Windows systems are under threat! A tiny flaw now lets hackers steal sensitive credentials with just a folder click. How safe is your PC against these crafty phishing attacks? Read more on this alarming vulnerability.

https://thedefendopsdiaries.com/understanding-the-cve-2025-24054-vulnerability-a-critical-threat-to-windows-systems/

#cve202524054
#windowsvulnerability
#ntlmhash
#cybersecurity
#phishingattacks

CVE ID: CVE-2025-24054
Vendor: Microsoft
Product: Windows
Date Added: 2025-04-17
Vulnerability: Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability
Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054 ; https://nvd.nist.gov/vuln/detail/CVE-2025-24054
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-24054

CISA has updated the KEV catalogue.

- CVE-2025-31200: Apple Multiple Products Memory Corruption Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31200

- CVE-2025-31201: Apple Multiple Products Arbitrary Read and Write Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31201

- CVE-2025-24054: Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-24054 #CISA #cybersecurity #infosec #Apple #Microsoft

CVE ID: CVE-2025-24054
Vendor: Microsoft
Product: Windows
Date Added: 2025-04-17
Vulnerability: Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability
Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054 ; https://nvd.nist.gov/vuln/detail/CVE-2025-24054
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-24054

CISA has updated the KEV catalogue.

- CVE-2025-31200: Apple Multiple Products Memory Corruption Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31200

- CVE-2025-31201: Apple Multiple Products Arbitrary Read and Write Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31201

- CVE-2025-24054: Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-24054 #CISA #cybersecurity #infosec #Apple #Microsoft

Windows NTLM vulnerability exploited in multiple attack campaigns

CVE-2025-24054, a Windows NTLM hash disclosure vulnerability that Microsoft has issued patches for last month, has been leveraged by threat actors. Active exploitation in the wild has been observed since March 19, 2025.

https://www.helpnetsecurity.com/2025/04/17/windows-ntlm-vulnerability-exploited-in-multiple-attack-campaigns-cve-2025-24054/

#cybersecurity #Windows

Windows NTLM Vulnerability (CVE-2025-24054) Actively Exploit in the Wild to Hack Systems https://gbhackers.com/windows-ntlm-vulnerability/ #CyberSecurityNews #cybersecurity #Vulnerability #Exploit #Windows

https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/

• CVE-2025-24054 is a vulnerability related to NTLM hash disclosure via spoofing, which can be exploited using a maliciously crafted .library-ms file. Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems. Although Microsoft released a patch on March 11, 2025, threat actors already had over a week to develop and deploy exploits before the vulnerability began to be actively abused.

• Around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania. Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.

• Initial reports suggested that exploitation occurred once the .library-ms file was unzipped. However, Microsoft’s patch documentation indicated that the vulnerability could even be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. This exploit appears to be a variant of a previously patched vulnerability, CVE-2024-43451, as both share several similarities.

Check Point: CVE-2025-24054, NTLM Exploit in the Wild https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/ #cybersecurity #Infosec

CVE ID: CVE-2025-31200
Vendor: Apple
Product: Multiple Products
Date Added: 2025-04-17
Vulnerability: Apple Multiple Products Memory Corruption Vulnerability
Notes: https://support.apple.com/en-us/122282 ; https://support.apple.com/en-us/122400 ; https://support.apple.com/en-us/122401 ; https://support.apple.com/en-us/122402 ; https://nvd.nist.gov/vuln/detail/CVE-2025-31200
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-31200

CISA has updated the KEV catalogue.

- CVE-2025-31200: Apple Multiple Products Memory Corruption Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31200

- CVE-2025-31201: Apple Multiple Products Arbitrary Read and Write Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31201

- CVE-2025-24054: Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-24054 #CISA #cybersecurity #infosec #Apple #Microsoft

CVE ID: CVE-2025-31200
Vendor: Apple
Product: Multiple Products
Date Added: 2025-04-17
Vulnerability: Apple Multiple Products Memory Corruption Vulnerability
Notes: https://support.apple.com/en-us/122282 ; https://support.apple.com/en-us/122400 ; https://support.apple.com/en-us/122401 ; https://support.apple.com/en-us/122402 ; https://nvd.nist.gov/vuln/detail/CVE-2025-31200
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-31200

CISA has updated the KEV catalogue.

- CVE-2025-31200: Apple Multiple Products Memory Corruption Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31200

- CVE-2025-31201: Apple Multiple Products Arbitrary Read and Write Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31201

- CVE-2025-24054: Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-24054 #CISA #cybersecurity #infosec #Apple #Microsoft

Heads up, Apple folks! 🚨 Listen up, 'cause there are new zero-days floating around, and getting those updates installed is absolutely ESSENTIAL!

We're talking about CVE-2025-31200 and CVE-2025-31201, and yeah, attackers are *already* actively exploiting them in the wild. This impacts a whole range of systems: iOS, iPadOS, macOS, tvOS, and even visionOS. What can they do? Think code execution and completely bypassing security measures. 😱 Nasty stuff, right?

Honestly, I see these kinds of vulnerabilities get weaponized way too often in real-world scenarios. It's also a stark reminder that automated tools, while useful, can definitely overlook critical flaws like these sometimes. That’s exactly why thorough, manual pentesting remains so incredibly important. So please, go check your systems!

Have you managed to get everything updated yet? Also, I'm really curious – what tools or methods are you relying on to spot any fishy activity on your networks? Drop your thoughts below! 👇

#AppleSecurity #InfoSec #Pentesting #Cybersecurity #ZeroDay #UpdateNow

CVE-2025-31200: Another day, another critical, zero-day exploited, bounds-checking CVE.

I feel it's long overdue for the tech industry at large to standardize on memory-safe languages.

Update your #Apple devices ASAP. Two vulnerabilities, CVE-2025-31200 and CVE-2025-31201, have been fixed: https://support.apple.com/en-us/122282

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS."

