All news in category "Security Advisory and Patch Watch"

CISA, NSA, and Cyber Centre Warn of BRICKSTORM Malware

🔒 CISA, NSA, and the Canadian Centre for Cyber Security released a joint malware analysis on BRICKSTORM, a sophisticated backdoor targeting VMware vSphere (vCenter) and Windows environments used by PRC state-sponsored actors. The report provides indicators of compromise (IOCs), detection signatures, and CISA-developed YARA and SIGMA rules to help critical infrastructure owners identify compromises. Recommended mitigations include scanning with the provided rules, inventorying and monitoring edge devices, enforcing network segmentation, and adopting Cross-Sector Cybersecurity Performance Goals; organizations are urged to report suspected activity to CISA immediately.

Sunbird DCIM dcTrack and Power IQ: Critical Flaws (2025)

🔒 CISA warns of two critical vulnerabilities in Sunbird DCIM dcTrack and Power IQ appliances that could enable unauthorized access or credential theft. One is an authentication bypass via alternate remote-access channels (CVE-2025-66238); the other involves hard‑coded/default credentials (CVE-2025-66237) with a CVSS v4 high score of 8.4. Sunbird has released fixes (dcTrack 9.2.3, Power IQ 9.2.1); until systems are updated, CISA recommends restricting SSH and nonessential ports, changing deployment passwords, isolating control networks behind firewalls, and using secure VPNs for remote access.

CISA Releases Nine ICS Advisories for Multiple Vendors

🔔 On December 4, 2025, CISA published nine Industrial Control Systems advisories addressing vulnerabilities in products from Mitsubishi Electric, MAXHUB, Johnson Controls, Sunbird, SolisCloud, and Advantech. The release also includes updated advisories for Consilium Safety CS5000 and Johnson Controls FX families. Each advisory provides technical details, affected versions, and recommended mitigations. Administrators are encouraged to review the advisories and apply vendor guidance promptly.

Mitsubishi Electric GX Works2 Cleartext Credential Risk

🔒 CISA warns that Mitsubishi Electric GX Works2 contains a cleartext storage vulnerability (CVE-2025-3784) that can expose credentials stored in project files. The issue affects all versions and may allow a local attacker with file access to open password-protected projects and read or modify project data. A vendor fix is under development; organizations should restrict access, block untrusted remote logins, and follow the mitigations recommended by Mitsubishi Electric and CISA.

Urgent: Patch React 19 and Next.js to Mitigate RCE

⚠️ Developers must immediately upgrade React 19 and affected frameworks such as Next.js after researchers at Wiz disclosed a critical deserialization vulnerability in the React Server Components (RSC) Flight protocol that can enable remote code execution. The flaw exists in default configurations and impacts React 19.0.0, 19.1.0, 19.1.1 and 19.2.0, while Next.js 15.x and 16.x App Router deployments received a related CVE. Upgrade to the latest vendor-recommended releases now and follow the React blog's guidance.

RCE Flaw in OpenAI's Codex CLI Elevates Dev Risks Globally

⚠️Researchers from CheckPoint disclosed a critical remote code execution vulnerability in OpenAI's Codex CLI that allowed project-local .env files to redirect the CODEX_HOME environment variable and load attacker-controlled MCP servers. By adding a malicious mcp_servers entry in a repo-local .codex/config.toml, an attacker with commit or PR access could cause Codex to execute commands silently whenever a developer runs the tool. OpenAI addressed the issue in Codex CLI v0.23.0 by blocking project-local redirection of CODEX_HOME, but the flaw demonstrates how automated LLM-powered developer tools can expand the attack surface and enable persistent supply-chain backdoors.

Google Cloud guidance on CVE-2025-55182 for React/Next.js

🔒 Meta and Vercel disclosed a critical remote code execution vulnerability in React Server Components (CVE-2025-55182) that also affected some Next.js releases. Google Cloud rolled out a preconfigured Cloud Armor WAF rule (cve-canary), is enforcing protections for Firebase Hosting, and recommends testing the rule in preview while enabling ALB request logging to consume telemetry. Customers should promptly update dependencies to React 19.2.1 and the patched Next.js releases and redeploy services to remove the vulnerability.

Critical Privilege-Escalation Flaw in King Addons for WP

⚠️ A critical privilege-escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin is being actively exploited to create administrative accounts during registration. Attacks began on October 31, a day after public disclosure, and Wordfence reports blocking more than 48,400 exploit attempts. Site owners should upgrade to King Addons 51.1.35 immediately and check logs for suspicious IPs and unexpected admin accounts.

Critical RSC Deserialization Flaw in React and Next.js

🚨 A maximum-severity remote code execution vulnerability in React Server Components (CVE-2025-55182, CVSS 10.0) allows unauthenticated attackers to execute arbitrary JavaScript by sending crafted payloads to Server Function endpoints. Affected npm packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in specific 19.x releases; fixes are available in 19.0.1, 19.1.2, and 19.2.1. The issue also impacts Next.js (CVE-2025-66478, CVSS 10.0) across multiple releases and has been patched in a series of 15.x and 16.x updates. Security firm Wiz reports roughly 39% of cloud environments host vulnerable instances; apply patches immediately.

Microsoft Quietly Patches Long-Exploited Windows LNK Bug

🔒 Microsoft has quietly fixed CVE-2025-9491, a Windows Shortcut (.LNK) UI misinterpretation flaw that enabled remote code execution and has been abused since 2017 by multiple state-affiliated and criminal groups. The change, deployed in November 2025, forces the Properties dialog to display the full Target command string regardless of length, removing the truncation that hid malicious arguments. Vendors including 0patch and ACROS Security noted alternative mitigations — a UI change by Microsoft and a warning-based micropatch — that together reduce user exposure.

