All news in category "Security Advisory and Patch Watch"

Fortra warns and patches max-severity GoAnywhere MFT flaw

🔒 Fortra has released security updates to address a maximum-severity deserialization vulnerability in the License Servlet of GoAnywhere MFT (CVE-2025-10035) that can lead to command injection when a forged license response is accepted. The vendor issued patched builds — GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3 — and advised administrators to remove public access to the Admin Console if immediate patching is not possible. Shadowserver is monitoring over 470 instances, and Fortra emphasized that exploitation is highly dependent on the Admin Console being internet-exposed.

Fortra issues critical GoAnywhere MFT patch for RCE

🔒 Fortra has released an urgent patch for GoAnywhere MFT to address a critical deserialization flaw (CVE-2025-10035, CVSS 10.0) in the License Servlet that can allow execution of arbitrary commands when an attacker supplies a forged license response signature. The vendor recommends updating to v7.8.4 or the Sustain Release 7.6.3. If patching cannot be applied immediately, ensure the Admin Console is not publicly accessible. No active exploitation has been reported.

Entra ID Actor Token Flaw Lets Attackers Impersonate Admins

🔒 Researchers disclosed a max-severity vulnerability in Microsoft Entra ID that allowed attackers to request and reuse internal Actor tokens to impersonate any user, including Global Administrators, across tenants. The issue stemmed from a legacy Azure AD Graph API that failed to validate the originating tenant, enabling cross-tenant impersonation without triggering MFA, Conditional Access, or audit logs. Microsoft patched the flaw, tracked as CVE-2025-55241, and rolled a global fix but experts warn that lack of historical visibility leaves uncertainty about past exploitation.

CISA Details Two Java Loaders Exploiting Ivanti EPMM Flaws

🔒 CISA released details of two malicious toolsets found on an organization's server after attackers chained zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Each set contains a Java loader that installs an HTTP listener to decode, decrypt and execute arbitrary payloads and maintain persistence. CISA urges updating EPMM, monitoring for suspicious activity, and restricting access to MDM systems.

New Phoenix Rowhammer Bypass Elevates DDR5 Privilege Risk

⚠ The new Phoenix Rowhammer technique reverse-engineers TRR in SK Hynix DDR5 DIMMs to induce controlled bit flips previously believed mitigated. Researchers from ETH Zurich and Google report Phoenix reliably triggers flips across all 15 tested modules, enabling practical exploits such as forged Page Table Entries, RSA-2048 key leakage from co-located VMs, and a sudo-based root escalation. The issue is tracked as CVE-2025-6202.

WatchGuard patches critical IKEv2 VPN flaw in Fireboxes

🔒 WatchGuard has patched a critical IKEv2 "iked out of bounds write" vulnerability (CVE-2025-9242) that affects nearly three dozen current and legacy Firebox models. The flaw can enable remote code execution and authentication bypass via VPN ports UDP 500 and UDP 4500 and carries a CVSS score of 9.3, making prompt updates essential. Administrators should update to the vendor-supplied Fireware releases or apply the provided mitigations for environments that cannot upgrade immediately.

Dover ProGauge MagLink LX Vulnerabilities and Fixes

⚠️ Dover Fueling Solutions disclosed critical vulnerabilities in its ProGauge MagLink LX4, LX4 Plus, and LX4 Ultimate tank monitors that may be exploited remotely. Identified issues include an integer overflow (CVE-2025-55068), a hard-coded cryptographic signing key (CVE-2025-54807), and non‑changeable weak default root credentials (CVE-2025-30519), with ratings up to CVSS v4 9.3. Affected firmware must be updated to 4.20.3 for LX4/LX4 Plus or 5.20.3 for LX4 Ultimate; operators are urged to minimize network exposure and place devices behind firewalls.

Schneider Electric Saitel RTU OS Command Injection

⚠️ Schneider Electric disclosed OS command injection vulnerabilities in Saitel DR and Saitel DP RTUs that could allow execution of arbitrary shell commands when BLMon is invoked in an SSH session. Two issues (CVE-2025-9996, CVE-2025-9997) carry a CVSS v4 base score of 5.8 (v3.1 6.6). Affected firmware versions are Saitel DR <= 11.06.29 and Saitel DP <= 11.06.33; fixed firmware releases are available and require a reboot. Schneider recommends restricting BLMon access, firewalling SSH, and following standard patching and ICS best practices.

Westermo WeOS 5 OS Command Injection Vulnerability

⚠️ Westermo disclosed an OS command injection vulnerability in WeOS 5 (CVE-2025-46418) affecting versions 5.24 and later. The flaw arises from unsafe handling of media definitions and can allow an authenticated administrator to inject OS commands and potentially exceed intended privileges. CVSS scores include 7.6 (v3.1) and 8.7 (v4). Vendor and CISA recommend restricting admin access, segmenting networks, and using secure remote access practices as mitigations.

CISA Issues Nine New ICS Advisories on Sep 18, 2025

🛡️ CISA released nine Industrial Control Systems (ICS) advisories on September 18, 2025, detailing vulnerabilities, exploits, and mitigations affecting multiple vendors and products. The advisories cover Westermo WeOS, Schneider Electric Saitel RTUs, Hitachi Energy Asset and Service Suites, Cognex In‑Sight devices, Dover Fueling Solutions ProGauge MagLink LX4 devices, plus updates for rail linking protocols and Mitsubishi FA engineering tools. Administrators and operators are urged to review the technical details and apply recommended mitigations promptly to reduce operational and safety risk.