While iOS has been known to be targeted, the fixes are available for all Apple devices and should be installed as soon as possible.

#activeexploitation #CVE_2025_31200 #CVE_2025_31201

📣 EMERGENCY UPDATES 📣

Apple pushed updates for 2 new zero-days that may have been actively exploited.

🐛 CVE-2025-31200 (CoreAudio),
🐛 CVE-2025-31201 (RPAC):
- iOS and iPadOS 18.4.1
- macOS Sequoia 15.4.1
- tvOS 18.4.1
- visionOS 2.4.1

#apple #cybersecurity #infosec #security #ios

CVE ID: CVE-2025-31201
Vendor: Apple
Product: Multiple Products
Date Added: 2025-04-17
Vulnerability: Apple Multiple Products Arbitrary Read and Write Vulnerability
Notes: https://support.apple.com/en-us/122282 ; https://support.apple.com/en-us/122400 ; https://support.apple.com/en-us/122401 ; https://support.apple.com/en-us/122402 ; https://nvd.nist.gov/vuln/detail/CVE-2025-31201
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-31201

CISA has updated the KEV catalogue.

- CVE-2025-31200: Apple Multiple Products Memory Corruption Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31200

- CVE-2025-31201: Apple Multiple Products Arbitrary Read and Write Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31201

- CVE-2025-24054: Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-24054 #CISA #cybersecurity #infosec #Apple #Microsoft

CVE ID: CVE-2025-31201
Vendor: Apple
Product: Multiple Products
Date Added: 2025-04-17
Vulnerability: Apple Multiple Products Arbitrary Read and Write Vulnerability
Notes: https://support.apple.com/en-us/122282 ; https://support.apple.com/en-us/122400 ; https://support.apple.com/en-us/122401 ; https://support.apple.com/en-us/122402 ; https://nvd.nist.gov/vuln/detail/CVE-2025-31201
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-31201

CISA has updated the KEV catalogue.

- CVE-2025-31200: Apple Multiple Products Memory Corruption Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31200

- CVE-2025-31201: Apple Multiple Products Arbitrary Read and Write Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-31201

- CVE-2025-24054: Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability https://www.cve.org/CVERecord?id=CVE-2025-24054 #CISA #cybersecurity #infosec #Apple #Microsoft

Heads up, Apple folks! 🚨 Listen up, 'cause there are new zero-days floating around, and getting those updates installed is absolutely ESSENTIAL!

We're talking about CVE-2025-31200 and CVE-2025-31201, and yeah, attackers are *already* actively exploiting them in the wild. This impacts a whole range of systems: iOS, iPadOS, macOS, tvOS, and even visionOS. What can they do? Think code execution and completely bypassing security measures. 😱 Nasty stuff, right?

Honestly, I see these kinds of vulnerabilities get weaponized way too often in real-world scenarios. It's also a stark reminder that automated tools, while useful, can definitely overlook critical flaws like these sometimes. That’s exactly why thorough, manual pentesting remains so incredibly important. So please, go check your systems!

Have you managed to get everything updated yet? Also, I'm really curious – what tools or methods are you relying on to spot any fishy activity on your networks? Drop your thoughts below! 👇

#AppleSecurity #InfoSec #Pentesting #Cybersecurity #ZeroDay #UpdateNow

Update your #Apple devices ASAP. Two vulnerabilities, CVE-2025-31200 and CVE-2025-31201, have been fixed: https://support.apple.com/en-us/122282

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS."

While iOS has been known to be targeted, the fixes are available for all Apple devices and should be installed as soon as possible.

#activeexploitation #CVE_2025_31200 #CVE_2025_31201

📣 EMERGENCY UPDATES 📣

Apple pushed updates for 2 new zero-days that may have been actively exploited.

🐛 CVE-2025-31200 (CoreAudio),
🐛 CVE-2025-31201 (RPAC):
- iOS and iPadOS 18.4.1
- macOS Sequoia 15.4.1
- tvOS 18.4.1
- visionOS 2.4.1

#apple #cybersecurity #infosec #security #ios

Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now

A critical vulnerability in the Erlang/OTP SSH, tracked as CVE-2025-32433, has been disclosed that allows for unauthenticated remote code execution...

🔗️ [Bleepingcomputer] https://link.is.it/g9fxbp

A major flaw in Erlang/OTP SSH now lets attackers run code without needing any credentials—imagine leaving your front door wide open. Is your system at risk? Dive into the details and learn how to lock it down.

https://thedefendopsdiaries.com/understanding-and-mitigating-the-cve-2025-32433-vulnerability-in-erlangotp-ssh/

#cve202532433
#erlang
#sshsecurity
#remotecodeexecution
#cybersecurity

🚨Critical remote code execution zero-day (CVSS 10.0) vulnerability CVE-2025-32433 affecting the Erlang/OTP SSH service allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication

"All users running the Erlang/OTP SSH server are impacted by this vulnerability, regardless of the underlying Erlang/OTP version. If your application provides SSH access using the Erlang/OTP SSH library, assume you are affected.

