All news in category "Security Advisory and Patch Watch"

CISA Publishes Ten New ICS Advisories — Sept 30, 2025

🔔 On September 30, 2025, CISA released ten Industrial Control Systems advisories summarizing current security issues, vulnerabilities, and known exploits affecting a range of ICS products. The advisories cover MegaSys Enterprises, multiple Festo devices, OpenPLC_V3, National Instruments Circuit Design Suite, LG Innotek cameras, and updates for Keysight Ixia, HEIDENHAIN, and Rockwell Automation. Administrators are urged to review the technical details and apply recommended mitigations promptly to reduce operational risk.

NI Circuit Design Suite Vulnerabilities — Patches Available

⚠️ CISA reports high-severity vulnerabilities in National Instruments' Circuit Design Suite that could cause memory corruption, information disclosure, or enable arbitrary code execution. Two flaws—a type confusion (CVE-2025-6033) and an out-of-bounds read (CVE-2025-6034)—affect versions 14.3.1 and earlier and carry CVSS v4 base scores of 8.4. Both issues require local access but have low attack complexity. National Instruments has released version 14.3.2 and CISA advises updating and reducing network exposure for control-system devices.

LG Innotek Cameras Authentication Bypass Vulnerability

🔒 An authentication bypass vulnerability (CVE-2025-10538) affects LG Innotek camera models LND7210 and LNV7210R (all versions). CISA rates the issue as remotely exploitable with low attack complexity — CVSS v4 base score 8.8 — and warns an attacker could gain administrative access and access user account information. LG Innotek has classified these models as end-of-life and no patch is available; CISA recommends reducing network exposure, isolating devices behind firewalls, and using secure remote access methods such as VPNs while performing risk assessments.

Festo CECC Controller Firmware Vulnerabilities and Fixes

⚠️ Festo firmware for Controller CECC-S, -LK, and -D families contains multiple vulnerabilities (aggregate CVSS up to 9.8) in the integrated CODESYS V3 runtime and related components. Affected releases include R05 (2.3.8.0) and R06 (2.3.8.1); Festo advises updating affected units to firmware 2.4.2.0 where fixes are provided. Exploitable issues may enable remote code execution, denial-of-service, privilege escalation, or unauthorized access. CISA recommends isolating control networks, restricting remote exposure, and applying vendor guidance and mitigations while performing appropriate risk analysis.

OpenPLC_V3 Denial-of-Service Vulnerability (CVE-2025-54811)

⚠️ CISA published an advisory for OpenPLC_V3 describing a denial-of-service vulnerability (CVE-2025-54811) caused by a missing return in the enipThread function that can trigger an illegal instruction and crash the PLC runtime. The flaw affects versions prior to pull request #292 and can stop PLCs under certain conditions. A patch is available in PR #292; administrators should update and isolate affected devices.

Festo CPX-CEC-C1 and CPX-CMXX Privilege Flaw — Remote

⚠️ Festo CPX-CEC-C1 and CPX-CMXX devices contain an improper privilege management vulnerability (CWE-269) that permits unauthenticated remote access to critical webserver functions and may cause a denial of service. The issue is identified as CVE-2022-3079 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/A:H). Festo currently has no firmware fix planned; recommended mitigations include restricting access to TCP port 80 and replacing affected units with specified follow-up products.

Festo EtherNet/IP Firmware Vulnerabilities — High Risk

⚠️ Festo devices running affected EtherNet/IP firmware are vulnerable to multiple remotely exploitable issues, including incorrect numeric conversions, out-of-bounds reads, and reachable assertions that can lead to denial-of-service or data disclosure. Combined CVSS scores reach up to 8.2, and successful exploitation requires low attack complexity. Festo reports no planned fixes; CISA advises minimizing network exposure, disabling EtherNet/IP when unused, isolating control networks, and using secure remote access such as up-to-date VPNs. Organizations should limit exposure, monitor EtherNet/IP activity, and report suspected incidents.

