Microsoft will raise Microsoft 365 and Office 365 prices in July 2026, citing new AI and security upgrades for business and government users.
The post Microsoft to Hike Office Prices in 2026, Citing Major AI and Security Overhauls appeared first on TechRepublic.
Microsoft will raise Microsoft 365 and Office 365 prices in July 2026, citing new AI and security upgrades for business and government users.
The post Microsoft to Hike Office Prices in 2026, Citing Major AI and Security Overhauls appeared first on TechRepublic.
A Critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-55182, has been discovered in Next.js applications utilizing React Server Components (RSC) and Server Actions. This vulnerability stems from insecure deserialization within the underlying “Flight” protocol used by React. Unauthenticated remote attackers can exploit this flaw to execute arbitrary code on the server, potentially leading to a complete compromise of the application and underlying system.
Given the widespread adoption of Next.js and the critical severity of the flaw (CVSS 10.0), immediate action is required.
The vulnerability affects the React Server Components ecosystem, which is heavily integrated into modern frameworks like Next.js. Specifically, it impacts the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages.
Affected Versions:
CVE-2025-55182 is an insecure deserialization vulnerability that occurs at “Server Function endpoints.”
The flaw exists because the server-side handler for the React “Flight” protocol unsafely deserializes payloads from HTTP requests. The server fails to properly validate serialized input before processing it. An attacker can trigger this vulnerability by sending a specially crafted POST request to the root path containing:
LoginNext-Action headers.When processed, this malformed payload triggers the insecure deserialization, allowing the attacker to inject and execute malicious code remotely.
Detectify customers can now test whether their applications are exposed to this RCE.
The vulnerability assessment released by Detectify checks for the presence of the insecure deserialization flaw by sending a specially crafted POST request to the root path with Next-Action headers and malformed multipart data. The test safely identifies the vulnerability by observing specific error responses from the server that confirm the deserialization failure, without executing malicious code.
Upgrade Immediately: The most effective mitigation is to upgrade the affected packages to their patched versions.
react-server-dom-* packages to versions 19.0.1, 19.1.2, or 19.2.1 (or later).If immediate patching is not feasible: You may be able to mitigate the risk by applying Web Application Firewall (WAF) rules to block requests containing suspicious Next-Action headers or malformed multipart bodies, though this is not a substitute for patching.
The vulnerability is fixed in the following versions:
Users are strongly advised to update to these versions.
Customers can always find updates in the “What’s New at Detectify” product log. Any questions can be directed to Customer Success representatives or Support. If you’re not already a customer, click here to sign up for a demo or a free trial and immediately start scanning. Go hack yourself!
References
Vendor Advisory
The post Security Update: Critical RCE in React Server Components & Next.js (CVE-2025-55182) appeared first on Blog Detectify.
Prominent financial market wizard Peter Brandt has shared a sarcastic take on XRP investors and their unusually intense optimism. In a recent commentary on X, Brandt remarked that XRP bulls rank among the two most “obsessed perma-bull” groups, investors who remain extremely bullish regardless of market conditions.
Market veteran Peter Brandt has suggested that Bitcoin could correct by as much as 75%, citing historical data. His recent commentary comes on the back of the latest Bitcoin crash below $90,000 on Dec.
Bitcoin nears historical support as veteran analyst Peter Brandt warns prices could slide toward lower channel levels. Bitcoin (BTC) is trading at $86,032, marking a 0.7% decline over the past seven days.
Google Maps adds AI-powered tips, social recommendations, reviewer privacy tools, and EV charger predictions to help travelers navigate the holiday rush.
The post Gemini Comes to Google Maps With Insider Tips, Social Lists, and EV Tools appeared first on TechRepublic.
Google Maps adds AI-powered tips, social recommendations, reviewer privacy tools, and EV charger predictions to help travelers navigate the holiday rush.
The post Gemini Comes to Google Maps With Insider Tips, Social Lists, and EV Tools appeared first on TechRepublic.