📰 Today's Top 20 Hacker News Stories (Sorted by Score) 📰
----------------------------------------
🔖 Title: Zoom outage caused by accidental 'shutting down' of the zoom.us domain
🔗 URL: https://status.zoom.us/incidents/pw9r9vnq5rvk
👍 Score: [575]
💬 Discussion: https://news.ycombinator.com/item?id=43711957
----------------------------------------
🔖 Title: Making Software
🔗 URL: https://www.makingsoftware.com/
👍 Score: [478]
💬 Discussion: https://news.ycombinator.com/item?id=43678144
----------------------------------------
🔖 Title: Google is illegally monopolizing online advertising tech, judge rules
🔗 URL: https://www.nytimes.com/2025/04/17/technology/google-ad-tech-antitrust-ruling.html
👍 Score: [395]
💬 Discussion: https://news.ycombinator.com/item?id=43717705
----------------------------------------
🔖 Title: An Intro to DeepSeek's Distributed File System
🔗 URL: https://maknee.github.io/blog/2025/3FS-Performance-Journal-1/
👍 Score: [337]
💬 Discussion: https://news.ycombinator.com/item?id=43716058
----------------------------------------
🔖 Title: Passing planes and other whoosh sounds
🔗 URL: https://www.windytan.com/2025/04/passing-planes-and-other-whoosh-sounds.html
👍 Score: [170]
💬 Discussion: https://news.ycombinator.com/item?id=43713524
----------------------------------------
🔖 Title: Why Japan's "Weakest Samurai Warlord" Is Still Admired to This Day
🔗 URL: https://www.tokyoweekender.com/art_and_culture/japanese-culture/oda-ujiharu-the-weakest-samurai-warlord/
👍 Score: [132]
💬 Discussion: https://news.ycombinator.com/item?id=43714619
----------------------------------------
🔖 Title: Unauthenticated Remote Code Execution in Erlang/OTP SSH
🔗 URL: https://nvd.nist.gov/vuln/detail/CVE-2025-32433
👍 Score: [112]
💬 Discussion: https://news.ycombinator.com/item?id=43716526
----------------------------------------
🔖 Title: HDR‑Infused Emoji
🔗 URL: https://sharpletters.net/2025/04/16/hdr-emoji/
👍 Score: [106]
💬 Discussion: https://news.ycombinator.com/item?id=43717606
----------------------------------------
🔖 Title: MCP Run Python
🔗 URL: https://github.com/pydantic/pydantic-ai/tree/main/mcp-run-python
👍 Score: [72]
💬 Discussion: https://news.ycombinator.com/item?id=43691230
----------------------------------------
🔖 Title: The Second Half
🔗 URL: https://ysymyth.github.io/The-Second-Half/
👍 Score: [61]
💬 Discussion: https://news.ycombinator.com/item?id=43679065
----------------------------------------
🔖 Title: Stainless steel strengthened: Twisting creates submicron 'anti-crash wall'
🔗 URL: https://techxplore.com/news/2025-04-stainless-steel-technique-submicron-anti.html
👍 Score: [60]
💬 Discussion: https://news.ycombinator.com/item?id=43717377
----------------------------------------
🔖 Title: Show HN: AgentAPI – HTTP API for Claude Code, Goose, Aider, and Codex
🔗 URL: https://github.com/coder/agentapi
👍 Score: [54]
💬 Discussion: https://news.ycombinator.com/item?id=43719447
----------------------------------------
🔖 Title: Vivarium: The keeper of a lab's animals stumbles onto a secret [fiction]
🔗 URL: https://jsomers.net/vivarium/
👍 Score: [45]
💬 Discussion: https://news.ycombinator.com/item?id=43710761
----------------------------------------
🔖 Title: OpenAI looked at buying Cursor creator before turning to Windsurf
🔗 URL: https://www.cnbc.com/2025/04/17/openai-looked-at-cursor-before-considering-deal-with-rival-windsurf.html
👍 Score: [38]
💬 Discussion: https://news.ycombinator.com/item?id=43716856
----------------------------------------
🔖 Title: Snapchat is harming children at an industrial scale
🔗 URL: https://www.afterbabel.com/p/industrial-scale-snapchat
👍 Score: [38]
💬 Discussion: https://news.ycombinator.com/item?id=43704382
----------------------------------------
🔖 Title: On Jane Jacobs (2017)
🔗 URL: https://salmagundi.skidmore.edu/articles/75-on-jane-jacobs
👍 Score: [28]
💬 Discussion: https://news.ycombinator.com/item?id=43719926
----------------------------------------
🔖 Title: Milwaukee M18 Battery Reverse Engineering
🔗 URL: https://quagmirerepair.com/milwaukee-m18-battery-reverse-engineering
👍 Score: [26]
💬 Discussion: https://news.ycombinator.com/item?id=43718809
----------------------------------------
🔖 Title: SQLite Transactions and Virtual Tables
🔗 URL: https://misfra.me/2025/sqlite-transactions-and-virtual-tables/
👍 Score: [20]
💬 Discussion: https://news.ycombinator.com/item?id=43719830
----------------------------------------
🔖 Title: A cute proof that makes e natural
🔗 URL: https://www.poshenloh.com/e/
👍 Score: [17]
💬 Discussion: https://news.ycombinator.com/item?id=43718988
----------------------------------------
🔖 Title: Ultrafast Optical Detector
🔗 URL: https://www.tdk.com/en/about_tdk/innovation/spin-photo-detector/index.html
👍 Score: [15]
💬 Discussion: https://news.ycombinator.com/item?id=43692746
----------------------------------------

🚨CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH

CVSS: 10

https://darkwebinformer.com/cve-2025-32433-unauthenticated-remote-code-execution-in-erlang-otp-ssh/

🚨 CVSS 10.0 RCE flaw (CVE-2025-32433) found in Erlang/OTP SSH. Affects systems using it for remote access, including IoT and telecom. Patch now!

Read: https://hackread.com/researchers-cvss-severity-rce-vulnerability-erlang-otp-ssh/

#Cybersecurity #InfoSec #Vulnerability #Erlang #OTPSSH

Unauthenticated Remote Code Execution in Erlang/OTP SSH

Link: https://nvd.nist.gov/vuln/detail/CVE-2025-32433
Discussion: https://news.ycombinator.com/item?id=43716526

we talk about ssh with @jtk and bam there is this

https://vulnerability.circl.lu/vuln/CVE-2025-32433#sightings

“SSH server (Erlang) may allow an attacker to perform unauthenticated remote code execution (RCE).”

We should be careful when we talk.

