25 Vulnerabilities in Cloud Password Managers Allow Unauthorized Access and Modifications Researchers from ETH Zurich have uncovered 25 serious vulnerabilities in three leading cloud-based password managers : Bitwarden, LastPass, and Dashlane. These flaws enable a malicious server to bypass zero-knowledge encryption claims, allowing unauthorized access, modification, and recovery of users’ stored passwords and vault data. Bitwarden, LastPass, and Dashlane collectively serve over 60 million users and hold significant market share. The analysis targets their client-server interactions under a fully malicious server threat model, where servers deviate arbitrarily from protocols. Vendors advertise “zero-knowledge encryption,” implying servers cannot access plaintext vaults even if compromised, but the researchers demonstrate repeated failures in confidentiality and integrity protections. The 25 attacks span four categories: key escrow mechanisms, item-level vault encryption flaws, sharing features, and backwards compatibility issues. Key Escrow Attacks These target account recovery and SSO login mechanisms enable full vault compromise via unauthenticated keys. Bitwarden’s BW01-BW03 allow malicious auto-enrollment, key rotation, and KC conversion through key substitution upon joining organizations or dialogs. LastPass’s LP01 exploits password reset flaws similarly. Item-Level Encryption Flaws Flawed per-item encryption leads to integrity violations, metadata leaks, field swapping, and KDF downgrades. Bitwarden’s BW04-BW07 expose unprotected metadata, swap fields, decrypt icons, and remove iterations for brute-force. LastPass LP02-LP06 and Dashlane DL01 enable malleable vaults and replay attacks due to AES-CBC and missing bindings. Sharing Feature Exploits Unauthenticated public keys compromise organizations and shared vaults. Bitwarden’s BW08-BW09 inject or overwrite organizations; LastPass LP07 and Dashlane DL02 overwrite sharing keys upon joining. Impacts scale to team-wide access. Backwards Compatibility Issues Legacy code support triggers downgrades to insecure modes like CBC. Bitwarden’s BW10-BW12 disable protections and overwrite keys; Dashlane’s DL03-DL06 enable injections, KDF removal, and “Lucky 64” after syncs. Dashlane patched via extension 6.2544.1. In Bitwarden, 12 attacks include malicious auto-enrollment (BW01), where unauthenticated organization public keys allow key substitution and full vault compromise upon joining any group. LastPass faces seven issues, such as lacking ciphertext integrity with AES-CBC (LP05), enabling malleable vaults, and field swapping. Dashlane has six vulnerabilities, like transaction replay (DL01) due to shared keys across transactions, violating vault integrity. Attack Ref Product Cause Impact Client Interaction BW01 Bitwarden Lack of Key Auth, Key Substitution Full vault compromise 1 join BW02 Bitwarden Key Substitution Full vault compromise 1 rotation BW03 Bitwarden Lack of Key Auth, Key Substitution Full vault compromise 1 dialog LP01 LastPass Lack of Key Auth Full vault compromise 1 login BW04 Bitwarden Lack of Auth Enc Read/modify metadata – BW05 Bitwarden Lack of Key Sep Field/item swapping – BW06 Bitwarden Lack of Key Sep Loss of confidentiality 1 open BW07 Bitwarden Lack of Auth Enc No brute-force protection 1 login LP02 LastPass Lack of Auth Enc Field/item swapping – LP03 LastPass Lack of Key Sep Loss of confidentiality 1 open LP04 LastPass Lack of Auth Enc No brute-force protection 1 login LP05 LastPass Lack of Auth Enc Loss of vault integrity – DL01 Dashlane Lack of Key Sep Loss of vault integrity – BW08 Bitwarden Lack of Key Auth Add users to orgs 1 sync BW09 Bitwarden Lack of Key Auth, Key Substitution Org compromise 1 join LP07 LastPass Lack of Key Auth Shared vault compromise 1 join DL02 Dashlane Lack of Key Auth Shared vault compromise 1 join BW10 Bitwarden Lack of Auth Enc Downgrade key hierarchy – BW11 Bitwarden CBC Support Loss of confidentiality 2 logins BW12 Bitwarden CBC Support Full vault compromise 2 logins DL03 Dashlane CBC Support Loss of vault integrity 104 syncs DL04 Dashlane CBC Support No brute-force protection 104 syncs DL05 Dashlane CBC Support Loss of confidentiality 105 syncs DL06 Dashlane CBC Support No brute-force protection 104 syncs LP06 LastPass Lack of Auth Enc Read/modify metadata – Many attacks require minimal interaction, like a single login or sync, exploiting unauthenticated public keys, missing key separation, and legacy AES-CBC support. For instance, icon URL decryption leaks (BW06, LP03) reveal passwords via client requests. KDF iteration downgrades (BW07, LP04) accelerate brute-force by up to 300,000x. Attack Hierarchies Researchers disclosed findings responsibly : Bitwarden on January 27, 2025; LastPass on June 4, 2025; Dashlane on August 29, 2025, with 90-day remediation windows. Bitwarden advanced fixes for several, including minimum KDF iterations and CBC removal; LastPass addressed LP03; Dashlane mitigated some CBC issues. Recommended mitigations include authenticated encryption (AE), full key separation (KS), public key authentication (PKA), and ciphertext signing (SC). Users should update clients, enable per-item keys where available, and monitor vendor patches. The study urges formal security models for password managers akin to E2EE cloud storage. Self-hosted deployments remain vulnerable if servers are compromised. Follow us on Google News , LinkedIn , and X for daily cybersecurity updates. Contact us to feature your stories. The post 25 Vulnerabilities in Cloud Password Managers Allow Unauthorized Access and Modifications appeared first on Cyber Security News .

