Feed aggregator

• Security outfit Wallarm spotted a PoC in the wild
• The method abuses a deserialization flaw in Apache Tomcat
• It allows attackers to fully take over vulnerable endpoints

A deserialization vulnerability on Apache Tomcat servers is being abused in the wild to completely take over affected endpoints, security researchers are warning.

Wallarm has revealed it saw a Chinese forum user, alias iSee857, share a proof-of-concept (PoC) for a flaw tracked as CVE-2025-24813, warning threat actors only need one PUT API request to take over the vulnerable server. The request is used to upload a malicious serialized Java session, which then allows the attacker to trigger deserialization by referencing the malicious session ID in a GET request.

“Tomcat, seeing this session ID, retrieves the stored file, deserializes it, and executes the embedded Java code, granting full remote access to the attacker,” Wallarm explained.

Dead simple

The researchers added that the attack is “dead simple” to execute, and requires no authentication. The only requirement is that Tomcat is using file-based session storage which, according to the researchers, is “common in many deployments”. Furthermore, base64 encoding means the attack will bypass most traditional security filters.

Most web application firewalls (WAF) “completely miss” this attack, Wallarm further warned, since the PUT request looks normal, the payload is base64-encoded, the attack is two-step, where the harmful only happens in the second step, and since most WAFs don’t deeply inspect uploaded files.

“This means that by the time an organization detects the breach in its logs, it’s already too late.”

The worst part, Wallarm concluded, is that “this is just the first wave,” as it expects threat actors to start uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage.

It was not yet assigned a severity score, and as per the NVD, it affects Apache Tomcat from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, and from 9.0.0.M1 through 9.0.98.

Users are advised to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.

You might also like

• These vulnerabilities in Apache HTTP Server enable HTTP Request Smuggling and SSL Authentication Bypass
• We've rounded up the best password managers
• Take a look at our guide to the best authenticator app

• Google Messages could get WhatsApp-style mentions
• An overhauled preferences menu also suggests an app redesign could be in the works
• Neither the new feature or redesign has been officially confirmed

Google Messages could finally be getting a seriously useful feature for group chats, as well as an overhauled design, if newly discovered code makes it to release.

In an APK teardown (which is a look at upcoming and unreleased code in future Android updates) the team at Android Authority uncovered a new mentions feature for Google Messages group chats.

A mentions feature typically allows users to tag others in group chats by placing an @ symbol before their name, similar to social media platforms and other messaging services like WhatsApp and Telegram.

Tagging a user then sends them a direct notification, making it much easier to speak directly to an individual or group of people within a wider group chat.

However, as the report notes, the unreleased code doesn’t actually include directions for how Google Messages mentions will actually work, so this is an educated guess based on other implementations on other apps.

Google Messages has steadily been improved over the last few months to add more modern features, such as upgraded media quality, individual read receipts, and unsending messages. As the default messaging app on many of the best Android phones, it’s one of the most commonly used messaging apps worldwide.

But as a separate Android Authority APK teardown notes, we might be getting more than new features in Google Messages’ near future, as further unreleased code hints at an Android 16-inspired redesign.

This second APK teardown enabled the activation of a redesigned Preferences screen, sporting a simplified look that reflects the wider Android 16 UI, which suggests a redesign for the rest of the app is either on the way or being considered.

Of course, Google is under no obligation to actually implement any of this unreleased code, and things may change before release.

Personally, I’m starting to root for Google Messages as a legitimate rival to third-party messaging services like WhatsApp and Apple’s own Messages app. The slew of new features we’ve gotten over the past few years has transformed Google Messages from a backup option to an overall impressive experience.

What do you make of these possible updates? Are you keen to see Google Messages get a redesign? Let us know in the comments.

You might also like

• New rumors predict a foldable iPhone will launch next year – and cost almost twice as much as the iPhone 16 Pro Max
• From iPhone to Android and (almost) back again – the iPhone 16e failed to lure me back to iOS
• iPhone 16e vs iPhone 15: which is the real bargain?

