urn:uuid:72595d37-5e23-4d48-9c9f-67a6a47c2f53
heise security News
2026-07-02T12:44:00.000Z
Heise - Content
Heise
https://www.heise.de
Copyright (c) Heise Medien
urn:bid:5110190
2026-07-02T12:44:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Cloudflare erweitert die Steuerung von KI-Crawlern. Websitebetreiber können Zugriffe nun nach Einsatzzweck unterscheiden und blockieren.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Instead-of-a-total-block-Cloudflare-separates-AI-crawlers-by-purpose-11351950.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FStatt-Totalblockade-Cloudflare-trennt-KI-Crawler-nach-Zweck-11351571.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.ix.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FStatt-Totalblockade-Cloudflare-trennt-KI-Crawler-nach-Zweck-11351571.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Statt-Totalblockade-Cloudflare-trennt-KI-Crawler-nach-Zweck-11351571.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.ix.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Statt-Totalblockade-Cloudflare-trennt-KI-Crawler-nach-Zweck/forum-585933/comment/"
class="a-article-action"
name="meldung.ix.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>2</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/1/0/1/9/0/cloudflare_ki_crawler-90f79077009028a1.png"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/1/0/1/9/0/cloudflare_ki_crawler-90f79077009028a1.png"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/1/9/0/cloudflare_ki_crawler-90f79077009028a1.png 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/1/9/0/cloudflare_ki_crawler-90f79077009028a1.png 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/1/9/0/cloudflare_ki_crawler-90f79077009028a1.png 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/1/9/0/cloudflare_ki_crawler-90f79077009028a1.png 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Roboter interagieren mit einem Browserfenster, Büchern und einem Dokument."
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: Cloudflare)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-02T14:44:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span class="a-datetime__time ">14:44
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
4 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/ix/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: iX Magazin"
>
iX Magazin
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Moritz-Foerster-3688111"
class="creator__link"
>Moritz Förster</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<!-- RSPEAK_STOP -->
<a-collapse
class="
a-box
a-box--collapsable
a-box--full-bordered
a-toc
"
has-indicator
>
<header
data-collapse-trigger
class="
a-box__header
"
>
<span>
Inhaltsverzeichnis
</span>
</header>
<div data-collapse-target class="a-box__target">
<div class="a-box__content">
</div>
</div>
</a-collapse>
<!-- RSPEAK_START -->
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Instead-of-a-total-block-Cloudflare-separates-AI-crawlers-by-purpose-11351950.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Cloudflare baut die Steuerung von KI-Crawlern deutlich aus. Webseitenbetreiber können Zugriffe künftig nicht mehr nur pauschal blockieren, sondern nach Einsatzzweck unterscheiden. Neu sind getrennte Regeln für Suchindexierung, KI-Agenten und Modelltraining. Die Funktionen stehen laut Cloudflare ab sofort allen Kunden zur Verfügung, auch im kostenlosen Tarif.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Zum 15. September 2026 will <a href="https://blog.cloudflare.com/content-independence-day-ai-options/" rel="external noopener" target="_blank">Cloudflare</a> außerdem die Voreinstellungen für neue Domains ändern. Auf Seiten mit Werbung sollen Crawler für KI-Training und KI-Agenten standardmäßig blockiert werden, Suchmaschinen-Crawler dagegen weiterhin zugelassen bleiben. Der CDN- und Sicherheitsanbieter begründet dies damit, dass Suchmaschinen weiterhin Klicks und damit Besucher auf die Webseiten bringen, während Trainings- und Agenten-Crawler Inhalte häufig ohne entsprechenden Gegenwert nutzen.</p>
<h3 class="subheading" id="nav_drei_kategorien__0">Drei Kategorien statt pauschaler KI-Blockade</h3>
<p>Bislang bot Cloudflare eine Option, bekannte KI-Crawler für das Modelltraining pauschal zu blockieren. Diese Funktion ersetzt das Unternehmen nun durch eine feinere Einteilung in drei Kategorien.</p>
<p>„Search“ umfasst Crawler, die Inhalte indexieren, um sie später in Suchdiensten oder KI-Suchmaschinen zu verwenden. „Agent“ bezeichnet Systeme, die im Auftrag eines Nutzers in Echtzeit Webseiten aufrufen, etwa ChatGPT- oder Claude-Agenten, die Informationen abrufen oder Formulare ausfüllen. „Training“ schließlich steht für Crawler, die Inhalte dauerhaft zum Trainieren oder Nachtrainieren von KI-Modellen sammeln.</p>
<p>Cloudflare empfiehlt Anbietern, diese Aufgaben mit getrennten Crawlern auszuführen. Unternehmen, die Suchindexierung, KI-Agenten und Modelltraining mit demselben Bot erledigen, sollen die Funktionen künftig auf unterschiedliche Bots aufteilen. Das soll Webseitenbetreibern transparentere Entscheidungen ermöglichen.</p>
<h3 class="subheading" id="nav_neue__1">Neue Standardregeln für Mehrzweck-Crawler</h3>
<p>Mit den neuen Voreinstellungen verschärft Cloudflare zugleich den Umgang mit Crawlern, die mehrere Aufgaben übernehmen. Künftig gelten für sie sämtliche zutreffenden Regeln gleichzeitig.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>Kombiniert also ein Crawler Suchindexierung und KI-Training, greift die restriktivere Einstellung. Betreiber, die Trainings-Crawler blockieren, sperren damit automatisch auch solche Mehrzweck-Crawler. Cloudflare nennt unter anderem Googlebot, Applebot und Bingbot als Beispiele für Bots, die von dieser Änderung betroffen sein können. Webseitenbetreiber können die neuen Voreinstellungen vor dem Stichtag deaktivieren und ihre bisherigen Regeln beibehalten.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_botbase_soll__2">BotBase soll mehr Transparenz schaffen</h3>
<p>Für Enterprise-Kunden führt Cloudflare außerdem eine Datenbank namens BotBase ein. Sie listet alle bekannten und verifizierten Bots einschließlich ihrer Klassifizierung auf: Neben den drei KI-Kategorien ordnet BotBase Bots unter anderem auch SEO-Crawlern, Preisvergleichs- und Datensammlern, Monitoring-Diensten, Werbeprüfern oder Social-Media-Vorschau-Bots zu. Administratoren können im Cloudflare-Dashboard gezielt nach einzelnen Bots filtern und deren Erkennungs-IDs direkt für Sicherheitsregeln übernehmen.</p>
<p>Cloudflare will Bots künftig auch danach unterscheiden, wie sie Inhalte verwenden. Vorgesehen sind drei Nutzungsstufen: „immediate“ für reine Echtzeitinteraktionen ohne Speicherung, „reference“ für Indexierung mit Verweisen und Auszügen sowie „full“ für Zusammenfassungen oder weitergehende Nutzung der Inhalte.</p>
<p>Diese Präferenz lässt sich künftig über einen zusätzlichen Parameter in der robots.txt veröffentlichen. Der Eintrag dient lediglich als Hinweis für Crawler und erzwingt keine Sperre. Parallel will Cloudflare diese Angaben in BotBase berücksichtigen. Bots, die deklarierte Nutzungsregeln missachten, sollen ihren Status als verifizierter Bot verlieren.</p>
<p>Auch die Definition dieses Status ändert sich. Verifizierte Bots werden künftig nicht mehr automatisch zugelassen. Stattdessen entscheidet die jeweilige Kategorie darüber, ob ein Bot Zugriff erhält. Nicht verifizierte Bots blockiert Cloudflare weiterhin standardmäßig.</p>
<p>Als weiteren Baustein schlägt Cloudflare vor, Informationen über den eigentlichen Betreiber eines Bots über den standardisierten HTTP-Header <code>Forwarded</code> weiterzugeben. Damit sollen Betreiber automatisierter Dienste ihre Identität und den vorgesehenen Umgang mit abgerufenen Inhalten transparent machen können, selbst wenn Anfragen über mehrere zwischengeschaltete Plattformen laufen.</p>
<!-- RSPEAK_STOP -->
<div class="a-u-inline" style="margin: 1.5rem 0 1.5rem 1rem;">
<div class="ho-text" data-component="RecommendationBox"><header class="mb-4"><h3 class="inline-flex border-b-4 border-gray-800 pb-2 pr-8 text-xl leading-none font-bold dark:border-white">Lesen Sie auch</h3></header><a-collapse sneak-peek-elements="3" sneak-peek-elements-selector="article" class="group"><div data-collapse-target="true" class="relative mb-4"><div data-collapse-content="true"><section data-component="TeaserList" class="grid gap-6 md:gap-y-4" data-sneak-peek-elements-container="true"><article data-component="TeaserContainer" data-cid="" data-content-id="5106363" class="ho-text flex" data-teaser-name="MinimalHorizontalTeaser" data-upscore-object-id="11344008"><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/news/Cloudflare-Eigene-OAuth-Apps-jetzt-fuer-alle-Entwickler-11344008.html" class="group/teaser flex" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="1999" height="1124" src="https://www.heise.de/imgs/18/5/1/0/6/3/6/3/cloudflare_0auth-3b8096ccc001f544.png" alt="Mehrere stilisierte Roboter um eine Lavalampe auf einem Podest versammelt." style="aspect-ratio:1999 / 1124"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="1999" height="1124" alt="Mehrere stilisierte Roboter um eine Lavalampe auf einem Podest versammelt." style="aspect-ratio:1999 / 1124;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">OAuth für alle: Cloudflare öffnet sein Ökosystem</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/news/Bots-uebernehmen-Internet-frueher-als-gedacht-11320530.html" class="group/teaser flex" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="1920" height="1079" src="https://www.heise.de/imgs/18/5/0/9/5/9/0/0/overlay-mixer-20260606-113628-c3256dd8c3d3dcc2.png" alt="Business-Mann starrt Robotergesicht an" style="aspect-ratio:1920 / 1079"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="1920" height="1079" alt="Business-Mann starrt Robotergesicht an" style="aspect-ratio:1920 / 1079;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Bots übernehmen Internet früher als gedacht</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/news/Cloudflare-uebernimmt-VoidZero-Team-hinter-Vite-wechselt-komplett-11318973.html" class="group/teaser flex" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="1999" height="1124" src="https://www.heise.de/imgs/18/5/0/9/5/1/1/9/BLOG-VOID_1-5d824488021fe958.png" alt="Logos von VOID und Cloudflare mit einem Pluszeichen dazwischen." style="aspect-ratio:1999 / 1124"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="1999" height="1124" alt="Logos von VOID und Cloudflare mit einem Pluszeichen dazwischen." style="aspect-ratio:1999 / 1124;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Cloudflare kauft Vite: Open Source und herstellerneutral – mit Millionenfonds</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/news/KI-Update-Verstoerende-Chatbots-Neue-Audio-Modelle-Mythos-Cloudflare-11288660.html" class="group/teaser flex" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="1920" height="1079" src="https://www.heise.de/imgs/18/5/0/7/9/7/5/1/KIupdate_Titel_122023-0953f976150f021c.jpeg" alt="Aufmacherbild KI Update" style="aspect-ratio:1920 / 1079"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="1920" height="1079" alt="Aufmacherbild KI Update" style="aspect-ratio:1920 / 1079;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">KI-Update: Verstörende Chatbots, Neue Audio-Modelle, Mythos, Cloudflare</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/news/Cloudflares-KI-Umbau-kostet-ein-Fuenftel-der-Arbeitsplaetze-11286783.html" class="group/teaser flex" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="4032" height="2266" src="https://www.heise.de/imgs/18/5/0/7/8/7/5/7/shutterstock_1505640251-c45c8f32b528ab22.jpeg" alt="Cloudflare-Banner an der New Yorker Börse zum Börsengang des Unternehmens." style="aspect-ratio:4032 / 2266"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4032" height="2266" alt="Cloudflare-Banner an der New Yorker Börse zum Börsengang des Unternehmens." style="aspect-ratio:4032 / 2266;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Cloudflares KI-Umbau kostet ein Fünftel der Arbeitsplätze</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Cloudflare erweitert die Steuerung von KI-Crawlern. Websitebetreiber können Zugriffe nun nach Einsatzzweck unterscheiden und blockieren.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Instead-of-a-total-block-Cloudflare-separates-AI-crawlers-by-purpose-11351950.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FStatt-Totalblockade-Cloudflare-trennt-KI-Crawler-nach-Zweck-11351571.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.ix.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FStatt-Totalblockade-Cloudflare-trennt-KI-Crawler-nach-Zweck-11351571.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Statt-Totalblockade-Cloudflare-trennt-KI-Crawler-nach-Zweck-11351571.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.ix.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Statt-Totalblockade-Cloudflare-trennt-KI-Crawler-nach-Zweck/forum-585933/comment/"
class="a-article-action"
name="meldung.ix.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>2</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/1/0/1/9/0/cloudflare_ki_crawler-90f79077009028a1.png"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/1/0/1/9/0/cloudflare_ki_crawler-90f79077009028a1.png"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/1/9/0/cloudflare_ki_crawler-90f79077009028a1.png 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/1/9/0/cloudflare_ki_crawler-90f79077009028a1.png 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/1/9/0/cloudflare_ki_crawler-90f79077009028a1.png 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/1/9/0/cloudflare_ki_crawler-90f79077009028a1.png 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Roboter interagieren mit einem Browserfenster, Büchern und einem Dokument."
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: Cloudflare)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-02T14:44:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span class="a-datetime__time ">14:44
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
4 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/ix/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: iX Magazin"
>
iX Magazin
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Moritz-Foerster-3688111"
class="creator__link"
>Moritz Förster</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<!-- RSPEAK_STOP -->
<a-collapse
class="
a-box
a-box--collapsable
a-box--full-bordered
a-toc
"
has-indicator
>
<header
data-collapse-trigger
class="
a-box__header
"
>
<span>
Inhaltsverzeichnis
</span>
</header>
<div data-collapse-target class="a-box__target">
<div class="a-box__content">
</div>
</div>
</a-collapse>
<!-- RSPEAK_START -->
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Instead-of-a-total-block-Cloudflare-separates-AI-crawlers-by-purpose-11351950.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Cloudflare baut die Steuerung von KI-Crawlern deutlich aus. Webseitenbetreiber können Zugriffe künftig nicht mehr nur pauschal blockieren, sondern nach Einsatzzweck unterscheiden. Neu sind getrennte Regeln für Suchindexierung, KI-Agenten und Modelltraining. Die Funktionen stehen laut Cloudflare ab sofort allen Kunden zur Verfügung, auch im kostenlosen Tarif.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Zum 15. September 2026 will <a href="https://blog.cloudflare.com/content-independence-day-ai-options/" rel="external noopener" target="_blank">Cloudflare</a> außerdem die Voreinstellungen für neue Domains ändern. Auf Seiten mit Werbung sollen Crawler für KI-Training und KI-Agenten standardmäßig blockiert werden, Suchmaschinen-Crawler dagegen weiterhin zugelassen bleiben. Der CDN- und Sicherheitsanbieter begründet dies damit, dass Suchmaschinen weiterhin Klicks und damit Besucher auf die Webseiten bringen, während Trainings- und Agenten-Crawler Inhalte häufig ohne entsprechenden Gegenwert nutzen.</p>
<h3 class="subheading" id="nav_drei_kategorien__0">Drei Kategorien statt pauschaler KI-Blockade</h3>
<p>Bislang bot Cloudflare eine Option, bekannte KI-Crawler für das Modelltraining pauschal zu blockieren. Diese Funktion ersetzt das Unternehmen nun durch eine feinere Einteilung in drei Kategorien.</p>
<p>„Search“ umfasst Crawler, die Inhalte indexieren, um sie später in Suchdiensten oder KI-Suchmaschinen zu verwenden. „Agent“ bezeichnet Systeme, die im Auftrag eines Nutzers in Echtzeit Webseiten aufrufen, etwa ChatGPT- oder Claude-Agenten, die Informationen abrufen oder Formulare ausfüllen. „Training“ schließlich steht für Crawler, die Inhalte dauerhaft zum Trainieren oder Nachtrainieren von KI-Modellen sammeln.</p>
<p>Cloudflare empfiehlt Anbietern, diese Aufgaben mit getrennten Crawlern auszuführen. Unternehmen, die Suchindexierung, KI-Agenten und Modelltraining mit demselben Bot erledigen, sollen die Funktionen künftig auf unterschiedliche Bots aufteilen. Das soll Webseitenbetreibern transparentere Entscheidungen ermöglichen.</p>
<h3 class="subheading" id="nav_neue__1">Neue Standardregeln für Mehrzweck-Crawler</h3>
<p>Mit den neuen Voreinstellungen verschärft Cloudflare zugleich den Umgang mit Crawlern, die mehrere Aufgaben übernehmen. Künftig gelten für sie sämtliche zutreffenden Regeln gleichzeitig.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>Kombiniert also ein Crawler Suchindexierung und KI-Training, greift die restriktivere Einstellung. Betreiber, die Trainings-Crawler blockieren, sperren damit automatisch auch solche Mehrzweck-Crawler. Cloudflare nennt unter anderem Googlebot, Applebot und Bingbot als Beispiele für Bots, die von dieser Änderung betroffen sein können. Webseitenbetreiber können die neuen Voreinstellungen vor dem Stichtag deaktivieren und ihre bisherigen Regeln beibehalten.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_botbase_soll__2">BotBase soll mehr Transparenz schaffen</h3>
<p>Für Enterprise-Kunden führt Cloudflare außerdem eine Datenbank namens BotBase ein. Sie listet alle bekannten und verifizierten Bots einschließlich ihrer Klassifizierung auf: Neben den drei KI-Kategorien ordnet BotBase Bots unter anderem auch SEO-Crawlern, Preisvergleichs- und Datensammlern, Monitoring-Diensten, Werbeprüfern oder Social-Media-Vorschau-Bots zu. Administratoren können im Cloudflare-Dashboard gezielt nach einzelnen Bots filtern und deren Erkennungs-IDs direkt für Sicherheitsregeln übernehmen.</p>
<p>Cloudflare will Bots künftig auch danach unterscheiden, wie sie Inhalte verwenden. Vorgesehen sind drei Nutzungsstufen: „immediate“ für reine Echtzeitinteraktionen ohne Speicherung, „reference“ für Indexierung mit Verweisen und Auszügen sowie „full“ für Zusammenfassungen oder weitergehende Nutzung der Inhalte.</p>
<p>Diese Präferenz lässt sich künftig über einen zusätzlichen Parameter in der robots.txt veröffentlichen. Der Eintrag dient lediglich als Hinweis für Crawler und erzwingt keine Sperre. Parallel will Cloudflare diese Angaben in BotBase berücksichtigen. Bots, die deklarierte Nutzungsregeln missachten, sollen ihren Status als verifizierter Bot verlieren.</p>
<p>Auch die Definition dieses Status ändert sich. Verifizierte Bots werden künftig nicht mehr automatisch zugelassen. Stattdessen entscheidet die jeweilige Kategorie darüber, ob ein Bot Zugriff erhält. Nicht verifizierte Bots blockiert Cloudflare weiterhin standardmäßig.</p>
<p>Als weiteren Baustein schlägt Cloudflare vor, Informationen über den eigentlichen Betreiber eines Bots über den standardisierten HTTP-Header <code>Forwarded</code> weiterzugeben. Damit sollen Betreiber automatisierter Dienste ihre Identität und den vorgesehenen Umgang mit abgerufenen Inhalten transparent machen können, selbst wenn Anfragen über mehrere zwischengeschaltete Plattformen laufen.</p>
<!-- RSPEAK_STOP -->
<div class="a-u-inline" style="margin: 1.5rem 0 1.5rem 1rem;">
<div class="ho-text" data-component="RecommendationBox"><header class="mb-4"><h3 class="inline-flex border-b-4 border-gray-800 pb-2 pr-8 text-xl leading-none font-bold dark:border-white">Lesen Sie auch</h3></header><a-collapse sneak-peek-elements="3" sneak-peek-elements-selector="article" class="group"><div data-collapse-target="true" class="relative mb-4"><div data-collapse-content="true"><section data-component="TeaserList" class="grid gap-6 md:gap-y-4" data-sneak-peek-elements-container="true"><article data-component="TeaserContainer" data-cid="" data-content-id="5106363" class="ho-text flex" data-teaser-name="MinimalHorizontalTeaser" data-upscore-object-id="11344008"><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/news/Cloudflare-Eigene-OAuth-Apps-jetzt-fuer-alle-Entwickler-11344008.html" class="group/teaser flex" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="1999" height="1124" src="https://www.heise.de/imgs/18/5/1/0/6/3/6/3/cloudflare_0auth-3b8096ccc001f544.png" alt="Mehrere stilisierte Roboter um eine Lavalampe auf einem Podest versammelt." style="aspect-ratio:1999 / 1124"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="1999" height="1124" alt="Mehrere stilisierte Roboter um eine Lavalampe auf einem Podest versammelt." style="aspect-ratio:1999 / 1124;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">OAuth für alle: Cloudflare öffnet sein Ökosystem</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/news/Bots-uebernehmen-Internet-frueher-als-gedacht-11320530.html" class="group/teaser flex" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="1920" height="1079" src="https://www.heise.de/imgs/18/5/0/9/5/9/0/0/overlay-mixer-20260606-113628-c3256dd8c3d3dcc2.png" alt="Business-Mann starrt Robotergesicht an" style="aspect-ratio:1920 / 1079"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="1920" height="1079" alt="Business-Mann starrt Robotergesicht an" style="aspect-ratio:1920 / 1079;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Bots übernehmen Internet früher als gedacht</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/news/Cloudflare-uebernimmt-VoidZero-Team-hinter-Vite-wechselt-komplett-11318973.html" class="group/teaser flex" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="1999" height="1124" src="https://www.heise.de/imgs/18/5/0/9/5/1/1/9/BLOG-VOID_1-5d824488021fe958.png" alt="Logos von VOID und Cloudflare mit einem Pluszeichen dazwischen." style="aspect-ratio:1999 / 1124"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="1999" height="1124" alt="Logos von VOID und Cloudflare mit einem Pluszeichen dazwischen." style="aspect-ratio:1999 / 1124;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Cloudflare kauft Vite: Open Source und herstellerneutral – mit Millionenfonds</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/news/KI-Update-Verstoerende-Chatbots-Neue-Audio-Modelle-Mythos-Cloudflare-11288660.html" class="group/teaser flex" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="1920" height="1079" src="https://www.heise.de/imgs/18/5/0/7/9/7/5/1/KIupdate_Titel_122023-0953f976150f021c.jpeg" alt="Aufmacherbild KI Update" style="aspect-ratio:1920 / 1079"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="1920" height="1079" alt="Aufmacherbild KI Update" style="aspect-ratio:1920 / 1079;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">KI-Update: Verstörende Chatbots, Neue Audio-Modelle, Mythos, Cloudflare</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/news/Cloudflares-KI-Umbau-kostet-ein-Fuenftel-der-Arbeitsplaetze-11286783.html" class="group/teaser flex" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="4032" height="2266" src="https://www.heise.de/imgs/18/5/0/7/8/7/5/7/shutterstock_1505640251-c45c8f32b528ab22.jpeg" alt="Cloudflare-Banner an der New Yorker Börse zum Börsengang des Unternehmens." style="aspect-ratio:4032 / 2266"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4032" height="2266" alt="Cloudflare-Banner an der New Yorker Börse zum Börsengang des Unternehmens." style="aspect-ratio:4032 / 2266;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Cloudflares KI-Umbau kostet ein Fünftel der Arbeitsplätze</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
2026-07-02T12:44:00.000Z
urn:bid:5110070
2026-07-02T08:29:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
Netzwerkspeicher von Synology mit MailPlus Server sind attackierbar. Ein Sicherheitspatch schafft Abhilfe.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Vulnerabilities-in-Synology-MailPlus-Server-allow-attackers-to-pass-11351424.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FSchwachstellen-in-Synology-MailPlus-Server-lassen-Angreifer-passieren-11351331.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FSchwachstellen-in-Synology-MailPlus-Server-lassen-Angreifer-passieren-11351331.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Schwachstellen-in-Synology-MailPlus-Server-lassen-Angreifer-passieren-11351331.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Schwachstellen-in-Synology-MailPlus-Server-lassen-Angreifer-passieren/forum-585904/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>11</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/1/0/0/7/0/shutterstock_1861629355-8fcbf7c5218cd6dd.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/7/0/shutterstock_1861629355-8fcbf7c5218cd6dd.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/7/0/shutterstock_1861629355-8fcbf7c5218cd6dd.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/7/0/shutterstock_1861629355-8fcbf7c5218cd6dd.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/7/0/shutterstock_1861629355-8fcbf7c5218cd6dd.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/7/0/shutterstock_1861629355-8fcbf7c5218cd6dd.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Eine Frau drückt einen symbolischen Updateknopf. "
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: Alfa Photo/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-02T10:29:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span class="a-datetime__time ">10:29
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
1 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/dennis-schirrmacher-4256415"
class="creator__link"
>Dennis Schirrmacher</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Vulnerabilities-in-Synology-MailPlus-Server-allow-attackers-to-pass-11351424.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Setzen Angreifer erfolgreich an Sicherheitslücken in Synology MailPlus Server an, können sie unter anderem auf Dateien zugreifen oder über DoS-Attacken Abstürze auslösen. Seitens des Herstellers gibt es derzeit keine Warnungen zu laufenden Attacken.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_verschiedene__0">Verschiedene Gefahren</h3>
<p><a href="https://www.synology.com/en-us/security/advisory/Synology_SA_26_11" rel="external noopener" target="_blank">In einer Warnmeldung listen die Entwickler insgesamt drei Schwachstellen auf</a>. Zwei davon sind als „<strong>kritisch</strong>“ eingestuft (CVE-2025-15660), eine (CVE-2026-13136) weist den maximalen CVSS Score 10 von 10 auf. In beiden Fällen sind unbefugte Dateizugriffe und DoS-Angriffe möglich.</p>
<p>Die dritte Lücke (CVE-2026-13135) ist mit „<strong>mittel</strong>“ eingestuft. Hier können Angreifer auf interne, nicht näher beschriebene Services zugreifen.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Die Entwickler versichern, die Sicherheitsprobleme in <strong>MailPlus Server 4.0.1-21663</strong> für DSM 7.2.1, 7.2.2 und 7.3 gelöst zu haben.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:des@heise.de" title="Dennis Schirrmacher">des</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11351331"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11351331: Schwachstellen in Synology MailPlus Server lassen Angreifer passieren"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
Netzwerkspeicher von Synology mit MailPlus Server sind attackierbar. Ein Sicherheitspatch schafft Abhilfe.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Vulnerabilities-in-Synology-MailPlus-Server-allow-attackers-to-pass-11351424.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FSchwachstellen-in-Synology-MailPlus-Server-lassen-Angreifer-passieren-11351331.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FSchwachstellen-in-Synology-MailPlus-Server-lassen-Angreifer-passieren-11351331.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Schwachstellen-in-Synology-MailPlus-Server-lassen-Angreifer-passieren-11351331.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Schwachstellen-in-Synology-MailPlus-Server-lassen-Angreifer-passieren/forum-585904/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>11</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/1/0/0/7/0/shutterstock_1861629355-8fcbf7c5218cd6dd.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/7/0/shutterstock_1861629355-8fcbf7c5218cd6dd.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/7/0/shutterstock_1861629355-8fcbf7c5218cd6dd.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/7/0/shutterstock_1861629355-8fcbf7c5218cd6dd.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/7/0/shutterstock_1861629355-8fcbf7c5218cd6dd.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/7/0/shutterstock_1861629355-8fcbf7c5218cd6dd.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Eine Frau drückt einen symbolischen Updateknopf. "
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: Alfa Photo/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-02T10:29:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span class="a-datetime__time ">10:29
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
1 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/dennis-schirrmacher-4256415"
class="creator__link"
>Dennis Schirrmacher</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Vulnerabilities-in-Synology-MailPlus-Server-allow-attackers-to-pass-11351424.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Setzen Angreifer erfolgreich an Sicherheitslücken in Synology MailPlus Server an, können sie unter anderem auf Dateien zugreifen oder über DoS-Attacken Abstürze auslösen. Seitens des Herstellers gibt es derzeit keine Warnungen zu laufenden Attacken.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_verschiedene__0">Verschiedene Gefahren</h3>
<p><a href="https://www.synology.com/en-us/security/advisory/Synology_SA_26_11" rel="external noopener" target="_blank">In einer Warnmeldung listen die Entwickler insgesamt drei Schwachstellen auf</a>. Zwei davon sind als „<strong>kritisch</strong>“ eingestuft (CVE-2025-15660), eine (CVE-2026-13136) weist den maximalen CVSS Score 10 von 10 auf. In beiden Fällen sind unbefugte Dateizugriffe und DoS-Angriffe möglich.</p>
<p>Die dritte Lücke (CVE-2026-13135) ist mit „<strong>mittel</strong>“ eingestuft. Hier können Angreifer auf interne, nicht näher beschriebene Services zugreifen.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Die Entwickler versichern, die Sicherheitsprobleme in <strong>MailPlus Server 4.0.1-21663</strong> für DSM 7.2.1, 7.2.2 und 7.3 gelöst zu haben.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:des@heise.de" title="Dennis Schirrmacher">des</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11351331"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11351331: Schwachstellen in Synology MailPlus Server lassen Angreifer passieren"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
2026-07-02T08:29:00.000Z
urn:bid:5109931
2026-07-02T08:23:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
„Hide my E-Mail“ oder „E-Mail-Adresse verbergen“ soll eigentlich User vor Spam und Co. schützen. Es gibt aber eine Lücke. Die Entdecker warten weiter auf Apple.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Apple-s-disguise-email-address-error-still-without-fix-11351414.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FFehler-in-E-Mail-Adresse-verbergen-von-Apple-weiter-ohne-Fix-11351055.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.mac-and-i.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FFehler-in-E-Mail-Adresse-verbergen-von-Apple-weiter-ohne-Fix-11351055.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Fehler-in-E-Mail-Adresse-verbergen-von-Apple-weiter-ohne-Fix-11351055.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.mac-and-i.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Fehler-in-E-Mail-Adresse-verbergen-von-Apple-weiter-ohne-Fix/forum-585903/comment/"
class="a-article-action"
name="meldung.mac-and-i.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>3</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/9/3/1/shutterstock_1138534613-1af077a2a1aa2047.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/9/3/1/shutterstock_1138534613-1af077a2a1aa2047.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/9/3/1/shutterstock_1138534613-1af077a2a1aa2047.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/9/3/1/shutterstock_1138534613-1af077a2a1aa2047.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/9/3/1/shutterstock_1138534613-1af077a2a1aa2047.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/9/3/1/shutterstock_1138534613-1af077a2a1aa2047.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Apple Mail auf einem iPhone"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__text">
Apple Mail auf einem iPhone.
</p> <p class="a-caption__source">
(Bild: hilalabdullah / Shutterstock)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-02T10:23:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span class="a-datetime__time ">10:23
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
3 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/mac-and-i/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Mac & i"
>
Mac & i
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Ben-Schwan-4508422"
class="creator__link"
>Ben Schwan</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Apple-s-disguise-email-address-error-still-without-fix-11351414.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Ein Dienst, der E-Mails verbirgt, sollte E-Mails verbergen – das sollte klar sein. Offenbar gelingt dies Apples <a href="http://www.heise.de/news/Apples-E-Mail-Adresse-verbergen-Nuetzlich-aber-leider-kaum-verbessert-11289817.html">„Hide My E-Mail“-Dienst alias „E-Mail-Adresse verbergen“</a> innerhalb von iCloud+ aber nicht. Es soll eine Sicherheitslücke geben, die ermöglicht, aus der versteckten E-Mail-Adresse wieder die echte zu machen. Das berichtet das investigative IT-Blog <a href="https://www.404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses/" rel="external noopener" target="_blank">404 Media</a>, das sich auf einen <a href="https://easyoptouts.com/guides/apple-hide-my-email-is-leaking-email-addresses" rel="external noopener" target="_blank">detaillierten Bericht von EasyOptOuts</a> stützt. Schlimmer noch: Apple soll seit mindestens einem Jahr über den Fehler informiert sein, hat ihn bislang aber noch nicht behoben. Genauere Details wurden bislang noch nicht veröffentlicht.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_methode_soll__0">Methode soll mit allen Adressen funktionieren</h3>
<p>Der Angriff konnte auch in dieser Woche noch durchgeführt werden, <a href="https://www.404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses/" rel="external noopener" target="_blank">berichtet 404 Media</a>, das die Möglichkeit mit einer eigenen versteckten E-Mail-Adresse durchexerziert hat. Entdeckt und an Apple gemeldet wurde das Sicherheitsloch vom Privacy-Dienst EasyOptOuts. Dessen Mitgründer Tyler Murphy sagte, er wisse nicht, warum Apple noch nicht tätig geworden ist. Das habe sich komisch angefühlt, weshalb das Unternehmen nach der langen Zeit nicht länger warten wollte und an die Öffentlichkeit ging.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Weder EasyOptOuts noch 404 Media veröffentlichten konkrete Details, wie der Angriff zu replizieren ist. EasyOptOuts hat dies gegenüber Apple aber genau beschrieben. „Hide My Email leakt E-Mail-Adressen, die versteckt sein sollten“, so Murphy. Ist die Originaladresse einmal vorhanden, könnten Angreifer über frei zugängliche Personendatenbanken weitere Informationen ermitteln – davor soll „E-Mail-Adresse verbergen“ eigentlich schützen.</p>
<h3 class="subheading" id="nav_fix_ist_kein__1">Fix ist kein Fix, weitere Kritik an „E-Mail-Adresse verbergen“</h3>
<p>Es ist unklar, ob alle versteckten Adressen angreifbar sind, Murphy zufolge gelang es aber mit 100 Prozent aller getesteten. Apple wurde das Problem im Juni 2025 mitgeteilt. Im März teilte Apple den Entdeckern dann mit, es habe bei einer Systemumstellung einen Fix gegeben. Dem war aber nicht so. Nach einem weiteren Hin und Her hieß es von Apple, man werde sich das Problem ansehen. Bis mindestens Mai lief die Untersuchung weiter. Damals bat Apple EasyOptOuts auch, Stillschweigen zu bewahren. Ende Mai hieß es dann, der Fix komme „in den kommenden Wochen“. Getan habe sich bislang nichts, so Murphy gegenüber 404 Media. Am 30. Juni 2026 behauptete Apple erneut, das Problem sei behoben – EasyOptOuts <a href="https://easyoptouts.com/guides/apple-hide-my-email-is-leaking-email-addresses" rel="external noopener" target="_blank">verifizierte jedoch, dass die Lücke weiterhin offen ist</a>. Apple kommentierte den Bericht nicht.</p>
<p>Zuletzt hatte es Kritik an einer von Apple angepeilten Änderung bei „Meine E-Mail verbergen“ gegeben: Das Unternehmen plant eine einheitliche, leicht zu identifizierende Domain für diese Accounts. Damit ließen sie sich von Diensten und Websites <a href="http://www.heise.de/news/Mit-Apple-anmelden-und-E-Mail-Adresse-verbergen-bekommen-einheitliche-Domain-11336719.html">wesentlich leichter wegfiltern beziehungsweise sperren</a>, was unschön wäre. Weiterhin wurde bekannt, dass Apple Namen von Besitzern von solchen Accounts <a href="http://www.heise.de/news/Apple-gibt-E-Mail-Adresse-verbergen-Nutzer-an-das-FBI-weiter-11227237.html">auch an Polizeibehörden weitergibt</a>. „E-Mail-Adresse verbergen“ ist Teil des Abodienstes <a href="https://www.apple.com/de/icloud/" rel="external noopener" target="_blank">iCloud+</a>, der mit mehr Speicherplatz mindestens 99 Cent im Monat kostet.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<a-opt-in checkbox-text="Preisvergleiche immer laden" class=" a-u-inline" type="Preisvergleichinternetservices">
<div class="opt-in__content-container">
<h2 class="opt-in__title">Empfohlener redaktioneller Inhalt</h2>
<p class="opt-in__description">
Mit Ihrer Zustimmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.
</p>
<div class="opt-in__cta-container">
<button class="opt-in__cta" data-opt-in>Preisvergleich jetzt laden</button>
</div>
<p class="opt-in__footnote">
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden.
Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden.
Mehr dazu in unserer
<a href="https://www.heise.de/Datenschutzerklaerung-der-Heise-Medien-GmbH-Co-KG-4860.html">Datenschutzerklärung</a>.
</p>
</div>
</a-opt-in>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="http://www.heise.de/mac-and-i" name="meldung.newsticker.inline.branding_mac-and-i" title="Mehr von Mac & i">
<a-img alt="Mehr von Mac & i" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/9/4/ho_markenbanner_mobil_mc2-b2508549b3fb181e.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Mehr von Mac & i" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Mehr von Mac & i" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/9/4/ho_markenbanner_desktop_neu_mc2-1b400c32629f6abc.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Mehr von Mac & i" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:bsc@heise.de" title="Ben Schwan">bsc</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11351055"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11351055: Fehler in „E-Mail-Adresse verbergen“ von Apple weiter ohne Fix"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
„Hide my E-Mail“ oder „E-Mail-Adresse verbergen“ soll eigentlich User vor Spam und Co. schützen. Es gibt aber eine Lücke. Die Entdecker warten weiter auf Apple.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Apple-s-disguise-email-address-error-still-without-fix-11351414.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FFehler-in-E-Mail-Adresse-verbergen-von-Apple-weiter-ohne-Fix-11351055.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.mac-and-i.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FFehler-in-E-Mail-Adresse-verbergen-von-Apple-weiter-ohne-Fix-11351055.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Fehler-in-E-Mail-Adresse-verbergen-von-Apple-weiter-ohne-Fix-11351055.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.mac-and-i.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Fehler-in-E-Mail-Adresse-verbergen-von-Apple-weiter-ohne-Fix/forum-585903/comment/"
class="a-article-action"
name="meldung.mac-and-i.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>3</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/9/3/1/shutterstock_1138534613-1af077a2a1aa2047.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/9/3/1/shutterstock_1138534613-1af077a2a1aa2047.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/9/3/1/shutterstock_1138534613-1af077a2a1aa2047.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/9/3/1/shutterstock_1138534613-1af077a2a1aa2047.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/9/3/1/shutterstock_1138534613-1af077a2a1aa2047.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/9/3/1/shutterstock_1138534613-1af077a2a1aa2047.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Apple Mail auf einem iPhone"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__text">
Apple Mail auf einem iPhone.
</p> <p class="a-caption__source">
(Bild: hilalabdullah / Shutterstock)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-02T10:23:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span class="a-datetime__time ">10:23
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
3 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/mac-and-i/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Mac & i"
>
Mac & i
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Ben-Schwan-4508422"
class="creator__link"
>Ben Schwan</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Apple-s-disguise-email-address-error-still-without-fix-11351414.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Ein Dienst, der E-Mails verbirgt, sollte E-Mails verbergen – das sollte klar sein. Offenbar gelingt dies Apples <a href="http://www.heise.de/news/Apples-E-Mail-Adresse-verbergen-Nuetzlich-aber-leider-kaum-verbessert-11289817.html">„Hide My E-Mail“-Dienst alias „E-Mail-Adresse verbergen“</a> innerhalb von iCloud+ aber nicht. Es soll eine Sicherheitslücke geben, die ermöglicht, aus der versteckten E-Mail-Adresse wieder die echte zu machen. Das berichtet das investigative IT-Blog <a href="https://www.404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses/" rel="external noopener" target="_blank">404 Media</a>, das sich auf einen <a href="https://easyoptouts.com/guides/apple-hide-my-email-is-leaking-email-addresses" rel="external noopener" target="_blank">detaillierten Bericht von EasyOptOuts</a> stützt. Schlimmer noch: Apple soll seit mindestens einem Jahr über den Fehler informiert sein, hat ihn bislang aber noch nicht behoben. Genauere Details wurden bislang noch nicht veröffentlicht.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_methode_soll__0">Methode soll mit allen Adressen funktionieren</h3>
<p>Der Angriff konnte auch in dieser Woche noch durchgeführt werden, <a href="https://www.404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses/" rel="external noopener" target="_blank">berichtet 404 Media</a>, das die Möglichkeit mit einer eigenen versteckten E-Mail-Adresse durchexerziert hat. Entdeckt und an Apple gemeldet wurde das Sicherheitsloch vom Privacy-Dienst EasyOptOuts. Dessen Mitgründer Tyler Murphy sagte, er wisse nicht, warum Apple noch nicht tätig geworden ist. Das habe sich komisch angefühlt, weshalb das Unternehmen nach der langen Zeit nicht länger warten wollte und an die Öffentlichkeit ging.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Weder EasyOptOuts noch 404 Media veröffentlichten konkrete Details, wie der Angriff zu replizieren ist. EasyOptOuts hat dies gegenüber Apple aber genau beschrieben. „Hide My Email leakt E-Mail-Adressen, die versteckt sein sollten“, so Murphy. Ist die Originaladresse einmal vorhanden, könnten Angreifer über frei zugängliche Personendatenbanken weitere Informationen ermitteln – davor soll „E-Mail-Adresse verbergen“ eigentlich schützen.</p>
<h3 class="subheading" id="nav_fix_ist_kein__1">Fix ist kein Fix, weitere Kritik an „E-Mail-Adresse verbergen“</h3>
<p>Es ist unklar, ob alle versteckten Adressen angreifbar sind, Murphy zufolge gelang es aber mit 100 Prozent aller getesteten. Apple wurde das Problem im Juni 2025 mitgeteilt. Im März teilte Apple den Entdeckern dann mit, es habe bei einer Systemumstellung einen Fix gegeben. Dem war aber nicht so. Nach einem weiteren Hin und Her hieß es von Apple, man werde sich das Problem ansehen. Bis mindestens Mai lief die Untersuchung weiter. Damals bat Apple EasyOptOuts auch, Stillschweigen zu bewahren. Ende Mai hieß es dann, der Fix komme „in den kommenden Wochen“. Getan habe sich bislang nichts, so Murphy gegenüber 404 Media. Am 30. Juni 2026 behauptete Apple erneut, das Problem sei behoben – EasyOptOuts <a href="https://easyoptouts.com/guides/apple-hide-my-email-is-leaking-email-addresses" rel="external noopener" target="_blank">verifizierte jedoch, dass die Lücke weiterhin offen ist</a>. Apple kommentierte den Bericht nicht.</p>
<p>Zuletzt hatte es Kritik an einer von Apple angepeilten Änderung bei „Meine E-Mail verbergen“ gegeben: Das Unternehmen plant eine einheitliche, leicht zu identifizierende Domain für diese Accounts. Damit ließen sie sich von Diensten und Websites <a href="http://www.heise.de/news/Mit-Apple-anmelden-und-E-Mail-Adresse-verbergen-bekommen-einheitliche-Domain-11336719.html">wesentlich leichter wegfiltern beziehungsweise sperren</a>, was unschön wäre. Weiterhin wurde bekannt, dass Apple Namen von Besitzern von solchen Accounts <a href="http://www.heise.de/news/Apple-gibt-E-Mail-Adresse-verbergen-Nutzer-an-das-FBI-weiter-11227237.html">auch an Polizeibehörden weitergibt</a>. „E-Mail-Adresse verbergen“ ist Teil des Abodienstes <a href="https://www.apple.com/de/icloud/" rel="external noopener" target="_blank">iCloud+</a>, der mit mehr Speicherplatz mindestens 99 Cent im Monat kostet.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<a-opt-in checkbox-text="Preisvergleiche immer laden" class=" a-u-inline" type="Preisvergleichinternetservices">
<div class="opt-in__content-container">
<h2 class="opt-in__title">Empfohlener redaktioneller Inhalt</h2>
<p class="opt-in__description">
Mit Ihrer Zustimmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.
</p>
<div class="opt-in__cta-container">
<button class="opt-in__cta" data-opt-in>Preisvergleich jetzt laden</button>
</div>
<p class="opt-in__footnote">
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden.
Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden.
Mehr dazu in unserer
<a href="https://www.heise.de/Datenschutzerklaerung-der-Heise-Medien-GmbH-Co-KG-4860.html">Datenschutzerklärung</a>.
</p>
</div>
</a-opt-in>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="http://www.heise.de/mac-and-i" name="meldung.newsticker.inline.branding_mac-and-i" title="Mehr von Mac & i">
<a-img alt="Mehr von Mac & i" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/9/4/ho_markenbanner_mobil_mc2-b2508549b3fb181e.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Mehr von Mac & i" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Mehr von Mac & i" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/9/4/ho_markenbanner_desktop_neu_mc2-1b400c32629f6abc.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Mehr von Mac & i" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:bsc@heise.de" title="Ben Schwan">bsc</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11351055"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11351055: Fehler in „E-Mail-Adresse verbergen“ von Apple weiter ohne Fix"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
2026-07-02T08:23:00.000Z
urn:bid:5110014
2026-07-02T07:43:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
Wichtige Sicherheitsupdates schließen kritische Schadcode-Lücken in Adobe ColdFusion und Campaign Classic. Ab sofort sollen Patches häufiger erscheinen.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Adobe-Patch-day-for-ColdFusion-and-Campaign-Classic-now-twice-a-month-11351352.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FAdobe-Patchday-fuer-ColdFusion-und-Campaign-Classic-fortan-zweimal-im-Monat-11351219.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FAdobe-Patchday-fuer-ColdFusion-und-Campaign-Classic-fortan-zweimal-im-Monat-11351219.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Adobe-Patchday-fuer-ColdFusion-und-Campaign-Classic-fortan-zweimal-im-Monat-11351219.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Luecken-in-Adobe-ColdFusion-und-Campaign-Classic-Patchdayzyklus-verdoppelt/forum-585897/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/1/0/0/1/4/2026-03-11-Adobe_Patchday-bcc3bba62f981c3a.png"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/1/4/2026-03-11-Adobe_Patchday-bcc3bba62f981c3a.png"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/1/4/2026-03-11-Adobe_Patchday-bcc3bba62f981c3a.png 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/1/4/2026-03-11-Adobe_Patchday-bcc3bba62f981c3a.png 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/1/4/2026-03-11-Adobe_Patchday-bcc3bba62f981c3a.png 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/1/4/2026-03-11-Adobe_Patchday-bcc3bba62f981c3a.png 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Achtung-Schild neben Adobe-Logo, vor MAtrix-Regen-Hintergrund"
width="610"
height="343"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: heise medien)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-02T09:43:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span class="a-datetime__time ">09:43
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/dennis-schirrmacher-4256415"
class="creator__link"
>Dennis Schirrmacher</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<!-- RSPEAK_STOP -->
<a-collapse
class="
a-box
a-box--collapsable
a-box--full-bordered
a-toc
"
has-indicator
>
<header
data-collapse-trigger
class="
a-box__header
"
>
<span>
Inhaltsverzeichnis
</span>
</header>
<div data-collapse-target class="a-box__target">
<div class="a-box__content">
</div>
</div>
</a-collapse>
<!-- RSPEAK_START -->
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Adobe-Patch-day-for-ColdFusion-and-Campaign-Classic-now-twice-a-month-11351352.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Adobes Enterprise-Marketing-Automatisierungslösung Campaign Classic und die Web-Anwendungsplattform sind über mehrere „<strong>kritische</strong>“ Sicherheitslücken mit Höchstwertung angreifbar. Nach erfolgreichen Attacken kann Schadcode Computer vollständig kompromittieren. Admins sollten die verfügbaren Sicherheitsupdates zeitnah installieren. Überdies will der Softwarehersteller ab sofort zweimal pro Monat Sicherheitspatches verteilen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_sieben_lücken__0">Sieben Lücken mit maximalem Score</h3>
<p><a href="https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html" rel="external noopener" target="_blank">Wie aus einer aktuellen Warnmeldung zu ColdFusion hervorgeht</a>, haben die Entwickler insgesamt elf Sicherheitslücken geschlossen. Davon sind alle Plattformen betroffen. Acht der Schwachstellen sind mit dem Bedrohungsgrad „<strong>kritisch</strong>“ eingestuft. Für sechs Lücken (CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, CVE-2026-48282, CVE-2026-48283) wurde der maximale CVSS Score 10 von 10 vergeben.</p>
<p>Vom CVSS Score leitet sich der Schweregrad einer Lücke und dementsprechend die Priorisierung von Sicherheitsupdates ab. Demzufolge sollten Admins umgehend handeln, um Systeme vor möglichen Attacken zu schützen. Bislang gibt es keine Berichte, dass Angreifer die Schwachstellen bereits ausnutzen.</p>
<p>Um in diesen Fällen Schadcode auf Systeme zu schieben, können Angreifer präparierte Dateien auf einem nicht näher beschriebenen Weg hochladen. Alternativ gelingt das aufgrund einer unzureichenden Eingabevalidierung. Das lässt darauf schließen, dass bestimmte Eingaben nicht ausreichend überprüft werden und so von Angreifern manipulierte Befehlsketten durchkommen.</p>
<p>Eine weitere Sicherheitslücke mit Höchstwertung (CVE-2026-48286 „<strong>kritisch</strong>“) <a href="https://helpx.adobe.com/security/products/campaign/apsb26-69.html" rel="external noopener" target="_blank">bedroht einem Beitrag zufolge</a> Campaign Classic unter Linux und Windows. Auch hier ist die Beschreibung der Schwachstelle wie von Adobe gewohnt knapp. Dort ist lediglich die Rede von einer falschen Autorisierung.</p>
<h3 class="subheading" id="nav_sicherheitsupdat__1">Sicherheitsupdates</h3>
<p>Damit Angreifer nicht an den Lücken ansetzen können, müssen Admins <strong>Campaign Classic ACC v7: 7.4.3 build 9397</strong> und <strong>ColdFusion 2023 Update 21</strong> oder <strong>ColdFusion 2025 Update 10</strong> installieren. Alle vorigen Versionen sind den Entwicklern zufolge verwundbar.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_patchday_verände__2">Patchday-Veränderung</h3>
<p><a href="https://blog.adobe.com/security/protecting-customers-faster-how-adobe-is-responding-to-ai-accelerated-vulnerability-discovery" rel="external noopener" target="_blank">In einem Beitrag schreibt Adobe</a>, dass sie ab sofort zweimal pro Monat Sicherheitsupdates veröffentlichen wollen. Bislang geschah das immer einmal pro Monat am zweiten Dienstag im Monat. Nun gibt es zusätzlich am vierten Dienstag Patches. Als Grund dafür gibt Adobe an, dass Angreifer in Zeiten von KI jüngst bekannt gewordene Schwachstellen bereits nach wenigen Stunden statt Tagen ausnutzen. Demzufolge müssen Updates schneller erscheinen.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:des@heise.de" title="Dennis Schirrmacher">des</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11351219"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11351219: Lücken in Adobe ColdFusion und Campaign Classic: Patchdayzyklus verdoppelt"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
Wichtige Sicherheitsupdates schließen kritische Schadcode-Lücken in Adobe ColdFusion und Campaign Classic. Ab sofort sollen Patches häufiger erscheinen.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Adobe-Patch-day-for-ColdFusion-and-Campaign-Classic-now-twice-a-month-11351352.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FAdobe-Patchday-fuer-ColdFusion-und-Campaign-Classic-fortan-zweimal-im-Monat-11351219.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FAdobe-Patchday-fuer-ColdFusion-und-Campaign-Classic-fortan-zweimal-im-Monat-11351219.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Adobe-Patchday-fuer-ColdFusion-und-Campaign-Classic-fortan-zweimal-im-Monat-11351219.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Luecken-in-Adobe-ColdFusion-und-Campaign-Classic-Patchdayzyklus-verdoppelt/forum-585897/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/1/0/0/1/4/2026-03-11-Adobe_Patchday-bcc3bba62f981c3a.png"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/1/4/2026-03-11-Adobe_Patchday-bcc3bba62f981c3a.png"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/1/4/2026-03-11-Adobe_Patchday-bcc3bba62f981c3a.png 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/1/4/2026-03-11-Adobe_Patchday-bcc3bba62f981c3a.png 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/1/4/2026-03-11-Adobe_Patchday-bcc3bba62f981c3a.png 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/1/0/0/1/4/2026-03-11-Adobe_Patchday-bcc3bba62f981c3a.png 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Achtung-Schild neben Adobe-Logo, vor MAtrix-Regen-Hintergrund"
width="610"
height="343"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: heise medien)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-02T09:43:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span class="a-datetime__time ">09:43
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/dennis-schirrmacher-4256415"
class="creator__link"
>Dennis Schirrmacher</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<!-- RSPEAK_STOP -->
<a-collapse
class="
a-box
a-box--collapsable
a-box--full-bordered
a-toc
"
has-indicator
>
<header
data-collapse-trigger
class="
a-box__header
"
>
<span>
Inhaltsverzeichnis
</span>
</header>
<div data-collapse-target class="a-box__target">
<div class="a-box__content">
</div>
</div>
</a-collapse>
<!-- RSPEAK_START -->
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Adobe-Patch-day-for-ColdFusion-and-Campaign-Classic-now-twice-a-month-11351352.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Adobes Enterprise-Marketing-Automatisierungslösung Campaign Classic und die Web-Anwendungsplattform sind über mehrere „<strong>kritische</strong>“ Sicherheitslücken mit Höchstwertung angreifbar. Nach erfolgreichen Attacken kann Schadcode Computer vollständig kompromittieren. Admins sollten die verfügbaren Sicherheitsupdates zeitnah installieren. Überdies will der Softwarehersteller ab sofort zweimal pro Monat Sicherheitspatches verteilen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_sieben_lücken__0">Sieben Lücken mit maximalem Score</h3>
<p><a href="https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html" rel="external noopener" target="_blank">Wie aus einer aktuellen Warnmeldung zu ColdFusion hervorgeht</a>, haben die Entwickler insgesamt elf Sicherheitslücken geschlossen. Davon sind alle Plattformen betroffen. Acht der Schwachstellen sind mit dem Bedrohungsgrad „<strong>kritisch</strong>“ eingestuft. Für sechs Lücken (CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, CVE-2026-48282, CVE-2026-48283) wurde der maximale CVSS Score 10 von 10 vergeben.</p>
<p>Vom CVSS Score leitet sich der Schweregrad einer Lücke und dementsprechend die Priorisierung von Sicherheitsupdates ab. Demzufolge sollten Admins umgehend handeln, um Systeme vor möglichen Attacken zu schützen. Bislang gibt es keine Berichte, dass Angreifer die Schwachstellen bereits ausnutzen.</p>
<p>Um in diesen Fällen Schadcode auf Systeme zu schieben, können Angreifer präparierte Dateien auf einem nicht näher beschriebenen Weg hochladen. Alternativ gelingt das aufgrund einer unzureichenden Eingabevalidierung. Das lässt darauf schließen, dass bestimmte Eingaben nicht ausreichend überprüft werden und so von Angreifern manipulierte Befehlsketten durchkommen.</p>
<p>Eine weitere Sicherheitslücke mit Höchstwertung (CVE-2026-48286 „<strong>kritisch</strong>“) <a href="https://helpx.adobe.com/security/products/campaign/apsb26-69.html" rel="external noopener" target="_blank">bedroht einem Beitrag zufolge</a> Campaign Classic unter Linux und Windows. Auch hier ist die Beschreibung der Schwachstelle wie von Adobe gewohnt knapp. Dort ist lediglich die Rede von einer falschen Autorisierung.</p>
<h3 class="subheading" id="nav_sicherheitsupdat__1">Sicherheitsupdates</h3>
<p>Damit Angreifer nicht an den Lücken ansetzen können, müssen Admins <strong>Campaign Classic ACC v7: 7.4.3 build 9397</strong> und <strong>ColdFusion 2023 Update 21</strong> oder <strong>ColdFusion 2025 Update 10</strong> installieren. Alle vorigen Versionen sind den Entwicklern zufolge verwundbar.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_patchday_verände__2">Patchday-Veränderung</h3>
<p><a href="https://blog.adobe.com/security/protecting-customers-faster-how-adobe-is-responding-to-ai-accelerated-vulnerability-discovery" rel="external noopener" target="_blank">In einem Beitrag schreibt Adobe</a>, dass sie ab sofort zweimal pro Monat Sicherheitsupdates veröffentlichen wollen. Bislang geschah das immer einmal pro Monat am zweiten Dienstag im Monat. Nun gibt es zusätzlich am vierten Dienstag Patches. Als Grund dafür gibt Adobe an, dass Angreifer in Zeiten von KI jüngst bekannt gewordene Schwachstellen bereits nach wenigen Stunden statt Tagen ausnutzen. Demzufolge müssen Updates schneller erscheinen.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:des@heise.de" title="Dennis Schirrmacher">des</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11351219"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11351219: Lücken in Adobe ColdFusion und Campaign Classic: Patchdayzyklus verdoppelt"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
2026-07-02T07:43:00.000Z
urn:bid:5109866
2026-07-01T15:23:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Auf Initiative Hessens fordert die Innenministerkonferenz ein hartes Vorgehen gegen das linksextreme Portal. Doch rechtlich bleibt das Vorhaben sehr umstritten.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Acute-threat-Interior-ministers-demand-complete-ban-of-Indymedia-11350956.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FAkute-Bedrohung-Innenminister-fordern-vollstaendiges-Verbot-von-Indymedia-11350925.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.newsticker.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FAkute-Bedrohung-Innenminister-fordern-vollstaendiges-Verbot-von-Indymedia-11350925.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Akute-Bedrohung-Innenminister-fordern-vollstaendiges-Verbot-von-Indymedia-11350925.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.newsticker.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Akute-Bedrohung-Innenminister-fordern-vollstaendiges-Verbot-von-Indymedia/forum-585871/comment/"
class="a-article-action"
name="meldung.newsticker.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>152</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/8/6/6/shutterstock_606694724-5adb8e00de0c9075.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/8/6/6/shutterstock_606694724-5adb8e00de0c9075.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/8/6/6/shutterstock_606694724-5adb8e00de0c9075.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/8/6/6/shutterstock_606694724-5adb8e00de0c9075.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/8/6/6/shutterstock_606694724-5adb8e00de0c9075.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/8/6/6/shutterstock_606694724-5adb8e00de0c9075.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Glasfaserkabel"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: asharkyu / Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-01T17:23:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>01.07.2026,
</span>
<span class="a-datetime__time ">17:23
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
3 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/newsticker/">
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Stefan-Krempl-4325443"
class="creator__link"
>Stefan Krempl</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Acute-threat-Interior-ministers-demand-complete-ban-of-Indymedia-11350956.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Die Innenminister der Länder haben auf ihrer Konferenz in Hamburg Mitte Juni ein Signal gegen den organisierten Linksextremismus gesetzt. Bei dem Treffen einigte sich das Gremium auf eine neue Initiative gegen das als linksextremistisch eingestufte Portal indymedia.org. Sie appellieren in dem nun veröffentlichten Beschluss offiziell an das Bundesinnenministerium, „alle rechtlichen Möglichkeiten für ein vollständiges Verbot“ zu prüfen und sich innerhalb der Bundesregierung dafür einzusetzen. Damit griff die Konferenz ein Anliegen auf, das der hessische Innenminister Roman Poseck (CDU) einbrachte.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav__netzsperren__0">„Netzsperren als ultima ratio“</h3>
<p>Die Konferenz weist darauf hin, dass das geltende Straf- und Gefahrenabwehrrecht bereits ausreichende Grundlagen biete, um entschieden gegen die Plattform vorzugehen. Als konkrete Instrumente nennen sie die Beschlagnahme von Webseiten, Löschungsaufforderungen an Host-Provider sowie „Netzsperren als ultima ratio“. Von diesen Optionen soll in der Vollzugspraxis konsequenter Gebrauch gemacht werden.</p>
<p>Hessen startete die Initiative, weil das Bundesland laut Poseck eine besorgniserregende Zunahme linksextremer Straftaten verzeichnete. Der Christdemokrat bezeichnete das Portal als das derzeit wichtigste Informations- und Propagandamedium der Szene, das Straftaten und Gewalt aktiv fördere.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>In der <a href="https://www.innenministerkonferenz.de/IMK/DE/termine/to-beschluesse/2026-06-19_DOK/Freie_Beschl%C3%BCsse.pdf?__blob=publicationFile&v=1" rel="external noopener" target="_blank">Begründung zeichnen die Innenminister ein ernstes Bild der Sicherheitslage</a>. Linksextremismus stelle vor allem angesichts von Angriffen auf kritische Infrastrukturen, gewaltsamen Ausschreitungen und einer zunehmenden internationalen Vernetzung eine hohe Bedrohung für die Gesellschaft und die freiheitliche demokratische Grundordnung dar.</p>
<p>Die Szene instrumentalisiere gesellschaftliche Themen wie <a href="http://www.heise.de/thema/Klimaschutz">Klimaschutz</a>, soziale Gerechtigkeit und die Wehrpflicht, heißt es. Ziel sei es, in breitere Schichten vorzudringen und immer jüngere Menschen – darunter insbesondere Schülerinnen und Schüler – zu erreichen. Daher gewinne die Absprache im Koalitionsvertrag auf Bundesebene für das Erarbeiten einer Strategie gegen linksextremistische Strukturen an Bedeutung.</p>
<h3 class="subheading" id="nav_rechtlich__1">Rechtlich vermintes Terrain</h3>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>Das Vorhaben berührt juristisch sensibles Terrain. <a href="http://www.heise.de/news/Verbot-von-linksunten-indymedia-Keine-Rueckzugsraeume-fuer-Extremisten-3812305.html">Bereits im August 2017</a> hatte das damals von Thomas de Maizière (CDU) geführte Bundesinnenministerium den Indymedia-Ableger „linksunten“ auf Basis des Vereinsgesetzes verboten. Die darauffolgenden Maßnahmen wie Hausdurchsuchungen und Strafverfahren erwiesen sich im Nachgang aber als Hürdenlauf.</p>
<p>Mehrere Gerichte <a href="http://www.heise.de/news/Justiz-Schlappe-Razzien-im-Fall-Indymedia-linksunten-waren-rechtswidrig-11141277.html">erklärten die Razzien später für teilweise rechtswidrig</a>. Strafverfahren gegen mutmaßliche Administratoren und Unterstützer wurden eingestellt, da sich keine konkrete Betreiberstruktur nachweisen ließ. Es waren sogar <a href="http://www.heise.de/news/Link-auf-linksunten-indymedia-Polizeidurchsuchung-bei-Radiosender-in-Freiburg-7461240.html">Redaktionsräume des Senders Radio Dreyeckland betroffen</a>, <a href="http://www.heise.de/news/Link-auf-linksunten-indymedia-Durchsuchung-bei-Journalist-war-verfassungswidrig-11084377.html">was das Bundesverfassungsgericht rügte</a>. Die Einstufung der Webseite als Verein blieb in der Rechtswissenschaft ebenfalls umstritten, auch <a href="http://www.heise.de/news/Gericht-Linksradikales-Internetportal-Linksunten-Indymedia-bleibt-verboten-4649198.html">wenn sie das Bundesverwaltungsgericht 2020 bestätigte</a>.</p>
<p>Während „linksunten“ abgeschaltet blieb, existiert die Plattform „de.indymedia.org“ bis heute. Der neue Anlauf der Innenministerkonferenz zielt darauf ab, dieses rechtliche Vakuum zu beenden. Das Gremium dürfte damit aber wieder eine komplexe Debatte über die Grenzen digitaler Repression und die Verhältnismäßigkeit staatlicher Eingriffe im Internet anstoßen.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://www.heise.de/newsletter/anmeldung.html?id=ki-update&amp;wt_mc=intern.red.ho.ho_nl_ki.ho.markenbanner.markenbanner" name="meldung.newsticker.inline.branding_" title="Melden Sie sich zum KI-Update an">
<a-img alt="Melden Sie sich zum KI-Update an" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/1/2/20250814_Fallback_KI-Update_mobil-27288d002022edd2.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Melden Sie sich zum KI-Update an" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Melden Sie sich zum KI-Update an" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/1/2/20250814_Fallback_KI-Update-c47e5f007d33025f.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Melden Sie sich zum KI-Update an" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:afl@heise.de" title="Andreas Floemer">afl</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11350925"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11350925: „Akute Bedrohung“: Innenminister fordern vollständiges Verbot von Indymedia"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Auf Initiative Hessens fordert die Innenministerkonferenz ein hartes Vorgehen gegen das linksextreme Portal. Doch rechtlich bleibt das Vorhaben sehr umstritten.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Acute-threat-Interior-ministers-demand-complete-ban-of-Indymedia-11350956.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FAkute-Bedrohung-Innenminister-fordern-vollstaendiges-Verbot-von-Indymedia-11350925.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.newsticker.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FAkute-Bedrohung-Innenminister-fordern-vollstaendiges-Verbot-von-Indymedia-11350925.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Akute-Bedrohung-Innenminister-fordern-vollstaendiges-Verbot-von-Indymedia-11350925.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.newsticker.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Akute-Bedrohung-Innenminister-fordern-vollstaendiges-Verbot-von-Indymedia/forum-585871/comment/"
class="a-article-action"
name="meldung.newsticker.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>152</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/8/6/6/shutterstock_606694724-5adb8e00de0c9075.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/8/6/6/shutterstock_606694724-5adb8e00de0c9075.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/8/6/6/shutterstock_606694724-5adb8e00de0c9075.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/8/6/6/shutterstock_606694724-5adb8e00de0c9075.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/8/6/6/shutterstock_606694724-5adb8e00de0c9075.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/8/6/6/shutterstock_606694724-5adb8e00de0c9075.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Glasfaserkabel"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: asharkyu / Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-01T17:23:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>01.07.2026,
</span>
<span class="a-datetime__time ">17:23
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
3 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/newsticker/">
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Stefan-Krempl-4325443"
class="creator__link"
>Stefan Krempl</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Acute-threat-Interior-ministers-demand-complete-ban-of-Indymedia-11350956.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Die Innenminister der Länder haben auf ihrer Konferenz in Hamburg Mitte Juni ein Signal gegen den organisierten Linksextremismus gesetzt. Bei dem Treffen einigte sich das Gremium auf eine neue Initiative gegen das als linksextremistisch eingestufte Portal indymedia.org. Sie appellieren in dem nun veröffentlichten Beschluss offiziell an das Bundesinnenministerium, „alle rechtlichen Möglichkeiten für ein vollständiges Verbot“ zu prüfen und sich innerhalb der Bundesregierung dafür einzusetzen. Damit griff die Konferenz ein Anliegen auf, das der hessische Innenminister Roman Poseck (CDU) einbrachte.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav__netzsperren__0">„Netzsperren als ultima ratio“</h3>
<p>Die Konferenz weist darauf hin, dass das geltende Straf- und Gefahrenabwehrrecht bereits ausreichende Grundlagen biete, um entschieden gegen die Plattform vorzugehen. Als konkrete Instrumente nennen sie die Beschlagnahme von Webseiten, Löschungsaufforderungen an Host-Provider sowie „Netzsperren als ultima ratio“. Von diesen Optionen soll in der Vollzugspraxis konsequenter Gebrauch gemacht werden.</p>
<p>Hessen startete die Initiative, weil das Bundesland laut Poseck eine besorgniserregende Zunahme linksextremer Straftaten verzeichnete. Der Christdemokrat bezeichnete das Portal als das derzeit wichtigste Informations- und Propagandamedium der Szene, das Straftaten und Gewalt aktiv fördere.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>In der <a href="https://www.innenministerkonferenz.de/IMK/DE/termine/to-beschluesse/2026-06-19_DOK/Freie_Beschl%C3%BCsse.pdf?__blob=publicationFile&v=1" rel="external noopener" target="_blank">Begründung zeichnen die Innenminister ein ernstes Bild der Sicherheitslage</a>. Linksextremismus stelle vor allem angesichts von Angriffen auf kritische Infrastrukturen, gewaltsamen Ausschreitungen und einer zunehmenden internationalen Vernetzung eine hohe Bedrohung für die Gesellschaft und die freiheitliche demokratische Grundordnung dar.</p>
<p>Die Szene instrumentalisiere gesellschaftliche Themen wie <a href="http://www.heise.de/thema/Klimaschutz">Klimaschutz</a>, soziale Gerechtigkeit und die Wehrpflicht, heißt es. Ziel sei es, in breitere Schichten vorzudringen und immer jüngere Menschen – darunter insbesondere Schülerinnen und Schüler – zu erreichen. Daher gewinne die Absprache im Koalitionsvertrag auf Bundesebene für das Erarbeiten einer Strategie gegen linksextremistische Strukturen an Bedeutung.</p>
<h3 class="subheading" id="nav_rechtlich__1">Rechtlich vermintes Terrain</h3>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>Das Vorhaben berührt juristisch sensibles Terrain. <a href="http://www.heise.de/news/Verbot-von-linksunten-indymedia-Keine-Rueckzugsraeume-fuer-Extremisten-3812305.html">Bereits im August 2017</a> hatte das damals von Thomas de Maizière (CDU) geführte Bundesinnenministerium den Indymedia-Ableger „linksunten“ auf Basis des Vereinsgesetzes verboten. Die darauffolgenden Maßnahmen wie Hausdurchsuchungen und Strafverfahren erwiesen sich im Nachgang aber als Hürdenlauf.</p>
<p>Mehrere Gerichte <a href="http://www.heise.de/news/Justiz-Schlappe-Razzien-im-Fall-Indymedia-linksunten-waren-rechtswidrig-11141277.html">erklärten die Razzien später für teilweise rechtswidrig</a>. Strafverfahren gegen mutmaßliche Administratoren und Unterstützer wurden eingestellt, da sich keine konkrete Betreiberstruktur nachweisen ließ. Es waren sogar <a href="http://www.heise.de/news/Link-auf-linksunten-indymedia-Polizeidurchsuchung-bei-Radiosender-in-Freiburg-7461240.html">Redaktionsräume des Senders Radio Dreyeckland betroffen</a>, <a href="http://www.heise.de/news/Link-auf-linksunten-indymedia-Durchsuchung-bei-Journalist-war-verfassungswidrig-11084377.html">was das Bundesverfassungsgericht rügte</a>. Die Einstufung der Webseite als Verein blieb in der Rechtswissenschaft ebenfalls umstritten, auch <a href="http://www.heise.de/news/Gericht-Linksradikales-Internetportal-Linksunten-Indymedia-bleibt-verboten-4649198.html">wenn sie das Bundesverwaltungsgericht 2020 bestätigte</a>.</p>
<p>Während „linksunten“ abgeschaltet blieb, existiert die Plattform „de.indymedia.org“ bis heute. Der neue Anlauf der Innenministerkonferenz zielt darauf ab, dieses rechtliche Vakuum zu beenden. Das Gremium dürfte damit aber wieder eine komplexe Debatte über die Grenzen digitaler Repression und die Verhältnismäßigkeit staatlicher Eingriffe im Internet anstoßen.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://www.heise.de/newsletter/anmeldung.html?id=ki-update&amp;wt_mc=intern.red.ho.ho_nl_ki.ho.markenbanner.markenbanner" name="meldung.newsticker.inline.branding_" title="Melden Sie sich zum KI-Update an">
<a-img alt="Melden Sie sich zum KI-Update an" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/1/2/20250814_Fallback_KI-Update_mobil-27288d002022edd2.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Melden Sie sich zum KI-Update an" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Melden Sie sich zum KI-Update an" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/1/2/20250814_Fallback_KI-Update-c47e5f007d33025f.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Melden Sie sich zum KI-Update an" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:afl@heise.de" title="Andreas Floemer">afl</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11350925"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11350925: „Akute Bedrohung“: Innenminister fordern vollständiges Verbot von Indymedia"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
2026-07-01T15:23:00.000Z
urn:bid:5109784
2026-07-01T13:04:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
Die OpenWrt-Entwickler haben in einer aktuellen Version unter anderem mehrere kritische Sicherheitslücken geschlossen.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Root-security-vulnerabilities-in-alternative-router-firmware-OpenWRT-closed-11350784.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FRoot-Sicherheitsluecken-in-alternativer-Router-Firmware-OpenWRT-geschlossen-11350761.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FRoot-Sicherheitsluecken-in-alternativer-Router-Firmware-OpenWRT-geschlossen-11350761.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Root-Sicherheitsluecken-in-alternativer-Router-Firmware-OpenWRT-geschlossen-11350761.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Root-Sicherheitsluecken-in-alternativer-Router-Firmware-OpenWrt-geschlossen/forum-585863/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>3</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/7/8/4/shutterstock_1948278403-7c6b4165f41fa6ef.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/7/8/4/shutterstock_1948278403-7c6b4165f41fa6ef.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/7/8/4/shutterstock_1948278403-7c6b4165f41fa6ef.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/7/8/4/shutterstock_1948278403-7c6b4165f41fa6ef.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/7/8/4/shutterstock_1948278403-7c6b4165f41fa6ef.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/7/8/4/shutterstock_1948278403-7c6b4165f41fa6ef.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Router, der aussieht, als ob er einem Außerirdischen gehört. Hintergrund ist Lila."
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: Evgeny Ostroushko / Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-01T15:04:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>01.07.2026,
</span>
<span class="a-datetime__time ">15:04
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/dennis-schirrmacher-4256415"
class="creator__link"
>Dennis Schirrmacher</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Root-security-vulnerabilities-in-alternative-router-firmware-OpenWRT-closed-11350784.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Angreifer können an zahlreichen Sicherheitslücken in der quelloffenen Router-Firmware OpenWrt ansetzen und Geräte im schlimmsten Fall als Root-Nutzer kompromittieren. Dagegen steht eine gerüstete Version zum Download.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_kritische__0">Kritische Schwachstellen</h3>
<p><a href="https://github.com/openwrt/openwrt/releases" rel="external noopener" target="_blank">Auf der GitHub-Release-Seite</a> zeigen die Entwickler die nun geschlossenen Sicherheitslücken auf. Die Schwachstellen betreffen verschiedene Komponenten wie odhcpd und das Webinterface LuCI.</p>
<p>Am gefährlichsten gilt eine „<strong>kritische</strong>“ Lücke mit einem CVSSS Score 9.9 von 10 in LuCI. Eine CVE-Nummer wurde offensichtlich bislang nicht vergeben. Voraussetzung für eine Attacke ist, dass der VPN-Dienst Tailscale installiert ist.</p>
<p>An dieser Stelle können Angreifer mit eingeschränkten Rechten im Kontext von <code>tailscale.do_login</code> Benutzereingaben manipulieren. Aufgrund des Fehlers können sie dabei beliebigen Code einschleusen und im Anschluss mit Root-Rechten ausführen. In diesem Kontext sind noch weitere Root-Attacken möglich (etwa CVE-2026-55897 „<strong>hoch</strong>“).</p>
<p>Ferner sind an anderen Stellen unter anderem noch DoS- und Stored-XSS-Attacken vorstellbar. OpenSSL und der SSH-Client Dropbear wurden in aktuellen und gegen mögliche Attacken gerüsteten Versionen implementiert. Die Entwickler listen alle weiteren Sicherheitsprobleme in dem GitHub-Beitrag auf.</p>
<p>Die Projektbetreiber raten zu einem zügigen Update. Bislang gibt es aber von ihrer Seite keine Hinweise auf laufende Attacken.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_was_hat_sich__1">Was hat sich noch getan?</h3>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>Neben den Sicherheitspatches haben die Entwickler noch die Gerätekompatibilität erweitert. Zusätzlich gibt es Verbesserungen beim Funken im 6-GHz-Band, die Arbeitsweise von DHCPv4/DHCPv6 wurde optimiert und der Linuxkernel springt auf 6.12.94. Alle Neuerungen finde sich <a href="https://github.com/openwrt/openwrt/releases" rel="external noopener" target="_blank">auf GitHub</a>.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:des@heise.de" title="Dennis Schirrmacher">des</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11350761"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11350761: Root-Sicherheitslücken in alternativer Router-Firmware OpenWrt geschlossen"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
Die OpenWrt-Entwickler haben in einer aktuellen Version unter anderem mehrere kritische Sicherheitslücken geschlossen.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Root-security-vulnerabilities-in-alternative-router-firmware-OpenWRT-closed-11350784.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FRoot-Sicherheitsluecken-in-alternativer-Router-Firmware-OpenWRT-geschlossen-11350761.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FRoot-Sicherheitsluecken-in-alternativer-Router-Firmware-OpenWRT-geschlossen-11350761.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Root-Sicherheitsluecken-in-alternativer-Router-Firmware-OpenWRT-geschlossen-11350761.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Root-Sicherheitsluecken-in-alternativer-Router-Firmware-OpenWrt-geschlossen/forum-585863/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>3</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/7/8/4/shutterstock_1948278403-7c6b4165f41fa6ef.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/7/8/4/shutterstock_1948278403-7c6b4165f41fa6ef.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/7/8/4/shutterstock_1948278403-7c6b4165f41fa6ef.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/7/8/4/shutterstock_1948278403-7c6b4165f41fa6ef.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/7/8/4/shutterstock_1948278403-7c6b4165f41fa6ef.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/7/8/4/shutterstock_1948278403-7c6b4165f41fa6ef.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Router, der aussieht, als ob er einem Außerirdischen gehört. Hintergrund ist Lila."
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: Evgeny Ostroushko / Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-01T15:04:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>01.07.2026,
</span>
<span class="a-datetime__time ">15:04
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/dennis-schirrmacher-4256415"
class="creator__link"
>Dennis Schirrmacher</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Root-security-vulnerabilities-in-alternative-router-firmware-OpenWRT-closed-11350784.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Angreifer können an zahlreichen Sicherheitslücken in der quelloffenen Router-Firmware OpenWrt ansetzen und Geräte im schlimmsten Fall als Root-Nutzer kompromittieren. Dagegen steht eine gerüstete Version zum Download.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_kritische__0">Kritische Schwachstellen</h3>
<p><a href="https://github.com/openwrt/openwrt/releases" rel="external noopener" target="_blank">Auf der GitHub-Release-Seite</a> zeigen die Entwickler die nun geschlossenen Sicherheitslücken auf. Die Schwachstellen betreffen verschiedene Komponenten wie odhcpd und das Webinterface LuCI.</p>
<p>Am gefährlichsten gilt eine „<strong>kritische</strong>“ Lücke mit einem CVSSS Score 9.9 von 10 in LuCI. Eine CVE-Nummer wurde offensichtlich bislang nicht vergeben. Voraussetzung für eine Attacke ist, dass der VPN-Dienst Tailscale installiert ist.</p>
<p>An dieser Stelle können Angreifer mit eingeschränkten Rechten im Kontext von <code>tailscale.do_login</code> Benutzereingaben manipulieren. Aufgrund des Fehlers können sie dabei beliebigen Code einschleusen und im Anschluss mit Root-Rechten ausführen. In diesem Kontext sind noch weitere Root-Attacken möglich (etwa CVE-2026-55897 „<strong>hoch</strong>“).</p>
<p>Ferner sind an anderen Stellen unter anderem noch DoS- und Stored-XSS-Attacken vorstellbar. OpenSSL und der SSH-Client Dropbear wurden in aktuellen und gegen mögliche Attacken gerüsteten Versionen implementiert. Die Entwickler listen alle weiteren Sicherheitsprobleme in dem GitHub-Beitrag auf.</p>
<p>Die Projektbetreiber raten zu einem zügigen Update. Bislang gibt es aber von ihrer Seite keine Hinweise auf laufende Attacken.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_was_hat_sich__1">Was hat sich noch getan?</h3>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>Neben den Sicherheitspatches haben die Entwickler noch die Gerätekompatibilität erweitert. Zusätzlich gibt es Verbesserungen beim Funken im 6-GHz-Band, die Arbeitsweise von DHCPv4/DHCPv6 wurde optimiert und der Linuxkernel springt auf 6.12.94. Alle Neuerungen finde sich <a href="https://github.com/openwrt/openwrt/releases" rel="external noopener" target="_blank">auf GitHub</a>.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:des@heise.de" title="Dennis Schirrmacher">des</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11350761"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11350761: Root-Sicherheitslücken in alternativer Router-Firmware OpenWrt geschlossen"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
2026-07-01T13:04:00.000Z
urn:bid:5109554
2026-07-01T12:28:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
In einer aktuellen Version von HCL BigFix haben die Entwickler insgesamt sechs Sicherheitslücken geschlossen.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/PC-remote-management-Man-in-the-middle-attacks-on-HCL-BigFix-possible-11350666.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FPC-Fernverwaltung-Man-in-the-Middle-Attacken-auf-HCL-BigFix-moeglich-11350301.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FPC-Fernverwaltung-Man-in-the-Middle-Attacken-auf-HCL-BigFix-moeglich-11350301.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/PC-Fernverwaltung-Man-in-the-Middle-Attacken-auf-HCL-BigFix-moeglich-11350301.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/PC-Fernverwaltung-Man-in-the-Middle-Attacken-auf-HCL-BigFix-moeglich/forum-585859/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/5/5/4/shutterstock_1504494320-0bee224cc964f2c3.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/5/4/shutterstock_1504494320-0bee224cc964f2c3.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/5/4/shutterstock_1504494320-0bee224cc964f2c3.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/5/4/shutterstock_1504494320-0bee224cc964f2c3.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/5/4/shutterstock_1504494320-0bee224cc964f2c3.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/5/4/shutterstock_1504494320-0bee224cc964f2c3.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Ein symbolischer Updateknopf auf einer Tastatur."
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: Artur Szczybylo/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-01T14:28:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>01.07.2026,
</span>
<span class="a-datetime__time ">14:28
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
1 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/dennis-schirrmacher-4256415"
class="creator__link"
>Dennis Schirrmacher</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/PC-remote-management-Man-in-the-middle-attacks-on-HCL-BigFix-possible-11350666.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Aufgrund von Softwareschwachstellen in Ruby-Komponenten, die HCL BigFix nutzt, können Angreifer Systeme attackieren. Erfolgreiche Attacken können unter anderem zu Abstürzen führen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Admins, die in Firmen HCK BigFix etwa zum Verteilen von Sicherheitspatches auf Firmen-PCs nutzen, sollten zeitnah die <strong>Version 2.0.18 </strong>installieren. Wenn das nicht geschieht, sind Systeme verwundbar und Angreifer können an sechs Sicherheitslücken ansetzen.</p>
<h3 class="subheading" id="nav_mehrere__0">Mehrere Schwachstellen</h3>
<p>Die Lücken stecken Warnmeldungen zufolge in der E-Mail-Bibliothek <a href="https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131659" rel="external noopener" target="_blank">Ruby Net-imap </a>und dem Dokumentationstool <a href="https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131663" rel="external noopener" target="_blank">Ruby Yard Gem</a>.</p>
<p>Wie aus einer Warnmeldung hervorgeht, ist eine davon in Ruby Net-imap mit dem Bedrohungsgrad „<strong>hoch</strong>“ eingestuft (CVE-2026-42246). Hier kann sich der Beschreibung zufolge ein Angreifer als Man-in-the-Middle in Verbindungen einklinken und Verbindungen ohne TLS-Verschlüsselung starten. Wie das konkret ablaufen kann, ist bislang unklar.</p>
<p>Durch das erfolgreiche Ausnutzen der verbleibenden Lücken kommt es primär zu DoS-Zuständen. Diese Schwachstellen sind mit „<strong>mittel</strong>“ und „<strong>niedrig</strong>“ eingestuft.</p>
<p>Bislang gibt es seitens HCLSoftware keine Hinweise, dass Angreifer die Lücken bereits ausnutzen. Admins sollten die Sicherheitsupdates zeitnah installieren. </p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Im Mai haben die Entwickler <a href="http://www.heise.de/news/HCL-BigFix-SCM-Reporting-sortiert-verwundbare-Komponente-aus-11296751.html">in HCL BigFix SCM Reporting eine Schadcode-Lücke geschlossen</a>.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:des@heise.de" title="Dennis Schirrmacher">des</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11350301"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11350301: PC-Fernverwaltung: Man-in-the-Middle-Attacken auf HCL BigFix möglich"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
In einer aktuellen Version von HCL BigFix haben die Entwickler insgesamt sechs Sicherheitslücken geschlossen.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/PC-remote-management-Man-in-the-middle-attacks-on-HCL-BigFix-possible-11350666.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FPC-Fernverwaltung-Man-in-the-Middle-Attacken-auf-HCL-BigFix-moeglich-11350301.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FPC-Fernverwaltung-Man-in-the-Middle-Attacken-auf-HCL-BigFix-moeglich-11350301.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/PC-Fernverwaltung-Man-in-the-Middle-Attacken-auf-HCL-BigFix-moeglich-11350301.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/PC-Fernverwaltung-Man-in-the-Middle-Attacken-auf-HCL-BigFix-moeglich/forum-585859/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/5/5/4/shutterstock_1504494320-0bee224cc964f2c3.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/5/4/shutterstock_1504494320-0bee224cc964f2c3.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/5/4/shutterstock_1504494320-0bee224cc964f2c3.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/5/4/shutterstock_1504494320-0bee224cc964f2c3.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/5/4/shutterstock_1504494320-0bee224cc964f2c3.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/5/4/shutterstock_1504494320-0bee224cc964f2c3.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Ein symbolischer Updateknopf auf einer Tastatur."
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: Artur Szczybylo/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-01T14:28:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>01.07.2026,
</span>
<span class="a-datetime__time ">14:28
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
1 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/dennis-schirrmacher-4256415"
class="creator__link"
>Dennis Schirrmacher</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/PC-remote-management-Man-in-the-middle-attacks-on-HCL-BigFix-possible-11350666.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Aufgrund von Softwareschwachstellen in Ruby-Komponenten, die HCL BigFix nutzt, können Angreifer Systeme attackieren. Erfolgreiche Attacken können unter anderem zu Abstürzen führen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Admins, die in Firmen HCK BigFix etwa zum Verteilen von Sicherheitspatches auf Firmen-PCs nutzen, sollten zeitnah die <strong>Version 2.0.18 </strong>installieren. Wenn das nicht geschieht, sind Systeme verwundbar und Angreifer können an sechs Sicherheitslücken ansetzen.</p>
<h3 class="subheading" id="nav_mehrere__0">Mehrere Schwachstellen</h3>
<p>Die Lücken stecken Warnmeldungen zufolge in der E-Mail-Bibliothek <a href="https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131659" rel="external noopener" target="_blank">Ruby Net-imap </a>und dem Dokumentationstool <a href="https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131663" rel="external noopener" target="_blank">Ruby Yard Gem</a>.</p>
<p>Wie aus einer Warnmeldung hervorgeht, ist eine davon in Ruby Net-imap mit dem Bedrohungsgrad „<strong>hoch</strong>“ eingestuft (CVE-2026-42246). Hier kann sich der Beschreibung zufolge ein Angreifer als Man-in-the-Middle in Verbindungen einklinken und Verbindungen ohne TLS-Verschlüsselung starten. Wie das konkret ablaufen kann, ist bislang unklar.</p>
<p>Durch das erfolgreiche Ausnutzen der verbleibenden Lücken kommt es primär zu DoS-Zuständen. Diese Schwachstellen sind mit „<strong>mittel</strong>“ und „<strong>niedrig</strong>“ eingestuft.</p>
<p>Bislang gibt es seitens HCLSoftware keine Hinweise, dass Angreifer die Lücken bereits ausnutzen. Admins sollten die Sicherheitsupdates zeitnah installieren. </p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Im Mai haben die Entwickler <a href="http://www.heise.de/news/HCL-BigFix-SCM-Reporting-sortiert-verwundbare-Komponente-aus-11296751.html">in HCL BigFix SCM Reporting eine Schadcode-Lücke geschlossen</a>.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:des@heise.de" title="Dennis Schirrmacher">des</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11350301"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11350301: PC-Fernverwaltung: Man-in-the-Middle-Attacken auf HCL BigFix möglich"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
2026-07-01T12:28:00.000Z
urn:bid:5109594
2026-07-01T10:19:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Mit Android 17 führt Google strengere Limits für PIN-Eingaben am Sperrbildschirm ein. Damit soll das Erraten von PIN oder Passwörtern deutlich erschwert werden.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Android-17-Google-makes-screen-lock-cracking-more-difficult-11350450.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FAndroid-17-Google-erschwert-das-Knacken-der-Bildschirmsperre-11350381.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.newsticker.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FAndroid-17-Google-erschwert-das-Knacken-der-Bildschirmsperre-11350381.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Android-17-Google-erschwert-das-Knacken-der-Bildschirmsperre-11350381.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.newsticker.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Android-17-Google-erschwert-das-Knacken-der-Bildschirmsperre/forum-585846/comment/"
class="a-article-action"
name="meldung.newsticker.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>16</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/5/9/4/android-sperrrbildschirm-pin-a5de8f0aaf58e9bd.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/9/4/android-sperrrbildschirm-pin-a5de8f0aaf58e9bd.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/9/4/android-sperrrbildschirm-pin-a5de8f0aaf58e9bd.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/9/4/android-sperrrbildschirm-pin-a5de8f0aaf58e9bd.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/9/4/android-sperrrbildschirm-pin-a5de8f0aaf58e9bd.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/9/4/android-sperrrbildschirm-pin-a5de8f0aaf58e9bd.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Smartphone-Sperrbildschirm mit PIN-Anzeige"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__text">
Android 17 wird schwerer knackbar.
</p> <p class="a-caption__source">
(Bild: i_am_zews / Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-01T12:19:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>01.07.2026,
</span>
<span class="a-datetime__time ">12:19
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
3 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/newsticker/">
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Andreas-Floemer-4840945"
class="creator__link"
>Andreas Floemer</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<!-- RSPEAK_STOP -->
<a-collapse
class="
a-box
a-box--collapsable
a-box--full-bordered
a-toc
"
has-indicator
>
<header
data-collapse-trigger
class="
a-box__header
"
>
<span>
Inhaltsverzeichnis
</span>
</header>
<div data-collapse-target class="a-box__target">
<div class="a-box__content">
</div>
</div>
</a-collapse>
<!-- RSPEAK_START -->
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Android-17-Google-makes-screen-lock-cracking-more-difficult-11350450.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Google baut die Android-Sicherheit weiter aus. Die nun im Detail angekündigten strengeren Schutzmaßnahmen für den Sperrbildschirm von <a href="http://www.heise.de/news/Google-erweitert-Android-Sicherheitsfunktionen-gegen-Geraetediebstahl-11292680.html">Android 17 hat das Unternehmen erstmals im Mai während der Android Show: I/O Edition erwähnt</a>. Diese neuen Maßnahmen sollen es Unbefugten erschweren – etwa im Falle eines Diebstahls –, den Sperrbildschirm zu durchbrechen und sich Zugang zu einem fremden Smartphone zu verschaffen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_20_versuche_0">20 Versuche</h3>
<p>Wie die neue Sicherheitsfunktion in Android 17 funktioniert, hat der Googler Mishaal Rahman erläutert. <a href="https://x.com/MishaalRahman/status/2072047759285436628" rel="external noopener" target="_blank">Er schreibt auf X</a>, dass die Anzahl der Eingabeversuche drastisch reduziert werde: Noch unter Android 16 waren in der ersten Minute bis zu 10 Versuche, in 6 Minuten 20, in 25 Minuten 50, in 24 Stunden 110 und in 5 Jahren 1800 Versuche zulässig.</p>
<p>Zwar sei dies für zufällig gewählte PINs und Passwörter recht sicher, jedoch wählten die meisten Menschen ihre PIN oder ihr Passwort nicht zufällig aus. „Angreifer können eine erhebliche Erfolgsquote beim Knacken von Geräten erzielen, indem sie PINs oder Passwörter in absteigender Häufigkeit eingeben, und wenn sie irgendetwas über Sie wissen (wie beispielsweise Ihren Geburtstag), steigt diese Erfolgsquote nur noch weiter an“, so Rahman.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Mit <a href="http://www.heise.de/news/Android-16-QPR2-Google-bringt-optimiertes-App-Theming-und-mehr-11100827.html">Android 16 QPR2 </a>hat Google eine Änderung vorgenommen, die auch in <a href="http://www.heise.de/thema/Android-17" rel="external noopener" target="_blank">Android 17</a> beibehalten wird. Die neuen Richtlinien erlauben nun nur noch sechs Eingabeversuche in der ersten Minute, sieben innerhalb von sechs Minuten, acht innerhalb von 25 Minuten, 12 innerhalb von 24 Stunden und lediglich 19 Versuche über einen Zeitraum von fünf Jahren. Nach 20 falschen Versuchen seien keine weiteren Versuche mehr zulässig.</p>
<h3 class="subheading" id="nav_ausnahmeregelung__1">Ausnahmeregelungen und Benutzerfreundlichkeit</h3>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>Damit Besitzer nicht aus ihren Geräten ausgesperrt bleiben, hat Google zusätzliche Features eingeführt: So gebe es unter Android eine Ausnahmeregelung für wiederholte Eingaben. Wenn Nutzer also versehentlich dieselbe falsche PIN mehrmals eingeben, werden diese doppelten falschen Eingaben nicht mehr auf das Limit für fehlgeschlagene Versuche angerechnet, erklärt der Googler. Stattdessen erkenne das System den wiederholten Fehler, ignoriere ihn und zeige eine spezielle Meldung an, in der erklärt wird, warum der Versuch nicht gezählt wurde.</p>
<!-- RSPEAK_STOP -->
<div class="a-u-inline" style="margin: 1.5rem 0 1.5rem 1rem;">
<div class="ho-text" data-component="RecommendationBox"><header class="mb-4"><h3 class="inline-flex border-b-4 border-gray-800 pb-2 pr-8 text-xl leading-none font-bold dark:border-white">Lesen Sie auch</h3></header><section data-component="TeaserList" class="grid gap-6 md:gap-y-4" data-sneak-peek-elements-container="true"><article data-component="TeaserContainer" data-cid="" data-content-id="4854496" class="ho-text flex" data-teaser-name="MinimalHorizontalTeaser" data-upscore-object-id="10384668"><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/news/Google-will-gestohlene-Android-Smartphones-unverkaeuflich-machen-10384668.html" class="group/teaser flex" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="2560" height="1439" src="https://www.heise.de/imgs/18/4/8/5/4/4/9/6/android-16-factory-reset-protection-30e2cfdcdc74b322.jpeg" alt="Android 16 FRP Screenshots" style="aspect-ratio:2560 / 1439"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2560" height="1439" alt="Android 16 FRP Screenshots" style="aspect-ratio:2560 / 1439;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Google will gestohlene Android-Smartphones unverkäuflich machen</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/news/Besserer-Schutz-fuer-Android-Geraete-Google-fuehrt-neue-Sicherheitsfeatures-ein-11157318.html" class="group/teaser flex" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="5472" height="3075" src="https://www.heise.de/imgs/18/5/0/1/7/9/9/2/android-bugdroid-schloss-c73ee4b489ef93ea.jpeg" alt="Grüne Android-Figur vor Schloss-Symbol" style="aspect-ratio:5472 / 3075"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="5472" height="3075" alt="Grüne Android-Figur vor Schloss-Symbol" style="aspect-ratio:5472 / 3075;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Besserer Schutz für Android-Geräte: Google führt neue Sicherheitsfeatures ein</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/ratgeber/Handy-weg-was-nun-Die-wichtigsten-Schritte-danach-und-wie-Sie-vorbeugen-9682534.html" class="group/teaser flex" data-google-interstitial="false" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="6016" height="3380" src="https://www.heise.de/imgs/18/4/5/7/1/2/6/9/shutterstock_1675274494-d358cddbc180e635.jpeg" alt="iPhone-Diebstahl (Symbolbild)" style="aspect-ratio:6016 / 3380"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="6016" height="3380" alt="iPhone-Diebstahl (Symbolbild)" style="aspect-ratio:6016 / 3380;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><img src="http://www.heise.de/icons/svg/logos/svg/heise_plus_blue.svg" alt="heise Plus" class="align-middle dark:hidden mr-[0.3em] inline-block h-3 md:h-4 relative -top-[0.1em]"/><img src="http://www.heise.de/icons/svg/logos/svg/heise_plus_blue_negativ.svg" alt="heise Plus" class="hidden align-middle dark:inline-block mr-[0.3em] inline-block h-3 md:h-4 relative -top-[0.1em]"/><span data-upscore-title="true">Handy weg, was nun? Die wichtigsten Schritte danach – und wie Sie vorbeugen</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Mit Android 17 führt Google strengere Limits für PIN-Eingaben am Sperrbildschirm ein. Damit soll das Erraten von PIN oder Passwörtern deutlich erschwert werden.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Android-17-Google-makes-screen-lock-cracking-more-difficult-11350450.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FAndroid-17-Google-erschwert-das-Knacken-der-Bildschirmsperre-11350381.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.newsticker.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FAndroid-17-Google-erschwert-das-Knacken-der-Bildschirmsperre-11350381.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Android-17-Google-erschwert-das-Knacken-der-Bildschirmsperre-11350381.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.newsticker.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Android-17-Google-erschwert-das-Knacken-der-Bildschirmsperre/forum-585846/comment/"
class="a-article-action"
name="meldung.newsticker.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>16</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/5/9/4/android-sperrrbildschirm-pin-a5de8f0aaf58e9bd.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/9/4/android-sperrrbildschirm-pin-a5de8f0aaf58e9bd.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/9/4/android-sperrrbildschirm-pin-a5de8f0aaf58e9bd.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/9/4/android-sperrrbildschirm-pin-a5de8f0aaf58e9bd.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/9/4/android-sperrrbildschirm-pin-a5de8f0aaf58e9bd.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/5/9/4/android-sperrrbildschirm-pin-a5de8f0aaf58e9bd.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Smartphone-Sperrbildschirm mit PIN-Anzeige"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__text">
Android 17 wird schwerer knackbar.
</p> <p class="a-caption__source">
(Bild: i_am_zews / Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-01T12:19:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>01.07.2026,
</span>
<span class="a-datetime__time ">12:19
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
3 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/newsticker/">
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Andreas-Floemer-4840945"
class="creator__link"
>Andreas Floemer</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<!-- RSPEAK_STOP -->
<a-collapse
class="
a-box
a-box--collapsable
a-box--full-bordered
a-toc
"
has-indicator
>
<header
data-collapse-trigger
class="
a-box__header
"
>
<span>
Inhaltsverzeichnis
</span>
</header>
<div data-collapse-target class="a-box__target">
<div class="a-box__content">
</div>
</div>
</a-collapse>
<!-- RSPEAK_START -->
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Android-17-Google-makes-screen-lock-cracking-more-difficult-11350450.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Google baut die Android-Sicherheit weiter aus. Die nun im Detail angekündigten strengeren Schutzmaßnahmen für den Sperrbildschirm von <a href="http://www.heise.de/news/Google-erweitert-Android-Sicherheitsfunktionen-gegen-Geraetediebstahl-11292680.html">Android 17 hat das Unternehmen erstmals im Mai während der Android Show: I/O Edition erwähnt</a>. Diese neuen Maßnahmen sollen es Unbefugten erschweren – etwa im Falle eines Diebstahls –, den Sperrbildschirm zu durchbrechen und sich Zugang zu einem fremden Smartphone zu verschaffen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_20_versuche_0">20 Versuche</h3>
<p>Wie die neue Sicherheitsfunktion in Android 17 funktioniert, hat der Googler Mishaal Rahman erläutert. <a href="https://x.com/MishaalRahman/status/2072047759285436628" rel="external noopener" target="_blank">Er schreibt auf X</a>, dass die Anzahl der Eingabeversuche drastisch reduziert werde: Noch unter Android 16 waren in der ersten Minute bis zu 10 Versuche, in 6 Minuten 20, in 25 Minuten 50, in 24 Stunden 110 und in 5 Jahren 1800 Versuche zulässig.</p>
<p>Zwar sei dies für zufällig gewählte PINs und Passwörter recht sicher, jedoch wählten die meisten Menschen ihre PIN oder ihr Passwort nicht zufällig aus. „Angreifer können eine erhebliche Erfolgsquote beim Knacken von Geräten erzielen, indem sie PINs oder Passwörter in absteigender Häufigkeit eingeben, und wenn sie irgendetwas über Sie wissen (wie beispielsweise Ihren Geburtstag), steigt diese Erfolgsquote nur noch weiter an“, so Rahman.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Mit <a href="http://www.heise.de/news/Android-16-QPR2-Google-bringt-optimiertes-App-Theming-und-mehr-11100827.html">Android 16 QPR2 </a>hat Google eine Änderung vorgenommen, die auch in <a href="http://www.heise.de/thema/Android-17" rel="external noopener" target="_blank">Android 17</a> beibehalten wird. Die neuen Richtlinien erlauben nun nur noch sechs Eingabeversuche in der ersten Minute, sieben innerhalb von sechs Minuten, acht innerhalb von 25 Minuten, 12 innerhalb von 24 Stunden und lediglich 19 Versuche über einen Zeitraum von fünf Jahren. Nach 20 falschen Versuchen seien keine weiteren Versuche mehr zulässig.</p>
<h3 class="subheading" id="nav_ausnahmeregelung__1">Ausnahmeregelungen und Benutzerfreundlichkeit</h3>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>Damit Besitzer nicht aus ihren Geräten ausgesperrt bleiben, hat Google zusätzliche Features eingeführt: So gebe es unter Android eine Ausnahmeregelung für wiederholte Eingaben. Wenn Nutzer also versehentlich dieselbe falsche PIN mehrmals eingeben, werden diese doppelten falschen Eingaben nicht mehr auf das Limit für fehlgeschlagene Versuche angerechnet, erklärt der Googler. Stattdessen erkenne das System den wiederholten Fehler, ignoriere ihn und zeige eine spezielle Meldung an, in der erklärt wird, warum der Versuch nicht gezählt wurde.</p>
<!-- RSPEAK_STOP -->
<div class="a-u-inline" style="margin: 1.5rem 0 1.5rem 1rem;">
<div class="ho-text" data-component="RecommendationBox"><header class="mb-4"><h3 class="inline-flex border-b-4 border-gray-800 pb-2 pr-8 text-xl leading-none font-bold dark:border-white">Lesen Sie auch</h3></header><section data-component="TeaserList" class="grid gap-6 md:gap-y-4" data-sneak-peek-elements-container="true"><article data-component="TeaserContainer" data-cid="" data-content-id="4854496" class="ho-text flex" data-teaser-name="MinimalHorizontalTeaser" data-upscore-object-id="10384668"><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/news/Google-will-gestohlene-Android-Smartphones-unverkaeuflich-machen-10384668.html" class="group/teaser flex" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="2560" height="1439" src="https://www.heise.de/imgs/18/4/8/5/4/4/9/6/android-16-factory-reset-protection-30e2cfdcdc74b322.jpeg" alt="Android 16 FRP Screenshots" style="aspect-ratio:2560 / 1439"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2560" height="1439" alt="Android 16 FRP Screenshots" style="aspect-ratio:2560 / 1439;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Google will gestohlene Android-Smartphones unverkäuflich machen</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/news/Besserer-Schutz-fuer-Android-Geraete-Google-fuehrt-neue-Sicherheitsfeatures-ein-11157318.html" class="group/teaser flex" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="5472" height="3075" src="https://www.heise.de/imgs/18/5/0/1/7/9/9/2/android-bugdroid-schloss-c73ee4b489ef93ea.jpeg" alt="Grüne Android-Figur vor Schloss-Symbol" style="aspect-ratio:5472 / 3075"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="5472" height="3075" alt="Grüne Android-Figur vor Schloss-Symbol" style="aspect-ratio:5472 / 3075;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Besserer Schutz für Android-Geräte: Google führt neue Sicherheitsfeatures ein</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="http://www.heise.de/ratgeber/Handy-weg-was-nun-Die-wichtigsten-Schritte-danach-und-wie-Sie-vorbeugen-9682534.html" class="group/teaser flex" data-google-interstitial="false" data-upscore-url="true"><figure data-component="Image" class="mr-2 w-24 shrink-0 md:mr-4 md:w-40"><a-img width="6016" height="3380" src="https://www.heise.de/imgs/18/4/5/7/1/2/6/9/shutterstock_1675274494-d358cddbc180e635.jpeg" alt="iPhone-Diebstahl (Symbolbild)" style="aspect-ratio:6016 / 3380"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="6016" height="3380" alt="iPhone-Diebstahl (Symbolbild)" style="aspect-ratio:6016 / 3380;object-fit:cover"/></a-img></figure><div class="-translate-y-1"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-base leading-snug md:text-lg md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><img src="http://www.heise.de/icons/svg/logos/svg/heise_plus_blue.svg" alt="heise Plus" class="align-middle dark:hidden mr-[0.3em] inline-block h-3 md:h-4 relative -top-[0.1em]"/><img src="http://www.heise.de/icons/svg/logos/svg/heise_plus_blue_negativ.svg" alt="heise Plus" class="hidden align-middle dark:inline-block mr-[0.3em] inline-block h-3 md:h-4 relative -top-[0.1em]"/><span data-upscore-title="true">Handy weg, was nun? Die wichtigsten Schritte danach – und wie Sie vorbeugen</span></span></h3></header></div></a><div></div><a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
2026-07-01T10:19:00.000Z
urn:bid:5109475
2026-07-01T09:04:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
Die Citrix-Entwickler haben im Load-Balancer NetScaler ADC und in der Fernzugriffslösung NetScaler Gateway insgesamt sechs Sicherheitslücken geschlossen.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Attackers-can-disable-Citrix-NetScaler-ADC-and-NetScaler-Gateway-11350245.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FAngreifer-koennen-Citrix-NetScaler-ADC-und-NetScaler-Gateway-lahmlegen-11350144.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FAngreifer-koennen-Citrix-NetScaler-ADC-und-NetScaler-Gateway-lahmlegen-11350144.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Angreifer-koennen-Citrix-NetScaler-ADC-und-NetScaler-Gateway-lahmlegen-11350144.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Angreifer-koennen-Citrix-NetScaler-ADC-und-NetScaler-Gateway-lahmlegen/forum-585835/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/4/7/5/shutterstock_1024271563-0c1d5f41e4170267.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/7/5/shutterstock_1024271563-0c1d5f41e4170267.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/7/5/shutterstock_1024271563-0c1d5f41e4170267.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/7/5/shutterstock_1024271563-0c1d5f41e4170267.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/7/5/shutterstock_1024271563-0c1d5f41e4170267.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/7/5/shutterstock_1024271563-0c1d5f41e4170267.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Ein symbolischer Updatebalken füllt sich."
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: AFANASEV IVAN/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-01T11:04:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>01.07.2026,
</span>
<span class="a-datetime__time ">11:04
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/dennis-schirrmacher-4256415"
class="creator__link"
>Dennis Schirrmacher</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Attackers-can-disable-Citrix-NetScaler-ADC-and-NetScaler-Gateway-11350245.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Citrix NetScaler ADC und NetScaler Gateway sind verwundbar, und Angreifer können Instanzen mittels DoS-Attacken zum Erliegen bringen. Dadurch können unter anderem wichtige Netzwerkbereiche in Unternehmen nicht erreichbar sein. Sicherheitsupdates stehen zum Download bereit. Bislang gibt es keine Hinweise, dass Angreifer die Schwachstellen bereits ausnutzen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Das Softwareunternehmen weist darauf hin, dass die Cloudinstanzen bereits verarztet sind. Admins, die Instanzen selbst hosten, müssen handeln.</p>
<h3 class="subheading" id="nav_angriffe_mit__0">Angriffe mit Hürden</h3>
<p>Bis auf eine Sicherheitslücke (CVE-2026-10817 „<strong>mittel</strong>“) sind alle weiteren (CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, 13474) mit dem Bedrohungsgrad „<strong>hoch</strong>“ eingestuft. In allen Fällen müssen bestimmte Voraussetzungen gegeben sein, damit Attacken überhaupt möglich sind. Diese und weitere Informationen <a href="https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604" rel="external noopener" target="_blank">führen die Entwickler in einer Warnmeldung aus.</a></p>
<p>In einem Fall muss etwa die Single-Sign-On-Komponente SAML IDP aktiv sein. Ist das gegeben, können Angreifer auf einem nicht näher beschriebenen Weg einen Speicherfehler auslösen. In so einem Kontext kommt es oft zur Ausführung von Schadcode und somit zur vollständigen Kompromittierung von Systemen.</p>
<p>Die DoS-Attacken gehen ebenfalls auf Speicherfehler zurück und Dienste können abstürzen. Damit das klappt, muss NetScaler ADC etwa als DNS-Proxy konfiguriert sein. In einem anderen Fall können präparierte HTTP/2-Anfragen für Probleme sorgen und Abstürze auslösen. Dafür muss aber vorab das HTTP/2-Profil aktiviert sein. Angreifer können aber auch unbefugt auf Dateien zugreifen und diese lesen.</p>
<p>Um solchen Attacken vorzubeugen, müssen Admins eine der folgenden Versionen installieren. Alle vorigen Ausgaben sind verwundbar.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<ul class="rte__list rte__list--unordered"><li>NetScaler ADC und NetScaler Gateway 14.1-72.61</li><li>NetScaler ADC und NetScaler Gateway 13.1-63.18</li><li>NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS</li><li>NetScaler ADC 13.1-FIPS und 13.1-NDcPP 13.1.37.272</li></ul>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>Eine so ausführliche wie launige Analyse zu CVE-2026-8451, liebevoll „Citrixbleed: To Infinity and Beyond“ getauft, haben die Entdecker von WatchTowr Labs <a href="https://labs.watchtowr.com/citrixbleed-to-infinity-and-beyond-citrix-netscaler-pre-auth-memory-overread-cve-2026-8451/" rel="external noopener" target="_blank">in ihrem Blog veröffentlicht</a>.</p>
<div class="update-box a-u-inline">
<div class="a-publish-info update-box__datetime">
<!-- RSPEAK_STOP -->
<span class="a-publish-info__update">Update</span>
<time class="
a-datetime
a-publish-info__datetime" datetime="2026-07-01T18:02:00">
<span class="
a-datetime__date
a-publish-info__date">01.07.2026,
</span>
<span class="a-datetime__time ">18:02
</span>
<span class="
a-datetime__word
">
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
</div>
<div class="update-box__text">
<p>Blogeintrag von WatchTowr Labs nachgetragen.</p>
</div>
</div>
<p>Zuletzt sorgte Citrix <a href="http://www.heise.de/news/Angriffe-laufen-auf-Citrix-Gateway-und-Netscaler-ADC-11229094.html">Ende März mit Attacken auf Gateway und NetScaler ADC für Schlagzeilen</a>.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:des@heise.de" title="Dennis Schirrmacher">des</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11350144"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11350144: Angreifer können Citrix NetScaler ADC und NetScaler Gateway lahmlegen"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
Die Citrix-Entwickler haben im Load-Balancer NetScaler ADC und in der Fernzugriffslösung NetScaler Gateway insgesamt sechs Sicherheitslücken geschlossen.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Attackers-can-disable-Citrix-NetScaler-ADC-and-NetScaler-Gateway-11350245.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FAngreifer-koennen-Citrix-NetScaler-ADC-und-NetScaler-Gateway-lahmlegen-11350144.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FAngreifer-koennen-Citrix-NetScaler-ADC-und-NetScaler-Gateway-lahmlegen-11350144.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Angreifer-koennen-Citrix-NetScaler-ADC-und-NetScaler-Gateway-lahmlegen-11350144.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Angreifer-koennen-Citrix-NetScaler-ADC-und-NetScaler-Gateway-lahmlegen/forum-585835/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/4/7/5/shutterstock_1024271563-0c1d5f41e4170267.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/7/5/shutterstock_1024271563-0c1d5f41e4170267.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/7/5/shutterstock_1024271563-0c1d5f41e4170267.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/7/5/shutterstock_1024271563-0c1d5f41e4170267.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/7/5/shutterstock_1024271563-0c1d5f41e4170267.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/7/5/shutterstock_1024271563-0c1d5f41e4170267.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Ein symbolischer Updatebalken füllt sich."
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: AFANASEV IVAN/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-01T11:04:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>01.07.2026,
</span>
<span class="a-datetime__time ">11:04
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/dennis-schirrmacher-4256415"
class="creator__link"
>Dennis Schirrmacher</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Attackers-can-disable-Citrix-NetScaler-ADC-and-NetScaler-Gateway-11350245.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Citrix NetScaler ADC und NetScaler Gateway sind verwundbar, und Angreifer können Instanzen mittels DoS-Attacken zum Erliegen bringen. Dadurch können unter anderem wichtige Netzwerkbereiche in Unternehmen nicht erreichbar sein. Sicherheitsupdates stehen zum Download bereit. Bislang gibt es keine Hinweise, dass Angreifer die Schwachstellen bereits ausnutzen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Das Softwareunternehmen weist darauf hin, dass die Cloudinstanzen bereits verarztet sind. Admins, die Instanzen selbst hosten, müssen handeln.</p>
<h3 class="subheading" id="nav_angriffe_mit__0">Angriffe mit Hürden</h3>
<p>Bis auf eine Sicherheitslücke (CVE-2026-10817 „<strong>mittel</strong>“) sind alle weiteren (CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, 13474) mit dem Bedrohungsgrad „<strong>hoch</strong>“ eingestuft. In allen Fällen müssen bestimmte Voraussetzungen gegeben sein, damit Attacken überhaupt möglich sind. Diese und weitere Informationen <a href="https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604" rel="external noopener" target="_blank">führen die Entwickler in einer Warnmeldung aus.</a></p>
<p>In einem Fall muss etwa die Single-Sign-On-Komponente SAML IDP aktiv sein. Ist das gegeben, können Angreifer auf einem nicht näher beschriebenen Weg einen Speicherfehler auslösen. In so einem Kontext kommt es oft zur Ausführung von Schadcode und somit zur vollständigen Kompromittierung von Systemen.</p>
<p>Die DoS-Attacken gehen ebenfalls auf Speicherfehler zurück und Dienste können abstürzen. Damit das klappt, muss NetScaler ADC etwa als DNS-Proxy konfiguriert sein. In einem anderen Fall können präparierte HTTP/2-Anfragen für Probleme sorgen und Abstürze auslösen. Dafür muss aber vorab das HTTP/2-Profil aktiviert sein. Angreifer können aber auch unbefugt auf Dateien zugreifen und diese lesen.</p>
<p>Um solchen Attacken vorzubeugen, müssen Admins eine der folgenden Versionen installieren. Alle vorigen Ausgaben sind verwundbar.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<ul class="rte__list rte__list--unordered"><li>NetScaler ADC und NetScaler Gateway 14.1-72.61</li><li>NetScaler ADC und NetScaler Gateway 13.1-63.18</li><li>NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS</li><li>NetScaler ADC 13.1-FIPS und 13.1-NDcPP 13.1.37.272</li></ul>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>Eine so ausführliche wie launige Analyse zu CVE-2026-8451, liebevoll „Citrixbleed: To Infinity and Beyond“ getauft, haben die Entdecker von WatchTowr Labs <a href="https://labs.watchtowr.com/citrixbleed-to-infinity-and-beyond-citrix-netscaler-pre-auth-memory-overread-cve-2026-8451/" rel="external noopener" target="_blank">in ihrem Blog veröffentlicht</a>.</p>
<div class="update-box a-u-inline">
<div class="a-publish-info update-box__datetime">
<!-- RSPEAK_STOP -->
<span class="a-publish-info__update">Update</span>
<time class="
a-datetime
a-publish-info__datetime" datetime="2026-07-01T18:02:00">
<span class="
a-datetime__date
a-publish-info__date">01.07.2026,
</span>
<span class="a-datetime__time ">18:02
</span>
<span class="
a-datetime__word
">
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
</div>
<div class="update-box__text">
<p>Blogeintrag von WatchTowr Labs nachgetragen.</p>
</div>
</div>
<p>Zuletzt sorgte Citrix <a href="http://www.heise.de/news/Angriffe-laufen-auf-Citrix-Gateway-und-Netscaler-ADC-11229094.html">Ende März mit Attacken auf Gateway und NetScaler ADC für Schlagzeilen</a>.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:des@heise.de" title="Dennis Schirrmacher">des</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11350144"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11350144: Angreifer können Citrix NetScaler ADC und NetScaler Gateway lahmlegen"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
2026-07-01T09:04:00.000Z
urn:bid:5109421
2026-07-01T07:59:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Von PHP bis RustDesk: Der Unbekannte hat mit KI-Unterstützung Sicherheitslücken in allerlei quelloffener Software entdeckt und publik gemacht – als Geschenk.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Exploitarium-Anonymous-security-researcher-publishes-two-dozen-zero-days-11350105.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FExploitarium-Anonymer-Sicherheitsforscher-veroeffentlicht-zwei-Dutzend-Zero-Days-11350036.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FExploitarium-Anonymer-Sicherheitsforscher-veroeffentlicht-zwei-Dutzend-Zero-Days-11350036.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Exploitarium-Anonymer-Sicherheitsforscher-veroeffentlicht-zwei-Dutzend-Zero-Days-11350036.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Exploitarium-Anonymer-Sicherheitsforscher-veroeffentlicht-zwei-Dutzend-Zero-Days/forum-585825/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>20</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/4/2/1/0days-apple-d697ffa8bace9006.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/1/0days-apple-d697ffa8bace9006.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/1/0days-apple-d697ffa8bace9006.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/1/0days-apple-d697ffa8bace9006.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/1/0days-apple-d697ffa8bace9006.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/1/0days-apple-d697ffa8bace9006.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Aufkleber auf Macbook: Dropping 0-days faster than Newton's apple"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__text">
Aufkleber auf Macbook: Dropping 0-days faster than Newton's apple
</p> <p class="a-caption__source">
(Bild: heise medien / cku)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-01T09:59:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>01.07.2026,
</span>
<span class="a-datetime__time ">09:59
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
3 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Dr-Christopher-Kunz-4325470"
class="creator__link"
>Dr. Christopher Kunz</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Exploitarium-Anonymous-security-researcher-publishes-two-dozen-zero-days-11350105.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Ein Unbekannter mit dem sommerlichen Pseudonym „Bikini“ hat auf der Codesharing-Plattform Github Proof-of-Concept-Code für knapp zwei Dutzend Sicherheitslücken veröffentlicht – nach eigener Aussage allesamt bislang ungefixte Zero-Days. Darunter befinden sich Exploits für PHP, OpenVPN, VLC und andere Projekte. Die Schwere der Sicherheitslücken variiert von Informationslecks bis zu Codeeinschleusung. Wer will, kann die Lücken an den Hersteller melden, um Ruhm einzuheimsen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Im Github-Repository „<a href="https://github.com/bikini/exploitarium" rel="external noopener" target="_blank">Exploitarium</a>“ finden sich alle Lücken mit einer kurzen README, die wie Teile der eigentlichen Lückenfindung KI-generiert ist. Im Einzelnen sind folgende Projekte betroffen:</p>
<ul class="rte__list rte__list--unordered"><li>7-Zip 26.01 (Windows)</li><li>AnyDesk 9.7.6 (Windows)</li><li>c-ares</li><li>Docker Engine 29.6.0</li><li>FFmpeg: RASC-Decoder</li><li>Firefox 152.0.2 (Windows)</li><li>Floci 1.5.27 API Gateway</li><li>Flowise 3.1.2 / flowise-components 3.1.2</li><li>Ghidra 12.1.2</li><li>Gitea</li><li>ImageMagick 7.1.2-25 mit Ghostscript 10.07.1 (Windows)</li><li>libssh2 (PoC für <a href="http://www.heise.de/news/Kritische-libssh2-Luecke-Proof-of-Concept-Exploit-veroeffentlicht-11347855.html">CVE-2026-55200</a> sowie für neue Lücke unter Windows)</li><li>Lunar Client</li><li>MyBB 1.8.40</li><li>nghttp2 1.69.0</li><li>nmap</li><li>objdump</li><li>OpenVPN 3.11.3 sowie OpenVPN Connect für Windows 3.8.0</li><li>PHP 8.5.7</li><li>RustDesk</li><li>SystemInformer 4.0.26162.539 (Windows)</li><li>VLC 3.0.23 (Windows)</li></ul>
<p>Wie der unbekannte Sicherheitsforscher selber schreibt, sind manche seiner Funde „ein bißchen schrottig“, manche seien aber besser. Er nutzte KI für Handreichungen bei der Lückensuche, betont jedoch, dass fast alle PoCs handkodiert seien. Bis auf eine Lücke – CVE-2026-55200 – gibt es weder CVE-Kennungen noch CVSS-Punkte oder andere Zusatzinformationen. Potenziell Betroffene müssen diese aus den jeweiligen Readmes und dem PoC-Code extrahieren oder auf Bearbeitung durch die Hersteller warten. Auf die Hintergründe von CVE, CVSS und anderen Metadaten für Sicherheitslücken geht der Podcast „Passwort“ in seiner aktuellen Folge ausführlich ein.</p>
<a-opt-in checkbox-text="Podcasts immer laden" class=" a-u-inline" type="Podigee">
<div class="opt-in__content-container">
<h2 class="opt-in__title">Empfohlener redaktioneller Inhalt</h2>
<p class="opt-in__description">
Mit Ihrer Zustimmung wird hier ein externer Podcast (Podigee GmbH) geladen.
</p>
<div class="opt-in__cta-container">
<button class="opt-in__cta" data-opt-in>Podcast jetzt laden</button>
</div>
<p class="opt-in__footnote">
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden.
Damit können personenbezogene Daten an Drittplattformen (Podigee GmbH) übermittelt werden.
Mehr dazu in unserer
<a href="https://www.heise.de/Datenschutzerklaerung-der-Heise-Medien-GmbH-Co-KG-4860.html">Datenschutzerklärung</a>.
</p>
</div>
</a-opt-in>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_motivation__0">Motivation: Nachwuchswerbung</h3>
<p>Die Motivation hinter dem Exploitarium sei Nachwuchswerbung, schreibt der Anonymous. Er schenkt die Funde der Öffentlichkeit und betont, dass ein jeder sie an die betroffenen Hersteller melden dürfe, um einen CVE dafür „einzuheimsen“. Der Sicherheitsforscher habe sich zu diesem Vorgehen entschlossen, um „Leute in das Feld [der Exploitsuche, d.R.] zu locken“, er empfinde es als „effizientesten Weg“ der Nachwuchswerbung.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>KI-generierte Sicherheitslücken überschwemmen in den vergangenen Monaten in einer Art „Vulnokalypse“ die Bug-Bounty-Programme vieler Hersteller und führen zu spürbaren Abnutzungserscheinungen. Das cURL-Projekt hat daher den „<a href="http://www.heise.de/news/Sommer-der-Glueckseligkeit-curl-nimmt-einen-Monat-lang-keine-Bug-Reports-an-11332339.html">Summer of Bliss</a>“ ausgerufen und bearbeitet im Juli keine Fehlermeldungen.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:cku@heise.de" title="Dr. Christopher Kunz">cku</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11350036"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11350036: Exploitarium: Anonymer Sicherheitsforscher veröffentlicht zwei Dutzend Zero-Days"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Von PHP bis RustDesk: Der Unbekannte hat mit KI-Unterstützung Sicherheitslücken in allerlei quelloffener Software entdeckt und publik gemacht – als Geschenk.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Exploitarium-Anonymous-security-researcher-publishes-two-dozen-zero-days-11350105.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FExploitarium-Anonymer-Sicherheitsforscher-veroeffentlicht-zwei-Dutzend-Zero-Days-11350036.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FExploitarium-Anonymer-Sicherheitsforscher-veroeffentlicht-zwei-Dutzend-Zero-Days-11350036.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Exploitarium-Anonymer-Sicherheitsforscher-veroeffentlicht-zwei-Dutzend-Zero-Days-11350036.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Exploitarium-Anonymer-Sicherheitsforscher-veroeffentlicht-zwei-Dutzend-Zero-Days/forum-585825/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>20</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/4/2/1/0days-apple-d697ffa8bace9006.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/1/0days-apple-d697ffa8bace9006.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/1/0days-apple-d697ffa8bace9006.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/1/0days-apple-d697ffa8bace9006.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/1/0days-apple-d697ffa8bace9006.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/1/0days-apple-d697ffa8bace9006.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Aufkleber auf Macbook: Dropping 0-days faster than Newton's apple"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__text">
Aufkleber auf Macbook: Dropping 0-days faster than Newton's apple
</p> <p class="a-caption__source">
(Bild: heise medien / cku)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-01T09:59:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>01.07.2026,
</span>
<span class="a-datetime__time ">09:59
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
3 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Dr-Christopher-Kunz-4325470"
class="creator__link"
>Dr. Christopher Kunz</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Exploitarium-Anonymous-security-researcher-publishes-two-dozen-zero-days-11350105.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Ein Unbekannter mit dem sommerlichen Pseudonym „Bikini“ hat auf der Codesharing-Plattform Github Proof-of-Concept-Code für knapp zwei Dutzend Sicherheitslücken veröffentlicht – nach eigener Aussage allesamt bislang ungefixte Zero-Days. Darunter befinden sich Exploits für PHP, OpenVPN, VLC und andere Projekte. Die Schwere der Sicherheitslücken variiert von Informationslecks bis zu Codeeinschleusung. Wer will, kann die Lücken an den Hersteller melden, um Ruhm einzuheimsen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Im Github-Repository „<a href="https://github.com/bikini/exploitarium" rel="external noopener" target="_blank">Exploitarium</a>“ finden sich alle Lücken mit einer kurzen README, die wie Teile der eigentlichen Lückenfindung KI-generiert ist. Im Einzelnen sind folgende Projekte betroffen:</p>
<ul class="rte__list rte__list--unordered"><li>7-Zip 26.01 (Windows)</li><li>AnyDesk 9.7.6 (Windows)</li><li>c-ares</li><li>Docker Engine 29.6.0</li><li>FFmpeg: RASC-Decoder</li><li>Firefox 152.0.2 (Windows)</li><li>Floci 1.5.27 API Gateway</li><li>Flowise 3.1.2 / flowise-components 3.1.2</li><li>Ghidra 12.1.2</li><li>Gitea</li><li>ImageMagick 7.1.2-25 mit Ghostscript 10.07.1 (Windows)</li><li>libssh2 (PoC für <a href="http://www.heise.de/news/Kritische-libssh2-Luecke-Proof-of-Concept-Exploit-veroeffentlicht-11347855.html">CVE-2026-55200</a> sowie für neue Lücke unter Windows)</li><li>Lunar Client</li><li>MyBB 1.8.40</li><li>nghttp2 1.69.0</li><li>nmap</li><li>objdump</li><li>OpenVPN 3.11.3 sowie OpenVPN Connect für Windows 3.8.0</li><li>PHP 8.5.7</li><li>RustDesk</li><li>SystemInformer 4.0.26162.539 (Windows)</li><li>VLC 3.0.23 (Windows)</li></ul>
<p>Wie der unbekannte Sicherheitsforscher selber schreibt, sind manche seiner Funde „ein bißchen schrottig“, manche seien aber besser. Er nutzte KI für Handreichungen bei der Lückensuche, betont jedoch, dass fast alle PoCs handkodiert seien. Bis auf eine Lücke – CVE-2026-55200 – gibt es weder CVE-Kennungen noch CVSS-Punkte oder andere Zusatzinformationen. Potenziell Betroffene müssen diese aus den jeweiligen Readmes und dem PoC-Code extrahieren oder auf Bearbeitung durch die Hersteller warten. Auf die Hintergründe von CVE, CVSS und anderen Metadaten für Sicherheitslücken geht der Podcast „Passwort“ in seiner aktuellen Folge ausführlich ein.</p>
<a-opt-in checkbox-text="Podcasts immer laden" class=" a-u-inline" type="Podigee">
<div class="opt-in__content-container">
<h2 class="opt-in__title">Empfohlener redaktioneller Inhalt</h2>
<p class="opt-in__description">
Mit Ihrer Zustimmung wird hier ein externer Podcast (Podigee GmbH) geladen.
</p>
<div class="opt-in__cta-container">
<button class="opt-in__cta" data-opt-in>Podcast jetzt laden</button>
</div>
<p class="opt-in__footnote">
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden.
Damit können personenbezogene Daten an Drittplattformen (Podigee GmbH) übermittelt werden.
Mehr dazu in unserer
<a href="https://www.heise.de/Datenschutzerklaerung-der-Heise-Medien-GmbH-Co-KG-4860.html">Datenschutzerklärung</a>.
</p>
</div>
</a-opt-in>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_motivation__0">Motivation: Nachwuchswerbung</h3>
<p>Die Motivation hinter dem Exploitarium sei Nachwuchswerbung, schreibt der Anonymous. Er schenkt die Funde der Öffentlichkeit und betont, dass ein jeder sie an die betroffenen Hersteller melden dürfe, um einen CVE dafür „einzuheimsen“. Der Sicherheitsforscher habe sich zu diesem Vorgehen entschlossen, um „Leute in das Feld [der Exploitsuche, d.R.] zu locken“, er empfinde es als „effizientesten Weg“ der Nachwuchswerbung.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>KI-generierte Sicherheitslücken überschwemmen in den vergangenen Monaten in einer Art „Vulnokalypse“ die Bug-Bounty-Programme vieler Hersteller und führen zu spürbaren Abnutzungserscheinungen. Das cURL-Projekt hat daher den „<a href="http://www.heise.de/news/Sommer-der-Glueckseligkeit-curl-nimmt-einen-Monat-lang-keine-Bug-Reports-an-11332339.html">Summer of Bliss</a>“ ausgerufen und bearbeitet im Juli keine Fehlermeldungen.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:cku@heise.de" title="Dr. Christopher Kunz">cku</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11350036"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11350036: Exploitarium: Anonymer Sicherheitsforscher veröffentlicht zwei Dutzend Zero-Days"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
2026-07-01T07:59:00.000Z
urn:bid:5109423
2026-07-01T07:46:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
Die Flut an identifizierten Sicherheitslücken reißt nicht ab, im Chrome werden jetzt erneut fast 400 geschlossen. Ob die Zahl wieder sinken wird, ist unklar.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Google-Chrome-Large-update-closes-hundreds-of-security-vulnerabilities-again-11350087.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FGoogle-Chrome-Grosses-Update-schliesst-erneut-Hunderte-Sicherheitsluecken-11350040.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FGoogle-Chrome-Grosses-Update-schliesst-erneut-Hunderte-Sicherheitsluecken-11350040.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Google-Chrome-Grosses-Update-schliesst-erneut-Hunderte-Sicherheitsluecken-11350040.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Google-Chrome-Grosses-Update-schliesst-erneut-Hunderte-Sicherheitsluecken/forum-585824/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>11</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/4/2/3/shutterstock_2617324169-830e0ede628d9d29.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/3/shutterstock_2617324169-830e0ede628d9d29.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/3/shutterstock_2617324169-830e0ede628d9d29.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/3/shutterstock_2617324169-830e0ede628d9d29.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/3/shutterstock_2617324169-830e0ede628d9d29.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/3/shutterstock_2617324169-830e0ede628d9d29.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Das Chrome-Logo in einer Taskleiste, darüber die Maus und die Beschriftung "Google Chrome""
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: annd.img/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-01T09:46:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>01.07.2026,
</span>
<span class="a-datetime__time ">09:46
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Martin-Holland-3639057"
class="creator__link"
>Martin Holland</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Google-Chrome-Large-update-closes-hundreds-of-security-vulnerabilities-again-11350087.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Google hat im Chrome-Browser erneut 382 Sicherheitslücken geschlossen, das sind nur 47 weniger als beim Rekordupdate vor einem Monat. Bei insgesamt 15 der gestopften Lücken hat es sich um solche mit der Einstufung „kritisch“ gehandelt. Details zu den zahlreichen behobenen Fehlern finden sich in der <a href="https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html" rel="external noopener" target="_blank">Bekanntmachung von Google</a>, mit dem Update wird Chrome auf Version 150.0.7871.46 (Linux), auf Version 150.0.7871.46 (Mac) beziehungsweise 150.0.7871.47 (Windows) gehoben. Ein rasches Updaten wird empfohlen, zumeist wird das aber automatisch installiert. Aktualisiert wurde auch Chrome für Android, hier <a href="https://chromereleases.googleblog.com/2026/06/chrome-for-android-update_01486779060.html" rel="external noopener" target="_blank">sollte man</a> nun Version 150.0.7871.63 nutzen. Die darin geschlossenen Lücken entsprechen jenen der Desktopversion.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_ki_sorgt_für__0">KI sorgt für Flut an bekannten Lücken</h3>
<p>Mit der erneut <a href="http://www.heise.de/news/Google-Chrome-Update-schliesst-429-Sicherheitsluecken-11319210.html">riesigen Anzahl an geschlossenen Lücken</a> setzt sich auch bei Chrome ein Trend fort, der darauf zurückzuführen ist, dass die leistungsfähigsten KI-Modelle seit einigen Monaten deutlich besser darin sind, Lücken und darüber mögliche Cyberangriffe zu finden. Auch im Firefox-Browser wurden damit zuletzt jeden Monat <a href="http://www.heise.de/news/Dank-KI-Im-April-so-viele-Firefox-Luecken-geschlossen-wie-vorher-in-zwei-Jahren-11287023.html">Hunderte Sicherheitslücken gefunden und geschlossen</a>, bislang waren es in solch einem Zeitraum immer maximal wenige Dutzend. Dem aktuellen Riesenupdate von Chrome stehen sogar nur genau drei Lücken gegenüber, die bei der entsprechenden Aktualisierung im Stable Channel <a href="http://www.heise.de/news/Chrome-Firefox-Thunderbird-Neue-Versionen-beheben-Schwachstellen-10497296.html">ein Jahr vorher geschlossen wurden</a>.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Das Chrome-Update kommt jetzt mittels Versionsdialog auf den Rechner. Dazu das Browser-Menü öffnen und auf „Hilfe“ und dort auf „Über <Browsername>“ respektive „Info“ bei einigen auf Chromium basierenden Browsern klicken. Das zeigt den derzeit aktiven Softwarestand an und lädt gegebenenfalls verfügbare Aktualisierungen herunter. Unter Linux ist dafür in der Regel die Softwareverwaltung der Distribution zuständig. Auf Mobilgeräten hingegen müssen Nutzerinnen und Nutzer im jeweiligen App-Store nachsehen, dort kommen die Aktualisierungen jedoch oftmals mit deutlicher Verzögerung an – ein beschleunigtes Update kann nicht erzwungen werden. Da auch andere Browser auf Chromium basieren, dürften sie ebenfalls ein umfangreiches Update ausliefern.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:mho@heise.de" title="Martin Holland">mho</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11350040"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11350040: Google Chrome: Großes Update schließt erneut Hunderte Sicherheitslücken"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
Die Flut an identifizierten Sicherheitslücken reißt nicht ab, im Chrome werden jetzt erneut fast 400 geschlossen. Ob die Zahl wieder sinken wird, ist unklar.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Google-Chrome-Large-update-closes-hundreds-of-security-vulnerabilities-again-11350087.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FGoogle-Chrome-Grosses-Update-schliesst-erneut-Hunderte-Sicherheitsluecken-11350040.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FGoogle-Chrome-Grosses-Update-schliesst-erneut-Hunderte-Sicherheitsluecken-11350040.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Google-Chrome-Grosses-Update-schliesst-erneut-Hunderte-Sicherheitsluecken-11350040.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Google-Chrome-Grosses-Update-schliesst-erneut-Hunderte-Sicherheitsluecken/forum-585824/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>11</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/4/2/3/shutterstock_2617324169-830e0ede628d9d29.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/3/shutterstock_2617324169-830e0ede628d9d29.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/3/shutterstock_2617324169-830e0ede628d9d29.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/3/shutterstock_2617324169-830e0ede628d9d29.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/3/shutterstock_2617324169-830e0ede628d9d29.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/4/2/3/shutterstock_2617324169-830e0ede628d9d29.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Das Chrome-Logo in einer Taskleiste, darüber die Maus und die Beschriftung "Google Chrome""
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: annd.img/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-07-01T09:46:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>01.07.2026,
</span>
<span class="a-datetime__time ">09:46
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Martin-Holland-3639057"
class="creator__link"
>Martin Holland</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Google-Chrome-Large-update-closes-hundreds-of-security-vulnerabilities-again-11350087.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Google hat im Chrome-Browser erneut 382 Sicherheitslücken geschlossen, das sind nur 47 weniger als beim Rekordupdate vor einem Monat. Bei insgesamt 15 der gestopften Lücken hat es sich um solche mit der Einstufung „kritisch“ gehandelt. Details zu den zahlreichen behobenen Fehlern finden sich in der <a href="https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html" rel="external noopener" target="_blank">Bekanntmachung von Google</a>, mit dem Update wird Chrome auf Version 150.0.7871.46 (Linux), auf Version 150.0.7871.46 (Mac) beziehungsweise 150.0.7871.47 (Windows) gehoben. Ein rasches Updaten wird empfohlen, zumeist wird das aber automatisch installiert. Aktualisiert wurde auch Chrome für Android, hier <a href="https://chromereleases.googleblog.com/2026/06/chrome-for-android-update_01486779060.html" rel="external noopener" target="_blank">sollte man</a> nun Version 150.0.7871.63 nutzen. Die darin geschlossenen Lücken entsprechen jenen der Desktopversion.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_ki_sorgt_für__0">KI sorgt für Flut an bekannten Lücken</h3>
<p>Mit der erneut <a href="http://www.heise.de/news/Google-Chrome-Update-schliesst-429-Sicherheitsluecken-11319210.html">riesigen Anzahl an geschlossenen Lücken</a> setzt sich auch bei Chrome ein Trend fort, der darauf zurückzuführen ist, dass die leistungsfähigsten KI-Modelle seit einigen Monaten deutlich besser darin sind, Lücken und darüber mögliche Cyberangriffe zu finden. Auch im Firefox-Browser wurden damit zuletzt jeden Monat <a href="http://www.heise.de/news/Dank-KI-Im-April-so-viele-Firefox-Luecken-geschlossen-wie-vorher-in-zwei-Jahren-11287023.html">Hunderte Sicherheitslücken gefunden und geschlossen</a>, bislang waren es in solch einem Zeitraum immer maximal wenige Dutzend. Dem aktuellen Riesenupdate von Chrome stehen sogar nur genau drei Lücken gegenüber, die bei der entsprechenden Aktualisierung im Stable Channel <a href="http://www.heise.de/news/Chrome-Firefox-Thunderbird-Neue-Versionen-beheben-Schwachstellen-10497296.html">ein Jahr vorher geschlossen wurden</a>.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Das Chrome-Update kommt jetzt mittels Versionsdialog auf den Rechner. Dazu das Browser-Menü öffnen und auf „Hilfe“ und dort auf „Über <Browsername>“ respektive „Info“ bei einigen auf Chromium basierenden Browsern klicken. Das zeigt den derzeit aktiven Softwarestand an und lädt gegebenenfalls verfügbare Aktualisierungen herunter. Unter Linux ist dafür in der Regel die Softwareverwaltung der Distribution zuständig. Auf Mobilgeräten hingegen müssen Nutzerinnen und Nutzer im jeweiligen App-Store nachsehen, dort kommen die Aktualisierungen jedoch oftmals mit deutlicher Verzögerung an – ein beschleunigtes Update kann nicht erzwungen werden. Da auch andere Browser auf Chromium basieren, dürften sie ebenfalls ein umfangreiches Update ausliefern.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:mho@heise.de" title="Martin Holland">mho</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11350040"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11350040: Google Chrome: Großes Update schließt erneut Hunderte Sicherheitslücken"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-das-beste-city-e-bike-preis-leistungs-sieger-kostet-799-euro/syrrc15?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="2419" height="1359" src="https://www.heise.de/imgs/18/5/1/0/9/8/9/9/b10da8094b406704.jpeg" style="aspect-ratio:2419 / 1359"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="2419" height="1359" style="aspect-ratio:2419 / 1359;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Das beste City-E-Bike</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-bestes-smartphone-bis-400-euro-im-test-schon-mit-guter-kamera/22wwybb?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="4080" height="2293" src="https://www.heise.de/imgs/18/5/1/0/8/3/2/8/5ca3ec1b02318d49.jpeg" style="aspect-ratio:4080 / 2293"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="4080" height="2293" style="aspect-ratio:4080 / 2293;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Bestes Smartphone bis 400 Euro im Test</span></span></h3></header></div></a>
2026-07-01T07:46:00.000Z
urn:bid:5109274
2026-06-30T16:30:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Sicherheitsforscher haben Schwachstellen in Apples AirDrop sowie in Googles und Samsungs Quick Share gefunden, die Systemabstürze provozieren können.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Security-vulnerabilities-discovered-in-Apple-s-AirDrop-and-Android-s-Quick-Share-11349772.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FSicherheitsluecken-in-Apples-AirDrop-und-Androids-Quick-Share-entdeckt-11349745.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.newsticker.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FSicherheitsluecken-in-Apples-AirDrop-und-Androids-Quick-Share-entdeckt-11349745.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Sicherheitsluecken-in-Apples-AirDrop-und-Androids-Quick-Share-entdeckt-11349745.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.newsticker.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Sicherheitsluecken-in-Apples-AirDrop-und-Androids-Quick-Share-entdeckt/forum-585797/comment/"
class="a-article-action"
name="meldung.newsticker.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/2/7/4/2024-12-16-Bing_Designer-Datei_drahtlos_teilen-3-2d5c4afbc637d5df.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/2/7/4/2024-12-16-Bing_Designer-Datei_drahtlos_teilen-3-2d5c4afbc637d5df.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/2/7/4/2024-12-16-Bing_Designer-Datei_drahtlos_teilen-3-2d5c4afbc637d5df.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/2/7/4/2024-12-16-Bing_Designer-Datei_drahtlos_teilen-3-2d5c4afbc637d5df.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/2/7/4/2024-12-16-Bing_Designer-Datei_drahtlos_teilen-3-2d5c4afbc637d5df.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/2/7/4/2024-12-16-Bing_Designer-Datei_drahtlos_teilen-3-2d5c4afbc637d5df.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Menschen teilen Dateien zwischen Smartphones und Computer"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: Dirk Knop / KI / heise medien)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-30T18:30:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>30.06.2026,
</span>
<span class="a-datetime__time ">18:30
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
3 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/newsticker/">
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Malte-Kirchner-3659878"
class="creator__link"
>Malte Kirchner</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<!-- RSPEAK_STOP -->
<a-collapse
class="
a-box
a-box--collapsable
a-box--full-bordered
a-toc
"
has-indicator
>
<header
data-collapse-trigger
class="
a-box__header
"
>
<span>
Inhaltsverzeichnis
</span>
</header>
<div data-collapse-target class="a-box__target">
<div class="a-box__content">
</div>
</div>
</a-collapse>
<!-- RSPEAK_START -->
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Security-vulnerabilities-discovered-in-Apple-s-AirDrop-and-Android-s-Quick-Share-11349772.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Sicherheitsforscher des CISPA Helmholtz-Zentrums für Informationssicherheit haben gleich drei Schwachstellen in Apples AirDrop-Funktion zur kabellosen Übertragung von Daten gefunden. Glücklicherweise kann keine der Lücken genutzt werden, um Schadcode auszuführen. Schlimm genug ist aber, dass sie dafür genutzt werden können, um Abstürze auszulösen. Weitere drei Sicherheitslücken wurden in Googles und Samsungs Quick Share aufgedeckt.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Arash Ale Ebrahim und Nils Ole Tippenhauer haben <a href="https://cispa.de/en/research/publications/213183-protocol-prying-systematic-vulnerability-research-in-the-airdrop-and-android-quick-share-proximity-transfer-protocols" rel="external noopener" target="_blank">für ihre Untersuchung</a> eigens das Testprogramm „AirFuzz“ entwickelt, ein Werkzeug, das automatisiert fehlerhafte oder manipulierte Datenpakete an AirDrop schickt, um Abstürze und Fehlverhalten zu provozieren. Im Fokus stand dabei die Anwendungsebene der Funktionen und nicht Schwachstellen auf der reinen Funkebene.</p>
<h3 class="subheading" id="nav_wie_die_lücken__0">Wie die Lücken funktionieren</h3>
<p>Zwei der drei AirDrop-Lücken lassen sich bereits auslösen, wenn AirDrop auf „Jeder“ steht. Die dritte wird erst nach Annahme einer Übertragung erreicht.</p>
<p>So reicht ein einzelner, fehlerhaft formatierter HTTP-Request aus, um den zuständigen Systemdienst <code>sharingd</code> abstürzen zu lassen. Das bringt nicht nur AirDrop zum Erliegen, sondern auch verwandte Funktionen wie AirPlay, Handoff und die Zwischenablage-Synchronisation zwischen Geräten.</p>
<p>Eine zweite Lücke steckt in der Verarbeitung von Property-Lists, einem internen Datenformat, und kann durch verschachtelte Datenstrukturen einen Speicherüberlauf auslösen. Eine dritte Schwachstelle in Apples Netzwerk-Framework lässt sich durch präparierte HTTP-Header provozieren.</p>
<p>Die Forscher betonen ausdrücklich, dass zehn verschiedene Versuche, die eigentliche Nutzerbestätigung für Dateiübertragungen zu umgehen, allesamt scheiterten – Apples Prüfung der Apple-ID hält demnach stand.</p>
<h3 class="subheading" id="nav_auch_probleme__1">Auch Probleme bei Google und Samsung</h3>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>Bei Quick Share fanden die Forscher zwei Probleme in Samsungs Implementierung: Zum einen verarbeitet der Dienst bestimmte Datenpakete bereits, bevor der eigentliche Authentifizierungs-Handshake abgeschlossen ist. Zum anderen werden drei von sieben Nachrichtentypen auch dann verarbeitet, wenn sie entgegen der Spezifikation unverschlüsselt ankommen – ein Angreifer im selben WLAN könnte so etwa Verbindungen manipulieren oder Sitzungen künstlich am Leben halten.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Am gravierendsten ist ein Fund in Googles Quick-Share-Client für Windows: ein sogenannter Use-after-Free-Fehler, bei dem das Programm auf bereits freigegebenen Speicher zugreift. Diese Klasse von Fehlern lässt sich unter bestimmten Umständen zur Ausführung von Schadcode missbrauchen. Die Forscher konnten zwar einen zuverlässigen Absturz auslösen, aber keinen vollständigen Exploit entwickeln.</p>
<h3 class="subheading" id="nav_bugfixes_sind__2">Bugfixes sind in Arbeit</h3>
<p>Apple hat die drei AirDrop-Lücken bestätigt, an Fixes wird laut den Forschern gearbeitet. Samsung hat seine beiden Funde an Google weitergereicht, da der betroffene Code aus Googles Quick-Share-Komponenten stammt; diese werden derzeit noch geprüft. Google hat die Windows-Lücke bestätigt und mit einer Bug-Bounty-Prämie belohnt.</p>
<p>Die Angriffe funktionieren nur aus relativer Funknähe von etwa 10 bis 30 Metern – ein Angreifer muss sich also physisch in der Nähe des Zielgeräts aufhalten. In dicht gedrängten Umgebungen wie Flughäfen, Bahnhöfen oder auf Konferenzen ließen sich damit aber theoretisch viele Geräte gleichzeitig ins Visier nehmen.</p>
<p>Da noch keine Patches vorliegen, empfiehlt sich vorerst Zurückhaltung: Wer AirDrop nicht aktiv nutzt, sollte den Modus meiden, mit dem einen jeder im Umkreis für einige Minuten sehen kann, oder zumindest so kurz wie möglich halten. Bei Quick Share gilt ähnliche Vorsicht in unbekannten Umgebungen mit aktivierter Sichtbarkeit für alle Geräte.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://www.heise.de/newsletter/anmeldung.html?id=ki-update&amp;wt_mc=intern.red.ho.ho_nl_ki.ho.markenbanner.markenbanner" name="meldung.newsticker.inline.branding_" title="Melden Sie sich zum KI-Update an">
<a-img alt="Melden Sie sich zum KI-Update an" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/1/2/20250814_Fallback_KI-Update_mobil-27288d002022edd2.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Melden Sie sich zum KI-Update an" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Melden Sie sich zum KI-Update an" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/1/2/20250814_Fallback_KI-Update-c47e5f007d33025f.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Melden Sie sich zum KI-Update an" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:mki@heise.de" title="Malte Kirchner">mki</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11349745"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11349745: Sicherheitslücken in Apples AirDrop und Androids Quick Share entdeckt"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Sicherheitsforscher haben Schwachstellen in Apples AirDrop sowie in Googles und Samsungs Quick Share gefunden, die Systemabstürze provozieren können.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Security-vulnerabilities-discovered-in-Apple-s-AirDrop-and-Android-s-Quick-Share-11349772.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FSicherheitsluecken-in-Apples-AirDrop-und-Androids-Quick-Share-entdeckt-11349745.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.newsticker.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FSicherheitsluecken-in-Apples-AirDrop-und-Androids-Quick-Share-entdeckt-11349745.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Sicherheitsluecken-in-Apples-AirDrop-und-Androids-Quick-Share-entdeckt-11349745.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.newsticker.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Sicherheitsluecken-in-Apples-AirDrop-und-Androids-Quick-Share-entdeckt/forum-585797/comment/"
class="a-article-action"
name="meldung.newsticker.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/9/2/7/4/2024-12-16-Bing_Designer-Datei_drahtlos_teilen-3-2d5c4afbc637d5df.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/9/2/7/4/2024-12-16-Bing_Designer-Datei_drahtlos_teilen-3-2d5c4afbc637d5df.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/2/7/4/2024-12-16-Bing_Designer-Datei_drahtlos_teilen-3-2d5c4afbc637d5df.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/2/7/4/2024-12-16-Bing_Designer-Datei_drahtlos_teilen-3-2d5c4afbc637d5df.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/2/7/4/2024-12-16-Bing_Designer-Datei_drahtlos_teilen-3-2d5c4afbc637d5df.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/9/2/7/4/2024-12-16-Bing_Designer-Datei_drahtlos_teilen-3-2d5c4afbc637d5df.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Menschen teilen Dateien zwischen Smartphones und Computer"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: Dirk Knop / KI / heise medien)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-30T18:30:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>30.06.2026,
</span>
<span class="a-datetime__time ">18:30
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
3 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/newsticker/">
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Malte-Kirchner-3659878"
class="creator__link"
>Malte Kirchner</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<!-- RSPEAK_STOP -->
<a-collapse
class="
a-box
a-box--collapsable
a-box--full-bordered
a-toc
"
has-indicator
>
<header
data-collapse-trigger
class="
a-box__header
"
>
<span>
Inhaltsverzeichnis
</span>
</header>
<div data-collapse-target class="a-box__target">
<div class="a-box__content">
</div>
</div>
</a-collapse>
<!-- RSPEAK_START -->
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Security-vulnerabilities-discovered-in-Apple-s-AirDrop-and-Android-s-Quick-Share-11349772.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Sicherheitsforscher des CISPA Helmholtz-Zentrums für Informationssicherheit haben gleich drei Schwachstellen in Apples AirDrop-Funktion zur kabellosen Übertragung von Daten gefunden. Glücklicherweise kann keine der Lücken genutzt werden, um Schadcode auszuführen. Schlimm genug ist aber, dass sie dafür genutzt werden können, um Abstürze auszulösen. Weitere drei Sicherheitslücken wurden in Googles und Samsungs Quick Share aufgedeckt.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Arash Ale Ebrahim und Nils Ole Tippenhauer haben <a href="https://cispa.de/en/research/publications/213183-protocol-prying-systematic-vulnerability-research-in-the-airdrop-and-android-quick-share-proximity-transfer-protocols" rel="external noopener" target="_blank">für ihre Untersuchung</a> eigens das Testprogramm „AirFuzz“ entwickelt, ein Werkzeug, das automatisiert fehlerhafte oder manipulierte Datenpakete an AirDrop schickt, um Abstürze und Fehlverhalten zu provozieren. Im Fokus stand dabei die Anwendungsebene der Funktionen und nicht Schwachstellen auf der reinen Funkebene.</p>
<h3 class="subheading" id="nav_wie_die_lücken__0">Wie die Lücken funktionieren</h3>
<p>Zwei der drei AirDrop-Lücken lassen sich bereits auslösen, wenn AirDrop auf „Jeder“ steht. Die dritte wird erst nach Annahme einer Übertragung erreicht.</p>
<p>So reicht ein einzelner, fehlerhaft formatierter HTTP-Request aus, um den zuständigen Systemdienst <code>sharingd</code> abstürzen zu lassen. Das bringt nicht nur AirDrop zum Erliegen, sondern auch verwandte Funktionen wie AirPlay, Handoff und die Zwischenablage-Synchronisation zwischen Geräten.</p>
<p>Eine zweite Lücke steckt in der Verarbeitung von Property-Lists, einem internen Datenformat, und kann durch verschachtelte Datenstrukturen einen Speicherüberlauf auslösen. Eine dritte Schwachstelle in Apples Netzwerk-Framework lässt sich durch präparierte HTTP-Header provozieren.</p>
<p>Die Forscher betonen ausdrücklich, dass zehn verschiedene Versuche, die eigentliche Nutzerbestätigung für Dateiübertragungen zu umgehen, allesamt scheiterten – Apples Prüfung der Apple-ID hält demnach stand.</p>
<h3 class="subheading" id="nav_auch_probleme__1">Auch Probleme bei Google und Samsung</h3>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>Bei Quick Share fanden die Forscher zwei Probleme in Samsungs Implementierung: Zum einen verarbeitet der Dienst bestimmte Datenpakete bereits, bevor der eigentliche Authentifizierungs-Handshake abgeschlossen ist. Zum anderen werden drei von sieben Nachrichtentypen auch dann verarbeitet, wenn sie entgegen der Spezifikation unverschlüsselt ankommen – ein Angreifer im selben WLAN könnte so etwa Verbindungen manipulieren oder Sitzungen künstlich am Leben halten.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Am gravierendsten ist ein Fund in Googles Quick-Share-Client für Windows: ein sogenannter Use-after-Free-Fehler, bei dem das Programm auf bereits freigegebenen Speicher zugreift. Diese Klasse von Fehlern lässt sich unter bestimmten Umständen zur Ausführung von Schadcode missbrauchen. Die Forscher konnten zwar einen zuverlässigen Absturz auslösen, aber keinen vollständigen Exploit entwickeln.</p>
<h3 class="subheading" id="nav_bugfixes_sind__2">Bugfixes sind in Arbeit</h3>
<p>Apple hat die drei AirDrop-Lücken bestätigt, an Fixes wird laut den Forschern gearbeitet. Samsung hat seine beiden Funde an Google weitergereicht, da der betroffene Code aus Googles Quick-Share-Komponenten stammt; diese werden derzeit noch geprüft. Google hat die Windows-Lücke bestätigt und mit einer Bug-Bounty-Prämie belohnt.</p>
<p>Die Angriffe funktionieren nur aus relativer Funknähe von etwa 10 bis 30 Metern – ein Angreifer muss sich also physisch in der Nähe des Zielgeräts aufhalten. In dicht gedrängten Umgebungen wie Flughäfen, Bahnhöfen oder auf Konferenzen ließen sich damit aber theoretisch viele Geräte gleichzeitig ins Visier nehmen.</p>
<p>Da noch keine Patches vorliegen, empfiehlt sich vorerst Zurückhaltung: Wer AirDrop nicht aktiv nutzt, sollte den Modus meiden, mit dem einen jeder im Umkreis für einige Minuten sehen kann, oder zumindest so kurz wie möglich halten. Bei Quick Share gilt ähnliche Vorsicht in unbekannten Umgebungen mit aktivierter Sichtbarkeit für alle Geräte.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://www.heise.de/newsletter/anmeldung.html?id=ki-update&amp;wt_mc=intern.red.ho.ho_nl_ki.ho.markenbanner.markenbanner" name="meldung.newsticker.inline.branding_" title="Melden Sie sich zum KI-Update an">
<a-img alt="Melden Sie sich zum KI-Update an" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/1/2/20250814_Fallback_KI-Update_mobil-27288d002022edd2.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Melden Sie sich zum KI-Update an" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Melden Sie sich zum KI-Update an" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/1/2/20250814_Fallback_KI-Update-c47e5f007d33025f.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Melden Sie sich zum KI-Update an" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:mki@heise.de" title="Malte Kirchner">mki</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11349745"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11349745: Sicherheitslücken in Apples AirDrop und Androids Quick Share entdeckt"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
2026-06-30T16:30:00.000Z
urn:bid:5108815
2026-06-30T09:23:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Google hat vergangene Woche angekündigt, den reCaptcha-Bot-Schutz mit Handgesten auszustatten. Das lässt sich mit Fotos aushebeln.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Bot-protection-with-hand-gestures-Google-s-reCaptcha-can-be-fooled-by-photos-11348993.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FBot-Schutz-mit-Handgesten-Googles-reCaptcha-laesst-sich-Fotos-unterjubeln-11348830.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FBot-Schutz-mit-Handgesten-Googles-reCaptcha-laesst-sich-Fotos-unterjubeln-11348830.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Bot-Schutz-mit-Handgesten-Googles-reCaptcha-laesst-sich-Fotos-unterjubeln-11348830.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Bot-Schutz-Googles-reCaptcha-mit-Handgesten-faellt-auf-Fotos-rein/forum-585757/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>16</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/8/1/5/shutterstock_515344588-77e552891ce25113.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/8/1/5/shutterstock_515344588-77e552891ce25113.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/8/1/5/shutterstock_515344588-77e552891ce25113.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/8/1/5/shutterstock_515344588-77e552891ce25113.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/8/1/5/shutterstock_515344588-77e552891ce25113.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/8/1/5/shutterstock_515344588-77e552891ce25113.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Gespreizte Hand"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: Bruce Rolff/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-30T11:23:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>30.06.2026,
</span>
<span class="a-datetime__time ">11:23
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Dirk-Knop-3629568"
class="creator__link"
>Dirk Knop</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Bot-protection-with-hand-gestures-Google-s-reCaptcha-can-be-fooled-by-photos-11348993.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Das als Schutz vor Bots und Betrug dienende Google reCaptcha wollen die Entwickler mit einer Erkennung von Handgesten verbessern. Erste Bastler haben die frühe Version schon jetzt ausgetrickst – mit untergeschobenen Fotos aus Stock-Archiven. Damit lässt sich das System derzeit täuschen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>In der vergangenen Woche hatte <a href="http://www.heise.de/news/Googles-reCaptcha-bekommt-Handgestenerkennung-11339773.html">Google die reCaptcha-Erweiterung um Handgesten</a> vorgestellt. Sie basiert auf einem Machine-Learning-Modell, also <a href="http://www.heise.de/thema/Kuenstliche-Intelligenz">Künstlicher Intelligenz</a>. Sie soll Referenzpunkte auf Händen erkennen und vermessen, insgesamt 21 Stück an der Zahl. Bei der Prüfung fordert das System Nutzerinnen und Nutzer auf, eine Handgeste vor einer Kamera nachzuvollziehen. Eigentlich soll die Funktion menschliche Bewegungen erkennen und damit etwa KI-Bots abwehren, die beim Lösen der bisherigen Captcha-Puzzles zunehmend besser werden.</p>
<p>Auf <a href="https://x.com/VGTimes/status/2071675967760933086" rel="external noopener" target="_blank">X haben IT-Forscher</a> nun vorgeführt, wie sich das System hinter die Fichte führen lässt. Sie nehmen eine Software wie Open Broadcaster Software (OBS), die sich ins System als (virtuelle) Kamera installieren lässt. Für die vom reCaptcha-System angefragte Handgeste verwenden sie einfach Stock-Fotos, auf denen die Personen die abgebildete Handgeste zeigen. Das genügt reCaptcha offenbar, die Anti-Bot- respektive Anti-Betrugs-Prüfung gilt als bestanden.</p>
<h3 class="subheading" id="nav_recaptcha_als__0">reCaptcha als einfacher Schutz</h3>
<p>Die Handgestenerkennung in Googles reCaptcha ist ein noch junges Feature und in früher Entwicklung, daher werden die Programmierer sicherlich noch Lösungen finden, solche plumpen Fälschungen zu entlarven. Es zeigt jedoch auch klar die Grenzen eines solchen Systems auf. Es bietet keine hundertprozentige Sicherheit, sondern siebt einfache Bots aus. </p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Es handelt sich um einen immerwährenden Wettlauf zwischen Angreifern auf das System und den Entwicklern. Das Ziel bleibt jedoch, die <a href="http://www.heise.de/news/Mensch-Maschine-Unterscheidung-mit-weniger-Nerverei-4022981.html">Menschen möglichst wenig zu nerven</a> und zu stören. Neue Captcha-Systeme sind nötig, da <a href="http://www.heise.de/news/Fast-immer-schneller-immer-korrekter-Bots-schlagen-Menschen-bei-Captchas-9240739.html">Bots in der Regel rasch aufholen und sogar schneller als Menschen</a> beim Lösen der Aufgaben werden. </p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:dmk@heise.de" title="Dirk Knop">dmk</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11348830"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11348830: Bot-Schutz: Googles reCaptcha mit Handgesten fällt auf Fotos rein"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Google hat vergangene Woche angekündigt, den reCaptcha-Bot-Schutz mit Handgesten auszustatten. Das lässt sich mit Fotos aushebeln.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Bot-protection-with-hand-gestures-Google-s-reCaptcha-can-be-fooled-by-photos-11348993.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FBot-Schutz-mit-Handgesten-Googles-reCaptcha-laesst-sich-Fotos-unterjubeln-11348830.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FBot-Schutz-mit-Handgesten-Googles-reCaptcha-laesst-sich-Fotos-unterjubeln-11348830.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Bot-Schutz-mit-Handgesten-Googles-reCaptcha-laesst-sich-Fotos-unterjubeln-11348830.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Bot-Schutz-Googles-reCaptcha-mit-Handgesten-faellt-auf-Fotos-rein/forum-585757/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>16</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/8/1/5/shutterstock_515344588-77e552891ce25113.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/8/1/5/shutterstock_515344588-77e552891ce25113.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/8/1/5/shutterstock_515344588-77e552891ce25113.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/8/1/5/shutterstock_515344588-77e552891ce25113.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/8/1/5/shutterstock_515344588-77e552891ce25113.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/8/1/5/shutterstock_515344588-77e552891ce25113.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Gespreizte Hand"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: Bruce Rolff/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-30T11:23:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>30.06.2026,
</span>
<span class="a-datetime__time ">11:23
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Dirk-Knop-3629568"
class="creator__link"
>Dirk Knop</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Bot-protection-with-hand-gestures-Google-s-reCaptcha-can-be-fooled-by-photos-11348993.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Das als Schutz vor Bots und Betrug dienende Google reCaptcha wollen die Entwickler mit einer Erkennung von Handgesten verbessern. Erste Bastler haben die frühe Version schon jetzt ausgetrickst – mit untergeschobenen Fotos aus Stock-Archiven. Damit lässt sich das System derzeit täuschen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>In der vergangenen Woche hatte <a href="http://www.heise.de/news/Googles-reCaptcha-bekommt-Handgestenerkennung-11339773.html">Google die reCaptcha-Erweiterung um Handgesten</a> vorgestellt. Sie basiert auf einem Machine-Learning-Modell, also <a href="http://www.heise.de/thema/Kuenstliche-Intelligenz">Künstlicher Intelligenz</a>. Sie soll Referenzpunkte auf Händen erkennen und vermessen, insgesamt 21 Stück an der Zahl. Bei der Prüfung fordert das System Nutzerinnen und Nutzer auf, eine Handgeste vor einer Kamera nachzuvollziehen. Eigentlich soll die Funktion menschliche Bewegungen erkennen und damit etwa KI-Bots abwehren, die beim Lösen der bisherigen Captcha-Puzzles zunehmend besser werden.</p>
<p>Auf <a href="https://x.com/VGTimes/status/2071675967760933086" rel="external noopener" target="_blank">X haben IT-Forscher</a> nun vorgeführt, wie sich das System hinter die Fichte führen lässt. Sie nehmen eine Software wie Open Broadcaster Software (OBS), die sich ins System als (virtuelle) Kamera installieren lässt. Für die vom reCaptcha-System angefragte Handgeste verwenden sie einfach Stock-Fotos, auf denen die Personen die abgebildete Handgeste zeigen. Das genügt reCaptcha offenbar, die Anti-Bot- respektive Anti-Betrugs-Prüfung gilt als bestanden.</p>
<h3 class="subheading" id="nav_recaptcha_als__0">reCaptcha als einfacher Schutz</h3>
<p>Die Handgestenerkennung in Googles reCaptcha ist ein noch junges Feature und in früher Entwicklung, daher werden die Programmierer sicherlich noch Lösungen finden, solche plumpen Fälschungen zu entlarven. Es zeigt jedoch auch klar die Grenzen eines solchen Systems auf. Es bietet keine hundertprozentige Sicherheit, sondern siebt einfache Bots aus. </p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Es handelt sich um einen immerwährenden Wettlauf zwischen Angreifern auf das System und den Entwicklern. Das Ziel bleibt jedoch, die <a href="http://www.heise.de/news/Mensch-Maschine-Unterscheidung-mit-weniger-Nerverei-4022981.html">Menschen möglichst wenig zu nerven</a> und zu stören. Neue Captcha-Systeme sind nötig, da <a href="http://www.heise.de/news/Fast-immer-schneller-immer-korrekter-Bots-schlagen-Menschen-bei-Captchas-9240739.html">Bots in der Regel rasch aufholen und sogar schneller als Menschen</a> beim Lösen der Aufgaben werden. </p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:dmk@heise.de" title="Dirk Knop">dmk</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11348830"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11348830: Bot-Schutz: Googles reCaptcha mit Handgesten fällt auf Fotos rein"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
2026-06-30T09:23:00.000Z
urn:bid:5108732
2026-06-30T07:46:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
In Oracles E-Business Suite greifen Kriminelle eine Lücke an, die die Oracle-Payments-Komponente betrifft und deren Übernahme ermöglicht.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Oracle-E-Business-Suite-Attacks-on-Payments-Observed-11348717.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FOracle-E-Business-Suite-Angriffe-auf-Payments-beobachtet-11348676.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FOracle-E-Business-Suite-Angriffe-auf-Payments-beobachtet-11348676.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Oracle-E-Business-Suite-Angriffe-auf-Payments-beobachtet-11348676.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Oracle-E-Business-Suite-Angriffe-auf-Payments-beobachtet/forum-585744/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/7/3/2/shutterstock_2404056471-f1844a4a111d0573.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/3/2/shutterstock_2404056471-f1844a4a111d0573.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/3/2/shutterstock_2404056471-f1844a4a111d0573.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/3/2/shutterstock_2404056471-f1844a4a111d0573.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/3/2/shutterstock_2404056471-f1844a4a111d0573.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/3/2/shutterstock_2404056471-f1844a4a111d0573.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Stark verzerrtes Bild eines Fingers auf einer Tastatur, im Vordergrund ein digitales Ausrufezeichen"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: janews/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-30T09:46:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>30.06.2026,
</span>
<span class="a-datetime__time ">09:46
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Dirk-Knop-3629568"
class="creator__link"
>Dirk Knop</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Oracle-E-Business-Suite-Attacks-on-Payments-Observed-11348717.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>In Oracles E-Business Suite können Angreifer an einer Schwachstelle in Oracle Payments ansetzen, um die Systeme vollständig zu übernehmen. IT-Sicherheitsforscher haben nun <a href="http://www.heise.de/thema/Cyberangriff">Angriffe</a> auf die Lücke in freier Wildbahn beobachtet.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Die IT-Forscher von <a href="https://x.com/DefusedCyber/status/2071555353733394618" rel="external noopener" target="_blank">DefusedCyber haben am Montag auf X</a> gepostet, dass sie seit dem Wochenende Angriffe auf diese Sicherheitslücke in ihren Honeypot-Systemen beobachtet haben. Bis dahin war noch kein Missbrauch der Lücke oder Proof-of-Concept-Code bekannt, erklären die IT-Sicherheitsforscher. Weitere Hinweise, wie die Angriffe genau aussehen oder in welchem Umfang sie stattfinden, nennt DefusedCyber jedoch nicht. Aus dem Ausschnitt der Anfrage, die der Screenshot auf X zeigt, lässt sich dahingehend nichts ableiten. Es gibt daher auch keine Hinweise auf erfolgreiche Angriffe (Indicators of Compromise, IOC), anhand derer Admins ihre Systeme auf Spuren von Attacken untersuchen könnten.</p>
<h3 class="subheading" id="nav_oracle__0">Oracle E-Business Suite: Angriffe aus dem Netz</h3>
<p>Die Sicherheitslücke ermöglicht nicht authentifizierten Angreifern aus dem Netz, die HTTP-Zugriff auf verwundbare Systeme haben, eine Schwachstelle in der Dateitransfer-Komponente von Oracle Payments aus der Oracle E-Business Suite zum Kompromittieren von Oracle Payments auszunutzen. Das Leck ist einfach zu missbrauchen, schreibt Oracle in der Schwachstellenbeschreibung (<a href="https://nvd.nist.gov/vuln/detail/CVE-2026-46817" rel="external noopener" target="_blank">CVE-2026-46817</a>, CVSS <strong>9.8</strong>, Risiko „<strong>hoch</strong>“). Betroffen ist Oracle Payments in den Versionen 12.2.3 bis einschließlich 12.2.15. </p>
<p>Oracle hat die Sicherheitslücke am ersten <a href="http://www.heise.de/news/Oracle-CSPU-35-Sicherheitsupdates-im-Mai-11310949.html">„Critical Security Patch Update“ (CSPU) im Mai dieses Jahres mit einem Softwareflicken</a> versorgt. In der Übersicht zu dem <a href="https://www.oracle.com/security-alerts/cspumay2026.html" rel="external noopener" target="_blank">Mai-Patchday von Oracle</a> findet sich jedoch bislang noch kein Hinweis darauf, dass die Sicherheitslücke aktiv angegriffen wird. </p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Die Schwachstelle weckt Erinnerungen an <a href="http://www.heise.de/news/Jetzt-patchen-Angreifer-erpressen-Oracle-E-Business-Suite-Kunden-10712120.html">Sicherheitslücken in Oracles E-Business Suite, die im Herbst</a> vergangenen Jahres massiv angegriffen wurden. Die Täter haben die Oracle-Kunden im Anschluss um Lösegeld erpresst.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:dmk@heise.de" title="Dirk Knop">dmk</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11348676"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11348676: Oracle E-Business Suite: Angriffe auf Payments beobachtet"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
In Oracles E-Business Suite greifen Kriminelle eine Lücke an, die die Oracle-Payments-Komponente betrifft und deren Übernahme ermöglicht.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Oracle-E-Business-Suite-Attacks-on-Payments-Observed-11348717.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FOracle-E-Business-Suite-Angriffe-auf-Payments-beobachtet-11348676.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FOracle-E-Business-Suite-Angriffe-auf-Payments-beobachtet-11348676.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Oracle-E-Business-Suite-Angriffe-auf-Payments-beobachtet-11348676.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Oracle-E-Business-Suite-Angriffe-auf-Payments-beobachtet/forum-585744/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/7/3/2/shutterstock_2404056471-f1844a4a111d0573.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/3/2/shutterstock_2404056471-f1844a4a111d0573.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/3/2/shutterstock_2404056471-f1844a4a111d0573.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/3/2/shutterstock_2404056471-f1844a4a111d0573.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/3/2/shutterstock_2404056471-f1844a4a111d0573.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/3/2/shutterstock_2404056471-f1844a4a111d0573.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Stark verzerrtes Bild eines Fingers auf einer Tastatur, im Vordergrund ein digitales Ausrufezeichen"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: janews/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-30T09:46:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>30.06.2026,
</span>
<span class="a-datetime__time ">09:46
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Dirk-Knop-3629568"
class="creator__link"
>Dirk Knop</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Oracle-E-Business-Suite-Attacks-on-Payments-Observed-11348717.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>In Oracles E-Business Suite können Angreifer an einer Schwachstelle in Oracle Payments ansetzen, um die Systeme vollständig zu übernehmen. IT-Sicherheitsforscher haben nun <a href="http://www.heise.de/thema/Cyberangriff">Angriffe</a> auf die Lücke in freier Wildbahn beobachtet.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Die IT-Forscher von <a href="https://x.com/DefusedCyber/status/2071555353733394618" rel="external noopener" target="_blank">DefusedCyber haben am Montag auf X</a> gepostet, dass sie seit dem Wochenende Angriffe auf diese Sicherheitslücke in ihren Honeypot-Systemen beobachtet haben. Bis dahin war noch kein Missbrauch der Lücke oder Proof-of-Concept-Code bekannt, erklären die IT-Sicherheitsforscher. Weitere Hinweise, wie die Angriffe genau aussehen oder in welchem Umfang sie stattfinden, nennt DefusedCyber jedoch nicht. Aus dem Ausschnitt der Anfrage, die der Screenshot auf X zeigt, lässt sich dahingehend nichts ableiten. Es gibt daher auch keine Hinweise auf erfolgreiche Angriffe (Indicators of Compromise, IOC), anhand derer Admins ihre Systeme auf Spuren von Attacken untersuchen könnten.</p>
<h3 class="subheading" id="nav_oracle__0">Oracle E-Business Suite: Angriffe aus dem Netz</h3>
<p>Die Sicherheitslücke ermöglicht nicht authentifizierten Angreifern aus dem Netz, die HTTP-Zugriff auf verwundbare Systeme haben, eine Schwachstelle in der Dateitransfer-Komponente von Oracle Payments aus der Oracle E-Business Suite zum Kompromittieren von Oracle Payments auszunutzen. Das Leck ist einfach zu missbrauchen, schreibt Oracle in der Schwachstellenbeschreibung (<a href="https://nvd.nist.gov/vuln/detail/CVE-2026-46817" rel="external noopener" target="_blank">CVE-2026-46817</a>, CVSS <strong>9.8</strong>, Risiko „<strong>hoch</strong>“). Betroffen ist Oracle Payments in den Versionen 12.2.3 bis einschließlich 12.2.15. </p>
<p>Oracle hat die Sicherheitslücke am ersten <a href="http://www.heise.de/news/Oracle-CSPU-35-Sicherheitsupdates-im-Mai-11310949.html">„Critical Security Patch Update“ (CSPU) im Mai dieses Jahres mit einem Softwareflicken</a> versorgt. In der Übersicht zu dem <a href="https://www.oracle.com/security-alerts/cspumay2026.html" rel="external noopener" target="_blank">Mai-Patchday von Oracle</a> findet sich jedoch bislang noch kein Hinweis darauf, dass die Sicherheitslücke aktiv angegriffen wird. </p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Die Schwachstelle weckt Erinnerungen an <a href="http://www.heise.de/news/Jetzt-patchen-Angreifer-erpressen-Oracle-E-Business-Suite-Kunden-10712120.html">Sicherheitslücken in Oracles E-Business Suite, die im Herbst</a> vergangenen Jahres massiv angegriffen wurden. Die Täter haben die Oracle-Kunden im Anschluss um Lösegeld erpresst.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:dmk@heise.de" title="Dirk Knop">dmk</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11348676"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11348676: Oracle E-Business Suite: Angriffe auf Payments beobachtet"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
2026-06-30T07:46:00.000Z
urn:bid:5108704
2026-06-30T07:14:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
Eine kritische Sicherheitslücke mit Risiko-Höchstwertung in der Fernwartungssoftware SimpleHelp wird im Internet angegriffen.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/SimpleHelp-Remote-Maintenance-Vulnerability-Under-Attack-11348671.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FFernwartung-SimpleHelp-Schwachstelle-wird-angegriffen-11348620.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FFernwartung-SimpleHelp-Schwachstelle-wird-angegriffen-11348620.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Fernwartung-SimpleHelp-Schwachstelle-wird-angegriffen-11348620.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/SimpleHelp-Luecke-in-Fernwartungssoftware-in-freier-Wildbahn-missbraucht/forum-585743/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/7/0/4/shutterstock_2692522213-92a72f14a4333716.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/0/4/shutterstock_2692522213-92a72f14a4333716.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/0/4/shutterstock_2692522213-92a72f14a4333716.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/0/4/shutterstock_2692522213-92a72f14a4333716.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/0/4/shutterstock_2692522213-92a72f14a4333716.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/0/4/shutterstock_2692522213-92a72f14a4333716.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Eine Hand mit einer digitalen roten Weltkugel und lauter Warnzeichen"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: tete_escape/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-30T09:14:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>30.06.2026,
</span>
<span class="a-datetime__time ">09:14
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Dirk-Knop-3629568"
class="creator__link"
>Dirk Knop</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/SimpleHelp-Remote-Maintenance-Vulnerability-Under-Attack-11348671.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>In der Fernwartungssoftware SimpleHelp klafft eine Sicherheitslücke, die die Höchstwertung beim Risiko erreicht. Sie wurde Mitte des Monats bekannt. Jetzt haben IT-Sicherheitsexperten <a href="http://www.heise.de/thema/Cyberangriff">Cyberangriffe</a> auf das Sicherheitsleck beobachtet.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Davor <a href="https://www.cisa.gov/news-events/alerts/2026/06/29/cisa-adds-one-known-exploited-vulnerability-catalog" rel="external noopener" target="_blank">warnt die US-amerikanische IT-Sicherheitsbehörde CISA</a>. Sie hat die Schwachstelle dem „Known Exploited Vulnerabilities“-Katalog hinzugefügt. Details zu den Angriffen nennt die Behörde wie üblich nicht, wie diese aussehen und in welchem Umfang sie stattfinden, bleibt daher unklar. Allerdings hat <a href="https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/" rel="external noopener" target="_blank">Blackpoint einen Blogbeitrag</a> veröffentlicht, in dem das IT-Sicherheitsunternehmen erörtert, dass es die Malware „TaskWeaver“ und „Djinn Stealer“ entdeckt hat, die nach Einbrüchen über die Schwachstelle CVE-2026-48558 auf die attackierten Systeme verfrachtet wurden. Die Malware läuft auf Linux ebenso wie unter macOS und Windows. Blackpoint stellt auch Hinweise für erfolgreiche Angriffe (Indicator of Compromise, IOC) bereit, anhand derer Admins prüfen können, ob sie mit der bekannten Malware attackiert wurden.</p>
<p>Bei der angegriffenen Schwachstelle handelt es sich um eine mögliche Umgehung der Authentifizierung, sofern „OIDC-Authentifizierung“ konfiguriert wurde. Die Identity-Tokens beim Login akzeptiert die Software, ohne zuvor ihre kryptografische Signatur zu prüfen. Angreifer aus dem Netz können dadurch ohne vorherige Anmeldung manipulierte Token senden und dadurch vollen Techniker-Zugang erhalten; in manchen Fällen lässt sich dadurch auch die Mehr-Faktor-Authentifizierung umgehen (<a href="https://nvd.nist.gov/vuln/detail/CVE-2026-48558" rel="external noopener" target="_blank">CVE-2026-48558</a>, CVSS <strong>10.0</strong>, Risiko „<strong>kritisch</strong>“).</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_simplehelp__0">SimpleHelp: Updates verfügbar</h3>
<p>Verwundbar sind die SimpleHelp-Versionen 5.5.15 und ältere sowie die 6.0-Pre-Release-Fassung. Laut <a href="https://simple-help.com/release-news" rel="external noopener" target="_blank">der Release-News</a> steht SimpleHelp 5.5.16 bereit, außerdem erhält SimpleHelp 6.0 RC2 den Sicherheitsfix, wie die Entwickler <a href="https://simple-help.com/security/simplehelp-security-update-2026-05" rel="external noopener" target="_blank">in ihrer Sicherheitsmitteilung schreiben</a>. Sie raten IT-Verantwortlichen dringend dazu, die bereitstehenden Aktualisierungen zügig zu installieren. Die SimpleHelp-Entwickler erwähnen bislang noch nichts von den beobachteten Angriffen.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:dmk@heise.de" title="Dirk Knop">dmk</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11348620"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11348620: SimpleHelp: Lücke in Fernwartungssoftware in freier Wildbahn missbraucht"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
Eine kritische Sicherheitslücke mit Risiko-Höchstwertung in der Fernwartungssoftware SimpleHelp wird im Internet angegriffen.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/SimpleHelp-Remote-Maintenance-Vulnerability-Under-Attack-11348671.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FFernwartung-SimpleHelp-Schwachstelle-wird-angegriffen-11348620.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FFernwartung-SimpleHelp-Schwachstelle-wird-angegriffen-11348620.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Fernwartung-SimpleHelp-Schwachstelle-wird-angegriffen-11348620.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/SimpleHelp-Luecke-in-Fernwartungssoftware-in-freier-Wildbahn-missbraucht/forum-585743/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/7/0/4/shutterstock_2692522213-92a72f14a4333716.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/0/4/shutterstock_2692522213-92a72f14a4333716.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/0/4/shutterstock_2692522213-92a72f14a4333716.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/0/4/shutterstock_2692522213-92a72f14a4333716.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/0/4/shutterstock_2692522213-92a72f14a4333716.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/7/0/4/shutterstock_2692522213-92a72f14a4333716.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Eine Hand mit einer digitalen roten Weltkugel und lauter Warnzeichen"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: tete_escape/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-30T09:14:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>30.06.2026,
</span>
<span class="a-datetime__time ">09:14
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Dirk-Knop-3629568"
class="creator__link"
>Dirk Knop</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/SimpleHelp-Remote-Maintenance-Vulnerability-Under-Attack-11348671.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>In der Fernwartungssoftware SimpleHelp klafft eine Sicherheitslücke, die die Höchstwertung beim Risiko erreicht. Sie wurde Mitte des Monats bekannt. Jetzt haben IT-Sicherheitsexperten <a href="http://www.heise.de/thema/Cyberangriff">Cyberangriffe</a> auf das Sicherheitsleck beobachtet.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Davor <a href="https://www.cisa.gov/news-events/alerts/2026/06/29/cisa-adds-one-known-exploited-vulnerability-catalog" rel="external noopener" target="_blank">warnt die US-amerikanische IT-Sicherheitsbehörde CISA</a>. Sie hat die Schwachstelle dem „Known Exploited Vulnerabilities“-Katalog hinzugefügt. Details zu den Angriffen nennt die Behörde wie üblich nicht, wie diese aussehen und in welchem Umfang sie stattfinden, bleibt daher unklar. Allerdings hat <a href="https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/" rel="external noopener" target="_blank">Blackpoint einen Blogbeitrag</a> veröffentlicht, in dem das IT-Sicherheitsunternehmen erörtert, dass es die Malware „TaskWeaver“ und „Djinn Stealer“ entdeckt hat, die nach Einbrüchen über die Schwachstelle CVE-2026-48558 auf die attackierten Systeme verfrachtet wurden. Die Malware läuft auf Linux ebenso wie unter macOS und Windows. Blackpoint stellt auch Hinweise für erfolgreiche Angriffe (Indicator of Compromise, IOC) bereit, anhand derer Admins prüfen können, ob sie mit der bekannten Malware attackiert wurden.</p>
<p>Bei der angegriffenen Schwachstelle handelt es sich um eine mögliche Umgehung der Authentifizierung, sofern „OIDC-Authentifizierung“ konfiguriert wurde. Die Identity-Tokens beim Login akzeptiert die Software, ohne zuvor ihre kryptografische Signatur zu prüfen. Angreifer aus dem Netz können dadurch ohne vorherige Anmeldung manipulierte Token senden und dadurch vollen Techniker-Zugang erhalten; in manchen Fällen lässt sich dadurch auch die Mehr-Faktor-Authentifizierung umgehen (<a href="https://nvd.nist.gov/vuln/detail/CVE-2026-48558" rel="external noopener" target="_blank">CVE-2026-48558</a>, CVSS <strong>10.0</strong>, Risiko „<strong>kritisch</strong>“).</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_simplehelp__0">SimpleHelp: Updates verfügbar</h3>
<p>Verwundbar sind die SimpleHelp-Versionen 5.5.15 und ältere sowie die 6.0-Pre-Release-Fassung. Laut <a href="https://simple-help.com/release-news" rel="external noopener" target="_blank">der Release-News</a> steht SimpleHelp 5.5.16 bereit, außerdem erhält SimpleHelp 6.0 RC2 den Sicherheitsfix, wie die Entwickler <a href="https://simple-help.com/security/simplehelp-security-update-2026-05" rel="external noopener" target="_blank">in ihrer Sicherheitsmitteilung schreiben</a>. Sie raten IT-Verantwortlichen dringend dazu, die bereitstehenden Aktualisierungen zügig zu installieren. Die SimpleHelp-Entwickler erwähnen bislang noch nichts von den beobachteten Angriffen.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:dmk@heise.de" title="Dirk Knop">dmk</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11348620"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11348620: SimpleHelp: Lücke in Fernwartungssoftware in freier Wildbahn missbraucht"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
2026-06-30T07:14:00.000Z
urn:bid:5108646
2026-06-30T04:23:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
In der Nacht zum Dienstag hat Apple drei Betriebssystem-Updates und ein neues Safari für ältere macOS-Versionen publiziert. Apple fürchtet schnellere Angriffe.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/iOS-26-5-2-iPadOS-26-5-2-and-macOS-26-5-2-Important-security-fixes-due-to-AI-11348563.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FiOS-26-5-2-iPadOS-26-5-2-und-macOS-26-5-2-Wichtige-Sicherheitsfixes-wegen-KI-11348504.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.mac-and-i.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FiOS-26-5-2-iPadOS-26-5-2-und-macOS-26-5-2-Wichtige-Sicherheitsfixes-wegen-KI-11348504.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/iOS-26-5-2-iPadOS-26-5-2-und-macOS-26-5-2-Wichtige-Sicherheitsfixes-wegen-KI-11348504.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.mac-and-i.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/iOS-26-5-2-iPadOS-26-5-2-und-macOS-26-5-2-Wichtige-Sicherheitsfixes-wegen-KI/forum-585732/comment/"
class="a-article-action"
name="meldung.mac-and-i.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>5</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/6/4/6/shutterstock_1748211680-dbb2b41efff5480f.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/6/4/6/shutterstock_1748211680-dbb2b41efff5480f.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/6/4/6/shutterstock_1748211680-dbb2b41efff5480f.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/6/4/6/shutterstock_1748211680-dbb2b41efff5480f.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/6/4/6/shutterstock_1748211680-dbb2b41efff5480f.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/6/4/6/shutterstock_1748211680-dbb2b41efff5480f.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Apple und die Sicherheit"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__text">
Apple und die Sicherheit: Wichtige Lücken gestopft.
</p> <p class="a-caption__source">
(Bild: Alberto Garcia Guillen/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-30T06:23:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>30.06.2026,
</span>
<span class="a-datetime__time ">06:23
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/mac-and-i/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Mac & i"
>
Mac & i
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Ben-Schwan-4508422"
class="creator__link"
>Ben Schwan</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/iOS-26-5-2-iPadOS-26-5-2-and-macOS-26-5-2-Important-security-fixes-due-to-AI-11348563.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Apple hat am Montagabend insgesamt drei Betriebssysteme aktualisiert sowie seinen Browser Safari für macOS 15 (Sequoia) und 14 (Sonoma) auf einen neuen Stand gebracht. Systeme und Browser enthalten keine bekannten Neuerungen, dafür stopfen sie diverse Sicherheitslöcher, die Apple laut eigenen Angaben auch aufgrund der <a href="http://www.heise.de/news/Sicherheitsfirma-Claude-Mythos-findet-macOS-Exploit-11294837.html">neuen Gefahren durch KI </a> flotter liefert.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_angst_vor__0">Angst vor KI-gestützten Angriffen</h3>
<p>Gegenüber der Nachrichtenagentur Reuters teilte der Konzern mit, man reagiere schneller mit den Fehlerbehebungen, weil man aufgrund von KI <a href="https://www.reuters.com/business/apple-says-it-is-releasing-updates-early-response-ai-cybersecurity-concerns-2026-06-29/" rel="external noopener" target="_blank">eine Geschwindigkeitssteigerung bei böswilligen Hackingtools</a> fürchtet. Sonst hätte Apple die Sicherheitspatches womöglich erst mit einer neuen Hauptversion gebracht. Das heißt: Die Fixes kommen nun mit iOS 26.5.2, iPadOS 26.5.2 und macOS 26.5.2, sonst hätte Apple auf Version 26.6 der Systeme gewartet. Bei dem Auffinden der Fehler kam auch KI zum Einsatz, unter anderem durch Anthropic.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Neben den drei neuen Betriebssystemversionen stellt Apple auch <a href="https://support.apple.com/en-us/127685" rel="external noopener" target="_blank">Safari 26.5.2</a> als Einzeldownload bereit. Allein der Browser patcht über 20 Lücken plus zwei weitere Fehler, die Apple aber nicht näher ausführt. Es geht um Informationsabfluss, Abstürze, Speicherfehler, das Verlassen der Sandbox und mehr. WebKit Canvas, WebKit Storage und WebRTC sind auch betroffen. Ältere macOS-Versionen fasst Apple hingegen nicht an, zumindest lagen zunächst weder Updates für Sonoma noch Sequoia vor.</p>
<h3 class="subheading" id="nav_jeweils_über_30__1">Jeweils über 30 Lücken behoben</h3>
<p><a href="https://support.apple.com/en-us/127594" rel="external noopener" target="_blank">IOS und iPadOS 26.5.2</a> kommen jeweils mit knapp 30 Fixes plus Problembehebungen in drei Bereichen, die Apple nicht näher ausführt. Betroffen sind Kernel, libxslt oder IOGPUFamily, außerdem werden die WebKit-Löcher wie in Safari 26.5.2 gestopft.</p>
<p><a href="https://support.apple.com/en-us/127595" rel="external noopener" target="_blank">macOS 26.5.2</a> kommt ebenfalls mit mehr als zwei Dutzend Fehlerbehebungen plus drei weiteren ohne Details. Auch hier geht es unter anderem um den Kernel und libxslit, auch Safari-Lücken wurden gestopft. Apple teilte weiter mit, dass keine Berichte zu Angriffen auf Basis der Lücken in den Systemen vorliegen. Dennoch sei es notwendig, die Zeit zwischen Ankündigung und Rollout zu verringern. Apple wird mindestens noch 26.6-Versionen bringen, bevor dann <a href="http://www.heise.de/news/iOS-27-Mehr-Tempo-besserer-Schutz-neue-Siri-11321931.html">iOS 27</a> & Co. im September erscheinen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<a-opt-in checkbox-text="Preisvergleiche immer laden" class=" a-u-inline" type="Preisvergleichinternetservices">
<div class="opt-in__content-container">
<h2 class="opt-in__title">Empfohlener redaktioneller Inhalt</h2>
<p class="opt-in__description">
Mit Ihrer Zustimmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.
</p>
<div class="opt-in__cta-container">
<button class="opt-in__cta" data-opt-in>Preisvergleich jetzt laden</button>
</div>
<p class="opt-in__footnote">
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden.
Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden.
Mehr dazu in unserer
<a href="https://www.heise.de/Datenschutzerklaerung-der-Heise-Medien-GmbH-Co-KG-4860.html">Datenschutzerklärung</a>.
</p>
</div>
</a-opt-in>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="http://www.heise.de/mac-and-i" name="meldung.newsticker.inline.branding_mac-and-i" title="Mehr von Mac & i">
<a-img alt="Mehr von Mac & i" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/9/4/ho_markenbanner_mobil_mc2-b2508549b3fb181e.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Mehr von Mac & i" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Mehr von Mac & i" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/9/4/ho_markenbanner_desktop_neu_mc2-1b400c32629f6abc.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Mehr von Mac & i" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:bsc@heise.de" title="Ben Schwan">bsc</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11348504"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11348504: iOS 26.5.2, iPadOS 26.5.2 und macOS 26.5.2: Wichtige Sicherheitsfixes wegen KI"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
In der Nacht zum Dienstag hat Apple drei Betriebssystem-Updates und ein neues Safari für ältere macOS-Versionen publiziert. Apple fürchtet schnellere Angriffe.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/iOS-26-5-2-iPadOS-26-5-2-and-macOS-26-5-2-Important-security-fixes-due-to-AI-11348563.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FiOS-26-5-2-iPadOS-26-5-2-und-macOS-26-5-2-Wichtige-Sicherheitsfixes-wegen-KI-11348504.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.mac-and-i.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FiOS-26-5-2-iPadOS-26-5-2-und-macOS-26-5-2-Wichtige-Sicherheitsfixes-wegen-KI-11348504.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/iOS-26-5-2-iPadOS-26-5-2-und-macOS-26-5-2-Wichtige-Sicherheitsfixes-wegen-KI-11348504.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.mac-and-i.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/iOS-26-5-2-iPadOS-26-5-2-und-macOS-26-5-2-Wichtige-Sicherheitsfixes-wegen-KI/forum-585732/comment/"
class="a-article-action"
name="meldung.mac-and-i.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>5</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/6/4/6/shutterstock_1748211680-dbb2b41efff5480f.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/6/4/6/shutterstock_1748211680-dbb2b41efff5480f.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/6/4/6/shutterstock_1748211680-dbb2b41efff5480f.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/6/4/6/shutterstock_1748211680-dbb2b41efff5480f.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/6/4/6/shutterstock_1748211680-dbb2b41efff5480f.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/6/4/6/shutterstock_1748211680-dbb2b41efff5480f.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Apple und die Sicherheit"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__text">
Apple und die Sicherheit: Wichtige Lücken gestopft.
</p> <p class="a-caption__source">
(Bild: Alberto Garcia Guillen/Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-30T06:23:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>30.06.2026,
</span>
<span class="a-datetime__time ">06:23
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/mac-and-i/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Mac & i"
>
Mac & i
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Ben-Schwan-4508422"
class="creator__link"
>Ben Schwan</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/iOS-26-5-2-iPadOS-26-5-2-and-macOS-26-5-2-Important-security-fixes-due-to-AI-11348563.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Apple hat am Montagabend insgesamt drei Betriebssysteme aktualisiert sowie seinen Browser Safari für macOS 15 (Sequoia) und 14 (Sonoma) auf einen neuen Stand gebracht. Systeme und Browser enthalten keine bekannten Neuerungen, dafür stopfen sie diverse Sicherheitslöcher, die Apple laut eigenen Angaben auch aufgrund der <a href="http://www.heise.de/news/Sicherheitsfirma-Claude-Mythos-findet-macOS-Exploit-11294837.html">neuen Gefahren durch KI </a> flotter liefert.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_angst_vor__0">Angst vor KI-gestützten Angriffen</h3>
<p>Gegenüber der Nachrichtenagentur Reuters teilte der Konzern mit, man reagiere schneller mit den Fehlerbehebungen, weil man aufgrund von KI <a href="https://www.reuters.com/business/apple-says-it-is-releasing-updates-early-response-ai-cybersecurity-concerns-2026-06-29/" rel="external noopener" target="_blank">eine Geschwindigkeitssteigerung bei böswilligen Hackingtools</a> fürchtet. Sonst hätte Apple die Sicherheitspatches womöglich erst mit einer neuen Hauptversion gebracht. Das heißt: Die Fixes kommen nun mit iOS 26.5.2, iPadOS 26.5.2 und macOS 26.5.2, sonst hätte Apple auf Version 26.6 der Systeme gewartet. Bei dem Auffinden der Fehler kam auch KI zum Einsatz, unter anderem durch Anthropic.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Neben den drei neuen Betriebssystemversionen stellt Apple auch <a href="https://support.apple.com/en-us/127685" rel="external noopener" target="_blank">Safari 26.5.2</a> als Einzeldownload bereit. Allein der Browser patcht über 20 Lücken plus zwei weitere Fehler, die Apple aber nicht näher ausführt. Es geht um Informationsabfluss, Abstürze, Speicherfehler, das Verlassen der Sandbox und mehr. WebKit Canvas, WebKit Storage und WebRTC sind auch betroffen. Ältere macOS-Versionen fasst Apple hingegen nicht an, zumindest lagen zunächst weder Updates für Sonoma noch Sequoia vor.</p>
<h3 class="subheading" id="nav_jeweils_über_30__1">Jeweils über 30 Lücken behoben</h3>
<p><a href="https://support.apple.com/en-us/127594" rel="external noopener" target="_blank">IOS und iPadOS 26.5.2</a> kommen jeweils mit knapp 30 Fixes plus Problembehebungen in drei Bereichen, die Apple nicht näher ausführt. Betroffen sind Kernel, libxslt oder IOGPUFamily, außerdem werden die WebKit-Löcher wie in Safari 26.5.2 gestopft.</p>
<p><a href="https://support.apple.com/en-us/127595" rel="external noopener" target="_blank">macOS 26.5.2</a> kommt ebenfalls mit mehr als zwei Dutzend Fehlerbehebungen plus drei weiteren ohne Details. Auch hier geht es unter anderem um den Kernel und libxslit, auch Safari-Lücken wurden gestopft. Apple teilte weiter mit, dass keine Berichte zu Angriffen auf Basis der Lücken in den Systemen vorliegen. Dennoch sei es notwendig, die Zeit zwischen Ankündigung und Rollout zu verringern. Apple wird mindestens noch 26.6-Versionen bringen, bevor dann <a href="http://www.heise.de/news/iOS-27-Mehr-Tempo-besserer-Schutz-neue-Siri-11321931.html">iOS 27</a> & Co. im September erscheinen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<a-opt-in checkbox-text="Preisvergleiche immer laden" class=" a-u-inline" type="Preisvergleichinternetservices">
<div class="opt-in__content-container">
<h2 class="opt-in__title">Empfohlener redaktioneller Inhalt</h2>
<p class="opt-in__description">
Mit Ihrer Zustimmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.
