
All news in category “Security Advisory and Patch Watch”

1831 articles · page 52 of 92

Ignition Vulnerability Allows Unnecessary SYSTEM Execution

⚠️ Inductive Automation Ignition contains a Python scripting vulnerability (CVE-2025-13911) that can allow direct SYSTEM-level code execution on Windows hosts running the Ignition Gateway. The issue stems from insufficient controls on which Python libraries and scripts can be imported and executed, and the Ignition service account running with excessive SYSTEM privileges. A malicious project uploaded by an authenticated administrator can execute bind shells or similar payloads with Gateway process privileges. Inductive Automation identifies affected releases as 8.1.x and 8.3.x and provides mitigations on its Trust Portal; CISA rates the flaw CVSS 3.1 6.4 and recommends network segmentation and reduced exposure.

Siemens Interniche IP-Stack TCP Sequence Vulnerability

⚠️ Siemens warns of a TCP sequence validation flaw in the Interniche IP-Stack (CVE-2025-40820) that can allow unauthenticated remote actors to interfere with TCP connection setup and cause denial of service. The defect accepts a broad range of sequence values, permitting precisely timed spoofed packets to disrupt TCP-based services. Siemens has released fixes for many affected SKUs and recommends updating to the published firmware versions; where fixes are not yet available, follow the vendor’s countermeasures and apply network controls to limit exposure.

Rockwell Micro800 Controllers: IPv6 and CIP DoS Flaws

🔒 CISA warns of two denial-of-service vulnerabilities in Rockwell Automation Micro820, Micro850, and Micro870 controllers (CVE-2025-13823, CVE-2025-13824) that can render devices unresponsive. One flaw is in the IPv6 stack and the other stems from improper handling of malformed CIP packets; both can cause faults that impact availability. Rockwell Automation has released firmware updates (Micro820 L20E V23.011 or later; Micro850/870 V12.013 or later) and advises disabling IPv6 if not required. CISA recommends minimizing network exposure, isolating control networks behind firewalls, and using secure remote access methods.

Schneider Electric: WSUS Vulnerability in Foxboro DCS

⚠️ Schneider Electric warns that a Microsoft WSUS vulnerability (CVE-2025-59287, CWE-502) impacts EcoStruxure™ Foxboro DCS Advisor and may allow remote code execution with system-level privileges (CVSS 3.1 9.8). Microsoft fixes (KB5070882, KB5070884) are available via WSUS and may require a reboot to complete installation. Apply the patches promptly, verify installation with Schneider Electric Global Customer Support, and follow recommended network isolation and access-control measures to reduce exposure.

Advantech WebAccess/SCADA: Multiple Vulnerabilities

🔒 CISA disclosed multiple vulnerabilities in Advantech WebAccess/SCADA affecting version 9.2.1 that could allow an authenticated attacker to read, modify, or delete remote database files. Reported issues include path traversal, unrestricted file upload, absolute path traversal, and SQL injection across several CVEs. Advantech has released WebAccess/SCADA 9.2.2 to address these flaws; operators should prioritize applying the update and hardening network access.

Critical AXIS Camera Station and Device Manager Flaws

⚠️ CISA warns of critical vulnerabilities in AXIS Camera Station products, including AXIS Camera Station Pro and AXIS Device Manager. Successful exploitation could allow remote code execution, authentication bypass, man-in-the-middle attacks, or local privilege escalation; CVEs include CVE-2025-30023, -30024, -30025, and -30026 (maximum CVSS v3 base score 9.0). Vendor-identified affected releases are older than Pro 6.9, Camera Station 5.58, and Device Manager 5.32; upgrades to these versions or later are the recommended fixes and administrators should minimize network exposure.

ICONICS/Mitsubishi Electric Keypad Code Execution Bug

⚠️ CISA reports CVE-2025-11774, a high-severity vulnerability in the software 'keypad' function of ICONICS Suite, GENESIS64, MobileHMI, and MC Works64. An attacker who tampers with the keypad configuration file can trigger execution of arbitrary EXE files when a legitimate user uses the keypad, enabling information disclosure, tampering, deletion, or a denial-of-service. The issue is rated CVSS 3.1 8.2 (CWE-78). Upgrade affected ICONICS products to GENESIS64 v10.97.3 or V11; MC Works64 users should migrate per vendor guidance.