At ManagedMethods, we’re always listening and thinking about how we can make our cybersecurity, student safety, and classroom management products simpler and more effective for educators and IT leaders. This Fall, we’re excited to share several new updates across both Classroom Manager and Cloud Monitor, designed to help districts improve student engagement, streamline digital class ...
The post What’s New in Cloud Monitor & Classroom Manager: Smarter Tools for K–12 Classrooms appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.
The post What’s New in Cloud Monitor & Classroom Manager: Smarter Tools for K–12 Classrooms appeared first on Security Boulevard.
Google Calendar now lets you block time for Google Tasks with busy status, auto-decline, and DND settings, making deep work easier and more intentional.
The post New Google Calendar Update Makes Deep Work Easier Than Ever appeared first on TechRepublic.
Google Calendar now lets you block time for Google Tasks with busy status, auto-decline, and DND settings, making deep work easier and more intentional.
The post New Google Calendar Update Makes Deep Work Easier Than Ever appeared first on TechRepublic.
Google’s latest release raises the platform’s research capabilities with structured analysis, clear sourcing, and support for more document types.
The post Google’s NotebookLM Update Adds Deep Research, Expanded File Formats appeared first on TechRepublic.
Google’s latest release raises the platform’s research capabilities with structured analysis, clear sourcing, and support for more document types.
The post Google’s NotebookLM Update Adds Deep Research, Expanded File Formats appeared first on TechRepublic.
Six months after launch, Alfred, the AI Agent that autonomously builds security tests, has revolutionized our workflow. Alfred has delivered over 450 validated tests against high-priority threats (average CVSS 8.5) with 70% requiring zero manual adjustment, allowing our human security researchers to concentrate on more complex, high-impact issues.
Now, we’re elevating Alfred’s capabilities by integrating real-world threat actor intelligence directly into its core system. This significant enhancement ensures that Alfred immediately prioritizes and generates tests for the most alarming, actively weaponized CVEs, dramatically increasing the speed and relevance of protection for all Detectify customers.
When we first built the vulnerability catalog that Alfred uses to source its assessments, the initial focus was identifying which CVEs were being utilized by Advanced Persistent Threats (APTs) and other active threat actors. Up until now, the system has primarily sourced raw vulnerability data (CVEs, along with their exploitability likelihood). However, in the spirit of our original intent, we’ve overhauled the pipeline to directly integrate active threat intelligence.
This means that the vulnerability catalog used to feed the Alfred pipeline now sources two critical elements: vulnerabilities AND threat actors.
This change allows Alfred to place immediate and explicit emphasis on the CVEs that are being actively exploited by malicious actors in the wild. Alfred ensures that the most dangerous, actively weaponized CVEs are prioritized first for test generation and deployment onto the Detectify platform by adding up-to-the-minute threat actor behavior into our prioritization model.
In addition to this enhanced threat intelligence sourcing, we have also optimized Alfred’s processing pipeline. This alteration is designed to capture an even broader scope of relevant CVEs: specifically, those with a high likelihood of translating into actionable security tests that will help our customers find vulnerabilities in their assets.
We’re excited to deliver continuous and even higher-value security research by combining the power of the Detectify Crowdsource community with our AI Researcher Alfred.
The post Detectify AI-Researcher Alfred gets smarter with threat actor intelligence appeared first on Blog Detectify.
In the wake of the federal government’s push to bring employees back to the office, agencies like FEMA are facing a critical crossroads. While the intent behind return-to-office policies may be rooted in tradition, optics or perceived productivity, the reality is far more complex — and far more costly.
For employees with disabilities, these mandates are not just inconvenient. They are exclusionary, legally questionable and operationally unsound.
The Jan. 20, 2025, presidential mandate directing federal employees to return to in-person work includes a crucial caveat: It must be implemented consistent with applicable law. That includes the Rehabilitation Act of 1973 and the Americans with Disabilities Act (ADA), which require agencies to provide effective accommodations to qualified employees with disabilities unless doing so would cause undue hardship.