#vulnerability #ssh #erlang

Unauthenticated Remote Code Execution in Erlang/OTP SSH

Link: https://nvd.nist.gov/vuln/detail/CVE-2025-32433
Discussion: https://news.ycombinator.com/item?id=43716526

Unauthenticated Remote Code Execution in Erlang/OTP SSH
Link: https://nvd.nist.gov/vuln/detail/CVE-2025-32433
Comments: https://news.ycombinator.com/item?id=43716526

Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now

A critical vulnerability in the Erlang/OTP SSH, tracked as CVE-2025-32433, has been disclosed that allows for unauthenticated remote code execution...

🔗️ [Bleepingcomputer] https://link.is.it/g9fxbp

🚨CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH

CVSS: 10

https://darkwebinformer.com/cve-2025-32433-unauthenticated-remote-code-execution-in-erlang-otp-ssh/

🚨 CVSS 10.0 RCE flaw (CVE-2025-32433) found in Erlang/OTP SSH. Affects systems using it for remote access, including IoT and telecom. Patch now!

Read: https://hackread.com/researchers-cvss-severity-rce-vulnerability-erlang-otp-ssh/

#Cybersecurity #InfoSec #Vulnerability #Erlang #OTPSSH

Unauthenticated Remote Code Execution in Erlang/OTP SSH

Link: https://nvd.nist.gov/vuln/detail/CVE-2025-32433
Discussion: https://news.ycombinator.com/item?id=43716526

we talk about ssh with @jtk and bam there is this

https://vulnerability.circl.lu/vuln/CVE-2025-32433#sightings

“SSH server (Erlang) may allow an attacker to perform unauthenticated remote code execution (RCE).”

We should be careful when we talk.

#vulnerability #ssh #erlang

Unauthenticated Remote Code Execution in Erlang/OTP SSH

Link: https://nvd.nist.gov/vuln/detail/CVE-2025-32433
Discussion: https://news.ycombinator.com/item?id=43716526

Unauthenticated Remote Code Execution in Erlang/OTP SSH
Link: https://nvd.nist.gov/vuln/detail/CVE-2025-32433
Comments: https://news.ycombinator.com/item?id=43716526

Unauthenticated Remote Code Execution in Erlang/OTP SSH
https://nvd.nist.gov/vuln/detail/CVE-2025-32433
#ycombinator

Critical vulnerability found in Erlang/OTP SSH server

https://nvd.nist.gov/vuln/detail/CVE-2025-32433

#HackerNews #CriticalVulnerability #ErlangOTP #SSHServer #CyberSecurity #CVE2025 #CVE

Openwall, from yesterday: Unauthenticated Remote Code Execution in Erlang/OTP SSH - CVE-2025-32433 (maximum severity) https://www.openwall.com/lists/oss-security/2025/04/16/2

More:

The Hacker News: Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution https://thehackernews.com/2025/04/critical-erlangotp-ssh-vulnerability.html @thehackernews #cybersecurity #Infosec

Oh my. 🥳

https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2

sev:CRIT 10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials. This issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. A temporary workaround involves disabling the SSH server or to prevent access via firewall rules.

https://nvd.nist.gov/vuln/detail/CVE-2025-32433

Use full paths for your DLLs plz. OpenText just learned about it.

https://portal.microfocus.com/s/article/KM000040073?language=en_US

sev:HIGH 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.This issue affects Secure Content Manager: 23.4. End-users can potentially exploit the vulnerability to execute malicious code in the trusted context of the thick-client application.

https://nvd.nist.gov/vuln/detail/CVE-2024-12530

Use full paths for your DLLs plz. OpenText just learned about it.

https://portal.microfocus.com/s/article/KM000040073?language=en_US

sev:HIGH 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.This issue affects Secure Content Manager: 23.4. End-users can potentially exploit the vulnerability to execute malicious code in the trusted context of the thick-client application.

https://nvd.nist.gov/vuln/detail/CVE-2024-12530

Did I already share this one @Dio9sys @da_667 ? They just had a new CVE published today for Tenda and I can't remember.

https://github.com/xyqer1?tab=repositories

https://nvd.nist.gov/vuln/detail/CVE-2025-25457

Did I already share this one @Dio9sys @da_667 ? They just had a new CVE published today for Tenda and I can't remember.

https://github.com/xyqer1?tab=repositories

https://nvd.nist.gov/vuln/detail/CVE-2025-25457

Perforce with a couple CVEs today.

https://portal.perforce.com/s/detail/a91PA000001SeefYAC

sev:CRIT 9.0 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

A valid, authenticated user with sufficient privileges and who is aware of Continuous Compliance’s internal database configurations can leverage the application’s built-in Connector functionality to access Continuous Compliance’s internal database. This allows the user to explore the internal database schema and export its data, including the properties of Connecters and Rule Sets.

https://nvd.nist.gov/vuln/detail/CVE-2025-3113

https://portal.perforce.com/s/detail/a91PA000001Sed3YAC

sev:HIGH 8.5 - CVSS:4.0/AV:P/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H

An attacker with knowledge of creating user accounts during VM deployment on Google Cloud Platform (GCP) using the OS Login feature, can login via SSH gaining command-line control of the operating system. This allows an attacker to gain access to sensitive data stored on the VM, install malicious software, and disrupt or disable the functionality of the VM.

https://nvd.nist.gov/vuln/detail/CVE-2025-2903

Perforce with a couple CVEs today.

https://portal.perforce.com/s/detail/a91PA000001SeefYAC

sev:CRIT 9.0 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

A valid, authenticated user with sufficient privileges and who is aware of Continuous Compliance’s internal database configurations can leverage the application’s built-in Connector functionality to access Continuous Compliance’s internal database. This allows the user to explore the internal database schema and export its data, including the properties of Connecters and Rule Sets.

https://nvd.nist.gov/vuln/detail/CVE-2025-3113

https://portal.perforce.com/s/detail/a91PA000001Sed3YAC

sev:HIGH 8.5 - CVSS:4.0/AV:P/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H

An attacker with knowledge of creating user accounts during VM deployment on Google Cloud Platform (GCP) using the OS Login feature, can login via SSH gaining command-line control of the operating system. This allows an attacker to gain access to sensitive data stored on the VM, install malicious software, and disrupt or disable the functionality of the VM.

https://nvd.nist.gov/vuln/detail/CVE-2025-2903

It's alive! The CVE Program has secured another 11 months of funding, which can now be used to establish alternatives and secure other sources of funding.

