The flaw, known as “MonikerLink,” allows attackers to bypass Outlook’s Protected View and execute malicious code or steal credentials. The PoC release highlights the continuing risk and provides security teams with insight into the attack vector.

Understanding the MonikerLink Flaw

This vulnerability, rated with a CVSS score of 9.8, originates from the way Outlook parses special hyperlinks called Moniker Links.

Protected View is designed to restrict suspicious files by running them in a limited, read‑only mode. However, attackers can bypass this protection by embedding a crafted file:// link containing an exclamation mark and additional text.

How the Exploit Triggers in Outlook

When a user clicks a malicious Moniker Link, Outlook attempts to access the referenced file without presenting any security warning.

This silent lookup can trigger an SMB connection to an attacker‑controlled server, resulting in the leakage of the victim’s NTLM credentials. In advanced attack scenarios, this behavior can escalate to remote code execution, giving attackers high‑level control over the compromised system.

The newly published Python-based PoC illustrates how this vulnerability can be exploited in a controlled lab setup. Available on GitHub, the script is designed to work with a specific configuration involving hMailServer and targets a user running a vulnerable version of Outlook.

It automates the process of sending an email that embeds the crafted Moniker Link, ensuring the malicious payload lands directly in the victim’s inbox.

According to the PoC author, the script assumes a simplified testing environment, including the absence of TLS authentication, to make the learning process easier. While the code is intentionally basic and aimed at users exploring the “MonikerLink” room on TryHackMe, it effectively demonstrates the core attack mechanics.

For researchers looking for more advanced tooling, the author also recommends alternative repositories, such as the one maintained by security researcher Xaitax.

Impact and Security Considerations

Beyond credential theft, the MonikerLink bypass can lead to full remote code execution when combined with other exploitation techniques.

This makes the flaw one of the most critical Outlook vulnerabilities disclosed in recent years. Organizations are urged to apply available patches and review email security controls to reduce exposure.

Mitigations:

• Watch for unusual email patterns that may indicate someone trying to trigger this weakness. A new YARA rule from researcher Florian Roth can help spot emails containing the file:\ path trick.
• Using this rule allows defenders to catch risky emails early, before they reach users.
• Microsoft has published security fixes for CVE-2024-21413, and updating systems right away is strongly recommended.
• Since exploit examples are now public, attackers are more likely to copy and use them.
• Make sure every Microsoft Office installation is running the latest security updates.
• Blocking outbound SMB connections on port 445 can help prevent NTLM credentials from leaking to outside servers.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post PoC Released for Critical Outlook Zero-Click RCE Bug appeared first on First Hackers News.

This flaw, caused by a stack-based buffer overflow, allows unauthenticated attackers to remotely execute arbitrary code on affected systems. It has already been actively exploited in the wild, raising concerns across the cybersecurity community.

Exploitation in the Wild

As of April 6, 2025, the Shadowserver Foundation reported that 5,113 Ivanti Connect Secure devices are still unpatched and vulnerable to a critical remote code execution (RCE) flaw—CVE-2025-22457.

This serious vulnerability allows attackers to take full control of affected devices without needing a password. Due to its severity, it has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, highlighting the urgent need for organizations to take action.

Attackers can use this flaw to steal data, install ransomware, or create persistent backdoors into networks.

Shadowserver’s scan data shows these vulnerable devices are spread across IPv4 and IPv6 spaces, with high concentrations in North America, Europe, and Asia.

Ivanti first disclosed the issue in March 2025 and released patches to fix it. However, many organizations have yet to update, leaving them open to attack.

Recommendation

• Apply Ivanti’s patch immediately if you’re using Connect Secure.
• Check access logs for any unusual activity that could indicate compromise.
• Scan your infrastructure to make sure no vulnerable devices are exposed online.

Experts stress that unpatched systems are actively being targeted. Delays in applying security updates can lead to serious consequences, including breaches, downtime, and regulatory issues.

This situation is a clear reminder of how crucial timely patching and proactive cybersecurity practices are in today’s threat landscape.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Ivanti RCE flaw affects over 5,000 devices appeared first on First Hackers News.

