< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2061 articles · page 62 of 104

MongoDB zlib Flaw Lets Unauthenticated Clients Read Heap

🔒 A high-severity vulnerability in MongoDB can allow unauthenticated clients to read uninitialized heap memory by exploiting mismatched length fields in zlib-compressed protocol headers. Tracked as CVE-2025-14847 with a CVSS score of 8.7, the flaw stems from improper handling of inconsistent length parameters. It affects a broad set of releases from 3.6 through 8.2, and MongoDB has published fixes (including 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 and 4.4.30); administrators unable to upgrade immediately are advised to disable zlib compression or restrict compressors to snappy or zstd.
read more →

High-severity MongoDB zlib flaw risks memory leakage

⚠ MongoDB has issued an urgent advisory for CVE-2025-14847 after researchers identified a high-severity bug in zlib-compressed protocol headers that can cause mismatched length fields. The flaw allows unauthenticated attackers to read uninitialized heap memory and could be chained to execute arbitrary code and gain control of a server. MongoDB recommends immediate upgrades to patched releases and, if unable to update, disabling zlib compression as a temporary mitigation.
read more →

Critical LangChain Core Vulnerability Allows Secret Theft

⚠️ A critical serialization injection flaw in LangChain Core (CVE-2025-68664, CVSS 9.3) can let attackers inject object structures via unescaped 'lc' keys and steal secrets or influence LLM outputs through prompt injection. Reported by Yarden Porat on December 4, 2025 and dubbed LangGrinch, the bug affects dumps()/dumpd() and improper deserialization paths. LangChain released patches that add an allowed_objects allowlist, disable Jinja2 templates by default, and set secrets_from_env to false; users should upgrade immediately.
read more →

Fortinet: Active Exploitation of SSL VPN Auth Bypass

⚠️ Fortinet warned on December 24, 2025 that attackers are actively abusing a five‑year‑old FortiOS SSL VPN flaw, CVE-2020-12812 (CVSS 5.2), to bypass two‑factor authentication under specific configurations. The issue stems from inconsistent case sensitivity between FortiGate local users and LDAP directories: if a username's case does not exactly match the local entry, FortiGate may fall back to LDAP and accept credentials without 2FA. Fortinet reiterated prior patches and published configuration mitigations and commands to disable username case sensitivity, and advised customers to contact support and reset credentials if unauthorized 2FA bypass is detected.
read more →

CISA Flags Exploited Digiever NVR Flaw; Urges Mitigation

⚠️ CISA has added a vulnerability affecting Digiever DS-2105 Pro network video recorders to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. Tracked as CVE-2023-52163 (CVSS 8.8), the issue is a post-authentication command injection via time_tzsetup.cgi that can enable remote code execution. The device is end-of-life and unpatched; vendors and researchers note attacks delivering botnets like Mirai and ShadowV2. Users are advised to avoid exposing affected NVRs to the internet, change default credentials, apply compensating controls, and follow agency guidance ahead of the January 12, 2025 FCEB mitigation deadline.
read more →

MacSync macOS Stealer Uses Signed, Notarized Swift Installer

🛡️ Researchers have uncovered a new macOS information stealer, MacSync, delivered as a code-signed and notarized Swift installer masquerading as a messaging app. The signed DMG bypasses Gatekeeper and XProtect, and the installer prompts users to right-click to run — a common social-engineering tactic. Apple has revoked the signing certificate. The dropper enforces rate limits, removes quarantine attributes, and downloads a Base64-encoded payload that resolves to the rebranded Mac.c/MacSync strain.
read more →

MongoDB urges immediate patch for high-severity zlib flaw

⚠️ MongoDB warns administrators to immediately patch a high-severity memory-read vulnerability (CVE-2025-14847) in the Server's zlib implementation that may return uninitialized heap memory to unauthenticated remote actors. The issue can be exploited in low-complexity, no-interaction attacks. MongoDB strongly recommends upgrading to a fixed release right away; if you cannot, disable zlib compression by omitting it from networkMessageCompressors or net.compression.compressors when starting mongod or mongos.
read more →

MongoDB warns admins to patch critical RCE bug immediately

🔔 MongoDB warned IT administrators to immediately apply fixes for a high-severity remote code execution vulnerability tracked as CVE-2025-14847. The flaw is caused by improper handling of a zlib compressed protocol header length, enabling unauthenticated attackers to execute arbitrary code in low-complexity attacks. MongoDB lists numerous affected releases and recommends upgrading to fixed versions such as 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. If an immediate upgrade is not possible, administrators should disable zlib compression by starting mongod or mongos with networkMessageCompressors or net.compression.compressors options that omit zlib.
read more →

Observed Abuse of FG-IR-19-283: LDAP Username Case Issue

🔐 Fortinet has observed active abuse of FG-IR-19-283 (CVE-2020-12812) in environments where FortiGate and LDAP username case handling differ. In these configurations, a username entered with any case variation that does not exactly match the local FortiGate entry can bypass local 2FA and instead authenticate via an LDAP group fallback. Administrators should enable the appropriate username sensitivity setting or remove unnecessary secondary LDAP groups to block this bypass.
read more →

CISA Issues Mitsubishi Electric ICS Advisory Update

⚠️ CISA has published an updated Industrial Control Systems advisory, ICSA-25-177-01 (Update B), addressing multiple vulnerabilities affecting Mitsubishi Electric air conditioning systems and associated operational components. The advisory outlines technical findings, potential impacts to building automation and HVAC control networks, and prioritized mitigation steps. Administrators and operators should review the guidance promptly, apply vendor updates where available, and implement network segmentation and enhanced monitoring to reduce risk.
read more →

