Technology

• Security researchers find multiple vulnerabilities in different tunneling protocols
• The bugs allowed threat actors to mount DoS attacks, and more
• The majority of vulnerable endpoints were in China

Millions of VPN servers, home routers, and other internet hosts could be carrying multiple vulnerabilities which could allow threat actors to perform anonymous attacks and could grant them access to private networks, experts have warned.

New research from Mathy Vanhoef, a professor at the KU Leuven university in Belgium, PhD student Angelos Beitis, and Top10VPN discovered the vulnerabilities in multiple tunneling protocols: IPIP/IP6IP6, GRE/GRE6, 4in6 and 6in4, and were given these identifiers: CVE-2024-7595, CVE-2025-23018, CVE-2025-23019 and CVE-2024-7596.

VPN tunneling protocols are methods used to securely transmit data between a user's device and a VPN server by encapsulating it within an encrypted tunnel. Common protocols include PPTP, L2TP/IPsec, OpenVPN, and WireGuard, each offering varying levels of speed, security, and compatibility.

Millions of potential victims

The vulnerable ones primarily function to encapsulate one type of IP packet (IPv4 or IPv6) within another for network routing purposes. Unlike VPN-specific protocols, these are generally used for network transport rather than encryption or secure communication.

The research argues the misconfigured systems accept tunneling packets without confirming the identity of the sender, making it, "trivial to inject traffic into the vulnerable protocols’ tunnels."

A malicious actor could send a packet encapsulated using one of the affected protocols with two IP headers, in which the outer header contains the attackers’ source IP with the vulnerable host’s IP as the destination. The inner header’s source IP is that of the vulnerable host IP, while the destination IP is of the target.

So, when the vulnerable host receives the packet, it strips the outer IP header and forwards the inner packet to its destination, paving the way for the creation of a one-way proxy, and abusing the bug to run DoS attacks, DNS spoofing, and more.

The researcher said they scanned the internet for vulnerable hosts and found 4.26 million, including various VPN servers, ISP-provided home routers, core internet routers, mobile network gateways and nodes, and CDN nodes, most of which were located in China.

“All vulnerable hosts can be hijacked to perform anonymous attacks, as the outer packet headers containing an attacker’s real IP address are stripped. These attacks are easily traceable to the compromised host, however, which can then be secured,” the researchers explained.

“Spoofing-capable hosts can have ANY IP address as the source address in the inner packet, so not only does an attacker remain anonymous, but the compromised host also becomes much harder to discover and secure,” they added.

You might also like

• Which VPN protocols aren't safe anymore?
• Here's a list of the best antivirus tools on offer
• These are the best endpoint protection tools right now

This is the best cheap network amplifier you can buy right now.

• Zoom Team Chat is now smarter with AI Companion integration
• The AI upgrades are free of charge for paying customers
• Zoom Chat also has improvements for developers

In its effort to become the go-to “AI-first work platform for human connection” – a term coined by the company in its Zoom 2.0 rebranding in November 2024 – Zoom has introduced a series of new AI tools to its Team Chats.

The redesigned Team Chat sidebar includes new organization functions like drag-and-drop tab arrangement, advanced sorting and filtering.

Key to the updated Team Chat sidebar are the new AI Companion enhancements, which include conversation summarization in select chats and channels, action item identification and information retrieval through an improve search feature.

Zoom overhauls its Team Chat sidebar with AI

“With Zoom Team Chat, you can do cross-product work and be more productive with Zoom Workplace’s AI-first products like Zoom Docs, Zoom Meetings, and Zoom Whiteboard," Zoom CPO Smita Hashim commented.

In a bid to cater to its developer users, Zoom has also added code block and in-line code support to help users format and share code from within the application.

“Our new Team Chat sidebar design takes this to the next level by empowering users to collaborate smarter and customize their workspace to fit their preferred workflow," added Hashim.

"With AI Companion… users can triage and track their messages more easily, saving time and allowing them to focus on what matters most.”

The redesigned sidebar and AI Companion are available to paying Zoom Workplace subscribers for no additional charge.

