< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2061 articles · page 73 of 104

Pre-auth RCE in Oracle Identity Manager Forces Patching

⚠️ The Cybersecurity and Infrastructure Security Agency (CISA) added a critical pre-authenticated remote code execution flaw in Oracle Identity Manager (CVE-2025-61757) to its Known Exploited Vulnerabilities catalog after active exploitation was observed. Searchlight Cyber reported that a flawed authentication filter combined with matrix/query parameters lets attackers bypass auth and reach a Groovy compile endpoint, enabling RCE through compile-time annotation processing. Oracle fixed the issue in its October 2025 Critical Patch Update; federal agencies must remediate by December 12, 2025.
read more →

CISA Adds Critical Oracle Identity Manager RCE to KEV

🔴 Oracle Identity Manager is affected by a critical unauthenticated remote code execution flaw, CVE-2025-61757, impacting versions 12.2.1.4.0 and 14.1.2.1.0. Disclosed by Searchlight Cyber on 20 November and reported by Oracle on 21 November, the bug was added to the CISA KEV catalog the same day. The issue resides in the REST WebServices component and carries a CVSS score of 9.8, enabling HTTP access to execute arbitrary code and potentially allowing full takeover. CISA urges immediate patching or isolation of affected services from the public internet.
read more →

Windows 11 24H2 Bug Crashes Explorer and Start Menu

⚠️ Microsoft confirmed a Windows 11, version 24H2 bug in cumulative updates released since July 2025 that causes XAML dependency packages not to register in time, leading Explorer, StartMenuExperienceHost, ShellHost.exe and other shell components to crash or fail to initialize. Microsoft provided three PowerShell Add-AppxPackage commands as a temporary workaround and says a restart is required after running them. Organizations using non-persistent VDI should run a logon script to provision the packages before Explorer launches; a permanent fix is in development with no timeline.
read more →

ShadowPad Delivered via WSUS Exploits CVE-2025-59287

🛡️ A recently patched WSUS deserialization flaw, CVE-2025-59287, has been weaponized to install the ShadowPad backdoor on Windows servers. AhnLab's ASEC reports attackers used PowerCat to spawn a CMD shell and then leveraged certutil and curl to retrieve payloads from 149.28.78.189:42306. ShadowPad was deployed via DLL side-loading of ETDApix.dll by ETDCtrlHelper.exe and runs as an in-memory loader with plugin support, anti-detection, and persistence.
read more →

CISA Adds Oracle Identity Manager Flaw to KEV List

⚠️ CISA has added CVE-2025-61757 to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation targeting Oracle Identity Manager. The flaw, a missing-authentication issue with a CVSS score of 9.8, affects versions 12.2.1.4.0 and 14.1.2.1.0 and was addressed in Oracle's recent quarterly updates. Searchlight Cyber researchers demonstrated that an allow-list bypass using URI tricks such as ?WSDL or ;.wadl can expose protected API endpoints and enable pre-authenticated remote code execution via the groovyscriptstatus endpoint. Federal civilian agencies must apply the patch by December 12, 2025.
read more →

CISA Warns: Oracle Identity Manager RCE Actively Exploited

🚨 CISA has added CVE-2025-61757, a pre-authentication remote code execution vulnerability in Oracle Identity Manager, to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by December 12 under BOD 22-01. The flaw, disclosed by Searchlight Cyber, abuses an authentication bypass in REST APIs by appending parameters such as ?WSDL or ;.wadl to URL paths, exposing a Groovy compilation endpoint. Researchers showed that Groovy's annotation-processing can execute code at compile time, enabling pre-auth RCE. Oracle released a fix on October 21, 2025; CISA warned the issue is being actively exploited.
read more →

