Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws

Today is Microsoft’s June 2025 Patch Tuesday, which includes security updates for 66 flaws, including one actively exploited vulnerability and another that was publicly disclosed. This Patch Tuesday also fixes ten “Critical” vulnerabilities, eight being remote code execution vulnerabilities and two being elevation of privileges bugs. The number of bugs in each vulnerability category is […]

Over 84,000 Roundcube instances vulnerable to actively exploited flaw

Over 84,000 Roundcube webmail installations are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) flaw with a public exploit. The flaw, which impacts Roundcube versions 1.1.0 through 1.6.10, spanning over a decade, was patched on June 1, 2025, following its discovery and reporting by security researcher Kirill Firsov. The bug stems from unsanitized $_GET[‘_from’] […]

Google patched bug leaking phone numbers tied to accounts

A vulnerability allowed researchers to brute-force any Google account’s recovery phone number simply by knowing a their profile name and an easily retrieved partial phone number, creating a massive risk for phishing and SIM-swapping attacks. The attack method involves abusing a now-deprecated JavaScript-disabled version of the Google username recovery form, which lacked modern anti-abuse protections. The […]

SentinelOne shares new details on China-linked breach attempt

SentinelOne has shared more details on an attempted supply chain attack by Chinese hackers through an IT services and logistics firm that manages hardware logistics for the cybersecurity firm. SentinelOne is an American endpoint protection (EDR/XDR) solutions provider that protects critical infrastructure in the country and numerous large enterprises. It is a high-value target for […]

New Mirai botnet infect TBK DVR devices via command injection flaw

A new variant of the Mirai malware botnet is exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 digital video recording devices to hijack them. The flaw, tracked under CVE-2024-3721, is a command injection vulnerability disclosed by security researcher “netsecfish” in April 2024. The proof-of-concept (PoC) the researcher published at the time came in […]

Supply chain attack hits Gluestack NPM packages with 960K weekly downloads

A significant supply chain attack hit NPM after 16 popular Gluestack ‘react-native-aria’ packages with over 950,000 weekly downloads were compromised to include malicious code that acts as a remote access trojan (RAT). BleepingComputer determined that the compromise began on June 6 at 4:33 PM EST, when a new version of the react-native-aria/focus package was published to NPM. Since […]

Malicious npm packages posing as utilities delete project directories

Two malicious packages have been discovered in the npm JavaScript package index, which masquerades as useful utilities but, in reality, are destructive data wipers that delete entire application directories. The data wiper packages are ‘express-api-sync’ and ‘system-health-sync-api,’ and pose as database syncing and system health monitoring Ttools. According to open-source software security firm Socket, they […]

Microsoft shares script to restore inetpub folder you shouldn’t delete

Microsoft has released a PowerShell script to help restore an empty ‘inetpub’ folder created by the April 2025 Windows security updates if deleted. As Microsoft previously warned, this folder helps mitigate a high-severity Windows Process Activation privilege escalation vulnerability. In April, after installing the new security updates, Windows users suddenly found that an empty C:\Inetpub […]