1. Security News – 2025-10-16
Thursday, October 16, 2025 (UTC)
The Hacker News
Cybersecurity news and insights
CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack - October 16, 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Adobe Experience Manager to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2025-54253 (CVSS score: 10.0), a maximum-severity misconfiguration bug that could result in arbitrary code execution.
SecurityWeek
Latest cybersecurity news
SecurityWeek to Host 2025 ICS Cybersecurity Conference October 27-30 in Atlanta - October 15, 2025
The premier industrial cybersecurity conference offers 70+ sessions, five training courses, and an ICS Village CTF competition.
The Hacker News
F5 Breach Exposes BIG-IP Source Code — Nation-State Hackers Behind Massive Intrusion - October 15, 2025
U.S. cybersecurity company F5 on Wednesday disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP’s source code and information related to undisclosed vulnerabilities in the product. It attributed the activity to a “highly sophisticated nation-state threat actor,” adding the adversary maintained long-term, persistent access to its network. The
SecurityWeek
Webinar Today: Fact vs. Fiction – The Truth About API Security - October 15, 2025
Get practical guidance to protect APIs against the threats attackers are using right now.
The Hacker News
Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks - October 15, 2025
New research has uncovered that publishers of over 100 Visual Studio Code (VS Code) extensions leaked access tokens that could be exploited by bad actors to update the extensions, posing a critical software supply chain risk. “A leaked VSCode Marketplace or Open VSX PAT [personal access token] allows an attacker to directly distribute a malicious extension update across the entire install base,“
SecurityWeek
Customer Service Firm 5CA Denies Responsibility for Discord Data Breach - October 15, 2025
After being named by Discord as the third-party responsible for the breach, 5CA said none of its systems were involved.
The Hacker News
How Attackers Bypass Synced Passkeys - October 15, 2025
TL;DR: Even if you take nothing else away from this piece, if your organization is evaluating passkey deployments, it is insecure to deploy synced passkeys.
Synced passkeys inherit the risk of the cloud accounts and recovery processes that protect them, which creates material enterprise exposure. Adversary-in-the-middle (AiTM) kits can force authentication fallbacks that circumvent strong
SecurityWeek
ICS Patch Tuesday: Fixes Announced by Siemens, Schneider, Rockwell, ABB, Phoenix Contact - October 15, 2025
Over 20 advisories have been published by industrial giants this Patch Tuesday.
Schneier on Security
Security news and analysis by Bruce Schneier
Apple’s Bug Bounty Program - October 15, 2025
Apple is now offering a $2M bounty for a zero-click exploit. According to the Apple website:
Today we’re announcing the next major chapter for Apple Security Bounty, featuring the industry’s highest rewards, expanded research categories, and a flag system for researchers to objectively demonstrate vulnerabilities and obtain accelerated awards.
- We’re doubling our top award to $2 million for exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks. This is an unprecedented amount in the industry and the largest payout offered by any bounty program we’re aware of and our bonus system, providing additional rewards for Lockdown Mode bypasses and vulnerabilities discovered in beta software, can more than double this reward, with a maximum payout in excess of $5 million. We’re also doubling or significantly increasing rewards in many other categories to encourage more intensive research. This includes $100,000 for a complete Gatekeeper bypass, and $1 million for broad unauthorized iCloud access, as no successful exploit has been demonstrated to date in either category. ...
The Hacker News
Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped - October 15, 2025
Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant officially ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates (ESU) program. Of the 183 vulnerabilities, eight of them are non-Microsoft
SecurityWeek
High-Severity Vulnerabilities Patched by Fortinet and Ivanti - October 15, 2025
Fortinet and Ivanti have announced their October 2025 Patch Tuesday updates, which patch many vulnerabilities across their products.
