
All news in category “Security Advisory and Patch Watch”

1831 articles · page 54 of 92

Microsoft December Updates Break Message Queuing Functionality

⚠️ Microsoft has confirmed that its December 2025 security updates are breaking Message Queuing (MSMQ) on affected systems. Machines with KB5071546, KB5071544, or KB5071543 installed — including Windows 10 22H2, Windows Server 2019, and Windows Server 2016 — can experience inactive queues, IIS sites failing with 'insufficient resources', and applications unable to write to queues. Microsoft attributes the failures to security model and NTFS permission changes that require MSMQ users to have write access to C:\Windows\System32\MSMQ\storage; a timeline for a fix has not been provided.

CISA Adds Actively Exploited Sierra Wireless Issue

⚠️ CISA has added a high-severity Sierra Wireless AirLink vulnerability, CVE-2018-4063, to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation. The flaw in the ACEManager upload.cgi function permits unrestricted file uploads that can lead to remote code execution, and ACEManager runs with root privileges. Federal agencies are advised to update affected devices to supported versions or discontinue use by January 2, 2026.

Apple Issues Security Updates for Two WebKit Zero-Days

🔒 Apple released security updates across iOS, iPadOS, macOS, tvOS, watchOS, visionOS and Safari to address two WebKit vulnerabilities—CVE-2025-43529 and CVE-2025-14174—that have been exploited in the wild. One of the flaws was patched in Chrome earlier this week, and Apple credits Google TAG and its own SEAR team with discovery and reporting. The issues can lead to arbitrary code execution or memory corruption when processing malicious web content. Users and administrators should apply the listed OS and Safari updates immediately to mitigate active exploitation.

Apple patches two WebKit zero-days used in targeted attacks

🔒 Apple released emergency updates to patch two zero-day WebKit vulnerabilities — CVE-2025-43529 (use-after-free) and CVE-2025-14174 (memory corruption) — that were exploited in an 'extremely sophisticated' attack against targeted individuals. Both bugs affect devices running WebKit on iPhone and iPad and were discovered by Google’s Threat Analysis Group and Apple. Apple fixed the issues across iOS, iPadOS, macOS, tvOS, watchOS, visionOS and Safari and urges users to install updates promptly.

Gladinet hardcoded keys enable remote code execution

🔒 Huntress warns attackers are exploiting hardcoded AES keys in Gladinet file‑sharing products CentreStack and Triofox, allowing decryption and forging of access tickets. Because the server uses a static GenerateSecKey() output — identical AES key and IV strings — adversaries can retrieve sensitive files like web.config, extract the ASP.NET machine key, and craft trusted ViewState payloads to achieve remote code execution. Gladinet released fixes on December 8 (build 16.12.10420.56791); Huntress advises immediate patching or temporary replacement of machine keys and notes active exploitation across customer environments.

React2Shell RCE exploited widely: GTIG findings Dec 2025

⚠️ GTIG reports active, widespread exploitation of a critical unauthenticated RCE in React Server Components (CVE-2025-55182, “React2Shell”) disclosed on Dec. 3, 2025. Attackers ranging from opportunistic cryptominers to suspected China-nexus espionage clusters have delivered payloads including MINOCAT, SNOWLIGHT, HISONIC, COMPOOD, and XMRig miners. Exploits target vulnerable react-server-dom-* package versions and commonly use simple HTTP fetch-and-execute chains to establish persistence via cron, systemd, and shell profile modifications. Organizations are advised to patch immediately, deploy WAF rules, audit dependencies, and hunt for the supplied IOCs and YARA signatures.

CISA Adds One Vulnerability to Known Exploited Catalog

🔒 CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The listed issue, CVE-2018-4063, affects Sierra Wireless AirLink ALEOS and involves an unrestricted upload of files with dangerous types, a common attack vector. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by prescribed deadlines, and CISA urges all organizations to prioritize timely remediation to reduce exposure.

CISA Adds Chromium Out-of-Bounds Vulnerability to KEV

⚠️ CISA added CVE-2025-14174, a Google Chromium out-of-bounds memory access vulnerability, to the Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of flaw frequently enables memory corruption and can lead to code execution or information disclosure, posing significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by required due dates; CISA urges all organizations to prioritize timely remediation as part of their vulnerability management.

New Windows RasMan zero-day gets free unofficial patches

🔒 ACROS Security's 0Patch team has published free, unofficial micropatches for a newly discovered Windows RasMan zero-day that can crash the Remote Access Connection Manager (RasMan) service. The defect, found while investigating CVE-2025-59230, triggers a null-pointer read when RasMan mishandles circular linked lists and can be combined with an elevation-of-privilege bug to enable code execution. 0Patch provides an agent that applies the micropatch automatically across affected Windows versions until Microsoft issues an official fix, typically without requiring a restart.

CISA Orders Federal Patch for Exploited GeoServer XXE

⚠️ CISA has ordered U.S. federal agencies to patch an unauthenticated XML External Entity (XXE) vulnerability in GeoServer tracked as CVE-2025-58360, affecting GeoServer 2.26.1 and earlier and reachable via the /geoserver/wms GetMap XML input. The flaw allows attackers to retrieve arbitrary files, enable SSRF, or cause DoS and is being actively exploited. Agencies must remediate by Jan 1, 2026; CISA urges all network defenders to prioritize patching immediately.