The new changes are part of CEO Eric Yuan’s plan to make Zoom 2.0 a “fully customizable digital twin” that can save employees an entire working day each week in unproductive time.

You might also like

• We’ve listed the best online collaboration tools
• Remember what Zoom used to be known for? It was one of the best video conferencing tools
• Google Workspace opens up Gemini for all - but you'll have to pay more

The “severance procedure” isn't real—but some of Severance’s ideas aren’t as out-there as you may think.

• Two unannounced live service games have been canceled by Sony
• This was confirmed by a company spokesperson
• They were in development at Bend Studio and Bluepoint Games

Sony has canceled two unannounced live service games.

According to Bloomberg, a Sony spokesperson confirmed that they were canceled "following a recent review”. They were in development at two PlayStation studios, Bend Studio and Bluepoint Games.

Bend Studio is known for developing PlayStation exclusives, most recently Days Gone. Bluepoint Games usually specializes in comprehensive remasters or remakes, such as the PlayStation 5 release of Demon’s Souls as well as the PlayStation 4 version of Shadow of the Colossus.

Although the games have been canceled, neither studio will be shut down. “Bend and Bluepoint are highly accomplished teams who are valued members of the PlayStation Studios family,” the spokesperson continued. “We are working closely with each studio to determine what are the next projects.”

Sony also specified that it intends to “do everything we can to ensure there is minimal business impact,” though it’s not clear whether this will involve some job cuts. Bluepoint Games was reportedly working on a live service God of War title, likely similar in scope to the The Last of Us Online game developer Naughty Dog that was cancelled in December 2023.

These two unannounced games were part of a wider push by Sony to invest in live-service tiles, which can be very successful. The likes of Fortnite or Destiny 2 provide a constant revenue stream and can keep players engaged for years via frequent content updates. That said, an extremely crowded market makes putting out a new live service a very risky endeavor.

Last year Sony launched Helldivers 2, which sold well and is the perfect example of a live-service hit. On the opposite end of the spectrum we also saw the high-budget Concord struggle to make much of an impact, with disastrous sales that led to its shutdown just two weeks after it launched. It seems safe to assume that these cancellations are measures to try and avoid a similar disaster.

You might also like...

• PS6: when can we expect the PlayStation 6 and what do we want to see?
• Watch out, this convincing Steam scam could risk your entire game library
• Yes, the Nintendo Switch 2 is really called that, but I was hoping for a more exciting name

• A vulnerability in Microsoft Outlook allowed threat actors to distribute malware via email
• The bug abuses the Windows Object Linking and Embedding function
• A patch is already available, and users are advised to apply it ASAP

Microsoft has released a patch for a critical vulnerability that allowed threat actors to distribute malware through its Outlook email client - and given the severity of the flaw, users are advised to install the patch immediately.

In a security advisory, Microsoft detailed CVE-2025-21298, a use-after-free vulnerability with a severity score of 9.8/10 (critical). Use after free is a vulnerability in which threat actors are able to use previously freed memory, which allows them to corrupt valid data, or in this scenario - distributing malware remotely.

Located in the Windows Object Linking and Embedding (OLE) function, the bug means simply viewing a malicious email in the preview pane is enough to have the endpoint infected with malware. Windows OLE is a technology that allows embedding and linking to documents and other objects. For example, users could embed an Excel chart into a Word document, and updates in the Excel file will reflect in the Word document, if linked.

Specially crafted emails

“In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim,” Microsoft explained in the advisory.

“Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim's Outlook application displaying a preview of a specially crafted email . This could result in the attacker executing remote code on the victim's machine.”

For those that cannot apply the patch immediately, Microsoft suggests a number of mitigations, including viewing emails as plain text and, in large LAN networks, restricting NTLM traffic, or disabling it altogether. Viewing emails as plain text means other multimedia, such as images, animations, or different fonts, will not be displayed.

It’s worth the trouble, though, since the malware sent this way can cause severe business disruptions, loss of customers, and possibly even regulatory fines.

