
All news in category “Security Advisory and Patch Watch”

1831 articles · page 61 of 92

Ashlar-Vellum Products: Out-of-Bounds Write & Heap Overflow

🔒 Ashlar-Vellum has released updates addressing two vulnerabilities—an Out-of-Bounds Write (CVE-2025-65084) and a Heap-based Buffer Overflow (CVE-2025-65085)—affecting Cobalt, Xenon, Argon, Lithium, and Cobalt Share up to version 12.6.1204.207. Both flaws could allow local attackers to disclose information or execute arbitrary code; vendor updates to 12.6.1204.208 or later are available. CISA assigns a CVSS v4 base score of 8.4, notes low attack complexity, and reports no known public exploitation; these issues are not remotely exploitable.

Rockwell Arena Stack-Based Buffer Overflow Patch Released

🔒 Rockwell Automation has released an update for Arena Simulation to address a stack-based buffer overflow (CWE-121) in the parsing of DOE files that could allow local attackers to execute arbitrary code. The issue, tracked as CVE-2025-11918 (CVSS v4 7.1), affects versions 16.20.10 and earlier and requires opening a malicious DOE file. Rockwell fixed the vulnerability in 16.20.11; users should upgrade or apply recommended mitigations to reduce exposure.

CISA Releases Seven Industrial Control Systems Advisories

🔔 CISA released seven new Industrial Control Systems advisories addressing vulnerabilities across multiple vendors and product families. The advisories cover Ashlar-Vellum, Rockwell Automation, Zenitel, Opto 22, Festo, SiRcom, and an update for Mitsubishi Electric FA engineering software. Administrators are urged to review technical details and apply recommended mitigations promptly.

Zenitel TCIV-3+ Multiple Remote Code Execution Flaws

⚠️ Zenitel has disclosed multiple high‑severity vulnerabilities in the TCIV-3+ intercom device, including three OS command injection flaws, an out‑of‑bounds write, and a reflected XSS. The issues (CVE-2025-64126 through CVE-2025-64130) carry high CVSS ratings — several are scored CVSS v4 10.0 — and can be exploited remotely with low complexity. Zenitel advises upgrading to version 9.3.3.0 or later; CISA recommends isolating devices, minimizing Internet exposure, and applying defensive controls until patches are deployed.

Festo Compact Vision and Controller Products: Critical Flaws

⚠️ Festo has disclosed two critical vulnerabilities affecting multiple Compact Vision System, control block, controller, and operator unit products, with CVSS ratings up to 9.8. One issue stems from an insecure default that allows remote, unauthenticated access if passwords are not enabled; the other permits an authenticated attacker to read or modify configuration files. Festo and CERT@VDE recommend enabling password protection, using online user management where applicable, and minimizing network exposure of affected devices.

Fluent Bit Bugs Could Enable Complete Cloud Takeover

⚠️ Fluent Bit, a widely deployed log-processing agent used across containers, Kubernetes DaemonSets, and major cloud platforms, contains multiple critical vulnerabilities that can enable authentication bypass, arbitrary file writes, and full agent takeover. Oligo Security, in cooperation with AWS, disclosed five severe flaws impacting in_forward authentication and the tag-handling logic, plus path traversal and buffer-overflow defects. The project has released patches in v4.1.1 and v4.0.12; operators should update and validate configurations immediately to prevent log tampering, telemetry rerouting, and potential remote code execution.

CISA: Active Spyware Campaigns Target Messaging Apps

🔐 CISA warns that threat actors are actively using commercial spyware and remote-access trojans to target users of mobile messaging apps, combining technical exploits with tailored social engineering to gain unauthorized access. Recent campaigns include abuse of Signal's linked-device feature, Android spyware families ProSpy, ToSpy and ClayRat, a chained iOS/WhatsApp exploit (CVE-2025-43300, CVE-2025-55177) targeting a small number of users, and a Samsung flaw (CVE-2025-21042) used to deliver LANDFALL. CISA urges high-value individuals and organizations to adopt layered defenses: E2EE, FIDO phishing-resistant MFA instead of SMS, password managers, device updates, platform hardening (Lockdown Mode, iCloud Private Relay, app-permission audits, Google Play Protect), and to prefer modern hardware from vendors with strong security records.

