Secure Blink Researchers have found multiple critical vulnerabilities in an Indian Employee Monitoring Software, posing a major security risk...

Continue reading
Secure Blink Researchers have found multiple security vulnerabilities in the Indian SaaS employee monitoring software We360 ai. As per our observations on varying security flaws present in both of their web portals as well as applications (MyZen) which are compromising their global users' personal data.
Our vulnerability disclosures include numerous findings; however, in this feed, we are only focusing on those vulnerabilities with CVSS scores above 9.0; here are some of the discovered vulnerabilities & their overall nature:
Sensitive data is anything that should not be accessible to unauthorized access, known as sensitive data. Such data exposure may happen due to a lack of database protection, misconfigurations when bringing up new instances of data stores, inappropriate usage of data systems, and more.

An Insecure Direct Object Reference (IDOR) vulnerability could allow any authenticated user to access sensitive internal objects such as files and user details of other users without going through any further validation.
Improper authentication could be a result of an application improperly verifying the identity of every user who attempts to access internal resources of software, incorrectly validating login information of users fueling the malicious intent of a user to obtain certain privileges within the application interface or disclose sensitive information allowing to access sensitive data and triggering arbitrary code execution.
When access control checks are not in place, any users can establish access data or execute actions that they should not be allowed to. This can lead to a whole host of security issues, including unwanted information exposures, denial of service, and arbitrary code execution.

Insufficient session expiration might be the consequence of ineffective session management. This vulnerability may occur in both the design and implementation stages and can be exploited by attackers to get unauthorized access to the application.
It is possible that the file found flaws are very sensitive as there is no active connection between the website and this file. This test checks for security flaws in a whole host of files and data, including password files, configuration files, log files, statistics data, and database dumps. Any of these files might be exploited by an attacker to learn more about their target.
We have already reached out to the concerned team regarding the critical vulnerabilities; however, they simply denied most of our claims in the first place instead of looking into them. This doesn't end there as being a user of their software; instead of accepting our exclusive findings, they have surprisingly blocked our premium access to their software.
It could also be a compelling reason behind these alarming vulnerability disclosures that have been left unaddressed over a prolonged period. However, it is strictly advised to do your complete vendor due diligence before onboarding, and don't rely only on the online reviews and other claims, as all that glitters is not always gold.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.