All news in category "Security Advisory and Patch Watch"

Thu, September 11, 2025

Siemens UMC: Remote Code Execution and Denial-of-Service

🔐 Siemens has disclosed multiple vulnerabilities in the integrated User Management Component (UMC) that could allow unauthenticated remote attackers to execute arbitrary code or cause denial-of-service. A stack-based buffer overflow (CVE-2025-40795) and several out-of-bounds read issues (CVE-2025-40796–40798) are reported, with CVSS v4 scores up to 9.3. Siemens recommends updating UMC to V2.15.1.3 or later and, where feasible, blocking TCP ports 4002 and 4004; Siemens notes no fixes are planned for SIMATIC PCS neo V4.1 and V5.0.

Thu, September 11, 2025

Daikin Security Gateway: Weak Password Recovery Flaw

🔓 CISA published an advisory describing an authorization bypass in Daikin Security Gateway devices that abuses a weak password recovery mechanism. The vulnerability, tracked as CVE-2025-10127, is remotely exploitable with low complexity and carries a CVSS v4 score of 8.8; public proof‑of‑concept code exists. Daikin has indicated it will not issue a vendor-wide patch and will handle customer inquiries directly; CISA recommends isolating affected devices, placing them behind firewalls, and using secure, up-to-date VPNs or other hardened remote access controls.

Thu, September 11, 2025

Schneider Electric Modicon M340: Files Accessible Issue

🔒 Schneider Electric disclosed a Files or Directories Accessible to External Parties vulnerability affecting Modicon M340 devices and the BMXNOE0100/BMXNOE0110 Ethernet modules that could allow remote actors to remove files, block firmware updates, and disrupt the device webserver. The issue is tracked as CVE-2024-5056 with a CVSS v4 base score of 6.9. Schneider released firmware fixes for BMXNOE0100 (SV3.60) and BMXNOE0110 (SV6.80) and recommends immediate mitigations including network segmentation, disabling FTP when not required, and configuring Access Control Lists per the device manual. CISA also advises isolating control networks, minimizing internet exposure, and using VPNs for remote access.

Thu, September 11, 2025

Siemens SIMOTION Tools Privilege Escalation Advisory

🛡️ Siemens reports a local privilege escalation vulnerability affecting SIMOTION Tools installers that use an affected NSIS setup component. The flaw (CWE-754) in Nullsoft Scriptable Install System (NSIS) before 3.11 can allow an unprivileged user to gain SYSTEM privileges during installation by exploiting a race condition. The issue is tracked as CVE-2025-43715 with a CVSS v3.1 base score of 8.1. No vendor fix is available yet; Siemens and CISA offer mitigations and hardening guidance.

Wed, September 10, 2025

Patch SessionReaper: Critical Adobe Commerce/Magento Flaw

🔒 Adobe issued an emergency out-of-band patch for a critical vulnerability in Magento Open Source and Adobe Commerce, tracked as CVE-2025-54236 and dubbed SessionReaper. The flaw permits unauthenticated attackers to hijack user accounts and, when file-based session storage is used, can enable remote code execution. Adobe notified Commerce customers on Sept. 4 but Magento Open Source users may not have received the same advance warning. Organizations operating Magento sites should apply the patch immediately.

Wed, September 10, 2025

Cursor AI IDE auto-runs tasks, exposing developers worldwide

⚠️ A default configuration in Cursor, an AI-powered fork of VS Code, automatically executes tasks when a project folder is opened because Workspace Trust is disabled. Oasis Security demonstrated that a malicious .vscode/tasks.json can run arbitrary commands without user action, risking credential theft and environment takeover. Cursor intends to keep the autorun behavior and advises enabling Workspace Trust manually or using a different editor for untrusted repos.

