All news in category "Security Advisory and Patch Watch"

Unity runtime vulnerability forces game updates worldwide

⚠ A critical vulnerability in the Unity Runtime, introduced in engine version 2017.01, can allow attackers to pass crafted startup parameters that cause games to load arbitrary native libraries on Windows, macOS, Linux and Android. Exploitation may execute malicious code or expose device data, and the risk depends on game and OS settings. Vendors Valve and Microsoft advise blocking or removing affected titles while Unity urges developers to update, recompile and republish builds; Unity also provides an application patcher for unmaintained games.

Microsoft: Critical GoAnywhere Flaw Used in Ransomware

⚠️ Microsoft warns that a critical deserialization vulnerability, CVE-2025-10035, in Fortra's GoAnywhere MFT License Servlet Admin Console is being actively exploited in ransomware campaigns. The flaw (CVSS 10.0) enables attackers to bypass signature verification and deserialize attacker-controlled objects, potentially resulting in command injection and remote code execution on internet-exposed instances. Customers are urged to apply Fortra's patch, harden perimeter controls and run endpoint defenses in block mode to detect and stop post-breach activity.

Redis 13-Year Use-After-Free Flaw Rated CVSS 10.0 Severity

⚠️ Redis disclosed a maximum-severity vulnerability, CVE-2025-49844 (RediShell), a use-after-free bug in its Lua scripting implementation that has been assigned a CVSS score of 10.0. An authenticated user can submit crafted Lua scripts to manipulate the garbage collector, trigger a use-after-free, and potentially achieve remote code execution on the host. The issue affects all Redis versions with Lua and was fixed in 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2 (released Oct 3, 2025). Administrators should immediately restrict EVAL/EVALSHA via ACLs, avoid exposing Redis instances to the internet, enforce strong authentication, and apply the patches without delay.

Microsoft Links Storm-1175 to GoAnywhere Flaw, Medusa

🔒 Microsoft attributed active exploitation of a critical Fortra GoAnywhere vulnerability (CVE-2025-10035, CVSS 10.0) to the cybercriminal group Storm-1175, which has been observed deploying Medusa ransomware. The flaw is a deserialization bug that can permit unauthenticated command injection when a forged license response signature is accepted. Fortra released fixes in GoAnywhere 7.8.4 and Sustain Release 7.6.3; organizations should apply updates immediately and hunt for indicators such as dropped RMM tools, .jsp web shells, Cloudflare tunnels and Rclone usage.

Oracle issues emergency patch for EBS zero-day RCE

🔴 Oracle has released an emergency patch addressing a critical zero-day remote code execution flaw, CVE-2025-61882, in the E-Business Suite BI Publisher Integration component. The vulnerability (affecting versions 12.2.3–12.2.14) is rated 9.8 on the CVSS scale and is exploitable remotely without authentication. Cl0p actors are linked to active exploitation and high-value extortion demands; Oracle published IoCs and strongly urges immediate patching and aggressive compromise hunting.

Active Exploitation of GoAnywhere CVE-2025-10035 Observed

🔒 Microsoft Threat Intelligence warns of active exploitation of a critical deserialization vulnerability in GoAnywhere MFT License Servlet (CVE-2025-10035, CVSS 10.0) that can allow forged license responses to trigger arbitrary object deserialization and potential remote code execution. Activity attributed to Storm-1175 included initial access via this flaw, deployment of RMM tools (SimpleHelp, MeshAgent), and at least one Medusa ransomware incident. Customers should upgrade per Fortra guidance, run EDR in block mode, restrict outbound connections, and use the provided Defender detections and IoCs for hunting and response.

Redis warns of critical Lua RCE flaw in many instances

🔒 The Redis security team has released patches for CVE-2025-49844, a maximum-severity use-after-free in the bundled Lua interpreter that can enable remote code execution when an attacker supplies a specially crafted Lua script. Wiz researchers, who disclosed the issue at Pwn2Own Berlin and dubbed it RediShell, found approximately 330,000 Redis instances exposed online and at least 60,000 requiring no authentication. Administrators should apply the published fixes (for example, 7.22.2-12 and later; OSS/CE/Stack variants also updated) immediately and implement mitigations such as enabling authentication, disabling Lua scripting where possible, running Redis as a non-root user, and restricting network access.

