Feed aggregator

A vulnerability in the Cisco IOx application hosting environment of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the Cisco IOx application hosting environment to stop responding, resulting in a denial of service (DoS) condition.<br><br> This vulnerability is due to the improper handling of HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to cause the Cisco IOx application hosting environment to stop responding. The IOx process will need to be manually restarted to recover services.<br><br> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br><br> This advisory is available at the following link:<br><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-dos-95Fqnf7b">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-dos-95Fqnf7b</a><br><br> This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see <a href="https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75279">Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication</a>.<br><br> <br/>Security Impact Rating: Medium <br/>CVE: CVE-2025-20196

Multiple vulnerabilities in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker with privilege level 15 to elevate privileges to <em>root</em> on the underlying operating system of an affected device.<br><br> These vulnerabilities are due to insufficient input validation when processing specific configuration commands. An attacker could exploit these vulnerabilities by including crafted input in specific configuration commands. A successful exploit could allow the attacker to elevate privileges to <em>root</em> on the underlying operating system of an affected device. The Security Impact Rating (SIR) of this advisory has been raised to High because an attacker could gain access to the underlying operating system of the affected device and perform potentially undetected actions.<br><br> <strong>Note</strong>: The attacker must have privileges to enter configuration mode on the affected device. This is usually referred to as privilege level 15.<br><br> Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.<br><br> This advisory is available at the following link:<br><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-privesc-su7scvdp">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-privesc-su7scvdp</a><br><br> This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see <a href="https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75279">Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication</a>.<br><br> <br/>Security Impact Rating: High <br/>CVE: CVE-2025-20197,CVE-2025-20198,CVE-2025-20199,CVE-2025-20200,CVE-2025-20201

A vulnerability in the Internet Key Exchange version 1 (IKEv1) implementation of Cisco IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The attacker must have valid IKEv1 VPN credentials to exploit this vulnerability.<br><br> This vulnerability is due to improper validation of IKEv1 phase 2 parameters before the IPsec security association creation request is handed off to the hardware cryptographic accelerator of an affected device. An attacker could exploit this vulnerability by sending crafted IKEv1 messages to the affected device. A successful exploit could allow the attacker to cause the device to reload.<br><br> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br><br> This advisory is available at the following link:<br><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-ikev1-dos-XHk3HzFC">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-ikev1-dos-XHk3HzFC</a><br><br> This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see <a href="https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75279">Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication</a>.<br><br> <br/>Security Impact Rating: High <br/>CVE: CVE-2025-20192

A vulnerability in the DHCP snooping security feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a full interface queue wedge, which could result in a denial of service (DoS) condition.<br><br> This vulnerability is due to improper handling of DHCP request packets. An attacker could exploit this vulnerability by sending DHCP request packets to an affected device. A successful exploit could allow the attacker to cause packets to wedge in the queue, creating a DoS condition for downstream devices of the affected system and requiring that the system restart to drain the queue.<br><br> <strong>Note:</strong> This vulnerability can be exploited with either unicast or broadcast DHCP packets on a VLAN that does not have DHCP snooping enabled.<br><br> Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.<br><br> This advisory is available at the following link:<br><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-dhcpsn-dos-xBn8Mtks">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-dhcpsn-dos-xBn8Mtks</a><br><br> This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see <a href="https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75279">Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication</a>.<br><br> <br/>Security Impact Rating: High <br/>CVE: CVE-2025-20162

A vulnerability in the Cisco Industrial Ethernet Switch Device Manager (DM) of Cisco IOS Software could allow an authenticated, remote attacker to elevate privileges.<br><br> This vulnerability is due to insufficient validation of authorizations for authenticated users. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to elevate privileges to privilege level 15.<br><br> To exploit this vulnerability, the attacker must have valid credentials for a user account with privilege level 5 or higher. <em>Read-only</em> DM users are assigned privilege level 5.<br><br> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br><br> This advisory is available at the following link:<br><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-http-privesc-wCRd5e3">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-http-privesc-wCRd5e3</a><br><br> This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see <a href="https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75279">Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication</a>.<br><br> <br/>Security Impact Rating: High <br/>CVE: CVE-2025-20164

