
All news in category “Security Advisory and Patch Watch”


Critical n8n RCE Flaw (CVE-2025-68613) Requires Patch

🔴 A critical vulnerability in the n8n workflow automation platform (CVE-2025-68613, CVSS 9.9) allows expressions supplied by authenticated users to be evaluated in an execution context that is not sufficiently isolated from the runtime. An attacker able to create or edit workflows could abuse this behavior to execute arbitrary code with the privileges of the n8n process, risking full instance compromise, data exposure, and workflow tampering. The flaw affects versions from 0.211.0 up to, but not including, 1.120.4 and has been patched in 1.120.4, 1.121.1, and 1.122.0; apply these updates or restrict workflow editing and harden deployments.

Microsoft Finally Deprecates RC4 in Windows After 26 Years

🔒 Microsoft is deprecating the legacy RC4 cipher in Windows, ending a 26-year presence that left servers accepting RC4-based authentication responses by default. The company cited RC4’s vulnerability to Kerberoasting, an attack class linked to last year’s breach at Ascension that disrupted hospital operations and exposed millions of medical records. Security and regulatory scrutiny, including calls from Senator Ron Wyden, helped force the change.

CISA Adds One KEV: CVE-2023-52163 for Digiever DS-2105

⚠️ CISA has added CVE-2023-52163 — a missing authorization flaw in Digiever DS-2105 Pro — to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate cataloged vulnerabilities by specified due dates, and CISA emphasizes this entry represents a common and significant attack vector. While the binding directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation and incorporate this KEV into their vulnerability management processes.

CISA Flags ASUS Live Update CVE, But Attack Is Years Old

🛡️ CISA's addition of CVE-2025-59374 to the KEV catalog documents a historical ASUS Live Update supply‑chain compromise rather than a new, active campaign. The CVE formalizes the 2018–2019 'ShadowHammer' incident in which maliciously modified Live Update binaries were selectively delivered to targeted systems, and the client reached End‑of‑Support in October 2021. ASUS's December 2025 FAQ appears to be a documentation update clarifying upgrade paths to the last Live Update release (3.6.15), and CISA emphasized that KEV inclusion does not necessarily indicate ongoing exploitation. Security teams should apply context‑aware triage and ensure supported software is up to date.

ASUS Live Update CVE-2025-59374: Historical, Not New

📌 The CVE-2025-59374 record documents the 2018–2019 ShadowHammer supply‑chain compromise of ASUS Live Update, a client that reached End‑of‑Support in October 2021. The entry, now rated 9.3, formalizes a historical incident and does not indicate current active exploitation for supported devices. Security teams should verify systems are running the latest supported software but avoid treating the KEV listing as an immediate, new threat.

Revisiting CVE-2025-50165: Windows Imaging Component Flaw

🛡️ ESET researchers re-examine CVE-2025-50165, a critical Windows Imaging Component vulnerability that can lead to remote code execution when a specially crafted JPG is re-encoded. Their analysis identifies uninitialized precision-specific function pointers in WindowsCodecs.dll (libjpeg-turbo based) as the root cause and reproduces the crash with 12‑ and 16‑bit JPEG samples. ESET concludes exploitation is technically challenging and unlikely in the wild, requiring re-encoding, an address leak and heap manipulation; patches in updated builds initialize and validate these pointers.

RCE Flaw Exposes Over 115,000 WatchGuard Firewalls

⚠️ WatchGuard released patches for a critical remote code execution vulnerability, CVE-2025-14733, affecting Firebox devices running Fireware OS 11.x, 12.x and 2025.1 up to 2025.1.3. The flaw permits unauthenticated attackers to execute arbitrary code on devices configured for IKEv2 VPN, and may also be reachable via certain Branch Office VPN setups. Shadowserver reported more than 115,000 exposed instances online. CISA added the issue to its KEV catalog and ordered federal agencies to patch under BOD 22-01.

WatchGuard fixes critical zero-day in Firebox appliances

🛡️ WatchGuard has released emergency patches for a critical zero-day (CVE-2025-14733) in its Firebox appliances that allows remote, unauthenticated attackers to execute arbitrary code via the iked process handling IKEv2. The flaw, rated 9.3 CVSS, was exploited in the wild before a December 18 patch, making it a confirmed zero-day. Administrators should urgently check appliances for indicators of compromise, apply the fixed Fireware OS versions, and rotate any locally stored secrets if compromise is confirmed.

UEFI Flaw Enables Pre-boot DMA Attacks on Motherboards

🔒 Researchers disclosed a UEFI firmware flaw affecting some ASUS, Gigabyte, MSI, and ASRock motherboards that can falsely report DMA protections as active even when the IOMMU has not initialized, enabling pre-boot DMA attacks. The issue, tracked under multiple CVEs, allows a malicious PCIe device with physical access to read or modify system memory before the operating system loads and before security tooling can detect anything. Vendors have published advisories and firmware updates; users should verify affected models, back up important data, and apply vendor patches promptly.

Over 25,000 FortiCloud SSO Devices Exposed Online

🔒 Shadowserver has identified more than 25,000 Fortinet devices online with FortiCloud SSO enabled, amid active exploitation of a critical authentication bypass (CVE-2025-59718/CVE-2025-59719). Researchers report attackers send malicious SAML messages to perform unauthorized SSO, gain admin-level access, and download system configuration files containing hashed credentials, exposed services, and network details. CISA added the flaw to its list of actively exploited vulnerabilities and ordered U.S. agencies to patch within a week; Fortinet notes FortiCloud SSO is only enabled after device registration, but many management interfaces remain publicly reachable.

