All news in category "Security Advisory and Patch Watch"
Thu, November 13, 2025
Rockwell Automation Verve Asset Manager Access Control Flaw
🔒 Rockwell Automation disclosed an Incorrect Authorization vulnerability in Verve Asset Manager that allows unauthorized read‑only users to read, update, and delete user accounts via the product API. The issue is tracked as CVE-2025-11862 and CISA reports a CVSS v4 base score of 8.4, noting remote exploitability and low attack complexity. Affected releases include versions 1.33 through 1.41.3; Rockwell fixed the flaw in 1.41.4 and 1.42. Administrators should prioritize updates and apply network mitigations to limit exposure.
Thu, November 13, 2025
Rockwell FactoryTalk Policy Manager DoS Vulnerability
⚠ Rockwell Automation reported a remotely exploitable vulnerability (CVE-2024-22019) in FactoryTalk Policy Manager that can lead to resource exhaustion and denial of service. The issue stems from Node.js HTTP handling of chunked transfer encoding (CWE-404) that permits unbounded reads from a single connection. Affected releases include Version 6.51.00 and earlier; Rockwell corrected the issue in Version 6.60.00. CISA assigns a high severity rating (CVSS v4 8.7) and recommends upgrading, minimizing network exposure, and isolating control networks behind firewalls.
Thu, November 13, 2025
Siemens COMOS: Critical RCE and Data Exposure Fixes
⚠ Siemens warns that COMOS contains two high‑severity vulnerabilities — CVE-2023-45133 (CVSS 9.3) and CVE-2024-0056 (CVSS 8.7) — which can enable remote code execution or expose sensitive information. Siemens has released a patch in COMOS V10.4.5 and advises operators to update promptly. Implement network segmentation, avoid direct internet exposure of control systems, and follow Siemens and CISA guidance for secure remote access and system hardening.
Thu, November 13, 2025
Critical Flaws in General Industrial Controls Lynx+ Gateway
⚠️ CISA reports multiple high-severity vulnerabilities affecting General Industrial Controls Lynx+ Gateway, including weak password requirements, missing authentication for critical functions, and cleartext transmission of sensitive data. These issues carry CVSS v4 scores up to 9.2 and permit remote exploitation with low attack complexity, potentially enabling unauthorized access, device resets, information disclosure, or denial of service. Affected firmware versions include R08, V03, V05, and V18; the findings were disclosed in November 2025. CISA recommends minimizing network exposure, isolating control devices behind firewalls, and using secure remote access methods such as updated VPNs while coordinating with the vendor.
Thu, November 13, 2025
Siemens DLL Hijacking in Software Center and Solid Edge
⚠ Siemens disclosed a DLL hijacking vulnerability (CVE-2025-40827) affecting Siemens Software Center and Solid Edge SE2025. The issue is an uncontrolled search path element (CWE-427) that could permit arbitrary code execution if a crafted DLL is placed on a system. Siemens has published fixes (Software Center v3.5+, Solid Edge V225.0 Update 10+) and recommends network isolation, access controls, and following its industrial security guidance to reduce risk.
Thu, November 13, 2025
AVEVA Edge cryptographic weakness enables password recovery
🔒 AVEVA has released advisory ICSA-25-317-03 addressing a cryptographic weakness in AVEVA Edge (formerly InduSoft Web Studio) that could allow a local actor with read access to project or offline cache files to brute-force user or Active Directory passwords. The issue is tracked as CVE-2025-9317 and carries a CVSS v4 base score of 8.3. AVEVA provides a 2023 R2 P01 Security Update and recommends project migration, password resets, and tightened file access controls. This vulnerability is not remotely exploitable according to CISA.
Thu, November 13, 2025
CISA, FBI and Partners Issue Guidance on Akira Ransomware
🛡️ CISA, FBI, DC3, HHS and international partners released updated guidance to help organizations mitigate the evolving Akira ransomware threat. The advisory details new indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by the group, which primarily targets small and medium-sized businesses but has also struck larger organizations across multiple sectors. It strongly urges immediate actions such as regular backups, enforcing multifactor authentication, and prioritizing remediation of known exploited vulnerabilities.
