All news in category "Security Advisory and Patch Watch"

Critical WatchGuard Fireware VPN Bug Allows Pre-Auth RCE

🔒 Researchers disclosed a recently patched critical vulnerability in WatchGuard Fireware (CVE-2025-9242, CVSS 9.3) that can allow unauthenticated attackers to execute arbitrary code via an out-of-bounds write in the iked process. The flaw affects multiple Fireware branches, including 11.10.2 through 11.12.4_Update1 (EOL noted for 11.x), 12.0 through 12.11.3 and 2025.1, and has been fixed across several updates such as 2025.1.1 and 12.11.4. Administrators are urged to apply the vendor updates immediately, limit internet exposure of VPN interfaces, and follow vendor mitigation guidance until patches are deployed.

Windows 11 updates break localhost HTTP/2 (127.0.0.1)

⚠️ Microsoft’s October Windows 11 updates (notably KB5066835 and the September preview KB5065789) have disrupted HTTP/2 connections to localhost (127.0.0.1), preventing local services and developer tools from completing requests. Users report errors such as "ERR_CONNECTION_RESET" and "ERR_HTTP2_PROTOCOL_ERROR" when applications attempt to connect to the loopback interface. Affected software includes Visual Studio debugging, SSMS Entra ID authentication, and Duo Desktop; community workarounds include disabling HTTP/2 via Registry entries or uninstalling the problematic updates.

Hackers Deploy Rootkit via Cisco SNMP Zero-Day on Switches

⚠️Threat actors exploited a recently patched SNMP remote code execution flaw (CVE-2025-20352) in older Cisco IOS and IOS XE devices to deploy a persistent Linux rootkit. Trend Micro reports the campaign targeted unprotected 9400, 9300 and legacy 3750G switches and has been tracked as Operation Zero Disco, named for the universal password that contains 'disco'. The implant can disable logging, bypass AAA and VTY ACLs, hide running-configuration items and enable lateral movement; researchers recommend low-level firmware and ROM-region checks when compromise is suspected.

Gladinet patches zero-day in CentreStack file sharing

🔒 Gladinet released an urgent update for its CentreStack business solution to fix a local file inclusion flaw tracked as CVE-2025-11371, which was abused in the wild as a zero-day. The LFI allowed attackers to read Web.config, extract the ASP.NET machine key, and then leverage a prior deserialization RCE (CVE-2025-30406) to achieve remote code execution. Administrators should upgrade to CentreStack version 16.10.10408.56683 immediately; if patching is not possible, disable the temp handler in Web.config for the UploadDownloadProxy component as a temporary mitigation.

Cisco SNMP Rootkit Campaign Targets Network Devices

🔒 Trend Micro detailed a campaign exploiting CVE-2025-20352 that installed Linux rootkits on exposed Cisco switches and routers, enabling persistent unauthorized access. The attackers combined an SNMP remote code execution with a modified Telnet flaw (based on CVE-2017-3881) to read and write device memory and deploy fileless backdoors. Affected models include Cisco 9400, 9300 and legacy 3750G series. Device owners should apply Cisco patches, disable or harden SNMP and restrict management access.

CISA Warns: Critical Adobe AEM Flaw Actively Exploited

🚨 CISA has added a maximum-severity vulnerability in Adobe Experience Manager (AEM) Forms to its Known Exploited Vulnerabilities Catalog after confirming active exploitation. Tracked as CVE-2025-54253, the flaw is an authentication bypass via Struts DevMode that can result in unauthenticated remote code execution on AEM JEE 6.5.23 and earlier. Adobe released fixes on August 9 after public proof-of-concept code appeared; CISA requires federal agencies to remediate by November 5 and urges all organizations to prioritize patching, apply vendor mitigations, or restrict Internet access to affected AEM Forms deployments.

Rockwell ArmorStart AOP: Uncaught Exception Causes DoS

⚠️ A remotely exploitable uncaught exception in Rockwell Automation's ArmorStart AOP for Studio 5000 Logix Designer can trigger a denial-of-service on versions V2.05.07 and earlier. The issue arises from invalid inputs to COM methods and is tracked as CVE-2025-9437 with a CVSS v4 base score of 8.7 (high). Rockwell reports no fix is available; users should apply vendor best practices and minimize network exposure.

