All news in category "Security Advisory and Patch Watch"

Wed, September 17, 2025

Apple patches ImageIO zero-day, urges users to update

🛡️ Apple has released iOS 16.7.12 and iPadOS 16.7.12 to address a critical zero-day in the ImageIO framework (CVE-2025-43300) that can trigger memory corruption when processing crafted images. The vendor says the flaw is an out-of-bounds write and that it may have been exploited in targeted attacks against specific individuals. The fix improves bounds checking and was back-ported from the 18.6.2 updates to reach older devices. Users, particularly those on older iPhones and iPads, are advised to install the update immediately.

Wed, September 17, 2025

Vulnerabilities Found in Securam Prologic Electronic Safes

🔓 Two security researchers, Omo and Rowley, disclosed critical vulnerabilities in Securam Prologic electronic safe locks that can be abused to open many devices without specialized tools. One flaw exploits a legitimate locksmith unlock feature and, according to the researchers, can expose codes remotely or with trivial access. The pair delayed public disclosure after receiving legal threats from Securam and only proceeded after securing pro bono counsel from the EFF’s Coders’ Rights Project. Securam says it will update its locks by year’s end but will not patch units already sold.

Wed, September 17, 2025

Amazon RDS for MySQL: Extended Support minor 5.7.44

🔒 Amazon RDS for MySQL now supports the Extended Support minor release 5.7.44-RDS.20250818, and AWS recommends upgrading to this build to address known security vulnerabilities and bug fixes in earlier 5.7 releases. Extended Support provides up to three additional years of critical security and bug fixes after a major community end-of-support date. This coverage applies to MySQL databases running on both RDS and Aurora, and administrators can create or update instances in the Amazon RDS Management Console; see the Amazon RDS User Guide for upgrade details.

Tue, September 16, 2025

Critical Chaotic Deputy Bugs Risk Kubernetes Cluster Takeover

🔴 Researchers from JFrog disclosed critical command-injection vulnerabilities in Chaos-Mesh (tracked as CVE-2025-59358, CVE-2025-59360, CVE-2025-59361, and CVE-2025-59359) that allow an attacker with access to an unprivileged pod to execute shell commands via an exposed GraphQL API and the Chaos Daemon. Three of the flaws carry a CVSS score of 9.8 and can be exploited in default deployments, enabling denial-of-service or full cluster takeover. Users are advised to upgrade to Chaos-Mesh 2.7.3 or to disable the chaosctl tool and its port via the Helm chart as a workaround.

Tue, September 16, 2025

Chaos Mesh Flaws Enable Cluster Takeover via GraphQL

⚠️ Security researchers disclosed multiple critical vulnerabilities in Chaos Mesh that allow minimally privileged in-cluster actors to execute fault injections and potentially take over Kubernetes clusters. The issues, grouped as Chaotic Deputy, include an unauthenticated GraphQL debugging endpoint and several operating-system command-injection flaws (CVE-2025-59358 through CVE-2025-59361). Chaos Mesh released a remediation in 2.7.3; administrators should patch immediately or restrict access to the daemon and API server if they cannot upgrade.

Tue, September 16, 2025

Apple Backports Zero-Day Fixes to Older iPhones and iPads

🔒 Apple has released security updates that backport a patch for CVE-2025-43300 to older iPhone, iPad and iPod touch builds. The flaw is an out-of-bounds write in the Image I/O framework that can cause memory corruption, crashes, or enable remote code execution when a device processes a malicious image file. Apple said the issue was exploited in an extremely sophisticated targeted attack and has added improved bounds checking; affected users should install the updates promptly.

Tue, September 16, 2025

Siemens OpenSSL ASN.1 Out-of-Bounds Read Affects Devices

🔒 Siemens products that include vulnerable OpenSSL libraries are affected by an out-of-bounds read (CVE-2021-3712) that may be exploited remotely and carries a CVSS v3.1 base score of 7.4. A broad set of industrial networking and automation devices — including SCALANCE, RUGGEDCOM, SIMATIC, SINEMA, SINUMERIK, TIA and Industrial Edge apps — are listed as impacted. OpenSSL fixes are available in 1.1.1l and 1.0.2za; Siemens has published product updates and mitigations where possible. CISA and Siemens recommend applying vendor-supplied updates, minimizing network exposure, isolating control networks, and using secure remote access until fixes are deployed.