Steam, Microsoft Warn of Unity Flaw Exposing Gamers

⚠️ A code execution vulnerability in Unity's Runtime (CVE-2025-59489) can allow unsafe file loading and local file inclusion, enabling code execution on Android and privilege escalation on Windows. Valve/Steam issued a Client update to block launching custom URI schemes and urges publishers to rebuild with a safe Unity version or replace the UnityPlayer.dll. Microsoft published guidance recommending users uninstall vulnerable games until patched, and Unity advises developers to update the Editor, recompile, and redeploy.

Gemini Trifecta: Prompt Injection Exposes New Attack Surface

🔒 Researchers at Tenable disclosed three distinct vulnerabilities in Gemini's Cloud Assist, Search personalization, and Browsing Tool. The flaws let attackers inject prompts via logs (for example by manipulating the HTTP User-Agent), poison search context through scripted history entries, and exfiltrate data by causing the Browser Tool to send sensitive content to an attacker-controlled server. Google has patched the issues, but Tenable and others warn this highlights the risks of granting agents too much autonomy without runtime guardrails.

CISA Adds Seven CVEs to Known Exploited Vulnerabilities

🔒 CISA has added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. The newly listed entries include CVE-2010-3765, CVE-2010-3962, CVE-2011-3402, CVE-2013-3918, CVE-2021-22555, CVE-2021-43226, and CVE-2025-61882, impacting Mozilla, Microsoft, the Linux Kernel, and Oracle E-Business Suite. Federal Civilian Executive Branch agencies must remediate these vulnerabilities under BOD 22-01, and CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.

Zimbra XSS Zero-Day Used to Target Brazilian Military

⚠️A stored cross-site scripting vulnerability in the Zimbra Classic Web Client (CVE-2025-27915) was exploited in targeted attacks and has since been patched. The flaw allowed embedded JavaScript in ICS calendar entries to execute via an ontoggle event, enabling attackers to create mail filters, redirect messages, and exfiltrate mailbox data. Zimbra released fixes on January 27, 2025; administrators should apply updates and audit mailbox filters and logs for indicators of compromise.

Oracle issues emergency patch for CVE-2025-61882 exploit

🔒 Oracle has released an emergency update to address CVE-2025-61882, a critical (CVSS 9.8) vulnerability in the E-Business Suite Concurrent Processing component that can be exploited over HTTP without authentication. Oracle warned the flaw may allow remote code execution and issued additional fixes after discovering further potential exploitation vectors. Indicators shared with the advisory point to activity linked to Cl0p and a group associated with Scattered LAPSUS$ Hunters; organizations are urged to apply the patch and hunt for signs of compromise.

Zero-day XSS in Zimbra abused via malicious .ICS files

📅 Researchers found a zero-day XSS in Zimbra Collaboration Suite exploited through malicious .ICS (iCalendar) attachments that delivered obfuscated JavaScript. The vulnerability, tracked as CVE-2025-27915, affects ZCS 9.0, 10.0 and 10.1 and was patched by Zimbra on January 27 with releases ZCS 9.0.0 P44, 10.0.13 and 10.1.5. StrikeReady determined attacks began in early January and involved a spoofed Libyan Navy email targeting a Brazilian military organization. The injected script is capable of stealing credentials, emails, contacts and shared folders, manipulating filters to forward mail, and using the Zimbra SOAP API to exfiltrate data.