CISA Update: BRICKSTORM Backdoor Analysis Release Notice

🛡️ Today, CISA, the NSA, and the Canadian Centre for Cyber Security released an update to the Malware Analysis Report for the BRICKSTORM backdoor. The update adds indicators of compromise (IOCs) and two new YARA detection signatures to cover additional samples, including Rust-based variants. Analysts observed advanced persistence and defense-evasion behaviors (including running as background services) and improved command-and-control via encrypted WebSocket channels. Organizations are strongly urged to deploy the updated IOCs and signatures, follow the detection guidance to scan and remediate affected systems, and report suspected infections to CISA’s 24/7 Operations Center.

CISA Adds WatchGuard Vulnerability to KEV Catalog List

🔔 CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-14733, an Out-of-Bounds Write vulnerability affecting WatchGuard Firebox. The agency says there is evidence of active exploitation and highlights that BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV entries by their due dates. CISA also urges all organizations to prioritize timely remediation to reduce exposure to active threats.

WatchGuard fixes critical Fireware IKEv2 exploit in the wild

🔒 WatchGuard has released updates to remediate a critical vulnerability (CVE-2025-14733, CVSS 9.3) in Fireware OS that enables remote unauthenticated code execution via an out-of-bounds write in the iked process. The flaw impacts IKEv2 mobile user VPNs and branch office VPNs configured with dynamic gateway peers, and the vendor reports observed exploitation attempts in the wild. WatchGuard published fixed releases, IoCs, and temporary mitigations; administrators should apply updates immediately.

Cisco Confirms Zero-Day in Secure Email Appliances

⚠️ Cisco Talos has identified an active campaign exploiting a zero-day in AsyncOS, impacting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. The flaw targets systems with the spam quarantine feature enabled and has been active since at least late November; a vendor patch is not yet available. Cisco currently recommends wiping and rebuilding compromised devices, and analysts urge restricting access to management ports and deploying compensating controls while organizations plan remediation.

WatchGuard Warns of Actively Exploited RCE in Firebox

🔒 WatchGuard has issued an urgent advisory for a critical remote code execution vulnerability (CVE-2025-14733) affecting Firebox appliances running Fireware OS 11.x, 12.x and 2025.1 releases. The flaw enables unauthenticated attackers to execute code via an out-of-bounds write when IKEv2 VPN is enabled. WatchGuard reports active exploitation in the wild and provides a temporary workaround for Branch Office VPN configurations where immediate patching is not possible. Administrators are urged to apply vendor updates and review provided indicators of compromise.

UEFI IOMMU Flaw Lets Early-Boot DMA Bypass on Motherboards

⚠️ Certain motherboard models from vendors including ASRock, ASUS, GIGABYTE, and MSI are affected by a firmware flaw that reports DMA protection as active but fails to initialize the IOMMU during early boot. That discrepancy allows a physically present attacker with a DMA-capable PCIe device to read or modify system memory and potentially enable pre-boot code injection before OS protections load. CERT/CC warned that the gap undermines boot integrity and enables access to sensitive memory. Affected vendors have released firmware updates to correct the IOMMU initialization sequence; users and administrators should apply patches promptly.

React2Shell: Pre-auth RCE Exposes Front-End Risk in Enterprise

🚨 React2Shell (CVE-2025-55182) is a critical pre-authentication remote code execution flaw affecting React Server Components, Next.js and related frameworks. Exploitable with a single crafted HTTP request that targets the Flight protocol, the bug lets attackers inject and execute arbitrary server-side components, enabling backdoors, crypto miners and ransomware deployment. Researchers at S-RM and the Microsoft Defender team warn default configurations are vulnerable and note some early patches were incomplete; organizations should urgently verify fully patched versions and run forensic checks.

HPE OneView RCE Vulnerability Demands Immediate Patch

🔴 HPE has issued an urgent advisory for HPE OneView after disclosure of a maximum-severity remote code execution flaw, CVE-2025-37164, that can be triggered by unauthenticated remote actors. The vulnerability affects OneView versions 5.20 through 10.20 and requires an immediate security hotfix. HPE provides separate hotfixes for the virtual appliance and for HPE Synergy Composer; administrators should apply the fixes promptly and, until remediation, restrict management-interface access to trusted administrative networks.

Windows 10 OOB Update Resolves Message Queuing Errors

🔧 Microsoft released an out-of-band update (KB5074976) via the Update Catalog to address issues introduced by the December 9, 2025 Windows 10 security update that broke Message Queuing (MSMQ). Affected systems may see inactive queues, resource errors, and failures writing to queues, particularly in clustered or high-load enterprise environments. The OOB update is not distributed via Windows Update or WSUS; only devices enrolled in Windows 10 ESU should install it, and only if impacted.

HPE OneView Critical RCE Flaw Rated CVSS 10.0, Patch

🚨 HPE has released patches for a critical remote code execution vulnerability in OneView Software, tracked as CVE-2025-37164 with a CVSS score of 10.0. The flaw affects all versions prior to 11.00; HPE published version 11.00 and hotfixes for 5.20–10.20 to mitigate it. Administrators should apply the update or hotfix promptly; certain hotfixes must be reapplied after specific upgrades or Synergy Composer reimaging.