Critical n8n RCE Flaw (CVE-2025-68613) Requires Patch

🔴 A critical vulnerability in the n8n workflow automation platform (CVE-2025-68613, CVSS 9.9) allows expressions supplied by authenticated users to be evaluated in an execution context that is not sufficiently isolated from the runtime. An attacker able to create or edit workflows could abuse this behavior to execute arbitrary code with the privileges of the n8n process, risking full instance compromise, data exposure, and workflow tampering. The flaw affects versions from 0.211.0 up to, but not including, 1.120.4 and has been patched in 1.120.4, 1.121.1, and 1.122.0; apply these updates or restrict workflow editing and harden deployments.
read more →

Microsoft Finally Deprecates RC4 in Windows After 26 Years

🔒 Microsoft is deprecating the legacy RC4 cipher in Windows, ending a 26-year presence that left servers accepting RC4-based authentication responses by default. The company cited RC4’s vulnerability to Kerberoasting, an attack class linked to last year’s breach at Ascension that disrupted hospital operations and exposed millions of medical records. Security and regulatory scrutiny, including calls from Senator Ron Wyden, helped force the change.
read more →

CISA Adds One KEV: CVE-2023-52163 for Digiever DS-2105

⚠️ CISA has added CVE-2023-52163 — a missing authorization flaw in Digiever DS-2105 Pro — to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate cataloged vulnerabilities by specified due dates, and CISA emphasizes this entry represents a common and significant attack vector. While the binding directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation and incorporate this KEV into their vulnerability management processes.
read more →

ASUS Live Update CVE-2025-59374: Historical, Not New

📌 The CVE-2025-59374 record documents the 2018–2019 ShadowHammer supply‑chain compromise of ASUS Live Update, a client that reached End‑of‑Support in October 2021. The entry, now rated 9.3, formalizes a historical incident and does not indicate current active exploitation for supported devices. Security teams should verify systems are running the latest supported software but avoid treating the KEV listing as an immediate, new threat.
read more →

CISA Flags ASUS Live Update CVE, But Attack Is Years Old

🛡️ CISA's addition of CVE-2025-59374 to the KEV catalog documents a historical ASUS Live Update supply‑chain compromise rather than a new, active campaign. The CVE formalizes the 2018–2019 'ShadowHammer' incident in which maliciously modified Live Update binaries were selectively delivered to targeted systems, and the client reached End‑of‑Support in October 2021. ASUS's December 2025 FAQ appears to be a documentation update clarifying upgrade paths to the last Live Update release (3.6.15), and CISA emphasized that KEV inclusion does not necessarily indicate ongoing exploitation. Security teams should apply context‑aware triage and ensure supported software is up to date.
read more →

Revisiting CVE-2025-50165: Windows Imaging Component Flaw

🛡️ ESET researchers re-examine CVE-2025-50165, a critical Windows Imaging Component vulnerability that can lead to remote code execution when a specially crafted JPG is re-encoded. Their analysis identifies uninitialized precision-specific function pointers in WindowsCodecs.dll (libjpeg-turbo based) as the root cause and reproduces the crash with 12‑ and 16‑bit JPEG samples. ESET concludes exploitation is technically challenging and unlikely in the wild, requiring re-encoding, an address leak and heap manipulation; patches in updated builds initialize and validate these pointers.
read more →

RCE Flaw Exposes Over 115,000 WatchGuard Firewalls

⚠️WatchGuard released patches for a critical remote code execution vulnerability, CVE-2025-14733, affecting Firebox devices running Fireware OS 11.x, 12.x and 2025.1 up to 2025.1.3. The flaw permits unauthenticated attackers to execute arbitrary code on devices configured for IKEv2 VPN, and may also be reachable via certain Branch Office VPN setups. Shadowserver reported more than 115,000 exposed instances online. CISA added the issue to its KEV catalog and ordered federal agencies to patch under BOD 22-01.
read more →

WatchGuard fixes critical zero-day in Firebox appliances

🛡️ WatchGuard has released emergency patches for a critical zero-day (CVE-2025-14733) in its Firebox appliances that allows remote, unauthenticated attackers to execute arbitrary code via the iked process handling IKEv2. The flaw, rated 9.3 CVSS, was exploited in the wild before a December 18 patch, making it a confirmed zero-day. Administrators should urgently check appliances for indicators of compromise, apply the fixed Fireware OS versions, and rotate any locally stored secrets if compromise is confirmed.
read more →

UEFI Flaw Enables Pre-boot DMA Attacks on Motherboards

🔒 Researchers disclosed a UEFI firmware flaw affecting some ASUS, Gigabyte, MSI, and ASRock motherboards that can falsely report DMA protections as active even when the IOMMU has not initialized, enabling pre-boot DMA attacks. The issue, tracked under multiple CVEs, allows a malicious PCIe device with physical access to read or modify system memory before the operating system loads and before security tooling can detect anything. Vendors have published advisories and firmware updates; users should verify affected models, back up important data, and apply vendor patches promptly.
read more →

Over 25,000 FortiCloud SSO Devices Exposed Online

🔒 Shadowserver has identified more than 25,000 Fortinet devices online with FortiCloud SSO enabled, amid active exploitation of a critical authentication bypass (CVE-2025-59718/CVE-2025-59719). Researchers report attackers send malicious SAML messages to perform unauthorized SSO, gain admin-level access, and download system configuration files containing hashed credentials, exposed services, and network details. CISA added the flaw to its list of actively exploited vulnerabilities and ordered U.S. agencies to patch within a week; Fortinet notes FortiCloud SSO is only enabled after device registration, but many management interfaces remain publicly reachable.
read more →