Phoenix Rowhammer: DDR5 Bypass Exploits and Practical Risks

🧪 In September 2025, researchers at ETH Zurich published Phoenix, a Rowhammer variant that targets DDR5 memory by exploiting weaknesses in Target Row Refresh (TRR) logic. The team validated the technique across 15 tested SK Hynix modules and demonstrated practical capabilities including arbitrary read/write primitives, theft of an RSA‑2048 private key, and a Linux sudo bypass in constrained scenarios. Phoenix works by inducing timed access "windows" after 128 and after 2608 refresh intervals that momentarily degrade TRR responses, allowing precise bit flips. The authors recommend mitigations such as reduced refresh intervals, deployment of ECC memory, and adoption of Fine Granularity Refresh to harden platforms.

Hackers Target Unpatched Oracle E-Business Suite Flaws

⚠️ Oracle has warned customers that attackers may be exploiting unpatched instances of Oracle E-Business Suite, following alerts from the Google Threat Intelligence Group and reports of extortion emails sent to company executives. The vendor’s investigation points to vulnerabilities addressed in the July 2025 Critical Patch Update, and it urges organizations to apply those fixes immediately. The July update fixed nine EBS flaws, including three critical issues and several that can be exploited remotely without authentication, raising urgent remediation priorities for affected deployments. Security teams should verify patch status, hunt for indicators of compromise, and validate account integrity.

CISA Adds Meteobridge Command Injection CVE-2025-4008

⚠️ CISA has added a high-severity command injection flaw, CVE-2025-4008, affecting Smartbedded Meteobridge to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The vulnerability allows unauthenticated remote attackers to execute arbitrary commands as root via a vulnerable /cgi-bin/template.cgi endpoint that improperly uses eval calls. ONEKEY reported the issue and Meteobridge issued a fix in version 6.2 on May 13, 2025.

DrayTek warns of RCE vulnerability in Vigor routers

🔒 DrayTek has issued an advisory for Vigor routers after a researcher reported a remotely triggerable vulnerability (CVE-2025-10547) that can cause memory corruption and may allow arbitrary code execution via crafted HTTP/HTTPS requests to the device WebUI. Reported on July 22 by ChapsVision researcher Pierre-Yves Maes, the root cause is an uninitialized stack value that can be abused to force an arbitrary free() and achieve RCE, and Maes successfully tested an exploit. DrayTek provides firmware versions to mitigate the issue and recommends applying updates promptly while reducing WAN exposure by disabling or restricting remote WebUI/SSL VPN access.

Critical RBAC Flaw in Red Hat OpenShift AI Risks Clusters

⚠ Red Hat has patched a design flaw in OpenShift AI (CVE-2025-10725) with a CVSS score of 9.9 that can let an authenticated low-privilege user escalate to full cluster administrator and fully compromise clusters and hosted applications. The vulnerability stems from an overly permissive ClusterRole binding that grants broad permissions to system:authenticated. Red Hat advises removing the kueue-batch-user-role ClusterRoleBinding, tightening job-creation permissions to follow least privilege, and upgrading to fixed RHOAI images (2.19 and 2.21). Administrators should audit affected environments and apply the recommended fixes promptly.

CISA Issues Two ICS Advisories for Raise3D and Hitachi Energy

🔔 CISA released two Industrial Control Systems advisories on October 2, 2025, covering Raise3D Pro2 Series 3D printers (ICSA-25-275-01) and the Hitachi Energy MSM product (ICSA-25-275-02). Each advisory provides technical details on reported vulnerabilities, potential impacts to device confidentiality, integrity, or availability, and recommended mitigations including configuration changes and firmware updates where available. CISA encourages operators and administrators to review the advisories promptly, implement vendor recommendations, and apply compensating controls to reduce operational risk.

Hitachi Energy MSM: XSS and Assertion Vulnerabilities

⚠️ Hitachi Energy reports multiple vulnerabilities in the MSM product that are exploitable remotely with low attack complexity. An XSS flaw in the EmbedThis GoAhead goform/formTest endpoint (name parameter) can allow HTML injection, while an assertion in open62541's fuzz_binary_decode can cause a crash. CVE-2023-53155 (CVSS 7.2) and CVE-2024-53429 (CVSS 7.5) are assigned. Vendors and CISA recommend disconnecting affected devices from internet-facing networks and following product-specific guidance.