This week's security landscape was dominated by critical vulnerabilities requiring immediate attention, alongside significant breaches impacting major organizations. High-severity CVEs in widely used software underscore the persistent need for rapid patch deployment.
Top Security Stories
Critical King Addons Vulnerability Exploited to Hack WordPress Sites
A critical-severity vulnerability in the King Addons for Elementor plugin for WordPress has been exploited to take over websites.
Source: securityweek.com
Android’s December 2025 Updates Patch Two Zero-Days
Google warns that two out of the 107 vulnerabilities patched in Android this month have been exploited in limited, targeted attacks.
Source: securityweek.com
North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware
The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 more malicious packages since last month. According to Socket, these packages ...
Source: thehackernews.com
Critical flaw in WordPress add-on for Elementor exploited in attacks
Attackers are exploiting a critical-severity privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin for WordPress, which lets them obtain administrative permissions...
Source: bleepingcomputer.com
Chinese Hackers Exploiting React2Shell Vulnerability
AWS has seen multiple China-linked threat groups attempting to exploit the React vulnerability CVE-2025-55182.
Source: securityweek.com
Hackers are exploiting ArrayOS AG VPN flaw to plant webshells
Threat actors have been exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users.
Source: bleepingcomputer.com
Google addresses 107 Android vulnerabilities, including two zero-days
The company’s latest security update contains the second-highest number of defects patched so far this year.
Source: cyberscoop.com
SmartTube YouTube app for Android TV breached to push malicious update
The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, leading to a malicious update being pushed to users.
Source: bleepingcomputer.com
Google Patches 107 Android Flaws, Including Two Framework Bugs Exploited in the Wild
Google on Monday released monthly security updates for the Android operating system, including two vulnerabilities that it said have been exploited in the wild. The patch addresses a total of 107 secu...
Source: thehackernews.com
Threat Actors Exploit Calendar Subscriptions for Phishing and Malware Delivery
BitSight research has revealed how threat actors exploit calendar subscriptions to deliver phishing links, malware and social engineering attacks through hijacked domains.
Source: infosecurity-magazine.com
Developers scramble as critical React flaw threatens major apps
The open-source code library is one of the most extensively used application frameworks. Wiz found vulnerable versions in around 39% of cloud environments.
Source: cyberscoop.com
Critical PickleScan Vulnerabilities Expose AI Model Supply Chains
3 critical zero-day flaws in PickleScan, affecting Python and PyTorch, allowed undetected attacks.
Source: infosecurity-magazine.com
CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People's...
Source: thehackernews.com
Post Office Escapes £1m Fine After Postmaster Data Breach
The Information Commissioner’s Office has chosen only to reprimand the Post Office after a 2024 breach.
Source: infosecurity-magazine.com
'MuddyWater' Hackers Target Israeli Orgs With Retro Game Tactic
Iran's top state-sponsored APT is usually rather crass. But in a recent spate of attacks, it tried out some interesting evasion tactics, including delving into Snake, an old-school mobile game.
Source: darkreading.com
Critical Vulnerabilities (CVEs)
| CVE ID | CVSS Score | Description |
|---|---|---|
| CVE-2025-65112 | 9.4 | PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated user... |
| CVE-2025-66034 | 6.3 | fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTo... |
| CVE-2025-13615 | 9.8 | The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the pl... |
| CVE-2025-13787 | 5.4 | A flaw has been found in ZenTao up to 21.7.6-8564. The affected element is the function file::delete of the file module/file/control.php of the compon... |
| CVE-2025-13788 | 7.3 | A vulnerability has been found in Chanjet CRM up to 20251106. The impacted element is an unknown function of the file /tools/upgradeattribute.php. The... |
Techworks Blog