< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2061 articles · page 71 of 104

Critical King Addons WordPress Plugin Flaw Exploited

⚠️ A critical privilege-escalation vulnerability in the King Addons plugin for Elementor (CVE-2025-8489, CVSS 9.8) is being actively exploited to create administrative accounts. The flaw stems from an insecure handle_register_ajax() implementation that permits unauthenticated users to specify the administrator role during registration via the "/wp-admin/admin-ajax.php" endpoint. A patch is available in version 51.1.35 (released September 25, 2025); administrators should update immediately and audit for unauthorized admin users.
read more →

Microsoft mitigates Windows LNK zero-day exploited widely

🔒 Microsoft has quietly mitigated a high-severity Windows LNK vulnerability tracked as CVE-2025-9491, which attackers used to hide malicious command-line arguments inside .lnk files. The flaw relied on padding the Target field so Windows previously masked arguments beyond 260 characters, enabling persistence and malware delivery. Microsoft’s November update now shows the full Target string in Properties but does not remove malicious arguments or warn users. An unofficial 0Patch micropatch limits target strings and warns on unusually long values.
read more →

CISA Adds One CVE to Known Exploited Vulnerabilities Catalog

🚨 CISA added CVE-2021-26828 — an OpenPLC ScadaBR unrestricted file upload vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The flaw allows dangerous file types to be uploaded, a frequent attack vector that poses significant risks to federal networks. Under BOD 22-01 federal agencies must remediate cataloged CVEs by required dates; CISA also urges all organizations to prioritize remediation.
read more →

Picklescan Flaws Enable Malicious PyTorch Model Execution

⚠️ Picklescan, a Python pickle scanner, has three critical flaws that can be abused to execute arbitrary code when loading untrusted PyTorch models. Discovered by JFrog researchers, the issues — a file-extension bypass (CVE-2025-10155), a ZIP CRC bypass (CVE-2025-10156) and an unsafe-globals bypass (CVE-2025-10157) — let attackers present malicious models as safe. The vulnerabilities were responsibly disclosed on June 29, 2025 and fixed in Picklescan 0.0.31 on September 9; users should upgrade and review model-loading practices and downstream automation that accepts third-party models.
read more →

Cloudflare WAF Blocks Critical React Server Components RCE

🛡️ Cloudflare has deployed new WAF protections to mitigate a high‑severity RCE in React Server Components (CVE-2025-55182). All customers whose React traffic is proxied through the Cloudflare WAF are automatically protected — the rules are included in both the Free Managed Ruleset and the standard Managed Ruleset and default to Block. Rule IDs: Managed Ruleset 33aa8a8a948b48b28d40450c5fb92fba and Free Ruleset 2b5d06e34a814a889bee9a0699702280; Cloudflare Workers are immune. Customers on paid plans should verify Managed Rules are enabled and update to React 19.2.1 and the recommended Next.js releases (16.0.7, 15.5.7, 15.4.8).
read more →

Critical PickleScan Zero-Days Threaten AI Model Supply

🔒 Three critical zero-day vulnerabilities in PickleScan, a widely used scanner for Python pickle files and PyTorch models, could enable attackers to bypass model-scanning safeguards and distribute malicious machine learning models undetected. The JFrog Security Research Team published an advisory on 2 December after confirming all three flaws carry a CVSS score of 9.3. JFrog has advised upgrading to PickleScan 0.0.31, adopting layered defenses, and shifting to safer formats such as safetensors.
read more →

Google fixes two Android zero-days, 107 vulnerabilities

🔒 Google released its December 2025 Android security bulletin addressing 107 vulnerabilities, including two zero-days (CVE-2025-48633 and CVE-2025-48572) that are reported to be under limited targeted exploitation. The flaws affect Android 13–16 and include information-disclosure and privilege‑escalation issues; the most critical fix this month is CVE-2025-48631 (DoS). Updates also include critical kernel fixes for Qualcomm and closed‑source vendors, and Samsung has ported fixes. Users should apply updates, keep Play Protect active, or move to supported builds.
read more →

KB5070311 Causes Explorer to Flash White in Dark Mode

⚠️ Microsoft confirmed that the KB5070311 preview update can cause a brief bright white flash when launching File Explorer in dark mode on Windows 11 systems. The behavior is also triggered when navigating to or from Home or Gallery, creating a new tab, toggling the Details pane, or selecting 'More details' while copying files. Microsoft says it is working on a solution but has not provided a timeline; affected users are advised to disable dark mode as a temporary workaround.
read more →

CISA Adds Two Android Vulnerabilities to KEV Catalog

⚠️ CISA added two Android Framework vulnerabilities to the KEV Catalog: CVE-2025-48572 (privilege escalation) and CVE-2025-48633 (information disclosure). Both issues show evidence of active exploitation and pose significant risk to the federal enterprise. Under BOD 22-01, FCEB agencies must remediate cataloged vulnerabilities by their due dates; CISA strongly urges all organizations to prioritize timely patching and other mitigations.
read more →

Code Injection Vulnerability in Longwatch Device Firmware

⚠️ Industrial Video & Control Longwatch versions 6.309–6.334 contain a code injection vulnerability that allows unauthenticated HTTP GET requests to execute arbitrary code, resulting in SYSTEM-level remote code execution. CISA assigns high severity (CVSS v4 9.3; CVSS v3.1 9.8) and recommends upgrading to version 6.335 or later. Reduce network exposure, isolate control networks behind firewalls, and use secure remote access methods while applying the vendor patch.
read more →