Yet, across the federal landscape, many agency leaders are misinterpreting this mandate as a blanket prohibition against remote work, even in cases where virtual accommodations are medically necessary and legally protected. This misapplication is not only harmful to employees, it exposes agencies to legal liability, reputational damage and operational risk.
At FEMA, the consequences of this misinterpretation are playing out in real time. In fiscal year 2025 alone, FEMA employees submitted over 4,600 reasonable accommodation requests, up more than three times from the previous year. Despite this surge, the agency’s accommodation infrastructure remains underresourced and reactive.
Supervisors, often untrained in disability law, are making high-stakes decisions without adequate support. The result? Delays, denials and errors that leave employees feeling unseen, unsupported and in some cases, forced out of the workforce entirely.
One FEMA reservist with a service-connected disability shared:
“After months of silence and no support, I gave up. I stopped applying for deployments. I felt like FEMA had no place for me anymore.”
Another permanent employee wrote:
“I wasn’t asking for anything fancy — just to do my job from home so I didn’t collapse from pain after 20 minutes in the building. Instead, I was treated like a problem.”
These stories are not isolated. They reflect a systemic failure that is both preventable and fixable.
When agencies deny effective accommodations, they don’t just violate the law, they lose talent, morale and money.
Consider the cost of FEMA forcing an employee to deploy in person to a disaster event when they could be performing the same job virtually instead. Tens of thousands of dollars in airfare, lodging and meals — all paid from the Disaster Relief Fund — become unnecessarily incurred expenses. Worse, the employee may underperform due to physical hardship or burn out entirely. In contrast, virtual deployment may be a zero-cost, high-return accommodation that results in better stewardship of taxpayer dollars.
Reasonable accommodations, when applied correctly, do not remove essential job functions or lower performance standards. They enable employees to meet those standards in a way that aligns with their health and abilities. They are not a problem; they are a solution.
Federal agencies must recognize that return-to-office policies and reasonable accommodations are not mutually exclusive. Virtual work can, and should, coexist with in-person mandates when it enables qualified individuals with disabilities to perform their essential functions.
This is not just a legal imperative. It’s a strategic one.
A supported, well-equipped workforce is more productive, more mission-focused, and less likely to file complaints and grievances. Accommodations foster a positive workplace culture, which is critical for retaining skilled staff. They also align with the administration’s stated goals of rooting out inefficiency and ensuring high performance among public servants.
To modernize federal accommodation practices and align them with both legal obligations and operational goals, agencies should consider the following steps:
Federal agencies must stop treating reasonable accommodations as a bureaucratic hurdle and start recognizing them as a strategic asset. A fully optimized accommodation program enhances legal compliance, protects against risk, retains mission-critical personnel and improves operational excellence.
Return-to-office mandates may be politically popular, but they must be implemented with nuance, compassion and legal integrity. For employees with disabilities, flexibility is not a perk — it’s a lifeline. And for agencies like FEMA, it’s the key to building a workforce that’s not just present, but prepared.
Jodi Hershey is a former FEMA reasonable accommodation specialist and is now the founder of EASE, LLC.
The post Return-to-office mandates are undermining federal workforce readiness — especially for employees with disabilities first appeared on Federal News Network.
© Getty Images/Ridofranz
Our API scanner can test for dozens of vulnerability types like prompt injections and misconfigurations. We’re excited to share today that we’re releasing vulnerability tests for OAuth API authorization for organizations that use JWT tokens. These JWT, or JSON Web Tokens, are meant to prove that you have access to whatever it is you are accessing. One of the most critical JWT vulnerabilities is algorithm confusion. This occurs when an attacker tricks the server into verifying the token’s signature using a different, less secure algorithm than intended. There are plenty of other issues that can go wrong with managing JWT, which is why having a test to catch these misconfigurations is so useful.