Commentary: Apple's iPhone 17 cameras need to impress when the phone launches later this year. This is how they can.

We’ve tested every Apple Watch and rounded up our picks for every need and every budget.

• Apple's rumored 18.8-inch foldable might run macOS
• It's also now tipped to launch in 2027
• It could rely on big changes coming in macOS 16

While many of its rivals – Samsung, Google, OnePlus, and more – have started to release foldables, Apple has been noticeably absent. New leaks, however, are teasing it’s not just working on a bendy iPhone but a folding iPad too that is tipped to run macOS.

We reported yesterday (March 17) on the most recent foldable iPhone rumors. It could launch in 2026 but it may be pretty darn pricey, with a starting price of $2,300 (around £1,750 / AU$3,600) – for that kind of money we’re expecting an invisible crease and a self-healing screen.

Today we want to instead focus on Apple’s rumored 18.8-inch foldable which is said to be an iPad-MacBook hybrid. Previously it wasn't expected to launch until 2028, but a new report from Analyst Jeff Pu (via MacRumors) now suggests the foldable will begin production in late 2026 ahead of a 2027 release.

Beyond teasing an earlier release than we expected, Pu adds that the hybrid will lean more towards its MacBook side – saying he believes the foldable will run MacOS instead of iPadOS. This ties into comments made by Bloomberg’s Mark Gurman (behind a paywall) that design changes are coming to iOS 19 and macOS 16 to better support foldables and touch-screen computers.

(Image credit: Apple)

For now, however, this report should be taken with a pinch of salt. While Jeff Pu is an analyst with a fairly solid track record, his macOS guess is just that: a guess. He doesn’t cite an insider’s leak and instead references a Wall Street Journal report (paywalled) which describes the foldable as being like a laptop but doesn’t directly confirm it runs on macOS.

That said, it wouldn’t be the first time the large foldable has been associated with macOS.

Back in December last year, we reported on rumors the device would be able to run macOS apps – though then it was said the device would run a souped-up version of iPadOS capable of running both operating systems' apps.

Even if it doesn’t end up running macOS proper, it sounds like Apple is gearing up to launch some kind of touchscreen laptop-like device which certainly has its appeal though some major questions remain like the device’s cost and specs. If the foldable iPhone is $2,300, expect this larger display to be a lot more expensive when it launches.

You might also like

• We're apparently another step towards a folding iPhone
• The rumored foldable iPhone could save a stagnant folding phone market
• Here's how big the two displays on the foldable iPhone could be

Womanizer stuffs its famous Pleasure Air technology into a vibrator, delivering a winning combo.

Manchester, New Hampshire, might not have a wide selection of internet providers, but the available options offer reliable speeds and solid coverage. Here are CNET’s top picks for the best internet service in the area.

Nothing ruins a great night of sleep faster than getting too hot. We slept on a myriad of cooling mattresses to find which ones drew the heat away best.

Welcome to our live coverage of Nvidia GTC 2025!

Today sees the opening keynote from Nvidia CEO Jensen Huang, who is set to unveil a host of new hardware and AI tools - along with a few surprises, no doubt.

The keynote is set to start shortly - so stay tuned for all the updates as they happen.

Good morning and welcome to our live coverage of the Nvidia GTC 2025 keynote!

We're super excited to see what Nvidia has in store for us today, with company CEO and founder Jensen Huang set to take to the stage in a few hours time.

We're not far off the opening keynote at Nvidia GTC 2025 now, so what can we expect?

Last year's keynote saw the reveal of Blackwell, the company's new generation of GPUs, and we're expecting another major hardware update today.

(Image credit: Future / Mike Moore)

The company also unveiled a host of new data center hardware, and we're expecting more data center, server and workstation news today for sure.

But there was also a big focus on robotics, particularly in factories, and the role AI can play there, so it may well be we see more of the same today.

If you want to watch along with the keynote, you'll need to head to the Nvidia GTC 2025 website, where you can sign up.

You've not got long though - Jensen Huang will be on stage in just a few hours time!

