Top stories.
- SolarWinds patches critical RCE flaws.
- Conduent data breach impacted more than 25 million Americans.
- Ukrainian national gets five years in a US prison for role in North Korean laptop farm scheme.
SolarWinds patches critical RCE flaws.
SolarWinds has patched four critical vulnerabilities affecting its Serv-U file transfer software, BleepingComputer reports. The flaws, each of which has a severity score of 9.1, could allow attackers to achieve remote code execution as root. The most serious of the flaws is CVE-2025-40538, a broken access control vulnerability that "gives an attacker the ability to create a system admin user and execute arbitrary code as root via domain admin or group admin privileges."
All four vulnerabilities require attackers to have obtained elevated access, limiting exploitation to scenarios involving stolen credentials or chained privilege escalation. Users are urged to apply the patches promptly.
Conduent data breach impacted more than 25 million Americans.
A January 2025 data breach affecting business services giant Conduent compromised personal information belonging to more than 25 million Americans, TechCrunch reports. The breach, which was claimed by the SafePay ransomware gang, involved names, dates of birth, addresses, Social Security numbers, health insurance information, and medical data. The majority of the affected individuals were recipients of government services in Texas (15.4 million people) and Oregon (10.5 million), with several hundred thousand across Massachusetts, New Hampshire, and Washington.
Conduent has said little publicly about the breach and has been notifying individuals directly. A Conduent spokesperson declined to tell TechCrunch how many breach notifications the company has sent.
Ukrainian national gets five years in a US prison for role in North Korean laptop farm scheme.
A US District Court has sentenced a 29-year-old Ukrainian man, Oleksandr Didenko, to five years in prison for assisting in North Korean employment fraud operations, SecurityWeek reports. Didenko pleaded guilty to wire fraud conspiracy and aggravated identity theft and has agreed to forfeit more than $1.4 million.
The US Justice Department stated, "According to court documents, Didenko ran a website using a U.S.-based domain, 'Upworksell.com,' designed to help overseas IT workers buy or rent stolen identities. Beginning in 2021, the IT workers used the identities to get hired on online freelance work platforms based in California and Pennsylvania. The work platforms allowed users to advertise themselves as contract gig workers, create free accounts, advertise their skills, and bid on IT work contracts. Didenko paid individuals in the United States to receive and host computers at residences in Virginia, Tennessee, and California. Through his company, Didenko managed as many as 871 proxy identities and facilitated the operation of at least three U.S.-based 'laptop farms.'"