Our API scanner can now detect a variety of misconfigurations that occur with JWT, like timestamp confusion or even manipulating the header with ‘none.’ This will help mitigate the risk of misconfigurations that come up when things like managing complex infrastructure is a daily part of an AppSec team’s scope.
When we set out to build our API scanning engine, we faced a fundamental choice: wrap an existing open-source tool like ZAP, or build something from the ground up. Unlike other vendors, we chose the latter. While open-source tools are invaluable to the security community, we believe our customers deserve more than repackaged checks and noisy results. To deliver on that, we engineered a proprietary engine guided by three core principles:
Detectify builds and maintains its scanning engines in-house to tailor them specifically for modern application architectures. This approach is designed to yield more accurate results for custom applications by better understanding complex logic and API-driven front-ends. In contrast, general-purpose open-source engines can struggle with the nuances of modern apps and APIs.
Why does this matter to AppSec teams? Simply put, reduced noise. Many security vendors today rely heavily on open-source tooling, meaning no steps are taken by the tool to reduce noise. By building its own engines, Detectify can implement methodologies like testing for OAuth authorization, which helps curb the time users spend validating vulnerabilities.
One piece of feedback we’ve regularly received from our customers is that they find the breadth of coverage really useful. Not only can we discover high and critical vulnerabilities, but we can also find issues like misconfigured JWT tokens and missing security headers, something that isn’t commonly available in API scanners.
We can deliver this kind of experience to our users because our engines are built with the AppSec team in mind, meaning that we consider the use cases that our users need.
Detectify’s research-led approach and proprietary fuzzing engine deliver high-fidelity, actionable results that empower AppSec teams to secure their APIs with confidence – try our API scanner to experience the difference.
The post New API testing category now available appeared first on Blog Detectify.
We know the importance of staying ahead of threats. At Detectify, we’re committed to providing you with the tools you need to secure your applications effectively. This update covers our new Dynamic API Scanning feature, updates over the last few months, and the latest additions to our vulnerability testing capabilities.
We’re excited to announce the launch of Dynamic API Scanning, now integrated into the Detectify platform. As APIs become increasingly critical to modern applications, they also present a growing attack surface. Our new API Scanning engine is designed to provide you with unified visibility and research-led testing for your APIs.
Key capabilities include:
This new feature will help you tackle challenges such as incomplete API inventories and the use of disparate testing solutions. The new API Scanner uses an advanced dynamic approach where the payloads used for testing are randomized and rotated with every single scan, meaning that every scan that we run against customer API is going to be unique; something that we never scanned before. Read more about Dynamic Payloads here.
Get started with Detectify API Scanning with this guide.
Prioritizing deep application scanning across hundreds of assets is a significant challenge. To solve this, our new Scan Recommendations feature helps you move from guessing to certainty. It analyzes your attack surface to identify complex, interactive web apps and recommends them for deeper scanning, ensuring your most critical assets are always covered.
To decide what to test, you first need to know what each asset does. Our new Asset Classification feature automates this by analyzing and categorizing your web assets (e.g., rich web apps, APIs). This gives you the insight needed to prioritize security testing and ensure your attack surface is covered.
We’ve enhanced active subdomain discovery. It now runs recursively to find deeply nested subdomains and uses a wordlist that is three times larger. This expanded wordlist is explored over time to uncover obscure assets with minimal impact. To support these improvements, passive subdomain discovery must be enabled to run active discovery.
We’ve improved vulnerability filtering in the API. The vulnerabilities endpoint now returns a <modified_at> timestamp that updates on any change, including manual actions. This allows for more granular queries using the new <modified_before> and <modified_after> filters.
This product update would be very, very long if we listed all of the new vulnerabilities we implemented thanks to our Alfred, our AI Security Researcher, Crowdsource, and our incredible team of Security Researchers. So, you can check out all of our new tests here.
The post Product update: Dynamic API Scanning, Recommendations & Classifications, and more appeared first on Blog Detectify.
