Vulnerabilities

Discussion related to Vulnerabilities

366 Topics 366 Posts
  • 0 Votes
    1 Posts
    48 Views
    CerberusC

    VMware urged immediate patching of the max-severity, arbitrary file upload flaw in Analytics service, which affects all appliances running default 6.5, 6.7 and 7.0 installs.

    https://threatpost.com/vmware-ransomware-bug-vcenter-server/174901/

  • 0 Votes
    1 Posts
    40 Views
    CerberusC

    The initiative, run by HackerOne, aims to uncover dangerous code repository bugs that end up going viral across the application supply-chain.

    https://threatpost.com/tiktok-github-facebook-open-source-bug-bounty/174898/

  • 0 Votes
    1 Posts
    48 Views
    CerberusC

    Misconfigured APIs make any app risky, but when you’re talking about financial apps, you’re talking about handing ne’er-do-wells the power to turn your pockets inside-out.

    https://threatpost.com/payment-api-exposes-payment-data/174825/

  • 0 Votes
    1 Posts
    44 Views
    CerberusC

    Cities, states, federal and military agencies should patch the Laserfiche CMS post-haste, said the security researcher whose jaw dropped at 50 sites hosting porn and Viagra spam.

    https://threatpost.com/porn-viagra-spams-govt-military-sites/174794/

  • 0 Votes
    1 Posts
    45 Views
    CerberusC

    Microsoft and RiskIQ researchers have identified several campaigns using the recently patched zero-day, reiterating a call for organizations to update affected systems.

    https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/

  • 0 Votes
    1 Posts
    59 Views
    CerberusC

    The newly identified bug in a Zoho single sign-on and password management tool has been under active attack since early August.

    https://threatpost.com/cisa-fbi-state-backed-apts-exploit-critical-zoho-bug/174768/

  • 0 Votes
    1 Posts
    60 Views
    CerberusC

    Adobe releases security updates for 59 bugs affecting its core products, including Adobe Acrobat Reader, XMP Toolkit SDK and Photoshop.

    https://threatpost.com/adobe-bugs-acrobat-experience-manager/169467/

  • 0 Votes
    1 Posts
    57 Views
    CerberusC

    Two of IBM’s aging flagship server models, retired in 2020, won’t be patched for a command-injection flaw.

    https://threatpost.com/no-patch-for-ibm-system-x-servers/169491/

  • 0 Votes
    1 Posts
    45 Views
    CerberusC

    Dubbed OMIGOD, a series of vulnerabilities in the Open Management Infrastructure used in Azure on Linux demonstrate hidden security threats, researchers said.

    https://threatpost.com/azure-zero-day-supply-chain/169508/

  • 0 Votes
    1 Posts
    56 Views
    CerberusC

    A driver privilege-escalation bug gives attackers kernel-mode access to millions of PCs used for gaming.

    https://threatpost.com/hp-omen-hub-gamers-cyberattack/169739/

  • 0 Votes
    1 Posts
    55 Views
    CerberusC

    A remote attacker could exploit a critical vulnerability to eavesdrop on live audio & video or take control. The bug is in ThroughTek’s Kalay network, used in 83m devices.

    https://threatpost.com/bug-iot-millions-devices-attackers-eavesdrop/168729/

  • 0 Votes
    1 Posts
    43 Views
    CerberusC

    The OS command-injection bug, in the web application firewall (WAF) platform known as FortiWeb, will get a patch this week.

    https://threatpost.com/unpatched-fortinet-bug-firewall-takeovers/168764/

  • 0 Votes
    1 Posts
    48 Views
    CerberusC

    Yaron Kassner, CTO at Silverfort, discusses authentication-bypass bugs in Cisco ASA, F5 Big-IP, IBM QRadar and Palo Alto Networks PAN-OS.

    https://threatpost.com/kerberos-authentication-spoofing/168767/

  • 0 Votes
    1 Posts
    56 Views
    CerberusC

    The once-dominant handset maker BlackBerry is busy squashing BadAlloc bugs in its QNX real-time operating system used in cars and medical devices.

    https://threatpost.com/blackberrys-qnx-devices-attacks/168772/

  • 0 Votes
    1 Posts
    50 Views
    CerberusC

    Security vulnerabilities in the ERP platform could allow attackers to tamper with or sabotage victims’ business-critical processes and to intercept data.

    https://threatpost.com/critical-sage-x3-rce-bug-allows-full-system-takeovers/167612/

  • 0 Votes
    1 Posts
    50 Views
    CerberusC

    Threat actors enlist compromised WordPress websites in campaign targeting macOS users.

    https://threatpost.com/macos-wildpressure-apt/167606/

  • 0 Votes
    1 Posts
    53 Views
    CerberusC

    David “moose” Wolpoff, CTO at Randori, discusses security appliances and VPNs and how attackers only have to “pick one lock” to invade an enterprise through them.

    https://threatpost.com/breaking-into-security-appliances/167584/

  • 0 Votes
    1 Posts
    54 Views
    CerberusC

    The fix doesn’t cover the entire problem nor all affected systems however, so the company also is offering workarounds and plans to release further remedies at a later date.

    https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/

  • Western Digital Users Face Another RCE

    0 Votes
    1 Posts
    45 Views
    CerberusC

    Say hello to one more zero-day and yet more potential remote data death for those who can’t/won’t upgrade their My Cloud storage devices.

    https://threatpost.com/rce-0-day-western-digital-users/167547/

  • 0 Votes
    1 Posts
    53 Views
    CerberusC

    REvil ransomware gang lowers price for universal decryptor after massive worldwide ransomware push against Kaseya security vulnerability CVE-2021-30116.

    https://threatpost.com/kaseya-patches-zero-day-exploits/167548/