Tue, September 16, 2025

Schneider Electric Altivar and ATVdPAC XSS Vulnerability

⚠️ Schneider Electric disclosed a cross-site scripting flaw (CWE-79) affecting numerous Altivar drives, the ATVdPAC communication module, and the ILC992 InterLink Converter. Tracked as CVE-2025-7746, the issue is remotely exploitable with low attack complexity and can allow an attacker to read or modify data via device web interfaces. Schneider has released a fix for the ATVdPAC (Version 25.0) and recommends disabling webservers when not needed, segmenting networks, blocking HTTP/port 80 access, and using VPNs until further patches are provided.

Tue, September 16, 2025

CISA Releases Eight ICS Advisories for September 16, 2025

🔔 CISA released eight Industrial Control Systems advisories on September 16, 2025, providing technical descriptions of vulnerabilities and vendor mitigations. The advisories affect products from Schneider Electric, Hitachi Energy, Siemens, and Delta Electronics, and include issues ranging from OpenSSL-related flaws to product-specific defects. One advisory is an update for Galaxy VS/VL/VXL (ICSA-25-140-07 Update A). Administrators are urged to review the advisories and apply recommended mitigations promptly to reduce operational risk.

Tue, September 16, 2025

Hitachi Energy RTU500 Series: Multiple DoS Vulnerabilities

⚠️ Hitachi Energy reported multiple vulnerabilities in the RTU500 series including null pointer dereference, XML parser flaws, heap and stack buffer overflows, integer overflow, and IEC 61850 message validation errors. Several CVEs have been assigned (e.g., CVE-2023-2953, CVE-2024-45490–45492, CVE-2024-28757, CVE-2025-39203, CVE-2025-6021) and the highest CVSS v4 score is 8.2. Exploitation could cause Denial-of-Service conditions such as device reboots or disconnects. Hitachi Energy provides firmware updates for affected 12.7.x–13.7.x releases and CISA recommends patching, minimizing network exposure, applying segmentation, and using secure remote access.

Tue, September 16, 2025

Siemens Products: Multiple Apache-related Vulnerabilities

🔒 Siemens ProductCERT disclosed multiple high-severity vulnerabilities affecting devices that use Apache HTTP Server components, including RUGGEDCOM, SINEC NMS, and SINEMA. CVE-2021-34798, CVE-2021-39275, and CVE-2021-40438 carry CVSSv3 scores up to 9.8 and can be exploited remotely with low attack complexity. Siemens has published updates for some products (for example, SINEC NMS V1.0.3 and SINEMA Remote Connect Server V3.1), while other platforms currently have no fix planned. CISA advises restricting access to affected systems and following Siemens ProductCERT guidance.

Tue, September 16, 2025

Delta DIALink Path Traversal Vulnerabilities (CVE-2025)

⚠️ Delta Electronics' DIALink contains multiple path traversal vulnerabilities that can be exploited remotely to bypass authentication, including at least one flaw rated CVSS v4 10.0. Affected releases include V1.6.0.0 and prior. An anonymous researcher working with Trend Micro's Zero Day Initiative reported the issues to CISA and Delta has released updates. Organizations should upgrade to v1.8.0.0 or later, segment devices from business networks, avoid exposing control equipment to the Internet, and use secure remote access methods.

Tue, September 16, 2025

Siemens Integer Overflow Vulnerabilities in Industrial Devices

🔔 Siemens ProductCERT and CISA report multiple integer overflow vulnerabilities (CVE-2021-41990, CVE-2021-41991) affecting a broad set of SIMATIC NET CP, SINEMA and SCALANCE devices. Exploitation can cause denial-of-service by triggering integer wraparound; remote code execution is considered unlikely. Siemens provides firmware fixes and workarounds; operators should apply vendor updates, restrict network exposure and follow Siemens operational security guidance.

Tue, September 16, 2025

Siemens OpenSSL Infinite Loop Vulnerability Advisory

🔒 CISA republished an advisory describing a Siemens-reported OpenSSL bug (CVE-2022-0778) that can cause an infinite loop during certificate parsing in many Siemens products. The issue affects multiple product families and has a CVSS v3.1 base score of 7.5, allowing remote denial-of-service with low attack complexity. Siemens has published firmware and software updates and recommends applying vendor updates, restricting network access to affected interfaces, and following product hardening guidance where fixes are not yet available.

