Security

- Notices
Multiple vulnerabilities in VMware Tanzu products

Multiple vulnerabilities in VMware Tanzu products. Wed, 30/04/2025 - 09:21. Notice. Affected Resources: VMware Tanzu Greenplum, version 7.4.0 and earlier; VMware Tanzu GemFire Vector Database, version 1.1.0 and earlier. Description: Broadcom has published 8 vulnerabilities, one of critical severity, 2 high and the rest medium, affecting VMware Tanzu components, which could allow, among other things, adding or modifying data or causing a denial of service (DoS). Identifier: INCIBE-2025-0212. 5 - Critical. Solution: Update to the latest version of the products: VMware Tanzu Greenplum, version 7.4.1; VMware Tanzu GemFire Vector Database, version 1.2.0. Detail: The critical vulnerability affects Greenplum Cluster Management and is caused by a flaw in public-key authentication. Applications and libraries that misuse connection.serverAuthenticate (through the ServerConfig.PublicKeyCallback callback field) may be susceptible to Read More
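The public-key authentication flaw above hinges on a documented property of the SSH protocol (RFC 4252, section 7): a client may ask whether a key would be acceptable without proving it holds the private key, so the server-side callback can run for several keys, in an order the attacker controls, and the last key it saw is not necessarily the one that authenticated. The Python below is an added example, not Broadcom, VMware or Go SSH library code; it simulates in plain Python the behaviour of a server that invokes the callback once per offered key and caches the decision (as golang.org/x/crypto/ssh does), and contrasts an application that records the last key the callback saw with one that carries the identity inside the Permissions object the callback returns. The fingerprints and the authorized_keys mapping are constructed sample values.

```python
"""Simulation of PublicKeyCallback misuse: 'last key seen' vs. 'key that authenticated'."""
from dataclasses import dataclass, field


@dataclass
class Permissions:
    """Stands in for the Permissions struct a server callback returns."""
    extensions: dict = field(default_factory=dict)


@dataclass
class UserAuthRequest:
    key: str      # public-key fingerprint (constructed sample values)
    signed: bool  # True only when the client proved possession of the private key


# Constructed authorized_keys: fingerprint -> account it belongs to.
AUTHORIZED_KEYS = {"SHA256:keyA": "alice", "SHA256:keyB": "bob"}


def server_authenticate(requests, public_key_callback):
    """Return the Permissions of the key the client actually authenticated with.

    Each distinct key reaches public_key_callback exactly once; the result is
    cached, so a later signed request for the same key reuses the cached
    decision without calling back. Only a signed request completes auth.
    """
    cache = {}
    for req in requests:
        if req.key not in cache:
            cache[req.key] = public_key_callback(req.key)  # None means rejected
        perms = cache[req.key]
        if perms is None:
            continue                      # USERAUTH_FAILURE for this key
        if req.signed:                    # signature check is modelled by `signed`
            return perms
        # unsigned query: server answers PK_OK and waits for the next request
    raise PermissionError("no key authenticated")


# --- vulnerable pattern: remember the last key the callback saw ----------
class LastKeyRecorder:
    def __init__(self):
        self.last_user = None

    def callback(self, key):
        user = AUTHORIZED_KEYS.get(key)
        if user is None:
            return None
        self.last_user = user   # side state: wrong as soon as several keys are offered
        return Permissions()


# --- correct pattern: carry the identity in the returned Permissions -------
def identity_in_permissions(key):
    user = AUTHORIZED_KEYS.get(key)
    if user is None:
        return None
    return Permissions(extensions={"user": user})


# Constructed attack: query keyA, query keyB (no proof), then sign with keyA only.
ATTACK = [
    UserAuthRequest("SHA256:keyA", signed=False),
    UserAuthRequest("SHA256:keyB", signed=False),
    UserAuthRequest("SHA256:keyA", signed=True),
]


def who_logged_in(pattern):
    """Identity the application believes it authenticated, for each pattern."""
    if pattern == "last-key":
        rec = LastKeyRecorder()
        server_authenticate(ATTACK, rec.callback)
        return rec.last_user              # reports 'bob' although only keyA was proven
    perms = server_authenticate(ATTACK, identity_in_permissions)
    return perms.extensions["user"]       # 'alice', the key that really signed


def query_without_proof_is_rejected():
    """A client that only queries keys never completes authentication."""
    try:
        server_authenticate([UserAuthRequest("SHA256:keyB", signed=False)],
                            identity_in_permissions)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("last-key pattern   :", who_logged_in("last-key"))
    print("permissions pattern:", who_logged_in("permissions"))
```

In the real Go library the second pattern corresponds to returning the identity in the Permissions struct from the callback and reading it back from ServerConn.Permissions after the handshake; that value is tied to the key that produced a valid signature, not to the last callback invocation.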

- Notices
Multiple vulnerabilities in Bookgy

Multiple vulnerabilities in Bookgy. Tue, 29/04/2025 - 12:13. Notice. Affected Resources: Bookgy (no specific versioning). Description: INCIBE has coordinated the publication of 5 vulnerabilities, 2 of critical severity and 3 of medium severity, affecting Bookgy, an online management and booking software, discovered by David Utón. These vulnerabilities have been assigned the following identifiers, CVSS v4.0 base score, CVSS vector and CWE vulnerability type: CVE-2025-40615 and CVE-2025-40616: CVSS v4.0: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79. CVE-2025-40617 and CVE-2025-40618: CVSS v4.0: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89. CVE-2025-40619: CVSS v4.0: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-863. Identifier: INCIBE-2025-0207. 5 - Critical. Solution: The vulnerabilities were fixed by the Bookgy team in October 2024 and are no longer exploitable. Detail: Reflected Cross-Site Scripting (XSS) vulnerability Read More

- Notices
Remote code execution in Craft CMS

Remote code execution in Craft CMS. Tue, 29/04/2025 - 10:21. Notice. Affected Resources: The following Craft CMS versions are affected: from 3.0.0-RC1 up to and including 3.9.14; from 4.0.0-RC1 up to and including 4.14.14; from 5.0.0-RC1 up to and including 5.6.16. Description: Craft CMS has published a critical-severity vulnerability that could allow an attacker to execute code remotely. The vendor also states that there is evidence the vulnerability is being exploited. Identifier: INCIBE-2025-0210. 5 - Critical. Solution: Depending on the installed branch, update to the following Craft CMS versions: 3.9.15; 4.14.15; 5.6.17. Detail: An unauthenticated user could send a POST request to the endpoint responsible for image transformation, and the server would interpret the data in the request. This data is interpreted when creating the Read More

- Notices
Multiple vulnerabilities in Commvault

Multiple vulnerabilities in Commvault. Tue, 29/04/2025 - 09:36. Notice. Affected Resources: The affected products differ per vulnerability, although in both cases the product is affected whether it is installed on Windows or Linux. For the critical vulnerability CVE-2025-34028: Commvault Command Center, Innovation Release, versions 11.38.0 through 11.38.19. For the high-severity vulnerability CVE-2025-3928: Commvault, Maintenance Release, versions 11.36.0 through 11.36.45; Commvault, Maintenance Release, versions 11.32.0 through 11.32.88; Commvault, Maintenance Release, versions 11.28.0 through 11.28.140; Commvault, Maintenance Release, versions 11.20.0 through 11.20.216. Description: Commvault has two vulnerabilities, one of critical severity discovered by Sonny MacDonald of watchTowr, and one of high severity. These vulnerabilities can allow unauthenticated remote code execution and the creation and execution of webshells. Identifier: INCIBE-2025-0209. 5 - Critical. Solution: Update the product to a non-vulnerable version: Commvault Command Center Installation, Innovation Release, versions 11.38.20 and Read More

- Notices
Local privilege escalation in EPSON printers

Local privilege escalation in EPSON printers. Mon, 28/04/2025 - 09:34. Notice. Affected Resources: EPSON printers on Windows systems configured in a language other than English. Description: Erkan Ekici discovered this high-severity vulnerability, which affects EPSON printers on Windows systems configured in a language other than English. If exploited, an attacker could execute arbitrary code and escalate privileges. Identifier: INCIBE-2025-0206. 4 - High. Solution: Install the patch that fixes this issue. The vendor recommends applying updates for this product through the Epson Software Updater tool. Detail: On EPSON printers installed on Windows systems configured in a language other than English, it is possible to overwrite some of the DLL files handled by the printer driver and, in this way, escalate privileges. It has been assigned the Read More

- Una Al Día - Adrián Vidal
Path traversal vulnerability in Commvault Command Center

CVE-2025-34028 is a critical flaw (CVSS 10) that allows an unauthenticated attacker to take full control of Commvault Command Center 11.38 servers by uploading a malicious ZIP file. The bug, a path traversal, leads to remote code execution (RCE) and puts the organization's backups at risk. Given the sensitive nature of backup systems (which usually hold critical data and credentials for several environments), this vulnerability is a serious risk both to technical security and to the business continuity of the affected organizations. The post "Path traversal vulnerability in Commvault Command Center" was first published in Una Al Día. Read More
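Both the INCIBE notice above and this post describe the same primitive: an uploaded ZIP whose member names contain path traversal, so that extraction drops a file (a webshell) outside the intended directory. The check a practitioner wants on any archive-upload handler is shown below as an added example; it is not Commvault's code nor the published exploit. It builds a constructed ZIP in memory with one benign member and two hostile ones (a "../" traversal entry and an absolute path), and extracts it only through a filter that resolves each member against the destination and refuses anything that lands outside it. The destination directory and file names are assumptions for the demo.

```python
"""Zip path traversal ("zip slip") filter for archive uploads."""
import io
import os
import pathlib
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed archive: one safe entry and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/index.html", "<h1>ok</h1>")
        zf.writestr("../../webapps/ROOT/cmd.jsp", "<% /* constructed */ %>")
        zf.writestr("/tmp/absolute.txt", "absolute path")
    return buf.getvalue()


def is_safe_member(dest, name: str) -> bool:
    """True only if dest/name resolves to a location strictly inside dest."""
    dest = pathlib.Path(dest)
    # Reject absolute paths and Windows-style separators up front; a
    # backslash is a plain character on POSIX but a separator elsewhere.
    if "\\" in name or name.startswith("/") or os.path.isabs(name):
        return False
    target = (dest / name).resolve()      # collapses "a/../.." lexically and via symlinks
    try:
        target.relative_to(dest.resolve())
    except ValueError:                    # resolved path is not under dest
        return False
    return True


def safe_extract(data: bytes, dest):
    """Extract members one by one; return (extracted, rejected) member names."""
    dest = pathlib.Path(dest)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest, info.filename):
                rejected.append(info.filename)
                continue
            target = dest / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            # Write the member ourselves instead of ZipFile.extract(): the
            # decision is taken by is_safe_member, not by library defaults.
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def demo():
    """Run the filter over the constructed archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = pathlib.Path(tmp) / "uploads"
        dest.mkdir()
        return safe_extract(build_sample_zip(), dest)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected :", bad)
```

The resolve-then-relative_to step is what makes the check robust: a lexical "does the name contain ../" test misses names such as `a/../../x`, and a plain string prefix test can be fooled by a sibling directory that merely shares the prefix (`uploads2/`).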

- Una Al Día - Adrián Vidal
Curing: an io_uring-based rootkit leaves many Linux security solutions "blind"

ARMO researchers have published Curing, a proof-of-concept rootkit that operates exclusively through the kernel's io_uring interface. By not invoking traditional system calls, the malware goes unnoticed by most EDRs and monitoring tools that base their detections on syscalls, including Falco, Tetragon (with […] The post "Curing: an io_uring-based rootkit leaves many Linux security solutions 'blind'" was first published in Una Al Día. Read More
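A syscall-oriented sensor never sees the file and network operations a process submits through an io_uring ring, so the first question for a defender is simply which processes hold a ring at all. A process that has called io_uring_setup(2) keeps a file descriptor whose /proc/<pid>/fd link target reads `anon_inode:[io_uring]`. The script below, an added example and not ARMO's Curing code, walks /proc for that marker; the parsing is separated from the filesystem walk so it can be exercised against a constructed fd table. It is an inventory aid, not a rootkit detector: a process that legitimately uses io_uring (some databases and runtimes do) will show up as well.

```python
"""List processes holding io_uring instances, using /proc fd link targets."""
import os

IO_URING_TARGET = "anon_inode:[io_uring]"


def io_uring_fds(fd_targets):
    """fd_targets: {fd_number: readlink target}. Return the fds that are rings."""
    return sorted(fd for fd, target in fd_targets.items() if target == IO_URING_TARGET)


def read_fd_table(fd_dir):
    """Return {fd: link target} for one /proc/<pid>/fd directory, best effort."""
    targets = {}
    for fd in os.listdir(fd_dir):
        try:
            targets[int(fd)] = os.readlink(os.path.join(fd_dir, fd))
        except (OSError, ValueError):
            continue  # fd closed between listdir and readlink, or not numeric
    return targets


def scan_proc(proc_root="/proc"):
    """Return {pid: [ring fds]} for every live process holding an io_uring fd.

    Run as root for full coverage: /proc/<pid>/fd of other users' processes
    is not readable otherwise, and such processes are silently skipped.
    """
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            table = read_fd_table(fd_dir)
        except (PermissionError, FileNotFoundError):
            continue
        rings = io_uring_fds(table)
        if rings:
            hits[int(entry)] = rings
    return hits


# Constructed fd table: one ring among ordinary descriptors.
SAMPLE_FD_TABLE = {
    0: "/dev/pts/3",
    1: "/dev/pts/3",
    3: "socket:[48213]",
    4: "anon_inode:[io_uring]",
    5: "anon_inode:[eventpoll]",
    6: "/var/log/app.log",
}


if __name__ == "__main__":
    for pid, fds in sorted(scan_proc().items()):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            comm = "?"
        print(f"pid {pid} ({comm}) io_uring fds: {fds}")
```

Where io_uring is not needed, the interface can be switched off entirely on Linux 6.6 and later with the sysctl `kernel.io_uring_disabled=2`, which removes this blind spot rather than trying to instrument it.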

- Notices
Missing authorization check in SAP NetWeaver Visual Composer

Missing authorization check in SAP NetWeaver Visual Composer. Fri, 25/04/2025 - 08:29. Notice. Affected Resources: SAP NetWeaver Visual Composer, Framework v7.50. Description: SAP and Onapsis have published a security note to communicate the existence of a critical 0-day vulnerability that could allow an unauthenticated attacker to gain full control of SAP systems. The vulnerability is known to be actively exploited by ransomware actors. Identifier: INCIBE-2025-0198. 5 - Critical. Solution: Update as soon as possible to the latest version. SAP has published, outside its usual update cycle, note 3594142 to fix this issue. Detail: The critical 0-day vulnerability occurs because the Meta Uploader component does not perform proper authorization checks, allowing unauthenticated attackers to Read More

- Cybersecurity Log

Data leak at Moroccan institutions raises political tensions with Algeria 09/04/2025 Thu, 24/04/2025 - 13:23. On 8 April 2025, the threat actor Jabaroot published on BreachForums confidential data extracted from Morocco's National Social Security Fund (CNSS). The leaked dataset includes more than 53,000 files containing detailed records of nearly half a million companies and nearly 2 million employees. The documents include data such as company affiliation, employee ID numbers, salaries and contact information. In addition, most of the data appears to have been stored in clear text on the compromised servers. According to statements by Jabaroot, the CNSS leak appears to be politically motivated: Jabaroot claims the attack was carried out in retaliation for an earlier attack Read More

- Notices
[Update 30/04/2025] Unauthenticated remote code execution in the Erlang/OTP SSH server affecting multiple Cisco products

[Update 30/04/2025] Unauthenticated remote code execution in the Erlang/OTP SSH server affecting multiple Cisco products. Thu, 24/04/2025 - 09:30. Notice. Affected Resources: The following products are affected by the vulnerability. Network Application, Service and Acceleration: ConfD, ConfD Basic (1). Network Management and Provisioning: Network Services Orchestrator (NSO) (1); Smart PHY. Routing and Switching - Enterprise & Service Provider: Intelligent Node Manager; Ultra Cloud Core - Subscriber Microservices Infrastructure. Note: Products marked with (1) are vulnerable because they accept unauthenticated channel request messages but, because of how they are configured, are not vulnerable to remote code execution (RCE). Cisco provides two additional lists, one of products not affected by the vulnerability and another of products whose possible impact is still under investigation. Both lists can be consulted at the link in the references. [Update 30/04/2025] Cisco has Read More
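The distinction the notice draws, "accepts unauthenticated channel request messages" versus "vulnerable to RCE", is a property of the server's message dispatcher: whether connection-protocol messages (channel open, channel request) are acted on before the user-authentication phase has completed, and whether the channel handler behind them can run a command. The simulation below is an added example, not Erlang/OTP or Cisco code; it replays two constructed message sequences against a toy SSH server in both configurations. Message numbers follow RFC 4250 (50 USERAUTH_REQUEST, 52 USERAUTH_SUCCESS, 90 CHANNEL_OPEN, 98 CHANNEL_REQUEST; 80-127 is the connection protocol range). The credential store, the channel ids and the commands are assumptions for the demo.

```python
"""Toy SSH server dispatcher: acting on channel messages before authentication."""
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
CONNECTION_PROTOCOL_MIN = 80   # RFC 4250: 80-127 are connection-protocol messages

USERS = {"admin": "correct-horse"}   # constructed credential store


class SshServer:
    def __init__(self, gate_on_auth: bool):
        self.gate_on_auth = gate_on_auth  # hardened: refuse 80+ until authenticated
        self.authenticated = False
        self.channels = set()
        self.executed = []                # commands the server would have spawned
        self.log = []

    def handle(self, msg_type, payload):
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            user, method, secret = payload
            if method == "password" and USERS.get(user) == secret:
                self.authenticated = True
                return SSH_MSG_USERAUTH_SUCCESS
            return "USERAUTH_FAILURE"
        if msg_type >= CONNECTION_PROTOCOL_MIN and not self.authenticated and self.gate_on_auth:
            self.log.append(f"dropped message {msg_type} before authentication")
            return "DISCONNECT"           # protocol violation: close the connection
        if msg_type == SSH_MSG_CHANNEL_OPEN:
            chan_type, chan_id = payload
            if chan_type == "session":
                self.channels.add(chan_id)
                return "CHANNEL_OPEN_CONFIRMATION"
            return "CHANNEL_OPEN_FAILURE"
        if msg_type == SSH_MSG_CHANNEL_REQUEST:
            chan_id, req_type, command = payload
            if chan_id not in self.channels:
                return "CHANNEL_FAILURE"
            if req_type == "exec":
                self.executed.append(command)   # the vulnerable path: exec pre-auth
                return "CHANNEL_SUCCESS"
            return "CHANNEL_FAILURE"
        return "UNIMPLEMENTED"


def replay(server, messages):
    """Feed messages in order, stopping as soon as the server disconnects."""
    replies = []
    for msg_type, payload in messages:
        reply = server.handle(msg_type, payload)
        replies.append(reply)
        if reply == "DISCONNECT":
            break
    return replies


# Constructed attacker sequence: no USERAUTH_REQUEST at all.
PREAUTH_ATTACK = [
    (SSH_MSG_CHANNEL_OPEN, ("session", 0)),
    (SSH_MSG_CHANNEL_REQUEST, (0, "exec", "id > /tmp/pwned")),
]

# Constructed legitimate session: authenticate, then open a channel and exec.
LEGIT_SESSION = [
    (SSH_MSG_USERAUTH_REQUEST, ("admin", "password", "correct-horse")),
    (SSH_MSG_CHANNEL_OPEN, ("session", 0)),
    (SSH_MSG_CHANNEL_REQUEST, (0, "exec", "uptime")),
]


def commands_run(messages, gate_on_auth):
    """Commands the server would execute for a message sequence and configuration."""
    srv = SshServer(gate_on_auth)
    replay(srv, messages)
    return srv.executed


if __name__ == "__main__":
    print("ungated, pre-auth attack:", commands_run(PREAUTH_ATTACK, False))
    print("gated,   pre-auth attack:", commands_run(PREAUTH_ATTACK, True))
    print("gated,   legit session  :", commands_run(LEGIT_SESSION, True))
```

The "(1)" products in the notice correspond to the ungated server with no exec handler behind the session channel: the channel open and request are still accepted before authentication, which is the protocol bug, but nothing executes, which is why the vendor rates them as not vulnerable to RCE.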

- Cybersecurity Log

Unauthorized access to the emails of senior officials at a U.S. banking regulator 08/04/2025 Tue, 22/04/2025 - 14:55. A group of hackers accessed sensitive information after breaching the email system used by the Office of the Comptroller of the Currency (OCC) of the United States. On Tuesday 8 April the OCC notified Congress of a serious security incident that had first been announced in February. The agency is an independent bureau within the Treasury Department that regulates all national banks, federal savings associations and branches of foreign banks. The OCC found that the unauthorized access to the emails of several of its executives and employees included highly sensitive information on the financial condition of federally regulated institutions, used in its examinations Read More

- Notices
Multiple vulnerabilities in Moodle

Multiple vulnerabilities in Moodle. Tue, 22/04/2025 - 10:49. Notice. Affected Resources: Moodle, versions 4.5 to 4.5.3; 4.4 to 4.4.7; 4.3 to 4.3.11; 4.1 to 4.1.17 and earlier unsupported versions (CVE-2025-3643, CVE-2025-3642 and CVE-2025-3641). Versions 4.5 to 4.5.3; 4.4 to 4.4.7 and 4.3 to 4.3.11 (CVE-2025-3625). The affected versions for the vulnerabilities whose severity is not high or critical can be found in the security notice in the references. Description: Several researchers have reported 15 vulnerabilities: 2 of critical severity, 2 of high severity and 11 of medium and low severity, whose exploitation could allow an attacker to achieve remote code execution or cause a denial of service (DoS), among other things. Identifier: INCIBE-2025-0197. 5 - Critical. Solution: Moodle has fixed the reported vulnerabilities in the following versions: 4.5.4, 4.4.8, 4.3.12 and 4.1.18 (CVE-2025-3643, CVE-2025-3642 and CVE-2025-3641). 4.5.4, 4.4.8 Read More

- Notices
Cross-Site Scripting (XSS) in TP-Link products

Cross-Site Scripting (XSS) in TP-Link products. Tue, 22/04/2025 - 10:32. Notice. Affected Resources: TP-Link WR841N v14/v14.6/v14.8, build versions up to and including 241230 Rel. 50788n. Description: TP-Link has published a high-severity vulnerability whose exploitation could allow a remote attacker to inject arbitrary JavaScript code. Identifier: INCIBE-2025-0196. 4 - High. Solution: TP-Link has fixed the vulnerability in build version 250328 Rel. 49245n. Detail: A stored Cross-Site Scripting (XSS) vulnerability in the upnp.htm page of the web interface of TP-Link WR841N v14/v14.6/v14.8 could allow remote attackers to inject arbitrary JavaScript code through the port mapping description. This leads to execution of the JavaScript payload when the upnp page loads. The identifier CVE-2025-25427 has been assigned to this vulnerability. Reference list: Statement on cross-site scripting (XSS) vulnerability on TP-Link WR841N Read More

- Notices
Oracle critical updates (April 2025)

Oracle critical updates (April 2025). Mon, 21/04/2025 - 11:19. Notice. Affected Resources: GoldenGate Stream Analytics, versions 19.1.0.0.0-19.1.0.0.10; JD Edwards EnterpriseOne Tools, versions 9.2.0.0-9.2.9.2; Management Cloud Engine, version 24.3.0; MySQL Client, versions 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0; MySQL Cluster, versions 7.6.0-7.6.33, 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0; MySQL Connectors, versions 9.0.0-9.2.0; MySQL Enterprise Backup, versions 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0; MySQL Server, versions 8.0.0-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0; MySQL Shell, versions 8.0.32-8.0.41, 8.4.0-8.4.4, 9.0.0-9.2.0; MySQL Workbench, versions 8.0.0-8.0.41; Oracle Access Manager, version 12.2.1.4.0; Oracle Agile Engineering Data Management, version 6.2.1; Oracle Application Express, versions 23.2.15, 23.2.16, 24.1.9, 24.1.10, 24.2.3, 24.2.4; Oracle Application Testing Suite, version 13.3.0.1; Oracle Banking APIs, versions 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0; Oracle Banking Corporate Lending Process Management, versions 14.5.0.0.0-14.7.0.0.0; Oracle Banking Digital Experience, versions 21.1.0.0.0, 22.1.0.0.0, 22.2.0.0.0; Oracle Banking Liquidity Management, version 14.7.0.7.0; Oracle Banking Origination, versions 14.5.0.0.0-14.7.0.0.0; Oracle BI Publisher, versions 7.6.0.0.0, 12.2.1.4.0; Oracle Business Activity Monitoring, version 14.1.2.0.0; Oracle Business Intelligence Enterprise Edition, versions 7.6.0.0.0, 12.2.1.4.0; Oracle Business Process Management Suite, versions 12.2.1.4.0, 14.1.2.0.0; Autonomous Health Framework, versions Read More

- Una Al Día - Karina Dudinskikh
Alert in Windows: NTLM vulnerability (CVE-2025-24054) exploited for hash theft

Last Thursday the Cybersecurity and Infrastructure Security Agency (CISA) of the United States added a medium-severity vulnerability (CVSSv3: 6.5), identified as CVE-2025-24054, to its Known Exploited Vulnerabilities (KEV) catalog. The post "Alert in Windows: NTLM vulnerability (CVE-2025-24054) exploited for hash theft" was first published in Una Al Día. Read More

- Cybersecurity Log

British postal service Royal Mail suffers data leak 02/04/2025 Wed, 16/04/2025 - 13:57. On 2 April 2025, the actor known as GHNA posted on the cybercriminal forum BreachForums 144 GB of data stolen from Royal Mail Group. Attached to the post were 293 folders and 16,549 files, free to download. The announced data includes customers' personal information, confidential documents, video recordings of internal Zoom meetings, delivery locations, databases and mailing lists, among other sensitive information. The source of the leak was the third-party service provider Spectos GmbH, a company dedicated to monitoring and logistics for the postal service. As had happened with the Samsung leak of 30 March, GHNA accessed Spectos' infrastructure using the stolen credentials Read More

- Cybersecurity Log

Data leak of more than 665,000 medical studies in Argentina 04/04/2025 Tue, 15/04/2025 - 14:49. The cybercriminal group D0T has released the results of 665,128 medical studies taken from the provider Medical Report, which is contracted by 30 clinics, sanatoriums and hospitals in Argentina. The publication was announced on cybercriminal forums dedicated to trading sensitive information and leaks. The incident was detected on 4 April by Birmingham Cyber Arms LTD, a platform dedicated to cybersecurity threat intelligence. Medical Report is a developer of medical image storage and distribution systems, and also provides other medical management tools. The published studies cover different types of medical data, ranging from X-ray, ultrasound and scan images to general laboratory analyses and specific tests, and even cases of Read More

- Una Al Día - Adrián Vidal
Critical vulnerability found in Rancher/SUSE

A vulnerability has been identified in Rancher where a Restricted Administrator can change the password of Administrators and take control of their accounts. A Restricted Administrator should not be able to change the password of more privileged users unless it holds the Manage Users permission. Rancher deployments where the Restricted Administrator role is not used are not affected by this CVE. The post "Critical vulnerability found in Rancher/SUSE" was first published in Una Al Día. Read More

- Una Al Día - Karina Dudinskikh
PipeMagic: CVE-2025-29824 exploitation in CLFS linked to ransomware campaigns

Microsoft has confirmed zero-day exploitation of CVE-2025-29824, an elevation of privilege (EoP) flaw in the Windows Common Log File System (CLFS) that allowed attackers to gain SYSTEM privileges through memory corruption. The flaw, fixed in the April 2025 security update, was used in ransomware campaigns targeting entities in strategic sectors, including IT organizations in the U.S., the financial sector in Venezuela and companies in Saudi Arabia. The post "PipeMagic: CVE-2025-29824 exploitation in CLFS linked to ransomware campaigns" was first published in Una Al Día. Read More

- Cybersecurity Log

Data leak at Samsung exposes 270,000 customer records 30/03/2025 Thu, 10/04/2025 - 13:15. On 30 March 2025, the technology giant Samsung fell victim to a leak of its customers' data. Among it, personal information such as names, postal and email addresses has been identified, along with transaction information, order numbers, tracking URLs, support interactions and communications between customers and Samsung. The author of the leak, GHNA, published approximately 270,000 customer records allegedly stolen from Samsung Germany's support ticketing system. GHNA accessed the system's infrastructure using credentials stolen from an employee in 2021, after infection with the Raccoon infostealer. The stolen account belonged to Spectos GmbH, a Samsung service provider used to monitor and improve the Read More

- Cybersecurity Log

Call center in Alicante that defrauded more than 2 million euros dismantled 26/03/2025 Tue, 08/04/2025 - 15:58. The National Police has dismantled a call center in Alicante from which different types of fraud were carried out, such as the hitman extortion and the son-in-distress scam. 73 people who were part of the criminal organization were arrested; they acted as recruiters, extractors, "mules" and "voices". In the police operation, 22 simultaneous searches were carried out in Valencia, Barcelona and Alicante, seizing around 250,000 euros, firearms and machetes and freezing 129 bank accounts, three homes and more than 20 vehicles. The agents found a call center operating 24 hours a day in a house in the town of Read More

- Cybersecurity Log

Information leak at California Cryobank 14/03/2025 Thu, 03/04/2025 - 16:39. California Cryobank (CCB), a large sperm donation company in the United States, has recently notified its customers that it suffered a data breach that exposed their personal information. California Cryobank detected evidence of suspicious activity on its network, which had occurred on 20 April 2024, and isolated computers from the network. The incident was detected by the company itself on 4 October 2024. From there, an investigation was conducted which found that the attack exposed various personal data of thousands of customers, including names, bank account and routing numbers, Social Security numbers, driver's license numbers, payment card numbers and/or health insurance information. By Read More

- Una Al Día - Karina Dudinskikh
Telegram is used by Triton RAT to access and control systems remotely

A highly sophisticated remote access trojan (RAT), written in Python and named Triton, has been identified as an APT-level (Advanced Persistent Threat) threat that uses the Telegram platform as its command and control (C2) infrastructure. The post "Telegram is used by Triton RAT to access and control systems remotely" was first published in Una Al Día. Read More

- Una Al Día - Adrián Vidal
Critical vulnerability in a Kubernetes component

Serious security flaw in Kubernetes. Specifically, the problem lies in the Ingress NGINX Controller component, which acts as a "gateway" for web traffic into applications running inside Kubernetes. CVE-2025-1974 allows an attacker to take control of that component without logging in or holding any credentials. The post "Critical vulnerability in a Kubernetes component" was first published in Una Al Día. Read More

- Cybersecurity Log

Akira ransomware group bypasses EDR via webcam 05/03/2025 Thu, 27/03/2025 - 13:43. Cybersecurity firm S-RM has revealed a new tactic used by the Akira group: the ransomware was deployed from a webcam, bypassing the EDR protection (the evolution of what was formerly known as antivirus). The incident was analyzed by S-RM itself while monitoring the private network of its client, the victim of the attack. First, Akira accessed the victim's server by exploiting Windows Remote Desktop Services. Once access was gained, a ZIP file containing the ransomware binary was downloaded. At that point, the EDR deployed on the server detected the download and quarantined Read More

- Cybersecurity Log

Tarlogic discovers undocumented HCI commands in Espressif's ESP32 module 06/03/2025 Fri, 21/03/2025 - 12:19. Researchers from the cybersecurity company Tarlogic presented their Bluetooth device auditing solution on 6 March at the RootedCON conference in Madrid. In that context, Tarlogic detected 29 commands not documented by the manufacturer Espressif in the ESP32 module, a microcontroller that provides Wi-Fi and Bluetooth connectivity. The ESP32 is one of the most widely used models worldwide in IoT (Internet of Things) environments and is present in millions of consumer devices. These manufacturer-specific commands can be used to read and write RAM and flash, as well as to send some types of low-level packets that cannot normally be sent from the host, due to the characteristics of Read More

- Una Al Día - Adrián Vidal
SSTI vulnerability found in AutoGPT

AutoGPT is an advanced artificial intelligence tool with more than 174,000 stars on GitHub that uses language models such as GPT-4 to perform complex tasks autonomously. What sets it apart is that it can generate objectives, plan intermediate steps and execute specific actions on its own, managing the whole process end to end. The post "SSTI vulnerability found in AutoGPT" was first published in Una Al Día. Read More

- Una Al Día - Karina Dudinskikh
Critical vulnerability in Edimax IC-7100 devices used to spread the Mirai botnet

Threat actors have launched exploitation campaigns against an unpatched vulnerability (CVE-2025-1316, CVSS v4: 9.3) in Edimax IC-7100 network cameras, used as a vector to deploy variants of the Mirai botnet since May 2024. This critical flaw, classified as an operating-system command injection vulnerability, enables remote code execution (RCE) through maliciously crafted requests. The post "Critical vulnerability in Edimax IC-7100 devices used to spread the Mirai botnet" was first published in Una Al Día. Read More

- Cybersecurity Log

Kaspersky report: 2.3 million bank cards leaked on the dark web 04/03/2025 Fri, 14/03/2025 - 10:49. Kaspersky estimates that 2.3 million bank cards were leaked on the dark web between 2023 and 2024, based on an analysis of log files from various data-stealing malware families known as infostealers. This type of malware steals not only financial information but also credentials, cookies and other sensitive data, which are then collected and sold on the dark web. It is estimated that roughly one in fourteen infostealer infections results in the theft of credit card information, with almost 26 million devices compromised by these actors, more than 9 million of them in 2024 alone. Redline is the most widespread infostealer of recent years, accounting for 34% of the infections analyzed. Without Read More

- Una Al Día - Adrián Vidal
Serious vulnerability in Kibana: command execution risk

A critical prototype pollution vulnerability has been found in the Kibana data visualization software. The vulnerability has a CVSS score of 9.9 and can lead to command execution through specially crafted HTTP requests via a file upload. The post "Serious vulnerability in Kibana: command execution risk" was first published in Una Al Día. Read More