#MITRE published already a few new #CVE​s today, like this privilege escalation in the Nullsoft Scriptable Install System: https://fieldguide.lutrasecurity.com/CVE-2025-43715/

Resource injection in Hitachi Vantara. Once again, the published CVE has a bad link and the description is pretty worthless.

https://support.pentaho.com/hc/en-us/articles/35771876077709--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Improper-Control-of-Resource-Identifiers-Resource-Injection-Versions-before-10-2-0-2-including-9-3-x-Impacted-CVE-2025-0756

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

https://nvd.nist.gov/vuln/detail/CVE-2025-0756

New.

- Cisco Webex App Client-Side Remote Code Execution Vulnerability - CVE-2025-20236 (high) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-app-client-rce-ufyMMYLC

- Cisco Secure Network Analytics Privilege Escalation Vulnerability - CVE-2025-20178 (medium) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sna-prvesc-4BQmK33Z

- Cisco Nexus Dashboard LDAP Username Enumeration Vulnerability - CVE-2025-20150 (medium) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nd-unenum-2xFFh472 @TalosSecurity #Cisco #cybersecurity #Infosec

New.

- Cisco Webex App Client-Side Remote Code Execution Vulnerability - CVE-2025-20236 (high) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-app-client-rce-ufyMMYLC

- Cisco Secure Network Analytics Privilege Escalation Vulnerability - CVE-2025-20178 (medium) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sna-prvesc-4BQmK33Z

- Cisco Nexus Dashboard LDAP Username Enumeration Vulnerability - CVE-2025-20150 (medium) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nd-unenum-2xFFh472 @TalosSecurity #Cisco #cybersecurity #Infosec

New.

- Cisco Webex App Client-Side Remote Code Execution Vulnerability - CVE-2025-20236 (high) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-app-client-rce-ufyMMYLC

- Cisco Secure Network Analytics Privilege Escalation Vulnerability - CVE-2025-20178 (medium) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sna-prvesc-4BQmK33Z

- Cisco Nexus Dashboard LDAP Username Enumeration Vulnerability - CVE-2025-20150 (medium) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nd-unenum-2xFFh472 @TalosSecurity #Cisco #cybersecurity #Infosec

Arctic Wolf: Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035 https://arcticwolf.com/resources/blog/credential-access-campaign-targeting-sonicwall-sma-devices-potentially-linked-to-exploitation-of-cve-2021-20035/ #cybersecurity #infosec #SonicWall

Arctic Wolf: Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035 https://arcticwolf.com/resources/blog/credential-access-campaign-targeting-sonicwall-sma-devices-potentially-linked-to-exploitation-of-cve-2021-20035/ #cybersecurity #infosec #SonicWall

The vulnerability is tracked as CVE-2021-20035 and it has been described by SonicWall as an authenticated arbitrary command execution vulnerability. https://www.securityweek.com/sonicwall-flags-old-vulnerability-as-actively-exploited/

Can you believe CISA just added CVE-2021-20035 for SonicWall SMA to their Known Exploited Vulnerabilities list? Yeah, a vulnerability from *2021*! 🤦‍♂️

Seriously though, this is a stark reminder of why keeping up with patch management is absolutely critical. We're talking about an OS Command Injection flaw here, letting attackers run commands as the 'nobody' user... yikes!

This impacts SMA 200, 210, 400, 410, and 500v appliances. So, if you're running any of these, you *need* to double-check your firmware versions and get them patched ASAP. Honestly, leaving this open is just asking for trouble and makes attackers' lives way too easy.

And let's be real for a second: proactive penetration testing often uncovers more practical, real-world risks than just relying on that ISO 27001 certificate.

How often do you still stumble across these kinds of legacy vulns lurking in your own networks? Let me know below!

#infosec #pentest #cisa #sonicwall #patchmanagement #cybersecurity

CVE ID: CVE-2021-20035
Vendor: SonicWall
Product: SMA100 Appliances
Date Added: 2025-04-16
Vulnerability: SonicWall SMA100 Appliances OS Command Injection Vulnerability
Notes: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022 ; https://nvd.nist.gov/vuln/detail/CVE-2021-20035
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2021-20035

CISA has updated the KEV catalogue.

CISA: CVE-2021-20035: SonicWall SMA100 Appliances OS Command Injection Vulnerability https://www.cve.org/CVERecord?id=CVE-2021-20035 #CISA #cybersecurity #infosec

Microsoft Security Update Guide just updated this vulnerability:

Power Automate for Desktop - CVE-2025-29817, maximum severity https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29817 #cybersecurity #infosec #Microsoft

Gladinet flaw CVE-2025-30406 actively exploited in the wild https://securityaffairs.com/176552/hacking/gladinet-flaw-cve-2025-30406-actively-exploited-in-the-wild.html

@wdormann MSRC still haven't triaged the (I think) vuln CVE-2025-21204 patch introduces 🤪

Only had time now to take a look at the parquet security issue. A classic...