The Hacker News
Two CVSS 10.0 Bugs in Red Lion RTUs Could Hand Hackers Full Industrial Control - October 15, 2025
Cybersecurity researchers have disclosed two critical security flaws impacting Red Lion Sixnet remote terminal unit (RTU) products that, if successfully exploited, could result in code execution with the highest privileges. The shortcomings, tracked as CVE-2023-40151 and CVE-2023-42770, are both rated 10.0 on the CVSS scoring system. “The vulnerabilities affect Red Lion SixTRAK and VersaTRAK
Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access - October 15, 2025
Cybersecurity researchers have disclosed that a critical security flaw impacting ICTBroadcast, an autodialer software from ICT Innovations, has come under active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2025-2611 (CVSS score: 9.3), relates to improper input validation that can result in unauthenticated remote code execution due to the fact that the call center
New SAP NetWeaver Bug Lets Attackers Take Over Servers Without Login - October 15, 2025
SAP has rolled out security fixes for 13 new security issues, including additional hardening for a maximum-severity bug in SAP NetWeaver AS Java that could result in arbitrary command execution. The vulnerability, tracked as CVE-2025-42944, carries a CVSS score of 10.0. It has been described as a case of insecure deserialization. “Due to a deserialization vulnerability in SAP NetWeaver, an
SecurityWeek
Adobe Patches Critical Vulnerability in Connect Collaboration Suite - October 15, 2025
Adobe has published a dozen security advisories detailing over 35 vulnerabilities across its product portfolio.
Microsoft Patches 173 Vulnerabilities, Including Exploited Windows Flaws - October 15, 2025
The tech giant has rolled out fixes for 173 CVEs, including five critical-severity security defects.
Schneier on Security
Upcoming Speaking Engagements - October 14, 2025
This is a current list of where and when I am scheduled to speak:
- Nathan E. Sanders and I will be giving a book talk on Rewiring Democracy at the Harvard Kennedy School’s Ash Center in Cambridge, Massachusetts, USA, on October 22, 2025, at noon ET.
- Nathan E. Sanders and I will be speaking and signing books at the Cambridge Public Library in Cambridge, Massachusetts, USA, on October 22, 2025, at 6:00 PM ET. The event is sponsored by Harvard Bookstore.
- Nathan E. Sanders and I will give a virtual talk about our book Rewiring Democracy on October 23, 2025, at 1:00 PM ET. The event is hosted by Data & Society...
SecurityWeek
HyperBunker Raises Seed Funding to Launch Next-Generation Anti-Ransomware Device - October 14, 2025
Investors are placing bets on a hardware-based approach to data security in a market dominated by software solutions for ransomware resilience.
Schneier on Security
The Trump Administration’s Increased Use of Social Media Surveillance - October 14, 2025
This chilling paragraph is in a comprehensive Brookings report about the use of tech to deport people from the US:
The administration has also adapted its methods of social media surveillance. Though agencies like the State Department have gathered millions of handles and monitored political discussions online, the Trump administration has been more explicit in who it’s targeting. Secretary of State Marco Rubio announced a new, zero-tolerance “Catch and Revoke” strategy, which uses AI to monitor the public speech of foreign nationals and revoke visas...
Rewiring Democracy is Coming Soon - October 13, 2025
My latest book, Rewiring Democracy: How AI Will Transform Our Politics, Government, and Citizenship, will be published in just over a week. No reviews yet, but you can read chapters 12 and 34 (of 43 chapters total).
You can order the book pretty much everywhere, and a copy signed by me here.
Please help spread the word. I want this book to make a splash when it’s public. Leave a review on whatever site you buy it from. Or make a TikTok video. Or do whatever you kids do these days. Is anyone a Slashdot contributor? I’d like the book to be announced there...
AI and the Future of American Politics - October 13, 2025
Two years ago, Americans anxious about the forthcoming 2024 presidential election were considering the malevolent force of an election influencer: artificial intelligence. Over the past several years, we have seen plenty of warning signs from elections worldwide demonstrating how AI can be used to propagate misinformation and alter the political landscape, whether by trolls on social media, foreign influencers, or even a street magician. AI is poised to play a more volatile role than ever before in America’s next federal election in 2026. We can already see how different groups of political actors are approaching AI. Professional campaigners are using AI to accelerate the traditional tactics of electioneering; organizers are using it to reinvent how movements are built; and citizens are using it both to express themselves and amplify their side’s messaging. Because there are so few rules, and so little prospect of regulatory action, around AI’s role in politics, there is no oversight of these activities, and no safeguards against the dramatic potential impacts for our democracy...