Via NotebookCheck

You might also like

• This new malware campaign can hijack your Gmail or Outlook email account
• Here's a list of the best antivirus tools on offer
• These are the best endpoint protection tools right now

• The Samsung Galaxy S26 series could use silicon-carbon batteries
• That should allow for a 10-15% increase in capacity
• The Samsung Galaxy S26 Ultra then could have a battery of up to around 5,750mAh

The Samsung Galaxy S25 series is almost here, but reports suggest their batteries won’t be any bigger than last year’s phones. So, if you’re hoping for improved battery life, you might want to wait for the Samsung Galaxy S26 series, which could have much bigger batteries.

According to @Jukanlosreve – citing leaker @UniverseIce – the Samsung Galaxy S26 series will use silicon-carbon batteries. This kind of battery has only recently started making its way into phones, with the likes of the OnePlus 13, Honor Magic 7 Pro, and Xiaomi 15 Pro already having silicon-carbon batteries.

Those three phones have much larger batteries than most handsets, at 6,000mAh, 5,850mAh, and 6,100mAh respectively, and that’s no coincidence, as this kind of battery allows for around 10-15% higher energy density, so a higher capacity battery can take up the same amount of space.

Update: The S26 will use a silicon-carbon battery.Source: Ice Universe, Undead Weibo. https://t.co/6KBDQlNvFWJanuary 16, 2025

Up to around 5,750mAh

The source doesn’t say what capacities we can expect from the batteries in the Samsung Galaxy S26 series, but for reference, the Samsung Galaxy S24 has a 4,000mAh battery, the Samsung Galaxy S24 Plus has a 4,900mAh one, and the Samsung Galaxy S24 Ultra has a 5,000mAh battery. We’re expecting the same from the Samsung Galaxy S25 series.

So, assuming an increase of 10-15%, we might be looking at somewhere between 4,400mAh and 4,600mAh for the Samsung Galaxy S26, between 5,390mAh and 5,635mAh for the Galaxy S26 Plus, and between 5,500mAh and 5,750mAh for the Samsung Galaxy S26 Ultra.

Those are big enough increases that these phones could last substantially longer between charges than current Galaxy S models, so if battery life is a priority for you, they might be worth waiting for.

Of course, this is just a rumor for now, and a very early one at that, so even though the source is reputable we wouldn’t count on it happening.

Plus, while rumors suggest the battery capacities in the Samsung Galaxy S25 line won’t be higher than in the S24 series, we won’t be certain of that until these phones launch on January 22. And even if there’s no change in capacity, they might still offer improved life through software optimizations.

So, you might not actually have to wait until 2026 for a longer-lasting Samsung smartphone, but in any case, we’ll have a clearer idea soon.

You might also like

• This could be our best look yet at the Samsung Galaxy S25 series
• These new Samsung Galaxy S25 Slim renders look great, but the phone's key selling point could also be its downfall
• Samsung Galaxy S25 price rumors: how much is the S25 line likely to cost?

Cue the theme songs for Stranger Things, The Last of Us, Andor and more this year.

Alignments of five or more planets are rare—there will be two more featuring five or more planets this year, but after that the next won’t happen until 2040.

• Motorola has announced refreshes for its Moto G and Moto G Power budget phones
• The new handsets aim to bring an enhanced entertainment experience, with large displays and 5000mAh batteries
• The Moto G launches on January 30, while the Moto G Power launches on February 6

Motorola has released the newly refreshed Moto G and Moto G Power budget smartphones, bringing flagship-level features to highly affordable handsets.

Both phones are refreshes of existing models, but in both cases they bring a number of high-quality features at very low price points – in fact, the new Moto G costs just a few cents more than a quarter of the price of a new iPhone 16.

The new Moto G features a 6.7-inch display with a 120Hz refresh rate and 1000 nits of maximum brightness, protected by Corning Gorilla Glass 3. The phone sports a water-resistant design (no IP rating given yet) that resembles the previous generation Moto G.

As for internals, the phone comes with a MediaTek Dimensity 6300 chipset, a midrange platform that can also be found powering budget phones from Oppo and TCL. The Moto G comes equipped with a 50MP main camera and a 2MP macro camera, too.

