< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2061 articles · page 66 of 104

React fixes RSC DoS and code-leak flaws in server components

⚠️ The React team released patches for three vulnerabilities affecting React Server Components that could enable pre-authentication denial-of-service and disclosure of Server Function source code. Two high-severity DoS issues arise from unsafe deserialization and an incomplete remediation, while a lower-severity information-leak bug can return function source when arguments are stringified. The flaws impact react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack across multiple 19.x releases. Users are urged to upgrade to 19.0.3, 19.1.4, or 19.2.3 immediately, especially given active exploration of a related critical bug.
read more →

React2Shell Zero-Day Sparks Global Exploitation Surge

⚠️ The critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) enables remote, unauthenticated code execution via unsafe deserialization in the React Server Components Flight protocol. Since disclosure on December 3, 2025, multiple actors have exploited it to deliver miners, botnets, and other malware, targeting Next.js and containerized cloud workloads. CISA has accelerated mitigation deadlines and is urging agencies to patch by December 12, 2025; defenders should apply vendor fixes, enable WAF protections, and review logs for indicators of compromise.
read more →

CISA Adds GeoServer XXE Flaw to Known Exploited List

🛡️ CISA added a high‑severity XML External Entity (XXE) flaw, CVE-2025-58360 (CVSS 8.2), affecting OSGeo GeoServer to its Known Exploited Vulnerabilities catalog after evidence of in‑the‑wild exploitation. The unauthenticated vulnerability impacts releases up to and including 2.25.5 and versions 2.26.0–2.26.1 and was reported by the AI platform XBOW. GeoServer has published patches (2.25.6, 2.26.2, 2.27.0, 2.28.0, 2.28.1); operators should upgrade or apply vendor mitigations and review the /geoserver/wms GetMap endpoint and XML processing to mitigate XXE, SSRF, and DoS risks.
read more →

Attackers Exploit Gladinet CentreStack AES Key Flaw

🔐 Hackers are exploiting an undocumented cryptographic flaw in Gladinet's CentreStack and Triofox products that exposes hardcoded AES keys and enables remote code execution. Huntress researchers found static 100-byte strings in GladCtrl64.dll that produce identical encryption keys and IVs across installations, allowing attackers to decrypt or forge access tickets. Attackers have used this to retrieve web.config and abuse the machineKey with a ViewState deserialization flaw for RCE. Gladinet released patches and IoCs; customers should upgrade immediately and rotate machine keys.
read more →

Notepad++ 8.8.9 fixes updater flaw allowing malicious files

🛡️ Notepad++ released version 8.8.9 to address a weakness in its WinGUp updater after reports that the updater retrieved and executed malicious binaries instead of legitimate update packages. The issue surfaced in community forums where a spawned %Temp%\AutoUpdater.exe executed reconnaissance commands and exfiltrated data to a public paste service. Version 8.8.9 now enforces code-signature verification for downloaded installers and aborts updates that fail signature checks.
read more →

Malicious VSCode Marketplace Extensions Hid Trojan Campaign

🔍 ReversingLabs discovered a stealthy campaign of 19 malicious VSCode Marketplace extensions that bundled dependencies to run a trojan hidden inside a faux PNG file. The packages included modified 'path-is-absolute' or '@actions/io' modules which auto-execute code via an added class in index.js, decoding an obfuscated JavaScript dropper stored in a file named 'lock'. A fake 'banner.png' archive contained two payloads — a living-off-the-land binary 'cmstp.exe' and a Rust-based trojan — and Microsoft removed the extensions after being notified.
read more →

SAML Authentication Under New XML Parsing Flaws Exposed

🔓Researchers revealed new XML-parsing exploits that severely weaken SAML-based SSO, demonstrating full authentication bypass against popular Ruby and PHP SAML libraries. PortSwigger researcher Zak Fedotkin presented these techniques at Black Hat Europe and published an open-source toolkit to identify and reproduce affected deployments. The work highlights attack vectors such as attribute pollution, namespace confusion, and a new class of void canonicalization that can circumvent XML signature validation. While fixes (including updates to Ruby-SAML) have been released, Fedotkin warns that only a foundational rework of SAML libraries will eliminate these systemic weaknesses.
read more →

Battering RAM: DDR4 Interposer Breaks CPU Enclaves

🔓 Researchers at KU Leuven built a $50 DDR4 interposer that subverts confidential computing protections such as Intel SGX and AMD SEV, demonstrated at Black Hat Europe. The runtime attack, called Battering RAM, manipulates memory address mapping to gain arbitrary plaintext read/write and extract SGX provisioning keys, circumventing recent boot-time mitigations. The team warns that compromised memory modules in the supply chain could enable persistent backdoors on vulnerable cloud VMs.
read more →

React2Shell and RSC Vulnerabilities: Rapid Exploitation

🚨 Cloudflare's Cloudforce One team observed rapid scanning and exploitation attempts immediately after the public disclosure of React2Shell (CVE-2025-55182) on 2025-12-03. Attackers quickly integrated the unauthenticated RCE into automated reconnaissance using public asset discovery, Nuclei templates, and custom scanners to find exposed React Server Components. Cloudflare deployed Free and Paid WAF rules (default Block) and Worker-level protections while urging immediate patching. Telemetry showed millions of hits, diverse User-Agent fingerprints, and broad payload experimentation.
read more →

Unpatched Gogs zero-day RCE exploited across servers

⚠️ An unpatched zero-day in Gogs enables remote code execution on Internet-facing instances by exploiting a path traversal weakness in the PutContents API (CVE-2025-8110). Attackers abuse symbolic links to overwrite files outside repositories and modify Git configuration values such as sshCommand, forcing arbitrary command execution. Researchers found over 1,400 exposed servers and more than 700 with compromise indicators. Administrators should disable open registration and restrict access immediately.
read more →