Fluent Bit Vulnerabilities Threaten Cloud and Kubernetes

⚠️ Researchers disclosed five vulnerabilities in Fluent Bit, the open-source telemetry agent, that can be chained to bypass authentication, write or overwrite files, execute code, corrupt logs, and cause denial-of-service conditions. CERT/CC noted many issues require network access, and fixes were released in Fluent Bit 4.1.1 and 4.0.12 with AWS participating in coordinated disclosure. Operators are urged to update immediately and apply mitigations such as avoiding dynamic tags, mounting configs read-only, and running the agent as a non-root user.

Critical Fluent Bit Vulnerabilities Expose Telemetry Risk

⚠️ Fluent Bit, a widely deployed telemetry agent, has multiple critical vulnerabilities disclosed by Oligo Security affecting inputs, tag processing and output handling. Patches are available in Fluent Bit v4.1.1 and v4.0.12 released in early October 2025; older releases remain at risk. Operators are advised to update immediately, avoid dynamic tags, lock down output file parameters, run with least privilege and mount configuration directories read-only to reduce exposure.

Commercial Spyware Targets Mobile Messaging Users Worldwide

📱 CISA warns that multiple cyber threat actors are actively using commercial spyware to target users of mobile messaging applications. These actors employ phishing, malicious device-linking QR codes, zero-click exploits, and impersonation of platforms such as Signal and WhatsApp to gain unauthorized access and deploy additional malicious payloads. CISA urges users to review updated mobile communications guidance and mitigations to reduce spyware risk.

Pre-auth RCE in Oracle Identity Manager Forces Patching

⚠️ The Cybersecurity and Infrastructure Security Agency (CISA) added a critical pre-authenticated remote code execution flaw in Oracle Identity Manager (CVE-2025-61757) to its Known Exploited Vulnerabilities catalog after active exploitation was observed. Searchlight Cyber reported that a flawed authentication filter combined with matrix/query parameters lets attackers bypass auth and reach a Groovy compile endpoint, enabling RCE through compile-time annotation processing. Oracle fixed the issue in its October 2025 Critical Patch Update; federal agencies must remediate by December 12, 2025.

CISA Adds Critical Oracle Identity Manager RCE to KEV

🔴 Oracle Identity Manager is affected by a critical unauthenticated remote code execution flaw, CVE-2025-61757, impacting versions 12.2.1.4.0 and 14.1.2.1.0. Disclosed by Searchlight Cyber on 20 November and reported by Oracle on 21 November, the bug was added to the CISA KEV catalog the same day. The issue resides in the REST WebServices component and carries a CVSS score of 9.8, enabling HTTP access to execute arbitrary code and potentially allowing full takeover. CISA urges immediate patching or isolation of affected services from the public internet.

Windows 11 24H2 Bug Crashes Explorer and Start Menu

⚠️ Microsoft confirmed a Windows 11, version 24H2 bug in cumulative updates released since July 2025 that causes XAML dependency packages not to register in time, leading Explorer, StartMenuExperienceHost, ShellHost.exe and other shell components to crash or fail to initialize. Microsoft provided three PowerShell Add-AppxPackage commands as a temporary workaround and says a restart is required after running them. Organizations using non-persistent VDI should run a logon script to provision the packages before Explorer launches; a permanent fix is in development with no timeline.