Mirion Medical EC2 NMIS BioDose: High-Risk Vulnerabilities

⚠️ Mirion Medical's EC2 Software NMIS BioDose versions prior to 23.0 contain multiple high-severity vulnerabilities (CVSS v4: 8.7) that are remotely exploitable and can enable code execution, data disclosure, and unauthorized access. The issues include incorrect permission assignment, client-side authentication, and hard-coded credentials affecting installed executables, the embedded SQL Server, and database accounts. Mirion recommends updating to v23.0 or later; CISA advises isolating control networks, minimizing exposure, and using secure remote access while performing impact analysis.
read more →

CISA Issues Five New Industrial Control System Advisories

🛡️ CISA released five Industrial Control Systems (ICS) advisories detailing vulnerabilities, impacts, and recommended mitigations for affected products. Affected vendors include Industrial Video & Control (Longwatch), Iskra (iHUB/iHUB Lite), Mirion Medical (EC2 NMIS BioDose), and two updates for Mitsubishi Electric products. Administrators and operators are urged to review the advisories and apply recommended mitigations promptly to reduce operational and safety risks.
read more →

Iskra iHUB/iHUB Lite: Unauthenticated Web Interface Alert

🔒 CISA reports a high‑severity Missing Authentication for Critical Function vulnerability (CVE-2025-13510) affecting all versions of Iskra’s iHUB and iHUB Lite smart metering gateways, where the web management interface requires no credentials. With a CVSS v4 base score of 9.3, an unauthenticated remote attacker could reconfigure devices, update firmware, and manipulate connected systems. Iskra did not respond to coordination requests; CISA recommends isolating devices from the Internet, placing them behind firewalls, and using secure remote access methods such as VPNs while recognizing their limitations.
read more →

Windows 11 KB5070311 Preview Fixes Explorer Freezes

🔧 Microsoft has published the optional KB5070311 preview cumulative update for Windows 11, delivering 49 non-security fixes and quality improvements. The November preview resolves an explorer.exe and taskbar hang triggered by certain notifications, corrects File Explorer search issues affecting some SMB shares, and addresses an LSASS access-violation instability. Install via Settings → Windows Update or download from the Microsoft Update Catalog; this update advances 25H2 and 24H2 builds to 26200.7309 and 26100.7309 respectively.
read more →

Google patches 107 Android zero-days and critical flaws

🔒 In its December Android Security Bulletin, Google disclosed 107 zero-day vulnerabilities affecting Android and AOSP-based systems, publishing fixes for 51 issues on December 1 and promising the remaining 56 on December 5. Among the patched flaws, two high-severity framework bugs (CVE-2025-48633 and CVE-2025-48572) may be under limited targeted exploitation and affect Android 13–16. The bulletin also lists a critical framework vulnerability (CVE-2025-48631) that can cause a remote denial-of-service without additional privileges. Patches for kernel and third-party components from vendors such as Arm, MediaTek, Qualcomm and others will follow.
read more →

Google Issues December Patch for 107 Android Flaws

🔒 Google released its December 2025 Android security update addressing 107 vulnerabilities across Framework, System, Kernel and components from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unison. Two high-severity Framework defects — CVE-2025-48633 (information disclosure) and CVE-2025-48572 (privilege elevation) — are reported as exploited in the wild. A separate critical Framework issue, CVE-2025-48631, could enable remote DoS without added privileges. Google published two patch levels, 2025-12-01 and 2025-12-05, and users should update promptly when vendors release device-specific builds.
read more →

Microsoft: New Outlook Fails to Open Some Excel Attachments

🔧 Microsoft is addressing a bug that prevents some users from opening Excel email attachments in the new Outlook client when filenames contain non‑ASCII characters. The company says the root cause is a missing encoding in the file‑open requests and that a fix has been developed and deployed for validation. While the rollout is still in progress, affected users are advised to use Outlook on the web or download the file to open it locally as a temporary workaround.
read more →

CISA Adds Actively Exploited XSS Bug in OpenPLC ScadaBR

⚠️ CISA has added an actively exploited cross-site scripting flaw, CVE-2021-26829, to its Known Exploited Vulnerabilities catalog after reports of operational abuse against OpenPLC ScadaBR. The XSS affects Windows 1.12.4 and Linux 0.9.1 via system_settings.shtm and was used to deface HMI pages and disable logs. Federal civilian agencies must remediate by December 19, 2025; operators should apply vendor fixes, change default credentials, enable logging and monitor for web-layer manipulation and outbound callbacks.
read more →

Windows updates hide password icon on lock screen issue

🔒 Microsoft warned that updates to Windows 11 released since August may make the password sign‑in icon invisible on the lock screen for systems with multiple sign‑in options. The button remains functional — hovering over the blank space reveals the password control. The issue is tied to the non‑security preview KB5064081 and later releases on 24H2/25H2. Microsoft has provided no timeline for a fix and offers no workaround beyond the hover action.
read more →

Legacy Python bootstrap scripts enable PyPI takeover risk

🔍 ReversingLabs discovered legacy bootstrap code in Python packages that fetches and executes an installer from the unclaimed domain python-distribute.org. The zc.buildout bootstrap.py pulls distribute_setup.py, and because the domain is for sale an attacker could acquire it and serve malicious payloads. Packages including tornado and slapos.core still contain the script; it targets Python 2 and is not executed automatically during installation, but its presence increases the supply-chain attack surface if developers run it.
read more →