#vulnerabilities

#vulnerabilities

CVE-2025-65717 (CVSS score: 9.1) - A vulnerability in Live Server that allows attackers to exfiltrate local files, tricking a developer into visiting a malicious website when the extension is running, causing JavaScript embedded in the page to crawl and extract files from the local development HTTP server that runs at localhost:5500, and transmit them to a domain under their control. (Remains unpatched)

Google on Tuesday announced the release of Chrome 145 to the stable channel with fixes for 11 vulnerabilities, including three high-severity bugs. First in line is CVE-2026-2313, a high-severity use-after-free issue in CSS that earned the reporting researchers an $8,000 bug bounty reward. The two other high-severity defects, tracked as CVE-2026-2314 and CVE-2026-2315, were found and reported by Google and are described as a heap buffer overflow in Codecs and an inappropriate implementation in WebGPU, respectively.

The most serious, with a CVSS score of 9.8, allows attackers to execute code with SYSTEM privileges without authentication. Organizations should immediately patch to Build 7190. The most dangerous vulnerability, CVE-2025-69258, is a remote code execution vulnerability in LoadLibraryEX. An attacker can load a malicious DLL into a critical part of the system without login credentials. This gives them full control with the highest system privileges. The impact is significant: confidentiality, integrity, and availability are all at stake.

Cybercrime is a serious threat to the global economy, destroying livelihoods, sowing distrust, and undermining growth. One forecast has it costing more than $15 trillion annually by the end of the decade. If so, only the GDPs of the U.S. and China are bigger. There's cause for hope, though. As cyberthreats evolve, innovation is meeting the challenge. New solutions are leveraging AI, real-time threat intelligence, collaborative networks, and advanced authentication technologies.

In July, Microsoft fixed a flaw in its file sharing service SharePoint that was already being exploited by attackers. Later that month, Microsoft warned that hackers were making use of the zero-day to distribute ransomware, adding even more risk to the serious vulnerability. The SharePoint flaw is just one example of attackers becoming faster at exploiting vulnerabilities before they can be properly addressed by vendors and patched by organizations.

On Monday, Google security engineering managers Jason Parsons and Zak Bennett said in a blog post that the new program, an extension of the tech giant's existing Abuse Vulnerability Reward Program (VRP), will incentivize researchers and bug bounty hunters to focus on "high-impact abuse issues and security vulnerabilities" in Google products and services.

Visualize any system's defenses against failure-a biological immune system, or a healthcare delivery system, or an aircraft control system-as a series of slices of delicious, creamy Emmentaler cheese. Each layer has a couple of holes (vulnerabilities) in it, of varying size, here and there, but as long as the holes are not aligned with each other, no threat to the system can pass all the way through all the layers,

Based on over 4,400 Java tasks, the report finds that depending on which of the four levels of reasoning capabilities that OpenAI now makes available, the overall quality of the code, especially in terms of the vulnerabilities generated, significantly improves. However, the overall volume of code being generated per task also substantially increases, which creates additional maintenance challenges for application developers that are not going to be familiar with how code might have been constructed in the first place.

At least one implementation of the end-to-end encryption solution endorsed by ETSI has a similar issue that makes it equally vulnerable to eavesdropping.

CISA analysed six files including two Dynamic Link-Library (.DLL), one cryptographic key stealer, and three web shells. Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint host system and exfiltrate data.

The first vulnerability (CVE-2025-23320 - 7.5) relates to a bug in the Python backend, triggered by exceeding the shared memory limit, using a very large request.

A leak happened here somewhere,” Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), told The Register. “And now you’ve got a zero-day exploit in the wild, and worse than that, you’ve got a zero-day exploit in the wild that bypasses the patch, which came out the next day.

Cisco updated its advisory regarding critical vulnerabilities in Identity Services Engine, acknowledging active exploitation. Some vulnerabilities were attempted to be exploited in the wild as of July 2025.

In the first half of 2025, it was observed that groups affiliated with China targeted key sectors like telecommunications and semiconductors through advanced cyber espionage activities.

CVE-2025-32462 has received a lower CVSS score due to the conditions that are needed. Namely, successful execution would require someone to make a misconfiguration and deploy a Sudoers file with an incorrect host for this vulnerability to work.

Cybersecurity researchers revealed that a critical vulnerability, CVE-2025-5777, in Citrix network management devices has been exploited for over a month, contradicting Citrix's claims.