(Image credit: Nvidia)

Less than half an hour to go! Get some snacks and energy drinks ready, this could be a long one...

Also, make sure to keep an eye out for Jensen Huang's leather jacket - the Nvidia CEO is always snappily-dressed, and jacket-watch has become a popular trend for us media types - it's important to look good when you're presenting the future of AI, you know...

(Image credit: Nvidia)

Here we go! The lights go down and it's time for the keynote to begin...

"This is how intelligence is made - this is a whole new factory," an intro video outlining "endless possibilities" notes.

We're shown a number of possible use cases for the future of AI, from weather forecasting to space exploration to curing disease - all powered by tokens.

(Image credit: Nvidia)

"Together, we take the next great leap," the video ends, showing a view of Nvidia's futuristic San Jose HQ.

The video ends, and we welcome Jensen Huang, CEO and co-founder of Nvidia, to the stage.

"What an amazing year...we have a lot of amazing things to talk about" he declares, ushering us in to the virtual Nvidia HQ via virtual reality.

Huang admits he's doing this keynote without a script - brave!

(Image credit: Nvidia)

Huang starts by commemorating 25 years of GeForce - a huge lifespan for any technology - holding up one of the newest Blackwell GPUs.

"AI has now come back to revolutionize computer graPhics," he declares, showing us a stunning real-time generated AI video backdrop.

(Image credit: Nvidia)

Sunrise on the Reaping recounts the 50th annual Hunger Games, telling the story of Haymitch Abernathy. It's themes and events conjure images of today's U.S. political climate.

• Nintendo could be developing a new GameCube controller for the Switch 2
• New evidence has appeared in the form of a new FCC filing with new details related to the GameCube
• The "game controller" will feature wireless Bluetooth

Fresh evidence that a new GameCube controller is in development for the Nintendo Switch 2 has been spotted online.

It comes from a recently published FCC filing by Nintendo (spotted by NintendoLife) which shows that a new "game controller" is in the works.

This piece of hardware has a model number prefix of "BEE" which matches the Switch 2 and will be a "wireless Bluetooth controller", meaning it won't require a cable slot in the console, unlike the original GameCube pad.

Thanks to some Nintendo fans on Famiboards, it also appears that one of the attached images on the filing shows an etched label that matches the back of the GameCube controller.

However, it doesn't have NFC support, a feature included on the original Switch Pro Controller and Joy-Cons, meaning it likely won't be a Switch 2 Pro Controller.

It's unclear at this stage if this potential GameCube controller will be a re-release or a completely new model, but since it has Bluetooth capabilities, it's speculated that it could have a link to Nintendo Switch Online.

Rumors of a new wave of GameCube controllers started last year after a dataminer shared component shipment details for what they believed to be for the Switch 2.

The Nintendo Switch successor doesn't have a release date yet, but it's expected to launch in 2025. A Nintendo Direct Showcase is scheduled for April 2, which should hopefully provide us with a launch date and a new look at the hardware.

You might also like...

• The best Nintendo Switch games to play in 2025
• Nintendo Switch 2 Direct - five things I want to see
• New leak seemingly gives us a final look at the Nintendo Switch 2 dock

• Jason Blundell has announced that he is leading a new PlayStation studio
• It's called Dark Outlaw Games and is currently working on an unannounced project
• It follows his time and Treyarch and the defunct Deviation Games

Jason Blundell, who worked at Call of Duty studio Treyarch for over a decade, has announced that he's helming a new first-party PlayStation studio.

The new studio, called Dark Outlaw Games, is something of a successor to Deviation Games - which he co-founded with Sony in 2021 after leaving Treyarch the previous year.

As explained by Eurogamer, Deviation Games ran into trouble in 2023 which led to significant layoffs and its eventual closure in March last year. Dark Outlaw Games is reportedly comprised of many former Deviation Games staff.

Speaking in a new interview with presenter Jeff Gerstmann, Blundell said that he's "had the amazing opportunity to create a new studio within PlayStation Studios for Sony." He revealed that it is called "Dark Outlaw Games" and stated that it has "been working away in the shadows for a while" on an unannounced project.