The new Moto G (pictured) features a 5000mAh battery (Image credit: Motorola )

The Moto G Power is a slightly upgraded version of the Moto G, with a few choice improvements. The display is bumped up from 6.7 inches to a 6.8-inch panel, and the phone has received dual IP68 and IP69 ratings, offering complete dust and water protection. It packs the same MediaTek Dimensity 6300 processor as its smaller sibling.

Furthermore, the Moto G Power is rated at the MIL-STD-810H certification for durability, offering extended protection against extreme temperatures and drops of more than three feet.

Additionally, the Moto G Power gets an 8MP ultra-wide camera alongside the 50MP main and 2MP macro cameras found on the standard Moto G.

Both phones have the same 5000mAh battery capacity, with support for 30W wired charging (the Moto G Power gets 15W wireless charging, too). Additionally, both phones have had their speaker systems retooled, with support for Dolby Atmos and hi-res audio, as well as a proprietary bass boost technology, and both offer support for 5G connectivity.

The Moto G will launch on January 30 at a retail price of $199. The Moto G Power will launch on February 6 for $299. We've reached out to Motorola to check on UK and Australia pricing and availability and will update this article in due course.

If you can’t wait until the new Moto G phones release, be sure to check out our lists of the best Motorola phones and the best cheap phones.

You might also like

• If the iPhone 17 gets this rumored Face ID upgrade, I'll never call Apple unoriginal again
• The iPhone 17 Air and Samsung Galaxy S25 Slim could both come with one main drawback
• Crack your Galaxy phone display? The fix might cost you nothing if you subscribe to this Samsung service

The China-controled EV brand has been losing tens of thousands of dollars on every car sold. With a US ban on Chinese car sales looming, the company needs to quickly turn things around.

• The Connectivity Standards Alliance teased an update to the Zigbee protocol
• The update will let Zigbee devices like Hue lights work as occupancy sensors
• We don't yet have a timeline for when the feature might be rolled out

Your Philips Hue lights could soon get a lot smarter thanks to a free firmware update that would let them do double-duty as occupancy sensors. It involves an update to the Zigbee wireless protocol, and could allow your bulbs and lamps to detect your presence without the need for any extra hardware.

When you connect your smart lights, switches and other devices to a Philips Hue Bridge, it creates a mesh network using the Zigbee protocol. This allows all the devices to communicate with the Bridge and one another, and receive over-the-air (OTA) firmware updates to fix bugs and add new features.

This week, the Connectivity Standards Alliance (CSA), the organization behind Zigbee, announced a new feature called Ambient Sensing that will let Zigbee devices like Hue lights sense whether you're home without any extra hardware. It will be available for both new and legacy devices, and will be rolled out via an OTA update.

In a short video, the CSA explained that Ambient Sensing will "unlock new user experiences such as autonomous lighting control and home security, all while enjoying the privacy of running 100% locally without adding occupancy sensors in every room."

When is it coming?

As Mike Robinson of TechCrawlr explains, it's still early days for Ambient Sensing. The CSA hasn't offered a timeline for when it will roll out, and Signify (the company behind Philips Hue) hasn't given any indication of whether it'll be available for Hue bulbs and lamps. Nevertheless, it seems like a natural addition to the Hue system, and could even replace the Philips Hue Intelligent Indoor Motion Sensor.

Fabian of Hueblog.com (a reliable source of early information on Philips Hue) claims to have insider information on the subject, including some details of requirements for Ambient Sensing.

"According to the information available to me, the Philips Hue function requires at least three light sources in a room, which must be placed at a certain distance and in a suitable shape," Fabian says. "A permanent power supply to the light sources is of course essential. It should also be possible to set the intensity of the motion detection."

Signify already has some interesting plans for the coming year, including an AI assistant that will create custom lighting scenes for you using voice commands, but this sounds like a more practical, and potentially more useful feature. I'll keep my ear to the ground for more news and keep you updated as soon as I know more.

You might also like

• Forget AI, there's only one thing I want from Philips Hue this year
• The Philips Hue app is getting a big upgrade this year, with a new generative AI assistant
• New 24-hour scenes for your Philips Hue lights will set the mood all day long