Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Arctic Wolf

CVE202554236: Critical Adobe Commerce and Magento Open Source Flaw Allows Customer Account Takeover and RCE

Sep 10, 2025 By Andres Ramos In Arctic Wolf
On September 9, 2025, Adobe released an out-of-band security update to address a critical vulnerability in Adobe Commerce and Magento Open Source. The vulnerability, tracked as CVE-2025-54236 and referred to in open-source reporting as “SessionReaper,” allows a remote unauthenticated threat actor to take over customer accounts through the Commerce REST API.
Read Post
detectify

Product comparison: Detectify vs. Intruder

Sep 10, 2025 By Detectify In Detectify
Intruder is a cloud-based vulnerability scanner that provides an automated overview of an organization’s attack surface. Its primary function is to proactively identify weaknesses across internet-facing infrastructure and applications before they are exploited. The platform’s scanning engine runs a set of checks for both infrastructure-level misconfigurations and application-layer vulnerabilities, like those in the OWASP Top 10. It leverages open-source engines like ZAP to execute its checks.
Read Post

When Secure Isn't Safe Uncovering OWASP Top 10 Business Logic Abuse

Sep 10, 2025 By Wallarm In Wallarm
The OWASP Top 10 for Business Logic Abuse reveals the most critical ways attackers exploit the design of your applications, not just their code. Business logic abuse isn’t about SQL injection or XSS, it's about bypassing the rules, manipulating workflows, and triggering unintended behaviors in ways your functional tests never anticipated. Why this Matters? Attackers are shifting from exploiting code flaws to abusing the intended functionality of your applications.These logic-level threats are particularly dangerous because they.
View Video
Featured Post
Machines, the Silent Threat Lurking Inside the Enterprise

Machines, the Silent Threat Lurking Inside the Enterprise

Sep 9, 2025 By Brian Ramsey, VP Americas - Sales In Xalient
The digital enterprise is no longer primarily made up of individuals' identities. According to Gartner, over 60% of all identities in a typical organization are non-human. These Non-Human Identities (NHIs) are digital identities assigned to software, services, applications, containers, or devices that require access to systems and data. Unlike human identities, NHIs operate autonomously, at scale, and often with high privilege. This makes them essential for modern automation and uniquely vulnerable to misuse.
Read Post
bitsight

Patch vs. Workaround: How CVEs Actually Get Fixed

Sep 9, 2025 By Diogo Ferreira In BitSight
In order to collect various security-related metrics, Bitsight scans the entire internet, collecting a unique set of data that enables us to carry out a variety of studies that would be extremely difficult for any other company to conduct. One of the metrics that we collect is related to the presence of certain vulnerabilities. For this, we need to take into consideration all possible mitigation strategies that are available and that allow us to reduce the risk.
Read Post
elastic

Guide to the OWASP Top 10 for LLMs: Vulnerability mitigation with Elastic

Sep 9, 2025 By Rich Cabrera In Elastic
Industries, governments, and enterprises of all kinds have adopted large language models (LLMs) and generative AI (GenAI) into their operations and workflows, unlocking new possibilities for everything from customer interaction to complex data analysis. But with this innovation comes new challenges for security, observability, and data science teams.
Read Post
Arctic Wolf

CVE-2025-42944: Maximum-Severity OS Command Execution Vulnerability in SAP NetWeaver

Sep 9, 2025 By Andres Ramos In Arctic Wolf
On September 9, 2025, SAP released its September 2025 Security Patch Day update with patches for 21 vulnerabilities. The most severe of these, CVE-2025-42944, is a maximum-severity deserialization vulnerability of untrusted Java objects in SAP NetWeaver that resides in the RMI-RP4 module. A remote unauthenticated threat actor can exploit this vulnerability by submitting a malicious payload to an open port to achieve arbitrary OS command execution.
Read Post
ionix

Unauthenticated SSRF in Ditty WordPress Plugin (CVE-2025-8085)

Sep 9, 2025 By Tal Zamir In IONIX
A critical Server-Side Request Forgery (SSRF) vulnerability—CVE-2025-8085—has been discovered in the popular WordPress plugin “Ditty (News Ticker & Display Items)” for versions prior to 3.1.58. The issue resides in the displayItems REST API endpoint (wp-json/dittyeditor/v1/displayItems), which lacks authentication and authorization, allowing unauthenticated attackers to force the server to fetch arbitrary URLs—internal or external—via crafted JSON payloads.
Read Post
Snyk

Snyk Named a Leader in the 2025 Forrester SAST Wave: SAST Solutions, Q3 2025

Sep 9, 2025 By Ben Desjardins In Snyk
We’re excited to announce that Snyk has been recognized as a Leader in the Forrester Wave: Static Application Security Testing (SAST) Solutions, Q3 2025. This recognition affirms our place at the forefront of developer-first security — and highlights the innovation, customer impact, and platform breadth that continue to set us apart.
Read Post

Copyright © 2026 OpsMatters™. All rights reserved.