V01d_N1𝕏
@v01d.bsky.social
SysAdmin | BlueTeam | Ethical Hacker | Poet of code and traveller of virtual worlds | Between penetration testing and system hardening | CyberSecurity #BugBounty #CyberDéfense
Reposted by V01d_N1𝕏
Django Team Patches High-Severity SQL Injection Flaw (CVE-2025-64459) and DoS Bug (CVE-2025-64458) in Latest Security Update
Django released urgent patches (v5.2.8+) for a Critical SQL Injection flaw (CVE-2025-64459) affecting QuerySet methods via the _connector keyword, risking remote database compromise.
securityonline.info
November 6, 2025 at 4:30 AM
Reposted by V01d_N1𝕏
This has been an extraordinary set of data to process: 1.3B unique passwords, 2B unique email addresses (including mine 😭) and almost 3M of our @haveibeenpwned.com subscribers in there. It’s been weeks of processing to get this loaded, and finally, it’s done www.troyhunt.com/2-billion-em...
2 Billion Email Addresses Were Exposed, and We Indexed Them All in Have I Been Pwned
I hate hyperbolic news headlines about data breaches, but for the "2 Billion Email Addresses" headline to be hyperbolic, it'd need to be exaggerated or overstated - and it isn't. It's rounded up from ...
www.troyhunt.com
November 6, 2025 at 5:09 AM
Repository contains a collection of 65+ tools and resources that can be useful for blue teaming activities.
GitHub - A-poc/BlueTeam-Tools: Tools and Techniques for Blue Team / Incident Response
Tools and Techniques for Blue Team / Incident Response - A-poc/BlueTeam-Tools
github.com
August 8, 2025 at 7:54 PM
CYBERATTACK / FRANCE

Bouygues Telecom was the victim of an intrusion on 6 August 2025, exposing the personal data and IBANs of 6.4 million customers.
www.corporate.bouyguestelecom.fr
August 7, 2025 at 7:02 AM
Plague: A Newly Discovered PAM-Based Backdoor for Linux.
by Pierre-Henri Pezier
Plague: A Newly Discovered PAM-Based Backdoor for Linux - Nextron Systems
www.nextron-systems.com
August 3, 2025 at 5:32 AM
Red Team Tactics - Evading EDR on Linux with io_uring
Red Team Tactics: Evading EDR on Linux with io_uring
Learn how to bypass modern defenses with io_uring
matheuzsecurity.github.io
July 16, 2025 at 7:59 PM
We Love Cybersecurity
May 23, 2025 at 11:53 AM
BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory

The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement.

www.akamai.com/blog/securit...
www.akamai.com
May 23, 2025 at 4:42 AM
🤣
May 14, 2025 at 11:55 AM
Reposted by V01d_N1𝕏
Critical Microsoft Telnet 0-Click Vulnerability Exposes Windows Credentials
A critical vulnerability in Microsoft Telnet Server enables attackers to bypass authentication completely, potentially gaining administrator access without valid credentials. Organizations running legacy Windows systems are advised to take immediate action, as no official patch is available.

The flaw, discovered by a security researcher with the handle Hacker Fantastic, exploits a misconfiguration in the NTLM authentication process of the Telnet MS-TNAP (Microsoft Telnet Authentication Protocol) extension. Designated a “0-click” vulnerability, it requires no user interaction and allows remote unauthenticated attackers to bypass authentication mechanisms entirely.

Affected systems include legacy Microsoft operating systems from Windows 2000 through Windows Server 2008 R2. While these systems are relatively old, many organizations still maintain such servers for legacy applications or infrastructure.

“A critical 0-click remote authentication bypass vulnerability in Microsoft Telnet Server allows attackers to gain access as any user, including Administrator, without requiring valid credentials,” according to security researchers who analyzed the vulnerability. The exploit works by manipulating the mutual authentication process between client and server.

Figure: Microsoft Telnet Client 0-click Vulnerability

The vulnerability stems from improper SSPI (Security Support Provider Interface) flag configuration during the authentication handshake. Specifically, researchers identified two critical misconfigurations: the server initializes NTLM security with the SECPKG_CRED_BOTH flag, and it calls AcceptSecurityContext() with the ASC_REQ_DELEGATE and ASC_REQ_MUTUAL_AUTH flags. This combination allows attackers to invert the authentication relationship, essentially tricking the server into authenticating itself to the client rather than validating the client’s credentials.

