< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2061 articles · page 65 of 104

Hitachi Energy RADIUS MD5 Vulnerability (CVE-2024-3596)

⚠️ A critical vulnerability (CVE-2024-3596, CVSS 9.0) in Hitachi Energy AFS/AFR/AFF series RADIUS implementations allows a local attacker to forge valid RADIUS responses by exploiting an MD5 chosen-prefix collision against the response authenticator. Successful exploitation can compromise product data integrity and disrupt availability. Hitachi Energy recommends immediately enabling the RADIUS message authenticator option; vendor-specific CLI commands and MIB objects vary by product family.
read more →

CISA Releases Seven ICS Advisories on Multiple Products

🛡️ CISA has published seven new Industrial Control Systems advisories detailing vulnerabilities and guidance for affected products. The advisories cover Güralp Systems, Johnson Controls, Hitachi Energy, Mitsubishi Electric, and Fuji Electric, including updates to previously released notices. Administrators are urged to review technical details, apply vendor mitigations, and implement compensating controls to reduce operational risk.
read more →

Mitsubishi GT Designer3 Cleartext Credential Exposure

🔒 Mitsubishi Electric's GT Designer3 (Version1 for GOT2000 and GOT1000) stores project credentials in cleartext (CVE-2025-11009), allowing an attacker with access to a project file to recover plaintext credentials and illegitimately operate affected GOT devices. The issue is classified as Cleartext Storage of Sensitive Information (CWE-312) and has a CVSS v3.1 base score of 5.1 (Medium). Mitsubishi recommends limiting use to trusted LANs, blocking remote logins, using firewalls, VPNs, and antivirus, and avoiding untrusted files or links; CISA advises isolating control networks and minimizing internet exposure.
read more →

Active Attacks Exploit Fortinet FortiGate SSO Flaws

🔒 Arctic Wolf observed active intrusions on December 12, 2025 exploiting two critical Fortinet authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719). The flaws, both scored 9.8, permit unauthenticated bypass of SSO login via crafted SAML messages when FortiCloud SSO is enabled; Fortinet published patches for FortiOS, FortiWeb, FortiProxy and FortiSwitchManager last week. Attackers used hosting IPs tied to providers such as The Constant Company llc, Bl Networks and Kaopu Cloud Hk Limited to log in as "admin" and export device configurations. Organizations should apply updates immediately, disable FortiCloud SSO until systems are patched, restrict management access and assume compromise if IoCs are present.
read more →

React2Shell Exploits Deliver Backdoors, Credential Theft

🔒 Researchers warn that the React2Shell flaw (CVE-2025-55182) is being actively exploited to deploy sophisticated Linux backdoors and harvest credentials. Palo Alto Networks Unit 42 and NTT Security report active use of KSwapDoor and ZnDoor, which provide interactive shells, file operations, lateral scanning, and stealthy mesh networking. Attackers are also abusing Cloudflare Tunnels and secret-scraping tools to extract cloud and AI tokens. Organizations should prioritize discovery, credential rotation, and removal of dropped backdoors and follow vendor mitigations immediately.
read more →

Defending Against CVE-2025-55182 (React2Shell) RCE Threat

🔒 Microsoft Defender researchers describe CVE-2025-55182 (React2Shell), a critical pre-authentication remote code execution vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, a single crafted HTTP POST can result in server-side deserialization of attacker-controlled payloads and arbitrary code execution without authentication. Exploitation was observed beginning December 5, 2025, with attackers delivering coin miners, RATs, and other payloads across Windows and Linux environments. Microsoft urges immediate patching to published fixes, enabling Defender telemetry, and applying Azure WAF rules as compensating controls while broader detection coverage is deployed.
read more →

Recent Windows Updates Disrupt VPN Access for WSL Enterprise

🔧 Microsoft warns that recent Windows 11 updates, starting with the KB5067036 October 28, 2025 non-security update and including later releases such as KB5072033, can break VPN networking for enterprise users running WSL with mirrored mode enabled. Affected users report "No route to host" errors inside WSL because some third-party VPN virtual interfaces (for example OpenVPN and Cisco Secure Client) do not respond to ARP requests and so fail to resolve IP-to-MAC mappings. Microsoft is investigating the issue but has not provided a workaround or ETA for a fix.
read more →

FreePBX Fixes Critical SQLi, Upload, AUTH Bypass Flaws

🔒 FreePBX has released patches addressing several high‑severity vulnerabilities, including an authentication bypass that may be triggered when the legacy AUTHTYPE is set to webserver. Horizon3.ai reported authenticated SQL injection flaws and an arbitrary file upload that can be used to deploy a PHP web shell and achieve remote code execution. Administrators should apply the provided updates, ensure Authorization Type is set to usermanager, remove the legacy AUTHTYPE option from Advanced Settings, rotate credentials, and perform forensic checks if legacy settings were enabled.
read more →

CISA Adds Two Vulnerabilities to KEV Catalog After Evidence

⚠️ CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The entries are CVE-2025-14611 (Gladinet CentreStack and Triofox hard coded cryptographic vulnerability) and CVE-2025-43529 (Apple multiple products use-after-free in WebKit). BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate listed KEV items by the specified due dates, and CISA strongly urges all organizations to prioritize timely remediation.
read more →

CISA Orders Immediate Patching for Critical GeoServer XXE

🚨 CISA has ordered federal agencies to immediately patch GeoServer to address a critical unauthenticated XML External Entity (XXE) flaw, tracked as CVE-2025-58360. The vulnerability (CVSS 9.8) enables attackers to retrieve arbitrary files, trigger SSRF, or cause denial-of-service against affected GeoServer instances. Exploit code has circulated since late November and CISA added the issue to its Known Exploited Vulnerabilities catalog, urging remediation before December 26, 2025.
read more →