China-linked UNC5174 exploiting VMware Tools zero-day

⚠️ NVISO Labs says China-linked UNC5174 has been exploiting a newly patched local privilege escalation bug, CVE-2025-41244, in Broadcom VMware Tools and VMware Aria Operations since mid-October 2024. The vulnerability (CVSS 7.8) stems from a vulnerable get_version() regex that can match non-system binaries in writable directories (for example, /tmp/httpd) and cause metrics collection to execute them with elevated privileges. VMware and Broadcom have released fixes and mitigations; affected organizations should apply vendor patches and follow VMware's guidance, and Linux distributions will receive patched open-vm-tools packages from vendors.

CISA Adds Critical Sudo Vulnerability to KEV Catalog

🔒 CISA added a critical vulnerability affecting the Sudo utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaw, CVE-2025-32463 (CVSS 9.3), impacts Sudo versions prior to 1.9.17p1 and can be abused via the -R (--chroot) option to execute arbitrary commands as root, bypassing sudoers. Four additional flaws were also added to the KEV list. Agencies and organizations are advised to apply mitigations and updates by October 20, 2025 and upgrade or implement compensating controls immediately.

CISA Adds Five Vulnerabilities to KEV Catalog; Federal Risk

⚠️ CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on Sept. 29, 2025, citing evidence of active exploitation. The newly listed issues are CVE-2021-21311 (Adminer SSRF), CVE-2025-20352 (Cisco IOS/IOS XE stack overflow), CVE-2025-10035 (Fortra GoAnywhere deserialization), CVE-2025-59689 (Libraesva command injection), and CVE-2025-32463 (sudo untrusted-control vulnerability). Federal Civilian Executive Branch agencies must remediate these under BOD 22-01, and CISA urges all organizations to prioritize timely fixes as part of standard vulnerability management.

September 2025 Zero-Day Exploits Impact Cisco ASA/FTD

⚠️ Cisco reported active exploitation of multiple zero-day vulnerabilities in ASA and FTD software by a state-sponsored actor tracked as ArcaneDoor. Two CVEs (CVE-2025-20333 and CVE-2025-20362) are being exploited in the wild and a third (CVE-2025-20363) is at high risk for imminent exploitation. Cisco released updates on Sep. 25, 2025, and CISA issued Emergency Directive 25-03; organizations should prioritize immediate patching or apply vendor mitigations when updates are not yet possible.

Microsoft temporary fix for Outlook encrypted errors

🔧 Microsoft is investigating a known issue that prevents users of the classic Outlook for Windows from opening OMEv2-encrypted emails sent from a different organization, producing the error message "Configuring your computer for Information Rights Management." As a temporary workaround, administrators can either exclude external users from Conditional Access requirements or enable cross-tenant trust for MFA claims in the Microsoft Entra admin center. Enabling cross-tenant trust is the recommended and easiest option, but both sending and receiving tenants must apply it for full cross-tenant compatibility.

Maximum-severity GoAnywhere MFT zero-day exploited

⚠️ Fortra's GoAnywhere MFT is being exploited in the wild via a deserialization flaw tracked as CVE-2025-10035 in the License Servlet, enabling unauthenticated remote command injection when attackers supply a forged license response signature. WatchTowr Labs reports credible evidence of exploitation dating back to September 10, 2025, prior to Fortra's advisory published on September 18. Administrators should apply patches to 7.8.4 or 7.6.3, remove public Admin Console exposure, and search logs for the error string 'SignedObject.getObject'.

Microsoft issues final Windows 10 22H2 preview update

🔧 Microsoft released the final non-security preview update for Windows 10 22H2 (KB5066198), delivering fixes for the out-of-box experience and SMBv1 connectivity over NetBIOS over TCP/IP (NetBT). This optional cumulative update lets administrators test improvements before they roll into the next month’s Patch Tuesday and raises systems to build 19045.6396. KB5066198 also resolves an Autopilot Enrollment Status Page (ESP) OOBE loading issue and includes prior fixes for unexpected UAC prompts and NDI streaming performance regressions. Install via Windows Update by choosing 'Download and install' for optional updates or obtain the package from the Microsoft Update Catalog.