“Example of 1-click Telnet client exploit, MS-TNAP will automatically send credentials to hosts in Intranet or Trusted zones, earlier MSIE does not prompt when launching telnet.exe making it 1-click only on legacy hosts & 1-click 1-prompt on latest hosts. https://t.co/TwEji200sx pic.twitter.com/O83WHnd8lk” — hackerfantastic.x (@hackerfantastic) May 5, 2025

A proof-of-concept exploit named “telnetbypass.exe” has been released, though its source code has been withheld to minimize widespread exploitation. The exploit can bypass authentication to any account on the host by sending specially crafted mutual authentication packets.

With no patch currently available from Microsoft, security experts recommend several immediate actions to mitigate risk:
- Immediately disable the Telnet Server service on all affected systems.
- Replace Telnet with more secure alternatives such as SSH for remote management.
- Implement network filtering to restrict Telnet access to trusted networks only.
- Deploy application controls to prevent unauthorized Telnet clients from connecting.

Security analysts emphasize that while this vulnerability is severe, its impact is limited to older systems. “A dead protocol, Telnet, that is not installed by default, on Windows versions that have already been EOL for years. It’s a clever find, but it’s 15 years too late,” noted one security professional. Nevertheless, organizations maintaining legacy infrastructure should take this threat seriously. “Anyone who exposes Telnet to the internet on ancient Windows versions is either running a honeypot or taking extraordinary risks,” the expert added.

This vulnerability highlights the ongoing security challenges faced by organizations running legacy systems past their support lifecycle. Even as new security measures are implemented in modern operating systems, older protocols like Telnet continue to present significant risks when left active. Security operations teams are advised to audit their environments for any running Telnet Server services, particularly on legacy Windows systems, and take immediate action to mitigate this vulnerability.
cybersecuritynews.com
May 6, 2025 at 2:25 AM
Persistence techniques allow attackers to keep access to a compromised system across reboots or logouts.

Our new blog post shows how to detect Windows persistence techniques with Wazuh.

Read on: ow.ly/Ih9E50VKtx5

#InformationSecurity #CyberSecurity #OpenSource #Wazuh
Detecting Windows persistence techniques with Wazuh | Wazuh
Persistence techniques refer to methods attackers or malicious software use to maintain access to a compromised endpoint even after reboots, logouts, or: Learn how Wazuh detects Windows persistence te...
ow.ly
April 30, 2025 at 5:12 PM
Reposted by V01d_N1𝕏
From crypto kingpins to sophisticated scammers, these are the lesser-known hacking groups that should be on your radar. www.wired.com/story/most-d...
The Most Dangerous Hackers You’ve Never Heard Of
www.wired.com
April 14, 2025 at 10:05 AM
Paris Sorbonne University (UPMC) was the victim of a cyberattack orchestrated by an artificial intelligence from the cybercriminal group Funksec.
March 7, 2025 at 10:38 AM
January 22, 2025 at 5:00 PM
Reposted by V01d_N1𝕏
Hackers Abusing Microsoft VSCode Remote Tunnels To Bypass Security Tools
VSCode Remote Tunnels, a legitimate feature of the popular development environment, are increasingly being used by malicious actors. The feature allows developers to remotely access their local coding environment, which promotes engagement and flexibility. Abusing it, malicious actors deliver files or scripts that install the VSCode CLI and create a remote tunnel without the user’s awareness. This gives attackers unauthorized access to the developer’s device, enabling them to steal confidential data, deploy malware, and move laterally across the network.

How VSCode Tunnels Are Being Abused by Threat Actors

According to On the Hunt’s blog post, the malicious LNK file that is initially delivered includes a PowerShell command that downloads and executes a Python script from a remote IP address. The Python script downloads and executes the VSCode CLI binary, code-insiders.exe, and uses the CLI binary against GitHub to generate and authenticate a VSCode tunnel.

Figure: The Attack Chain

A remote tunnel for VSCode is created, and the threat actor uses the tunnel via a web browser to execute commands on a Python payload.

Figure: Python script sets up the tunnel

To authenticate to VSCode without using the attacker’s GitHub account, the “connect to tunnel” button is pressed.

Figure: Connecting to tunnel

Once verified with the account, a list of remote hosts with active tunnels can be observed. Selecting the online victim host connects to the VSCode remote tunnel running on that host. This makes it possible to traverse directories on the victim’s remote computer. Additionally, new files or scripts can be created and run remotely.

