Security Bulletin

Such investigation has been confirmed by DigitalMint, which promptly moved to terminate the employee following the accusations but has not provided details regarding the suspect's arrest.

Microsoft, PayPal, Docusign, and others are among the trusted brands threat actors use in socially engineered scams that try to get victims to call adversary-controlled phone numbers.

Threat actors could leverage the flaw — which stems from inadequate value sanitization conducted by the Forminator plugin's function for saving form entry fields to the database — to remove specific arbitrary files on the server upon the removal of a...

More severe of the vulnerabilities is the TM SGNL Spring Boot Actuator misconfiguration bug, tracked as CVE-2025-48927, which could be abused for memory dump downloads, while the other flaw, tracked as CVE-2025-48928, could be exploited to reveal...

Affected by the vulnerability, which stems from the availability of static user credentials for root accounts during development, were Cisco Unified CM and Unified CM SME Engineering Special releases 15.0.1.13010-1 to 15.0.1.13017-1.

Threat actors behind the intrusion had leveraged breached client credentials to infiltrate C&M's systems and services, according to C&M Commercial Director Kamal Zogheib, who noted that an investigation into the incident alongside Brazil's central...

Additional details regarding the possible political bent of the intrusion were not provided by a Columbia spokesperson, who noted an ongoing investigation into the attack's connection to the display of President Donald Trump's photo on multiple...

Investigation into the extent of the intrusion, which has not yet been claimed by a known threat actor, as well as efforts to recover other systems, are still underway following the restoration of critical systems, said Surmodics in a filing with the...

Many of the fake extensions were trojanized open-source versions of cryptocurrency wallets that contain code facilitating the exfiltration of wallet keys and seed phrases, which could be leveraged for subsequent cryptocurrency asset draining...

Russia-based bulletproof hosting (BPH) service offers no-questions-asked access to servers.

Passengers' personal information was likely accessed via a third-party platform used at a call center, but didn't include passport or credit card info.

Attackers can abuse malicious extensions to access critical data, including credentials, but organizations can reduce the risks by raising awareness and enforcing strict policy controls.