25 Vulnerabilities in Cloud Password Managers Allow Unauthorized Access and Modifications

Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...

Django Team Patches High-Severity SQL Injection Flaw (CVE-2025-64459) and DoS Bug (CVE-2025-64458) in Latest Security Update Django released urgent patches (v5.2.8+) for a Critical SQL Injection flaw (CVE-2025-64459) affecting QuerySet methods via the _connector keyword, risking remote database compromise.

Django Team Patches High-Severity SQL Injection Flaw (CVE-2025-64459) and DoS Bug (CVE-2025-64458) in Latest Security Update

2 Billion Email Addresses Were Exposed, and We Indexed Them All in Have I Been Pwned I hate hyperbolic news headlines about data breaches, but for the "2 Billion Email Addresses" headline to be hyperbolic, it'd need to be exaggerated or overstated - and it isn't. It's rounded up from ...

This has been an extraordinary set of data to process: 1.3B unique passwords, 2B unique email addresses (including mine 😭) and almost 3M of our @haveibeenpwned.com subscribers in there. It’s been weeks of processing to get this loaded, and finally, it’s done www.troyhunt.com/2-billion-em...

GitHub - A-poc/BlueTeam-Tools: Tools and Techniques for Blue Team / Incident Response Tools and Techniques for Blue Team / Incident Response - A-poc/BlueTeam-Tools

Repository contains a collection of 65+ tools and resources that can be useful for blue teaming activities.

CYBERATTAQUE / FRANCE

Bouygues Telecom a été victime d’une intrusion le 6 août 2025, exposant les données personnelles et IBAN de 6,4 millions de clients.

Plague: A Newly Discovered PAM-Based Backdoor for Linux - Nextron Systems

Plague: A Newly Discovered PAM-Based Backdoor for Linux.
by Pierre-Henri Pezier

Red Team Tactics - Evading EDR on Linux with io_uring

|￣￣￣￣￣￣￣￣￣￣￣￣￣|
| We Love Cybersecurity |
|＿＿＿＿＿＿＿＿＿＿＿＿＿|
\ (•◡•) /
\ /
——
| |
|_ |_

BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory

The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement.

www.akamai.com/blog/securit...