It is advisable for organizations to restrict access to remote tunnels to their own tenants. If that is not feasible, tunnel use within the estate should be prohibited, or measures to prevent their misuse should be implemented. By taking proactive measures against this threat, companies can safeguard their sensitive data and protect the integrity of their development environments.
cybersecuritynews.com
January 20, 2025 at 5:33 AM
Reposted by V01d_N1𝕏
Microsoft Configuration Manager Vulnerability Allows Remote Code Execution – PoC Released
A critical vulnerability, CVE-2024-43468, has been identified in Microsoft Configuration Manager (ConfigMgr), posing a severe security risk to organizations relying on this widely used systems management software. Rated with a CVSS score of 9.8, the vulnerability allows unauthenticated attackers to execute remote code on affected systems, potentially leading to complete system compromise.

CVE-2024-43468 stems from two unauthenticated SQL injection flaws in the MP_Location service of ConfigMgr. These flaws occur due to improper input sanitization when processing client messages. Attackers can exploit these weaknesses to execute arbitrary SQL queries on the ConfigMgr database with sysadmin privileges, enabling remote code execution (RCE) through activation of the xp_cmdshell procedure.

The vulnerability affects ConfigMgr versions 2403, 2309, and 2303 when the patch KB29166583 is not applied. Exploitation requires network access to a Management Point but does not require authentication or user interaction, making it highly exploitable.

Microsoft Configuration Manager RCE Released

Synacktiv researchers have released a proof-of-concept (PoC) script demonstrating how attackers can leverage the vulnerability. The PoC highlights two attack vectors:
- MachineID Injection: an attacker can inject malicious SQL commands into the SourceID field of an XML message targeting the vulnerable getMachineID function.
- ContentID Injection: this vector exploits the getContentID function by providing a valid MachineID obtained from the system database.
Both methods allow attackers to create new sysadmin accounts or execute commands on the underlying server.

The implications of CVE-2024-43468 are severe:
- Unauthorized Access: attackers can gain full access to the ConfigMgr database and its contents.
- System Compromise: by escalating privileges, attackers can execute arbitrary commands on the server, potentially deploying ransomware or other malicious payloads across managed devices.
- Data Breaches: sensitive data stored within the ConfigMgr database is at risk.

Mitigation and Recommendations

Microsoft has addressed this vulnerability with patch KB29166583 in the Patch Tuesday update. Organizations using ConfigMgr versions 2303, 2309, or 2403 should immediately apply this update to secure their systems. Additional mitigation strategies include:
- Network Segmentation: restrict access to Management Points to trusted networks only.
- Database Security Best Practices: validate all SQL inputs and use parameterized queries to prevent injection attacks.
- Regular Updates: ensure that all software components are updated promptly when patches are released.

Detecting exploitation attempts for CVE-2024-43468 is challenging, as SQL injection payloads do not leave clear traces in log files. However, anomalies in MP_Location.log, such as errors following UpdateSFRequestXML messages, may indicate exploitation attempts.
cybersecuritynews.com
January 20, 2025 at 5:33 AM
Reposted by V01d_N1𝕏
Revisiting a Simple SQL Injection Methodology
If you take a closer look at a vast number of “Bug Bounty Tips” that are majorly trending on Twitter and LinkedIn, they can be classified…
infosecwriteups.com
January 11, 2025 at 6:25 AM
Reposted by V01d_N1𝕏
Critical 7-Zip Zero-Day Exploit Leaked Online Let Hackers Hijack Windows PCs Remotely
A critical 7-Zip zero-day exploit has been publicly leaked by a hacker, allowing attackers to execute arbitrary code to control PCs remotely.
cybersecuritynews.com
December 30, 2024 at 2:11 PM
Active Directory Pentesting Using Netexec Tool.
Author: Pradnya Pawar, InfoSec researcher and Security Tech Lead.

#RedTeaming #Pentesting
Active Directory Pentesting Using Netexec Tool: A Complete Guide - Hacking Articles
Active Directory (AD) penetration testing is an essential part of the security assessment of enterprise networks. The Netexec tool offers a wide range of capabilities
www.hackingarticles.in
December 29, 2024 at 5:32 PM
Reposted by V01d_N1𝕏
Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts
thehackernews.com
December 24, 2024 at 1:51 PM
Reposted by V01d_N1𝕏
Wordlists Every Pentester Must Have !!
Essential wordlists and tools that power password cracking, brute force attacks, and directory enumeration.

