All news in category “Security Advisory and Patch Watch”

🔴 A critical out-of-bounds write vulnerability (CVE-2025-9242) in WatchGuard Fireware OS could allow remote code execution via IKEv2 mobile VPN and Branch Office VPN when configured with dynamic gateway peers. Affected releases include Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3 and 2025.1, and WatchGuard warns devices previously configured with these peers may remain vulnerable. Shadowserver estimates over 71,000 potentially exposed devices; WatchGuard and the US NVD have published advisories and guidance, and a temporary workaround plus narrower BOVPN access policies are recommended if immediate upgrades are not possible.

🛡️ Cisco Talos warns that Microsoft 365 Exchange Online’s Direct Send feature, intended for legacy devices and line‑of‑business appliances, is being abused to bypass standard authentication and content inspection. Attackers are leveraging these unauthenticated SMTP flows in phishing and BEC campaigns by impersonating internal users and embedding obfuscated lures such as QR codes and empty‑body messages. Talos recommends a phased approach — inventorying dependencies, migrating devices to authenticated SMTP or partner connectors, and validating mailflows before enabling RejectDirectSend — to reduce risk without disrupting critical workflows.

🔧 Microsoft released an out-of-band cumulative update, KB5070773, to restore USB mouse and keyboard functionality in the Windows Recovery Environment (WinRE) after October 2025 security updates disabled USB input in recovery on affected client and server builds. The patch began rolling out on October 20, 2025 and Microsoft recommends installing the latest updates. If a device cannot boot to install the patch, workarounds include using a touchscreen’s touch keyboard, connecting PS/2 peripherals, or booting from a previously created USB recovery drive.

⚠ After installing the October 14, 2025 security update KB5066835, USB-wired mice and keyboards do not function in the Windows Recovery Environment (WinRE), Microsoft confirmed. The devices continue to operate normally inside the Windows OS, but WinRE navigation is blocked, affecting Windows 11 (24H2, 25H2) and Windows Server 2025. Microsoft is working on a fix expected in the coming days; meanwhile users can rely on Bluetooth peripherals or legacy PS/2 input devices as a workaround.

⚠️ CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming CVE-2025-61884 — an SSRF in the Runtime component of Oracle E-Business Suite — is being weaponized in the wild. The agency warns CVE-2025-61884 is remotely exploitable without authentication and follows active exploitation of CVE-2025-61882, a critical RCE bug. The KEV update also includes high-severity issues in Microsoft Windows SMB Client, Kentico Xperience CMS, and Apple JavaScriptCore, and FCEB agencies must remediate them by November 10, 2025.

⚠️ Nearly 76,000 WatchGuard Firebox network appliances exposed on the public internet remain vulnerable to CVE-2025-9242, a critical (9.3) out-of-bounds write in the iked process that handles IKEv2 VPN negotiations. The flaw can be exploited without authentication by sending specially crafted IKEv2 packets to devices configured with dynamic gateway peers, potentially enabling remote code execution. WatchGuard has published patched releases and urges administrators to upgrade to supported versions immediately; 11.x is end-of-support and will not receive fixes.

🔒 CISA warns that threat actors are actively exploiting a high-severity Windows SMB vulnerability tracked as CVE-2025-33073, which can allow elevation to SYSTEM on unpatched machines. Microsoft patched the flaw in its June 2025 Patch Tuesday release, citing an improper access control weakness that can be abused over a network. The bug affects Windows Server, Windows 10 and Windows 11 up to 24H2. Federal agencies must remediate within three weeks under BOD 22-01, and all organizations are urged to apply the update immediately.

🔒 Microsoft warns the October 2025 Windows security updates are causing smart card authentication and certificate failures by switching RSA-based smart card certificates to use KSP instead of CSP. Affected systems may report errors such as "invalid provider type specified" or "CryptAcquireCertificatePrivateKey error" and Event ID 624 in the Smart Card Service log. Microsoft provides a manual workaround: set the DisableCapiOverrideForRSA registry value to 0, back up the registry first, then restart. This impacts Windows 10, Windows 11 and Windows Server releases; the company says the key will be removed in April 2026 and urges customers to work with application vendors to resolve compatibility.

🚨 CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation: CVE-2022-48503 (Apple), CVE-2025-2746 and CVE-2025-2747 (Kentico Xperience Staging Sync Server), CVE-2025-33073 (Microsoft Windows SMB Client), and CVE-2025-61884 (Oracle E-Business Suite SSRF). These flaws include authentication bypasses, improper access control, and SSRF, which are frequent attack vectors and pose significant risks. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate identified KEV items by the required due dates; CISA strongly urges all organizations to prioritize timely remediation as part of their vulnerability management practice.

🔒 Enterprises' network edge devices — firewalls, VPNs, routers, and email gateways — are increasingly being exploited due to longstanding 1990s‑era flaws such as buffer overflows, command and SQL injections. Researchers tracked dozens of zero‑day exploits in 2024 and continuing into 2025 that affected vendors including Fortinet, Palo Alto Networks, Cisco, Ivanti, and others. These appliances are attractive targets because they are remotely accessible, often lack endpoint protections and centralized logging, and hold privileged credentials, making them common initial access vectors for state‑affiliated actors and ransomware groups.