Wed, September 10, 2025

Microsoft fixes NDI streaming issues from August updates

🔧 Microsoft has resolved severe lag and stuttering issues affecting NDI streaming on Windows 10 and Windows 11 that appeared after the August 2025 cumulative security updates. The root cause was tied to KB5063878 and KB5063709 and manifested as dropped NDI traffic and degraded performance specifically over RUDP connections, while UDP and Single-TCP streams were unaffected. On September 9, 2025, Microsoft released fixes (KB5065426 and KB5065429) and recommends applying those updates; NDI also published a temporary workaround to switch Receive Mode to Single TCP or UDP in the NDI Tools Access Manager for systems that cannot immediately update.

Wed, September 10, 2025

Cursor autorun flaw lets repos auto-execute code silently

⚠ Cursor's autorun feature can allow repositories to execute code automatically when a folder is opened in Visual Studio Code with Cursor installed. Oasis Security researchers demonstrated that attackers can embed hidden instructions that trigger commands tied to workspace events without a developer's consent. With Workspace Trust disabled by default in Cursor, opening a project can enable token theft, file tampering or persistent malware. Developers should treat unknown repositories cautiously and enable available trust controls.

Wed, September 10, 2025

Cursor autorun flaw lets repos execute arbitrary code

🔓 Oasis Security disclosed a flaw in Cursor that allows malicious repositories to execute code when a developer opens a folder. The vulnerability stems from Workspace Trust being disabled by default, permitting crafted .vscode/tasks.json entries set to run on folder open to autorun without prompting. Successful exploitation can expose API keys, cloud credentials and local secrets, risking organization-wide compromise.

Wed, September 10, 2025

Microsoft Fixes UAC Prompts and App Install Issues

🔧 Microsoft has issued a fix for an August 2025 update that caused unexpected User Account Control (UAC) prompts and blocked MSI app installations for non-administrative users across multiple Windows client and server releases. The behavior resulted from a security patch addressing CVE-2025-50173, which introduced broader elevation checks to mitigate privilege escalation. Microsoft’s September 2025 update narrows when UAC is required for MSI repairs and lets IT administrators add specific MSI packages to an allowlist via new SecureRepairPolicy and SecureRepairWhitelist registry keys. The company also resolved a separate bug that caused severe lag and stuttering in NDI streaming software on Windows 10 and Windows 11.

Wed, September 10, 2025

Adobe issues emergency patch for critical Commerce flaw

🔒 Adobe has issued an emergency patch for a critical input-validation vulnerability dubbed SessionReaper in Adobe Commerce and Magento. The flaw, tracked as CVE-2025-54236 with a CVSS score of 9.1, affects multiple 2.4.x releases and earlier. Sansec researchers said the bug can enable session hijacking and, according to the original finder, may allow unauthenticated remote code execution in some circumstances. Administrators are advised to deploy APSB25-88 immediately or enable a WAF as a temporary mitigation.

Wed, September 10, 2025

Microsoft Patches 80 Flaws, Including SMB Elevation

🔒 Microsoft released fixes for 80 security flaws across its products, including one publicly disclosed SMB privilege-escalation issue (CVE-2025-55234). Eight flaws are rated Critical and 72 Important, with a high proportion of elevation-of-privilege bugs. The update also includes a CVSS 10.0 Azure Networking fix and new auditing options to help administrators assess Windows SMB signing and Extended Protection compatibility before hardening.

Wed, September 10, 2025

Two Zero-Days Among Microsoft Patch Tuesday Fixes This Month

⚠️ Microsoft released its monthly Patch Tuesday addressing 81 vulnerabilities, including two disclosed zero-days affecting SQL Server and SMB. The first, CVE-2024-21907, involves improper handling in Newtonsoft.Json used by SQL Server and can cause denial of service via deeply nested JSON. The second, CVE-2025-55234, is a remotely exploitable SMB elevation-of-privilege that can be mitigated by hardening features like SMB Server Signing and Extended Protection for Authentication; Microsoft also offers audit tools to check compatibility before enabling them.

Wed, September 10, 2025

Critical SessionReaper Vulnerability in Adobe Commerce

⚠️ Adobe has disclosed a critical flaw, CVE-2025-54236 (SessionReaper), in Adobe Commerce and Magento Open Source that can enable attackers to take over customer accounts through the Commerce REST API. The issue, rated 9.1 by CVSS, stems from improper input validation and affects multiple product versions and a third-party module. Adobe published a hotfix and deployed WAF rules for cloud-hosted merchants while e-commerce security firm Sansec reproduced an exploitation path involving session manipulation and nested deserialization. Merchants should apply fixes, review session storage settings, and monitor for suspicious activity.

