A critical RCE vulnerability has been fixed in the Russian video conferencing system VINTEO. The issue was caused by a feature in the implementation of a component that had insufficient filtering of user data.
The VINTEO video conferencing server is designed for building new VCS infrastructure and scaling existing networks. According to the manufacturer, VINTEO solutions have facilitated approximately 10 million video conferences over the past 12 years.
The issue was assigned the identifier BDU:2025-07296 (9.3 points on the CVSS scale) and was discovered in January 2025 by Positive Technologies specialists Mikhail Klyuchnikov and Alexander Starikov during a code analysis of the software on a test environment provided by VINTEO for research purposes.
It has been reported that the manufacturer was notified of the threat and promptly released a patch for their clients, completely resolving the issue. Subsequently, a comprehensive software update with the fix was prepared.
“In the event of a successful exploitation of the vulnerability, a potential attacker could execute arbitrary commands and gain access to the server and control over it. Subsequent attack scenarios could vary greatly,” comments Mikhail Klyuchnikov, Head of the Software Research Group in the Penetration Testing Department at Positive Technologies.
A vulnerability fixed in the new release was present in VINTEO 30.0.0, and users are now advised to install version 30.2.0 or newer as soon as possible.
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.02.06 — Let's Encrypt to stop sending expiration notification emails
The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…
Full article →
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched
Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…
Full article →
2025.01.27 — YouTube plays hour-long ads to users with ad blockers
Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →
2025.01.30 — Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks
Experts believe that recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) were used by attackers to gain initial access to corporate networks. A number…
Full article →
2025.02.03 — PyPI introduces a project archival system to combat malicious updates
The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it's not expected to be updated…
Full article →