All news in category “Security Advisory and Patch Watch”

🔒 CISA added a critical vulnerability affecting the Sudo utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaw, CVE-2025-32463 (CVSS 9.3), impacts Sudo versions prior to 1.9.17p1 and can be abused via the -R (--chroot) option to execute arbitrary commands as root, bypassing sudoers. Four additional flaws were also added to the KEV list. Agencies and organizations are advised to apply mitigations and updates by October 20, 2025 and upgrade or implement compensating controls immediately.

⚠️ CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on Sept. 29, 2025, citing evidence of active exploitation. The newly listed issues are CVE-2021-21311 (Adminer SSRF), CVE-2025-20352 (Cisco IOS/IOS XE stack overflow), CVE-2025-10035 (Fortra GoAnywhere deserialization), CVE-2025-59689 (Libraesva command injection), and CVE-2025-32463 (sudo untrusted-control vulnerability). Federal Civilian Executive Branch agencies must remediate these under BOD 22-01, and CISA urges all organizations to prioritize timely fixes as part of standard vulnerability management.

⚠️ Cisco reported active exploitation of multiple zero-day vulnerabilities in ASA and FTD software by a state-sponsored actor tracked as ArcaneDoor. Two CVEs (CVE-2025-20333 and CVE-2025-20362) are being exploited in the wild and a third (CVE-2025-20363) is at high risk for imminent exploitation. Cisco released updates on Sep. 25, 2025, and CISA issued Emergency Directive 25-03; organizations should prioritize immediate patching or apply vendor mitigations when updates are not yet possible.

🔧 Microsoft is investigating a known issue that prevents users of the classic Outlook for Windows from opening OMEv2-encrypted emails sent from a different organization, producing the error message "Configuring your computer for Information Rights Management." As a temporary workaround, administrators can either exclude external users from Conditional Access requirements or enable cross-tenant trust for MFA claims in the Microsoft Entra admin center. Enabling cross-tenant trust is the recommended and easiest option, but both sending and receiving tenants must apply it for full cross-tenant compatibility.

⚠️ Fortra's GoAnywhere MFT is being exploited in the wild via a deserialization flaw tracked as CVE-2025-10035 in the License Servlet, enabling unauthenticated remote command injection when attackers supply a forged license response signature. WatchTowr Labs reports credible evidence of exploitation dating back to September 10, 2025, prior to Fortra's advisory published on September 18. Administrators should apply patches to 7.8.4 or 7.6.3, remove public Admin Console exposure, and search logs for the error string 'SignedObject.getObject'.

🔧 Microsoft released the final non-security preview update for Windows 10 22H2 (KB5066198), delivering fixes for the out-of-box experience and SMBv1 connectivity over NetBIOS over TCP/IP (NetBT). This optional cumulative update lets administrators test improvements before they roll into the next month’s Patch Tuesday and raises systems to build 19045.6396. KB5066198 also resolves an Autopilot Enrollment Status Page (ESP) OOBE loading issue and includes prior fixes for unexpected UAC prompts and NDI streaming performance regressions. Install via Windows Update by choosing 'Download and install' for optional updates or obtain the package from the Microsoft Update Catalog.

🔴 watchTowr Labs reports credible evidence that the critical unsafe deserialization flaw CVE-2025-10035 in Fortra GoAnywhere MFT was exploited in the wild as early as Sept 10, 2025, a week before public disclosure. The License Servlet vulnerability can permit unauthenticated command injection, earning a CVSS 10.0 rating. Fortra has released fixes (GoAnywhere 7.8.4 and Sustain 7.6.3); affected organizations should apply updates immediately and investigate for signs of compromise.

🛡️ The U.K. NCSC and Cisco confirmed active exploitation of recently disclosed vulnerabilities in Cisco Secure Firewall ASA devices that allowed deployment of previously undocumented malware families, notably RayInitiator and LINE VIPER. Cisco traced attacks beginning in May 2025 that targeted ASA 5500‑X appliances (running ASA 9.12/9.14 with VPN web services enabled), using multiple zero-day flaws to bypass authentication and execute code. Attackers employed a persistent GRUB bootkit, ROMMON modifications on non‑Secure Boot platforms, and extensive evasion techniques — disabling logging, intercepting CLI, and crashing devices — to maintain stealth and persistence. Organizations are urged to apply vendor fixes, migrate off end‑of‑support models, and monitor for indicators of compromise.

🛡️ Microsoft Threat Intelligence has identified a new variant of the XCSSET macOS infostealer that has appeared in limited attacks and specifically targets Xcode projects. The variant expands capabilities to steal Firefox data using a modified HackBrowserData build, hijack the clipboard to replace cryptocurrency addresses, and employ new persistence techniques. It spreads by infecting shared Xcode project files so malicious code runs when a project is built. Microsoft says the campaign is not widespread and has notified Apple and GitHub while advising developers to inspect projects and keep macOS and apps up to date.

🔴 A critical zero-day vulnerability (CVE-2025-20363) in Cisco firewall and IOS families requires immediate patching, US CISA and the UK NCSC warned. Cisco says the flaw is caused by improper validation of user-supplied HTTP input and can allow remote arbitrary code execution as root when exploited. Affected products include Cisco Secure Firewall ASA, FTD, and certain IOS/IOS XE/IOS XR builds; Cisco has released fixes and advises there are no viable workarounds.