All about the vulnerability

The February update addressed:

• 25 Remote Code Execution flaws
• 14 Elevation of Privilege vulnerabilities
• 6 Denial of Service issues
• 4 Security Feature Bypass flaws
• 2 Spoofing vulnerabilities
• 1 Information Disclosure vulnerability

Microsoft Patch Tuesday – February 2025

This update addresses 61+ vulnerabilities, including critical and important flaws:

Critical Vulnerabilities:

• CVE-2025-21376: Remote code execution via LDAP protocol.
• CVE-2025-21379: RCE risk via crafted DHCP packets.
• CVE-2025-21381, 21386, 21387: Excel vulnerabilities allowing code execution via malicious files.
• CVE-2025-21406, 21407: RCE vulnerabilities in Windows Telephony Service.

Exploited in the Wild:

• CVE-2023-24932: Secure Boot bypass risk.
• CVE-2025-21391: Elevated privileges for attackers.
• CVE-2025-21418: SYSTEM privileges gained via exploit.

Other Notable Fixes:

• Visual Studio RCE (CVE-2025-21176, 21178): Immediate updates needed for RCE risks.
• Azure Network Watcher Elevation of Privilege (CVE-2025-21188): Update for Azure cloud admins.
• Microsoft Office RCE (CVE-2025-21392, 21397): Fix for Office document exploit risks.

Here’s a table of 61 vulnerabilities addressed in Microsoft’s February 2025 Patch Tuesday, based on the provided data and search results.

With two vulnerabilities actively exploited, delaying updates could leave systems vulnerable to threats.

Microsoft stresses the need to install the latest servicing stack updates (ADV990001) for smooth patch deployment.

How to Update:

• Windows Update: Go to Settings > Update & Security > Windows Update.
• Microsoft Update Catalog: Download individual patches for offline installation.
• WSUS: For enterprise environments.

The February 2025 Patch Tuesday highlights the growing complexity of cybersecurity threats. IT teams must act quickly to deploy these critical patches and stay vigilant against phishing and other exploits targeting unpatched systems.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Microsoft Patch Tuesday (Feb 2025): 61 Vulnerabilities, 25 RCE, 3 Zero-Day appeared first on First Hackers News.

1-Click RCE Flaw

The flaw in Voyager comes from an arbitrary file write issue in its media upload function. The app checks MIME types against a predefined list, but this check is flawed.

Attackers can exploit this by creating polyglot files, like disguising a PHP script as an image or video. Since file extensions aren’t properly verified, the malicious file could be uploaded, allowing arbitrary PHP code execution on the server.

The vulnerability is worsened by a reflected XSS flaw. Attackers can trick authenticated users into clicking a malicious link on the /admin/compass endpoint, executing arbitrary JavaScript and increasing the risk of server compromise.

These vulnerabilities pose significant risks, especially for applications using the popular Voyager package, which has over 11,000 stars on GitHub. While the threat is lower for users with the proper permissions, the potential for unauthorized code execution is high, especially in compromised admin contexts.

Despite outreach attempts, Voyager has not provided a fix, leaving version 1.8.0 unpatched. Users should carefully assess the risks before using it in production. The discovery of these flaws emphasizes the need for vigilance.

Organizations are advised to audit Voyager usage, enforce strict permissions, and consider alternatives until patches are released. Regular monitoring and proactive security measures are essential.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post 1-Click RCE Flaw in Voyager PHP Lets Attackers Run Arbitrary Code appeared first on First Hackers News.

All about the vulnerability

The vulnerability originates from improper handling of UVC_VS_UNDEFINED frames in the UVC driver’s uvc_parse_format function, leading to buffer size miscalculations and out-of-bounds memory writes.

Attackers can exploit this flaw by inserting malicious USB devices or manipulating video streams, causing buffer overflows that overwrite adjacent memory regions. This can enable local privilege escalation without requiring additional execution privileges.

While the flaw is not directly exploitable remotely, attackers can use USB device spoofing to bypass security measures, making it a serious risk to system integrity. Google has reported signs of limited, targeted exploitation, highlighting the urgency of applying security patches.

Affected Kernel Versions

The vulnerability impacts all Linux kernel versions from 2.6.26 to the latest patched releases. Users should update their devices to security patch levels 2025-02-01 or 2025-02-05 to protect against this and other vulnerabilities.