🤣

Critical Microsoft Telnet 0-Click Vulnerability Exposes Windows Credentials A critical vulnerability in Microsoft Telnet Server enables attackers to bypass authentication completely, potentially gaining administrator access without valid credentials. Organizations running legacy Windows systems are advised to take immediate action, as no official patch is available. The critical flaw, discovered by a security researcher with Handle Hacker Fantastic, exploits a misconfiguration in the NTLM Authentication processes of the Telnet MS-TNAP ( Microsoft Telnet Authentication Protocol) extension. Designated as a “0-click” vulnerability, it requires no user interaction and allows remote unauthenticated attackers to bypass authentication mechanisms entirely. Affected systems include legacy Microsoft operating systems from Windows 2000 through Windows Server 2008 R2. While these systems are relatively old, many organizations still maintain such servers for legacy applications or infrastructure. “A critical 0-click remote authentication bypass vulnerability in Microsoft Telnet Server allows attackers to gain access as any user, including Administrator, without requiring valid credentials,” according to security researchers who analyzed the vulnerability. The exploit works by manipulating the mutual authentication process between client and server. Microsoft Telnet Client 0-click Vulnerability The vulnerability stems from improper SSPI (Security Support Provider Interface) flag configurations during the authentication handshake. Specifically, researchers identified two critical misconfigurations: The server initializes NTLM security with the SECPKG_CRED_BOTH flag and uses AcceptSecurityContext() with ASC_REQ_DELEGATE and ASC_REQ_MUTUAL_AUTH flags. This combination allows attackers to invert the authentication relationship, essentially tricking the server into authenticating itself to the client rather than validating the client’s credentials. Example of 1-click Telnet client exploit, MS-TNAP will automatically send credentials to hosts in Intranet or Trusted zones, earlier MSIE does not prompt when launching telnet.exe making it 1-click only on legacy hosts & 1-click 1-prompt on latest hosts. https://t.co/TwEji200sx pic.twitter.com/O83WHnd8lk — hackerfantastic.x (@hackerfantastic) May 5, 2025 A proof-of-concept exploit named “telnetbypass.exe” has been released , though its source code has been withheld to minimize widespread exploitation. The exploit can bypass authentication to any account on the host by sending specially crafted mutual authentication packets. With no patch currently available from Microsoft, security experts recommend several immediate actions to mitigate risk: Immediately disable the Telnet Server service on all affected systems. Replace Telnet with more secure alternatives like SSH for remote management. Implement network filtering to restrict Telnet access to trusted networks only. Deploy application controls to prevent unauthorized Telnet clients from connecting. Security analysts emphasize that while this vulnerability is severe, its impact is limited to older systems. “A dead protocol, Telnet, that is not installed by default, on Windows versions that have already been EOL for years. It’s a clever find, but it’s 15 years too late,” noted one security professional. Nevertheless, organizations maintaining legacy infrastructure should take this threat seriously. “Anyone who exposes Telnet to the internet on ancient Windows versions is either running a honeypot or taking extraordinary risks,” the expert added. This vulnerability highlights the ongoing security challenges faced by organizations running legacy systems past their support lifecycle. Even as new security measures are implemented in modern operating systems, older protocols like Telnet continue to present significant risks when left active. Security operations teams are advised to audit their environments for any running Telnet Server services, particularly on legacy Windows systems, and take immediate action to mitigate this vulnerability. Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points – Free Webinar The post Critical Microsoft Telnet 0-Click Vulnerability Exposes Windows Credentials appeared first on Cyber Security News .

Critical Microsoft Telnet 0-Click Vulnerability Exposes Windows Credentials

Detecting Windows persistence techniques with Wazuh | Wazuh Persistence techniques refer to methods attackers or malicious software use to maintain access to a compromised endpoint even after reboots, logouts, or: Learn how Wazuh detects Windows persistence te...

Persistence techniques allow attackers to keep access to a compromised system across reboots or logouts.

Our new blog post shows how to detect Windows persistence techniques with Wazuh.

Read on: ow.ly/Ih9E50VKtx5

#InformationSecurity #CyberSecurity #OpenSource #Wazuh

The Most Dangerous Hackers You’ve Never Heard Of From crypto kingpins to sophisticated scammers, these are the lesser-known hacking groups that should be on your radar.

