All news in category “Security Advisory and Patch Watch”

🛡️ CISA issued Emergency Directive 25-03 directing federal civilian agencies to identify and mitigate exploitation of a zero-day affecting Cisco Adaptive Security Appliances (ASA). Agencies must inventory in-scope devices, collect forensic data, and assess compromises using CISA-provided procedures and tools. End-of-support devices must be disconnected and remaining appliances upgraded by 11:59 PM EST on September 26, 2025; CISA will monitor compliance and provide assistance.

🚨 CISA issued Emergency Directive ED 25-03 directing federal agencies to identify, analyze, and mitigate potential compromises of Cisco ASA and Cisco Firepower devices after adding CVE-2025-20333 and CVE-2025-20362 to the Known Exploited Vulnerabilities Catalog. Agencies must inventory all devices (all versions) and collect memory/core dump files for forensic analysis, transmitting them to CISA by 11:59 p.m. EST on Sept. 26. CISA published supplemental guidance, an Eviction Strategies Tool template, and referenced Cisco and UK NCSC analyses to support containment, eviction, and remediation.

🔒 Cisco has issued an urgent advisory about a high-severity SNMP vulnerability (CVE-2025-20352, CVSS 7.7) in IOS and IOS XE Software that has been exploited in the wild. The flaw is a stack overflow in the SNMP subsystem that can allow an authenticated remote attacker to cause a denial-of-service or, with higher privileges, execute arbitrary code as root. Exploitation requires SNMP community strings or valid SNMPv3 credentials and, for code execution, administrative (privilege 15) access. Cisco called out affected devices including Meraki MS390 and Catalyst 9300 series running Meraki CS 17 and earlier, and issued a fix in IOS XE 17.15.4a. There are no full workarounds; administrators should restrict SNMP access, monitor with "show snmp host", and consider excluding affected OIDs where supported.

🔐 Researchers from Binarly disclosed multiple firmware vulnerabilities in Supermicro Baseboard Management Controllers (BMCs) that allow attackers to load unofficial images and install persistent backdoors. A bypass for a previously patched issue (CVE-2024-10237) and a new flaw (CVE-2025-6198) let adversaries manipulate signed regions so digests and signatures still validate. A related confirmed issue is tracked as CVE-2025-7937. Supermicro has released firmware updates; administrators must identify affected models and apply fixes promptly.

🛡️ Cisco released security updates addressing a high-severity zero-day, tracked as CVE-2025-20352, in IOS and IOS XE. The flaw is a stack-based buffer overflow in the SNMP subsystem that allows authenticated remote attackers with low privileges to trigger DoS, and high-privileged actors to execute code as root on affected devices. Cisco reports exploitation in the wild after Administrator credentials were compromised and urges customers to upgrade; as a temporary mitigation it recommends limiting SNMP access to trusted users.

🔒 Rapid7 disclosed an unpatched vulnerability in OnePlus's OxygenOS (CVE-2025-10184) that allows any installed app to access SMS content and metadata without SMS permissions. The fault arises from modified Telephony content providers whose manifests omit a required write permission and accept unsanitized input. By abusing a blind SQL-injection vector an attacker can infer SMS text one character at a time. OnePlus has acknowledged the report and is investigating; users should minimize installed apps and avoid SMS-based 2FA.

⚠️ Trend Micro disclosed two critical authentication-bypass vulnerabilities in Wondershare RepairIt that exposed private user files, AI models, and build artifacts due to embedded overly permissive cloud tokens and unencrypted storage. The flaws, tracked as CVE-2025-10643 (CVSS 9.1) and CVE-2025-10644 (CVSS 9.4), allow attackers to circumvent authentication and potentially execute arbitrary code via supply-chain tampering. Trend Micro reported the issues through ZDI in April 2025 and warns users to restrict interaction with the product until a vendor fix is issued.

🔒 Researchers disclosed two critical vulnerabilities in Lovense remote-control software that exposed real user email addresses and allowed attackers to generate authentication tokens using only an email, without passwords. Combined, these flaws enabled account takeover across multiple products including Lovense Remote, Lovense Connect and streaming extensions. Reported in spring 2025, fixes were delayed and fully applied only after public disclosure; users should consider separate emails and strong, unique passwords.

🔒 Wiz has observed in-the-wild exploitation attempts of CVE-2025-51591, an SSRF in Pandoc that renders iframe tags and can direct them at the AWS Instance Metadata Service (IMDS). Attackers submitted crafted HTML aiming to access 169.254.169.254 to exfiltrate temporary IAM metadata and EC2 credentials. Attempts seen from August and continuing for weeks were blocked where IMDSv2 was enforced. Administrators should mitigate by using Pandoc's -f html+raw_html or --sandbox options, enforce IMDSv2, and apply least-privilege roles.