CISA Releases Nine ICS Advisories Covering Multiple Vendors

🔔 CISA published nine Industrial Control Systems (ICS) advisories on 2025-12-18 that detail current security issues, vulnerabilities, and known exploits affecting a range of vendors and products. The advisories cover Inductive Automation Ignition, Schneider Electric EcoStruxure Foxboro DCS Advisor, National Instruments LabVIEW, Mitsubishi Electric components, Siemens IP-Stack, Advantech WebAccess/SCADA, Rockwell Automation Micro controllers, Axis Communications Camera Station offerings, and an updated notice for Mitsubishi Electric CNC Series (Update C). Each advisory provides technical details, impact assessments, and recommended mitigations for administrators and asset owners. CISA urges users to review the advisories promptly and implement the suggested mitigations to reduce operational risk.

LabVIEW Multiple Vulnerabilities Allow Code Execution

⚠ National Instruments released patches addressing multiple vulnerabilities in LabVIEW that could allow information disclosure and arbitrary code execution if a user opens a specially crafted VI file. The flaws include out-of-bounds read/write, use-after-free, and a stack-based buffer overflow across several LabVIEW releases up to 2025_Q3. Administrators should apply the vendor Q3 patch updates and minimize exposure of LabVIEW files while performing risk assessments.

HPE OneView RCE Flaw (CVE-2025-37164) Requires Patch

⚠️ HPE has released patches for a maximum-severity remote code execution vulnerability, CVE-2025-37164, in OneView that affects all versions prior to v11.00. Reported by Nguyen Quoc Khanh (brocked200), the flaw permits unauthenticated, low-complexity code injection leading to RCE on unpatched systems. There are no vendor-provided workarounds or mitigations, so administrators should upgrade to OneView v11.00 or apply the appropriate hotfixes without delay. Separate hotfix packages are available for virtual appliance and Synergy deployments.

Cisco: Zero-day Exploitation of Secure Email Appliances

⚠️ Cisco warns a China-linked actor is actively exploiting a previously unknown zero-day in its Secure Email appliances to gain persistent access when the Spam Quarantine feature is enabled and exposed to the internet. Cisco Talos reports activity since at least late November and says no patch is available. In confirmed compromises, Cisco advises wiping and rebuilding affected appliances to remove persistence; organizations should immediately restrict access to management ports and apply compensating controls while awaiting a fix.

Microsoft updates break Azure Virtual Desktop RemoteApp

⚠️ Microsoft has confirmed that recent Windows updates cause RemoteApp connection failures for Azure Virtual Desktop on Windows 11 24H2/25H2 and Windows Server 2025, triggered after the November 2025 non-security update KB5070311 or later. The issue affects RemoteApp streaming connections while full virtual desktop sessions remain functional and typically does not impact consumer Home or Pro devices. Microsoft advises a temporary mitigation — adding a registry DWORD (requires administrator privileges) and restarting the device — and has applied a Known Issue Rollback for Pro and Enterprise SKUs. Enterprise administrators can alternatively deploy the provided Group Policy MSI to apply the rollback centrally while Microsoft works on a permanent fix.

CISA Adds Critical ASUS Live Update Flaw to KEV Catalog

⚠️ CISA has added a critical vulnerability (CVE-2025-59374, CVSS 9.3) in ASUS Live Update to its Known Exploited Vulnerabilities catalog after identifying evidence of active exploitation tied to a supply-chain compromise. The flaw stems from trojanized installer builds distributed during the 2018 Operation ShadowHammer campaign that could make targeted devices perform unintended actions. ASUS previously remediated the issue in v3.6.8, but the vendor has since declared the client end-of-support; federal agencies are urged to discontinue use by January 7, 2026.