Last Updated on September 26, 2025 by Narendra Sahoo
The world of payment security never stands still, and neither does PCI DSS. PCI DSS 4.0.1 Compliance is now the latest update that is the new talk of the town. Don’t worry it’s not that massive and heavy on changes but it is here to make a remarkable difference in transparency and finance.
The Payment Card Industry Data Security Standard (PCI DSS v.4.0) is a data security framework that helps businesses keep their customers’ sensitive data safe. Every organization, regardless of size and location, that handles customers payment card data has to be PCI DSS compliant. PCI DSS v4.0 consists of 12 main requirements, categorized under 6 core principles that every organization must adhere to in order to maintain compliance.
Since 2008, 4 years from the date it was first introduced, PCI DSS has undergone multiple revisions to keep up with the emerging cyber threats and evolving payment technologies. With each update, organizations are expected to refine their security practices to meet stricter compliance expectations.
Now, with PCI DSS 4.0.1, organizations must once again adapt to the latest regulatory changes. But what does this latest version bring to the table, and how can your organization ensure a smooth transition? Let’s take a closer look.
PCI DSS 4.0.1 is a revised version of PCI DSS v4.0, published by the PCI Security Standard Council (PCI SSC) on June 11, 2024. The latest version focuses on minor adjustments, such as formatting corrections and clarifications, rather than introducing new requirements. Importantly, PCI DSS version 4.0.1 does not add, delete, or modify any existing requirements. So, organizations that have already started transitioning to PCI DSS 4.0, won’t face any drastic changes, but it is crucial to understand the key updates to ensure full compliance.
We know PCI DSS 4.0.1 does not introduce any brand-new requirements, so what kind of refinements does it bring, and are they worth noting?
The answer is: Yes, they are, and you should comply with them to avoid non-compliance. The new updates aim to enhance clarity, consistency, and usability rather than overhaul existing security controls in PCI DSS.
Below are some of the significant updates in PCI DSS 4.0.1:
PCI DSS 4.0.1 introduces clarifications, minor corrections, and additional guidance to make existing requirements in PCI DSS 4.0 easier to understand and implement.
PCI DSS 4.0.1 was released to address feedback from organizations and assessors, ensuring requirements are clear, consistent, and practical without changing the core security goals of version 4.0.
Organizations should review the updated documentation, perform a gap analysis, update policies and procedures if needed, and confirm alignment with the clarified requirements.
No new technical requirements were added. PCI DSS 4.0.1 focuses on clarifications and corrections to help organizations implement PCI DSS 4.0 more effectively.
Failure to comply with PCI DSS 4.0.1 can lead to fines, loss of the ability to process card payments, and increased risk of data breaches due to weak security practices.
PCI DSS compliance isn’t just a checkbox exercise, it is your very first commitment when it comes to safeguarding your customer’s data and strengthening cybersecurity. While PCI DSS 4.0.1 may not introduce serious changes, its refinements serve as a crucial reminder that security is an ongoing journey, not a one-time effort. With the March 2025 compliance deadline fast approaching, now is the time to assess, adapt, and act.
Need expert guidance to navigate PCI DSS 4.0.1 seamlessly? Partner with us at VISTA InfoSec for a smooth, hassle-free transition to the latest version of PCI DSS. Because in payment security, compliance is just the beginning, true protection is the actual goal.
The post PCI DSS 4.0.1 Compliance made simple with latest updates appeared first on Information Security Consulting Company - VISTA InfoSec.
What if we told you that our newly released API Scanner has 922 quintillion payloads for a single type of vulnerability test? A quintillion is a billion billion – an immense number that highlights the limitations of traditional API security testing. Old methods like relying on signatures, vulnerability-specific payloads, or a fixed set of fuzzing inputs just aren’t enough anymore, especially when dealing with custom-built software and unique API endpoints.