Tue, September 16, 2025

HybridPetya: Petya/NotPetya Copycat Adds UEFI Bypass Threat

🔒 ESET researchers have identified a new ransomware strain named HybridPetya that mimics the Petya/NotPetya family while adding UEFI-targeting capabilities. The malware weaponizes CVE-2024-7344 to bypass UEFI Secure Boot on unpatched systems, enabling persistent bootkit-style compromise. HybridPetya is not currently observed spreading in the wild but represents at least the fourth known bootkit with Secure Boot bypass functionality.

Tue, September 16, 2025

Apple Backports Patch for CVE-2025-43300 Exploited Spyware

🛡️ Apple has backported a fix for CVE-2025-43300, an ImageIO out-of-bounds write that can cause memory corruption and has been observed in an extremely sophisticated, targeted spyware campaign. The flaw (CVSS 8.8) was reportedly chained with a WhatsApp vulnerability (CVE-2025-55177, CVSS 5.4) in attacks against fewer than 200 individuals. Patches were issued for current releases and older OS builds — including iOS 16.7.12 and iOS 15.8.5 device backports — and distributed across macOS, tvOS, visionOS, watchOS, Safari, and Xcode. Users and administrators should install the available updates immediately to ensure protection.

Tue, September 16, 2025

Phoenix RowHammer Bypasses DDR5 Protections in 109s

⚠️ Researchers at ETH Zürich and Google disclosed a RowHammer variant named Phoenix (CVE-2025-6202) that reliably induces bit flips on SK Hynix DDR5 devices and bypasses on-die ECC and advanced TRR protections. The team demonstrated an end-to-end privilege escalation on a production desktop with default DDR5 settings in as little as 109 seconds. Phoenix takes advantage of refresh intervals that mitigation logic does not sample, enabling flips across DIMM stacks produced between 2021 and 2024. Because DRAM chips cannot be updated in the field, the researchers recommend increasing the DRAM refresh rate to 3× as an immediate mitigation and urge vendors to pursue firmware and hardware countermeasures.

Tue, September 16, 2025

Apple releases September 2025 OS updates with patches

🔒 Apple published iOS 26, iPadOS 26 and macOS 26 updates that patch multiple vulnerabilities but did not report active exploitation. The releases address 27 defects in iOS/iPadOS and 77 in macOS, and also include fixes across Safari, watchOS, visionOS and Xcode. Users who prefer not to upgrade to the year-numbered releases can apply security-only updates — iOS 18.7, iPadOS 18.7 or macOS 15.7 — while many devices from 2019 or earlier are not supported. Trend Micro’s Dustin Childs said he saw no sign of active exploitation in this batch, though macOS fixes for PackageKit and StorageKit are notable because exploitation could yield root privileges.

Mon, September 15, 2025

Critical RCE in Delmia Apriso Triggers Urgent Patching

⚠ A critical remote code execution flaw, CVE-2025-5086, has been observed being exploited in the wild against Delmia Apriso, Dassault Systèmes' manufacturing operations platform. CISA added the issue to its Known Exploited Vulnerabilities catalog with a CVSS score of 9.0, yet the vendor has provided minimal public guidance. Researchers report exploit scans and a circulating sample that was detected by only one AV engine, underscoring urgent patching challenges for manufacturers.

Mon, September 15, 2025

Phoenix Rowhammer Bypass Targets DDR5 TRR Defenses

🧨 Researchers have developed Phoenix, a new Rowhammer variant that defeats DDR5 TRR protections on SK Hynix modules by synchronizing and self-correcting against missed refresh intervals. After reverse-engineering TRR behavior, the team identified refresh slots that were not sampled and used precise hammering patterns covering 128 and 2,608 refresh intervals to flip bits. In tests they flipped bits across all tested DIMMs and produced a working privilege-escalation exploit, achieving a root shell on commodity DDR5 systems in under two minutes. The authors published an academic paper and an FPGA-based repository with experiments and proof-of-concept code.