All news in category “Security Advisory and Patch Watch”

⚠ Three high-severity vulnerabilities in the runc container runtime allow attackers to escape containers and gain host-level privileges by abusing masked paths, console bind-mounts, and redirected writes to procfs. Aleksa Sarai of SUSE and the OCI described logic flaws that let runc mount or write to sensitive /proc targets, including /proc/sys/kernel/core_pattern and /proc/sysrq-trigger. Patches are available in runc 1.2.8, 1.3.3 and 1.4.0-rc.3; administrators should update promptly, favor rootless containers where feasible, and monitor for suspicious symlink behaviour.

⚠️ Three newly disclosed vulnerabilities in runC (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) could allow attackers to bypass container isolation and obtain root write access on the host. The issues involve manipulated bind mounts and redirected writes to /proc, and one flaw affects runC releases back to 1.0.0-rc3. Patches are available in recent runC releases; administrators should update, monitor for suspicious symlink/mount activity, and consider enabling user namespaces or running rootless containers as mitigations.

🛡️ If you’re still running Windows 10, enroll in Microsoft’s Extended Security Updates (ESU) program before the next Patch Tuesday to continue receiving security fixes. Consumers can get one year of ESU for free by signing into a Microsoft account and enabling Windows settings backup, or alternatively pay $30 or redeem 1,000 Microsoft Rewards points. Enrollment is available via Settings > Update & Security > Windows Update and should confirm coverage through October 13, 2026.

🔒 QNAP has released patches for seven zero-day vulnerabilities that were exploited to hack NAS devices during the Pwn2Own Ireland 2025 contest. The flaws affect QTS/QuTS hero and several bundled apps, including Hyper Data Protector, Malware Remover, and HBS 3, and are tracked under multiple CVEs. Fixed firmware and app builds are available and administrators are advised to update via Control Panel > System > Firmware Update and the App Center, then change all passwords. Regularly checking product support status and applying updates promptly are recommended to maintain security.

🔒 A threat actor exploited a Samsung Android image-processing zero-day, CVE-2025-21042, to deliver a previously unknown spyware called LandFall using malicious DNG images sent over WhatsApp. Researchers link activity back to at least July 23, 2024, and say the campaign targeted select Galaxy models in the Middle East. Unit 42 found a loader and a SELinux policy manipulator in the DNG files that enabled privilege escalation, persistence, and data exfiltration. Users are advised to apply patches promptly, disable automatic media downloads, and enable platform protection features.

🔒 A now-patched out-of-bounds write in libimagecodec.quram.so (CVE-2025-21042, CVSS 8.8) was used as a zero-click vector to deliver commercial-grade Android spyware known as LANDFALL. The campaign appears to have used malicious DNG images sent via WhatsApp to extract and load a shared library that installs the spyware. Unit 42 links activity to targets in Iraq, Iran, Turkey, and Morocco and notes samples dating back to July 2024. The exploit also deployed a secondary module to modify SELinux policy for persistence and elevated privileges.

⚠️ Cisco warned that two recently patched firewall vulnerabilities (CVE-2025-20362 and CVE-2025-20333) — previously leveraged in zero-day intrusions — are now being abused to force ASA and FTD devices into unexpected reboot loops, causing denial-of-service. The vendor issued updates on September 25 and strongly urged customers to apply fixes immediately. CISA issued an emergency 24-hour directive for U.S. federal agencies and ordered EoS ASA devices to be disconnected. Shadowserver still reports tens of thousands of internet-exposed, unpatched devices.

🔍 Unit 42 disclosed LANDFALL, a previously unknown commercial-grade Android spyware family that abused a Samsung DNG parsing zero-day (CVE-2025-21042) to run native payloads embedded in malformed DNG files. The campaign targeted Samsung Galaxy models and enabled microphone and call recording, location tracking, and exfiltration of photos, contacts and databases via native loaders and SELinux manipulation. Apply vendor firmware updates and contact Unit 42 for incident response.

🔒 Cisco has released security updates for Unified Contact Center Express (CCX) to address two critical vulnerabilities that can enable authentication bypass and remote code execution as root. The company issued software updates 15.0 ES01 and 12.5 SU3 ES07 and urged customers to apply them immediately. Cisco also fixed four medium-severity issues across CCX, CCE and UIC, and warned of a new attack variant affecting ASA and FTD devices tied to earlier patches.

⚠️ Cisco disclosed a new attack variant that targets devices running Cisco Secure Firewall ASA and FTD software that are vulnerable to CVE-2025-20333 and CVE-2025-20362. The exploit can cause unpatched devices to unexpectedly reload, creating denial-of-service conditions, and follows prior zero-day campaigns that delivered malware such as RayInitiator and LINE VIPER, per the U.K. NCSC. Cisco additionally released patches for critical Unified CCX flaws and a high-severity DoS bug in ISE, and urges customers to apply updates immediately.