A fixed set of payloads can’t find new and unknown vulnerabilities. The future (now present) of API security testing requires a new approach that can generate a nearly infinite set of payloads to keep pace with new and evolving threats, such as Prompt Injection.
In security testing, a payload is a specific string of text or data designed to interact with an application in an unintended way. For instance, a payload for an SQL Injection attack might be ‘ OR 1=1–, while a Cross-Site Scripting (XSS) payload could be <script>alert(‘XSS’)</script>. A payload for a Prompt Injection vulnerability could look like this:
Traditional API security scanners use static word lists, which are files containing a finite number of known payloads. Traditional scanners limit the volume of payloads they test for. If they were to attempt to test a massive array of payloads, it would be slow and costly for the vendor to execute. This brute-force approach is fundamentally limited because it can only find what it knows to look for.
A more advanced approach to API fuzzing (a security testing technique that involves feeding malformed or unexpected data into an application to see how it responds) relies on a basically “infinite” body of payloads. Instead of relying on a finite list, the security tool can generate a virtually limitless number of unique payloads on the fly. But with a list this large, how does a tester or a security scanner manage what to test? The answer lies in the seed number.
Much like a seed in the game Minecraft generates a unique and expansive world, a seed number for API fuzzing deterministically generates a specific subset of payloads from an “infinite” list. This ensures that the same seed will always produce the same payloads, which allows for reproducible and manageable scans without the need to store a massive word list. The new API scanner can generate a nearly infinite set of payloads, with over 922 quintillion for prompt injection alone, which allows it to try new things with every scan while still running all the standard tests.
The true power of the seed number approach is leveraged when combined with machine learning principles. The system can learn from past scans and prioritize the most effective seeds. In the visual example above, for example, if seed 5684 consistently finds Prompt Injection vulnerabilities across various APIs, the security tool can “learn” that this seed is highly effective and prioritize using it for future scans on similar targets.
This dynamic approach can find novel vulnerabilities that a static word list could never anticipate by generating payloads in real time based on the application’s responses.
Let’s look at <seed 5684> with corresponding <payload B!>. The API Scanner sees the target API as a “black box”. It doesn’t need to understand the underlying logic of the API. It sends a series of requests (some with clean data, and some with the mutated, seeded payloads) and it analyzes the responses from the server, looking for anomalies.
The key to detection is response comparison. A clean request should yield a predictable response, while a malicious or fuzzed request might trigger an unexpected change. This could manifest as:
The system flags these changes and presents them. This simple, response-based logic allows the tool to be highly effective and accurate without needing a deep understanding of the API’s internal workings. The engine takes this a step further by attempting to actually exploit the vulnerability, which reduces false positives and provides high-fidelity, actionable findings.
API security is moving away from static, reactive methods and towards a proactive, intelligent, and scalable model. Concepts like the seed number and mutation-based fuzzing, which can generate a virtually limitless attack surface to test against, help ensure that a security posture is as dynamic as the threats that organizations face.
We can’t afford to only test for what is considered the norm. A truly effective security tool must go out of its way to find hidden parameters, unconventional routes, and unexpected states that would otherwise go unnoticed by most scanners.
Try out our new API Scanner with dynamic fuzzing to see it in action. Book a demo here.
Q: What is the main problem with traditional API security scanners? A: One of the main problems is their reliance on static, finite word lists of known payloads, which makes them ineffective against new, mutated payloads that attackers are constantly developing.
Q: How does a seed number help with API fuzzing? A: A seed number deterministically generates a specific, reproducible unique set of payloads from a much smaller list, allowing for manageable and repeatable scans without needing to store a massive word list. This is why the new API scanner is able to achieve massive scale while ensuring reproducible results.
Q: What does Detectify look for to detect a vulnerability? A: It looks for anomalies in the server’s response after a fuzzed request, such as a 500 Internal Server Error, a 403 Forbidden status, or unexpected changes in the response content, compared to a clean request.
The post Infinite payloads? The future of API Testing with dynamic fuzzing appeared first on Blog Detectify.