Wed, September 10, 2025

SAP Patches Critical NetWeaver Flaws, Urges Updates

🔒 SAP on Tuesday released security updates addressing multiple vulnerabilities, including three critical flaws in SAP NetWeaver that could enable remote code execution and arbitrary file uploads (notably CVE-2025-42944, CVE-2025-42922 and CVE-2025-42958). The company also fixed a high-severity input-validation issue in SAP S/4HANA (CVE-2025-42916). Security researchers recommend immediate patching and temporary mitigations such as P4 port filtering to limit exposure.

Wed, September 10, 2025

Patch Tuesday: Critical SAP NetWeaver and Microsoft Fixes

🔔 CISOs with SAP NetWeaver AS Java deployments should urgently patch two critical flaws: CVE-2025-42944, a CVSS 10.0 insecure deserialization in the RMI-P4 module, and a CVSS 9.9 insecure file-upload vulnerability that can lead to full system compromise. As an immediate mitigation, admins can apply P4 port filtering at the ICM level until patches are installed. Microsoft released fixes for 13 critical bugs this month, including Hyper‑V guest-to-host escalation issues and an NTLM elevation flaw (CVE-2025-54918) marked Exploitation More Likely; teams should prioritize domain controllers and virtualization hosts.

Tue, September 9, 2025

Microsoft Patch Tuesday: September 2025 Security Fixes

🔒 Microsoft today released Patch Tuesday updates addressing more than 80 vulnerabilities across Windows and related products, including 13 rated critical. There are no known zero‑day or actively exploited flaws in this bundle, but Microsoft patched several high‑risk issues such as CVE-2025-54918 (Windows NTLM), CVE-2025-55234 (SMB client), and CVE-2025-54916 (NTFS). Researchers warn many fixes are for privilege‑escalation bugs — some remotely exploitable — and note that Apple and Google recently patched zero‑days in their platforms as well.

Tue, September 9, 2025

Microsoft September 2025 Patch Tuesday: 86 Fixes Guidance

🔒 Microsoft released its September 2025 security update addressing 86 vulnerabilities across Windows, Office, DirectX, Hyper-V and related components. Microsoft reported no active in-the-wild exploitation but identified eight flaws where exploitation is more likely, including a network RCE in NTFS (CVE-2025-54916). Talos published Snort rules to detect attempts and recommends administrators prioritize patches and update IDS/IPS signatures promptly.

Tue, September 9, 2025

Windows 10 KB5065429 — 14 Fixes for UAC and NDI Issues

🔧 Microsoft has released the KB5065429 cumulative update for Windows 10 22H2 and 21H2, delivering fourteen fixes and improvements, including remedies for unexpected UAC prompts and severe lag with NDI streaming software. This update is mandatory as it bundles the September 2025 Patch Tuesday security fixes, addressing two publicly disclosed zero-days and 81 additional vulnerabilities. Systems will update to build 19045.6332 (22H2) or 19044.6332 (21H2) and can be installed via Windows Update or the Microsoft Update Catalog. Microsoft reports no known issues with this release.

Tue, September 9, 2025

Microsoft Sep 2025 Patch Tuesday: 81 fixes, two zero-days

🔒 Microsoft released its September 2025 Patch Tuesday addressing 81 vulnerabilities, including two publicly disclosed zero-days affecting Windows SMB Server and the Newtonsoft.Json library bundled with SQL Server. The update bundle contains nine Critical fixes — five remote code execution issues — and a total of 41 elevation-of-privilege vulnerabilities across Windows, Azure, and related components. Administrators are advised to apply patches promptly, enable and test SMB Server signing and Extended Protection for Authentication, enable auditing to check compatibility, and ensure SQL Server receives the patched Newtonsoft.Json to mitigate the disclosed flaws.