CISO Brief
Security Advisory and Patch Watch

All news in category “Security Advisory and Patch Watch”

1831 articles · page 53 of 92

Microsoft advises admins to contact support over MSMQ bug

⚠ Microsoft has asked enterprise customers to contact support for guidance after a Message Queuing (MSMQ) change in the December 2025 updates caused applications and IIS sites to fail. The bug affects Windows 10 22H2, Windows Server 2019, and Windows Server 2016 systems with KB5071546, KB5071544, or KB5071543 installed: the update alters the NTFS permissions on C:\Windows\System32\MSMQ\storage, a directory MSMQ requires write access to, which leads to resource errors. Microsoft is investigating and advising businesses to seek tailored mitigations or consider rolling back the updates.

CISA Adds Three CVEs to Known Exploited Vulnerabilities

🔔 CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The entries are CVE-2025-20393 (Cisco multiple products, improper input validation), CVE-2025-40602 (SonicWall SMA1000, missing authorization), and CVE-2025-59374 (ASUS Live Update, embedded malicious code). These flaws are frequent attack vectors that pose significant risks to federal and nonfederal organizations. Agencies covered by BOD 22-01 must remediate by the required due dates; CISA urges all organizations to prioritize mitigation.

JumpCloud Remote Assist flaw allows local SYSTEM takeover

⚠️ The JumpCloud Remote Assist for Windows agent contains a critical local privilege escalation vulnerability (CVE-2025-34352) that can be exploited during uninstall or update flows. The uninstaller runs with NT AUTHORITY\SYSTEM and performs file operations in a user-writable %TEMP% subdirectory without validating or securing the path. Attackers with a local foothold can abuse link-following techniques (mount points and symlinks) to overwrite or delete protected files, yielding full system compromise or denial-of-service. Systems running Remote Assist before version 0.317.0 should be updated immediately.

FortiGate SSO Vulnerabilities Lead to Credential Theft

🔒 Security researchers and incident response teams warn that threat actors are rapidly exploiting newly disclosed authentication bypass vulnerabilities in Fortinet's FortiOS that affect FortiGate, FortiWeb, FortiProxy and FortiSwitchManager devices. Arctic Wolf reported seeing tens of intrusions since December 12, 2025, and advises that hashed credentials in exfiltrated configurations should be presumed compromised and rotated immediately. CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities list and Fortinet has released patches; administrators are urged to disable FortiCloud SSO until devices are upgraded and to follow Fortinet's hardening guidance.

JumpCloud Windows Agent Flaw Enables SYSTEM Escalation

⚠️ Security researchers have identified a critical vulnerability (CVE-2025-34352) in the JumpCloud Remote Assist Windows agent that allows low-privileged local users to escalate to NT AUTHORITY\SYSTEM or trigger denial-of-service during uninstallation. The root cause is unsafe file operations in user-writable directories (notably %TEMP%), enabling link-following attacks that redirect privileged actions. XM Cyber reported the issue and JumpCloud has released version 0.317.0 to address it; administrators should update affected endpoints immediately.

Hackers Exploit Fortinet FortiCloud SSO Auth Bypass

🔒 Researchers report active exploitation of two critical FortiCloud SSO authentication bypasses (CVE-2025-59718, CVE-2025-59719) that can grant unauthenticated admin access to multiple Fortinet products. The flaws stem from improper verification of SAML cryptographic signatures, enabling forged assertions to bypass login controls. Attacks observed from December 12 targeted admin accounts and led to exfiltration of system configuration files. Administrators should disable FortiCloud SSO if unable to upgrade and apply vendor patches immediately.

Airbus A320 Software Rollback After Flight Control Fault

✈️ Airbus announced a software rollback after an A320 experienced an unexpected nose-down maneuver on October 30, 2025, an event that sent multiple passengers to hospital and grounded aircraft for inspection. Airbus said intense solar radiation may have corrupted data critical to flight controls, but operators were able to mitigate many cases by reverting the ELAC software from L104 to L103. The episode spotlights SDLC failings, notably in test engineering, CI/CD, observability and supply-chain integration, rather than merely cosmic rays.

CISA Adds Fortinet CVE to Known Exploited Vulnerabilities

🔔 CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The vulnerability is described as an improper verification of cryptographic signature affecting multiple Fortinet products and represents a high-risk attack vector. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by mandated due dates. CISA strongly urges all organizations to prioritize timely remediation and apply vendor fixes or mitigations promptly.

Güralp Web Interface DoS Vulnerability (CVE-2025-14466)

⚠️ A vulnerability in the web interface of Güralp Systems Fortimus, Minimus, and Certimus Series (CVE-2025-14466) allows an unauthenticated network attacker to send specially crafted HTTP requests that cause the web service process to restart. The restart produces a brief denial-of-service condition with a CVSS v3.1 base score of 5.3 (Medium). Güralp recommends operating affected systems behind a NAT or VPN firewall and contacting the vendor for further guidance. CISA advises minimizing network exposure, isolating control networks, and using secure, up-to-date remote access methods.

CISA Releases Seven ICS Advisories on Multiple Products

🛡️ CISA has published seven new Industrial Control Systems advisories detailing vulnerabilities and guidance for affected products. The advisories cover Güralp Systems, Johnson Controls, Hitachi Energy, Mitsubishi Electric, and Fuji Electric, including updates to previously released notices. Administrators are urged to review technical details, apply vendor mitigations, and implement compensating controls to reduce operational risk.