⚠️ Libraesva has released an urgent update to address a command injection vulnerability in its ESG email security product that is being exploited by state‑sponsored actors. Tracked as CVE-2025-59689 with a CVSS score of 6.1, the flaw is triggered by a malicious compressed attachment and can execute arbitrary commands as a non‑privileged user. Users should upgrade affected versions (4.5–5.5.x before 5.5.7) to the patched releases immediately.

🔒SolarWinds has issued a third patch for a critical Java deserialization vulnerability in its Web Help Desk product. The vendor describes the new advisory as a patch bypass of CVE-2024-28988, which itself bypassed CVE-2024-28986, and has designated the latest issue CVE-2025-26399. The underlying unsafe Java deserialization flaw in the AjaxProxy component can permit unauthenticated remote code execution and is rated 9.8/10 on the CVSS scale.

🔒 Cybersecurity researchers disclosed two medium-severity vulnerabilities in Supermicro Baseboard Management Controller (BMC) firmware that allow crafted images to bypass signature verification and install malicious firmware. The issues, tracked as CVE-2025-7937 (CVSS 6.6) and CVE-2025-6198 (CVSS 6.4), exploit manipulation of embedded validation tables — fwmap and sig_table — to trick the verification logic into accepting unsigned regions. Binarly reported the findings, detailed how the auth_bmc_sig flow on an X13SEM-F board can be subverted, and recommends rotating signing keys, hardening validation logic, and applying vendor firmware updates promptly.

⚠ Libraesva issued an emergency update for ESG to fix a command injection vulnerability (CVE-2025-59689) triggered by a specially crafted compressed email attachment. The flaw allowed arbitrary shell commands to run as a non-privileged user and was confirmed exploited by actors believed to be state-sponsored. Fixed releases were auto-deployed to cloud and on-premise customers; end-of-life versions require manual upgrades.

🔒 SolarWinds has released a hotfix addressing a critical unauthenticated remote code execution vulnerability in Web Help Desk tracked as CVE-2025-26399. The flaw affects WHD 12.8.7 and is caused by unsafe deserialization in the AjaxProxy component, described as a patch bypass of earlier CVE-2024-28986/28988 fixes. Administrators should obtain the hotfix from the SolarWinds Customer Portal and follow the vendor’s JAR replacement steps promptly.

🛡️ SonicWall has released firmware 10.2.2.2-92sv for the SMA 100 series that adds additional file checking and the ability to remove known user‑mode rootkit malware. The update targets the OVERSTEP rootkit observed by Google's GTIG and is recommended for SMA 210, 410, and 500v customers. SonicWall urges immediate upgrade and adherence to earlier mitigations, including credential resets and forensic review.

🔧 SolarWinds has released a hotfix to address a critical deserialization vulnerability in Web Help Desk that affects versions up to 12.8.7, tracked as CVE-2025-26399 (CVSS 9.8). The unauthenticated AjaxProxy flaw can enable remote command execution on vulnerable hosts if exploited. An anonymous researcher working with the Trend Micro Zero Day Initiative reported the issue. SolarWinds recommends immediate upgrade to 12.8.7 HF1 to mitigate risk.

⚠️ CISA has added CVE-2025-10585, a Google Chromium V8 type confusion vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of flaw is a common browser attack vector and poses substantial risk to browsers and systems that embed V8. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged vulnerabilities by required due dates; CISA strongly urges all organizations to prioritize timely remediation and continued vigilance.

🔒 AutomationDirect has disclosed multiple vulnerabilities in the CLICK PLUS series affecting firmware releases prior to v3.71. Issues include cleartext credential storage, a hard-coded AES key, an insecure RSA implementation, a predictable PRNG seed, authorization bypasses, and resource exhaustion flaws. CVSS v4 severity reaches 8.7 for the most critical cryptographic and key-generation weaknesses. AutomationDirect and CISA recommend updating to v3.80 and applying network isolation, access restrictions, logging, and endpoint protections until patches are deployed.

⚠ Schneider Electric has released an update addressing a link‑following vulnerability (CVE‑2025‑5296) in SESU that could allow an authenticated, low‑privileged actor to write arbitrary data to protected locations. The issue, rated CVSS v3.1 base score 7.3, affects SESU versions prior to 3.0.12 and numerous Schneider Electric products that bundle SESU. Version 3.0.12 contains the fix; apply the update or restrict access to the installation directory and follow CISA mitigation guidance.

🔒 CISA published an advisory summarizing lessons learned from an incident response engagement after its endpoint detection and response tool detected potential malicious activity. The guidance emphasizes expedited patching—highlighting exploitation of GeoServer CVE-2024-36401—alongside strengthened incident response planning and enhanced threat monitoring. Organizations are urged to prioritize fixes for public-facing systems, test response playbooks, and implement centralized logging to improve detection and reduce exposure.