Microsoft confirms two zero-day vulnerabilities in Exchange Server 2013, 2016, and 2019 are being exploited; one researcher suspects a Chinese threat actor (Sergiu Gatlan/BleepingComputer)

Sergiu Gatlan / BleepingComputer:
Fortinet confirms a critical remote authentication bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager is being exploited; a patch is available  —  Fortinet has confirmed today that a critical authentication bypass security vulnerability patched last week is being exploited in the wild.

Sergiu Gatlan / BleepingComputer:
Microsoft says hackers used vulnerabilities in Boa web server, discontinued in 2005 but pervasive across IoT devices, to target the Indian power sector  —  Microsoft said today that security vulnerabilities found to impact a web server discontinued since 2005 have been used to target and compromise organizations in the energy sector.

Lawrence Abrams / BleepingComputer:
Microsoft releases 68 security fixes, including patches for six actively exploited Windows zero-day flaws and 11 vulnerabilities classified as Critical  —  Today is Microsoft’s November 2022 Patch Tuesday, and with it comes fixes for six actively exploited Windows vulnerabilities and a total of 68 flaws.

Sergiu Gatlan / BleepingComputer:
Google updates Chrome to address an actively exploited high-severity zero-day vulnerability in Mojo, its sixth patch for zero-day vulnerabilities in 2022  —  Google has released Chrome 105.0.5195.102 for Windows, Mac, and Linux users to address a single high-severity security flaw …

Sergiu Gatlan / BleepingComputer:
Alongside iOS 16, Apple releases iOS and iPadOS 15.7, macOS Monterey 12.6, and macOS Big Sur 11.7 to fix the eighth actively exploited 0-day since January 2022  —  Apple has released security updates to address the eighth zero-day vulnerability used in attacks against iPhones and Macs since the start of the year.

Sergiu Gatlan / BleepingComputer:
The FBI and CISA say an Iranian-backed threat group hacked a US Federal Civilian Executive Branch and deployed XMRig cryptomining malware via the Log4Shell flaw  —  The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked …