All news in category "Security Advisory and Patch Watch"

Actively Exploited WSUS RCE Prompts Urgent Patching

⚠️ Microsoft has released an out-of-band patch for a critical WSUS vulnerability (CVE-2025-59287) that enables unauthenticated remote code execution by sending malicious encrypted cookies to the GetCookie() endpoint. Security vendors Huntress and HawkTrace reported active exploitation of publicly exposed WSUS instances on TCP ports 8530 and 8531. Administrators should prioritize applying the update immediately; if that is not possible, isolate WSUS servers, restrict access to management hosts and Microsoft Update servers, and block inbound traffic to ports 8530/8531 until systems are remediated.

Critical WSUS RCE (CVE-2025-59287) Actively Exploited

⚠️ A critical unauthenticated remote code execution vulnerability in Microsoft Windows Server Update Services was identified as CVE-2025-59287 and observed being actively exploited in October 2025. The flaw stems from unsafe deserialization in WSUS endpoints (GetCookie and ReportingWebService) and enables remote attackers to execute arbitrary code as SYSTEM. Microsoft issued an emergency out-of-band patch on Oct 23 after initial Patch Tuesday fixes were incomplete; organizations should apply the update or follow temporary mitigations such as disabling the WSUS Server Role or blocking inbound TCP ports 8530/8531 immediately.

QNAP: NetBak PC Backup Affected by Critical ASP.NET Flaw

🔔 QNAP has warned that its NetBak PC Agent, a Windows backup utility, may include an affected ASP.NET Core runtime vulnerable to CVE-2025-55315. The flaw resides in the Kestrel ASP.NET Core web server and can allow low-privileged attackers to hijack other users' credentials or bypass front-end security via HTTP request smuggling. QNAP recommends reinstalling the app or manually installing the latest ASP.NET Core Runtime (Hosting Bundle) from the .NET 8.0 downloads to secure systems.

Italian Spyware Vendor Linked to Chrome Zero-Day Attacks

🔎 Kaspersky links a Chrome zero-day used in Operation ForumTroll to spyware tied to Memento Labs, a company formed from assets of the former Hacking Team. The campaign, revealed in March, used targeted phishing invites to the Primakov Readings and exploited a sandbox escape (CVE-2025-2783) to deploy a persistent loader. That loader decrypted and executed LeetAgent, a modular spyware, and in some cases introduced the Dante implant. Chrome and Firefox received patches soon after the discovery.

CISA orders patch for critical WSUS RCE exploited now

🔔 CISA ordered U.S. federal agencies to urgently patch a critical, actively exploited Windows Server Update Services vulnerability (CVE-2025-59287) that enables unauthenticated remote code execution with SYSTEM privileges. Microsoft released out-of-band security updates after proof-of-concept exploit code appeared, and administrators are urged to install them immediately or disable the WSUS Server role as an interim mitigation. Security firms reported scanning and attacks against WSUS instances exposed on default ports 8530/8531, and CISA has added the flaw to its Known Exploited Vulnerabilities catalog, mandating federal patching under BOD 22-01.

Critical WordPress Plugin Flaws Exploited at Scale Globally

🔴 Wordfence warns that threat actors are actively exploiting three critical 2024 CVEs in popular WordPress plugins, GutenKit and Hunk Companion, which report more than 40,000 and 8,000 active installations respectively. The vulnerabilities permit unauthenticated attackers to install and activate arbitrary plugins or upload spoofed plugin files, enabling remote code execution (RCE) and straightforward site takeover when exploited or chained with other flaws. Discovered via Wordfence's bug bounty in late September and early October, the campaign reignited on 8 October and the vendor has already blocked nearly 8.8 million exploitation attempts while urging administrators to update or remove affected versions.

Critical Microsoft WSUS RCE Flaw Exploited in Wild Now

⚠️Microsoft released out-of-band updates to fully remediate a critical deserialization vulnerability in Windows Server Update Service (WSUS), tracked as CVE-2025-59287. The initial Oct. 14 fixes were incomplete, prompting emergency patches for multiple Windows Server versions. Exploits in the wild were reported after a public proof-of-concept was published, allowing remote code execution as SYSTEM on affected servers.

Mass Attacks Exploit Outdated WordPress Plugins in 2024

🔒 A large-scale campaign is exploiting outdated GutenKit and Hunk Companion WordPress plugins to achieve remote code execution by chaining unauthenticated or missing-authorization REST endpoint flaws (CVE-2024-9234, CVE-2024-9707, CVE-2024-11972). Wordfence observed 8.7 million blocked attempts across October 8–9. Attackers host a malicious ZIP plugin on GitHub that installs backdoors, and often drop the vulnerable wp-query-console plugin to gain RCE. Administrators should update affected plugins and scan for indicators of compromise immediately.

Microsoft issues emergency WSUS patch for critical RCE

⚠️ Microsoft released an out-of-band security update to address a critical WSUS remote code execution vulnerability, CVE-2025-59287 (CVSS 9.8). The flaw stems from unsafe deserialization of AuthorizationCookie objects at the GetCookie() endpoint, where AES-128-CBC-encrypted cookie payloads are decrypted and deserialized via BinaryFormatter without type validation, enabling SYSTEM-level code execution on servers running the WSUS role. Microsoft published updates for supported Windows Server releases and recommends installing the patch and rebooting; short-term mitigations include disabling the WSUS role or blocking TCP ports 8530 and 8531.

Critical WSUS RCE Flaw in Windows Server Exploited Now

⚠️Microsoft confirmed attackers are exploiting a critical Windows Server Update Service vulnerability tracked as CVE-2025-59287, a remote code execution flaw that affects servers running the WSUS Server role when configured as an update source for other WSUS servers. The bug can be abused remotely with low complexity and no user interaction to run code as SYSTEM, raising wormable concerns. Microsoft released out-of-band patches for all affected Windows Server versions and advised immediate installation or temporary disabling of the WSUS Server role; public proof-of-concept code and active scanning have been observed in the wild.

Microsoft Releases Out-of-Band WSUS Patch for CVE-2025-59287

⚠ Microsoft released an out-of-band security update (October 23, 2025) to remediate a critical Windows Server Update Service (WSUS) remote code execution vulnerability, CVE-2025-59287, after a prior fix proved incomplete. The flaw affects WSUS on Windows Server 2012, 2016, 2019, 2022, and 2025 and could allow an unauthenticated actor to execute code with SYSTEM privileges. CISA urges organizations to identify affected WSUS servers, apply the update and reboot, or temporarily disable the WSUS Server Role or block inbound TCP ports 8530/8531 as mitigations until the patch is installed.

CISA Adds Two Vulnerabilities to Known Exploited Catalog

🔔 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation: CVE-2025-54236, affecting Adobe Commerce and Magento, and CVE-2025-59287, affecting Microsoft Windows Server Update Services (WSUS). The issues—an improper input validation flaw and a deserialization of untrusted data vulnerability—are common attack vectors that pose significant risk to enterprise networks. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by required due dates, and CISA strongly urges all organizations to prioritize timely remediation as part of their vulnerability management.

Microsoft issues emergency WSUS updates for critical RCE

⚠️ Microsoft has released out-of-band security updates to remediate a critical WSUS vulnerability tracked as CVE-2025-59287. The flaw affects only Windows servers with the WSUS Server Role enabled and allows remote, unauthenticated attackers to execute code as SYSTEM in low-complexity attacks without user interaction. Microsoft published cumulative KB updates for all affected Server builds and requires a reboot; administrators who cannot patch immediately are advised to disable the WSUS role or block TCP ports 8530/8531 as temporary mitigations.