Siemens TeleControl Server Basic: Remote Auth Bypass

🔒 Siemens TeleControl Server Basic V3.1 contains a critical missing-authentication vulnerability (CVE-2025-40765) that allows unauthenticated remote attackers to obtain user password hashes and perform authenticated database operations. The issue carries a CVSS v3.1 score of 9.8 and a CVSS v4 score of 9.3, with network attack vector and low attack complexity. Siemens advises updating to V3.1.2.3 or later and restricting access to port 8000; CISA emphasizes isolating control networks and minimizing internet exposure. Tenable reported the issue and, to date, CISA has not received reports of public exploitation.

CISA Issues Thirteen ICS Advisories on October 16, 2025

🔔 CISA released thirteen Industrial Control Systems (ICS) advisories on October 16, 2025, providing details on vulnerabilities and mitigations affecting multiple vendors. The advisories cover products from Rockwell Automation (FactoryTalk View Machine Edition, Linx, ViewPoint, ArmorStart AOP), Siemens (Solid Edge, SiPass Integrated, SIMATIC ET 200SP Communication Processors, SINEC NMS, TeleControl Server Basic, HyperLynx and Industrial Edge App Publisher), Hitachi Energy (MACH GWS), and updates for Schneider Electric and Delta Electronics. Administrators and operators are urged to review the technical details and apply recommended mitigations to reduce exposure and maintain operational continuity.

Siemens SiPass integrated vulnerabilities and update

🔒 Siemens released security updates for SiPass integrated to address four vulnerabilities—an Accusoft ImageGear heap-based buffer overflow, stored cross-site scripting, an authorization bypass via user-controlled keys, and recoverable password storage. Exploitation could enable account compromise, data manipulation, impersonation, or arbitrary code execution on affected servers. Siemens recommends updating to V3.0, restricting access to trusted personnel, and avoiding untrusted image uploads; CISA advises isolating devices and using secure remote access.

Siemens HyperLynx and Industrial Edge Publisher Security

⚠️ Siemens disclosed a type confusion vulnerability (CVE-2025-6554) affecting HyperLynx and Industrial Edge App Publisher, which can enable remote arbitrary read/write and potential code execution via crafted HTML. The issue carries a CVSS v4 base score of 7.0 and a v3.1 score up to 8.1 depending on context. Siemens has released v1.23.5 for App Publisher; no fix is available yet for HyperLynx. Organizations should restrict network exposure, isolate control systems, use secure remote access, and follow Siemens and CISA guidance to mitigate risk.

Siemens Solid Edge: Multiple PRT Parsing Vulnerabilities

🔒 Siemens' Solid Edge CAD applications contain multiple vulnerabilities in PRT file parsing—two out‑of‑bounds writes (CWE‑787) and two out‑of‑bounds reads (CWE‑125)—tracked as CVE‑2025‑40809 through CVE‑2025‑40812. Affected releases include SE2024 versions prior to V224.0 Update 14 and SE2025 versions prior to V225.0 Update 6. Exploitation could crash the application or enable code execution in the context of the current process; Siemens and CISA recommend applying the listed updates, avoiding untrusted PRT files, and limiting network exposure.

Rockwell Automation PanelView and FactoryTalk ME Flaws

🔒 Rockwell Automation disclosed vulnerabilities in FactoryTalk View Machine Edition and PanelView Plus 7 that can allow unauthorized access to device file systems and diagnostic data. CVE-2025-9064 is a network-exploitable path traversal issue; CVE-2025-9063 is an improper-authorization flaw tied to an ActiveX control. Rockwell recommends installing provided firmware and software updates, and CISA advises minimizing network exposure, isolating control networks, and using secure remote access.