Nvidia issues hotfix driver for Windows October update

🔧 Nvidia released the GeForce Hotfix Display Driver 581.94 to address gaming performance regressions reported after the October 2025 Windows update (KB5066835 [5561605]) affecting Windows 11 24H2 and 25H2 systems. The company notes this is a beta hotfix with an abbreviated QA cycle and is provided as-is to deliver targeted fixes more quickly. The driver is available from Nvidia Customer Care for Windows 10 x64 and Windows 11 x64 PCs.
read more →

Microsoft fixes Windows 11 hotpatch reinstall loop

🔁 Microsoft released the KB5072753 out-of-band cumulative update to resolve a known issue that caused the November 2025 hotpatch KB5068966 to repeatedly reinstall on Windows 11, version 25H2 systems. The update is rolling out via Windows Update and supersedes earlier hotpatches, so administrators should deploy KB5072753 instead of KB5068966 if they have not yet applied the November update. Microsoft said the reinstall behavior did not affect system functionality and was mainly noticeable in update-history timestamps.
read more →

Grafana warns of critical admin-spoofing flaw in Enterprise

⚠️ Grafana Labs has disclosed a maximum-severity vulnerability (CVE-2025-41115) in Grafana Enterprise that can allow new SCIM-provisioned users to be treated as administrators or used for privilege escalation. The flaw is only exploitable when SCIM provisioning is enabled and both the 'enableSCIM' feature flag and 'user_sync_enabled' option are true, because numeric SCIM externalId values were mapped directly to internal user.uid values. Affected self-managed Enterprise releases include 12.0.0 through 12.2.1; administrators should upgrade to a patched release (12.3.0, 12.2.1, 12.1.3, or 12.0.6) or disable SCIM. Grafana Cloud and managed services have already received patches.
read more →

Grafana fixes critical SCIM flaw enabling user impersonation

🔒 Grafana has released security updates to address a maximum-severity flaw (CVE-2025-41115) in its SCIM provisioning component that can enable user impersonation or privilege escalation under specific configurations. The issue allows a malicious or compromised SCIM client to provision a user with a numeric externalId that may be mapped to an internal user ID. It affects Grafana Enterprise 12.0.0–12.2.1 and was fixed in 12.0.6+security-01, 12.1.3+security-01, 12.2.1+security-01 and 12.3.0. Grafana discovered the bug during an audit on November 4, 2025 and urges immediate patching.
read more →

CISA Adds Oracle Fusion Middleware CVE to KEV Catalog

🔒 CISA added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-61757, a Missing Authentication for Critical Function issue affecting Oracle Fusion Middleware. The entry was added based on evidence of active exploitation and is identified as a common attack vector that poses significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the specified due date; CISA strongly urges all organizations to prioritize timely remediation and other risk-reduction measures.
read more →

Fortinet Criticized for Silent Patching of Two Zero-Days

⚠️Fortinet has faced criticism for quietly patching two zero-day vulnerabilities in its FortiWeb WAFs before publicly disclosing them. The first, CVE-2025-64446, is rated critical (CVSS 9.4) and involves a GUI path-traversal plus an authentication-bypass flaw; the second, CVE-2025-58034 (CVSS 6.7), is an OS command injection that may allow authenticated code execution. Both fixes were included in the 8.0.2 update on October 28 and have been observed exploited in the wild, prompting calls for greater transparency and urgent patching.
read more →

New SonicWall SonicOS Flaw Lets Attackers Crash Firewalls

⚠️ SonicWall has released patches for a high-severity SonicOS SSLVPN vulnerability (CVE-2025-40601) that can trigger a stack-based buffer overflow and remotely crash Gen7 and Gen8 firewalls. The company says the flaw allows a remote unauthenticated attacker to cause a DoS but reports no active exploitation or public PoC. Fixed versions are 7.3.1-7013+ for Gen7 and 8.0.3-8011+ for Gen8; admins unable to patch should disable SSLVPN or restrict access.
read more →