🔒 Researchers have published details of two high-severity vulnerabilities in Supermicro BMC firmware — CVE-2025-7937 and CVE-2025-6198 — each rated CVSS 7.2. Both flaws weaken firmware validation and the implementation of the Root of Trust, allowing an attacker with administrative access to install or manipulate signed firmware and gain persistent, low-level control of affected servers. Binarly found one issue while testing Supermicro’s January patch for a related flaw and advises prompt patching, strict firmware integrity checks, and enabling hardware RoT where available to mitigate risk.

⚠️ Cisco has warned of a stack overflow vulnerability in the SNMP subsystem of IOS and IOS XE software identified as CVE-2025-20352. A low-privileged authenticated attacker can send a crafted SNMP packet to cause a system reload and a denial-of-service, while a high-privileged actor could achieve root-level arbitrary code execution. Administrators are urged to apply vendor patches immediately and restrict SNMP access until systems are updated.

⚠️ Cisco is urging customers to immediately patch two zero-day vulnerabilities affecting the VPN web server in Cisco Secure Firewall Adaptive Security Appliance (ASA) and FTD software after observing exploitation in the wild. CVE-2025-20333 (CVSS 9.9) allows an authenticated VPN user to execute arbitrary code as root; CVE-2025-20362 (CVSS 6.5) permits unauthenticated access to restricted URL endpoints. CISA has issued Emergency Directive ED 25-03, added both flaws to the Known Exploited Vulnerabilities catalog with a 24-hour mitigation requirement, and warned of a widespread campaign linked to the ArcaneDoor/UAT4356 cluster that can modify ASA ROM to persist.

🔔 CISA has issued Emergency Directive 25-03 requiring Federal Civilian Executive Branch agencies to remediate two actively exploited Cisco vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in ASA and FTD devices. Agencies must inventory appliances, collect forensics, disconnect compromised and end-of-support devices, and apply patches by the stated deadlines. Cisco links the exploitation to the ArcaneDoor campaign, which leverages ROMMON manipulation and in-memory backdoors to maintain persistence.

⚠️ Cisco has warned customers of two actively exploited zero-day vulnerabilities affecting Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software. CVE-2025-20333 enables authenticated attackers to execute arbitrary code remotely, while CVE-2025-20362 allows remote access to restricted URL endpoints without authentication. Cisco's PSIRT reported attempted exploitation and strongly recommends upgrading to fixed software releases.

⚠️ Researchers at Noma Security disclosed a critical 9.4-severity vulnerability called ForcedLeak that affected Salesforce's AI agent platform AgentForce. The chain used indirect prompt injection via Web-to-Lead form fields to hide malicious instructions within CRM data, enabling potential theft of contact records and pipeline details. Salesforce has patched the issue by enforcing Trusted URLs and reclaiming an expired domain used in the attack proof-of-concept. Organizations are advised to apply updates, audit lead data for suspicious entries, and strengthen real-time prompt-injection detection and tool-calling guardrails.

⚠️ Salesforce has released patches for a critical prompt-injection vulnerability dubbed ForcedLeak that could allow exfiltration of CRM data from Agentforce. Discovered and reported by Noma Security on July 28, 2025 and assigned a CVSS score of 9.4, the flaw affects instances using Web-to-Lead when input validation and URL controls are lax. Researchers demonstrated a five-step chain that coerces the Description field into executing hidden instructions, queries sensitive lead records, and transmits the results to an attacker-controlled, formerly allowlisted domain. Salesforce has re-secured the expired domain and implemented a Trusted URL allowlist to block untrusted outbound requests and mitigate similar prompt-injection vectors.

🔒 A critical vulnerability in Salesforce Agentforce allowed malicious text placed in Web-to-Lead forms to act as an indirect prompt injection, tricking the AI agent into executing hidden instructions and potentially exfiltrating CRM data. Researchers at Noma Security showed attackers could embed multi-step payloads in a 42,000-character description field and even reuse an expired whitelisted domain as a data channel. Salesforce patched the issue on September 8, 2025, by enforcing Trusted URL allowlists, but experts warn that robust guardrails, input mediation, and ongoing agent inventorying are needed to mitigate similar AI-specific risks.

🔔 CISA released one Industrial Control Systems advisory on September 25, 2025 addressing Dingtian DT-R002. The advisory, ICSA-25-268-01, provides technical details on identified vulnerabilities and recommended mitigations for affected ICS devices. Administrators and operators are encouraged to review the advisory promptly and apply mitigations to reduce operational risk. This product is provided subject to CISA's Notification and Privacy & Use policies.

⚠️ CISA warns that the Dingtian DT-R002 relay board contains two Insufficiently Protected Credentials vulnerabilities (CVE-2025-10879, CVE-2025-10880) that allow unauthenticated attackers to retrieve a username and extract the proprietary protocol password. Both flaws affect all versions, are remotely exploitable with low complexity, and carry CVSS v4 base scores of 8.7. Dingtian has not engaged with CISA; users should restrict HTTP (TCP/80) and the Dingtian protocol on UDP/60000–60001, isolate devices from the internet, and follow ICS defensive best practices.