What Are Wordlists?

A wordlist is a collection of words or strings used to guess passwords, usernames, or directory paths during penetration testing. It forms the backbone of security testing techniques such as brute force attacks and hash cracking.

Pre-Installed Wordlists in Kali Linux

Kali Linux ships with a large set of wordlists located at /usr/share/wordlists. Key examples include:
- Rockyou: over 14 million potential passwords.
- Dirb wordlists: ideal for directory brute-forcing.
- Wfuzz wordlists: tailored for web application fuzzing.

Popular Wordlists and Repositories

SecLists: a versatile collection containing usernames, passwords, fuzzing payloads, and more. Location: /usr/share/seclists.

GitHub wordlists: find the latest, niche wordlists for zero-day vulnerabilities or unique testing scenarios.
- https://github.com/kkrypt0nn/wordlists
- https://github.com/gmelodie/awesome-wordlists
- https://github.com/xajkep/wordlists
- https://github.com/jeanphorn/wordlist
- https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials

Assetnote wordlists: regularly updated and optimized for subdomain discovery and artifact enumeration. Website: Assetnote Wordlists.

Create Your Own Dictionaries

Cewl extracts potential passwords from website text. Command example:

    cewl http://example.com -w wordlist.txt
    cewl https://example.com -d 2 -w wordlist.txt
    # https://example.com: the target website URL.
    # -d 2: depth of spidering.
    # -w wordlist.txt: the output file to save to.

Crunch generates wordlists with defined character sets and lengths. Command example:

    crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
    # Only length 4, using charset mixalpha (defined in charset.lst).
    # Placeholders for the -t pattern option:
    #   @  lower case alpha characters
    #   ,  upper case alpha characters
    #   %  numeric characters
    #   ^  special characters including space
    # The pattern below is 7 characters long, so min and max length must both be 7.
    crunch 7 7 -t ,@@^^%%

CUPP (Common User Passwords Profiler) creates personalized wordlists based on user details. GitHub: CUPP Repository.

    cupp -i
    # The -i flag starts the interactive mode.
    [+] First name: John
    [+] Last name: Doe
    [+] Nickname: Johnny
    [+] Birthdate: 01011990
    [+] Partner's name: Jane
    [+] Pet's name: Max
    [+] Company name: Acme

Pydictor is a flexible dictionary builder with advanced options. GitHub: Pydictor Repository.

    pydictor.py -base custom -custom 'abcd1234!' -len 4
    # Uses only a, b, c, d, 1, 2, 3, 4, and !.
    # Outputs words of length 4.
    pydictor.py -base upperlowerdigit -len 8 -pattern "XxNNxx"
    # XxNNxx creates words in a pattern: uppercase, lowercase, two digits, then lowercase twice.
    pydictor.py -base lowerupperdigit -len 6
    # The -base option specifies the character

Wister is a wordlist generator tool that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target. (From HackTricks.) GitHub: Wister.

Cleaning and Merging Wordlists

- Cleaning wordlists: use tools such as clean_wordlists.sh to remove duplicates and noisy entries.
- Merging wordlists: tools such as DyMerge combine multiple lists dynamically. Command example:

    dymerge list1.txt list2.txt -o merged_list.txt

Conclusion

Wordlists are indispensable in cybersecurity. With the right resources and tools, you can efficiently craft and utilize wordlists tailored to specific tasks. Always use these tools responsibly, adhering to ethical hacking guidelines. Happy hacking!
infosecwriteups.com
December 23, 2024 at 8:15 AM
Reposted by V01d_N1𝕏
Ivanti warns of maximum severity CSA auth bypass vulnerability
Ivanti warned customers on Tuesday about a new maximum-severity authentication bypass vulnerability in its Cloud Services Appliance (CSA) solution.
www.bleepingcomputer.com
December 10, 2024 at 7:48 PM
Reposted by V01d_N1𝕏
PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug to access sensitive files
PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug
Still unpatched 100+ days later, watchTowr says
www.theregister.com
December 6, 2024 at 6:11 AM
Reposted by V01d_N1𝕏
Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...
November 20, 2024 at 5:21 AM