All news in category "Security Advisory and Patch Watch"

Ubia Ubox: Insufficiently Protected Credentials Advisory

🔒 CISA warns that Ubia's Ubox firmware (v1.1.124) exposes API credentials, potentially allowing remote attackers to access backend services. Successful exploitation could permit viewing live camera feeds or modifying device settings. The issue is tracked as CVE-2025-12636 with a CVSS v4 base score of 7.1. Users should minimize network exposure, isolate devices behind firewalls, use secure remote-access methods such as VPNs, and contact Ubia support for guidance.

CISA Releases Four Industrial Control Systems Advisories

🔔 CISA released four Industrial Control Systems (ICS) advisories covering Advantech DeviceOn iEdge, Ubia Ubox, ABB FLXeon Controllers, and an update for Hitachi Energy Asset Suite. Each advisory provides technical details on identified vulnerabilities and recommended mitigations. Users and administrators are urged to review the advisories and apply mitigations promptly.

Critical Post SMTP WordPress Plugin Flaw Enables Takeover

⚠️ A critical vulnerability in the popular Post SMTP WordPress plugin, which has more than 400,000 active installations, allowed unauthenticated attackers to read email logs — including password reset messages — and change any user password, enabling full account and site takeover. Wordfence reported active exploitation and urged immediate updates after detecting thousands of automated attacks. Administrators should install the patched release or disable the plugin immediately to prevent compromise.

CISA Warns of Critical CentOS Web Panel RCE Exploit

⚠️ CISA warns that a critical remote command execution vulnerability, tracked as CVE-2025-48703, is being exploited in the wild against CentOS Web Panel (CWP). The flaw impacts all CWP versions before 0.9.8.1204 and allows unauthenticated attackers who know a valid username to inject shell commands via the file-manager changePerm t_total parameter. The vendor fixed the issue in 0.9.8.1205, and federal agencies have until Nov 25 under BOD 22-01 to remediate or stop using the product.

Prompt Injection Flaw in Anthropic Claude Desktop Exts

🔒Anthropic's official Claude Desktop extensions for Chrome, iMessage and Apple Notes were found vulnerable to web-based prompt injection that could enable remote code execution. Koi Security reported unsanitized command injection in the packaged Model Context Protocol (MCP) servers, which run unsandboxed on users' devices with full system permissions. Unlike browser extensions, these connectors can read files, execute commands and access credentials. Anthropic released a fix in v0.1.9, verified by Koi Security on September 19.

October Windows Updates Can Trigger BitLocker Recovery

🔒 Microsoft warned that installing Windows security updates released on or after October 14, 2025 can cause some systems to boot into BitLocker recovery, prompting users to enter their recovery key on first restart. The issue mainly affects Intel devices that support Connected Standby (Modern Standby) and occurs during restart or startup on Windows 11 24H2/25H2 and Windows 10 22H2. Microsoft says devices should boot normally after the key is entered and offers a Group Policy mitigation via Known Issue Rollback (KIR), with affected customers advised to contact Microsoft Support for Business.

CISA Adds Gladinet, CWP Flaws to KEV After Exploits

🚨 CISA added two vulnerabilities affecting Gladinet CentreStack/Triofox and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. CVE-2025-11371 (CVSS 7.5) can expose files or directories to external parties, while CVE-2025-48703 (CVSS 9.0) is an OS command injection enabling remote code execution via the t_total parameter. Huntress reported live reconnaissance activity against Gladinet, and Federal civilian agencies must remediate by November 25, 2025.

Hackers Exploit Post SMTP Plugin to Hijack Admin Accounts

⚠️ WordPress sites using Post SMTP (≤3.6.0) are under active attack after disclosure of CVE-2025-11833, a critical (9.8) email log disclosure that lets unauthenticated actors read password-reset messages and hijack administrator accounts. A vendor patch, Post SMTP 3.6.1, was released Oct 29, but roughly 210,000 sites remain unpatched. Wordfence observed exploitation beginning Nov 1 and has blocked over 4,500 attempts; site owners should update or disable the plugin immediately.

Talos Discloses TruffleHog, Fade In, and BSAFE Flaws

🔒 Cisco Talos’ Vulnerability Discovery & Research team disclosed multiple vulnerabilities affecting TruffleHog, Fade In, and Dell BSAFE Crypto-C, including arbitrary code execution, out-of-bounds write/use-after-free, and integer/stack overflow issues. The issues were reported by Talos researchers and external collaborators and vendors have issued patches following Cisco’s disclosure policy. Users should apply vendor updates, deploy updated detection rules such as Snort signatures, and consult Talos advisories for indicators and recommended mitigations.

Critical React Native CLI Flaw Enables Remote OS Commands

⚠ A critical vulnerability in the @react-native-community/cli ecosystem could let remote, unauthenticated attackers execute arbitrary OS commands on machines running the React Native development server. JFrog researcher Or Peles reported that the Metro dev server binds to external interfaces by default and exposes a vulnerable /open-url endpoint that passes user input to the unsafe open() call. The flaw (CVE-2025-11953, CVSS 9.8) affected versions 4.8.0–20.0.0-alpha.2 and is fixed in 20.0.0.

