Why nested deserialization is STILL harmful – Magento RCE (CVE-2025-54236) › Searchlight Cyber
@GoSecurity
https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/
@GoSecurity
https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/
Searchlight Cyber
Why nested deserialization is harmful: Magento RCE (CVE-2025-54236)
Magento is still one of the most popular e-commerce solutions in use on the internet, estimated to be running on more than 130,000 websites. It is also offered as an enterprise offering by Adobe under the name Adobe Commerce, which receives automatic patching.…
هکرها برای ۷۳ آسیبپذیری زیرودی در مسابقه Pwn2Own ایرلند، ۱٬۰۲۴٬۷۵۰ دلار کسب کردند
مسابقه هک Pwn2Own ایرلند ۲۰۲۵ با جمعآوری جوایز نقدی به مبلغ ۱٬۰۲۴٬۷۵۰ دلار توسط پژوهشگران امنیتی پس از بهرهبرداری از ۷۳ آسیبپذیری صفر روزه به پایان رسید.
@GoSecurity
https://www.bleepingcomputer.com/news/security/hackers-earn-1-024-750-for-73-zero-days-at-pwn2own-ireland/
مسابقه هک Pwn2Own ایرلند ۲۰۲۵ با جمعآوری جوایز نقدی به مبلغ ۱٬۰۲۴٬۷۵۰ دلار توسط پژوهشگران امنیتی پس از بهرهبرداری از ۷۳ آسیبپذیری صفر روزه به پایان رسید.
@GoSecurity
https://www.bleepingcomputer.com/news/security/hackers-earn-1-024-750-for-73-zero-days-at-pwn2own-ireland/
BleepingComputer
Hackers earn $1,024,750 for 73 zero-days at Pwn2Own Ireland
The Pwn2Own Ireland 2025 hacking competition has ended with security researchers collecting $1,024,750 in cash awards after exploiting 73 zero-day vulnerabilities.
CVE-2022-4445
The FL3R FeelBox WordPress plugin through 8.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
@GoSecurity
The FL3R FeelBox WordPress plugin through 8.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
@GoSecurity
WPScan
FL3R FeelBox <= 8.1 - Unauthenticated SQLi
See details on FL3R FeelBox <= 8.1 - Unauthenticated SQLi CVE 2022-4445. View the latest Plugin Vulnerabilities on WPScan.
⚠️ ALERT: A Chrome zero-day (CVE-2025-2783) was exploited to deliver spyware built by Memento Labs — the firm behind past government surveillance tools.
One click in Chromium = full sandbox escape.
@GoSecurity
Read this → https://thehackernews.com/2025/10/chrome-zero-day-exploited-to-deliver.html
One click in Chromium = full sandbox escape.
@GoSecurity
Read this → https://thehackernews.com/2025/10/chrome-zero-day-exploited-to-deliver.html
👨💻1
New Atroposia malware comes with a local vulnerability scanner
A new malware-as-a-service (MaaS) platform named Atroposia provides cybercriminals a remote access trojan that combines capabilities for persistent access, evasion, data theft, and local vulnerability scanning. [...]
@GoSecurity
https://www.bleepingcomputer.com/news/security/new-atroposia-malware-comes-with-a-local-vulnerability-scanner/
A new malware-as-a-service (MaaS) platform named Atroposia provides cybercriminals a remote access trojan that combines capabilities for persistent access, evasion, data theft, and local vulnerability scanning. [...]
@GoSecurity
https://www.bleepingcomputer.com/news/security/new-atroposia-malware-comes-with-a-local-vulnerability-scanner/
BleepingComputer
New Atroposia malware comes with a local vulnerability scanner
A new malware-as-a-service (MaaS) platform named Atroposia provides cybercriminals a remote access trojan that combines capabilities for persistent access, evasion, data theft, and local vulnerability scanning.
WordPress security plugin exposes private data to site subscribers
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, has a vulnerability that allows subscribers to read any file on the server, potentially exposing private information.
@GoSecurity
https://www.bleepingcomputer.com/news/security/wordpress-security-plugin-exposes-private-data-to-site-subscribers/
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, has a vulnerability that allows subscribers to read any file on the server, potentially exposing private information.
@GoSecurity
https://www.bleepingcomputer.com/news/security/wordpress-security-plugin-exposes-private-data-to-site-subscribers/
BleepingComputer
WordPress security plugin exposes private data to site subscribers
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, has a vulnerability that allows subscribers to read any file on the server, potentially exposing private information.