Fixed Kernel Versions

• 4.19.324 (LTS) – 95edf13a48e7
• 5.4.286 (LTS) – 684022f81f12
• 5.10.230 (LTS) – faff5bbb2762
• 5.15.172 (LTS) – 467d84dc78c9
• 6.1.117 – beced2cb09b5
• 6.6.61 – 575a562f7a3e
• 6.11.8 – 622ad10aae5f
• 6.12.1 – 1ee9d9122801
• 6.13-rc1 – ecf2b43018da

The update also fixes vulnerabilities in Qualcomm components and third-party drivers, stressing the need for timely security updates. Given the severity of CVE-2024-53104, Android users should apply the latest patches immediately to prevent potential exploits.

The Android Security Bulletin highlights the importance of staying vigilant against threats that could lead to unauthorized access and device compromise. Users should follow their device manufacturer’s instructions to apply updates as soon as possible.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Android Update Fixes Linux Kernel RCE Flaw appeared first on First Hackers News.

Critical RCE Vulnerabilities

The bulletin highlights critical Remote Code Execution (RCE) vulnerabilities in the Android System component. These flaws could allow attackers to run malicious code without extra privileges, posing significant risks if security mitigations are bypassed.

Android partners were notified a month before the bulletin’s release. Patches will be added to the Android Open Source Project (AOSP) repository within 48 hours, with updated links to follow.

The following critical vulnerabilities are grouped by component, listed with their CVE IDs, severity, and affected AOSP versions.

The Android security platform, combined with Google Play Protect, offers essential safeguards to minimize the risk of exploiting these vulnerabilities. These measures work together to protect devices from potential threats and harmful applications.

Users are strongly encouraged to stay proactive by regularly updating their devices to the latest Android version. Updates not only patch known vulnerabilities but also enhance overall system security, reducing the risk of exploitation.

Google Play Protect, enabled by default on devices with Google Mobile Services, is a critical line of defense. It scans apps in real-time, identifies potentially harmful applications, and removes threats to keep users safe.

By ensuring devices are up-to-date with the latest security patches, Android users can significantly enhance their mobile security and enjoy a safer, more reliable experience. Regular updates are not just a recommendation—they’re a necessity in today’s evolving threat landscape.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Android Security Update Fixes Critical RCE Vulnerabilities appeared first on First Hackers News.

The flaw affects versions ≤5.23.6 and lies in the getWindowsIEEE8021x function, where insufficient sanitization of the Wi-Fi SSID field allows attackers to execute malicious OS commands via Windows’ cmd.exe.

This highlights the need for secure coding practices when handling untrusted input.

All about the vulnerability

GitHub reports reveal the flaw in how SSIDs are processed.

The SSID is retrieved via netsh wlan show interface and passed to cmd.exe without sanitization.

This lets attackers use malicious SSID names to execute commands on the victim’s system.

Proof of Concept (PoC)

1. Craft a Malicious SSID: An attacker sets a hotspot SSID with a command injection payload, e.g.:
   • a" | ping /t 127.0.0.1 &
   • a" | %SystemDrive%\a\a.exe &
2. Connect to the Network: The victim connects to the malicious SSID on a vulnerable system.
3. Execute the Exploit: The attacker uses the vulnerable function in the package:javascriptCopy codeconst si = require('systeminformation'); si.networkInterfaces((net) => { console.log(net) });

This allows the attacker to run arbitrary commands, such as executing files or creating a continuous ping loop.

The vulnerability is critical, allowing RCE or privilege escalation based on how the systeminformation package is used.

Attackers can exploit it by injecting malicious commands via crafted Wi-Fi SSIDs, enabling unauthorized access, data theft, or disruption.

With a CVSS score of 10.0, it severely impacts confidentiality, integrity, and availability. Developers must patch their systems immediately.

Security researcher @xAiluros reported the issue and provided a proof of concept. The package author, sebhildebrandt, quickly released a patched version, urging users to update promptly.

Affected and Patched Versions

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Node.js systeminformation Package Enables RCE Attacks appeared first on First Hackers News.