Thu, November 13, 2025
Siemens SICAM P850/P855: CSRF and Session Token Flaws
🔒 Siemens reported Cross-Site Request Forgery and incorrect permission assignment vulnerabilities affecting SICAM P850 and P855 devices (versions prior to 3.11). Exploitation could allow attackers to perform actions as authenticated users or impersonate sessions. Siemens recommends updating to v3.11+, restricting TCP/443 to trusted IPs, and hardening network access; CISA advises isolating control networks and avoiding internet exposure.
Thu, November 13, 2025
Siemens Altair Grid Engine Vulnerabilities Advisory Notice
⚠️ Siemens Altair Grid Engine contains multiple local vulnerabilities that can enable privilege escalation and arbitrary code execution with superuser rights. One issue discloses password hashes in error messages (CWE-209, CVE-2025-40760, CVSS 5.5) and another allows library path hijacking via uncontrolled environment variables (CWE-427, CVE-2025-40763, CVSS 7.8). Siemens and CISA recommend updating to V2026.0.0 and applying mitigations such as removing setuid bits from affected binaries where appropriate.
Thu, November 13, 2025
Siemens Solid Edge: Improper Certificate Validation
⚠️ Siemens disclosed an improper certificate validation vulnerability in Solid Edge SE2025 that could enable unauthenticated remote man-in-the-middle attacks against the product's license service connections. The issue is tracked as CVE-2025-40744 and carries a CVSS v3.1 base score of 7.5 and a CVSS v4 base score of 8.7, indicating high impact and low attack complexity. Siemens recommends updating to V225.0 Update 11 or later and restricting network access to licensing endpoints; CISA also advises network segmentation, use of secure remote access, and standard anti-phishing protections. No known public exploitation targeting this vulnerability has been reported.
Thu, November 13, 2025
Rockwell Studio 5000 Simulation Interface Vulnerabilities
⚠️ Rockwell Automation disclosed two local vulnerabilities in Studio 5000 Simulation Interface (version 2.02 and earlier) that allow path traversal–based local code execution (CVE-2025-11696) and a local SSRF that can trigger outbound SMB requests for NTLM hash capture (CVE-2025-11697). Both issues carry high severity (CVSS v4: 9.3 and 8.8) and are exploitable by low-complexity local attackers. Rockwell recommends upgrading to version 3.0.0 or later; CISA advises isolating control system networks, minimizing exposure, and following secure remote-access practices.
Thu, November 13, 2025
AVEVA Application Server IDE Cross-Site Scripting Risk
⚠ AVEVA reported a basic cross-site scripting vulnerability (CVE-2025-8386) in the Application Server IDE affecting versions 2023 R2 SP1 P02 and earlier. An authenticated user with the aaConfigTools privilege can modify App Objects' help files to persist XSS that may execute in other users' sessions, potentially enabling horizontal or vertical privilege escalation. AVEVA provides a fix in System Platform 2023 R2 SP1 P03; CISA advises auditing permissions, minimizing network exposure, and using secure remote access methods.
Thu, November 13, 2025
CISA Updates Advisory: Akira Ransomware Evolution Update
🔐 CISA and partner agencies published an updated advisory on Nov. 13, 2025, detailing new indicators, tactics, and detection guidance related to Akira ransomware. The update documents expanded targeting across Manufacturing, Education, IT, Healthcare, Financial, and Food and Agriculture, and links activity to groups such as Storm-1567 and Punk Spider. Key findings include exploitation of edge and backup vulnerabilities, use of remote management tools for defense evasion, and a faster, more destructive Akira_v2 variant that complicates recovery.
Thu, November 13, 2025
Rockwell Automation FactoryTalk DataMosaix Vulnerabilities
🔒 Rockwell Automation disclosed multiple vulnerabilities in FactoryTalk DataMosaix Private Cloud that can enable MFA bypass and persistent cross-site scripting. The issues, tracked as CVE-2025-11084 and CVE-2025-11085, affect 7.11 and selected 8.x releases and carry CVSS v4 scores up to 8.6, indicating high severity. Rockwell has released patches and CISA advises applying updates, minimizing network exposure, and isolating control networks to reduce remote exploitation risk.
