< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2058 articles · page 81 of 103

Critical Flaws in King Addons for Elementor Risk Takeover

⚠️ King Addons for Elementor, installed on over 10,000 WordPress sites, contains two unauthenticated critical vulnerabilities that can enable full site takeover. Patchstack identified an arbitrary file upload (CVE-2025-6327) and a registration-based privilege escalation (CVE-2025-6325) that allow remote attackers to place files in web-accessible directories and create administrative accounts. The vendor released version 51.1.37 to add a role allowlist, input sanitization, upload permission checks and stricter file-type validation — administrators should update immediately and verify whether the 'King Addons Login | Register Form' widget is active.
read more →

CISA and NSA Issue Hardening Guidance for Exchange

🔒 CISA and the NSA, joined by the Australian Cyber Security Centre and the Canadian Centre for Cyber Security, released guidance to harden on-premises and hybrid Microsoft Exchange servers against attacks. The advisory emphasizes stronger authentication, minimized application attack surfaces, robust TLS configurations, and decommissioning unsupported servers after migration to Microsoft 365. It also recommends enabling emergency mitigations and built-in anti-spam and anti-malware protections and restricting administrative access to authorized workstations.
read more →

Brash Exploit Crashes Chromium Browsers via Title API

⚠️ Security researcher Jose Pino disclosed "Brash", a severe flaw in the Blink rendering engine that can crash many Chromium-based browsers within 15–60 seconds via a single malicious URL. The root cause is missing rate limiting on the document.title API, enabling attackers to inject millions of DOM mutations per second and saturate the browser UI thread. Pino describes a three-phase technique — hash generation, burst injection, and UI-thread saturation — and warns the code can be time-triggered to act like a logic bomb. Affected products include Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, Arc, Dia, and some AI browser interfaces; Firefox and Safari are not vulnerable.
read more →

Atlas browser CSRF flaw lets attackers poison ChatGPT memory

⚠️ Researchers at LayerX disclosed a vulnerability in ChatGPT Atlas that can let attackers inject hidden instructions into a user's memory via a CSRF vector, contaminating stored context and persisting across sessions and devices. The exploit works by tricking an authenticated user to visit a malicious page which issues a CSRF request to silently write memory entries that later influence assistant responses. Detection requires behavioral hunting—correlating browser logs, exported chats and timestamped memory changes—since there are no file-based indicators. Administrators are advised to limit Atlas in enterprise pilots, export and review chat histories, and treat affected accounts as compromised until memory is cleared and credentials rotated.
read more →

Chromium Blink flaw crashes Chrome, Edge; exploit published

⚠ A researcher, Jose Pino, published a proof-of-concept on October 29 demonstrating a Blink rendering-engine flaw that can crash Chrome, Microsoft Edge and several other Chromium-based browsers within seconds by flooding document.title updates. Pino says he reported the issue to Google on August 28 and, after no response, released the PoC to force public attention. The exploit saturates the main thread with millions of DOM mutations per second, producing rapid CPU spikes, tab freezes and eventual process termination, and it raises particular concern for headless and automated enterprise workflows.
read more →

CISA Adds Two CVEs to Known Exploited Vulnerabilities

🔔 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-24893 (XWiki Platform eval injection) and CVE-2025-41244 (Broadcom VMware Aria Operations and VMware Tools privilege-defined unsafe actions). Evidence indicates active exploitation and substantial risk to the federal enterprise. Under BOD 22-01, affected FCEB agencies must remediate by required due dates. CISA urges all organizations to prioritize timely remediation as part of routine vulnerability management.
read more →

CISA Releases Microsoft Exchange Server Security Guide

🔐 Today, CISA, in collaboration with the National Security Agency and international partners, published Microsoft Exchange Server Security Best Practices to help defenders harden on-premises Exchange servers against ongoing exploitation. The guidance emphasizes strengthening user authentication and access controls, enforcing robust network encryption, and reducing application attack surfaces through configuration and feature management. CISA also urges organizations to decommission end-of-life or hybrid 'last Exchange' servers after migrating to Microsoft 365 to reduce exposure to continued exploitation.
read more →

Blueprint for Hardening Microsoft Exchange Servers

🔒 CISA, the NSA, and international partners released the Microsoft Exchange Server Security Best Practices blueprint to help administrators of on‑premises and hybrid Exchange environments strengthen defenses against persistent cyber threats. The guidance builds on CISA’s Emergency Directive 25‑02 and emphasizes restricting administrative access, implementing multifactor authentication, enforcing strict transport security, and adopting zero trust principles. It also urges organizations to remediate or replace end‑of‑life Exchange versions, apply recommended mitigations, and consider migrating to cloud-based email to reduce operational complexity and exposure.
read more →

CISA Releases Two ICS Advisories on ISO 15118-2 and TropOS

🛡️ CISA released two Industrial Control Systems advisories addressing the International Standards Organization ISO 15118-2 standard and Hitachi Energy TropOS. The advisories provide timely information on security issues, vulnerabilities, and potential exploits affecting ICS components. Administrators and operators are urged to review the advisories for technical details and recommended mitigations to protect operational environments.
read more →

Hitachi Energy TropOS Command Injection and Privilege Issues

⚠️ Hitachi Energy's TropOS wireless devices contain multiple vulnerabilities — including OS command injection and improper privilege management — that can be exploited remotely by authenticated users to obtain root access. Affected 4th Gen firmware versions up to 8.9.6.0 are vulnerable (CVE-2025-1036, CVE-2025-1037, CVE-2025-1038); CVSS v4 scores reach 8.7. Hitachi Energy advises immediate update to version 8.9.7.0, and CISA recommends isolating devices, minimizing network exposure, and following ICS security best practices.
read more →