Hitachi Energy RADIUS MD5 Vulnerability (CVE-2024-3596)

⚠️ A critical vulnerability (CVE-2024-3596, CVSS 9.0) in Hitachi Energy AFS/AFR/AFF series RADIUS implementations allows a local attacker to forge valid RADIUS responses by exploiting an MD5 chosen-prefix collision against the response authenticator. Successful exploitation can compromise product data integrity and disrupt availability. Hitachi Energy recommends immediately enabling the RADIUS message authenticator option; vendor-specific CLI commands and MIB objects vary by product family.

Johnson Controls PowerG Vulnerabilities and Mitigations

🔒 CISA warns that multiple vulnerabilities in Johnson Controls PowerG implementations could let attackers read, modify, or replay encrypted wireless traffic. Affected devices include IQPanel 4, legacy IQPanel 2/2+, and IQHub; the referenced CVEs are CVE-2025-61738, CVE-2025-61739, CVE-2025-26379, and CVE-2025-61740. Vendor fixes (IQPanel 4.6.1, PowerG v53.05+) and secure enrollment practices are recommended, and end-of-life hardware should be replaced.

Mitsubishi GT Designer3 Cleartext Credential Exposure

🔒 Mitsubishi Electric's GT Designer3 (Version1 for GOT2000 and GOT1000) stores project credentials in cleartext (CVE-2025-11009), allowing an attacker with access to a project file to recover plaintext credentials and illegitimately operate affected GOT devices. The issue is classified as Cleartext Storage of Sensitive Information (CWE-312) and has a CVSS v3.1 base score of 5.1 (Medium). Mitsubishi recommends limiting use to trusted LANs, blocking remote logins, using firewalls, VPNs, and antivirus, and avoiding untrusted files or links; CISA advises isolating control networks and minimizing internet exposure.

Active Attacks Exploit Fortinet FortiGate SSO Flaws

🔒 Arctic Wolf observed active intrusions on December 12, 2025 exploiting two critical Fortinet authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719). The flaws, both scored 9.8, permit unauthenticated bypass of SSO login via crafted SAML messages when FortiCloud SSO is enabled; Fortinet published patches for FortiOS, FortiWeb, FortiProxy and FortiSwitchManager last week. Attackers used hosting IPs tied to providers such as The Constant Company LLC, BL Networks and Kaopu Cloud HK Limited to log in as "admin" and export device configurations. Organizations should apply updates immediately, disable FortiCloud SSO until systems are patched, restrict management access, and assume compromise if IoCs are present.

React2Shell Exploits Deliver Backdoors, Credential Theft

🔒 Researchers warn that the React2Shell flaw (CVE-2025-55182) is being actively exploited to deploy sophisticated Linux backdoors and harvest credentials. Palo Alto Networks Unit 42 and NTT Security report active use of KSwapDoor and ZnDoor, which provide interactive shells, file operations, lateral scanning, and stealthy mesh networking. Attackers are also abusing Cloudflare Tunnels and secret-scraping tools to extract cloud and AI tokens. Organizations should prioritize discovery, credential rotation, and removal of dropped backdoors and follow vendor mitigations immediately.

Defending Against CVE-2025-55182 (React2Shell) RCE Threat

🔒 Microsoft Defender researchers describe CVE-2025-55182 (React2Shell), a critical pre-authentication remote code execution vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, a single crafted HTTP POST can result in server-side deserialization of attacker-controlled payloads and arbitrary code execution without authentication. Exploitation was observed beginning December 5, 2025, with attackers delivering coin miners, RATs, and other payloads across Windows and Linux environments. Microsoft urges immediate patching to published fixes, enabling Defender telemetry, and applying Azure WAF rules as compensating controls while broader detection coverage is deployed.

Recent Windows Updates Disrupt VPN Access for WSL Enterprise

🔧 Microsoft warns that recent Windows 11 updates, starting with the KB5067036 October 28, 2025 non-security update and including later releases such as KB5072033, can break VPN networking for enterprise users running WSL with mirrored mode enabled. Affected users report "No route to host" errors inside WSL because some third-party VPN virtual interfaces (for example OpenVPN and Cisco Secure Client) do not respond to ARP requests and so fail to resolve IP-to-MAC mappings. Microsoft is investigating the issue but has not provided a workaround or ETA for a fix.

FreePBX Fixes Critical SQLi, Upload, AUTH Bypass Flaws

🔒 FreePBX has released patches addressing several high-severity vulnerabilities, including an authentication bypass that may be triggered when the legacy AUTHTYPE is set to webserver. Horizon3.ai reported authenticated SQL injection flaws and an arbitrary file upload that can be used to deploy a PHP web shell and achieve remote code execution. Administrators should apply the provided updates, ensure Authorization Type is set to usermanager, remove the legacy AUTHTYPE option from Advanced Settings, rotate credentials, and perform forensic checks if the legacy settings were enabled.

CISA Adds Two Vulnerabilities to KEV Catalog After Evidence

⚠️ CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The entries are CVE-2025-14611 (Gladinet CentreStack and Triofox hard coded cryptographic vulnerability) and CVE-2025-43529 (Apple multiple products use-after-free in WebKit). BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate listed KEV items by the specified due dates, and CISA strongly urges all organizations to prioritize timely remediation.

CISA Orders Immediate Patching for Critical GeoServer XXE

🚨 CISA has ordered federal agencies to immediately patch GeoServer to address a critical unauthenticated XML External Entity (XXE) flaw, tracked as CVE-2025-58360. The vulnerability (CVSS 9.8) enables attackers to retrieve arbitrary files, trigger SSRF, or cause denial-of-service against affected GeoServer instances. Exploit code has circulated since late November and CISA added the issue to its Known Exploited Vulnerabilities catalog, urging remediation before December 26, 2025.