The “High” severity vulnerability in Qlik Sense for Windows includes two issues:

• Remote Code Execution (RCE): Unprivileged users could create connection objects to run arbitrary EXE files on the server.
• Broken Access Control (BAC): Unprivileged users with network access may execute remote commands, risking availability, integrity, and confidentiality.

The vulnerabilities have CVSS scores of 8.8 and 7.5, indicating high risk. If exploited, they could compromise the server running Qlik Sense, including remote code execution.

The vulnerability affects all versions of Qlik Sense Enterprise for Windows before and including:

• May 2024 Patch 9
• February 2024 Patch 13
• November 2023 Patch 15
• August 2023 Patch 15
• May 2023 Patch 17
• February 2023 Patch 14

Qlik has released patches for these vulnerabilities. Users should update to the latest patched versions, including:

• November 2024 Initial Release
• May 2024 Patch 10
• February 2024 Patch 14
• November 2023 Patch 16
• August 2023 Patch 16
• May 2023 Patch 18
• February 2023 Patch 15

A workaround is available for extension and visualization issues by modifying the Repository.exe.config file and restarting specific services.

Although no exploitation has been reported, organizations are advised to act quickly to secure their systems and data. Regular patching and following security best practices is essential to protect against cyber threats.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Critical Qlik Sense RCE vulnerability discovered appeared first on First Hackers News.

CVE-2024-30052

Microsoft introduced the Portable PDB format for managed modules, replacing the traditional MSF for better cross-platform support and optimization.

Embedded PDBs, generated with the -debug switch, store compressed PDB data within the executable, allowing debugging of older versions or dump files without external PDBs.

Source files can be embedded into PDBs using methods like EmbedAllSources or -embed, making debugging easier by storing source information in the executable. However, Visual Studio trusts these embedded files, which creates a risk.

If a malicious file with a certain extension is embedded, Visual Studio could open it with an external program. This allows attackers to execute arbitrary code during debugging, highlighting the need to validate and sanitize embedded files to prevent such attacks.

The researcher developed a proof-of-concept to exploit a flaw in Visual Studio’s handling of embedded source files in portable PDBs. By replacing a legitimate source file with a PDF and altering the PDB structure, they tricked Visual Studio into opening the PDF as a source file during a memory dump debug. This showed how attackers could run arbitrary code or access sensitive information.

Three file types (CHM, HTA, and PY) were found to be risky, with CHM files, often used for help files, potentially containing embedded Visual Basic code for execution.

HTA and PY files can execute VB and Python code, respectively, and can be modified with non-printable characters to inject malicious code.

The researcher automated the creation of exploit dumps using a C# program, triggering calc.exe when debugged in Visual Studio due to an ACE vulnerability.

A new check in Visual Studio’s CVsUIShellOpenDocument function now prevents this exploitation by blocking embedded sources during debugging.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post CVE-2024-30052: RCE vulnerability in Visual Studio via dump files appeared first on First Hackers News.

CVE-2024-45489 was reported on August 25 and patched within 24 hours, with no users affected. The incident led to a thorough review of the company’s security practices. CEO Josh stated, “This was an important moment for us and our members,” emphasizing their commitment to improving security and incident response.

Arc Browser Launches Bug Bounty Program

The Arc Browser Company has launched the Arc Bug Bounty Program to engage the security research community in finding vulnerabilities. The program offers details on rewards and submission guidelines, and it will adapt based on feedback from participants.

In response to CVE-2024-45489, The Browser Company has implemented several security enhancements:

• JavaScript Boosts: Automatic enabling of JavaScript boosts across synced devices is no longer allowed in Arc version 1.61.2.
• Global Toggle: A new global toggle is added in Advanced Settings to disable all Boost-related features.
• External Audit: An external firm has been engaged to review backend systems, starting with access-control lists (ACLs).
• Internal Processes: The company is improving its internal processes to identify vulnerabilities earlier, emphasizing secure-by-design principles and defense-in-depth coding practices.

The company has improved its incident response processes for better communication and quicker response times. A new Security Bulletin will serve as the official source for all security incident reports, including technical details and impact assessments.

The post Arc Browser Launches Bug Bounty Program After RCE Vulnerability appeared first on First Hackers News.