All news in category "Security Advisory and Patch Watch"
Tue, September 9, 2025
Windows 11 September 2025 Updates KB5065426 & KB5065431
🔒 Microsoft has released cumulative updates KB5065426 (24H2) and KB5065431 (23H2) as the September 2025 Patch Tuesday rollup; these mandatory updates address security vulnerabilities and multiple reliability and UX issues. Install via Start > Settings > Windows Update or download from the Microsoft Update Catalog; Enterprise/Hotpatch systems receive KB5065474 reporting build 26100.6508. After updating, 24H2 moves to build 26100.6584 and 23H2 to build 226x1.5909, and Microsoft warns that support for 23H2 ends on November 11, 2025.
Tue, September 9, 2025
Adobe Patches Critical 'SessionReaper' Flaw in Magento
🔒 Adobe warns of a critical unauthenticated vulnerability, CVE-2025-54236 (SessionReaper), affecting Commerce and Magento Open Source. A patch has been released to remediate a flaw that can allow account takeover via the Commerce REST API without authentication. Adobe deployed a temporary WAF rule for Commerce on Cloud customers and says it is unaware of in-the-wild exploitation, though a leaked hotfix may accelerate attacks. Administrators are urged to test and apply the update immediately; the fix may disable some internal Magento functionality and break custom or external integrations.
Tue, September 9, 2025
SAP fixes critical NetWeaver remote command execution flaw
🔒 SAP released patches in its September security bulletin addressing 21 vulnerabilities, including three critical issues affecting SAP NetWeaver. The most severe, CVE-2025-42944 (CVSS 10.0), is an insecure deserialization bug in the RMI-P4 module that can allow unauthenticated attackers to execute arbitrary OS commands by sending a malicious Java object to an open port. The two other critical flaws are an insecure file operations bug in Deploy Web Service (CVE-2025-42922, CVSS 9.9) that can allow file uploads by non-admin authenticated users, and a missing authentication check (CVE-2025-42958, CVSS 9.1) that exposes high-privilege actions and sensitive data. Administrators are advised to apply SAP’s patches and the mitigation guidance available via SAP notes.
Tue, September 9, 2025
Rockwell Automation CompactLogix 5480 Code Execution Flaw
⚠️ Rockwell Automation's CompactLogix® 5480 controllers (versions 32–37.011 with Windows package 2.1.0 on Windows 10 v1607) contain a Missing Authentication for Critical Function vulnerability (CVE-2025-9160). An attacker with physical access could abuse the controller's maintenance menu to execute arbitrary code. The flaw carries a CVSS v3 base score of 6.8 and a CVSS v4 base score of 7.0; CISA reports that it is not remotely exploitable and that no public exploitation has been reported. Rockwell and CISA recommend applying published security best practices and minimizing network exposure.
Tue, September 9, 2025
Rockwell 1783-NATR Memory Corruption Vulnerability
🔒 Rockwell Automation released a security update for 1783-NATR to remediate a memory corruption issue stemming from a Wind River VxWorks calloc() allocator flaw. The vulnerability (CVE-2020-28895) can produce smaller-than-expected allocations, enabling memory corruption and potential remote exploitation with low attack complexity. Rockwell published firmware 1.007 to correct the defect; customers unable to upgrade should follow Rockwell's security best practices and apply the network and access mitigations recommended by CISA.
Tue, September 9, 2025
CISA Releases Fourteen ICS Advisories — September 9, 2025
🔔 CISA released fourteen Industrial Control Systems (ICS) advisories on September 9, 2025, providing timely information on security issues, vulnerabilities, and potential exploits affecting critical industrial products. The set includes advisories for Rockwell Automation (ThinManager, Stratix IOS, FactoryTalk families, CompactLogix, ControlLogix, Analytics LogixAI, 1783-NATR), Mitsubishi Electric, Schneider Electric, ABB, and others. Administrators are urged to review the advisories for technical details, CVE references, and recommended mitigations, and to prioritize patching, configuration changes, and compensating controls to reduce operational risk.
