Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Adobe has recently addressed a critical vulnerability in its Acrobat Reader software, urging users to update immediately. The flaw, tracked as CVE-2024-41869, is a "use after free" vulnerability, which could allow attackers to execute malicious code remotely through specially crafted PDF files. This article explores the nature of this exploit, its discovery, and the urgency behind updating to the latest version.

GitHub Copilot and other AI coding tools have transformed how we write code and promise a leap in developer productivity. But they also introduce new security risks. If your codebase has existing security issues, AI-generated code can replicate and amplify these vulnerabilities.

We’re excited to announce a new Snyk AppRisk integration with Orca Security that brings the best of two worlds together: developer-loved, security-trusted application security from Snyk and leading cloud security from Orca. This integration is big news for organizations looking to align with DevSecOps and enhance collaboration between development and security teams.

CVE-2024-40766 is a critical (CVSS v3 score: 9.3) access control flaw. Its primary danger comes from the potential for providing unauthorized network access, both allowing attackers unfettered access to critical resources and, in some cases, giving attackers the ability to crash the firewall.

The critical CVE-2024-40711 vulnerability in Veeam Backup & Replication (VBR) is drawing attention from security researchers and ransomware groups alike. Discovered by Florian Hauser from Code White, this flaw allows attackers to take full control of enterprise systems, posing a significant threat to the integrity of data backup infrastructures. With ransomware groups historically targeting Veeam vulnerabilities, CVE-2024-40711 could soon become a valuable tool for cybercriminals.

On September 10, 2024, Ivanti released fixes for CVE-2024-29847, a maximum severity vulnerability in Ivanti Endpoint Manager (EPM). This flaw, found in the agent portal of specific EPM versions, allows Remote Code Execution (RCE) by an unauthenticated attacker due to improper deserialization of untrusted data.

The security world is awash in acronyms. As a niche in the security world, vulnerability, tracking, measurement, and management is no stranger to inscrutable collections of capital letters. We’ve got NVD, CPE, CWE, CVSS, EPSS, CAPEC, KEV, and of course “CVE”. The key goal of all these frameworks is to try to help folks organize information around vulnerabilities and assess how their presence might increase an organization's exposure.