Active Exploitation of Fortra GoAnywhere CVE-2025-10035

🔴 watchTowr Labs reports credible evidence that the critical unsafe deserialization flaw CVE-2025-10035 in Fortra GoAnywhere MFT was exploited in the wild as early as Sept 10, 2025, a week before public disclosure. The License Servlet vulnerability can permit unauthenticated command injection, earning a CVSS 10.0 rating. Fortra has released fixes (GoAnywhere 7.8.4 and Sustain 7.6.3); affected organizations should apply updates immediately and investigate for signs of compromise.

Cisco ASA Zero-Days Enable Bootkit and Loader Attacks

🛡️ The U.K. NCSC and Cisco confirmed active exploitation of recently disclosed vulnerabilities in Cisco Secure Firewall ASA devices that allowed deployment of previously undocumented malware families, notably RayInitiator and LINE VIPER. Cisco traced attacks beginning in May 2025 that targeted ASA 5500‑X appliances (running ASA 9.12/9.14 with VPN web services enabled), using multiple zero-day flaws to bypass authentication and execute code. Attackers employed a persistent GRUB bootkit, ROMMON modifications on non‑Secure Boot platforms, and extensive evasion techniques — disabling logging, intercepting CLI, and crashing devices — to maintain stealth and persistence. Organizations are urged to apply vendor fixes, migrate off end‑of‑support models, and monitor for indicators of compromise.

Microsoft: New XCSSET macOS Variant Targets Xcode Developers

🛡️ Microsoft Threat Intelligence has identified a new variant of the XCSSET macOS infostealer that has appeared in limited attacks and specifically targets Xcode projects. The variant expands capabilities to steal Firefox data using a modified HackBrowserData build, hijack the clipboard to replace cryptocurrency addresses, and employ new persistence techniques. It spreads by infecting shared Xcode project files so malicious code runs when a project is built. Microsoft says the campaign is not widespread and has notified Apple and GitHub while advising developers to inspect projects and keep macOS and apps up to date.

Critical Cisco Firewall Zero-Day Demands Immediate Patch

🔴 A critical zero-day vulnerability (CVE-2025-20363) in Cisco firewall and IOS families requires immediate patching, US CISA and the UK NCSC warned. Cisco says the flaw is caused by improper validation of user-supplied HTTP input and can allow remote arbitrary code execution as root when exploited. Affected products include Cisco Secure Firewall ASA, FTD, and certain IOS/IOS XE/IOS XR builds; Cisco has released fixes and advises there are no viable workarounds.

New Supermicro BMC Flaws Expose Firmware Validation

🔒 Researchers have published details of two high-severity vulnerabilities in Supermicro BMC firmware — CVE-2025-7937 and CVE-2025-6198 — each rated CVSS 7.2. Both flaws weaken firmware validation and the implementation of the Root of Trust, allowing an attacker with administrative access to install or manipulate signed firmware and gain persistent, low-level control of affected servers. Binarly found one issue while testing Supermicro’s January patch for a related flaw and advises prompt patching, strict firmware integrity checks, and enabling hardware RoT where available to mitigate risk.

Cisco IOS/IOS XE SNMP Stack Overflow — Patch Immediately

⚠️ Cisco has warned of a stack overflow vulnerability in the SNMP subsystem of IOS and IOS XE software identified as CVE-2025-20352. A low-privileged authenticated attacker can send a crafted SNMP packet to cause a system reload and a denial-of-service, while a high-privileged actor could achieve root-level arbitrary code execution. Administrators are urged to apply vendor patches immediately and restrict SNMP access until systems are updated.