Tue, September 9, 2025
Rockwell Stratix IOS Injection Vulnerability Advisory
⚠️ Rockwell Automation has published an advisory for an injection vulnerability in Stratix IOS (≤15.2(8)E5) that could allow an attacker to upload and run malicious configurations without authentication. The issue is tracked as CVE-2025-7350 and carries a CVSS v4 base score of 8.6, with remote exploitability and low attack complexity. Rockwell released an update; users should upgrade to 15.2(8)E6 or later. If updating is not immediately possible, follow vendor best practices and CISA's network-segmentation and access-control recommendations.
Tue, September 9, 2025
ABB Cylon Aspect BMS/BAS: High-Risk Firmware Flaws
🛡️ ABB has disclosed critical vulnerabilities in its ASPECT, NEXUS, and MATRIX building management and automation products that permit authentication bypass, unauthenticated critical functions, and a classic buffer overflow. Assigned CVEs include CVE-2025-53187, CVE-2025-7677, and CVE-2025-7679 with CVSS v4 scores up to 9.3. ABB resolved CVE-2025-53187 in firmware 3.08.04-s01 and recommends updating affected devices, avoiding direct Internet exposure, restricting network access segments, requiring VPN-based remote access, and changing default credentials to reduce risk.
Tue, September 9, 2025
Rockwell Automation FactoryTalk Optix MQTT RCE Vulnerability
⚠️ Rockwell Automation disclosed an input-validation defect in the FactoryTalk Optix MQTT broker that can enable remote code execution by loading remote Mosquitto plugins due to lack of URI sanitization. The issue affects versions 1.5.0 through 1.5.7; Rockwell recommends upgrading to 1.6.0 or later. CISA assigned CVE-2025-9161, reports a CVSS v4 base score of 7.3, and advises network segmentation and access restrictions; no public exploitation has been reported.
Tue, September 9, 2025
Rockwell Automation FactoryTalk Authentication Flaw
🔒 A cryptographic implementation error in Rockwell Automation's FactoryTalk Activation Manager v5.00 can allow attackers to decrypt communications, enabling data exposure, session hijacking, or full communication compromise. The issue is tracked as CVE-2025-7970 with a CVSS v4 base score of 8.7 and is exploitable remotely with low attack complexity. Users should update to Version 5.02 or later and follow vendor security guidance.
Tue, September 9, 2025
Rockwell Analytics LogixAI Redis Exposure Vulnerability
🔒 Rockwell Automation disclosed a vulnerability in Analytics LogixAI (versions 3.00 and 3.01) caused by an over-permissive Redis instance that can expose sensitive system information to an intranet attacker. Tracked as CVE-2025-9364, the issue carries a CVSS v3.1 score of 8.8 and a CVSS v4 score of 8.7 and may permit data access and modification when exploited from an adjacent network with low attack complexity. Rockwell has published fixes in versions 3.02 and later and advises customers to apply updates where possible; CISA reiterates standard mitigations such as minimizing network exposure, isolating control networks behind firewalls, and maintaining secure remote access practices.
Tue, September 9, 2025
Rockwell ThinManager SSRF Exposes NTLM Hashes Remotely
🔒 Rockwell Automation’s ThinManager contains a server-side request forgery (SSRF) vulnerability (CVE-2025-9065) affecting versions 13.0 through 14.0 that can expose the ThinServer service account NTLM hash. Authenticated attackers can trigger SMB authentication by specifying external SMB paths, causing NTLM challenge/response data to be leaked. Rockwell addressed the issue in ThinManager 14.1 and recommends upgrading; temporary mitigations include blocking NTLM over SMB, isolating control networks, and using secure remote access.
Tue, September 9, 2025
Rockwell ControlLogix 5580 NULL Pointer DoS Vulnerability
⚠️ A NULL pointer dereference vulnerability (CVE-2025-9166) in Rockwell Automation ControlLogix 5580 version 35.013 can cause the controller to enter a major, nonrecoverable fault resulting in denial of service. CISA reports a CVSS v4 base score of 8.2 and notes remote exploitability with low attack complexity. Rockwell recommends updating to version 35.014 or later and applying security best practices; CISA advises minimizing network exposure, isolating control networks, and using secure remote access methods.