🔒 Cisco has released updates to address a critical vulnerability in Unified Contact Center Express (UCCX) — CVE-2025-20354 — found in the Java RMI process that can let unauthenticated attackers execute arbitrary commands as root. A separate CCX Editor flaw allows authentication bypass and script execution with admin privileges. Administrators should upgrade to the first fixed releases (12.5 SU3 ES07 or 15.0 ES01) immediately; Cisco has not yet observed active exploitation.

⚠️ A critical remote-code execution vulnerability in @react-native-community/cli and its cli-server-api component lets attackers run arbitrary OS commands via the Metro development server. The flaw stems from a /open-url endpoint that forwards a supplied URL directly to the open() package and, despite console messages, the server can bind to 0.0.0.0 rather than localhost. JFrog demonstrated Windows exploitation and the issue is fixed in cli-server-api version 20.0.0; users should update or bind the server to 127.0.0.1.

🔒 CISA warns that Ubia's Ubox firmware (v1.1.124) exposes API credentials, potentially allowing remote attackers to access backend services. Successful exploitation could permit viewing live camera feeds or modifying device settings. The issue is tracked as CVE-2025-12636 with a CVSS v4 base score of 7.1. Users should minimize network exposure, isolate devices behind firewalls, use secure remote-access methods such as VPNs, and contact Ubia support for guidance.

🔔 CISA released four Industrial Control Systems (ICS) advisories covering Advantech DeviceOn iEdge, Ubia Ubox, ABB FLXeon Controllers, and an update for Hitachi Energy Asset Suite. Each advisory provides technical details on identified vulnerabilities and recommended mitigations. Users and administrators are urged to review the advisories and apply mitigations promptly.

⚠️ Advantech DeviceOn/iEdge versions 2.0.2 and earlier contain multiple remotely exploitable vulnerabilities, including XSS and several path-traversal flaws assigned CVE-2025-64302, CVE-2025-62630, CVE-2025-59171, and CVE-2025-58423. Successful exploitation may lead to denial-of-service, arbitrary file disclosure, or remote code execution with system-level permissions. CISA notes the products are EOL and recommends upgrading to DeviceOn, isolating devices from the internet, and using secure remote access methods to reduce risk.

⚠ ABB FLXeon devices are affected by multiple high-severity vulnerabilities, including hard-coded credentials, MD5 password hashing without proper salt, and improper input validation that can enable remote code execution. Combined CVSS v4 scores reach up to 8.7 and successful exploitation could allow remote control, arbitrary code execution, or device crashes. ABB and CISA advise disconnecting Internet-exposed units, applying the latest firmware, enforcing physical access controls, and using secure remote-access methods such as properly configured VPNs.

⚠️ A critical vulnerability in the popular Post SMTP WordPress plugin, which has more than 400,000 active installations, allowed unauthenticated attackers to read email logs — including password reset messages — and change any user password, enabling full account and site takeover. Wordfence reported active exploitation and urged immediate updates after detecting thousands of automated attacks. Administrators should install the patched release or disable the plugin immediately to prevent compromise.

⚠️ CISA warns that a critical remote command execution vulnerability, tracked as CVE-2025-48703, is being exploited in the wild against CentOS Web Panel (CWP). The flaw impacts all CWP versions before 0.9.8.1204 and allows unauthenticated attackers who know a valid username to inject shell commands via the file-manager changePerm t_total parameter. The vendor fixed the issue in 0.9.8.1205, and federal agencies have until Nov 25 under BOD 22-01 to remediate or stop using the product.

🔒Anthropic's official Claude Desktop extensions for Chrome, iMessage and Apple Notes were found vulnerable to web-based prompt injection that could enable remote code execution. Koi Security reported unsanitized command injection in the packaged Model Context Protocol (MCP) servers, which run unsandboxed on users' devices with full system permissions. Unlike browser extensions, these connectors can read files, execute commands and access credentials. Anthropic released a fix in v0.1.9, verified by Koi Security on September 19.

🔒 Microsoft warned that installing Windows security updates released on or after October 14, 2025 can cause some systems to boot into BitLocker recovery, prompting users to enter their recovery key on first restart. The issue mainly affects Intel devices that support Connected Standby (Modern Standby) and occurs during restart or startup on Windows 11 24H2/25H2 and Windows 10 22H2. Microsoft says devices should boot normally after the key is entered and offers a Group Policy mitigation via Known Issue Rollback (KIR), with affected customers advised to contact Microsoft Support for Business.