All I Want for Xmas Is Your Secrets: LangGrinch Hits LangChain (CVE-2025-68664)
https://cyata.ai/blog/langgrinch-langchain-core-cve-2025-68664/
#HackerNews #LangGrinch #LangChain #CVE2025 #cybersecurity #secrets
🚨 CVE-2025-14388: CRITICAL vuln in PhastPress (≤3.7) lets unauth attackers read files like wp-config.php using double-encoded null bytes. Patch unavailable—disable plugin, block %2500 in URLs, monitor logs! https://radar.offseq.com/threat/cve-2025-14388-cwe-158-improper-neutralization-of--469918d2 #OffSeq #WordPress #Vulnerability #CVE2025
🔎 CVE-2025-11544 (CRITICAL, CVSS 9.5): Sharp Display Solutions projectors let attackers upload unauthorized firmware—remote, no auth needed. All models vulnerable. Urgently segment, restrict, and monitor! https://radar.offseq.com/threat/cve-2025-11544-cwe-912-hidden-functionality-in-sha-156315c0 #OffSeq #CVE2025 #infosec #embeddedsecurity
🔴 CVE-2025-11545: CRITICAL vuln in all Sharp projectors—embedded HTTP server leaks sensitive info, enables unauth’d remote actions. Network access only! Segment, restrict HTTP, monitor for abuse. Patch ASAP when available. https://radar.offseq.com/threat/cve-2025-11545-cwe-497-exposure-of-sensitive-syste-092c5862 #OffSeq #CVE2025 #IoTSecurity
🚨 CVE-2025-15016: CRITICAL flaw in Ragic Enterprise Cloud Database. Hard-coded crypto key enables remote, unauthenticated access as any user. Audit & restrict access urgently. No patch yet—mitigate now! https://radar.offseq.com/threat/cve-2025-15016-cwe-321-use-of-hard-coded-cryptogra-828a99de #OffSeq #CloudSecurity #Vulnerability #CVE2025
🚨 CVE-2025-68398: CRITICAL vuln in Weblate (<5.15.1). Privileged users can overwrite Git configs, risking full system compromise. Patch to 5.15.1+ & audit Git settings now! https://radar.offseq.com/threat/cve-2025-68398-cwe-20-improper-input-validation-in-186802ce #OffSeq #Weblate #Infosec #CVE2025
⚠️ CRITICAL: CVE-2025-47372 impacts Qualcomm Snapdragon (many models). Classic buffer overflow via oversized ELF files causes memory corruption—no auth required. Security teams: review exposure & monitor for updates. https://radar.offseq.com/threat/cve-2025-47372-cwe-120-buffer-copy-without-checkin-1257e58a #OffSeq #Vulnerability #Snapdragon #CVE2025
⚠️ HIGH severity: CVE-2025-11924 impacts Ninja Forms (WordPress), letting unauthenticated attackers access form data via REST API. Patch 3.13.1 is ineffective. Restrict API, audit tokens, and monitor logs. More info: https://radar.offseq.com/threat/cve-2025-11924-cwe-639-authorization-bypass-throug-69810fa6 #OffSeq #WordPress #CVE2025 #Security
🚨 CRITICAL: CVE-2025-13955 in EZCast Pro II v1.17478.146 — Predictable default Wi-Fi password lets attackers nearby calculate access credentials. Review your AP configs & restrict access. More info: https://radar.offseq.com/threat/cve-2025-13955-cwe-330-use-of-insufficiently-rando-ef4a57fd #OffSeq #CVE2025 #IoTSecurity #Infosec
Cal.com has patched a critical authentication bypass (CVE-2025-66489) that allowed attackers to submit any non-empty TOTP field and skip password checks. Versions ≤5.9.7 were impacted.
Update to 5.9.8 to ensure both password and TOTP verification are enforced.
How should MFA implementations be validated to prevent logic gaps like this?
Share your insights and follow us for more security reporting.
#infosec #appsec #CVE2025 #authentication #MFA #ThreatIntel #SecureCoding #SoftwareSecurity #VulnerabilityManagement #SecurityUpdate
🛡️ CVE-2025-13646: HIGH severity in wpchill Image Gallery for WordPress (v2.13.1). Authenticated Author+ users can upload dangerous files, risking RCE. Restrict roles, monitor uploads, and patch ASAP. https://radar.offseq.com/threat/cve-2025-13646-cwe-434-unrestricted-upload-of-file-7a8848e4 #OffSeq #WordPress #Vuln #CVE2025 #Cybersecurity
⚠️ CRITICAL: CVE-2025-13658 hits Industrial Video & Control Longwatch v6.309 — remote unauthenticated code execution via HTTP GET grants SYSTEM privileges. No patch yet. Segment, restrict access, monitor traffic. Full advisory: https://radar.offseq.com/threat/cve-2025-13658-cwe-94-improper-control-of-generati-128a847f #OffSeq #OTSecurity #CVE2025
ASUS has patched a high-severity local privilege escalation flaw (CVE-2025-59373) in MyASUS that allowed elevation to NT AUTHORITY/SYSTEM via the System Control Interface Service. Patch now shipped through Windows Update with updated versions for x64 and ARM.
#infosec #vulnerability #ASUS #WindowsSecurity #patchmanagement #CVE2025
🚨 CVE-2025-13597 (CRITICAL): soportecibeles AI Feeds ≤1.0.11 for WordPress allows unauthenticated file uploads via 'actualizador_git.php', enabling RCE. Restrict access & monitor file integrity while awaiting patch. Details: https://radar.offseq.com/threat/cve-2025-13597-cwe-434-unrestricted-upload-of-file-188b0f58 #OffSeq #WordPress #CVE2025
Threat actors are actively exploiting CVE-2025-59287 in WSUS to deploy ShadowPad.
ASEC notes the attackers used PowerCat for shell access, then fetched and installed ShadowPad with certutil/curl, executing it through DLL side-loading.
How are you securing WSUS or other update infrastructure in your environment?
💬 Share your insights
⭐ Follow TechNadu for timely threat intel
#infosec #WSUS #ShadowPad #CVE2025 #malware #threatintel #sysadmin #DFIR #TechNadu
🔥 CVE-2025-13551 (HIGH): Buffer overflow in D-Link DIR-822K/DWR-M920 (firmware 1.00_20250513164613, 1.1.50). Remote, unauthenticated RCE possible; public exploit out. Isolate & monitor now! More: https://radar.offseq.com/threat/cve-2025-13551-buffer-overflow-in-d-link-dir-822k-fa75096a #OffSeq #DLink #CVE2025 #RouterSecurity
🚨 CVE-2025-64762 (HIGH): workos authkit-nextjs <2.11.1 fails to set anti-caching headers, risking session token leaks via CDN caches. Upgrade to 2.11.1+ or review CDN cache configs now! https://radar.offseq.com/threat/cve-2025-64762-cwe-524-use-of-cache-containing-sen-e4c820e8 #OffSeq #Nextjs #Security #CVE2025
🚨 CRITICAL: CVE-2025-64310 in EPSON WebConfig for Projectors enables unlimited login attempts, risking brute force admin password attacks. Check vendor for affected versions & mitigation steps. https://radar.offseq.com/threat/cve-2025-64310-improper-restriction-of-excessive-a-919b7551 #OffSeq #CVE2025 #Vuln #InfoSec