According to the US Cybersecurity and Infrastructure Security Agency (CISA) a SQL injection flaw in Microsoft Configuration Manager patched in October 2024 is now being actively exploited, exposing unpatched businesses and government agencies to attack.
CISA added CVE-2024-43468 to its Known Exploited Vulnerabilities catalog on Thursday, setting a March 5 deadline for federal agencies to deploy the patch. The 9.8-rated SQL injection vulnerability exists in Microsoft Configuration Manager, which IT admins use to manage organizations’ Windows-based servers and laptops.
Read more…
Source: There Register News
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- September Patch Tuesday Updates Exchange, SharePoint
September 9, 2020
This month’s update includes 129 updates for the Microsoft Office suite, with 15 specifically addressing SharePoint vulnerabilities. Of the total number, 23 have been rated Critical and 105 as Important. No zero days have been observed, but four vulnerabilities are under close scrutiny for their potential abuse. Specifically, CVE-2020-16875 can be exploited for remote code execution ...
- Exposed Docker Server Abused to Drop Cryptominer, DDoS Bot
September 8, 2020
Malicious actors continue to target environments running Docker containers. We recently encountered an attack that drops both a malicious cryptocurrency miner and a distributed denial-of-service (DDoS) bot on a Docker container built using Alpine Linux as its base image. A similar attack was also reported by Trend Micro in May; in that previous attack, threat ...
- Hackers for hire attack architecture firm via 3ds Max exploit
August 26, 2020
An advanced hackers-for-hire group has compromised computers of an architecture firm involved in luxury real-estate projects worth billions of US dollars. The group carries out espionage operations, the attack vector being a malicious plugin for the Autodesk 3ds Max software for creating professional 3D computer graphics. According to an investigation from Bitdefender, the unnamed victim is an ...
- Security researcher discloses Safari bug after Apple delays patch
August 25, 2020
A security researcher has published details today about a Safari browser bug that could be abused to leak or steal files from users’ devices. The bug was discovered by Pawel Wylecial, co-founder of Polish security firm REDTEAM.PL. Wylecial initially reported the bug to Apple earlier this spring, in April, but the researcher decided to go public with ...
- Lifting the veil on DeathStalker, a mercenary triumvirate
August 24, 2020
State-sponsored threat actors and sophisticated attacks are often in the spotlight. Indeed, their innovative techniques, advanced malware platforms and 0-day exploit chains capture our collective imagination. Yet these groups still aren’t likely to be a part of the risk model at most companies, nor should they be. Businesses today are faced with an array of much ...
- Bug bounty platform ZDI awarded $25m to researchers over the past 15 years
August 20, 2020
Bug bounty platform pioneer Zero-Day Initiative (ZDI) said it awarded more than $25 million in bounty rewards to security researchers over the past decade and a half. In an anniversary post celebrating its 15-year-old birthday, ZDI said the bounty rewards represent payments to more than 10,000 security researchers for more than 7,500 successful bug submissions. Most of ...