Tue, September 9, 2025
September 2025 Patch Tuesday: Microsoft Vulnerabilities
🔔 Microsoft’s September 2025 update addresses 84 vulnerabilities, including two publicly disclosed zero-days and eight Critical issues. CrowdStrike’s analysis identifies elevation of privilege, remote code execution and information disclosure as the top exploitation vectors and notes many critical flaws require some user interaction. Key affected components include Windows, Extended Security Updates (ESU) and Microsoft Office, with notable CVEs in SMB, NTLM, Hyper-V and graphics subsystems. Organizations should prioritize patching, apply mitigations for unpatchable issues, and plan for Windows 10 end of support in October 2025.
Mon, September 8, 2025
Critical Code-Injection Vulnerability in SAP S/4HANA
⚠️ Security teams must urgently patch SAP S/4HANA after a critical code-injection flaw, CVE-2025-42957 (CVSS 9.9), was fixed by the vendor on August 12 and is now being exploited in the wild. The vulnerability allows a low-privilege user to inject arbitrary ABAP via an RFC-exposed function module, bypassing authorization checks and enabling admin-level control and potential OS interference. No workaround exists; timely patching across complex SAP landscapes is essential to prevent data theft, credential harvesting, backdoors, ransomware and operational disruption.
Fri, September 5, 2025
Amazon RDS Adds Latest Microsoft SQL Server GDR Updates
🔒 Amazon Relational Database Service (RDS) for Microsoft SQL Server now supports the latest General Distribution Release (GDR) updates for SQL Server 2016 SP3, 2017 CU31, 2019 CU32, and 2022 CU20. The supported RDS engine versions map to KB5063762, KB5063759, KB5063757, and KB5063814 respectively. These GDRs address vulnerabilities tracked as CVE-2025-49758, CVE-2025-24999, CVE-2025-49759, CVE-2025-53727, and CVE-2025-47954. We recommend that customers upgrade their RDS instances via the RDS Management Console, AWS SDK, or AWS CLI and follow the RDS SQL Server upgrade guidance.
Fri, September 5, 2025
CISA Orders Immediate Patch for Critical Sitecore Flaw
🔒 CISA has ordered immediate patching of a critical deserialization vulnerability in Sitecore (CVE-2025-53690), rated CVSS 9.0, after active exploitation was observed. The flaw arises from exposed ASP.NET machine keys—some copied from older deployment guides—and allows ViewState deserialization that leads to remote code execution. Agencies must rotate machine keys, harden configurations, and scan for compromise indicators by September 25, 2025, to mitigate further intrusions.
Fri, September 5, 2025
Max Severity Argo CD API Flaw Exposes Repo Credentials
🔒 A critical Argo CD vulnerability (CVE-2025-55190) allows API tokens with even low-privilege, project-level "get" permissions to access API endpoints and retrieve repository credentials. Rated CVSS v3 10.0, the flaw bypasses isolation protections and can expose the usernames and passwords used to access Git repositories. The issue affects all versions up to 2.13.0 and was fixed in 3.1.2, 3.0.14, 2.14.16, and 2.13.9; administrators should upgrade immediately.
Fri, September 5, 2025
Critical S/4HANA Code Injection Flaw Actively Exploited
⚠️ SAP released a patch for a critical S/4HANA vulnerability, CVE-2025-42957 (CVSS 9.9), after researchers observed a live exploit that allows low-privilege ABAP code injection and full system takeover. The flaw affects all S/4HANA deployments, including private cloud and on-premises, and can be weaponized easily because ABAP source is publicly viewable. Administrators should apply the update immediately and review account privileges, default credentials, encryption settings, and monitoring to limit risks such as data tampering, account creation with SAP_ALL, and password-hash exfiltration.
Fri, September 5, 2025
Critical SAP S/4HANA Code Injection Flaw Actively Exploited
⚠️ A critical ABAP code injection flaw, tracked as CVE-2025-42957, in an RFC-exposed function of SAP S/4HANA is being exploited in the wild to breach exposed servers. The bug allows low-privileged authenticated users to inject arbitrary code, bypass authorization checks, and take full control of affected systems. SAP issued a fix on August 11, 2025 (CVSS 9.9), but SecurityBridge reports active, limited exploitation and urges immediate patching.