</p>
<div class="opt-in__cta-container">
<button class="opt-in__cta" data-opt-in>Preisvergleich jetzt laden</button>
</div>
<p class="opt-in__footnote">
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden.
Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden.
Mehr dazu in unserer
<a href="https://www.heise.de/Datenschutzerklaerung-der-Heise-Medien-GmbH-Co-KG-4860.html">Datenschutzerklärung</a>.
</p>
</div>
</a-opt-in>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="http://www.heise.de/mac-and-i" name="meldung.newsticker.inline.branding_mac-and-i" title="Mehr von Mac & i">
<a-img alt="Mehr von Mac & i" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/9/4/ho_markenbanner_mobil_mc2-b2508549b3fb181e.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Mehr von Mac & i" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Mehr von Mac & i" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/9/4/ho_markenbanner_desktop_neu_mc2-1b400c32629f6abc.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Mehr von Mac & i" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:bsc@heise.de" title="Ben Schwan">bsc</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11348504"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11348504: iOS 26.5.2, iPadOS 26.5.2 und macOS 26.5.2: Wichtige Sicherheitsfixes wegen KI"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
2026-06-30T04:23:00.000Z
urn:bid:5108391
2026-06-29T15:46:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Zhipu AIs offenes Modell GLM-5.2 erreicht laut Sicherheitsexperten die Fähigkeiten von Anthropics Opus 4.8 bei der Bug-Erkennung.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/China-s-AI-Hacking-Skills-Reportedly-on-Par-with-Claude-11348370.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FHacking-Faehigkeiten-von-Chinas-KI-Z-ai-angeblich-so-gut-wie-die-von-Claude-11348003.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FHacking-Faehigkeiten-von-Chinas-KI-Z-ai-angeblich-so-gut-wie-die-von-Claude-11348003.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Hacking-Faehigkeiten-von-Chinas-KI-Z-ai-angeblich-so-gut-wie-die-von-Claude-11348003.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Chinas-GLM-5-2-erreicht-Anthropics-Opus-4-8-bei-der-Schwachstellensuche/forum-585722/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>47</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/3/9/1/shutterstock_1261948831-824a97d89d1bf7b6.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/9/1/shutterstock_1261948831-824a97d89d1bf7b6.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/9/1/shutterstock_1261948831-824a97d89d1bf7b6.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/9/1/shutterstock_1261948831-824a97d89d1bf7b6.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/9/1/shutterstock_1261948831-824a97d89d1bf7b6.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/9/1/shutterstock_1261948831-824a97d89d1bf7b6.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Chinesische Flagge auf Laptop-Display"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__text">
Internationales Wettrennen um KI-Hackingfähigkeiten
</p> <p class="a-caption__source">
(Bild: Herr Loeffler / Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-29T17:46:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>29.06.2026,
</span>
<span class="a-datetime__time ">17:46
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name">Carolin Riethmüller</li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/China-s-AI-Hacking-Skills-Reportedly-on-Par-with-Claude-11348370.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Der chinesische KI-Anbieter Z.ai hat mit GLM-5.2 ein Open-Weight-Modell veröffentlicht, das sich bei der Erkennung von Sicherheitslücken offenbar mit Anthropics Opus 4.8 messen kann.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Das haben <a href="https://semgrep.dev/blog/2026/we-have-mythos-at-home-glm-52-beats-claude-in-our-cyber-benchmarks/" rel="external noopener" target="_blank">IDOR-Benchmark-Tests</a> der Cybersicherheitsfirma Semgrep ergeben. Da es sich um ein Open-Weight-Modell handelt, kann jeder GLM-5.2 herunterladen, lokal betreiben und modifizieren. Das eröffnet für Hacker weitere Möglichkeiten für kriminelle Einsätze.</p>
<h3 class="subheading" id="nav_open_weight_als__0">Open Weight als Chance und Risiko</h3>
<p>Die offene Verfügbarkeit von GLM-5.2 ist ein zweischneidiges Schwert. Sicherheitsfirmen, CERTs und interne Red Teams können das Modell in abgeschotteten Umgebungen für Code-Reviews und Penetrationstests nutzen, ohne sensible Daten an US-Clouds zu übermitteln. Für DSGVO-konforme Umgebungen in Europa ist das ein Vorteil.</p>
<p>Gleichzeitig können auch Angreifer GLM-5.2 ohne jede Aufsicht betreiben. Diese Eigenschaft macht das Modell attraktiv für Akteure, die nach Schwachstellen in kritischen Systemen suchen wollen. Lior Div, Chef der Cybersicherheitsfirma 7AI, fasste die Lage gegenüber dem <a href="https://www.wsj.com/tech/ai/chinese-ai-anthropic-mythos-cybersecurity-574b02c2?st=FRKgap&reflink=desktopwebshare_permalink" rel="external noopener" target="_blank">Wall Street Journal</a> zusammen: China sorge dafür, dass der Abstand zu den US-KIs "immer kleiner" werde.</p>
<p>Zhipu AI selbst räumt in den Release Notes ein, dass GLM-5.2 während des Reinforcement-Learning-Trainings verstärkt sogenanntes Reward Hacking zeigte. <a href="https://z.ai/blog/glm-5.2" rel="external noopener" target="_blank">Das Unternehmen</a> habe daraufhin spezielle Anti-Hacking-Sicherungen für das Training und die Evalution des Modells integriert.</p>
<h3 class="subheading" id="nav_geopolitische__1">Geopolitische Dimension: USA unter Zugzwang</h3>
<p>Die Entwicklung trifft die US-Regierung in einem heiklen Moment. Eines von Anthropics Modellen war <a class="heiseplus-lnk" href="http://www.heise.de/hintergrund/Fable-5-Notaus-So-zog-die-US-Regierung-die-Anthropic-KI-aus-dem-Verkehr-11340173.html?wt_mc=intern.red.plus.newsticker.7-tage-news.teaser.teaser" rel="external noopener" target="_blank">kurzzeitig komplett gesperrt</a>, weil die Trump-Administration den Zugriff durch ausländische Nutzer untersagte. Auch OpenAI bekommt von der US-Regierung Auflagen „aus Sicherheitsgründen“.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>Für europäische Unternehmen und Behörden stellt sich mit der wachsenden Leistungsfähigkeit der KI-Modelle die Governance-Frage: Wie lässt sich der Einsatz solcher Werkzeuge in sicherheitskritischen Bereichen mit dem EU AI Act und nationalen Sicherheitsvorgaben vereinbaren – und wie geht man mit einem Modell um, das beim Schwachstellen-Finden brilliert, aber keiner Aufsicht unterliegt?</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:c.riethmueller@heise.de" title="Carolin Riethmüller">rie</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11348003"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11348003: Chinas GLM-5.2 erreicht Anthropics Opus 4.8 bei der Schwachstellensuche"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Zhipu AIs offenes Modell GLM-5.2 erreicht laut Sicherheitsexperten die Fähigkeiten von Anthropics Opus 4.8 bei der Bug-Erkennung.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/China-s-AI-Hacking-Skills-Reportedly-on-Par-with-Claude-11348370.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FHacking-Faehigkeiten-von-Chinas-KI-Z-ai-angeblich-so-gut-wie-die-von-Claude-11348003.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FHacking-Faehigkeiten-von-Chinas-KI-Z-ai-angeblich-so-gut-wie-die-von-Claude-11348003.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Hacking-Faehigkeiten-von-Chinas-KI-Z-ai-angeblich-so-gut-wie-die-von-Claude-11348003.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Chinas-GLM-5-2-erreicht-Anthropics-Opus-4-8-bei-der-Schwachstellensuche/forum-585722/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>47</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/3/9/1/shutterstock_1261948831-824a97d89d1bf7b6.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/9/1/shutterstock_1261948831-824a97d89d1bf7b6.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/9/1/shutterstock_1261948831-824a97d89d1bf7b6.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/9/1/shutterstock_1261948831-824a97d89d1bf7b6.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/9/1/shutterstock_1261948831-824a97d89d1bf7b6.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/9/1/shutterstock_1261948831-824a97d89d1bf7b6.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Chinesische Flagge auf Laptop-Display"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__text">
Internationales Wettrennen um KI-Hackingfähigkeiten
</p> <p class="a-caption__source">
(Bild: Herr Loeffler / Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-29T17:46:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>29.06.2026,
</span>
<span class="a-datetime__time ">17:46
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name">Carolin Riethmüller</li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/China-s-AI-Hacking-Skills-Reportedly-on-Par-with-Claude-11348370.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Der chinesische KI-Anbieter Z.ai hat mit GLM-5.2 ein Open-Weight-Modell veröffentlicht, das sich bei der Erkennung von Sicherheitslücken offenbar mit Anthropics Opus 4.8 messen kann.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Das haben <a href="https://semgrep.dev/blog/2026/we-have-mythos-at-home-glm-52-beats-claude-in-our-cyber-benchmarks/" rel="external noopener" target="_blank">IDOR-Benchmark-Tests</a> der Cybersicherheitsfirma Semgrep ergeben. Da es sich um ein Open-Weight-Modell handelt, kann jeder GLM-5.2 herunterladen, lokal betreiben und modifizieren. Das eröffnet für Hacker weitere Möglichkeiten für kriminelle Einsätze.</p>
<h3 class="subheading" id="nav_open_weight_als__0">Open Weight als Chance und Risiko</h3>
<p>Die offene Verfügbarkeit von GLM-5.2 ist ein zweischneidiges Schwert. Sicherheitsfirmen, CERTs und interne Red Teams können das Modell in abgeschotteten Umgebungen für Code-Reviews und Penetrationstests nutzen, ohne sensible Daten an US-Clouds zu übermitteln. Für DSGVO-konforme Umgebungen in Europa ist das ein Vorteil.</p>
<p>Gleichzeitig können auch Angreifer GLM-5.2 ohne jede Aufsicht betreiben. Diese Eigenschaft macht das Modell attraktiv für Akteure, die nach Schwachstellen in kritischen Systemen suchen wollen. Lior Div, Chef der Cybersicherheitsfirma 7AI, fasste die Lage gegenüber dem <a href="https://www.wsj.com/tech/ai/chinese-ai-anthropic-mythos-cybersecurity-574b02c2?st=FRKgap&reflink=desktopwebshare_permalink" rel="external noopener" target="_blank">Wall Street Journal</a> zusammen: China sorge dafür, dass der Abstand zu den US-KIs "immer kleiner" werde.</p>
<p>Zhipu AI selbst räumt in den Release Notes ein, dass GLM-5.2 während des Reinforcement-Learning-Trainings verstärkt sogenanntes Reward Hacking zeigte. <a href="https://z.ai/blog/glm-5.2" rel="external noopener" target="_blank">Das Unternehmen</a> habe daraufhin spezielle Anti-Hacking-Sicherungen für das Training und die Evalution des Modells integriert.</p>
<h3 class="subheading" id="nav_geopolitische__1">Geopolitische Dimension: USA unter Zugzwang</h3>
<p>Die Entwicklung trifft die US-Regierung in einem heiklen Moment. Eines von Anthropics Modellen war <a class="heiseplus-lnk" href="http://www.heise.de/hintergrund/Fable-5-Notaus-So-zog-die-US-Regierung-die-Anthropic-KI-aus-dem-Verkehr-11340173.html?wt_mc=intern.red.plus.newsticker.7-tage-news.teaser.teaser" rel="external noopener" target="_blank">kurzzeitig komplett gesperrt</a>, weil die Trump-Administration den Zugriff durch ausländische Nutzer untersagte. Auch OpenAI bekommt von der US-Regierung Auflagen „aus Sicherheitsgründen“.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<p>Für europäische Unternehmen und Behörden stellt sich mit der wachsenden Leistungsfähigkeit der KI-Modelle die Governance-Frage: Wie lässt sich der Einsatz solcher Werkzeuge in sicherheitskritischen Bereichen mit dem EU AI Act und nationalen Sicherheitsvorgaben vereinbaren – und wie geht man mit einem Modell um, das beim Schwachstellen-Finden brilliert, aber keiner Aufsicht unterliegt?</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:c.riethmueller@heise.de" title="Carolin Riethmüller">rie</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11348003"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11348003: Chinas GLM-5.2 erreicht Anthropics Opus 4.8 bei der Schwachstellensuche"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
2026-06-29T15:46:00.000Z
urn:bid:5108317
2026-06-29T11:29:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
Vergangene Woche wurde eine Sicherheitslücke in libssh2 bekannt. Jetzt ist Exploit-Code aufgetaucht, der sie missbrauchen kann.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Critical-libssh2-vulnerability-Proof-of-concept-exploit-released-11347906.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FKritische-libssh2-Luecke-Proof-of-Concept-Exploit-veroeffentlicht-11347855.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FKritische-libssh2-Luecke-Proof-of-Concept-Exploit-veroeffentlicht-11347855.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Kritische-libssh2-Luecke-Proof-of-Concept-Exploit-veroeffentlicht-11347855.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Kritische-libssh2-Luecke-Proof-of-Concept-Exploit-veroeffentlicht/forum-585698/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>20</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/3/1/7/2025-05-16-0101-Exploit-6f4aba6dfb7851b5.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/1/7/2025-05-16-0101-Exploit-6f4aba6dfb7851b5.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/1/7/2025-05-16-0101-Exploit-6f4aba6dfb7851b5.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/1/7/2025-05-16-0101-Exploit-6f4aba6dfb7851b5.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/1/7/2025-05-16-0101-Exploit-6f4aba6dfb7851b5.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/1/7/2025-05-16-0101-Exploit-6f4aba6dfb7851b5.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Nullen und Einsen, darunter versteckt sich die Zeichenkette EXPLOIT"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: heise online / dmk)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-29T13:29:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>29.06.2026,
</span>
<span class="a-datetime__time ">13:29
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Dirk-Knop-3629568"
class="creator__link"
>Dirk Knop</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Critical-libssh2-vulnerability-Proof-of-concept-exploit-released-11347906.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Admins und Nutzer sollten Ausschau nach Aktualisierungen für diverse Softwarepakete halten. Die libssh2-Bibliothek, die weit verbreitet zum Einsatz kommt, enthält eine kritische Sicherheitslücke. Ein veröffentlichter Proof-of-Concept-Exploit vereinfacht deren Ausnutzung durch bösartige Akteure deutlich.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-55200" rel="external noopener" target="_blank">Im Schwachstelleneintrag hat</a> die US-amerikanische IT-Sicherheitsbehörde CISA inzwischen die freie Verfügbarkeit des Proof-of-Concept-Exploits ergänzt. Die Sicherheitslücke basiert auf einer nicht erfolgten Begrenzung des „packet_length“-Feldes bei der Verarbeitung in der Funktion ssh2_transport_read(). Angreifer aus dem Netz können das missbrauchen, um mit übermäßig großen „packet_length“-Werten in manipulierten SSH-Paketen den Speicher auf dem Heap durcheinander zu bringen und dabei das Ausführen von eingeschleustem Code zu provozieren (CVE-2026-55200, CVSS <strong>9.8</strong>, Risiko „<strong>kritisch</strong>“).</p>
<p>Wenn Angreifer Opfer dazu bringen, sich mit ihrer Client-Software mit manipulierten Servern zu verbinden, können sie ihnen damit Schadcode unterjubeln. Projekte wie curl, PHP, libgit2 und diverse weitere setzen libssh2 ein. libssh2 ist bis einschließlich Version 1.11.1 anfällig. Noch immer ist das die letzte verfügbare offizielle Version, der Patch ist derzeit lediglich als Quellcode-Commit verfügbar. Diverse Linux-Distributionen stellen jedoch aktualisierte Pakete mit eigenen Backports bereit.</p>
<h3 class="subheading" id="nav_zügig__0">Zügig aktualisieren</h3>
<p>Unter Linux sollte also das Aufrufen der Softwareverwaltung und die Installation der angebotenen Aktualisierungen zum Ziel führen. Etwa unter Windows wird das jedoch schwieriger. Die <a href="https://curl.se/windows/" rel="external noopener" target="_blank">offiziellen curl-Binaries für Windows</a> 8.21.0_2 vom 24. Juni 2026 sind etwa noch statisch mit libssh2 1.11.1 verlinkt, die die Sicherheitslücke aufweist. Zwar macht das <a href="http://www.heise.de/news/Sommer-der-Glueckseligkeit-curl-nimmt-einen-Monat-lang-keine-Bug-Reports-an-11332339.html">curl-Team im „Sommer der Glückseligkeit“ Urlaub</a> – allerdings dürfte der Bedarf nach einer Aktualisierung seitens der zahlenden Supportkunden nun wachsen und in Kürze eine Aktualisierung bereitstehen. </p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Die <a href="http://www.heise.de/news/Sicherheitsluecken-gefaehrden-Verbindungen-ueber-libssh2-11339571.html">Sicherheitslücke und eine weitere in libssh2</a> wurden in der vergangenen Woche bekannt. Seitdem steht lediglich der Commit im Quellcode bereit, ein offizielles neues Paket mit dem Update steht seitdem noch aus.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:dmk@heise.de" title="Dirk Knop">dmk</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11347855"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11347855: Kritische libssh2-Lücke: Proof-of-Concept-Exploit veröffentlicht"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<div class="a-article-header__label">
<div class="a-article-header__alert">
Alert!
</div>
</div>
<p class="a-article-header__lead" dir="ltr">
Vergangene Woche wurde eine Sicherheitslücke in libssh2 bekannt. Jetzt ist Exploit-Code aufgetaucht, der sie missbrauchen kann.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Critical-libssh2-vulnerability-Proof-of-concept-exploit-released-11347906.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FKritische-libssh2-Luecke-Proof-of-Concept-Exploit-veroeffentlicht-11347855.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FKritische-libssh2-Luecke-Proof-of-Concept-Exploit-veroeffentlicht-11347855.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Kritische-libssh2-Luecke-Proof-of-Concept-Exploit-veroeffentlicht-11347855.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Kritische-libssh2-Luecke-Proof-of-Concept-Exploit-veroeffentlicht/forum-585698/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>20</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/3/1/7/2025-05-16-0101-Exploit-6f4aba6dfb7851b5.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/1/7/2025-05-16-0101-Exploit-6f4aba6dfb7851b5.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/1/7/2025-05-16-0101-Exploit-6f4aba6dfb7851b5.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/1/7/2025-05-16-0101-Exploit-6f4aba6dfb7851b5.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/1/7/2025-05-16-0101-Exploit-6f4aba6dfb7851b5.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/3/1/7/2025-05-16-0101-Exploit-6f4aba6dfb7851b5.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Nullen und Einsen, darunter versteckt sich die Zeichenkette EXPLOIT"
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: heise online / dmk)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-29T13:29:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>29.06.2026,
</span>
<span class="a-datetime__time ">13:29
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
2 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Dirk-Knop-3629568"
class="creator__link"
>Dirk Knop</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Critical-libssh2-vulnerability-Proof-of-concept-exploit-released-11347906.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Admins und Nutzer sollten Ausschau nach Aktualisierungen für diverse Softwarepakete halten. Die libssh2-Bibliothek, die weit verbreitet zum Einsatz kommt, enthält eine kritische Sicherheitslücke. Ein veröffentlichter Proof-of-Concept-Exploit vereinfacht deren Ausnutzung durch bösartige Akteure deutlich.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-55200" rel="external noopener" target="_blank">Im Schwachstelleneintrag hat</a> die US-amerikanische IT-Sicherheitsbehörde CISA inzwischen die freie Verfügbarkeit des Proof-of-Concept-Exploits ergänzt. Die Sicherheitslücke basiert auf einer nicht erfolgten Begrenzung des „packet_length“-Feldes bei der Verarbeitung in der Funktion ssh2_transport_read(). Angreifer aus dem Netz können das missbrauchen, um mit übermäßig großen „packet_length“-Werten in manipulierten SSH-Paketen den Speicher auf dem Heap durcheinander zu bringen und dabei das Ausführen von eingeschleustem Code zu provozieren (CVE-2026-55200, CVSS <strong>9.8</strong>, Risiko „<strong>kritisch</strong>“).</p>
<p>Wenn Angreifer Opfer dazu bringen, sich mit ihrer Client-Software mit manipulierten Servern zu verbinden, können sie ihnen damit Schadcode unterjubeln. Projekte wie curl, PHP, libgit2 und diverse weitere setzen libssh2 ein. libssh2 ist bis einschließlich Version 1.11.1 anfällig. Noch immer ist das die letzte verfügbare offizielle Version, der Patch ist derzeit lediglich als Quellcode-Commit verfügbar. Diverse Linux-Distributionen stellen jedoch aktualisierte Pakete mit eigenen Backports bereit.</p>
<h3 class="subheading" id="nav_zügig__0">Zügig aktualisieren</h3>
<p>Unter Linux sollte also das Aufrufen der Softwareverwaltung und die Installation der angebotenen Aktualisierungen zum Ziel führen. Etwa unter Windows wird das jedoch schwieriger. Die <a href="https://curl.se/windows/" rel="external noopener" target="_blank">offiziellen curl-Binaries für Windows</a> 8.21.0_2 vom 24. Juni 2026 sind etwa noch statisch mit libssh2 1.11.1 verlinkt, die die Sicherheitslücke aufweist. Zwar macht das <a href="http://www.heise.de/news/Sommer-der-Glueckseligkeit-curl-nimmt-einen-Monat-lang-keine-Bug-Reports-an-11332339.html">curl-Team im „Sommer der Glückseligkeit“ Urlaub</a> – allerdings dürfte der Bedarf nach einer Aktualisierung seitens der zahlenden Supportkunden nun wachsen und in Kürze eine Aktualisierung bereitstehen. </p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Die <a href="http://www.heise.de/news/Sicherheitsluecken-gefaehrden-Verbindungen-ueber-libssh2-11339571.html">Sicherheitslücke und eine weitere in libssh2</a> wurden in der vergangenen Woche bekannt. Seitdem steht lediglich der Commit im Quellcode bereit, ein offizielles neues Paket mit dem Update steht seitdem noch aus.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:dmk@heise.de" title="Dirk Knop">dmk</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11347855"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11347855: Kritische libssh2-Lücke: Proof-of-Concept-Exploit veröffentlicht"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
2026-06-29T11:29:00.000Z
urn:bid:5108218
2026-06-29T10:37:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Die Linux Foundation und Tech-Giganten starten Akrites, um Open-Source-Sicherheitslücken zentral und vertraulich zu beheben.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/New-alliance-for-open-source-protection-11347822.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FNeues-Buendnis-fuer-Open-Source-Schutz-11347664.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.ix.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FNeues-Buendnis-fuer-Open-Source-Schutz-11347664.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Neues-Buendnis-fuer-Open-Source-Schutz-11347664.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.ix.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Neue-Allianz-fuer-mehr-Open-Source-Schutz/forum-585692/comment/"
class="a-article-action"
name="meldung.ix.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>3</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/2/1/8/security_spy-f8b85239d1807a67.png"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/2/1/8/security_spy-f8b85239d1807a67.png"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/2/1/8/security_spy-f8b85239d1807a67.png 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/2/1/8/security_spy-f8b85239d1807a67.png 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/2/1/8/security_spy-f8b85239d1807a67.png 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/2/1/8/security_spy-f8b85239d1807a67.png 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Zwei Figuren in einem Kreis, eine hält eine Antenne, die andere eine Bombe."
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: heise medien)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-29T12:37:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>29.06.2026,
</span>
<span class="a-datetime__time ">12:37
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
3 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/ix/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: iX Magazin"
>
iX Magazin
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Moritz-Foerster-3688111"
class="creator__link"
>Moritz Förster</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<!-- RSPEAK_STOP -->
<a-collapse
class="
a-box
a-box--collapsable
a-box--full-bordered
a-toc
"
has-indicator
>
<header
data-collapse-trigger
class="
a-box__header
"
>
<span>
Inhaltsverzeichnis
</span>
</header>
<div data-collapse-target class="a-box__target">
<div class="a-box__content">
</div>
</div>
</a-collapse>
<!-- RSPEAK_START -->
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/New-alliance-for-open-source-protection-11347822.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Die Linux Foundation hat gemeinsam mit zahlreichen Tech-Unternehmen und Finanzinstituten die Initiative Akrites gestartet. Ziel ist es, den Umgang mit Sicherheitslücken in wichtiger Open-Source-Software zentral zu koordinieren, sie vertraulich mit den jeweiligen Projektverantwortlichen zu beheben und erst anschließend offenzulegen. Hintergrund ist die wachsende Sorge, dass moderne KI-Modelle Schwachstellen deutlich schneller finden als bisher und damit den Zeitdruck für Verteidiger erheblich erhöhen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Zu den Gründungsmitgliedern gehören unter anderem Amazon Web Services, Anthropic, Cisco, Google, IBM, Microsoft, GitHub, Nvidia, OpenAI, Red Hat sowie JPMorganChase, Citi und Vodafone. Die beteiligten Unternehmen wollen Personal, Sicherheitswissen und finanzielle Mittel bereitstellen.</p>
<h3 class="subheading" id="nav_reaktion_auf__0">Reaktion auf KI-gestützte Schwachstellenanalyse</h3>
<p>Nach <a href="https://akrites.org/linux-foundation-and-industry-leaders-launch-akrites-to-defend-critical-open-source-software-against-ai-enabled-cyber-threats/">Angaben in der Ankündigung der Linux Foundation</a> verändert generative KI die Sicherheitslandschaft grundlegend. Während die Suche nach schwerwiegenden Sicherheitslücken bislang viel Fachwissen und oft Wochen an Analyse erforderte, könnten <a href="http://www.heise.de/news/Anthropics-neues-KI-Modell-Mythos-Zu-gefaehrlich-fuer-die-Oeffentlichkeit-11248034.html">leistungsfähige KI-Modelle</a> große Open-Source-Projekte inzwischen innerhalb weniger Minuten auf potenzielle Schwachstellen untersuchen. Dadurch verkürze sich die Zeit zwischen dem Auffinden einer Lücke und ihrer möglichen Ausnutzung erheblich.</p>
<p>Akrites soll diese Entwicklung mit einem gemeinsamen Sicherheitsprozess beantworten. Statt dass mehrere Unternehmen dieselbe Schwachstelle unabhängig voneinander melden oder unterschiedliche Patches entwickeln, bündelt die Initiative die Koordination. Kern des Projekts sind ein gemeinsames Security Incident Response Team (SIRT) sowie ein einheitlicher Prozess zur koordinierten Offenlegung von Sicherheitslücken (Coordinated Vulnerability Disclosure, CVD). Die beteiligten Organisationen wollen bestätigte Schwachstellen gemeinsam mit den Upstream-Maintainern beheben, bevor Details veröffentlicht werden.</p>
<h3 class="subheading" id="nav_maintainer__1">Maintainer sollen entlastet werden</h3>
<p>Ein Schwerpunkt liegt auf der Zusammenarbeit mit den Entwicklern der betroffenen Open-Source-Projekte. Laut Linux Foundation sollen Fehlerbehebungen grundsätzlich in die Originalprojekte zurückfließen. Maintainer behalten die Kontrolle über ihre Projekte und sollen nicht mit mehrfachen oder widersprüchlichen Sicherheitsmeldungen belastet werden.</p>
<p>Für Pakete, die nicht mehr aktiv gepflegt werden, sieht Akrites zudem eine Rolle als „Maintainer of Last Resort“ vor. In solchen Fällen soll die Initiative Korrekturen für aktuelle Versionen bereitstellen, damit kritische Sicherheitslücken auch dann geschlossen werden können, wenn ursprüngliche Entwickler nicht mehr verfügbar sind.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_aufbau_auf__2">Aufbau auf bestehenden Sicherheitsstandards</h3>
<p>Technisch setzt Akrites auf etablierte Verfahren und Standards der IT-Sicherheitsbranche. Dazu zählen unter anderem CVE zur Identifikation von Schwachstellen, CVSS zur Bewertung ihrer Schwere sowie CWE zur Klassifizierung von Schwachstellentypen. Dadurch soll sich die Initiative in bestehende Prozesse von Softwareherstellern, Sicherheitsforschern und Betreibern kritischer Infrastruktur einfügen.</p>
<p>Die Anschubfinanzierung übernimmt Alpha-Omega, ein Förderfonds der Linux Foundation für Open-Source-Sicherheit. Weitere Unternehmen und Organisationen können sich beteiligen, indem sie Entwicklerkapazitäten oder finanzielle Mittel bereitstellen. Parallel zum Start hat die Initiative einen <a href="https://akrites.org/letter/">offenen Brief</a> veröffentlicht, in dem die Gründungsmitglieder zu einer gemeinsamen Absicherung der Open-Source-Infrastruktur aufrufen.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="http://www.heise.de/ix" name="meldung.newsticker.inline.branding_ix" title="Mehr von iX Magazin">
<a-img alt="Mehr von iX Magazin" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/7/6/ho_markenbanner_mobil_ix-c627affd5b73ee46.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Mehr von iX Magazin" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Mehr von iX Magazin" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/7/6/ho_markenbanner_desktop_neu_ix2-7dde18964795e578.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Mehr von iX Magazin" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:fo@ix.de" title="Moritz Förster">fo</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11347664"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11347664: Neue Allianz für mehr Open-Source-Schutz"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Die Linux Foundation und Tech-Giganten starten Akrites, um Open-Source-Sicherheitslücken zentral und vertraulich zu beheben.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/New-alliance-for-open-source-protection-11347822.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FNeues-Buendnis-fuer-Open-Source-Schutz-11347664.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.ix.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FNeues-Buendnis-fuer-Open-Source-Schutz-11347664.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Neues-Buendnis-fuer-Open-Source-Schutz-11347664.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.ix.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Neue-Allianz-fuer-mehr-Open-Source-Schutz/forum-585692/comment/"
class="a-article-action"
name="meldung.ix.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>3</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/2/1/8/security_spy-f8b85239d1807a67.png"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/2/1/8/security_spy-f8b85239d1807a67.png"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/2/1/8/security_spy-f8b85239d1807a67.png 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/2/1/8/security_spy-f8b85239d1807a67.png 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/2/1/8/security_spy-f8b85239d1807a67.png 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/2/1/8/security_spy-f8b85239d1807a67.png 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Zwei Figuren in einem Kreis, eine hält eine Antenne, die andere eine Bombe."