WhatsApp $1M Zero-Click Hack Mystery: Pwn2Own Outcome

🔐 A high-profile entry by a hacker known as ‘Eugene’ at Pwn2Own Ireland 2025 withdrew a claimed zero-click remote code execution exploit targeting WhatsApp, forfeiting the event’s $1 million top prize. Organizers Trend Micro ZDI say Team Z3 is sharing findings privately for coordinated disclosure to Meta, while WhatsApp reports no viable exploit was publicly demonstrated. The cancellation has fueled speculation about exploit readiness and underscores the role of responsible disclosure and rigorous triage before public demonstrations.

CISA Warns of Critical Lanscope Endpoint Manager Flaw

⚠️ CISA warns that attackers are exploiting a critical flaw (CVE-2025-61932) in Motex's Lanscope Endpoint Manager, enabling unauthenticated remote code execution via specially crafted packets. The issue affects client components in versions 9.4.7.2 and earlier; Motex has released patched client builds and noted managers do not require updates. No mitigations are available—install the vendor updates; CISA added the flaw to its KEV with a Nov. 12 remediation deadline for federal agencies.

Microsoft Disables Explorer Preview for Internet Files

🔒 Microsoft has updated File Explorer to disable the preview pane by default for files downloaded from the Internet or marked with the Mark of the Web. The change, included in Windows security updates released on and after October 14, 2025, is designed to block exploits that can leak NTLM hashes when previewed documents reference external resources. When preview is blocked, File Explorer shows a warning and users can manually unblock trusted files via Properties > Unblock or add the location to Trusted sites/Local intranet; a sign-out may be required for the change to take effect.

Veeder-Root TLS4B: Remote Command Injection and 2038 Bug

🔒 Veeder-Root's TLS4B Automatic Tank Gauge System contains two serious vulnerabilities: a SOAP-based command injection (CVE-2025-58428) that allows remote authenticated attackers to execute system-level commands, and an integer overflow/2038 time wraparound (CVE-2025-55067) that can disrupt authentication and core functions. The command injection carries very high severity (CVSS v3.1 9.9 / CVSS v4 9.4); Veeder-Root recommends upgrading to Version 11.A. For the time-related overflow, Veeder-Root is developing a patch and advises applying network-security best practices, isolating devices, and restricting access until a fix is available.

NIHON KOHDEN CNS-6201 NULL Pointer DoS Advisory Update

⚠️ A remote NULL pointer dereference in NIHON KOHDEN CNS-6201 central monitors can be triggered by a specially crafted UDP packet, causing the monitoring process to terminate and producing a denial-of-service. The issue is unauthenticated, reproducible when UDP is reachable, and is tracked as CVE-2025-59668 with CVSS v4 8.7. Vendor support for affected versions has ended; users should migrate to successor products or apply strict network-level mitigations such as isolation, boundary devices, and careful traffic monitoring.

ASKI Energy ALS-Mini S4/S8: Missing Authentication Flaw

⚠ An unauthenticated access vulnerability in the embedded web server of ASKI Energy ALS‑Mini‑S4 and ALS‑Mini‑S8 IP controllers allows remote actors to read and modify device configuration, potentially yielding full control. Tracked as CVE-2025-9574, the issue is a Missing Authentication for Critical Function (CWE‑306) with a CVSS v4 base score of 9.9. ABB reports these products reached end of life in 2022 and will not be patched; operators should remove internet exposure, place devices behind firewalls or secure proxies that enforce authentication and logging, restrict access to whitelisted IPs, monitor for unauthorized access with IDS/IPS, or physically disconnect the Ethernet port if web features are not required.

AutomationDirect Productivity Suite: Multiple High-Risk Flaws

⚠️ AutomationDirect's Productivity Suite and several Productivity PLC models contain multiple high-severity vulnerabilities — including relative path traversal (ZipSlip), a weak password recovery mechanism, incorrect permission assignment, and binding to an unrestricted IP address. Exploitation could allow remote attackers to read, write, or delete files, execute arbitrary code, or gain full control of projects. AutomationDirect has released updates (Productivity Suite v4.5.0.x and newer) and recommends applying the latest firmware and implementing network isolation and firewall/NAC controls if immediate upgrades are not possible.