The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two high-severity vulnerabilities to its catalog of known exploited vulnerabilities because they are being exploited in the wild. Both are directory traversal vulnerabilities that could enable attackers to install malware on a target system. CISA expects U.S. federal agencies to apply the vendors' patches for both vulnerabilities by August 30, 2022.

The first high-severity flaw, tracked as CVE-2022-34713 (aka the DogWalk bug), resides in the Windows Support Diagnostic Tool (MSDT) and allows attackers to drop a malicious executable into the Windows Startup folder. Successful exploitation of the DogWalk bug requires user interaction, which is easy to obtain through social engineering, especially in email and web-based attacks. In an email attack scenario, the attacker exploits the DogWalk bug by sending a specially crafted file to a user and convincing them to open it. In a web-based attack scenario, the attacker hosts a website containing a specially crafted file that exploits the DogWalk flaw. Microsoft patched CVE-2022-34713 in its August 2022 Patch Tuesday release, but an unofficial patch had been available since June 2022.

The second vulnerability added to CISA's Known Exploited Vulnerabilities Catalog is tracked as CVE-2022-30333, a path traversal bug in the UnRAR utility for Unix and Linux systems. An attacker could exploit this vulnerability to drop a malicious file onto a target system by having it extracted to an arbitrary location during an unpack operation.
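As an added defensive example (not part of the article and not UnRAR's own code): a pre-extraction check that refuses archive entry names which would resolve outside the destination directory, the class of escape described for CVE-2022-30333 above. It assumes Python 3.9+ and uses constructed entry names; the function and file names are hypothetical.

```python
import os
import tempfile
from pathlib import PurePosixPath

def is_safe_extract_target(dest_dir: str, member_name: str) -> bool:
    """True only if writing archive entry `member_name` under `dest_dir`
    cannot land outside `dest_dir`.

    Conservative by design: reject empty or absolute names, drive letters,
    and any '..' component (even one that would resolve back inside);
    treat backslashes as separators, because Unix archive tools commonly
    normalise them and a check that runs before that normalisation can be
    bypassed. Finally compare resolved real paths so an escape through a
    symlink already present on disk is also refused.
    """
    if not member_name:
        return False
    name = member_name.replace("\\", "/")
    if name.startswith("/") or os.path.isabs(name) or os.path.splitdrive(name)[0]:
        return False
    if any(part == ".." for part in PurePosixPath(name).parts):
        return False
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, name))
    return target == base or target.startswith(base + os.sep)

def partition_members(dest_dir: str, names: list[str]) -> tuple[list[str], list[str]]:
    """Split archive entry names into (accepted, rejected) for `dest_dir`."""
    accepted = [n for n in names if is_safe_extract_target(dest_dir, n)]
    rejected = [n for n in names if n not in accepted]
    return accepted, rejected

def symlink_escape_refused() -> bool:
    """Constructed demo: a destination containing a symlink that points
    outside it; an entry routed through that link must be rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        outside = os.path.join(tmp, "outside")
        os.mkdir(dest)
        os.mkdir(outside)
        os.symlink(outside, os.path.join(dest, "link"))
        return not is_safe_extract_target(dest, "link/payload.sh")

if __name__ == "__main__":
    # Constructed sample entry names; none come from a real archive.
    sample = ["docs/readme.txt", "../../etc/cron.d/job", "..\\..\\startup.bat",
              "/tmp/abs.sh", "bin/../ok.txt", ""]
    ok, bad = partition_members("/srv/unpack", sample)
    print("accepted:", ok)
    print("rejected:", bad)
    print("symlink escape refused:", symlink_escape_refused())
```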