A vulnerability in the lobby ambassador web interface of Cisco IOS XE Wireless Controller Software could allow an authenticated, remote attacker to remove arbitrary users that are defined on an affected device.<br><br> This vulnerability is due to insufficient access control of actions executed by lobby ambassador users. An attacker could exploit this vulnerability by logging in to an affected device with a <em>lobby ambassador</em> user account and sending crafted HTTP requests to the API. A successful exploit could allow the attacker to delete arbitrary user accounts on the device, including users with administrative privileges.<br><br> <strong>Note:</strong> This vulnerability is exploitable only if the attacker obtains the credentials for a <em>lobby ambassador </em>account. This account is not configured by default.<br><br> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br><br> This advisory is available at the following link:<br><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-user-del-hQxMpUDj">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-user-del-hQxMpUDj</a><br><br> This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see <a href="https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75279">Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication</a>.<br><br> <br/>Security Impact Rating: Medium <br/>CVE: CVE-2025-20190

A vulnerability in Cisco IOS XE Wireless Controller Software&nbsp;could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device.<br><br> This vulnerability is due to insufficient input validation of access point (AP) Cisco Discovery Protocol (CDP) neighbor reports when they are processed by the wireless controller. An attacker could exploit this vulnerability by sending a crafted CDP packet to an AP. A successful exploit could allow the attacker to cause an unexpected reload of the wireless controller that is managing the AP, resulting in a DoS condition that affects the wireless network.<br><br> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br><br> This advisory is available at the following link:<br><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-cdp-dos-fpeks9K">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-cdp-dos-fpeks9K</a><br><br> This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see <a href="https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75279">Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication</a>.<br><br> <br/>Security Impact Rating: High <br/>CVE: CVE-2025-20202

A vulnerability in the management API of Cisco Catalyst Center, formerly Cisco DNA Center, could allow an unauthenticated, remote attacker to read and modify the outgoing proxy configuration settings.<br><br> This vulnerability is due to the lack of authentication in an API endpoint. An attacker could exploit this vulnerability by sending a request to the affected API of a Catalyst Center device. A successful exploit could allow the attacker to view or modify the outgoing proxy configuration, which could disrupt internet traffic from Cisco Catalyst Center or may allow the attacker to intercept outbound internet traffic.<br><br> <strong>Note:</strong> For information about Cisco Catalyst Center features that require an internet connection and the corresponding internet domains used, see the <a href="https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/catalyst-center/2-3-7/install_guide/b_cisco_catalyst_center_install_guide_237x_3rdgen/m_plan_deployment_2_x_x_3rdgen.html#concept_z4t_cd3_sfb">Required internet URLs and fully qualified domain names</a> section of the <em>Cisco Catalyst Center Third-Generation Appliance Installation Guide</em>.<br><br> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br><br> This advisory is available at the following link:<br><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-api-nBPZcJCM">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-api-nBPZcJCM</a><br><br> <br/>Security Impact Rating: High <br/>CVE: CVE-2025-20210

A vulnerability in Cisco Catalyst Center, formerly Cisco DNA Center, could allow an authenticated, remote attacker to read and modify data in a repository that belongs to an internal service of an affected device.<br><br> This vulnerability is due to insufficient enforcement of access control on HTTP requests. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected device. A successful exploit could allow the attacker to read and modify data that is handled by an internal service on the affected device.<br><br> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br><br> This advisory is available at the following link:<br><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catc-insec-acc-mtt8EhEb">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catc-insec-acc-mtt8EhEb</a><br><br> <br/>Security Impact Rating: Medium <br/>CVE: CVE-2025-20223