Basically a serialization issue, because of trying to load a class name that can be user input. Another good example where the security manager... well I am getting off-topic. Some security vendors try to calm down a little by telling that you can just stop importing untrusted parquet files... isn't that what a lot of lakehouses do, using the defacto standard library for parquet in Java?

https://www.endorlabs.com/learn/critical-rce-vulnerability-in-apache-parquet-cve-2025-30065---advisory-and-analysis

Cybersecurity advisories, today's and yesterday's:

Oracle Critical Patch Update Advisory - April 2025 https://www.oracle.com/security-alerts/cpuapr2025.html

Dell, posted today: DSA-2025-165: Dell Storage Resource Manager (SRM) and Dell Storage Monitoring and Reporting (SMR) Security Update for Multiple Third-Party Component Vulnerabilities https://www.dell.com/support/kbdoc/en-us/000309323/dsa-2025-165-dell-storage-resource-manager-srm-and-dell-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Apple, updated yesterday: https://support.apple.com/en-us/100100

Google: CVE-2023-52927, published yesterday https://cloud.google.com/support/bulletins

#cybersecurity #Infosec #Oracle #Google #Apple

Cybersecurity advisories, today's and yesterday's:

Oracle Critical Patch Update Advisory - April 2025 https://www.oracle.com/security-alerts/cpuapr2025.html

Dell, posted today: DSA-2025-165: Dell Storage Resource Manager (SRM) and Dell Storage Monitoring and Reporting (SMR) Security Update for Multiple Third-Party Component Vulnerabilities https://www.dell.com/support/kbdoc/en-us/000309323/dsa-2025-165-dell-storage-resource-manager-srm-and-dell-storage-monitoring-and-reporting-smr-security-update-for-multiple-third-party-component-vulnerabilities

Apple, updated yesterday: https://support.apple.com/en-us/100100

Google: CVE-2023-52927, published yesterday https://cloud.google.com/support/bulletins

#cybersecurity #Infosec #Oracle #Google #Apple

https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/

• CVE-2025-24054 is a vulnerability related to NTLM hash disclosure via spoofing, which can be exploited using a maliciously crafted .library-ms file. Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems. Although Microsoft released a patch on March 11, 2025, threat actors already had over a week to develop and deploy exploits before the vulnerability began to be actively abused.

• Around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania. Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.

• Initial reports suggested that exploitation occurred once the .library-ms file was unzipped. However, Microsoft’s patch documentation indicated that the vulnerability could even be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. This exploit appears to be a variant of a previously patched vulnerability, CVE-2024-43451, as both share several similarities.

Drop #640 (2025-04-17): Twisted Topics Thursday

DuckDB MCP; Bad Bots: Whatcha Gonna Do?; Terrifying Telemetry

As this tariFFable week slinks ever so further to a close, we’ll mix it up a bit for the Thursday Drop and cover some AI, the increasingly dead internet, and why you should never open your internet browser ever again.

And, we’ll make today’s a bit beefier to make up for no Wednesday Drop.

Type your email…

Subscribe

TL;DR

(This is an LLM/GPT-generated summary of today’s Drop using Ollama + llama 3.2 and a custom prompt.)

(Linkifying the WHOLE PARAGRAPH was an unexpected ‘hallucination’.)

The 2025 Web Browser Telemetry report from sizeof.cat shows that nearly all mainstream browsers, including privacy-focused ones, make unsolicited background connections, with only modified versions like LibreWolf and Waterfox minimizing telemetry at the expense of slower updates.

A hands-on walkthrough demonstrates connecting Claude Desktop to a DuckDB Model Context Protocol server, running anomaly detection SQL queries, and interpreting results to identify significant scanning spikes in security data.

Imperva’s 2025 Bad Bot Report reveals that automated bots now account for 51% of web traffic, with malicious bots making up 37% and targeting APIs and industries like travel and retail using increasingly sophisticated tactics.

DuckDB MCP

Our fine, feathered friends over at MotherDuck (the cloudy version of DuckDB) have a spiffy Model Context Protocol server for DuckDB which is super easy to hook up to, say, Claude Desktop to start exploring your data in some fancy and fun new ways.

I’m not a big fan of including all the args in the JSON configs of all these MCP clients (including Claude) so I made an entry for some tag, CVE, and sensor data from my $WORK like this:

"gndb": {  "command": "/Users/me/bin/gnddbmcp.sh"}

and that corresponding shell script is just:

#!/usr/bin/env bash/Users/me/.cargo/bin/uvx mcp-server-motherduck --db-path /Users/me/Data/gn.ddb

Claude has an “Attach to MCP” button which you can use to connect to the server and start exploring your data. And when I asked it what tables I had, you get something like this back:

> what tables are there?To see what tables exist in your database, I can help you run a query. Let me do that for you:{  `query`: `SHOW TABLES;`}Based on the query results, there are 4 tables in your database:1. cveActivity2. cveCpe3. sensors4. tagActivityWould you like to explore the schema of any of these tables to understand their structure?

I asked it a query that I already have scripts for (to see how well it performed):