Thu, November 13, 2025
CISA Alerts Agencies to Exploited WatchGuard Firewall Flaw
🔔 CISA has warned federal agencies to patch a critical, actively exploited vulnerability in WatchGuard Firebox firewalls that permits remote code execution through an out-of-bounds write in Fireware OS 11.x (EOL), 12.x, and 2025.1. The agency added CVE-2025-9242 to its Known Exploited Vulnerabilities catalog and imposed a three-week remediation deadline under BOD 22-01. WatchGuard released patches on September 17 but only marked the flaw as exploited on October 21. Internet scans tracked over 75,000 vulnerable appliances before counts fell to roughly 54,000.
Thu, November 13, 2025
CISA Adds Critical WatchGuard Fireware Flaw to KEV
🔒 CISA has added a critical WatchGuard Fireware vulnerability, CVE-2025-9242 (CVSS 9.3), to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The out-of-bounds write in the OS iked process affects Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3 and 2025.1 and can allow remote unauthenticated code execution. Researchers at watchTowr Labs attribute the flaw to a missing length check on an identification buffer used during the IKE handshake, which permits a pre‑authentication code path before certificate validation. Shadowserver scans show over 54,300 vulnerable Firebox instances worldwide (about 18,500 in the U.S.), and Federal Civilian Executive Branch agencies are directed to apply WatchGuard patches by December 3, 2025.
Wed, November 12, 2025
Canon TTF Printer Vulnerability Allows Remote Code Execution
🖨️ Independent researcher Peter Geissler disclosed a critical vulnerability (CVE-2024-12649) in certain Canon printers that can be triggered simply by printing an XPS document containing a malicious TTF font. The exploit abuses TTF hinting instructions to overflow a virtual-machine stack in the printer’s font engine, allowing code execution on devices running Canon’s DryOS. Canon has issued firmware updates, but organizations should promptly patch, restrict printer exposure, and segment printers to reduce risk.
Wed, November 12, 2025
Microsoft fixes false Windows 10 end-of-support alerts
🔧 Microsoft resolved a bug that caused incorrect end-of-support warnings to appear in Windows Update settings after the October 2025 updates. The cosmetic issue affected Windows 10 22H2 devices enrolled in the Extended Security Updates (ESU) program as well as LTSC 2021 editions that remain supported; affected systems continued to receive security updates throughout. Microsoft issued a cloud configuration fix and, on Nov 11, 2025, released KB5068781; admins can also apply a Known Issue Rollback policy if immediate deployment is required.
Wed, November 12, 2025
Amazon: APT Exploits Cisco ISE and Citrix Zero‑Days
🔒 Amazon Threat Intelligence identified an advanced threat actor exploiting undisclosed zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix products. The actor achieved pre-authentication remote code execution via a newly tracked Cisco deserialization flaw (CVE-2025-20337) and earlier Citrix Bleed Two activity (CVE-2025-5777). Following exploitation, a custom in-memory web shell disguised as IdentityAuditAction was deployed, demonstrating sophisticated evasion using Java reflection, Tomcat request listeners, and DES with nonstandard Base64. Amazon recommends limiting external access to management endpoints and implementing layered defenses and detection coverage.
Wed, November 12, 2025
Amazon: Threat Actor Exploited Cisco and Citrix Zero-Days
⚠️ Amazon's threat intelligence team disclosed that it observed an advanced threat actor exploiting two zero-day vulnerabilities in Citrix NetScaler ADC (CVE-2025-5777) and Cisco Identity Services Engine (CVE-2025-20337) to deploy a custom web shell. The backdoor, disguised as an IdentityAuditAction component, operates entirely in memory, uses Java reflection to inject into running threads, and registers a Tomcat listener to monitor HTTP traffic. Amazon observed the activity via its MadPot honeypot, called the actor highly resourced, and noted both flaws were later patched by the vendors.