Cognex In-Sight Firmware: Multiple High-Risk Flaws

🔒 Cognex disclosed multiple high-severity vulnerabilities in In-Sight Explorer and firmware for the In-Sight 2000/7000/8000/9000 series (versions 5.x through 6.5.1). Identified issues include hard-coded credentials, cleartext management protocols (including telnet and a proprietary TCP 1069 service), weak default permissions, authentication bypass via capture-replay, and insufficient server-side enforcement. CISA assigns high CVSS scores (up to 8.8 v3.1 and 8.6 v4), warns of credential disclosure, configuration manipulation, and potential denial-of-service, and recommends migration to newer In-Sight Vision Suite systems and network isolation.

Hitachi Energy Service Suite Deserialization Vulnerability

⚠️ Hitachi Energy disclosed a critical deserialization-of-untrusted-data vulnerability affecting Service Suite (versions prior to 9.6.0.4 EP4) that permits unauthenticated remote access via IIOP or T3 to compromise Oracle WebLogic Server. The issue is tracked as CVE-2020-2883 with a CVSS v4 base score of 9.3 and is characterized as remotely exploitable with low attack complexity. Hitachi Energy advises updating affected instances to version 9.8.2 or the latest release and applying vendor mitigation guidance immediately. CISA additionally recommends minimizing network exposure, isolating control networks behind firewalls, using up-to-date VPNs for remote access, and performing risk and impact assessments prior to deploying defensive changes.

Malware Analysis: Ivanti EPMM Exploitation and Loaders

🔍 CISA analyzed malicious artifacts deployed after threat actors exploited CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM). The report details two distinct loader/listener sets written to /tmp that enable arbitrary code execution through crafted HTTP requests. CISA provides IOCs, YARA and SIGMA detection rules, and recommends immediate patching and treating MDM systems as high-value assets.

CISA Malware Analysis: Malicious Listener for Ivanti EPMM

🛡️ CISA released a Malware Analysis Report analyzing two malware families recovered from an organization compromised via CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile. The report, titled Malicious Listener for Ivanti EPMM Systems, provides indicators of compromise and detection content including YARA and SIGMA rules to support hunting and response. Recommended mitigations stress upgrading Ivanti EPMM to the latest versions and treating mobile device management systems as high-value assets with enhanced monitoring, access controls, and restrictions.

Hitachi Energy Asset Suite: Multiple High-Risk Flaws

⚠️ Hitachi Energy has disclosed multiple high-severity vulnerabilities in Asset Suite, affecting versions 9.6.4.5 and earlier. The issues include SSRF, deserialization of untrusted data, cleartext password exposure, uncontrolled resource consumption, open redirect, and improper authentication that can lead to remote code execution. Customers should apply vendor-provided mitigations and upgrades immediately to reduce exposure.

Westermo WeOS 5 IPSec Denial-of-Service Fix Released

🔔 A vulnerability in Westermo WeOS 5 when IPSec is enabled can allow a specially crafted ESP packet to trigger an immediate device reboot. Westermo reported the flaw and released WeOS 5 version 5.24.0 to address the issue. CISA rates the vulnerability as remotely exploitable with a CVSS v4 score of 8.2 and notes high attack complexity.

WatchGuard warns of critical Firebox RCE in IKEv2 VPN

🔒 WatchGuard has released security updates to address a remote code execution vulnerability affecting its Firebox firewalls. Tracked as CVE-2025-9242, the flaw stems from an out-of-bounds write in the iked process and can be exploited remotely when devices are configured to use IKEv2 VPN. Patches are available for Fireware OS 12.x, 2025.1, and select 11.x builds, and WatchGuard offers a temporary workaround for environments using branch office VPNs to static peers.

Google patches sixth Chrome zero-day exploited in 2025

🔒Google has released emergency security updates to address a high-severity Chrome zero-day, CVE-2025-10585, which a public exploit indicates is being used in the wild. The vulnerability is a type confusion weakness in Chrome's V8 JavaScript engine and was reported by Google's Threat Analysis Group. Google issued emergency Stable Desktop releases — Chrome 140.0.7339.185/.186 for Windows and macOS and 140.0.7339.185 for Linux — and recommends users update immediately via Chrome menu > Help > About Google Chrome and click 'Relaunch' once the update finishes. The company also said it may withhold technical details until a majority of users have applied the fix.

Google Issues Chrome Security Update for V8 Zero-Day

⚠️ Google released security updates for Chrome to address four vulnerabilities, including a zero-day (CVE-2025-10585) in the V8 JavaScript and WebAssembly engine that is reported to be exploited in the wild. The issue is a type confusion bug discovered and reported by Google's Threat Analysis Group on September 16, 2025, and can enable arbitrary code execution or crashes. Users should update to Chrome 140.0.7339.185/.186 (Windows/macOS) or 140.0.7339.185 (Linux) and apply vendor patches for other Chromium-based browsers when available.

Critical Code-Execution CVEs Found in Chaos-Mesh Platform

⚠️ JFrog Security Research disclosed multiple CVEs in Chaos-Mesh, including three critical flaws that permit in-cluster attackers to execute arbitrary code on any pod. The Chaos Controller Manager exposes an unauthenticated ClusterIP GraphQL /query endpoint on port 10082 by default, enabling mutations such as killProcesses and cleanTcs. The critical issues (CVSS 9.8) arise from unsafe command construction in resolvers and an ExecBypass routine that allows OS command injection. Operators should upgrade to Chaos-Mesh 2.7.3 immediately; as a temporary mitigation redeploy the Helm chart with the control server disabled.