> What tags have anomalous recent spikes with at least one day having over 200 unique IPs?To find tags with anomalous recent spikes with at least one day having over 200 unique IPs, I'll need to analyze the tagActivity table. Let me write a query to identify this pattern:{  `query`: `-- First, let's examine the schema of the tagActivity table to understand its structureDESCRIBE tagActivity;`}Now I'll query for tags that have had at least one day with over 200 unique IPs, and analyze patterns to identify anomalous spikes:{  `query`: `WITH tag_stats AS (    -- Calculate the average unique IPs per day for each tag    SELECT        tag_id,        name,        AVG(unique_ips) AS avg_unique_ips,        MAX(unique_ips) AS max_unique_ips,        STDDEV(unique_ips) AS stddev_unique_ips    FROM        tagActivity    GROUP BY        tag_id, name    HAVING        MAX(unique_ips) > 200  -- Filter for tags with at least one day over 200 unique IPs),tag_anomalies AS (    -- Join back to get days with anomalous activity    -- defined as days where unique_ips exceeds average + 2*stddev    SELECT        ta.day,        ta.tag_id,        ta.name,        ta.unique_ips,        ts.avg_unique_ips,        ts.stddev_unique_ips,        (ta.unique_ips - ts.avg_unique_ips) / NULLIF(ts.stddev_unique_ips, 0) AS z_score    FROM        tagActivity ta    JOIN        tag_stats ts ON ta.tag_id = ts.tag_id AND ta.name = ts.name    WHERE        ta.unique_ips > ts.avg_unique_ips + 2 * ts.stddev_unique_ips        AND ta.unique_ips > 200    ORDER BY        z_score DESC)-- Get the final results with the most anomalous tags firstSELECT    tag_id,    name,    MAX(z_score) AS max_z_score,    MAX(unique_ips) AS max_unique_ips,    AVG(unique_ips) AS avg_unique_ips_during_anomalies,    COUNT(*) AS anomalous_daysFROM    tag_anomaliesGROUP BY    tag_id, nameORDER BY    max_z_score DESCLIMIT 15;`}Let's get a bit more detail on the most significant anomalies by looking at their daily activity patterns:{  `query`: `-- Let's look at the daily pattern for the top 5 anomalous tagsWITH top_anomalous_tags AS (    SELECT        tag_id    FROM (        WITH tag_stats AS (            SELECT                tag_id,                name,                AVG(unique_ips) AS avg_unique_ips,                MAX(unique_ips) AS max_unique_ips,                STDDEV(unique_ips) AS stddev_unique_ips            FROM                tagActivity            GROUP BY                tag_id, name            HAVING                MAX(unique_ips) > 200        ),        tag_anomalies AS (            SELECT                ta.day,                ta.tag_id,                ta.name,                ta.unique_ips,                ts.avg_unique_ips,                ts.stddev_unique_ips,                (ta.unique_ips - ts.avg_unique_ips) / NULLIF(ts.stddev_unique_ips, 0) AS z_score            FROM                tagActivity ta            JOIN                tag_stats ts ON ta.tag_id = ts.tag_id AND ta.name = ts.name            WHERE                ta.unique_ips > ts.avg_unique_ips + 2 * ts.stddev_unique_ips                AND ta.unique_ips > 200        )        SELECT            tag_id,            name,            MAX(z_score) AS max_z_score        FROM            tag_anomalies        GROUP BY            tag_id, name        ORDER BY            max_z_score DESC        LIMIT 5    ))-- Get daily activity for these tags over the last 30 daysSELECT    ta.day,    ta.tag_id,    ta.name,    ta.unique_ipsFROM    tagActivity taJOIN    top_anomalous_tags t ON ta.tag_id = t.tag_idWHERE    ta.day >= (SELECT MAX(day) FROM tagActivity) - INTERVAL 30 DAYORDER BY    ta.tag_id, ta.day;`}Let's now find out when the anomalous spikes occurred (finding days when the unique_ips count exceeded 200 for these tags):{  `query`: `-- Find days where the unique_ips count exceeded 200 for these tagsSELECT    day,    tag_id,    name,    unique_ipsFROM    tagActivityWHERE    unique_ips > 200ORDER BY    day DESC, unique_ips DESC;`}…

I’ll spare you from the entire session and just drop the result (this is all 100% accurate from what I already knew):

Most Significant Anomalous Spikes

1. AWS Configuration Scanner (bbf098dc-a1e5-4e28-a5c3-cf7d96765151)
   • Had a major spike on April 9, 2025, with 1,742 unique IPs
   • This is an extreme outlier with a z-score of 6.52 (meaning it’s 6.52 standard deviations above normal activity)
   • Normal activity for this tag averages around 130 unique IPs per day
   • Also had another spike on April 16, 2025, with 280 unique IPs
2. robots.txt Scanner (215d03ae-6899-49dd-9167-4c22fe1e832d)
   • Experienced a significant spike on April 7, 2025, with 9,478 unique IPs
   • This represents a z-score of 5.75
   • This scanner typically has high activity (average ~5,800 IPs daily), but the April 7 spike was still notably anomalous
3. Spring Boot Actuator Crawler (d9f421c7-d877-448f-a822-95a24f2a0ad7)
   • Saw a major spike on April 1, 2025, with 4,810 unique IPs
   • Represents a z-score of 5.63
   • Normal activity averages around 348 unique IPs per day

Other Recent Anomalous Activity in April

4. Git Config Crawler (c536e78c-7206-47e9-90f3-6e4302444185)
   • Spike on April 16, 2025, with 1,004 unique IPs (z-score 3.31)
   • Normal activity averages around 347 unique IPs
5. MVPower CCTV DVR RCE CVE-2016-20016 Attempt (3b9f5a45-63d0-4b08-a4c7-cd514cdc92f4)
   • Spike on April 16, 2025, with 1,917 unique IPs (z-score 3.24)
   • Normal activity averages around 515 unique IPs
6. JAWS Webserver RCE (55ca1afe-c8a3-4d7b-a741-81075b9f8200)
   • Spike on April 16, 2025, with 1,917 unique IPs (z-score 3.24)
   • Normal activity averages around 515 unique IPs
7. WordPress Backup Migration RCE Attempt (95ecfd16-5307-47d7-9500-2f64b93adb11)
   • Spike on April 13, 2025, with 388 unique IPs (z-score 3.33)
   • Normal activity averages around 51 unique IPs
8. SPIP Scanner (487d4a3f-884c-416e-9e69-239b04baa5c8)
   • Spike on April 12, 2025, with 273 unique IPs (z-score 3.02)
   • Normal activity averages around 63 unique IPs
9. Apache Tomcat Crawler (ebd17317-0de5-431b-9aa6-c91407eaf40f)
   • Spike on April 14, 2025, with 547 unique IPs (z-score 3.12)
   • Normal activity averages around 218 unique IPs

Patterns and Observations

• The AWS Configuration Scanner showed the most statistically significant anomaly, with unique IP counts over 13x normal levels
• Several security vulnerability scanners appear in the list, suggesting coordinated scanning activities
• Many of these anomalous spikes occurred on specific dates (April 9, April 16, April 13), which could indicate coordinated scanning campaigns
• There’s a notable pattern of targeting web-related vulnerabilities (AWS configurations, Spring Boot, WordPress, Apache Tomcat)

These spikes represent unusual scanning activity that deviates significantly from normal patterns and could indicate new vulnerability scanning campaigns or increased interest in exploiting specific vulnerabilities.

