Latest CyberSec News by @thecyberpicker

Hackers don't break in—they log in. Credential-based attacks now fuel nearly half of all breaches. Learn how to scan your Active Directory for compromised passwords and stop attackers before they strike.

Explore how Data Security Posture Management (DSPM) enhances traditional DLP by offering real-time visibility, risk assessment, and automated protection.

Hackers don't break in—they log in. Credential-based attacks now fuel nearly half of all breaches. Learn how to scan your Active Directory for compromised passwords and stop attackers before they strike.

Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware.

This week in cybersecurity from the editors at Cybercrime Magazine

Cisco has released security updates for a high-severity Webex vulnerability that allows unauthenticated attackers to gain client-side remote code execution using malicious meeting invite links.

Multi-stage phishing attack in Dec 2024 used .JSE, PowerShell, and AutoIt to deliver Agent Tesla.

A Server-Side Request Forgery (SSRF) attack occurs when an attacker tricks a server into making requests to other services. Review a real-world SSRF attack.

Inventio Lite 4 - SQL Injection. CVE-2024-44541 . webapps exploit for PHP platform

UJCMS 9.6.3 - User Enumeration via IDOR. CVE-2024-12483 . webapps exploit for Multiple platform

KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection. CVE-2024-11728 . webapps exploit for PHP platform

Langflow 1.3.0 - Remote Code Execution (RCE). CVE-2025-3248 . remote exploit for Multiple platform

Apache Commons Text 1.10.0 - Remote Code Execution. CVE-2022-42889 . webapps exploit for Multiple platform

Tatsu 3.3.11 - Unauthenticated RCE. CVE-2021-25094 . webapps exploit for PHP platform

Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation. CVE-2024-11972 . webapps exploit for Multiple platform

Le Digital Markets Act, le règlement européen sur le droit du numérique, force Apple à autoriser l'installation de magasins concurrents de l'App Store sur ses iPhone et iPad. AltStore Classic, disponible depuis le 17 avril, permet d'installer des applications illégales avec du contenu pirate. Des mois avant l'entrée

AI use in SaaS tools bypasses security controls, creating shadow integrations and real breach risks.

Russian state actor Midnight Blizzard is using fake wine tasting events as a lure to spread malware for espionage purposes, according to Check Point

XorDDoS malware targeted 71.3% of U.S. systems in latest wave; Docker, IoT, and Linux bots fuel rise.

Windows flaw CVE-2025-24054 actively exploited since March 19 to leak NTLM hashes via phishing attacks.

A near-miss episode of attempted defunding spotlights a need for a better way

A critical vulnerability in the Erlang/OTP SSH, tracked as CVE-2025-32433, has been disclosed that allows for unauthenticated remote code execution on vulnerable devices.

A highly active threat group says it will release stolen information, months after an attack disrupted e-commerce operations at the grocer’s U.S. business.

A near-miss episode of attempted defunding spotlights a need for a better way

Entertainment venue management firm Legends International warns it suffered a data breach in November 2024, which has impacted employees and people who visited venues under its management.

In this week’s newsletter, Thorsten muses on how search engines and AI quietly gather your data while trying to influence your buying choices. Explore privacy-friendly alternatives and get the scoop on why it's important to question the platforms you interact with online.

compop.ca 3.5.3 - Arbitrary code Execution. CVE-2024-48445 . webapps exploit for Multiple platform

AnyDesk 9.0.1 - Unquoted Service Path.. local exploit for Windows platform