A vulnerability in certificate validation processing of Cisco Catalyst SD-WAN Manager, formerly Cisco SD-WAN vManage, could allow an unauthenticated, remote attacker to gain access to sensitive information.<br><br> This vulnerability is due to improper validation of certificates that are used by the Smart Licensing feature. An attacker with a privileged network position could exploit this vulnerability by intercepting traffic that is sent over the Internet. A successful exploit could allow the attacker to gain access to sensitive information, including credentials used by the device to connect to Cisco cloud services.<br><br> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br><br> This advisory is available at the following link:<br><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catalyst-tls-PqnD5KEJ">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catalyst-tls-PqnD5KEJ</a><br><br> <br/>Security Impact Rating: Medium <br/>CVE: CVE-2025-20157

A vulnerability in Cisco IOS Software for Cisco Catalyst 2960X, 2960XR, 2960CX, and 3560CX Series Switches could allow an authenticated, local attacker with privilege level 15 or an unauthenticated attacker with physical access to the device to execute persistent code at boot time and break the chain of trust.<br><br> This vulnerability is due to missing signature verification for specific files that may be loaded during the device boot process. An attacker could exploit this vulnerability by placing a crafted file into a specific location on an affected device. A successful exploit could allow the attacker to execute arbitrary code at boot time.<br><br> Because this allows the attacker to bypass a major security feature of the device, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High.<br><br> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br><br> This advisory is available at the following link:<br><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c2960-3560-sboot-ZtqADrHq">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c2960-3560-sboot-ZtqADrHq</a><br><br> This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see <a href="https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75279">Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication</a>.<br><br> <br/>Security Impact Rating: High <br/>CVE: CVE-2025-20181

A vulnerability in the bootstrap loading of Cisco IOS XE Software could allow an authenticated, local attacker to write arbitrary files to an affected system.<br><br> This vulnerability is due to insufficient input validation of the bootstrap file that is read by the system software when a device is first deployed in SD-WAN mode or when an administrator configures SD-Routing on the device. An attacker could exploit this vulnerability by modifying a bootstrap file generated by Cisco Catalyst SD-WAN Manager, loading it into the device flash, and then either reloading the device in a green field deployment in SD-WAN mode or configuring the device with SD-Routing. A successful exploit could allow the attacker to perform arbitrary file writes to the underlying operating system.<br><br> Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.<br><br> This advisory is available at the following link:<br><a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootstrap-KfgxYgdh">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootstrap-KfgxYgdh</a><br><br> This advisory is part of the May 2025 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see <a href="https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75279">Cisco Event Response: May 2025 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication</a>.<br><br> <br/>Security Impact Rating: Medium <br/>CVE: CVE-2025-20155

Article URL: https://docs.vlm.run/guides/video-ai/guide-video-transcription

Comments URL: https://news.ycombinator.com/item?id=43921294

Points: 1

# Comments: 1

Article URL: https://mashable.com/article/galaxy-collision-rare-radio-relics-image

Comments URL: https://news.ycombinator.com/item?id=43921271

Points: 2

# Comments: 0

Article URL: https://www.wsj.com/articles/doctors-warn-accountants-of-private-equity-drain-on-quality-you-could-be-next-1be0f0fd

Comments URL: https://news.ycombinator.com/item?id=43921265

Points: 1

# Comments: 1

Article URL: https://github.com/tscircuit/tscircuit

Comments URL: https://news.ycombinator.com/item?id=43921251

Points: 1

# Comments: 0

Article URL: https://www.axios.com/2025/05/07/ai-rule-trump-biden-nvidia

Comments URL: https://news.ycombinator.com/item?id=43921227

Points: 1

# Comments: 0

Article URL: https://pages.nist.gov/800-63-4/sp800-63b.html

Comments URL: https://news.ycombinator.com/item?id=43921196

Points: 2

# Comments: 0

Article URL: https://www.theverge.com/news/662678/figma-buzz-draw-make-sites-announcement-availability

Comments URL: https://news.ycombinator.com/item?id=43921186

Points: 3

# Comments: 0