React fixes RSC DoS and code-leak flaws in server components

⚠️ The React team released patches for three vulnerabilities affecting React Server Components that could enable pre-authentication denial-of-service and disclosure of Server Function source code. Two high-severity DoS issues arise from unsafe deserialization and an incomplete remediation, while a lower-severity information-leak bug can return function source when arguments are stringified. The flaws impact react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack across multiple 19.x releases. Users are urged to upgrade to 19.0.3, 19.1.4, or 19.2.3 immediately, especially given active exploitation of a related critical bug.

React2Shell Zero-Day Sparks Global Exploitation Surge

⚠️ The critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) enables remote, unauthenticated code execution via unsafe deserialization in the React Server Components Flight protocol. Since disclosure on December 3, 2025, multiple actors have exploited it to deliver miners, botnets, and other malware, targeting Next.js and containerized cloud workloads. CISA has accelerated mitigation deadlines and is urging agencies to patch by December 12, 2025; defenders should apply vendor fixes, enable WAF protections, and review logs for indicators of compromise.

CISA Adds GeoServer XXE Flaw to Known Exploited List

🛡️ CISA added a high‑severity XML External Entity (XXE) flaw, CVE-2025-58360 (CVSS 8.2), affecting OSGeo GeoServer to its Known Exploited Vulnerabilities catalog after evidence of in‑the‑wild exploitation. The unauthenticated vulnerability impacts releases up to and including 2.25.5 and versions 2.26.0–2.26.1 and was reported by the AI platform XBOW. GeoServer has published patches (2.25.6, 2.26.2, 2.27.0, 2.28.0, 2.28.1); operators should upgrade or apply vendor mitigations and review the /geoserver/wms GetMap endpoint and XML processing to mitigate XXE, SSRF, and DoS risks.

Attackers Exploit Gladinet CentreStack AES Key Flaw

🔐 Hackers are exploiting an undocumented cryptographic flaw in Gladinet's CentreStack and Triofox products that exposes hardcoded AES keys and enables remote code execution. Huntress researchers found static 100-byte strings in GladCtrl64.dll that produce identical encryption keys and IVs across installations, allowing attackers to decrypt or forge access tickets. Attackers have used this to retrieve web.config and abuse the machineKey with a ViewState deserialization flaw for RCE. Gladinet released patches and IoCs; customers should upgrade immediately and rotate machine keys.

Notepad++ 8.8.9 fixes updater flaw allowing malicious files

🛡️ Notepad++ released version 8.8.9 to address a weakness in its WinGUp updater after reports that the updater retrieved and executed malicious binaries instead of legitimate update packages. The issue surfaced in community forums where a spawned %Temp%\AutoUpdater.exe executed reconnaissance commands and exfiltrated data to a public paste service. Version 8.8.9 now enforces code-signature verification for downloaded installers and aborts updates that fail signature checks.

Malicious VSCode Marketplace Extensions Hid Trojan Campaign

🔍 ReversingLabs discovered a stealthy campaign of 19 malicious VSCode Marketplace extensions that bundled dependencies to run a trojan hidden inside a faux PNG file. The packages included modified 'path-is-absolute' or '@actions/io' modules which auto-execute code via an added class in index.js, decoding an obfuscated JavaScript dropper stored in a file named 'lock'. A fake 'banner.png' archive contained two payloads — a living-off-the-land binary 'cmstp.exe' and a Rust-based trojan — and Microsoft removed the extensions after being notified.

SAML Authentication Under New XML Parsing Flaws Exposed

🔓 Researchers revealed new XML-parsing exploits that severely weaken SAML-based SSO, demonstrating full authentication bypass against popular Ruby and PHP SAML libraries. PortSwigger researcher Zak Fedotkin presented these techniques at Black Hat Europe and published an open-source toolkit to identify and reproduce affected deployments. The work highlights attack vectors such as attribute pollution, namespace confusion, and a new class of void canonicalization that can circumvent XML signature validation. While fixes (including updates to Ruby-SAML) have been released, Fedotkin warns that only a foundational rework of SAML libraries will eliminate these systemic weaknesses.

Battering RAM: DDR4 Interposer Breaks CPU Enclaves

🔓 Researchers at KU Leuven built a $50 DDR4 interposer that subverts confidential computing protections such as Intel SGX and AMD SEV, demonstrated at Black Hat Europe. The runtime attack, called Battering RAM, manipulates memory address mapping to gain arbitrary plaintext read/write and extract SGX provisioning keys, circumventing recent boot-time mitigations. The team warns that compromised memory modules in the supply chain could enable persistent backdoors on vulnerable cloud VMs.

React2Shell and RSC Vulnerabilities: Rapid Exploitation

🚨 Cloudflare's Cloudforce One team observed rapid scanning and exploitation attempts immediately after the public disclosure of React2Shell (CVE-2025-55182) on 2025-12-03. Attackers quickly integrated the unauthenticated RCE into automated reconnaissance using public asset discovery, Nuclei templates, and custom scanners to find exposed React Server Components. Cloudflare deployed Free and Paid WAF rules (default Block) and Worker-level protections while urging immediate patching. Telemetry showed millions of hits, diverse User-Agent fingerprints, and broad payload experimentation.

Unpatched Gogs zero-day RCE exploited across servers

⚠️ An unpatched zero-day in Gogs enables remote code execution on Internet-facing instances by exploiting a path traversal weakness in the PutContents API (CVE-2025-8110). Attackers abuse symbolic links to overwrite files outside repositories and modify Git configuration values such as sshCommand, forcing arbitrary command execution. Researchers found over 1,400 exposed servers and more than 700 with compromise indicators. Administrators should disable open registration and restrict access immediately.