Missing Authentication in Siemens SIMATIC ET 200SP Modules

⚠️ Siemens ProductCERT and CISA report a Missing Authentication for Critical Function vulnerability (CVE-2025-40771) affecting SIMATIC ET 200SP CP modules. The flaw allows an unauthenticated remote actor to access device configuration data and is rated highly severe (CVSS v4 9.3; CVSS v3.1 9.8). Siemens advises updating affected modules to V2.4.24 or later and restricting access to trusted IP addresses; CISA recommends minimizing network exposure, isolating control networks, and using secure remote access methods.

SINEC NMS SQL Injection (CVE-2025-40755) — Siemens Advisory

🛡️ This advisory details an SQL injection vulnerability in Siemens SINEC NMS (versions prior to V4.0 SP1) affecting the getTotalAndFilterCounts endpoint. Assigned CVE-2025-40755 with high severity (CVSS v3.1 8.8 / CVSS v4 8.7), an authenticated low-privilege attacker could inject SQL to insert data and escalate privileges. Siemens advises updating to V4.0 SP1 or later and applying network protections such as segmentation and firewalls; CISA reports no known public exploitation.

Rockwell FactoryTalk Linx MSI Privilege Chaining Flaw

⚠️ Rockwell Automation disclosed two privilege-chaining vulnerabilities in FactoryTalk Linx (versions 6.40 and prior) that allow authenticated Windows users to escalate to SYSTEM privileges by hijacking MSI repair console windows. The issues are tracked as CVE-2025-9067 and CVE-2025-9068 and carry a CVSS v4 base score of 8.5 (CVSS v3.1 7.8). Rockwell recommends applying the Microsoft MSI patch and upgrading to FactoryTalk Linx 6.50 or later; CISA notes these flaws are not remotely exploitable and no public exploitation has been reported.

Hitachi Energy MACH GWS Vulnerabilities — Patch Alert

⚠️ Hitachi Energy reported three vulnerabilities in MACH GWS (versions 3.0.0.0–3.4.0.0) that could enable local tampering, denial-of-service via IEC 61850 message handling, or remote man-in-the-middle attacks. The issues are categorized as Incorrect Default Permissions, Improper Validation of Integrity Check Value, and Improper Certificate Validation and carry CVSS v4 scores up to 7.1. Hitachi Energy recommends updating to MACH GWS 3.5 immediately and following deployment guidance such as network segregation, minimal exposed ports, scanning removable media, and enforcing strong password policies. CISA notes no known public exploitation at this time.

Rockwell FactoryTalk ViewPoint XML External Entity Flaw

🔒 Rockwell Automation reported a FactoryTalk ViewPoint XML External Entity (XXE) vulnerability (CVE-2025-9066) that can be exploited remotely with low attack complexity to induce a temporary denial-of-service via crafted SOAP requests. Affected devices include PanelView Plus 7 terminals (version 14 and prior). Rockwell released firmware fixes and patches, and CISA recommends minimizing network exposure, isolating control networks, and applying vendor updates promptly. The vulnerability is scored CVSS v4 8.7 (CVSS v3.1 7.5).

Attackers Use Cisco SNMP Flaw to Deploy Linux Rootkits

🛡️ Researchers disclosed a campaign, Operation Zero Disco, that exploited a recently patched SNMP stack overflow (CVE-2025-20352) in Cisco IOS and IOS XE devices to deploy Linux rootkits on older, unprotected switches. The attackers achieved remote code execution and persistence by installing hooks into IOSd memory and setting universal passwords that include the string "disco." Targets included legacy 3750G and 9300/9400 series devices lacking EDR protections.

CrowdStrike Falcon Blocks Git Vulnerability CVE-2025-48384

🔒 CrowdStrike has identified active exploitation of Git vulnerability CVE-2025-48384 and confirms that Falcon detections can block the observed attack chain. The vulnerability, which affects macOS and Linux, arises from inconsistent handling of carriage return characters in configuration and submodule path parsing and can enable arbitrary file writes during a recursive clone. Observed attacks combined social engineering with malicious repositories that place crafted .gitmodules entries and submodule hooks to execute post-checkout scripts. CrowdStrike urges organizations to patch Git, enable layered protections, deploy provided detection rules and hunting queries, and use Falcon Insight XDR prevention settings to reduce exposure.