< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2061 articles · page 64 of 104

Cisco: Zero-day Exploitation of Secure Email Appliances

⚠️ Cisco warns a China-linked actor is actively exploiting a previously unknown zero-day in its Secure Email appliances to gain persistent access when the Spam Quarantine feature is enabled and exposed to the internet. Cisco Talos reports activity since at least late November and says no patch is available. In confirmed compromises, Cisco advises wiping and rebuilding affected appliances to remove persistence; organizations should immediately restrict access to management ports and apply compensating controls while awaiting a fix.
read more →

Microsoft updates break Azure Virtual Desktop RemoteApp

⚠️ Microsoft has confirmed that recent Windows updates cause RemoteApp connection failures for Azure Virtual Desktop on Windows 11 24H2/25H2 and Windows Server 2025, triggered after the November 2025 non-security update KB5070311 or later. The issue affects RemoteApp streaming connections while full virtual desktop sessions remain functional and typically does not impact consumer Home or Pro devices. Microsoft advises a temporary mitigation — adding a registry DWORD (requires administrator privileges) and restarting the device — and has applied a Known Issue Rollback for Pro and Enterprise SKUs. Enterprise administrators can alternatively deploy the provided Group Policy MSI to apply the rollback centrally while Microsoft works on a permanent fix.
read more →

CISA Adds Critical ASUS Live Update Flaw to KEV Catalog

⚠️ CISA has added a critical vulnerability (CVE-2025-59374, CVSS 9.3) in ASUS Live Update to its Known Exploited Vulnerabilities catalog after identifying evidence of active exploitation tied to a supply-chain compromise. The flaw stems from trojanized installer builds distributed during the 2018 Operation ShadowHammer campaign that could make targeted devices perform unintended actions. ASUS previously remediated the issue in v3.6.8, but the vendor has since declared the client end-of-support; federal agencies are urged to discontinue use by January 7, 2026.
read more →

Cisco warns of exploited AsyncOS zero-day CVE-2025-20393

🚨 Cisco has warned of a maximum-severity zero-day in AsyncOS (CVE-2025-20393) that is actively exploited by a China-nexus APT tracked as UAT-9686. The flaw carries a CVSS score of 10.0 and can allow arbitrary command execution as root when the Spam Quarantine feature is enabled and reachable from the internet. Cisco observed attacks since late November 2025 and advises isolating affected appliances, restricting internet access, tightening authentication, monitoring web logs, and rebuilding compromised units until a patch is available.
read more →

Microsoft warns MSMQ may fail after December update

⚠️ Microsoft warns a December security update (KB5071546) can cause MSMQ to become inactive in enterprise and clustered environments, disrupting applications that rely on queued messaging. Reported symptoms include IIS failures with resource errors, applications unable to write to queues, and misleading log entries about disk space. Microsoft says a workaround exists but directs admins to contact Support for Business; community responders have recommended temporarily granting write access to C:\Windows\System32\msmq or rolling back the update until an official fix is issued. Affected systems include Windows Server 2012/2012 R2/2016/2019 and several Windows 10 builds.
read more →

Smashing Security 448: Kindle exploit, account and card risk

🎧 In episode #448 of Smashing Security, Graham Cluley and guest Danny Palmer discuss a Black Hat Europe disclosure showing how a boobytrapped audiobook could exploit an Amazon Kindle e‑reader. The research suggests a malformed audio file might let an attacker gain persistent access, break into an account and seize a saved credit card. The episode also revisits Ireland’s HSE ransomware fallout, where victims were reportedly offered €750 each, and includes a Pick of the Week. Listeners are urged to keep devices updated and monitor accounts for suspicious activity.
read more →

Cisco Talos: Libbiosig, Grassroot DiCoM, and step-ca Flaws

🔔 Cisco Talos disclosed multiple vulnerabilities affecting libbiosig, Grassroot DiCoM, and Smallstep step-ca. The issues include stack-based buffer overflows in libbiosig’s MFER parser that may allow arbitrary code execution, several out-of-bounds reads in DiCoM that can leak sensitive data, and an authentication bypass in step-ca enabling unauthorized certificate issuance. Vendors have released patches in accordance with Cisco’s disclosure policy; administrators should apply updates promptly and obtain the latest Snort rule sets to detect exploitation attempts.
read more →

SonicWall Fixes Actively Exploited SMA 100 Vulnerability

⚠ SonicWall released patches addressing CVE-2025-40602 (CVSS 6.6), a local privilege escalation in the Secure Mobile Access (SMA) 100 Appliance Management Console caused by insufficient authorization. Affected firmware builds prior to 12.4.3-03245 and 12.5.0-02283 have updates available to remediate the issue. SonicWall said the flaw has been actively exploited and has been observed chained with CVE-2025-23006 to achieve unauthenticated remote code execution with root privileges; users should apply fixes immediately.
read more →

SonicWall alerts on SMA1000 zero-day used in attacks

⚠️ SonicWall warns of a medium-severity local privilege escalation in the SonicWall SMA1000 Appliance Management Console (CVE-2025-40602), reported by Google Threat Intelligence researchers Clément Lecigne and Zander Work. The vendor says this LPE was chained in active zero-day attacks with a critical pre-auth deserialization bug (CVE-2025-23006) to execute OS commands and escalate to root. Administrators should apply the vendor hotfix and firmware updates immediately.
read more →

Motors WordPress Theme Flaw Allows Site Takeover at Scale

🔓 A critical arbitrary file upload vulnerability in the Motors WordPress theme could let low-privileged, logged-in users install and activate plugins, enabling remote code execution and full site takeover. The flaw, tracked as CVE-2025-64374, affects versions 5.6.81 and earlier and was discovered by Denver Jackson of the Patchstack Alliance community. The issue stems from an AJAX handler that relies on a nonce for validation but lacks a proper permission check, allowing Subscriber-level users to supply arbitrary plugin URLs. The vendor released a fix in version 5.6.82 on 3 November; site owners should update immediately to mitigate the risk.
read more →