D-Link Warns of Remote Code Flaws in DIR-878 Routers

⚠️ D-Link has issued an advisory for remotely exploitable command-execution vulnerabilities in its end-of-life DIR-878 router. A researcher using the name Yangyifan (GitHub: yifan20020708) published technical details and proof-of-concept code demonstrating the issues. Four CVEs are listed—three allow unauthenticated remote command execution and one is a USB/physical-access overflow. D-Link recommends replacing EOL units and disabling WAN/remote management until devices are replaced.
read more →

Comet AI Browser's Embedded API Permits Device Access

⚠️ Security firm SquareX disclosed a previously undocumented MCP API inside the AI browser Comet that enables embedded extensions to execute arbitrary commands and launch applications — capabilities mainstream browsers normally block. The API can be triggered covertly from pages such as perplexity.ai, creating an execution channel exploitable via compromised extensions, XSS, MITM, or phishing. SquareX highlights that the analytics and agentic extensions are hidden and cannot be uninstalled, leaving devices exposed by default.
read more →

Festo Didactic: TIA Portal Path Traversal Vulnerability

🔒 Festo reported a path traversal vulnerability in Siemens TIA Portal (V15–V18) as deployed on Festo Didactic hardware. Tracked as CVE-2023-26293 with a CVSS v3.1 base score of 7.8, the flaw can allow creation or overwriting of arbitrary files and could lead to arbitrary code execution if a user opens a crafted project file. The issue requires user interaction and is not remotely exploitable; Festo and CISA recommend applying Siemens updates and following standard protections against malicious files and social engineering.
read more →

iCam365 P201/QC021 Camera: Unauthenticated ONVIF/RTSP Access

🔒 CISA reports that iCam365 ROBOT PT Camera P201 and Night Vision Camera QC021 (versions 43.4.0.0 and prior) allow unauthenticated access to ONVIF and RTSP services. Successful exploitation could expose live video streams and camera configuration data. Two CVEs were assigned (CVE-2025-64770 and CVE-2025-62674), with CISA-calculated CVSS v4 base scores of 7.0 and CVSS v3.1 scores of 6.8. iCam365 did not respond to CISA; recommended mitigations include network isolation, firewalling, and use of secure remote access methods.
read more →

Opto 22 GRV-EPIC and groov RIO: Remote RCE Vulnerability

⚠️ A remotely exploitable OS command injection in the Opto 22 Groov Manage REST API allows attackers with administrative credentials to inject shell commands that execute as root on affected GRV-EPIC and groov RIO devices. The issue is tracked as CVE-2025-13087 and carries a CVSS v4 base score of 7.5. Opto 22 has released firmware 4.0.3 to address the flaw; users should apply the update promptly. CISA also recommends isolating control networks, minimizing Internet exposure, and monitoring API and system logs for suspicious activity.
read more →

Festo MSE6 Devices: Hidden Test-Mode Vulnerability

⚠️ Festo disclosed a hidden test‑mode vulnerability in the MSE6 product family that could be abused by a remote, authenticated low‑privileged attacker. The issue, tracked as CVE-2023-3634, carries a CVSS v3.1 score of 8.8 and may permit complete loss of confidentiality, integrity, and availability. Festo plans documentation updates in the next product release; CISA recommends isolating devices, minimizing network exposure, and using firewalls and secured VPNs as mitigations.
read more →

CISA Issues Six New Industrial Control Systems Advisories

⚠️ CISA released six Industrial Control Systems (ICS) Advisories on 20 November 2025 to inform operators and administrators about current security issues, vulnerabilities, and potential exploits affecting ICS products. The advisories cover affected products including Automated Logic WebCTRL Premium Server, ICAM365 CCTV camera models, Opto 22 GRV‑EPIC/GRV‑RIO, Festo MSE6 and Festo Didactic lines, and Emerson Appleton UPSMON‑PRO. Administrators are encouraged to review each advisory for technical details and mitigations and to apply vendor guidance promptly to reduce operational and safety risk.
read more →