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: heise medien)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-29T12:37:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>29.06.2026,
</span>
<span class="a-datetime__time ">12:37
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
3 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/ix/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: iX Magazin"
>
iX Magazin
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Moritz-Foerster-3688111"
class="creator__link"
>Moritz Förster</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<!-- RSPEAK_STOP -->
<a-collapse
class="
a-box
a-box--collapsable
a-box--full-bordered
a-toc
"
has-indicator
>
<header
data-collapse-trigger
class="
a-box__header
"
>
<span>
Inhaltsverzeichnis
</span>
</header>
<div data-collapse-target class="a-box__target">
<div class="a-box__content">
</div>
</div>
</a-collapse>
<!-- RSPEAK_START -->
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/New-alliance-for-open-source-protection-11347822.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Die Linux Foundation hat gemeinsam mit zahlreichen Tech-Unternehmen und Finanzinstituten die Initiative Akrites gestartet. Ziel ist es, den Umgang mit Sicherheitslücken in wichtiger Open-Source-Software zentral zu koordinieren, sie vertraulich mit den jeweiligen Projektverantwortlichen zu beheben und erst anschließend offenzulegen. Hintergrund ist die wachsende Sorge, dass moderne KI-Modelle Schwachstellen deutlich schneller finden als bisher und damit den Zeitdruck für Verteidiger erheblich erhöhen.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p>Zu den Gründungsmitgliedern gehören unter anderem Amazon Web Services, Anthropic, Cisco, Google, IBM, Microsoft, GitHub, Nvidia, OpenAI, Red Hat sowie JPMorganChase, Citi und Vodafone. Die beteiligten Unternehmen wollen Personal, Sicherheitswissen und finanzielle Mittel bereitstellen.</p>
<h3 class="subheading" id="nav_reaktion_auf__0">Reaktion auf KI-gestützte Schwachstellenanalyse</h3>
<p>Nach <a href="https://akrites.org/linux-foundation-and-industry-leaders-launch-akrites-to-defend-critical-open-source-software-against-ai-enabled-cyber-threats/">Angaben in der Ankündigung der Linux Foundation</a> verändert generative KI die Sicherheitslandschaft grundlegend. Während die Suche nach schwerwiegenden Sicherheitslücken bislang viel Fachwissen und oft Wochen an Analyse erforderte, könnten <a href="http://www.heise.de/news/Anthropics-neues-KI-Modell-Mythos-Zu-gefaehrlich-fuer-die-Oeffentlichkeit-11248034.html">leistungsfähige KI-Modelle</a> große Open-Source-Projekte inzwischen innerhalb weniger Minuten auf potenzielle Schwachstellen untersuchen. Dadurch verkürze sich die Zeit zwischen dem Auffinden einer Lücke und ihrer möglichen Ausnutzung erheblich.</p>
<p>Akrites soll diese Entwicklung mit einem gemeinsamen Sicherheitsprozess beantworten. Statt dass mehrere Unternehmen dieselbe Schwachstelle unabhängig voneinander melden oder unterschiedliche Patches entwickeln, bündelt die Initiative die Koordination. Kern des Projekts sind ein gemeinsames Security Incident Response Team (SIRT) sowie ein einheitlicher Prozess zur koordinierten Offenlegung von Sicherheitslücken (Coordinated Vulnerability Disclosure, CVD). Die beteiligten Organisationen wollen bestätigte Schwachstellen gemeinsam mit den Upstream-Maintainern beheben, bevor Details veröffentlicht werden.</p>
<h3 class="subheading" id="nav_maintainer__1">Maintainer sollen entlastet werden</h3>
<p>Ein Schwerpunkt liegt auf der Zusammenarbeit mit den Entwicklern der betroffenen Open-Source-Projekte. Laut Linux Foundation sollen Fehlerbehebungen grundsätzlich in die Originalprojekte zurückfließen. Maintainer behalten die Kontrolle über ihre Projekte und sollen nicht mit mehrfachen oder widersprüchlichen Sicherheitsmeldungen belastet werden.</p>
<p>Für Pakete, die nicht mehr aktiv gepflegt werden, sieht Akrites zudem eine Rolle als „Maintainer of Last Resort“ vor. In solchen Fällen soll die Initiative Korrekturen für aktuelle Versionen bereitstellen, damit kritische Sicherheitslücken auch dann geschlossen werden können, wenn ursprüngliche Entwickler nicht mehr verfügbar sind.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<h3 class="subheading" id="nav_aufbau_auf__2">Aufbau auf bestehenden Sicherheitsstandards</h3>
<p>Technisch setzt Akrites auf etablierte Verfahren und Standards der IT-Sicherheitsbranche. Dazu zählen unter anderem CVE zur Identifikation von Schwachstellen, CVSS zur Bewertung ihrer Schwere sowie CWE zur Klassifizierung von Schwachstellentypen. Dadurch soll sich die Initiative in bestehende Prozesse von Softwareherstellern, Sicherheitsforschern und Betreibern kritischer Infrastruktur einfügen.</p>
<p>Die Anschubfinanzierung übernimmt Alpha-Omega, ein Förderfonds der Linux Foundation für Open-Source-Sicherheit. Weitere Unternehmen und Organisationen können sich beteiligen, indem sie Entwicklerkapazitäten oder finanzielle Mittel bereitstellen. Parallel zum Start hat die Initiative einen <a href="https://akrites.org/letter/">offenen Brief</a> veröffentlicht, in dem die Gründungsmitglieder zu einer gemeinsamen Absicherung der Open-Source-Infrastruktur aufrufen.</p>
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="http://www.heise.de/ix" name="meldung.newsticker.inline.branding_ix" title="Mehr von iX Magazin">
<a-img alt="Mehr von iX Magazin" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/7/6/ho_markenbanner_mobil_ix-c627affd5b73ee46.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Mehr von iX Magazin" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Mehr von iX Magazin" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/7/9/7/6/ho_markenbanner_desktop_neu_ix2-7dde18964795e578.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Mehr von iX Magazin" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:fo@ix.de" title="Moritz Förster">fo</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11347664"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11347664: Neue Allianz für mehr Open-Source-Schutz"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
2026-06-29T10:37:00.000Z
urn:bid:5108188
2026-06-29T09:43:00.000Z
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Microsoft Threat Intelligence beobachtet eine mehrstufige Angriffswelle auf das Hotel- und Gastgewerbe in Asien und Europa.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Cyberattacks-on-hospitality-perpetrators-establish-a-foothold-11347718.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FCyberangriffe-auf-Hotel-und-Gastgewerbe-Taeter-nisten-sich-ein-11347609.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FCyberangriffe-auf-Hotel-und-Gastgewerbe-Taeter-nisten-sich-ein-11347609.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Cyberangriffe-auf-Hotel-und-Gastgewerbe-Taeter-nisten-sich-ein-11347609.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Cyberangriffe-auf-Hotel-und-Gastgewerbe-Taeter-nisten-sich-ein/forum-585689/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>38</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/1/8/8/shutterstock_2602293623-faec070b7a2b1197.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/1/8/8/shutterstock_2602293623-faec070b7a2b1197.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/1/8/8/shutterstock_2602293623-faec070b7a2b1197.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/1/8/8/shutterstock_2602293623-faec070b7a2b1197.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/1/8/8/shutterstock_2602293623-faec070b7a2b1197.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/1/8/8/shutterstock_2602293623-faec070b7a2b1197.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Man,Interacting,With,A,Holographic,Touchscreen,Interface,In,Red,Color."
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: amgun/ Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-29T11:43:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>29.06.2026,
</span>
<span class="a-datetime__time ">11:43
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
3 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Dirk-Knop-3629568"
class="creator__link"
>Dirk Knop</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Cyberattacks-on-hospitality-perpetrators-establish-a-foothold-11347718.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Microsoft hat eine Angriffswelle auf das Hotel- und Gastgewerbe in Asien und Europa beobachtet. Sie läuft bereits seit April dieses Jahres. Die Quelle der Angriffe mag <a href="http://www.heise.de/thema/Microsoft" rel="external noopener" target="_blank">Microsoft</a> jedoch nicht genau einordnen – es bleibt unklar, wer hinter den Attacken steckt.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p><a href="https://www.microsoft.com/en-us/security/blog/2026/06/25/photo-zip-campaign-targeting-hospitality-industry-delivers-node-js-implant-persistent-access/" rel="external noopener" target="_blank">Microsoft berichtet in einem Blogbeitrag</a>, dass die Malware-Kampagne auf .zip-Dateien mit Foto-Namensschema setzt. Die laden potenzielle Opfer mit dem Webbrowser herunter. In den Archiven finden sich Shortcut-Dateien (Verknüpfungen), die als Bilder getarnt sind. Sofern ein Opfer diese etwa mittels Doppelklick startet, fangen diese eine Angriffskette an, die auf verschleierter PowerShell fußt. In der Folge installiert sie ein Node.js-Implantat, nistet sich zweifach in der Registry ein, um Persistenz zu erreichen und kommuniziert mit den Command-and-Control-Servern (C2) über Ports abseits der Standardports.</p>
<h3 class="subheading" id="nav_kampagnen_ziel__0">Kampagnen-Ziel unklar</h3>
<p>Die IT-Sicherheitsforscher von Microsoft führen weiter aus, dass die Täter die betroffenen Maschinen nach der Infektion am C2-Server anmelden. Teils erzwingen sie das Herunterfahren der Systeme. Außerdem kompilieren sie Binärdateien im Portable-Executable-Format (PE). Allerdings bleibt den IT-Forschern zufolge unklar, was das eigentliche Ziel der Angreifer ist. Durch die Verschleierung und das Einnisten gehen sie jedoch davon aus, dass sie Nachfolge-Aktivitäten auf den kompromittierten Systemen planen.</p>
<p>Die Drahtzieher hinter der Kampagne haben im Mai dieses Jahres legitime Dienste missbraucht, um Phishing-E-Mails an die Opfer zu senden. Darunter die Cloud-Plattform Calendly und Googles URL-Redirector-Dienst. In Anlehnung an „Geldwäsche“ bezeichnen Microsofts IT-Forscher das als „Authentifizierungswäsche“. Die Phishingmails erhalten dadurch einen seriöseren Anstrich. Die Betrugsmails waren mehrsprachig, mit unterschiedlichen Ködern und Betreffzeilen. Thematisch gaben die Angreifer vor, es gehe um Beschwerden von Gästen und Zimmeranfragen. Das soll die Angestellten der Hotel- und Gastwirtschaftsbetriebe dazu bringen, die E-Mails zu lesen und die enthaltenen bösartigen Links und Dateien zu öffnen.</p>
<p>In den zwei beobachteten Wellen der Kampagne kamen zunächst bösartige Dateien nach dem Namensschema „IMG<Zufallszahl>.png.lnk“ zum Einsatz, in der zweiten hingegen „PHOTO<Zufallszahl>.png.lnk“. Die zweite Welle war noch etwas ausgefeilter und kompiliert dynamisch eine .NET-DLL mittels „csc.exe“. Die C2-Infrastruktur haben die Täter zudem auf „.cfd“-Domains ausgeweitet, die hinter Cloudflare-Schutz gehostet werden. Der Blogbeitrag beschreibt die einzelnen Stufen der Angriffe für Interessierte im Detail.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Während Microsofts IT-Forscher sich nicht sicher sind, was die Angreifer bezwecken, fällt die Kampagne in die Zeit, in der viele Menschen ihren Urlaub buchen. Uns erreichen noch immer zahlreiche Hinweise, dass Leser nach Buchung eines Hotelzimmers Phishing-WhatsApp-Nachrichten mit echten Daten und Bezug auf die Buchung erhalten. Im März hatten etwa<a href="http://www.heise.de/news/Best-Western-Hotels-Weltweite-Cyberangriffe-auf-touristische-Buchungssysteme-11205460.html"> die Best Western Hotels vor Cyberangriffen auf touristische Buchungssysteme</a> gewarnt. Im April wurde bekannt, dass auch bei <a href="http://www.heise.de/news/Booking-com-Unbefugte-Zugriffe-von-Kriminellen-entdeckt-11256689.html">Booking.com Zugriffe von unbefugten Kriminellen entdeckt</a> wurden.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:dmk@heise.de" title="Dirk Knop">dmk</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11347609"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11347609: Cyberangriffe auf Hotel- und Gastgewerbe: Täter nisten sich ein"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<a
href="${url}"
title="${title}"
class="
a-article-teaser__link
"
data-upscore-url
data-google-interstitial=false
>
<figure
class=" a-article-teaser__image-container"
>
<div
>
<a-img
width="16"
height="9"
layout="responsive"
src="${image}"
alt="${title}"
quality="85"
high-dpi-quality="70"
style="
aspect-ratio: 16 / 9;"
>
<img
src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E"
width="16"
height="9"
alt="${title}"
style="aspect-ratio: 16 / 9; object-fit: cover;"
>
</a-img>
</div>
</figure>
<div
class="
a-article-teaser__content-container
"
>
<header>
<h3
class="
a-article-teaser__title
"
>
<span class="
a-article-teaser__kicker
"
>
${intro}
</span>
<span class="a-article-teaser__title-text" data-upscore-title>
<svg
xmlns="http://www.w3.org/2000/svg"
viewBox="0 0 32 32"
role="img"
preserveAspectRatio="xMinYMin"
class="heise-plus-logo a-article-teaser__plus-icon"
>
<style>
.plus-icon-svg-rec {
fill: #14315b;
}
.plus-icon-svg-path {
fill: #f2f2f2;
}
.dark .plus-icon-svg-rec {
fill: #f2f2f2;
}
.dark .plus-icon-svg-path {
fill: #323232;
}
</style>
<rect class="plus-icon-svg-rec" width="32" height="32" rx="12" ry="12"/>
<path class="plus-icon-svg-path" d="M24 14.3h-6.3V8h-3.4v6.3H8v3.4h6.3V24h3.4v-6.3H24z"/>
</svg>${title}
</span>
</h3>
</header>
<p class="
a-article-teaser__synopsis
"
>${lead} </p>
</div>
</a>
<div class="article-layout__header-container">
<!-- RSPEAK_START -->
<header
class="
a-article-header
">
<p class="a-article-header__lead" dir="ltr">
Microsoft Threat Intelligence beobachtet eine mehrstufige Angriffswelle auf das Hotel- und Gastgewerbe in Asien und Europa.
</p>
<!-- RSPEAK_STOP -->
<div class="a-article-header__service a-article-header__service--right">
<a
href="http://www.heise.de/en/news/Cyberattacks-on-hospitality-perpetrators-establish-a-foothold-11347718.html"
title="Change language"
class="a-article-action"
name="sprache.en"
>
<svg
xmlns="http://www.w3.org/2000/svg"
class="a-article-header__flag"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class="a-article-header__flag-stroke"
/>
</svg>
</a>
<a
href="//app-eu.readspeaker.com/cgi-bin/rsent?customerid=4407&lang=de_de&readid=meldung&url=https%3A%2F%2Fwww.heise.de%2Fnews%2FCyberangriffe-auf-Hotel-und-Gastgewerbe-Taeter-nisten-sich-ein-11347609.html%3Fseite%3Dall"
title="Beitrag vorlesen und MP3-Download"
class="a-article-action
js-article-header__readspeaker"
name="meldung.security.header.vorlesen"
data-read-aloud-url="https%3A%2F%2Fwww.heise.de%2Fnews%2FCyberangriffe-auf-Hotel-und-Gastgewerbe-Taeter-nisten-sich-ein-11347609.html%3Fseite%3Dall"
data-iso-language-code="de"
target="_blank"
rel="nofollow noopener noreferrer"
>
<span class="a-u-sr-only">vorlesen</span>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#readspeaker"></use>
</svg>
</a>
<a
href="http://www.heise.de/news/Cyberangriffe-auf-Hotel-und-Gastgewerbe-Taeter-nisten-sich-ein-11347609.html?view=print"
class="
link
a-article-action a-u-show-from-tablet
"
name="meldung.security.header.drucken"
title="Druckansicht"
rel="nofollow"
>
<svg
id=""
xmlns="http://www.w3.org/2000/svg"
class="a-article-action__icon"
viewBox="0 0 24 24"
>
<path d="M22,7H19V2H5V7H2A2,2,0,0,0,0,9v7a2,2,0,0,0,2,2H5v4H19V18h3a2,2,0,0,0,2-2V9A2,2,0,0,0,22,7ZM7,4H17V7H7ZM17,20H7V15H17v5Zm5-5a1,1,0,0,1-1,1H19V13H5v3H3a1,1,0,0,1-1-1V10A1,1,0,0,1,3,9H21a1,1,0,0,1,1,1Z"/>
</svg>
<span
class="a-u-sr-only"
>
Druckansicht
</span>
</a>
<a
href="http://www.heise.de/forum/heise-online/Kommentare/Cyberangriffe-auf-Hotel-und-Gastgewerbe-Taeter-nisten-sich-ein/forum-585689/comment/"
class="a-article-action"
name="meldung.security.header.kommentarelesen"
title="Kommentar lesen"
>
<svg class="a-article-action__icon">
<use href="http://www.heise.de/icons/common-icons.svg#comment-bubble"></use>
</svg>
<span class="a-article-action__label">
<span>38</span>
<span class="a-u-sr-only">Kommentare lesen</span>
</span>
</a>
</div>
<a-lightbox
class="article-image"
tabindex="1"
src="/imgs/18/5/1/0/8/1/8/8/shutterstock_2602293623-faec070b7a2b1197.jpeg"
>
<figure
>
<div
class="article-image__gallery-container"
>
<img
src="https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/5/1/0/8/1/8/8/shutterstock_2602293623-faec070b7a2b1197.jpeg"
srcset="
https://heise.cloudimg.io/width/336/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/1/8/8/shutterstock_2602293623-faec070b7a2b1197.jpeg 336w,
https://heise.cloudimg.io/width/1008/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/1/8/8/shutterstock_2602293623-faec070b7a2b1197.jpeg 1008w,
https://heise.cloudimg.io/width/610/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/1/8/8/shutterstock_2602293623-faec070b7a2b1197.jpeg 610w,
https://heise.cloudimg.io/width/1220/q70.png-lossy-70.webp-lossy-70.foil1/_www-heise-de_/imgs/18/5/1/0/8/1/8/8/shutterstock_2602293623-faec070b7a2b1197.jpeg 1220w
"
sizes="(max-width: 991px) 95vw,610px"
alt="Man,Interacting,With,A,Holographic,Touchscreen,Interface,In,Red,Color."
width="610"
height="342"
class="legacy-img "
loading="eager"
decoding="async"
style="background-color: #f2f2f2;"
onload="this.style=null;"
>
</div>
<figcaption
class="a-caption "
> <p class="a-caption__source">
(Bild: amgun/ Shutterstock.com)
</p>
</figcaption>
</figure>
</a-lightbox>
<!-- RSPEAK_START -->
<div class="a-article-header__publish-info">
<div class="a-publish-info ">
<time
datetime="2026-06-29T11:43:00+02:00"
class="
a-datetime
a-publish-info__datetime"
>
<span
class="
a-datetime__date
a-publish-info__date"
>29.06.2026,
</span>
<span class="a-datetime__time ">11:43
</span>
<span
class="
a-datetime__word
"
>
<!-- RSPEAK_STOP -->Uhr<!-- RSPEAK_START -->
</span>
</time>
<!-- RSPEAK_STOP -->
<div class="a-publish-info__read-time">
<span class="a-publish-info__read-time-value">
Lesezeit:
3 Min.
</span>
</div>
<div class="a-publish-info__branding">
<a href="http://www.heise.de/security/">
<div
class="a-article-branding a-article-branding--with-hover"
title="Ein Beitrag von: Security"
>
Security
</div>
</a>
</div>
<!-- RSPEAK_START -->
</div>
<div class="creator">
<span class="creator__label">
Von
</span>
<ul class="creator__names">
<li class="creator__name"><a
href="http://www.heise.de/autor/Dirk-Knop-3629568"
class="creator__link"
>Dirk Knop</a></li>
</ul>
</div>
</div></header>
</div>
<div class="article-layout__content-container">
<div
class="article-layout__content"
dir="ltr"
>
<div class="article-content">
<details class="notice-banner a-box a-box--full-bordered a-box--notice a-u-mb-2">
<summary class="notice-banner__summary" aria-label="close notice">
<span class="a-u-sr-only">close notice</span>
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__close-icon"
viewBox="0 0 24 24"
role="img"
aria-hidden="true"
stroke="currentColor"
>
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
</svg>
</summary>
<div class="notice-banner__content a-box__content" lang="en-GB">
<svg
xmlns="http://www.w3.org/2000/svg"
class="notice-banner__flag-icon"
width="24"
height="24"
viewBox="0 0 24 24"
>
<defs>
<clipPath id="clippath">
<rect x="2" y="2" width="20" height="20" fill="none" stroke-width="0"/>
</clipPath>
</defs>
<g clip-path="url(#clippath)">
<g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="#f0f0f0" stroke-width="0"/>
<path d="m4.07,5.91c-.79,1.02-1.38,2.2-1.72,3.48h5.2l-3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.66,9.39c-.34-1.28-.94-2.46-1.72-3.48l-3.48,3.48h5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m2.34,14.61c.34,1.28.94,2.46,1.72,3.48l3.48-3.48H2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m18.09,4.07c-1.02-.79-2.2-1.38-3.48-1.72v5.2l3.48-3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m5.91,19.93c1.02.79,2.2,1.38,3.48,1.72v-5.2l-3.48,3.48Z" fill="#0052b4" stroke-width="0"/>
<path d="m9.39,2.34c-1.28.34-2.46.94-3.48,1.72l3.48,3.48V2.34Z" fill="#0052b4" stroke-width="0"/>
<path d="m14.61,21.66c1.28-.35,2.46-.94,3.48-1.72l-3.48-3.48v5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m16.45,14.61l3.48,3.48c.79-1.02,1.38-2.2,1.72-3.48h-5.2Z" fill="#0052b4" stroke-width="0"/>
<path d="m21.92,10.7h-8.61V2.08c-.43-.06-.86-.08-1.3-.08s-.88.03-1.3.08v8.61h0s-8.61,0-8.61,0c-.06.43-.08.86-.08,1.3s.03.88.08,1.3h8.61v8.61c.43.06.86.08,1.3.08s.88-.03,1.3-.08v-8.61h0s8.61,0,8.61,0c.06-.43.08-.86.08-1.3s-.03-.88-.08-1.3h0Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,14.61l4.46,4.46c.21-.21.4-.42.59-.64l-3.82-3.82h-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,14.61h0l-4.46,4.46c.21.21.42.4.64.59l3.82-3.82v-1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m9.39,9.39h0l-4.46-4.46c-.21.21-.4.42-.59.64l3.82,3.82h1.23Z" fill="#d80027" stroke-width="0"/>
<path d="m14.61,9.39l4.46-4.46c-.21-.21-.42-.4-.64-.59l-3.82,3.82v1.23Z" fill="#d80027" stroke-width="0"/>
</g>
</g>
<path d="m12,22c5.52,0,10-4.48,10-10S17.52,2,12,2,2,6.48,2,12s4.48,10,10,10Z" fill="none"
class=""
/>
</svg>
<p class="notice-banner__text a-u-mb-0">
This article is also available in
<a href="http://www.heise.de/en/news/Cyberattacks-on-hospitality-perpetrators-establish-a-foothold-11347718.html" class="notice-banner__link a-u-inline-link">English</a>.
It was translated with technical assistance and editorially reviewed before publication.
</p>
<p class="notice-banner__link a-u-mb-0">
<button data-action="hide-en-pointer" class="notice-banner__hide-link">Don’t show this again</button>.
</p>
</div>
</details>
<p>Microsoft hat eine Angriffswelle auf das Hotel- und Gastgewerbe in Asien und Europa beobachtet. Sie läuft bereits seit April dieses Jahres. Die Quelle der Angriffe mag <a href="http://www.heise.de/thema/Microsoft" rel="external noopener" target="_blank">Microsoft</a> jedoch nicht genau einordnen – es bleibt unklar, wer hinter den Attacken steckt.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-3">
<div class="ad-label" id="HEI_M_Incontent-1-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-1"></div>
</div>
<!-- RSPEAK_START -->
<p><a href="https://www.microsoft.com/en-us/security/blog/2026/06/25/photo-zip-campaign-targeting-hospitality-industry-delivers-node-js-implant-persistent-access/" rel="external noopener" target="_blank">Microsoft berichtet in einem Blogbeitrag</a>, dass die Malware-Kampagne auf .zip-Dateien mit Foto-Namensschema setzt. Die laden potenzielle Opfer mit dem Webbrowser herunter. In den Archiven finden sich Shortcut-Dateien (Verknüpfungen), die als Bilder getarnt sind. Sofern ein Opfer diese etwa mittels Doppelklick startet, fangen diese eine Angriffskette an, die auf verschleierter PowerShell fußt. In der Folge installiert sie ein Node.js-Implantat, nistet sich zweifach in der Registry ein, um Persistenz zu erreichen und kommuniziert mit den Command-and-Control-Servern (C2) über Ports abseits der Standardports.</p>
<h3 class="subheading" id="nav_kampagnen_ziel__0">Kampagnen-Ziel unklar</h3>
<p>Die IT-Sicherheitsforscher von Microsoft führen weiter aus, dass die Täter die betroffenen Maschinen nach der Infektion am C2-Server anmelden. Teils erzwingen sie das Herunterfahren der Systeme. Außerdem kompilieren sie Binärdateien im Portable-Executable-Format (PE). Allerdings bleibt den IT-Forschern zufolge unklar, was das eigentliche Ziel der Angreifer ist. Durch die Verschleierung und das Einnisten gehen sie jedoch davon aus, dass sie Nachfolge-Aktivitäten auf den kompromittierten Systemen planen.</p>
<p>Die Drahtzieher hinter der Kampagne haben im Mai dieses Jahres legitime Dienste missbraucht, um Phishing-E-Mails an die Opfer zu senden. Darunter die Cloud-Plattform Calendly und Googles URL-Redirector-Dienst. In Anlehnung an „Geldwäsche“ bezeichnen Microsofts IT-Forscher das als „Authentifizierungswäsche“. Die Phishingmails erhalten dadurch einen seriöseren Anstrich. Die Betrugsmails waren mehrsprachig, mit unterschiedlichen Ködern und Betreffzeilen. Thematisch gaben die Angreifer vor, es gehe um Beschwerden von Gästen und Zimmeranfragen. Das soll die Angestellten der Hotel- und Gastwirtschaftsbetriebe dazu bringen, die E-Mails zu lesen und die enthaltenen bösartigen Links und Dateien zu öffnen.</p>
<p>In den zwei beobachteten Wellen der Kampagne kamen zunächst bösartige Dateien nach dem Namensschema „IMG<Zufallszahl>.png.lnk“ zum Einsatz, in der zweiten hingegen „PHOTO<Zufallszahl>.png.lnk“. Die zweite Welle war noch etwas ausgefeilter und kompiliert dynamisch eine .NET-DLL mittels „csc.exe“. Die C2-Infrastruktur haben die Täter zudem auf „.cfd“-Domains ausgeweitet, die hinter Cloudflare-Schutz gehostet werden. Der Blogbeitrag beschreibt die einzelnen Stufen der Angriffe für Interessierte im Detail.</p>
<!-- RSPEAK_STOP -->
<div class="ad ad--inread">
<div class="ad--inread-header">
<p class="ad--inread-header__text">
Videos by heise
</p>
<div class="ad--inread-header__more">
<button class="ad--inread-header-menu-toggle" popovertarget="ad--inread-header-menu">
mehr Videos
<svg fill="none" height="24" viewbox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg">
<path d="M8.625 12.0023C8.625 12.2094 8.45711 12.3773 8.25 12.3773C8.04289 12.3773 7.875 12.2094 7.875 12.0023C7.875 11.7952 8.04289 11.6273 8.25 11.6273C8.45711 11.6273 8.625 11.7952 8.625 12.0023ZM8.625 12.0023H8.25M12.375 12.0023C12.375 12.2094 12.2071 12.3773 12 12.3773C11.7929 12.3773 11.625 12.2094 11.625 12.0023C11.625 11.7952 11.7929 11.6273 12 11.6273C12.2071 11.6273 12.375 11.7952 12.375 12.0023ZM12.375 12.0023H12M16.125 12.0023C16.125 12.2094 15.9571 12.3773 15.75 12.3773C15.5429 12.3773 15.375 12.2094 15.375 12.0023C15.375 11.7952 15.5429 11.6273 15.75 11.6273C15.9571 11.6273 16.125 11.7952 16.125 12.0023ZM16.125 12.0023H15.75M21 12.0023C21 16.9729 16.9706 21.0023 12 21.0023C7.02944 21.0023 3 16.9729 3 12.0023C3 7.03176 7.02944 3.00232 12 3.00232C16.9706 3.00232 21 7.03176 21 12.0023Z" stroke="#777" stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5"></path>
</svg>
</button>
<div class="ad--inread-header-menu" id="ad--inread-header-menu" popover>
<ul class="a-u-mb-0">
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/@ct3003" target="_blank">
c't 3003
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://www.youtube.com/heiseonline" target="_blank">
heise & ct
</a>
</li>
<li>
<a class="ad--inread-header-menu-link" href="https://peertube.heise.de/" target="_blank">
Peertube
</a>
</li>
</ul>
</div>
</div>
</div>
<figure class="video video--fullwidth">
<a-video height="9" instant is-target-video-ai-matching style="aspect-ratio: 16 / 9" type="targetvideo" width="16"></a-video>
</figure>
</div>
<!-- RSPEAK_START -->
<p>Während Microsofts IT-Forscher sich nicht sicher sind, was die Angreifer bezwecken, fällt die Kampagne in die Zeit, in der viele Menschen ihren Urlaub buchen. Uns erreichen noch immer zahlreiche Hinweise, dass Leser nach Buchung eines Hotelzimmers Phishing-WhatsApp-Nachrichten mit echten Daten und Bezug auf die Buchung erhalten. Im März hatten etwa<a href="http://www.heise.de/news/Best-Western-Hotels-Weltweite-Cyberangriffe-auf-touristische-Buchungssysteme-11205460.html"> die Best Western Hotels vor Cyberangriffen auf touristische Buchungssysteme</a> gewarnt. Im April wurde bekannt, dass auch bei <a href="http://www.heise.de/news/Booking-com-Unbefugte-Zugriffe-von-Kriminellen-entdeckt-11256689.html">Booking.com Zugriffe von unbefugten Kriminellen entdeckt</a> wurden.</p>
<!-- RSPEAK_STOP -->
<div class="ad-mobile-group-1">
<div class="ad-label" id="HEI_M_Incontent-2-label" style="display: none;">
Weiterlesen nach der Anzeige
</div>
<div class="ad ad--sticky" id="HEI_M_Incontent-2"></div>
</div>
<!-- RSPEAK_START -->
<!-- RSPEAK_STOP -->
<div id="wtma_teaser_ho_vertrieb_inline_branding">
<figure class="branding">
<a href="https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&amp;wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp" name="meldung.newsticker.inline.branding_security" title="Jetzt heise security PRO entdecken">
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-hide-from-tablet" height="693" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_1386x800px-da2d5fade264ec54.png" style="aspect-ratio: 1200 / 693;" width="1200">
<img alt="Jetzt heise security PRO entdecken" height="693" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1200 / 693; object-fit: cover;" width="1200">
</a-img>
<a-img alt="Jetzt heise security PRO entdecken" class="a-u-show-from-tablet" height="500" high-dpi-quality="100" quality="100" src="/imgs/09/4/8/9/8/0/5/9/HSP-Kampa-2026_2927x800px-e80ba1d23903c359.png" style="aspect-ratio: 1830 / 500;" width="1830">
<img alt="Jetzt heise security PRO entdecken" height="500" src="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='696px' height='391px' viewBox='0 0 696 391'%3E%3Crect x='0' y='0' width='696' height='391' fill='%23f2f2f2'%3E%3C/rect%3E%3C/svg%3E" style="aspect-ratio: 1830 / 500; object-fit: cover;" width="1830">
</a-img>
</a>
</figure>
</div>
<!-- RSPEAK_START -->
<p>
<!-- RSPEAK_STOP -->
<span class="redakteurskuerzel ISI_IGNORE">(<a class="redakteurskuerzel__link" href="mailto:dmk@heise.de" title="Dirk Knop">dmk</a>)</span>
<!-- RSPEAK_START -->
</p>
<!-- RSPEAK_STOP -->
<a-gift has-access>
<div data-show-has-gift-no-access>
<div class="curtain curtain--gradient article-layout__curtain"
data-teaser-tracking-id="gift_curtain_11347609"
data-teaser-tracking-name="gift_curtain"
data-teaser-tracking-rank="11347609: Cyberangriffe auf Hotel- und Gastgewerbe: Täter nisten sich ein"
data-teaser-tracking-content="gift_curtain"
google-curtain
>
</div>
</div>
</a-gift>
</div>
</div>
</div>
<a index="0" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-der-beste-ventilator-im-test-switchbot-standventilator-ist-testsieger/3vw0k3j?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 md:w-full"><a-img width="3231" height="1816" src="https://www.heise.de/imgs/18/5/0/9/9/7/5/5/b175fff1ca43637c.jpeg" style="aspect-ratio:3231 / 1816"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3231" height="1816" style="aspect-ratio:3231 / 1816;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-xl md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Der beste Ventilator im Test</span></span></h3></header></div></a><a index="1" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-speicher-fuer-balkonkraftwerk-im-test-zendure-vor-solakon-und-marstek/9g7b03h?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3324" height="1868" src="https://www.heise.de/imgs/18/5/1/0/7/8/9/6/9c8d81ffe45939a8.jpeg" style="aspect-ratio:3324 / 1868"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3324" height="1868" style="aspect-ratio:3324 / 1868;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Speicher für Balkonkraftwerk im Test</span></span></h3></header></div></a><a index="2" data-component="TeaserLinkContainer" href="https://www.heise.de/bestenlisten/testsieger/top-10-carplay-wireless-adapter-im-test-iphone-im-auto-kabellos-nutzen/wwqt5v6?wt_mc=intern.red.bestenlisten.bestenlisten_beitragsbuehne.beitrag.buehne.buehne" class="group/teaser" data-google-interstitial="true" data-upscore-url="true"><figure data-component="Image" class="mb-4 float-right ml-4 w-[28%] md:float-none md:ml-0 md:w-full"><a-img width="3761" height="2113" src="https://www.heise.de/imgs/18/5/1/0/6/9/5/7/_-c63dc724738e1439.jpeg" style="aspect-ratio:3761 / 2113"><img src="data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB3aWR0aD0iNjk2cHgiIGhlaWdodD0iMzkxcHgiIHZpZXdCb3g9IjAgMCA2OTYgMzkxIiB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiPgogICAgPGcgc3Ryb2tlPSJub25lIiBmaWxsPSIjZjJmMmYyIiBmaWxsLW9wYWNpdHk9IjEiPgogICAgICAgIDxyZWN0IHg9IjAiIHk9IjAiIHdpZHRoPSI2OTYiIGhlaWdodD0iMzkxIj48L3JlY3Q+CiAgICA8L2c+Cjwvc3ZnPg==" width="3761" height="2113" style="aspect-ratio:3761 / 2113;object-fit:cover"/></a-img></figure><div data-component="TeaserLinkContainer" class="-translate-y-1.5 md:transform-none"><header data-component="TeaserHeader"><h3 class="flex flex-col"><span data-component="TeaserHeadline" class="text-lg leading-snug md:text-xl md:leading-snug max-w-prose font-bold group-hover/teaser:text-brand-branding dark:group-hover/teaser:text-white"><span data-upscore-title="true">Top 10: Carplay-Wireless-Adapter im Test</span></span></h3></header></div></a>
2026-06-29T09:43:00.000Z