Microsoft Teams Bugs Enable Message and Caller Spoofing

🔒 Check Point researchers disclosed four vulnerabilities in Microsoft Teams that let attackers alter message content, spoof senders, and manipulate notifications to impersonate colleagues. The issues were reported in March 2024 and remediated across multiple updates beginning with an August 2024 fix for CVE-2024-38197, followed by patches in September 2024 and October 2025. Exploitable by external guests and internal actors alike, the flaws could trick users into clicking malicious links, sharing sensitive data, or accepting fraudulent calls by making messages and caller notifications appear to originate from trusted executives or coworkers.

Windows 10 update bug shows incorrect end-of-support alerts

⚠️Microsoft says installing the October 2025 updates can cause some Windows 10 systems with active coverage to display an incorrect "Your version of Windows has reached the end of support" message in Windows Update settings. The cosmetic issue affects Windows 10 Enterprise LTSC 2021, Windows 10 IoT Enterprise LTSC 2021, and Windows 10 22H2 devices enrolled in ESU. Microsoft has deployed a cloud configuration update to correct the message automatically, but devices that are offline or block dynamic updates may not receive it. Administrators can use Known Issue Rollback (KIR) by setting the KB5066791 251020_20401 value to Disabled to remove the alert on managed systems until a permanent fix ships in a future Windows update.

Microsoft Teams Vulnerabilities Expose Trust Abuse Today

🔒 Check Point Research identified multiple vulnerabilities in Microsoft Teams that could let attackers impersonate executives, manipulate message content, and spoof in-app notifications. The flaws exploit trust mechanisms built into real-time collaboration features used by more than 320 million monthly active users, turning expectations of authenticity into an attack vector. Researchers emphasize that trust alone isn’t a security strategy and urge rapid remediation by vendors and mitigations by organizations. Administrators should prioritize updates, review messaging policies, and increase user awareness to reduce exposure.

Fuji Electric Monitouch V-SFT-6 Buffer Overflow Advisory

⚠️ Fuji Electric Monitouch V-SFT-6 (v6.2.7.0) contains two buffer overflow vulnerabilities — a heap-based and a stack-based overflow — triggered by specially crafted project files. Identified as CVE-2025-54496 and CVE-2025-54526, both carry CVSS v3.1 scores of 7.8 and CVSS v4 scores of 8.4. Successful exploitation could crash the HMI and may permit code execution; the vendor issued fixes in V6.2.8.0 and recommends updating to V6.2.9.0 or later.

IDIS ICM Viewer Argument Injection Vulnerability Reported

🔒 An argument injection vulnerability (CWE-88) in ICM Viewer v1.6.0.10 (CVE-2025-12556) could allow remote attackers to execute arbitrary code on the host system. CISA assigns a CVSS v3 score of 8.8 and a CVSS v4 score of 8.7, noting remote exploitability with low attack complexity and limited privileges required. IDIS requires immediate upgrade to v1.7.1 or uninstallation; Claroty Team82 researchers reported the issue and CISA reports no known public exploitation to date.

CISA Releases Five Industrial Control Systems Advisories

🔔 CISA released five Industrial Control Systems (ICS) advisories on November 4, 2025, providing timely information on vulnerabilities, impacts, and mitigations for affected products. The advisories address Fuji Electric Monitouch V-SFT-6, Survision License Plate Recognition Camera, Delta Electronics CNCSoft-G2, Radiometrics VizAir, and IDIS ICM Viewer. Users and administrators are urged to review the technical details and implement recommended mitigations and compensating controls to reduce exposure and protect operational systems.

CISA Adds Two Vulnerabilities to KEV Catalog — Nov 2025

🔔 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-11371 affecting Gladinet CentreStack and Triofox (files or directories exposed to external parties), and CVE-2025-48703 affecting CWP Control Web Panel (OS command injection). These entries reflect evidence of active exploitation and elevated risk. CISA urges timely remediation under BOD 22-01 and recommends organizations prioritize patching, mitigations, and compensating controls.

Delta Electronics CNCSoft-G2 Stack Overflow Advisory

⚠️ Delta Electronics and CISA warn of a stack-based buffer overflow in CNCSoft-G2 (CVE-2025-58317) affecting versions 2.1.0.27 and earlier. When a user opens a specially crafted file, an attacker could execute arbitrary code in the context of the affected process; the vulnerability received a CVSS v4 base score of 8.5 and is characterized by low attack complexity. Delta recommends updating to Version 2.1.0.34 or later. CISA advises minimizing network exposure for control systems, isolating control networks, and using secure remote access methods.

CISA: Survision LPR Camera Missing Authentication Flaw

⚠️ Survision's License Plate Recognition (LPR) Camera contains a missing authentication for critical function, allowing unauthenticated access to the configuration wizard. The issue affects all versions and is tracked as CVE-2025-12108 with a CVSS v4 base score of 9.3 and a CVSS v3.1 score of 9.8, indicating remote, low-complexity exploitation with high impact. Survision released firmware v3.5 to address the vulnerability and recommends enabling configuration passwords, defining minimal-right user roles, and enforcing client certificate authentication where possible.

Radiometrics VizAir: Critical Authentication Flaws

⚠️ CISA warns that Radiometrics VizAir systems (versions prior to 08/2025) contain multiple critical vulnerabilities — including missing authentication for admin functions and an exposed REST API key — assigned CVE-2025-61945, CVE-2025-54863, and CVE-2025-61956 and rated CVSS v4 10.0. Remote attackers could alter weather parameters, disable alerts, manipulate runway settings, and extract sensitive meteorological data, potentially disrupting airport operations. Radiometrics has deployed updates to affected systems; CISA recommends minimizing network exposure, isolating control networks, and using secure remote access methods.