Critical King Addons WordPress Plugin Flaw Exploited

⚠️ A critical privilege-escalation vulnerability in the King Addons plugin for Elementor (CVE-2025-8489, CVSS 9.8) is being actively exploited to create administrative accounts. The flaw stems from an insecure handle_register_ajax() implementation that permits unauthenticated users to specify the administrator role during registration via the "/wp-admin/admin-ajax.php" endpoint. A patch is available in version 51.1.35 (released September 25, 2025); administrators should update immediately and audit for unauthorized admin users.

Microsoft mitigates Windows LNK zero-day exploited widely

🔒 Microsoft has quietly mitigated a high-severity Windows LNK vulnerability tracked as CVE-2025-9491, which attackers used to hide malicious command-line arguments inside .lnk files. The flaw relied on padding the Target field so Windows previously masked arguments beyond 260 characters, enabling persistence and malware delivery. Microsoft’s November update now shows the full Target string in Properties but does not remove malicious arguments or warn users. An unofficial 0Patch micropatch limits target strings and warns on unusually long values.

CISA Adds One CVE to Known Exploited Vulnerabilities Catalog

🚨 CISA added CVE-2021-26828 — an OpenPLC ScadaBR unrestricted file upload vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The flaw allows dangerous file types to be uploaded, a frequent attack vector that poses significant risks to federal networks. Under BOD 22-01 federal agencies must remediate cataloged CVEs by required dates; CISA also urges all organizations to prioritize remediation.

Picklescan Flaws Enable Malicious PyTorch Model Execution

⚠️ Picklescan, a Python pickle scanner, has three critical flaws that can be abused to execute arbitrary code when loading untrusted PyTorch models. Discovered by JFrog researchers, the issues — a file-extension bypass (CVE-2025-10155), a ZIP CRC bypass (CVE-2025-10156) and an unsafe-globals bypass (CVE-2025-10157) — let attackers present malicious models as safe. The vulnerabilities were responsibly disclosed on June 29, 2025 and fixed in Picklescan 0.0.31 on September 9; users should upgrade and review model-loading practices and downstream automation that accepts third-party models.

Cloudflare WAF Blocks Critical React Server Components RCE

🛡️ Cloudflare has deployed new WAF protections to mitigate a high‑severity RCE in React Server Components (CVE-2025-55182). All customers whose React traffic is proxied through the Cloudflare WAF are automatically protected — the rules are included in both the Free Managed Ruleset and the standard Managed Ruleset and default to Block. Rule IDs: Managed Ruleset 33aa8a8a948b48b28d40450c5fb92fba and Free Ruleset 2b5d06e34a814a889bee9a0699702280; Cloudflare Workers are immune. Customers on paid plans should verify Managed Rules are enabled and update to React 19.2.1 and the recommended Next.js releases (16.0.7, 15.5.7, 15.4.8).

Critical PickleScan Zero-Days Threaten AI Model Supply

🔒 Three critical zero-day vulnerabilities in PickleScan, a widely used scanner for Python pickle files and PyTorch models, could enable attackers to bypass model-scanning safeguards and distribute malicious machine learning models undetected. The JFrog Security Research Team published an advisory on 2 December after confirming all three flaws carry a CVSS score of 9.3. JFrog has advised upgrading to PickleScan 0.0.31, adopting layered defenses, and shifting to safer formats such as safetensors.

Google fixes two Android zero-days, 107 vulnerabilities

🔒 Google released its December 2025 Android security bulletin addressing 107 vulnerabilities, including two zero-days (CVE-2025-48633 and CVE-2025-48572) that are reported to be under limited targeted exploitation. The flaws affect Android 13–16 and include information-disclosure and privilege‑escalation issues; the most critical fix this month is CVE-2025-48631 (DoS). Updates also include critical kernel fixes for Qualcomm and closed‑source vendors, and Samsung has ported fixes. Users should apply updates, keep Play Protect active, or move to supported builds.

KB5070311 Causes Explorer to Flash White in Dark Mode

⚠️ Microsoft confirmed that the KB5070311 preview update can cause a brief bright white flash when launching File Explorer in dark mode on Windows 11 systems. The behavior is also triggered when navigating to or from Home or Gallery, creating a new tab, toggling the Details pane, or selecting 'More details' while copying files. Microsoft says it is working on a solution but has not provided a timeline; affected users are advised to disable dark mode as a temporary workaround.

Code Injection Vulnerability in Longwatch Device Firmware

⚠️ Industrial Video & Control Longwatch versions 6.309–6.334 contain a code injection vulnerability that allows unauthenticated HTTP GET requests to execute arbitrary code, resulting in SYSTEM-level remote code execution. CISA assigns high severity (CVSS v4 9.3; CVSS v3.1 9.8) and recommends upgrading to version 6.335 or later. Reduce network exposure, isolate control networks behind firewalls, and use secure remote access methods while applying the vendor patch.

CISA Adds Two Android Vulnerabilities to KEV Catalog

⚠️ CISA added two Android Framework vulnerabilities to the KEV Catalog: CVE-2025-48572 (privilege escalation) and CVE-2025-48633 (information disclosure). Both issues show evidence of active exploitation and pose significant risk to the federal enterprise. Under BOD 22-01, FCEB agencies must remediate cataloged vulnerabilities by their due dates; CISA strongly urges all organizations to prioritize timely patching and other mitigations.