The vulnerability enables remote code execution via maliciously crafted webpages when Autodesk Fusion Desktop is open with the MCP extension enabled,a direct attack vector against design workstations in manufacturing environments.
The vulnerability allows a network-positioned attacker to intercept HTTP AD CS certificate requests and inject a malicious Root CA certificate into the system trust store, compromising all subsequent TLS connections system-wide.
The vulnerability combines multiple critical OAuth 2.0 implementation flaws (insecure state parameter, missing session rotation, unencrypted redirect URIs) in Azure AD that enable session hijacking, session fixation, and token exfiltration.
BSI warns of multiple vulnerabilities in core Azure components (AI Bot Service, AD, Synapse) enabling privilege escalation and information disclosure; no CVE numbers specified in this alert.
BSI alert regarding an authentication-requiring privilege escalation in Exchange Online without a CVE number suggests an as-yet incompletely documented or coordinated vulnerability disclosure.
Attackers compromised the official build and distribution pipeline of a WordPress plugin vendor and distributed backdoor code through legitimate licensed update channels, demonstrating that trusted sources can be weaponized for malware delivery.
Iranian state actors continue cyber operations despite diplomatic ceasefires, exposing a loophole in international conflict law regarding cyberwarfare under ceasefire conditions.
An authentication bypass in Check Point VPN solutions is actively exploited in the wild, enabling unauthorized access without credentials , BSI alert signals urgent remediation.
APT29 (Cloaked Ursa) and UNC6692 exploit compromised accounts to send phishing links via Microsoft Teams messages redirecting to credential harvesting pages mimicking legitimate Microsoft login portals.
BSI advisory on multiple Chrome vulnerabilities without specific CVE numbers; details not yet published, but code execution and security bypass possible.