🔒 ConnectWise released a security update for Automate to fix two vulnerabilities including a critical 9.6-severity flaw (CVE-2025-11492) that can cause agents to use cleartext HTTP, enabling adversary-in-the-middle (AiTM) interception or modification of commands, credentials, and update payloads. A second 8.8-severity issue (CVE-2025-11493) omits integrity verification for update packages, allowing substituted malicious files. Cloud instances are patched to release 2025.9; on-premise administrators are urged to install the update within days.

🔒 Microsoft patched a critical HTTP request smuggling vulnerability (CVE-2025-55315) in the Kestrel ASP.NET Core web server, which Microsoft described as the highest-severity ASP.NET Core flaw ever. An authenticated attacker could smuggle an additional HTTP request to hijack other users' credentials, bypass front-end security controls, or impact integrity and availability. Microsoft released updates for Visual Studio 2022, ASP.NET Core 2.3, 8.0 and 9.0 and advised developers to apply updates, recompile where required, and restart or redeploy affected applications.

🔧 Microsoft has fixed a known issue that broke HTTP/2 connections to localhost (127.0.0.1) and caused IIS sites to fail after recent Windows security updates. Affected systems included Windows 11 and Windows Server 2025, producing errors like “ERR_CONNECTION_RESET” and “ERR_HTTP2_PROTOCOL_ERROR”. Microsoft recommends checking Windows Update and restarting; it also enabled a Known Issue Rollback (KIR) for most home and non-managed devices, while enterprise admins can deploy a KIR group policy until a permanent update ships.

⚠️Microsoft patched a critical ASP.NET Core vulnerability in the built‑in Kestrel web server and assigned it a CVSS score of 9.9, the highest rating the vendor has ever issued. Tracked as CVE-2025-55315, the flaw enables authenticated attackers to use HTTP request smuggling to bypass security checks and could allow actions such as logging in as another user, bypassing CSRF protections, or performing injection attacks. Microsoft advises updating affected runtimes or rebuilding and redeploying self‑contained apps, while noting that reverse proxies or gateways may already mitigate exposure.

🔒 Researchers disclosed a recently patched critical vulnerability in WatchGuard Fireware (CVE-2025-9242, CVSS 9.3) that can allow unauthenticated attackers to execute arbitrary code via an out-of-bounds write in the iked process. The flaw affects multiple Fireware branches, including 11.10.2 through 11.12.4_Update1 (EOL noted for 11.x), 12.0 through 12.11.3 and 2025.1, and has been fixed across several updates such as 2025.1.1 and 12.11.4. Administrators are urged to apply the vendor updates immediately, limit internet exposure of VPN interfaces, and follow vendor mitigation guidance until patches are deployed.

⚠️ Microsoft’s October Windows 11 updates (notably KB5066835 and the September preview KB5065789) have disrupted HTTP/2 connections to localhost (127.0.0.1), preventing local services and developer tools from completing requests. Users report errors such as "ERR_CONNECTION_RESET" and "ERR_HTTP2_PROTOCOL_ERROR" when applications attempt to connect to the loopback interface. Affected software includes Visual Studio debugging, SSMS Entra ID authentication, and Duo Desktop; community workarounds include disabling HTTP/2 via Registry entries or uninstalling the problematic updates.

⚠️Threat actors exploited a recently patched SNMP remote code execution flaw (CVE-2025-20352) in older Cisco IOS and IOS XE devices to deploy a persistent Linux rootkit. Trend Micro reports the campaign targeted unprotected 9400, 9300 and legacy 3750G switches and has been tracked as Operation Zero Disco, named for the universal password that contains 'disco'. The implant can disable logging, bypass AAA and VTY ACLs, hide running-configuration items and enable lateral movement; researchers recommend low-level firmware and ROM-region checks when compromise is suspected.

🔒 Gladinet released an urgent update for its CentreStack business solution to fix a local file inclusion flaw tracked as CVE-2025-11371, which was abused in the wild as a zero-day. The LFI allowed attackers to read Web.config, extract the ASP.NET machine key, and then leverage a prior deserialization RCE (CVE-2025-30406) to achieve remote code execution. Administrators should upgrade to CentreStack version 16.10.10408.56683 immediately; if patching is not possible, disable the temp handler in Web.config for the UploadDownloadProxy component as a temporary mitigation.

🔒 Trend Micro detailed a campaign exploiting CVE-2025-20352 that installed Linux rootkits on exposed Cisco switches and routers, enabling persistent unauthorized access. The attackers combined an SNMP remote code execution with a modified Telnet flaw (based on CVE-2017-3881) to read and write device memory and deploy fileless backdoors. Affected models include Cisco 9400, 9300 and legacy 3750G series. Device owners should apply Cisco patches, disable or harden SNMP and restrict management access.

🚨 CISA has added a maximum-severity vulnerability in Adobe Experience Manager (AEM) Forms to its Known Exploited Vulnerabilities Catalog after confirming active exploitation. Tracked as CVE-2025-54253, the flaw is an authentication bypass via Struts DevMode that can result in unauthenticated remote code execution on AEM JEE 6.5.23 and earlier. Adobe released fixes on August 9 after public proof-of-concept code appeared; CISA requires federal agencies to remediate by November 5 and urges all organizations to prioritize patching, apply vendor mitigations, or restrict Internet access to affected AEM Forms deployments.