Ivanti EPM XSS Flaw Lets Attackers Hijack Admin Sessions

🔒 Ivanti has released a critical patch for an unauthenticated Cross-Site Scripting (XSS) flaw in EPM that can allow attackers to inject malicious device scan data via the incoming API and execute JavaScript in administrator dashboards, enabling full admin-session takeover. The vendor shipped EPM 2024 SU4 SR1 to address CVE-2025-10573 (CVSS 9.6) and other arbitrary-code and file-write vulnerabilities; Ivanti said it had not observed customer exploitation at disclosure.
read more →

Siemens IAM Client TLS Certificate Validation Flaw

⚠️ The Siemens IAM client used across several engineering products contains an improper certificate validation flaw (CVE-2025-40800) that can enable unauthenticated remote man-in-the-middle attacks. CISA lists a CVSS v4 score of 9.1, indicating severe impact and remote exploitability, and also reports a CVSS v3.1 score of 7.4. Affected products include COMOS V10.6, NX (pre-2412.8700 / pre-2506.6000), Simcenter 3D, Simcenter Femap, and Solid Edge SE2025/SE2026; Siemens has issued patched versions for most items, though COMOS V10.6 currently has no fix. CISA and Siemens recommend applying available updates, isolating control networks, and minimizing direct internet exposure.
read more →

Siemens SALT TLS Certificate Validation Vulnerability

🔒The Siemens SALT SDK used by multiple engineering and simulation products fails to validate server TLS certificates, creating a risk of man-in-the-middle attacks by unauthenticated remote actors. Assigned CVE-2025-40801 with a CVSS v4 base score of 9.2, the issue affects COMOS, NX, Simcenter, Tecnomatix and others. Siemens has published updates for some versions while several products currently have no available fix; affected systems should be isolated, patched where possible, and protected behind properly configured firewalls and secure remote access solutions.
read more →

Siemens SINEMA Remote Connect Server Vulnerabilities

⚠️ Siemens has released a security advisory for SINEMA Remote Connect Server, affecting all versions prior to V3.2 SP4. Two vulnerabilities allow authenticated users with local or network access to read private TLS keys (incorrect permission assignment) and to bypass license enforcement via direct database modification (incorrect authorization). CISA lists CVE-2025-40818 (CVSS 3.3) and CVE-2025-40819 (CVSS 4.3). Apply the vendor update to V3.2 SP4 or later and follow recommended network-hardening measures.
read more →

Siemens Energy Services G5 Authentication Bypass Advisory

🔒 Siemens Energy Services Elspec G5 devices (firmware up to 1.2.2.19) contain an authentication bypass that lets an attacker with physical access reset the Admin password by inserting a USB drive with a documented reset string. The flaw is tracked as CVE-2025-59392 (CVSS v4: 7.0; CVSS v3.1: 6.8) and is not remotely exploitable. Siemens recommends updating to V1.2.3.13 or later and following operational security guidance.
read more →

Varex AJAT Panoramic Dental Imaging DLL Hijack Vulnerability

⚠️ CISA warns of a DLL hijacking (Uncontrolled Search Path Element, CWE-427) in AJAT Panoramic Dental Imaging Software from Varex Imaging (CVE-2024-22774). Versions prior to 6.6.1.490 may allow a local, low-complexity exploit that lets a standard user escalate to NT AUTHORITY\SYSTEM. Varex has released a patch; administrators should run AJAT_DENTAL_IMAGING_9.4.55.9888.exe on affected workstations and contact the vendor for assistance.
read more →

Siemens ACC-AP Firmware Signature Verification Flaw

🔒 Siemens' Building X - Security Manager Edge Controller (ACC-AP) contains an improper verification of cryptographic signature in its firmware update process that could permit installation of maliciously modified firmware. Tracked as CVE-2022-31807 and affecting all ACC-AP versions, the flaw may be exploited by a local attacker or by an adversary able to intercept firmware transfers. Siemens reports no planned fix for this product; operators should use the ACC Firmware App, validate firmware hashes, restrict controller access, and isolate devices from untrusted networks as compensating controls.
read more →

CISA Releases 12 ICS Advisories Covering Multiple Vendors

🔔 CISA released 12 Industrial Control Systems (ICS) advisories detailing vulnerabilities and mitigation guidance across multiple vendors, including Johnson Controls, Siemens, and AzeoTech. The notices call out specific products such as iSTAR, SINEMA Remote Connect Server, and DAQFactory, plus open-source and medical-imaging components. Administrators and operators are encouraged to review the technical details and apply recommended mitigations to reduce exploitation risk.
read more →

CISA Adds GeoServer XXE (CVE-2025-58360) to KEV Catalog

🔔 CISA has added CVE-2025-58360 — an OSGeo GeoServer XML External Entity (XXE) vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The issue involves improper restriction of XML External Entity references, a common vector attackers use to access sensitive data or cause service disruption. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by required due dates; CISA also urges all organizations to prioritize timely patching, mitigations, and monitoring. CISA will continue updating the KEV Catalog as additional exploited CVEs meet its criteria.
read more →

Out-of-Bounds Write in GDCM DICOM Library (CVE-2025-11266)

🔒 A vulnerability in the Grassroots DICOM (GDCM) library (CVE-2025-11266) allows an out-of-bounds write when parsing malformed encapsulated PixelData fragments. Exploitation can trigger a segmentation fault and a denial-of-service simply by opening a crafted DICOM file. Affected projects include GDCM (<=3.0.24), SimpleITK (<=2.5.2) and medInria (<=4.0). Users should update GDCM to v3.2.2 or later and apply vendor fixes; CISA also recommends isolating systems and minimizing network exposure.
read more →