We've been collecting and mirroring what we can find of public data scrapes of data that has recently gone missing from federal sites or is likely to in the near future. The repos here include public data from CDC, NIH, and NOAA. Be warned that some of these repos are quite large!

https://git.lsit.ucsb.edu/publicdata

[RSS] Secure by Design: Google's Blueprint for a High-Assurance Web Framework

https://bughunters.google.com/blog/6644316274294784/secure-by-design-google-s-blueprint-for-a-high-assurance-web-framework

@_dm "Speedrunning engineering failures" is the new "Speedrunning the failures of the financial system"?

Unofficial #PatchTuesday continues with Google Chrome: Stable Channel Update for Desktop
Chrome 133.0.6943.53 (Linux) and 133.0.6943.53/54( Windows, Mac) includes 12 security fixes, 3 are externally reported:

• CVE-2025-0444 (high) Use after free in Skia
• CVE-2025-0445 (high) Use after free in V8
• CVE-2025-0451 (medium) Inappropriate implementation in Extensions API

No mention of exploitation.

#google #chrome #vulnerability #cve #infosec #cybersecurity

@krypt3ia The state of the industry is well illustrated by the fact that people take THN seriously...

@SecurityWriter one time, a trillion years ago, i did an assessment for a biotech company here in san diego. they wanted me to spend a few days going after their fat client. it talked to a server and had something to do with creating mollecules.

it had, by design, the ability to squirt arbitrary bash/python/php/etc into its server end - by design.

i tried to explain how this could be abused but they said "Pff.. who would ever do that?!" and wrote me off outright.

then they went to cloud

In relation to parent toots above, see related press release from CISA: CISA Partners with ASD’s ACSC, CCCS, NCSC-UK, and Other International and US Organizations to Release Guidance on Edge Devices

Foreign adversaries routinely exploit software vulnerabilities in network edge devices to infiltrate critical infrastructure networks and systems. The damage can be expensive, time-consuming, and reputationally catastrophic for public and private sector organizations. These guidance documents detail various considerations and strategies for a more secure and resilient network both before and after a compromise.

#infosec #cybersecurity #networksecurity #securitybestpractice #securebydesign

The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2024! https://portswigger.net/research/top-10-web-hacking-techniques-of-2024

@mumblegrepper

NETGEAR did this earlier than #PatchTuesday on 01 February 2025 but here you go:

• Security Advisory for Unauthenticated RCE on Some WiFi Routers, PSV-2023-0039An unassigned (no CVE) unauthenticated remote code execution vulnerability (CVSSv3.0: 9.8 critical) has been patched in NETGEAR XR1000, XR1000v2, and XR500 WiFi routers.
• Security Advisory for Authentication Bypass on Some Wireless Access Points, PSV-2021-0117An unassigned (no CVE) authentication bypass security vulnerability (9.6 critical) was patched on NETGEAR WAX206, WAX220 and WAX214c2 wireless access points.

#netgear #vulnerability #infosec #cybersecurity

Top 10 web hacking techniques of 2024 https://portswigger.net/research/top-10-web-hacking-techniques-of-2024

#PatchTuesday continues with Zyxel: Zyxel security advisory for command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE
Zyxel's security advisory confirms the existence of CVE-2024-40890, CVE-2024-40891, and CVE-2025-0890 affecting end-of-life DSL CPE products. While they link to GreyNoise's blog post, Zyxel does not acknowledge the fact that CVE-2024-40891 (8.8 high) post-auth command injection is a zero-day being exploited in the wild by a Mirai botnet variant. They reiterate that EoL products don’t receive further support and:

"we strongly recommend that users replace them with newer-generation products for optimal protection."

Note: DSL CPE likely stands for Digital Subscriber Line Customer-Premises Equipment cc: @fellows for more Patch Tuesday Madness.

#zyxel #vulnerability #cve #CVE_2024_40891 #zeroday #eitw #activeexploitation #mirai #botnet #infosec #cybersecurity

Claroty: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated...
There was increased interest in healthcare industry's patient monitors after CISA warned on 31 January 2025 that Contec CMS8000 Contains a Backdoor. Claroty's Team82 actually previously investigated the firmware and reached the conclusion that it is most likely not a hidden backdoor, but instead an insecure/vulnerable design that introduces great risk to the patient monitor users and hospital networks. Their conclusion is mainly based on the fact that the vendor—and resellers who re-label and sell the monitor—list the IP address in their manuals and instruct users to configure the Central Management System (CMS) with this IP address within their internal networks. h/t: @bees; cc: @wdormann

Note: there's associated vulnerabilities:

• CVE-2025-0626 (CVSSv4: 7.7/v3.1: 7.5 high) Hidden Functionality vulnerability in Contec Health CMS8000 Patient Monitor
• CVE-2025-0683 (CVSSv4: 8.2 high/v3.1: 5.9 medium) Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Contec Health CMS8000 Patient Monitor

#contec #backdoor #hph #hhs #vulnerability #cve #china #cisa #infosec #cybersecurity

CISA: CISA Adds Four Known Exploited Vulnerabilities to Catalog
Hot off the press!:

• CVE-2018-19410 (9.8 critical) Paessler PRTG Network Monitor Local File Inclusion Vulnerability
• CVE-2018-9276 (7.2 high) Paessler PRTG Network Monitor OS Command Injection Vulnerability
• CVE-2024-29059 (7.5 high) Microsoft .NET Framework Information Disclosure Vulnerability
• CVE-2024-45195 (9.8 critical) Apache OFBiz Forced Browsing Vulnerability

#cisa #cisakev #kev #vulnerability #eitw #activeexploitation #infosec #cybersecurity #knownexploitedvulnerabilitiescatalog

Not that it surprises me, but the "National Cybersecurity Strategy" has disappeared:
https://www.whitehouse.gov/oncd/national-cybersecurity-strategy/

So yeah.

Archive link:
https://web.archive.org/web/20250117195921/https://www.whitehouse.gov/oncd/national-cybersecurity-strategy/

#infosec

There is still a couple more days to submit your 1-page article to Paged Out! #6!
We're at 41 pages of content out of 50 required. We'll start finalizing the issue when we reach 50. Not much time left, but you can still make it! 🙂
Details: https://pagedout.institute/?page=cfp.php

I enjoy memes and sarcasm more than anyone, but I'd really appreciate a TL;DR for these supply-chain posts of watchTowr...

I mean, their last exploit writeup is estimated a 15mins read, the latest thing is 41 and there isn't even code to explain.

4 February 1917 | A Polish Jewish dancer Franciszka Mann was born. She was most probably the woman who on 23 October 1943, inside the undressing room of gas chamber II at Auschwitz II-Birkenau, seized SS man Josef Schillinger’s pistol, shot him & wounded SS man Wilhelm Emmerich.

Apache Cassandra vulnerabilities:

CVE-2024-27137: Unrestricted deserialization of JMX authentication credentials

https://seclists.org/oss-sec/2025/q1/92

CVE-2025-24860: Network region AUTHZ bypass

https://seclists.org/oss-sec/2025/q1/94

CVE-2025-23015: Privilege escalation with ALL KEYSPACES permission

https://seclists.org/oss-sec/2025/q1/93