Plus critical critical Notepad++, Ivanti, and Fortinet updates, and one of these patches an under-attack security hole Happy December Patch Tuesday to all who celebrate. This month's patch party includes one Microsoft flaw under exploitation, plus two others listed as publicly known – but just 57 CVEs in total from …
Microsoft today pushed updates to fix at least 56 security flaws in its Windows operating systems and supported software. This final Patch Tuesday of 2025 tackles one zero-day bug that is already being exploited, as well as two publicly disclosed vulnerabilities. Despite releasing a lower-than-normal number of security updates …
SAP has released its December security updates addressing 14 vulnerabilities across a range of products, including three critical-severity flaws. [...]
Identity management vendors like Okta see an opening to calm CISOs worried about agents running amok The fear of AI agents running amok has thus far halted the wide deployment of these digital workhorses, Okta's president of Auth0, Shiv Ramji, told The Register.... [...]
Microsoft says Windows PowerShell now warns when running scripts that use the Invoke-WebRequest cmdlet to download web content, aiming to prevent potentially risky code from executing. [...]
Microsoft has released the KB5071546 extended security update to resolve 57 security vulnerabilities, including three zero-day flaws. [...]
Microsoft's December 2025 Patch Tuesday fixes 57 flaws, including one actively exploited and two publicly disclosed zero-day vulnerabilities. [...]
Fortinet has released security updates to address two critical vulnerabilities in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that could allow attackers to bypass FortiCloud SSO authentication. [...]
Satellite silence trips immobilizers, leaving owners stuck Hundreds of Porsches in Russia were rendered immobile last week, raising speculation of a hack, but the German carmaker tells The Register that its vehicles are secure.... [...]
Have we learned nothing from sci-fi films and TV shows? Interview Imagine botnets in physical form and you've got a pretty good idea of what could go wrong with the influx of AI-infused humanoid robots expected to integrate into society over the next few decades.... [...]
Foreign secretary set to address senior diplomats later today The UK's foreign secretary is calling for closer collaboration with Europe to combat the growing threat of information warfare as hybrid attacks target countries on the continent.... [...]
Two competing arguments are making the rounds. The first is by a neurosurgeon in the New York Times. In an op-ed that honestly sounds like it was paid for by Waymo, the author calls driverless cars a “public health breakthrough”: In medical research, there’s a practice of ending …
As Portugal gives researchers a pass under cybersecurity law Portugal has become the latest country to carve out protections for researchers under its cybersecurity law.... [...]
Officials insist OBR relied on 'early estimate' and real figure won't emerge until next year The head of the department delivering the UK government's digital identity scheme has rejected the £1.8 billion cost forecast by the Office for Budget Responsibility (OBR), but is not willing to provide an …
Get your Hyper-V and VMware ESXi setups in order, people Researchers at security software vendor Huntress say they’ve noticed a huge increase in ransomware attacks on hypervisors and urged users to ensure they’re as secure as can be and properly backed up.... [...]
Today, we’re excited to announce IAM Policy Autopilot, an open-source static analysis tool that helps your AI coding assistants quickly create baseline AWS Identity and Access Management (IAM) policies that you can review and refine as your application evolves. IAM Policy Autopilot is available as a command-line tool …
Minors groomed to kill and intimidate victims Nearly 200 people, including minors accused of involvement in murder plots, have been arrested over the last six months as part of Europol's Operational Taskforce (OTF) GRIMM. The operation targets what cops call "violence-as-a-service" - crime crews recruiting kids and teens online to …
At re:Invent 2025, AWS unveiled its latest AI- and automation-enabled innovations to strengthen cloud security for customers to grow their business. Organizations are likely to increase security spending from $213 billion in 2025 to $377 billion by 2028 as they adopt generative AI. This 77% increase highlights the …
Atlantic Bastion combines AI systems with warships to counter increased surveillance The UK government has announced enhanced protection for undersea cables using autonomous vessels alongside crewed warships and aircraft, responding to escalating Russian surveillance activities.... [...]
Regulator disappointed as soon-to-be-scrapped algo's problems remained a secret despite consistent engagement The UK's data protection watchdog has criticized the Home Office for failing to disclose significant biases in police facial recognition technology, despite regular engagement between the organizations.... [...]
Here’s a fun paper: “ The Naibbe cipher: a substitution cipher that encrypts Latin and Italian as Voynich Manuscript-like ciphertext “: Abstract: In this article, I investigate the hypothesis that the Voynich Manuscript (MS 408, Yale University Beinecke Library) is compatible with being a ciphertext by attempting to develop a …
Body confirms patient and staff details siphoned via Oracle EBS flaw as gang threatens to leak haul Barts Health NHS Trust has confirmed that patient and staff data was stolen in Clop's mass-exploitation of Oracle's E-Business Suite (EBS), and says it is now taking legal action in an effort …
Analysts worry lazy users could have agents complete mandatory infosec training, and attackers could do far nastier things Agentic browsers are too risky for most organizations to use, according to analyst firm Gartner.... [...]