Microsoft December Updates Break Message Queuing Functionality

⚠️ Microsoft has confirmed that its December 2025 security updates are breaking Message Queuing (MSMQ) on affected systems. Machines with KB5071546, KB5071544, or KB5071543 installed — including Windows 10 22H2, Windows Server 2019, and Windows Server 2016 — can experience inactive queues, IIS sites failing with 'insufficient resources', and applications unable to write to queues. Microsoft attributes the failures to security model and NTFS permission changes that require MSMQ users to have write access to C:\Windows\System32\MSMQ\storage; a timeline for a fix has not been provided.
read more →

CISA Adds Actively Exploited Sierra Wireless Issue

⚠️ CISA has added a high-severity Sierra Wireless AirLink vulnerability, CVE-2018-4063, to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation. The flaw in the ACEManager upload.cgi function permits unrestricted file uploads that can lead to remote code execution, and ACEManager runs with root privileges. Federal agencies are advised to update affected devices to supported versions or discontinue use by January 2, 2026.
read more →

Apple Issues Security Updates for Two WebKit Zero-Days

🔒 Apple released security updates across iOS, iPadOS, macOS, tvOS, watchOS, visionOS and Safari to address two WebKit vulnerabilities—CVE-2025-43529 and CVE-2025-14174—that have been exploited in the wild. One of the flaws was patched in Chrome earlier this week, and Apple credits Google TAG and its own SEAR team with discovery and reporting. The issues can lead to arbitrary code execution or memory corruption when processing malicious web content. Users and administrators should apply the listed OS and Safari updates immediately to mitigate active exploitation.
read more →

Apple patches two WebKit zero-days used in targeted attacks

🔒 Apple released emergency updates to patch two zero-day WebKit vulnerabilities — CVE-2025-43529 (use-after-free) and CVE-2025-14174 (memory corruption) — that were exploited in an 'extremely sophisticated' attack against targeted individuals. Both bugs affect devices running WebKit on iPhone and iPad and were discovered by Google’s Threat Analysis Group and Apple. Apple fixed the issues across iOS, iPadOS, macOS, tvOS, watchOS, visionOS and Safari and urges users to install updates promptly.
read more →

Gladinet hardcoded keys enable remote code execution

🔒 Huntress warns attackers are exploiting hardcoded AES keys in Gladinet file‑sharing products CentreStack and Triofox, allowing decryption and forging of access tickets. Because the server uses a static GenerateSecKey() output — identical AES key and IV strings — adversaries can retrieve sensitive files like web.config, extract the ASP.NET machine key, and craft trusted ViewState payloads to achieve remote code execution. Gladinet released fixes on December 8 (build 16.12.10420.56791); Huntress advises immediate patching or temporary replacement of machine keys and notes active exploitation across customer environments.
read more →

React2Shell RCE exploited widely: GTIG findings Dec 2025

⚠️GTIG reports active, widespread exploitation of a critical unauthenticated RCE in React Server Components (CVE-2025-55182, “React2Shell”) disclosed on Dec. 3, 2025. Attackers ranging from opportunistic cryptominers to suspected China-nexus espionage clusters have delivered payloads including MINOCAT, SNOWLIGHT, HISONIC, COMPOOD, and XMRig miners. Exploits target vulnerable react-server-dom-* package versions and commonly use simple HTTP fetch-and-execute chains to establish persistence via cron, systemd, and shell profile modifications. Organizations are advised to patch immediately, deploy WAF rules, audit dependencies, and hunt for the supplied IOCs and YARA signatures.
read more →

CISA Adds One Vulnerability to Known Exploited Catalog

🔒 CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The listed issue, CVE-2018-4063, affects Sierra Wireless AirLink ALEOS and involves an unrestricted upload of files with dangerous types, a common attack vector. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by prescribed deadlines, and CISA urges all organizations to prioritize timely remediation to reduce exposure.
read more →

CISA Adds Chromium Out-of-Bounds Vulnerability to KEV

⚠ CISA added CVE-2025-14174, a Google Chromium out-of-bounds memory access vulnerability, to the Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of flaw frequently enables memory corruption and can lead to code execution or information disclosure, posing significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by required due dates; CISA urges all organizations to prioritize timely remediation as part of their vulnerability management.
read more →

New Windows RasMan zero-day gets free unofficial patches

🔒 ACROS Security's 0Patch team has published free, unofficial micropatches for a newly discovered Windows RasMan zero-day that can crash the Remote Access Connection Manager (RasMan) service. The defect, found while investigating CVE-2025-59230, triggers a null-pointer read when RasMan mishandles circular linked lists and can be combined with an elevation-of-privilege bug to enable code execution. 0Patch provides an agent that applies the micropatch automatically across affected Windows versions until Microsoft issues an official fix, typically without requiring a restart.
read more →

CISA Orders Federal Patch for Exploited GeoServer XXE

⚠️ CISA has ordered U.S. federal agencies to patch an unauthenticated XML External Entity (XXE) vulnerability in GeoServer tracked as CVE-2025-58360, affecting GeoServer 2.26.1 and earlier and reachable via the /geoserver/wms GetMap XML input. The flaw allows attackers to retrieve arbitrary files, enable SSRF, or cause DoS and is being actively exploited. Agencies must remediate by Jan 1, 2026; CISA urges all network defenders to prioritize patching immediately.
read more →