ShadowPad Delivered via WSUS Exploits CVE-2025-59287

🛡️ A recently patched WSUS deserialization flaw, CVE-2025-59287, has been weaponized to install the ShadowPad backdoor on Windows servers. AhnLab's ASEC reports attackers used PowerCat to spawn a CMD shell and then leveraged certutil and curl to retrieve payloads from 149.28.78.189:42306. ShadowPad was deployed via DLL side-loading of ETDApix.dll by ETDCtrlHelper.exe and runs as an in-memory loader with plugin support, anti-detection, and persistence.

CISA Adds Oracle Identity Manager Flaw to KEV List

⚠️ CISA has added CVE-2025-61757 to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation targeting Oracle Identity Manager. The flaw, a missing-authentication issue with a CVSS score of 9.8, affects versions 12.2.1.4.0 and 14.1.2.1.0 and was addressed in Oracle's recent quarterly updates. Searchlight Cyber researchers demonstrated that an allow-list bypass using URI tricks such as ?WSDL or ;.wadl can expose protected API endpoints and enable pre-authenticated remote code execution via the groovyscriptstatus endpoint. Federal civilian agencies must apply the patch by December 12, 2025.

CISA Warns: Oracle Identity Manager RCE Actively Exploited

🚨 CISA has added CVE-2025-61757, a pre-authentication remote code execution vulnerability in Oracle Identity Manager, to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by December 12 under BOD 22-01. The flaw, disclosed by Searchlight Cyber, abuses an authentication bypass in REST APIs by appending parameters such as ?WSDL or ;.wadl to URL paths, exposing a Groovy compilation endpoint. Researchers showed that Groovy's annotation-processing can execute code at compile time, enabling pre-auth RCE. Oracle released a fix on October 21, 2025; CISA warned the issue is being actively exploited.

Nvidia issues hotfix driver for Windows October update

🔧 Nvidia released the GeForce Hotfix Display Driver 581.94 to address gaming performance regressions reported after the October 2025 Windows update (KB5066835 [5561605]) affecting Windows 11 24H2 and 25H2 systems. The company notes this is a beta hotfix with an abbreviated QA cycle and is provided as-is to deliver targeted fixes more quickly. The driver is available from Nvidia Customer Care for Windows 10 x64 and Windows 11 x64 PCs.

Microsoft fixes Windows 11 hotpatch reinstall loop

🔁 Microsoft released the KB5072753 out-of-band cumulative update to resolve a known issue that caused the November 2025 hotpatch KB5068966 to repeatedly reinstall on Windows 11, version 25H2 systems. The update is rolling out via Windows Update and supersedes earlier hotpatches, so administrators should deploy KB5072753 instead of KB5068966 if they have not yet applied the November update. Microsoft said the reinstall behavior did not affect system functionality and was mainly noticeable in update-history timestamps.

Grafana warns of critical admin-spoofing flaw in Enterprise

⚠️ Grafana Labs has disclosed a maximum-severity vulnerability (CVE-2025-41115) in Grafana Enterprise that can allow new SCIM-provisioned users to be treated as administrators or used for privilege escalation. The flaw is only exploitable when SCIM provisioning is enabled and both the 'enableSCIM' feature flag and 'user_sync_enabled' option are true, because numeric SCIM externalId values were mapped directly to internal user.uid values. Affected self-managed Enterprise releases include 12.0.0 through 12.2.1; administrators should upgrade to a patched release (12.3.0, 12.2.1, 12.1.3, or 12.0.6) or disable SCIM. Grafana Cloud and managed services have already received patches.

Grafana fixes critical SCIM flaw enabling user impersonation

🔒 Grafana has released security updates to address a maximum-severity flaw (CVE-2025-41115) in its SCIM provisioning component that can enable user impersonation or privilege escalation under specific configurations. The issue allows a malicious or compromised SCIM client to provision a user with a numeric externalId that may be mapped to an internal user ID. It affects Grafana Enterprise 12.0.0–12.2.1 and was fixed in 12.0.6+security-01, 12.1.3+security-01, 12.2.1+security-01 and 12.3.0. Grafana discovered the bug during an audit on November 4, 2025 and urges immediate patching.