PLUS: South Korea to strengthen security standards; Canon closes Chinese printer plant; APAC datacenter capacity to triple by 2029; And more Asia In Brief Chinese rocketry outfit LandSpace last week flew what it hoped would be the country’s first reusable rocket, only to watch it explode while attempting …
PLUS: New kind of DDOS from the Americas; Predator still hunting spyware targets; NIST issues IoT advice; And more! Infosec in Brief The Apache Foundation last week warned of a 10.0-rated flaw in its Tika toolkit.... [...]
Portugal has modified its cybercrime law to establish a legal safe harbor for good-faith security research and to make hacking non-punishable under certain strict conditions. [...]
Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182), with researchers now confirming that attackers have already compromised over 30 organizations across multiple sectors. [...]
A campaign has been observed targeting Palo Alto GlobalProtect portals with login attempts and launching scanning activity against SonicWall SonicOS API endpoints. [...]
A sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine. The Nerdify homepage. The link between essay mills and Russian attack drones might seem …
Wanna know a secret? Whether you're logging into your bank, health insurance, or even your email, most services today do not live by passwords alone. Now commonplace, multifactor authentication (MFA) requires users to enter a second or third proof of identity. However, not all forms of MFA are created …
Proof of life? Or an active social media presence? Criminals are altering social media and other publicly available images of people to use as fake proof of life photos in "virtual kidnapping" and extortion scams, the FBI warned on Friday.... [...]
The vampire squid ( Vampyroteuthis infernalis ) has the largest cephalopod genome ever sequenced: more than 11 billion base pairs. That’s more than twice as large as the biggest squid genomes. It’s technically not a squid: “The vampire squid is a fascinating twig tenaciously hanging onto the cephalopod family …
Who needs JavaScript? Security researcher Lyra Rebane has devised a novel clickjacking attack that relies on Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS).... [...]
Security community needs to rally and share more info faster, one researcher says Amid new reports of attackers pummeling a maximum security hole (CVE-2025-55182) in the React JavaScript library, Cloudflare's technology chief said his company took down its own network, forcing a widespread outage early Friday, to patch React2Shell …
Barts Health NHS Trust has announced that Clop ransomware actors have stolen files from a database by exploiting a vulnerability in its Oracle E-business Suite software. [...]
At Google Cloud, we sit at a unique intersection of two transformative technologies: AI and Web3. The rise of AI agents capable of interacting with blockchains opens up a world of automated financial strategies, fast payments, and more complex scenarios like executing complex DeFi operations and bridging assets across …
The FBI warns of criminals altering images shared on social media and using them as fake proof of life photos in virtual kidnapping ransom scams. [...]
Passive scan data goes stale fast as cloud assets shift daily, leaving teams blind to real exposures. Sprocket Security shows how continuous, automated recon gives accurate, up-to-date attack surface visibility. [...]
Laptop maker says a vendor breach exposed some phone camera code, but not its own systems Asus has admitted that a third-party supplier was popped by cybercrims after the Everest ransomware gang claimed it had rifled through the tech titan's internal files.... [...]
The European Commission has fined X €120 million ($140 million) for violating transparency obligations under the Digital Services Act (DSA). [...]
State-backed attackers started poking flaw as soon as it dropped – anyone still unpatched is on borrowed time Amazon has warned that China-nexus hacking crews began hammering the critical React "React2Shell" vulnerability within hours of disclosure, turning a theoretical CVSS-10 hole into a live-fire incident almost immediately.... [...]
Cloudflare has blamed today's outage on the emergency patching of a critical React remote code execution vulnerability, which is now actively exploited in attacks. [...]
American pharmaceutical firm Inotiv is notifying thousands of people that they're personal information was stolen in an August 2025 ransomware attack. [...]
Multiple China-linked threat actors began exploiting the React2Shell vulnerability (CVE-2025-55182) affecting React and Next.js just hours after the max-severity issue was disclosed. [...]
Plan would create statutory powers for police use of biometrics, prompting warnings of mass surveillance The UK government has kicked off plans to ramp up police use of facial recognition, undeterred by a mounting civil liberties backlash and fresh warnings that any expansion risks turning public spaces into biometric …
You can improve the odds by combining skepticism, verification habits, and a few technical checks Opinion Liars, cranks, and con artists have always been with us. It's just that nowadays their reach has gone from the local pub to the globe.... [...]
A new anonymous phone service allows you to sign up with just a zip code. [...]
Automated software keeps getting better at pilfering cryptocurrency Anthropic could have scored an easy $4.6 million by using its Claude AI models to find and exploit vulnerabilities in blockchain smart contracts.... [...]
Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda. This critical vulnerability in React Server Components has a maximum Common Vulnerability Scoring System (CVSS) score …
Threat actors have been exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users. [...]