U.S.A. on December 20, 1995. https://postcardware.net/?id=12-38


Cloudflare published a very good article explaining how yesterday's outage happened.

https://blog.cloudflare.com/18-november-2025-outage/

I encourage everyone to read it.

I also think people are focusing on that particular unwrap() too much, and not enough on a bigger picture: lack of fallbacks.

Without fallbacks at the interfaces between different subsystems, there's nothing to stop an error in one place from cascading throughout the whole infra.

Config parsing is not the only place where such fallback was missing.


First fake ticket spotted in the wild. If you see any offers on platforms like Kleinanzeigen or eBay showing a ticket, it is a scam - tickets are not issued yet and no one knows what they will look like. Flag those offers please.

Another humble #UX request:

I know dates look ugly, but "last month" is a pretty wide timeframe, and when my brain sees "3 weeks ago" it will recall yesterday's dinner and the 1994 World Cup final with equal probability.

Please display exact dates on frontends!
TIL cURL only supports the lowercase http_proxy environment variable:

https://curl.se/mail/archive-2001-12/0034.html
[RSS] HEX ADVENT 2025: Crack the Advent, Conquer the Threat

https://starlabs.sg/blog/2025/11-hex-advent-2025/
[RSS] "Astral-tokio-tar" / "uv" Arbitrary Write Path Traversal Vulnerability

https://github.com/google/security-research/security/advisories/GHSA-9p78-p5g6-gcj8

This is CVE-2025-59825
[RSS] dz6: vim-like hex editor

https://crates.io/crates/dz6
Since yesterday's #AdTech link was received quite positively, I'm sharing again this collection from The Correspondent:

Debunking the science of advertising
https://thecorrespondent.com/collection/the-nonsense-of-online-advertising

The Correspondent was an incredible publication, and as such, turned out to be unsustainable :(

I have a friend who prefers to stay anonymous who gives this amazing talk in non US (but allied) countries about how long their internet will -really- function if they lose all comms with American data centers and it’s… phew. It’s a thing. Some resilient ones will last a few weeks before certificates expire. But CF is a wrench.


I want to try switching to Linux.

However, I cannot find a working remote desktop system that allows me to take over the same session that I was using locally so that I can switch back and forth between being at the computer and being remote without having to log out. Blanking/Locking the local screen while I'm connected remotely is also a need.

Basically I need it to work as close to Microsoft's RDP as possible. If anyone can help me with this, you'll convert me to a Linux user.


Here’s a free scanner for that FortiWeb CVE-2025-64446 I made for you. https://github.com/sensepost/CVE-2025-64446

@mariyadelano @rmd1023 @brouhaha @hacks4pancakes This is a great article, pointing out that if someone charges you by their performance while they are also responsible for measuring their own performance, there is a slight chance of fraud.
https://thecorrespondent.com/125/the-non-sense-of-online-advertising-when-the-numbers-dont-add-up