From crypto kingpins to sophisticated scammers, these are the lesser-known hacking groups that should be on your radar. www.wired.com/story/most-d...

L'université Paris Sorbonne (UPMC) victime d'une cyberattaque orchestrée par une intelligence artificielle du groupe cybercriminel Funksec.

Hackers Abusing Microsoft VSCode Remote Tunnels To Bypass Security Tools VSCode Remote Tunnels, a legitimate feature of the popular development environment, are increasingly being used by malicious actors. This feature allows developers to remotely access their local coding environment, which promotes engagement and flexibility. Using this feature, malicious actors install files or scripts that install the VSCode CLI and create a remote tunnel without the user’s awareness. This allows attackers illegal access to the developer’s device, enabling them to steal confidential data, deploy malware, and move laterally over the network. Investigate Real-World Malicious Links & Phishing Attacks With  Threat Intelligence Lookup  -  Try for Free How VSCode Tunnels Are Being Abused By Threat Actors? According to On the Hunt’s blog post , the malicious LNK file that is initially delivered includes a PowerShell command that allows the user to download and execute a Python script from a remote IP address. The VSCode CLI binary, code-insiders.exe, is downloaded and executed by a Python script. A Python script uses the CLI binaries against Github to generate and authenticate a VSCode tunnel .  The Attack Chain A remote tunnel for VSCode is created and the threat actor uses the tunnel created via a web browser to execute commands on a Python payload. Python Script sets up the tunnel  To authenticate to VSCode without utilizing the attacker’s GitHub account, the connect to tunnel button is pressed. Connecting to tunnel Once verified with the account, a list of remote hosts with active tunnels can be observed. Selecting the online victim host will connect to the VSCode remote tunnel running on that host.  This now makes traversing directories on the victim’s remote computer possible. Additionally, it is also possible to create new files or scripts and run them remotely. It is advisable for organizations to restrict access to remote tunnels to their own tenants. If it’s not feasible, tunnel use within the estate should be prohibited, or measures to prevent their misuse should be implemented.  Therefore, companies may safeguard their sensitive data and protect the integrity of their development environments by taking proactive measures to combat this new threat. Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira ->  Free Webinar The post Hackers Abusing Microsoft VSCode Remote Tunnels To Bypass Security Tools appeared first on Cyber Security News .

Hackers Abusing Microsoft VSCode Remote Tunnels To Bypass Security Tools

Microsoft Configuration Manager Vulnerability Allows Remote Code Execution – PoC Released A critical vulnerability, CVE-2024-43468, has been identified in Microsoft Configuration Manager (ConfigMgr), posing a severe security risk to organizations relying on this widely used systems management software. Rated with a CVSS score of 9.8, the vulnerability allows unauthenticated attackers to execute remote code on affected systems, potentially leading to complete system compromise. CVE-2024-43468 stems from two unauthenticated SQL injection flaws in the MP_Location service of ConfigMgr. These flaws occur due to improper input sanitization when processing client messages. Attackers can exploit these weaknesses to execute arbitrary SQL queries on the ConfigMgr database with sysadmin privileges, enabling remote code execution (RCE) through the activation of the xp_cmdshell procedure. Investigate Real-World Malicious Links & Phishing Attacks With  Threat Intelligence Lookup  -  Try for Free The vulnerability affects ConfigMgr versions 2403, 2309, and 2303, particularly when the critical patch KB29166583 is not applied. Exploitation requires network access to a Management Point but does not necessitate authentication or user interaction, making it highly exploitable. Microsoft Configuration Manager RCE Released SynACKTIV researchers have released a proof-of-concept (PoC) script demonstrating how attackers can leverage the vulnerability. The PoC highlights two attack vectors: MachineID Injection : An attacker can inject malicious SQL commands into the SourceID field of an XML message targeting the vulnerable getMachineID function. ContentID Injection : This vector exploits the getContentID function by providing a valid MachineID obtained from the system database. Both methods allow attackers to create new sysadmin accounts or execute commands on the underlying server. The implications of CVE-2024-43468 are severe: Unauthorized Access : Attackers can gain full access to the ConfigMgr database and its contents. System Compromise : By escalating privileges, attackers can execute arbitrary commands on the server, potentially deploying ransomware or other malicious payloads across managed devices. Data Breaches : Sensitive data stored within the ConfigMgr database is at risk. Mitigation and Recommendations Microsoft has addressed this vulnerability with patch KB29166583 in the patch Tuesday update. Organizations using ConfigMgr versions 2303, 2309, or 2403 should immediately apply this update to secure their systems. Additional mitigation strategies include: Network Segmentation : Restrict access to Management Points to trusted networks only. Database Security Best Practices : Validate all SQL inputs and use parameterized queries to prevent injection attacks. Regular Updates : Ensure that all software components are updated promptly when patches are released. Detecting exploitation attempts for CVE-2024-43468 is challenging as SQL injection payloads do not leave clear traces in log files. However, anomalies in MP_Location.log , such as errors following UpdateSFRequestXML messages, may indicate exploitation attempts. Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar The post Microsoft Configuration Manager Vulnerability Allows Remote Code Execution – PoC Released appeared first on Cyber Security News .