Microsoft advises admins to contact support over MSMQ bug

⚠ Microsoft has asked enterprise customers to contact support for guidance after a Message Queuing (MSMQ) change in recent December 2025 updates caused applications and IIS sites to fail. The bug, affecting Windows 10 22H2, Windows Server 2019, and 2016 systems with KB5071546/KB5071544/KB5071543 installed, alters NTFS permissions on C:\Windows\System32\MSMQ\storage, requiring write access and causing resource errors. Microsoft is investigating and advising businesses to seek tailored mitigations or consider rolling back updates.
read more →

CISA Adds Three CVEs to Known Exploited Vulnerabilities

🔔 CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The entries are CVE-2025-20393 (Cisco multiple products, improper input validation), CVE-2025-40602 (SonicWall SMA1000, missing authorization), and CVE-2025-59374 (ASUS Live Update, embedded malicious code). These flaws are frequent attack vectors that pose significant risks to federal and nonfederal organizations. Agencies covered by BOD 22-01 must remediate by the required due dates; CISA urges all organizations to prioritize mitigation.
read more →

JumpCloud Remote Assist flaw allows local SYSTEM takeover

⚠️ The JumpCloud Remote Assist for Windows agent contains a critical local privilege escalation vulnerability (CVE-2025-34352) that can be exploited during uninstall or update flows. The uninstaller runs with NT AUTHORITY\SYSTEM and performs file operations in a user-writable %TEMP% subdirectory without validating or securing the path. Attackers with a local foothold can abuse link-following techniques (mount points and symlinks) to overwrite or delete protected files, yielding full system compromise or denial-of-service. Systems running Remote Assist before version 0.317.0 should be updated immediately.
read more →

FortiGate SSO Vulnerabilities Lead to Credential Theft

🔒 Security researchers and incident response teams warn that threat actors are rapidly exploiting newly disclosed authentication bypass vulnerabilities in Fortinet's FortiOS that affect FortiGate, FortiWeb, FortiProxy and FortiSwitchManager devices. Arctic Wolf reported seeing tens of intrusions since December 12, 2025, and advises that hashed credentials in exfiltrated configurations should be presumed compromised and rotated immediately. CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities list and Fortinet has released patches; administrators are urged to disable FortiCloud SSO until devices are upgraded and to follow Fortinet's hardening guidance.
read more →

JumpCloud Windows Agent Flaw Enables SYSTEM Escalation

⚠️ Security researchers have identified a critical vulnerability (CVE-2025-34352) in the JumpCloud Remote Assist Windows agent that allows low-privileged local users to escalate to NT AUTHORITY\SYSTEM or trigger denial-of-service during uninstallation. The root cause is unsafe file operations in user-writable directories (notably %TEMP%), enabling link-following attacks that redirect privileged actions. XM Cyber reported the issue and JumpCloud has released version 0.317.0 to address it — administrators should update affected endpoints immediately.
read more →

Hackers Exploit Fortinet FortiCloud SSO Auth Bypass

🔒 Researchers report active exploitation of two critical FortiCloud SSO authentication bypasses (CVE-2025-59718, CVE-2025-59719) that can grant unauthenticated admin access to multiple Fortinet products. The flaws stem from improper verification of SAML cryptographic signatures, enabling forged assertions to bypass login controls. Attacks observed from December 12 targeted admin accounts and led to exfiltration of system configuration files. Administrators should disable FortiCloud SSO if unable to upgrade and apply vendor patches immediately.
read more →

Airbus A320 Software Rollback After Flight Control Fault

✈️ Airbus announced a software rollback after an A320 experienced an unexpected nose‑down maneuver on October 30, 2025, an event that sent multiple passengers to hospital and grounded aircraft for inspection. Airbus said intense solar radiation may have corrupted data critical to flight controls, but operators were able to mitigate many cases by reverting ELAC software from L104 to L103. The episode spotlights SDLC failings — notably test engineering, CI/CD, observability and supply‑chain integration — rather than merely cosmic rays.
read more →

CISA Adds Fortinet CVE to Known Exploited Vulnerabilities

🔔 CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The vulnerability is described as an improper verification of cryptographic signature affecting multiple Fortinet products and represents a high-risk attack vector. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by mandated due dates. CISA strongly urges all organizations to prioritize timely remediation and apply vendor fixes or mitigations promptly.
read more →

Güralp Web Interface DoS Vulnerability (CVE-2025-14466)

⚠️ A vulnerability in the web interface of Güralp Systems Fortimus, Minimus, and Certimus Series (CVE-2025-14466) allows an unauthenticated network attacker to send specially crafted HTTP requests that cause the web service process to restart. The restart produces a brief denial-of-service condition with a CVSS v3.1 base score of 5.3 (Medium). Güralp recommends operating affected systems behind a NAT or VPN firewall and contacting the vendor for further guidance. CISA advises minimizing network exposure, isolating control networks, and using secure, up-to-date remote access methods.
read more →

Johnson Controls PowerG Vulnerabilities and Mitigations

🔒 CISA warns that multiple vulnerabilities in Johnson Controls PowerG implementations could let attackers read, modify, or replay encrypted wireless traffic. Affected devices include IQPanel 4, legacy IQPanel 2/2+, and IQHub with referenced CVEs CVE-2025-61738, CVE-2025-61739, CVE-2025-26379, and CVE-2025-61740. Vendor fixes (IQPanel 4.6.1, PowerG v53.05+) and secure enrollment practices are recommended, and end-of-life hardware should be replaced.
read more →