Threat of Year 2036/2038 vulnerabilities detailed

Internet of Things (IoT)

Threat actors could exploit the "Year 2036 Problem" and "Year 2038 Problem" rollover vulnerabilities, which affect systems running older Network Time Protocol versions and systems that store time in a 32-bit integer, respectively, to cause significant disruption more than a decade before the rollovers actually occur, according to SecurityWeek. Hundreds of thousands of internet-exposed devices, including industrial control systems, routers, printers, smart TVs, and automobiles, could be compromised through the bugs, which are exploitable through several time-manipulation tactics, said Bitsight researcher Pedro Umbelino, who co-presented a study on the flaws with Trey Darley at the BruCON security conference. Attackers could also use the flaws against telecommunications systems, power plants, water facilities, and other critical infrastructure, Umbelino added. Numerous vendors have already been alerted to their susceptibility to Y2K38 intrusions. Among them is Dover Fueling Solutions, which has already issued a fix for a vulnerability in its ProGauge automatic tank gauging devices, tracked as CVE-2025-55068, that could be abused to alter system time and cause a denial of service.
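The two rollovers above are easy to see in code. The following added example (not from the article or the Bitsight study) shows where a signed 32-bit time_t wraps in 2038 and how an NTP 32-bit seconds field is decoded era-aware using the rule from RFC 4330 section 3, so a defender auditing device timestamps can tell which stored or received values sit past either boundary; the function names and the 2036-02-07 era constant are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01). */
#define NTP_UNIX_OFFSET 2208988800ULL
/* An NTP era is 2^32 seconds; era 0 ends at 2036-02-07 06:28:16 UTC. */
#define NTP_ERA_SPAN    4294967296ULL

/* Does this Unix timestamp survive storage in a signed 32-bit time_t?
 * Returns 1 if it fits, 0 if it lies past 2038-01-19 03:14:07 UTC (or before 1901). */
int fits_time32(int64_t unix_secs) {
    return unix_secs >= INT32_MIN && unix_secs <= INT32_MAX;
}

/* The value a 32-bit signed time_t would actually hold after truncation:
 * 2147483648 (one second past the limit) becomes -2147483648, i.e. 1901. */
int32_t truncate_time32(int64_t unix_secs) {
    return (int32_t)(uint32_t)unix_secs;  /* wraps, as a 32-bit field does */
}

/* Convert an NTP 32-bit seconds field to 64-bit Unix time. RFC 4330 section 3:
 * if the high bit is set the value is in era 0 (1968..2036) and counts from 1900;
 * if it is clear the value is in era 1 (2036..2104) and counts from 2036-02-07.
 * A decoder that ignores the era treats every era-1 value as a date before 1968. */
int64_t ntp_to_unix(uint32_t ntp_secs) {
    if (ntp_secs & 0x80000000u)
        return (int64_t)ntp_secs - (int64_t)NTP_UNIX_OFFSET;
    return (int64_t)ntp_secs + (int64_t)(NTP_ERA_SPAN - NTP_UNIX_OFFSET);
}

int main(void) {
    int64_t last = INT32_MAX;  /* 2038-01-19 03:14:07 UTC */
    printf("Unix %lld fits in 32 bits: %d; the next second truncates to %d\n",
           (long long)last, fits_time32(last), truncate_time32(last + 1));
    printf("NTP 0xFFFFFFFF -> Unix %lld, NTP 0x00000000 -> Unix %lld\n",
           (long long)ntp_to_unix(0xFFFFFFFFu), (long long)ntp_to_unix(0u));
    return 0;
}
```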

Biggest L7 DDoS intrusion prevented

Hackread reports that the most significant Layer 7 distributed denial-of-service attack aimed at a government entity, which involved a botnet composed of 5.76 million breached internet-connected devices and systems around the world, was averted by Qrator Labs earlier this month.

Experts: US Cyber Trust Mark program at risk of being jeopardized by ongoing FCC probe

Cybersecurity experts and Biden administration officials said the Federal Communications Commission's Cyber Trust Mark program could be undermined by a vaguely defined, ongoing investigation that FCC Chair Brendan Carr launched into the Chinese ties of Illinois-based testing conglomerate UL Solutions, which had been tasked with supervising the program, reports Cybersecurity Dive.

