CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779 require immediate attention

The post Three New React Vulnerabilities Surface on the Heels of React2Shell appeared first on Security Boulevard.

The NCSC warns prompt injection is fundamentally different from SQL injection. Organizations must shift from prevention to impact reduction and defense-in-depth for LLM security.

The post Prompt Injection Can’t Be Fully Mitigated, NCSC Says Reduce Impact Instead  appeared first on Security Boulevard.

AI-generated code is reshaping software development and introducing new security risks. Organizations must strengthen governance, expand testing and train developers to ensure AI-assisted coding remains secure and compliant.

The post Securing AI-Generated Code in Enterprise Applications: The New Frontier for AppSec Teams  appeared first on Security Boulevard.

Among the most debated questions in the constantly changing mobile application development, whether to include root detection in the application is a seemingly important choice to both developers and security...

The post Root Detection in Android Apps – Security Benefits, Challenges, and Implementation Strategies appeared first on Strobes Security.

The post Root Detection in Android Apps – Security Benefits, Challenges, and Implementation Strategies appeared first on Security Boulevard.

See how the latest Shai-Hulud attack works.

The post Shai-Hulud: The Second Coming appeared first on Security Boulevard.

In this episode, we discuss the first reported AI-driven cyber espionage campaign, as disclosed by Anthropic. In September 2025, a state-sponsored Chinese actor manipulated the Claude Code tool to target 30 global organizations. We explain how the attack was executed, why it matters, and its implications for cybersecurity. Join the conversation as we examine the […]

The post AI Agent Does the Hacking: First Documented AI-Orchestrated Cyber Espionage appeared first on Shared Security Podcast.

The post AI Agent Does the Hacking: First Documented AI-Orchestrated Cyber Espionage appeared first on Security Boulevard.

💾

Learn how to implement risk-based authorization for enhanced security in identity and access management. Protect your applications from unauthorized access and data breaches.

The post Comprehensive Guide to Risk-Based Authorization for Identity and Access Management appeared first on Security Boulevard.

Fortinet may have silently patched an exploited zero-day vulnerability more than two weeks before officially disclosing the vulnerability. CVE-2025-64446 in Fortinet’s FortiWeb web application firewall (WAF) may have been exploited as early as October 6, according to DefusedCyber in a post on X. Fortinet is believed to have patched the 9.8-rated vulnerability in FortiWeb 8.0.2 in late October, but didn’t publish an advisory disclosing the exploited vulnerability until November 14. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog the same day as Fortinet’s disclosure. Late today, Fortinet disclosed another exploited FortiWeb vulnerability - CVE-2025-58034, a 7.2-rated OS Command Injection vulnerability.

Fortinet Silent Patch Raises Concerns

The delayed notification in the case of CVE-2025-64446 has raised concerns with some in the cybersecurity industry, who say the delay may have put Fortinet customers at a disadvantage. “Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have previously been exploited in the wild,” VulnCheck’s Caitlin Condon said in a blog post. “We already know security by obscurity doesn't work; adversaries monitor new product releases and are actively reverse engineering patches regardless of whether suppliers tell their customers about fixed vulnerabilities or not,” Condon added. “When popular technology vendors fail to communicate new security issues, they are issuing an invitation to attackers while choosing to keep that same information from defenders.” The Cyber Express has reached out to Fortinet for comment and will update this article with any response.

CVE-2025-64446 FortiWeb Vulnerability

CVE-2025-64446 is a 9.8-severity relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11. The vulnerability could potentially allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. Fortinet recommends disabling HTTP or HTTPS for internet facing interfaces until an upgrade can be performed. “If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced,” Fortinet’s advisory said. Shadowserver shows several hundred internet-facing FortiWeb management instances, which presumably would be vulnerable until upgraded. After completing upgrades, Fortinet recommends that FortiWeb customers “review their configuration for and review logs for unexpected modifications, or the addition of unauthorized administrator accounts.” watchTowr said CVE-2025-64446 appears to comprise two vulnerabilities: a path traversal vulnerability, and an authentication bypass vulnerability. watchTowr shared one sample request stream that it said was “evidence of a threat actor looking to exploit a vulnerability ... that allowed privileged administrative functions to be reached.” In the example, the threat actor “exploited the vulnerability to add administrative accounts to the target and vulnerable appliance, serving as a weak persistence mechanism. “To be explicitly clear,” watchTowr added, “this is a complete compromise of the vulnerable appliance.”

See how Mend.io's Risk Reduction Dashboard works.

The post AppSec metrics fail, Mend.io’s Risk Reduction Dashboard fixes it appeared first on Security Boulevard.

💾

Discover a step-by-step workflow you can plug directly into your development process

The post Fixing Vulnerabilities Directly in your IDE with Escape MCP appeared first on Security Boulevard.

In this episode, we discuss the newly released OWASP Top 10 for 2025. Join hosts Tom Eston, Scott Wright, and Kevin Johnson as they explore the changes, the continuity, and the significance of the update for application security. Learn about the importance of getting involved with the release candidate to provide feedback and suggestions. The […]

The post OWASP Top 10 for 2025: What’s New and Why It Matters appeared first on Shared Security Podcast.

The post OWASP Top 10 for 2025: What’s New and Why It Matters appeared first on Security Boulevard.

💾

Over the past year, we've seen a steady drumbeat of supply chain incidents targeting npm — each slightly different, but collectively pointing to the same truth: the open source ecosystem is being stress-tested in real time.

The post Unprecedented Automation: IndonesianFoods Pits Open Source Against Itself appeared first on Security Boulevard.

Open source components form the backbone of innovation, but they also introduce significant security risks.

The post Stop Open Source Malware at the Gate with Repository Firewall appeared first on Security Boulevard.

As LLMs, agents and Model Context Protocols (MCPs) reshape software architecture, API sprawl is creating major security blind spots. The 2025 GenAI Application Security Report reveals why continuous API discovery, testing and governance are now critical to protecting AI-driven applications from emerging semantic and prompt-based attacks.

The post Why API Security Will Drive AppSec in 2026 and Beyond  appeared first on Security Boulevard.

Discover the best Application Security Testing (AST) services in 2025.

The post Best Application Security Testing Services to Know appeared first on Security Boulevard.

Twilio acquiring Stytch signals a major shift in developer CIAM. I've analyzed 20+ platforms—from Descope to Keyclock—to show you which deliver on Auth0's promise without the lock-in. OpenID standards, AI agent auth, and what actually matters when choosing your identity platform.

The post The Twilio-Stytch Acquisition: A Watershed Moment for Developer-First CIAM appeared first on Security Boulevard.

Discover the security risks in vibe-coded applications as we uncover over 2,000 vulnerabilities, exposed secrets, and PII

The post Methodology: How we discovered over 2k high-impact vulnerabilities in apps built with vibe coding platforms appeared first on Security Boulevard.

Explore top risks and proven open source security strategies.

The post Ultimate Guide to Open Source Security: Risks, Attacks & Defenses appeared first on Security Boulevard.

How trending are mobile apps? Statistics say that mobile apps are now a part of 70% of the digital interactions across the globe. The number of smartphone users now stands at over 6.8 billion. Based on the most recent available data from 2023, 40% of data breaches were linked to mobile app vulnerabilities, and, given […]

The post OWASP Mobile Top 10 for Android – How AutoSecT Detects Each Risk? appeared first on Kratikal Blogs.

The post OWASP Mobile Top 10 for Android – How AutoSecT Detects Each Risk? appeared first on Security Boulevard.