He also said that "when we've got something to talk about, we'll step out into the light."

I wouldn't expect any major news any time soon, however, as Blundell went on to characterize the studio's current activities as "staffing up" and "keeping it kind of lowkey" - which would suggest that it is still in its very early stages.

Given Blundell's history at Treyarch, where he mainly led the Zombies component of Call of Duty games, it might seem reasonably to expect this mysterious project to be some kind of supernatural co-op shooter, but it's still far too early to say. We'll be keeping an eye out for further updates.

You might also like...

• MercurySteam CEO discusses upcoming new IP Blades of Fire: 'We love third person action adventure games and we wanted to revisit the genre'
• I was already sold on Atelier Yumia as an RPG, but I wasn’t expecting it to have my favorite crafting system in all of gaming
• Clair Obscur: Expedition 33 blends Western gaming sensibilities with JRPG panache in 2025’s weirdest role-playing game

Ellen Pompeo leads the series in her first starring role since leaving Grey's Anatomy.

Don't overpay for internet speeds you won't use. Here are our best cheap internet picks for older adults.

The V13 is InMotion's largest and fastest EUC, and it certainly lives up to expectations.

If you live in the US, you can now measure your online data exposure for free.

ExpressVPN, one of the best VPN providers on the market, recently launched a data scanner tool – completely free of charge.

Knowing which personal details have been exposed and, most importantly, who holds them is the first step to regaining control over your digital privacy. Even better, you won't even need to spend a penny to find out. Keep reading as I walk you through everything you need to know.

The dark side of data exposure

Every time you sign up for a new online service, use a mobile app, or access a website, you leave behind a trail of personal data.

Service providers collect this data and often sell it online to third parties without your consent. Recent research conducted by Surfshark, for example, found that 80% of the most popular fitness apps are selling your privacy by sharing users' tracked data with third parties.

Data brokers mostly collect this data – such as your date of birth, gender, home address, and phone number – to create a detailed profile about your digital persona that they can use to serve you with targeted ads.

(Image credit: ExpressVPN)

Cybercriminals can also get hold of these sensitive details, leaving you vulnerable to spam, online scams, and even identity theft.

The data broker industry is pretty unregulated in the US due to a lack of federal data protection laws like those in place in Europe or some US States like California, Virginia, and Colorado.

People-search sites are common in the US, too, allowing virtually anyone to look up information about individuals, including names, email addresses, social media profiles, and sometimes even financial or employment information.

How to use ExpressVPN's data exposure scan

Using ExpressVPN's data exposure scan couldn't be simpler. All you need to do is head to the ExpressVPN website and enter your personal information.

On its side, the VPN provider promises to keep your data safe per its privacy policy.

As mentioned earlier, there's no need for you to open an account or enter any payment details. Living in the US is the only requirement for using it.

(Image credit: Future)

Once you have estimated your online data exposure level, you have a few options to take back control over your privacy.

You could ask for your personal information to be taken down from these sites yourself. Beware, though, this may be a very time-consuming and complex process.

Another option is signing up for a data removal service that will handle this for you by automating data removal requests.

If that's something you'd like to explore, I recommend subscribing to ExpressVPN's two-year plan, as it now includes an Identity Defender Suite alongside its tried and tested virtual private network (VPN) tool, starting from the equivalent of $4.99 a month. Beyond the data removal service, you'll also benefit from the ID Theft and ID Alerts monitoring tools.

Don’t succumb to the chaos. Fire up Chrome’s bookmarks sidebar and bring some order to the noisy online world.

A new study finds that after decades of stagnation, fast-food and other restaurants finally saw a surge in productivity.

• The ESRB has published a content summary for Silent Hill f
• The horror game will unsurprisingly have a 'Mature 17+' rating in the US
• The summary details gruesome imagery and acts of violence

Silent Hill f has received an ESRB rating, and while that alone won't shock you, its lengthy and graphic content warnings might.