ISO 15118-2 SLAC Vulnerability in EV Charging Protocol

🔒 ISO 15118-2-compliant EV charging implementations using the SLAC protocol are vulnerable to spoofed measurements that can enable man‑in‑the‑middle attacks between vehicles and chargers, tracked as CVE-2025-12357 (CVSS v4 7.2). The issue is an improper restriction of communication channel (CWE-923) and may be exploitable wirelessly at close range via electromagnetic induction. ISO recommends using TLS (required in ISO 15118-20) with certificate chaining; CISA advises minimizing network exposure, isolating control networks, and using secure remote access methods.
read more →

Plugin Flaw Lets Subscribers Read Any Server File Now

⚠️ The Anti-Malware Security and Brute-Force Firewall WordPress plugin (versions up to 4.23.81) contains a vulnerability (CVE-2025-11705) that allows low-privileged subscribers to read arbitrary files on the server. The issue is caused by missing capability checks in the GOTMLS_ajax_scan() AJAX handler, enabling attackers who can obtain a nonce to access sensitive files like wp-config.php. The developer released v4.23.83 on October 15, which adds a proper capability check via a new GOTMLS_kill_invalid_user() function; administrators of membership sites should update immediately.
read more →

Microsoft fixes Media Creation Tool on affected PCs again

🛠 Microsoft has restored the Windows 11 Media Creation Tool after reports it failed to run on some up-to-date Windows 10 22H2, Windows 11 25H2 and Arm64 systems following the Windows 11 2025 Update. Microsoft says the issue was resolved in the optional KB5067036 preview update published October 28, 2025, and the updated tool is now available for download. As before, users can also obtain Windows ISO files directly to create bootable media.
read more →

Microsoft fixes 0x800F081F Windows Update failures

🔧 Microsoft has resolved a known issue that caused Windows updates to fail with error code 0x800F081F on Windows 11 24H2 devices. The problem affected systems that installed the KB5050094 January 2025 preview cumulative update and subsequent updates, and Microsoft traced the failures to missing language packs and feature payloads removed by ACR/MCR cleanup. Microsoft acknowledged the issue on October 15 and fixed it in the KB5067036 October 2025 preview update. Administrators who cannot install the optional preview immediately can perform an In‑Place Upgrade via Windows installation media or the Settings > System > Recovery workflow to restore missing components without losing files or apps.
read more →

BSI: Tens of Thousands of German Exchange Servers Vulnerable

⚠️ The German Federal Office for Information Security (BSI) warns that the majority of an estimated 33,000 publicly reachable Microsoft Exchange Server 2016 and 2019 installations still operate without vendor support after 14 October 2025. Without security updates, new critical Exchange vulnerabilities cannot be patched and affected systems may need to be taken offline to avoid compromise. The BSI highlights rapid network-wide compromise and ransomware risk and urges prompt upgrades, migrations, or protective measures such as VPNs or IP restrictions.
read more →

Defending QUIC Against Acknowledgement-Based DDoS Attacks

🔒 Cloudflare patched two QUIC ACK-handling vulnerabilities (CVE-2025-4820, CVE-2025-4821) affecting its open-source quiche library and services using it. The flaws—missing ACK range validation and an Optimistic ACK attack—could let a malicious peer inflate server send rates, driving CPU and network amplification. Cloudflare implemented ACK range enforcement and a dynamic, CWND-aware skip frequency; quiche versions prior to 0.24.4 were affected.
read more →

Active Exploits Target DELMIA Apriso and XWiki — CISA

⚠️ CISA and researchers report active exploitation of critical vulnerabilities in Dassault Systèmes DELMIA Apriso and XWiki, including code injection, missing authorization, and eval injection flaws. Dassault addressed CVE-2025-6204 and CVE-2025-6205 for 2020–2025 releases in August and these issues were added to CISA’s Known Exploited Vulnerabilities catalog. The XWiki flaw (CVE-2025-24893) is being abused in a two-stage chain that stages and later executes a downloader to deliver a cryptocurrency miner. Organizations should apply vendor updates immediately and meet federal remediation deadlines where applicable.
read more →

Windows 11 KB5067036 Preview Adds Administrator Protection

🔒 Microsoft has released the KB5067036 preview cumulative update for Windows 11 24H2 and 25H2, introducing the new Administrator Protection feature alongside a refreshed Start menu. Administrator Protection requires users to verify identity with Windows Hello before permitting actions that require administrative privileges; it is off by default and can be enabled via OMA-URI in Microsoft Intune or Group Policy. The preview also delivers File Explorer and UI enhancements plus a range of bug fixes across authentication, graphics, accessibility and Windows Update reliability. Microsoft reports no known issues with this update.
read more →

TEE.Fail: DDR5 physical interposition exposes CPU TEE keys

🔓 A team of researchers from Georgia Tech, Purdue University and security firm Synkhronix disclosed TEE.Fail, a side‑channel that inspects DDR5 memory traffic to extract secrets from processor TEEs. Using an inexpensive interposition device built from off‑the‑shelf parts for under $1,000, the technique can recover attestation and signing keys from Intel SGX/TDX and AMD SEV‑SNP with Ciphertext Hiding, and can be used to undermine GPU confidential computing. Vendors assert that physical bus attacks remain out of scope.
read more →

CISA Warns of Two Actively Exploited DELMIA Flaws Now

⚠️ CISA has confirmed active exploitation of two vulnerabilities in Dassault Systèmes' DELMIA Apriso: CVE-2025-6205 (critical missing authorization) and CVE-2025-6204 (high-severity code injection). Both flaws were patched by the vendor in early August 2025 and affect Releases 2020 through 2025. Federal agencies must remediate within three weeks under BOD 22-01, and CISA urges all organizations to prioritize vendor mitigations or discontinue use if no fixes exist.
read more →