DHS Ousts CBP Privacy Officers Who Questioned ‘Illegal’ Orders

https://fed.brid.gy/r/https://www.wired.com/story/cbp-privacy-threshold-analysis-foia/

A plethora of critical #Linksys MX4200 Wi-Fi router vulnerabilities (that were originally reported to Linksys nearly a year ago!) are still unfixed:

- [SYSS-2025-001] Linksys MX9600/MX4200 - Path Traversal https://seclists.org/fulldisclosure/2026/Feb/10
- [SYSS-2025-002] Linksys MX9600/MX4200 - Missing Authentication for Critical Function https://seclists.org/fulldisclosure/2026/Feb/11
- [SYSS-2025-009] Linksys MX9600/MX4200 - SQL Injection https://seclists.org/fulldisclosure/2026/Feb/12
- [SYSS-2025-010] Linksys MX9600/MX4200 - OS Command Injection https://seclists.org/fulldisclosure/2026/Feb/13
- [SYSS-2025-011] Linksys MX9600/MX4200 - OS Command Injection https://seclists.org/fulldisclosure/2026/Feb/18
- [SYSS-2025-014] Linksys MX4200 - Improper Verification of Source of a Communication Channel https://seclists.org/fulldisclosure/2026/Feb/19

On first read it might appear that many of these vulnerabilities would only be exploitable by accessing the device's non-WAN interface(s) from inside the local network. However, due to the SYSS-2025-014 vulnerability, the normally "LAN-only RCE" vulnerabilities (SYSS-2025-010 and -011) and the SQL injection (SYSS-2025-009) can be performed from the WAN interface (read: the internet). The attacker merely needs to make the connection originate from port 5222 (which is trivial to arrange via local bind before connect).

Update: Users of Linksys MX4200 should upgrade to firmware version 2.0.7.216620 or later. While not all of the security issues are fixed, it at least should stop the attacks via the WAN interface (SYSS-2025-014). https://support.linksys.com/kb/article/952-en/

#linksys #fulldisclosure #vulnerability #infosec #cybersecurity

Full Disclosure: [SYSS-2025-001] Linksys MX9600/MX4200 - Path Traversal

Full disclosure in computer security still exists and is complementary to other disclosure models. The evolution of vulnerability disclosure is not linear from full disclosure to responsible disclosure to coordinated disclosure. These models coexist and all need to be taken into account.

You can’t just say “the legal framework will solve it” or “just do coordinated disclosure.” Vendors, researchers, and users are not all rational actors playing the same game.

Vulnerability disclosure is more complex than that, and if you actually want to address the issue, you can’t just say “it doesn’t exist.”

#cve #gcve #vulnerabilitymanagement #cybersecurity #fulldisclosure #vulnerability

I have no idea, zero (0), how they got a high severity CVSS out of missing response headers. I mean, are they important? Sure! Don't you put that on reports, Bill? You bet! 8.3 severity? I'd be laughed out of the readout call.

https://seclists.org/fulldisclosure/2025/Dec/0

#fulldisclosure #cvss

Full Disclosure: Missing Critical Security Headers in Legality WHISTLEBLOWING

I can't think of anything more repulsive than the Andromedan virus who thinks everything is a joke... The Andromedan virus will think it's a joke... but it is Animal Farm; disclosure 101 #animalfarm #orwell #fulldisclosure

To everyone using #MintLinux:

Please run `sudo passwd` and set a password for your root shell right now!

Failing to do so will keep your system vulnerable to a password-less recovery root shell, whose only security measure is asking you to press "Enter", nothing else.

I am doing #FullDisclosure of this massive #SecurityBreach right now, as this huge problem has apparently been known for years already, but nobody seems to care at @linuxmint

https://forums.linuxmint.com/viewtopic.php?t=363711.

What the...

#RootShell #Linux

#FullDisclosure this had me laughing uncontrollably when I heard it… the scene was perfection https://mastodon.social/@filmfreakmafia/115028657473772176

@CannaParts
Funny, I haven't seen a critical CVE for MS Teams yet today. When is that going out? #FullDisclosure

Funny how often an arms industry tie-in is omitted, despite obvious relevance. #FullDisclosure

RE: https://bsky.app/profile/did:plc:cpshddqofvb6kgmi3rng4nyv/post/3lw43tgpis22n