Cisco warns of exploited AsyncOS zero-day CVE-2025-20393

🚨 Cisco has warned of a maximum-severity zero-day in AsyncOS (CVE-2025-20393) that is actively exploited by a China-nexus APT tracked as UAT-9686. The flaw carries a CVSS score of 10.0 and can allow arbitrary command execution as root when the Spam Quarantine feature is enabled and reachable from the internet. Cisco observed attacks since late November 2025 and advises isolating affected appliances, restricting internet access, tightening authentication, monitoring web logs, and rebuilding compromised units until a patch is available.

Microsoft warns MSMQ may fail after December update

⚠️ Microsoft warns a December security update (KB5071546) can cause MSMQ to become inactive in enterprise and clustered environments, disrupting applications that rely on queued messaging. Reported symptoms include IIS failures with resource errors, applications unable to write to queues, and misleading log entries about disk space. Microsoft says a workaround exists but directs admins to contact Support for Business; community responders have recommended temporarily granting write access to C:\Windows\System32\msmq or rolling back the update until an official fix is issued. Affected systems include Windows Server 2012/2012 R2/2016/2019 and several Windows 10 builds.

Smashing Security 448: Kindle exploit, account and card risk

🎧 In episode #448 of Smashing Security, Graham Cluley and guest Danny Palmer discuss a Black Hat Europe disclosure showing how a booby-trapped audiobook could exploit an Amazon Kindle e-reader. The research suggests a malformed audio file might let an attacker gain persistent access, break into an account and seize a saved credit card. The episode also revisits Ireland’s HSE ransomware fallout, where victims were reportedly offered €750 each, and includes a Pick of the Week. Listeners are urged to keep devices updated and monitor accounts for suspicious activity.

Cisco Talos: Libbiosig, Grassroot DiCoM, and step-ca Flaws

🔔 Cisco Talos disclosed multiple vulnerabilities affecting libbiosig, Grassroot DiCoM, and Smallstep step-ca. The issues include stack-based buffer overflows in libbiosig’s MFER parser that may allow arbitrary code execution, several out-of-bounds reads in DiCoM that can leak sensitive data, and an authentication bypass in step-ca enabling unauthorized certificate issuance. Vendors have released patches in accordance with Cisco’s disclosure policy; administrators should apply updates promptly and obtain the latest Snort rule sets to detect exploitation attempts.

SonicWall Fixes Actively Exploited SMA 100 Vulnerability

⚠ SonicWall released patches addressing CVE-2025-40602 (CVSS 6.6), a local privilege escalation in the Secure Mobile Access (SMA) 100 Appliance Management Console caused by insufficient authorization. Affected firmware builds prior to 12.4.3-03245 and 12.5.0-02283 have updates available to remediate the issue. SonicWall said the flaw has been actively exploited and has been observed chained with CVE-2025-23006 to achieve unauthenticated remote code execution with root privileges; users should apply fixes immediately.

SonicWall alerts on SMA1000 zero-day used in attacks

⚠️ SonicWall warns of a medium-severity local privilege escalation in the SonicWall SMA1000 Appliance Management Console (CVE-2025-40602), reported by Google Threat Intelligence researchers Clément Lecigne and Zander Work. The vendor says this LPE was chained in active zero-day attacks with a critical pre-auth deserialization bug (CVE-2025-23006) to execute OS commands and escalate to root. Administrators should apply the vendor hotfix and firmware updates immediately.

Motors WordPress Theme Flaw Allows Site Takeover at Scale

🔓 A critical arbitrary file upload vulnerability in the Motors WordPress theme could let low-privileged, logged-in users install and activate plugins, enabling remote code execution and full site takeover. The flaw, tracked as CVE-2025-64374, affects versions 5.6.81 and earlier and was discovered by Denver Jackson of the Patchstack Alliance community. The issue stems from an AJAX handler that relies on a nonce for validation but lacks a proper permission check, allowing Subscriber-level users to supply arbitrary plugin URLs. The vendor released a fix in version 5.6.82 on 3 November; site owners should update immediately to mitigate the risk.