I went on to ask a more gnarly question: “Which sensor + persona combos experienced degraded performance during the timespan in the records?”, and I put the results here.

You’ll see I had to tell it about the fact that the last day’s records were not complete, so it had to rerun the analysis again. I double-checked the results with my Observable Framework dashboard, and — sure enough — it got it right.

I know lots of folks are reluctant to have these tools touch real data and draw real conclusions. And, that is 100% fair. Just because you’re reducing the content pool for the probabilistic choices does not mean it won’t make 💩 up, but — if you know your domain — these can be tremendously useful tools to augment your regular data analysis.

Bad Bots: Whatcha Gonna Do?

Imperva is one of the decent names in both “cloud” and “security” spaces. And, like all vendors (including my $WORK), they released a new report right before the annual corproate cyber megacon (RSA). This year, it’s on “bad bots”, and paints a stark picture of an internet where automated bots, empowered by artificial intelligence, now dominate web traffic and pose escalating risks across the globe.

For the first time in a decade, automated traffic exceeded human activity, making up 51% of all web traffic in 2024. This surge is largely attributed to the proliferation of AI tools and large language models, which have dramatically lowered the technical barriers for attackers. As a result, malicious bots—those designed to commit fraud, steal data, or disrupt services—accounted for 37% of all internet traffic, up sharply from 32% the previous year. “Good” bots, such as search engine crawlers, now represent just 14% of traffic.

This rise in bad bot activity is not just a matter of volume but also of sophistication. Attackers increasingly use advanced tactics to mimic human behavior, evade detection, and exploit vulnerabilities in business logic, especially within APIs. In 2024, 44% of advanced bot traffic targeted APIs, compared to just 10% directed at traditional web applications. These attacks are highly effective because APIs are the backbone of digital transformation, powering everything from payments to analytics, and often lack the same level of scrutiny as user-facing web interfaces. Attackers exploit API logic to automate fraud, scrape sensitive data, and bypass security controls, frequently with devastating financial and reputational consequences for organizations.

Industry analysis reveals shifting patterns in bot targeting. The travel sector overtook retail in 2024 as the most attacked industry, accounting for 27% of all bad bot attacks. Travel and retail both face advanced threats: bots disrupt inventory, manipulate pricing models, and hijack customer accounts. In the travel industry, “seat spinning” bots hold tickets without purchasing, while scraping bots distort look-to-book ratios, undermining revenue management and competitive pricing. Retailers face ongoing threats from scalping, gift card fraud, and price scraping, with bot attacks now occurring year-round rather than just during peak shopping seasons.

The report also details the economic and regulatory consequences of unchecked bot activity. Successful attacks can lead to direct financial losses, regulatory penalties under laws like GDPR and CCPA, legal costs, and long-term reputational harm. For instance, a case study highlights how a global talent agency saw 83% of its web traffic generated by bad bots, skewing marketing analytics and draining advertising budgets until advanced bot protection was deployed.

There’s TONS more info in the report, along with recommendations for mitigating bot threats. It’s a great read, with a pretty modern/bold design (though I could have done without the 🍩).

Terrifying Telemetry

The 2025 “Web Browser Telemetry” report from sizeof.cat reveals how modern browsers communicate with external servers without our knowledge. The findings suggest that privacy concerns are warranted, as nearly all mainstream browsers engage in background network activities.

Researchers tested various browsers by analyzing network requests during fresh launches and navigation to blank pages. Chrome and Edge proved to be the most communicative, immediately sending data to Google and Microsoft servers for updates, safe browsing features, and browser-wielder metrics collection.

Firefox, though often recommended for privacy, still connects to Mozilla servers at startup for telemetry, updates, and security checks. Even after disabling telemetry in settings, some network requests continue for security updates and features like Pocket.

Modified Firefox versions like LibreWolf and Waterfox present a more nuanced situation. These browsers avoid unsolicited connections to Mozilla or analytics servers at startup, supporting their privacy-focused claims. Yet community reports suggest they may still make minimal connections for extension updates or certificate verification, though far fewer than standard Firefox. For folks prioritizing minimal telemetry, these modified versions currently offer the best balance, despite potentially slower security updates due to smaller development teams.

Chromium-based browsers like Brave and Vivaldi, which emphasize privacy features, also maintain some background connections for their own systems. While they block many external trackers, they still communicate with their respective servers for updates and occasionally for metrics collection, though less aggressively than Chrome or Edge.

Advanced privacy tools like Pi-hole or DNS-based blocking provide only partial protection, as some browsers bypass system DNS settings through direct IP connections to telemetry endpoints. This bypassing is particularly common in Windows and Chrome-based browsers that increasingly use hardcoded DNS-over-HTTPS or direct IP addresses to avoid local network controls.

It’s a pretty bleak and detailed report, but the blows are dampened if you move to a different tab, and watch the site cycle through different <title> sequences that appear to make it look like various other online services.

FIN

Remember, you can follow and interact with the full text of The Daily Drop’s free posts on:

• 🐘 Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev
• 🦋 Bluesky via https://bsky.app/profile/dailydrop.hrbrmstr.dev.web.brid.gy

☮️

#duckdb