Microsoft Configuration Manager Vulnerability Allows Remote Code Execution – PoC Released

Revisiting a Simple SQL Injection Methodology If you take a closer look at a vast number of “Bug Bounty Tips” that are majorly trending on Twitter and LinkedIn, they can be classified…

Revisiting a Simple SQL Injection Methodology

Critical 7-Zip Zero-Day Exploit Leaked Online Let Hackers Hijack Windows PCs Remotely A critical 7-Zip zero-day exploit has been publicly leaked by a hacker, allowing attackers to execute arbitrary code to control PCs remotely.

Critical 7-Zip Zero-Day Exploit Leaked Online Let Hackers Hijack Windows PCs Remotely

Extracting Credentials From Windows Logs Overview During a recent engagement, I observed a lot of members of a particular organization authenticating with remote systems and services over the commandline with username and password in plai…

Extracting Credentials From Windows Logs.

Active Directory Pentesting Using Netexec Tool: A Complete Guide - Hacking Articles Active Directory (AD) penetration testing is an essential part of the security assessment of enterprise networks. The Netexec tool offers a wide range of capabilities

Active Directory Pentesting Using Netexec Tool.
Author: Pradnya Pawar, InfoSec researcher and Security Tech Lead.

#RedTeaming #Pentesting

Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts

Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts

Wordlists Every Pentester Must Have !!

Ivanti warns of maximum severity CSA auth bypass vulnerability Ivanti warned customers on Tuesday about a new maximum-severity authentication bypass vulnerability in its Cloud Services Appliance (CSA) solution.

Ivanti warns of maximum severity CSA auth bypass vulnerability

PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug Still unpatched 100+ days later, watchTowr says

PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug to access sensitive files

Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities #cybersecurity #hacking #news #infosec #security #technology #privacy thehackernews.com/20...

New OpenSSH Vulnerability CVE-2024-6409 Exposes Systems to RCE Attack Security researchers have discovered a new vulnerability in OpenSSH, identified as CVE-2024-6409, which could potentially allow remote code execution attacks on affected systems.

New OpenSSH Vulnerability CVE-2024-6409 Exposes Systems to RCE Attack

New regreSSHion OpenSSH RCE bug gives root on Linux servers A new OpenSSH unauthenticated remote code execution (RCE) vulnerability dubbed "regreSSHion" gives root privileges on glibc-based Linux systems.

New regreSSHion OpenSSH RCE bug gives root on Linux servers

Nouvelle vulnérabilité identifiée, CVE-2024-30103, dans Microsoft Outlook.

Cette faille de type "zero-click" permet l'exécution de code à distance (RCE) simplement en ouvrant et en prévisualisant un email contenant une charge malveillante.