shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.


#vulnerabilities


(Maybe intentional, maybe unintentional) deceptive advisories 101: certvde.com/en/advisories/VDE- .

The actual vulns here are OS command injection issues (CWE-78). The webapp just so happens to be vulnerable to CSRF too, so they use CWE-352, but honestly nobody in their right mind gives a crap about CSRF as a top priority item.

There are multiple ways to exploit the bugs. The score/vector in the advisory is technically correct, but you could also exploit the bug (or series of bugs) as 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) or 9.9 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) depending on the privilege required to do the OS command injection. But honestly the 'what privilege required' becomes moot when you search the user manual for default credentials....

Whether the deception is intentional or not, who knows, it is what it is. Attackers are never* gonna use CSRF, but they are absolutely positively going to abuse command injection (even authenticated command injection), especially against devices which have 1) a cellular modem and 2) published default credentials that are incredibly easy to learn.

This is all an example of the fact that CVSS does not score a vulnerability, but rather scores one exploitation method of a vulnerability. There are often multiple ways to interpret 'a vuln'. In this case the advisory probably should have reserved more CVEs anyway: some to cover the CSRF, and others to cover the command injection bugs (the fixes for each are most likely distinct code changes, so worthy of independent CVEs, but I digress).

And sorry for the sales pitch: this is the kind of thing that we manually review all week, every week, and publish details about in our Worldview reports: dragos.com/dragos-worldview/

certvde.com · VDE-2025-052 | CERT@VDE Advisories

🔥 Latest issue of my curated #cybersecurity and #infosec list of resources for week #23/2025 is out!

It includes the following and much more:

🇫🇷 Cartier announced a #databreach;

🫱🏻‍🫲🏼 Microsoft and CrowdStrike are working together to connect the different names used for hacking groups;

🇩🇪 German authorities have identified Vitaly Nikolaevich Kovalev as the leader of the #TrickBot cybercrime gang;

🩹 🐛 Over 30 #Vulnerabilities Patched in #Android;

🇪🇺 Microsoft has launched a free European Security Program to enhance cybersecurity for #EU governments;

🇮🇳 #Microsoft Helps India CBI Dismantle Indian Call Centers;

📨 Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

infosec-mashup.santolaria.net/

X’s InfoSec Newsletter 🕵🏻‍♂️ · [InfoSec MASHUP] 23/2025 · Cartier announced a data breach; Microsoft and CrowdStrike are working together to connect the different names used for hacking groups; German authorities have identified Vitaly Nikolaevich Kovalev as the leader of the TrickBot cybercrime gang; Over 30 Vulnerabilities Patched in Android; Microsoft has launched a free European Security Program to enhance cybersecurity for EU governments; Microsoft Helps India CBI Dismantle Indian Call Centers;

The VLAI Severity model is accessible via API. Here is a simple example from a recent Ivanti vulnerability description from their vulnerability webpage.

The VLAI Security model for vulnerabilities is accessible via vulnerability-lookup and the public instance operated by CIRCL.

So, if you have a vulnerability description, you can quickly assess it to get a general idea of its severity.

curl -X 'POST' \
  'https://vulnerability.circl.lu/api/vlai/severity-classification' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{ "description": "Ivanti has released updates for Ivanti Neurons for ITSM (on-prem only) which addresses one critical severity vulnerability. Depending on system configuration, successful exploitation could allow an unauthenticated remote attacker to gain administrative access to the system. We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure. We have included an environmental score to provide customers with additional context on the adjusted risk of this vulnerability with typical use cases. Customers who have followed Ivanti guidance on securing the IIS website and restricted access to a limited number of IP addresses and domain names have a reduced risk to their environment. Customers who have users log into the solution from outside their company network also have a reduced risk to their environment if they ensure that the solution is configured with a DMZ." }'

and the result

{
  "severity": "Critical",
  "confidence": 0.9256
}

#cve #ivanti #vulnerability #vulnerabilitymanagement #vulnerabilities

For more details: vulnerability-lookup.org/2025/

@circl @gcve

www.vulnerability-lookup.org · Vulnerability-Lookup 2.10.0 released · We’re delighted to announce the release of Vulnerability-Lookup 2.10.0, and it’s packed with exciting features! What’s New: AI-Powered Enrichment using our in-house AI models. Vulnerability-Lookup now enhances vulnerability advisories using our in-house AI models. We recently worked on a new project, ML-Gateway, a FastAPI service for serving NLP models. It loads one or more pre-trained NLP models during startup and exposes them through a clean, RESTful API for inference. For example, it leverages the transformers library to load the CIRCL/vulnerability-severity-classification-roberta-base model, which specializes in classifying vulnerability descriptions according to their severity level. The server initializes this model once at startup, ensuring minimal latency during inference requests.
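The curl call above shows a single request; what a practitioner usually wants is to run a backlog of descriptions through the endpoint and order it, while not blindly trusting a model label. The client below is an added example, not code from the post or from the Vulnerability-Lookup project: it sends the same JSON body to the same public endpoint, validates the reply shape the post shows, sends low-confidence predictions to a manual-review queue, and ranks the rest. The label set (Critical/High/Medium/Low) and the 0.8 confidence threshold are assumptions; the sample description and reply are constructed from the post, and the network transport is injectable so the logic can be exercised offline.

```python
import json
import urllib.request

# Endpoint and payload shape as used by the curl command in the post.
VLAI_URL = "https://vulnerability.circl.lu/api/vlai/severity-classification"

# Assumed label set (CVSS qualitative ratings); unknown labels sort last, not rejected.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed sample data: the start of the Ivanti description quoted in the post,
# and the reply the post shows for it.
SAMPLE_DESCRIPTION = (
    "Ivanti has released updates for Ivanti Neurons for ITSM (on-prem only) which "
    "addresses one critical severity vulnerability. Depending on system configuration, "
    "successful exploitation could allow an unauthenticated remote attacker to gain "
    "administrative access to the system."
)
SAMPLE_RESPONSE = '{"severity": "Critical", "confidence": 0.9256}'


def build_request(description: str) -> urllib.request.Request:
    """Same POST the curl command sends: a JSON object with one 'description' key."""
    body = json.dumps({"description": description}).encode("utf-8")
    return urllib.request.Request(
        VLAI_URL, data=body, method="POST",
        headers={"accept": "application/json", "Content-Type": "application/json"},
    )


def http_transport(description: str) -> str:
    """Real network call (needs connectivity); tests swap in a fake transport."""
    with urllib.request.urlopen(build_request(description), timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_response(body: str) -> tuple:
    """Validate the reply before acting on it: a string label and a confidence in [0, 1]."""
    data = json.loads(body)
    severity = data.get("severity")
    confidence = data.get("confidence")
    if not isinstance(severity, str) or not isinstance(confidence, (int, float)):
        raise ValueError(f"unexpected VLAI reply: {body!r}")
    if not 0.0 <= confidence <= 1.0:
        raise ValueError(f"confidence out of range: {confidence}")
    return severity, float(confidence)


def triage(severity: str, confidence: float, min_confidence: float = 0.8) -> str:
    """Map a model prediction to a queue; uncertain predictions go to a human."""
    if confidence < min_confidence:
        return f"manual-review (model said {severity} at {confidence:.2f})"
    return severity


def rank_descriptions(descriptions, transport=http_transport, min_confidence=0.8):
    """Classify each description and return rows ordered most-severe first,
    with confident labels ahead of uncertain ones at the same severity."""
    rows = []
    for text in descriptions:
        severity, confidence = parse_response(transport(text))
        rows.append({
            "description": text,
            "severity": severity,
            "confidence": confidence,
            "queue": triage(severity, confidence, min_confidence),
        })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 0), r["confidence"]), reverse=True)
    return rows


if __name__ == "__main__":
    sev, conf = parse_response(SAMPLE_RESPONSE)
    print(triage(sev, conf))
    # Live call against the public instance:
    # for row in rank_descriptions([SAMPLE_DESCRIPTION]): print(row)
```

The confidence gate is the part worth keeping: a model-assigned severity is a triage hint, and the reply's confidence field is what lets you decide when that hint is good enough to act on and when an analyst should read the advisory instead.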

Okay. Every now and then, I may use some AI to help write something.

But if I can't articulate what's wrong or where something is broken to get it fixed, maybe I should leave that up to someone who can.

Open source project curl is sick of users submitting “AI slop” vulnerabilities

arstechnica.com/gadgets/2025/0

#OpenSource #cURL #AI

📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #18/2025 is out!

It includes the following and much more:

🇫🇷 🇷🇺 France has linked Russian APT to 12 #cyberattacks on French Orgs.;

🇺🇸 Cybersecurity experts demand the reinstatement of Chris Krebs' security clearances and the withdrawal of the investigation;

🐛 🍎 #Vulnerabilities in Apple's #AirPlay Protocol;

🚉 New York's Metropolitan Transportation Authority plans to use #AI and cameras to detect potential subway crimes before they happen;

🇨🇳 @SentinelOne Targeted by Chinese #PurpleHaze Group;

🔐 #Microsoft sets all new accounts #passwordless by default;

🇺🇸 💸 The #Trump administration plans to cut $491 million from #CISA's budget;

Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

infosec-mashup.santolaria.net/

X’s InfoSec Newsletter 🕵🏻‍♂️ · [InfoSec MASHUP] 18/2025 · France has linked Russian APT to 12 cyberattacks on French Orgs.; Cybersecurity experts demand the reinstatement of Chris Krebs' security clearances and the withdrawal of the investigation; Vulnerabilities in Apple's AirPlay Protocol; New York's Metropolitan Transportation Authority plans to use AI and cameras to detect potential subway crimes before they happen; SentinelOne Targeted by Chinese PurpleHaze Group; Microsoft sets all new Accounts passwordless by Default; The Trump administration plans to cut $491 million from CISA's budget;

📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #17/2025 is out!

It includes the following and much more:

🇺🇸 👋🏻 Two top officials from #CISA resigned;

🇺🇸 💬 U.S. Defense Secretary Pete Hegseth caught in another information leak;

📊 Yearly Threat Intelligence Reports Released;

🇺🇸 💸 U.S. lost record $16.6 billion to #cybercrime in 2024;

🇺🇸 5.5 Million Patients Affected by #DataBreach at Yale New Haven Health;

🐛 💥 VulnCheck spotted 159 actively exploited #vulnerabilities in first few months of 2025;

🇺🇸 🇨🇳 FBI is seeking public help to identify Chinese hackers known as #SaltTyphoon and offers $10 million reward;

Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

infosec-mashup.santolaria.net/

X’s InfoSec Newsletter 🕵🏻‍♂️ · [InfoSec MASHUP] 16/2025 · Two top officials from CISA resigned; U.S. Defense Secretary Pete Hegseth caught in another information leak; Yearly Threat Intelligence Reports Released; U.S. lost record $16.6 billion to cybercrime in 2024; 5.5 Million Patients Affected by Data Breach at Yale New Haven Health; VulnCheck spotted 159 actively exploited vulnerabilities in first few months of 2025; FBI is seeking public help to identify Chinese hackers known as Salt Typhoon and offers $10 million reward;