As reported by IGN, the Entertainment Software Rating Board - which handles game age rating and content warnings in the US - has assigned Silent Hill f a 'Mature 17+' age rating.

By itself that's not too surprising, but a glance at the rating summary reveals more. Fair warning, if you're particularly squeamish (or eating your lunch) you'll probably want to click away now.

"This is a survival-horror action game in which players assume the role of a student confronting supernatural entities in a 1960s Japanese mountain town," the summary begins. "From a third-person perspective, players explore the town, solve puzzles, interact with characters, and battle enemy creatures (e.g., humanoid monsters, mutants, mythical creatures)." Yep, that all checks out so far.

"Players use axes, crowbars, knives, and spears to defend against and kill enemy creatures in melee-style combat. Blood-splatter effects occur frequently as characters are attacked; several areas depict large bloodstains in the environment and near corpses." Again, all sounding distinctly Silent Hill up to this point.

"Some enemy attacks can result in players' character getting impaled in the neck and/or getting their faces ripped apart.

"Cutscenes sometimes depict gore and more intense acts of violence: a character burned alive inside a cage; a woman branded by a hot iron; entrails and sinew displayed on serving platters in fantastical celebration/ceremony; a character sawing off her own arm; a character slicing off portions of a character's face during a ritual.

"Concept art depicts a nude mannequin-like character, with exposed buttocks and partially exposed breasts; the character appears in a creature-like form throughout the game."

Other than sounding like your average night out in Torquay, it's certainly pretty gruesome even by Mature 17+ standards. In fact, Japan's Computer Entertainment Rating Organization has given Silent Hill f a 'CERO Z' rating. That's for players aged 18 and over, a first for the series, and is the highest possible age rating a game can receive in the country.

We don't yet have a release date for Silent Hill f, but you can wishlist the game now on PS5, Xbox Series X, Xbox Series S and PC via Steam and the Epic Games Store. You can also catch up on the Silent Hill f Transmission broadcast from last week to learn more about the game.

You might also like...

• I reckon the Nintendo Switch 2 could launch with Metroid Prime 4 – here’s why
• I didn't know an SSD could be cute until I saw Seagate's new Genshin Impact limited edition
• Knights of the Old Republic remake developer Saber Interactive states all its projects are 'still in development'

• Users who factory-reset can now get back up and running
• A new Google Home update enables affected devices to be restored
• This bug was first widely reported last week

It seems as though the saga of the Chromecast untrusted device bug is finally drawing to a close: Google has now pushed out an additional fix for those users who factory-reset their devices as a way of troubleshooting the problem.

As per a forum post and an email seen by 9to5Google, the solution is to update the Google Home app on Android or iOS. That should then allow you to set up affected Chromecasts from scratch again – something which hadn't previously been possible.

This all started last week, when owners of the 2nd-gen Chromecast and Chromecast Audio devices – both launched in 2015 – started seeing 'untrusted device' messages. The issue was, apparently, something to do with expired security certification.

While it investigated, Google advised users against factory-resetting broken devices, as they wouldn't be able to set them up again – though by that time, plenty of people had done exactly that in an attempt to get everything working again.

Find your fix

The Chromecast Audio has also been hit (Image credit: Future)

As far as Google is concerned, the problem is now resolved. If you didn't factory-reset your Chromecast device then it should be working again, thanks to an update that was rolled out a few days ago. If not, try updating the device firmware.

If you did run a factory reset and have since been unable to get your Chromecast up and running, check for the latest version of Google Home on your phone – the version you're looking for is 3.30.1.6 for Android or 3.30.106 for iOS.

Once you've got the app update (it may take a few days to reach everyone), start the setup process from the beginning: Open the Devices tab, tap the Add button, then follow the instructions on screen for your Chromecast.

You should then be up and running again. "We sincerely apologize for this disruption and any inconvenience it may have caused, and we are committed to ensuring all users are back up and running as quickly as possible," says Google.

You might also like

• Chromecasts are getting a free update to Android 14
• Everything you need to know about the Google TV Streamer
• Google has stopped selling the Chromecast with Google TV