All news in category “Security Advisory and Patch Watch”

⚠️ Schneider Electric disclosed a cross-site scripting flaw (CWE-79) affecting numerous Altivar drives, the ATVdPAC communication module, and the ILC992 InterLink Converter. Tracked as CVE-2025-7746, the issue is remotely exploitable with low attack complexity and can allow an attacker to read or modify data via device web interfaces. Schneider has released a fix for the ATVdPAC (Version 25.0) and recommends disabling webservers when not needed, segmenting networks, blocking HTTP/port 80 access, and using VPNs until further patches are provided.

🔔 CISA released eight Industrial Control Systems advisories on September 16, 2025, providing technical descriptions of vulnerabilities and vendor mitigations. The advisories affect products from Schneider Electric, Hitachi Energy, Siemens, and Delta Electronics, and include issues ranging from OpenSSL-related flaws to product-specific defects. One advisory is an update for Galaxy VS/VL/VXL (ICSA-25-140-07 Update A). Administrators are urged to review the advisories and apply recommended mitigations promptly to reduce operational risk.

🔔 Siemens ProductCERT and CISA report multiple integer overflow vulnerabilities (CVE-2021-41990, CVE-2021-41991) affecting a broad set of SIMATIC NET CP, SINEMA and SCALANCE devices. Exploitation can cause denial-of-service by triggering integer wraparound; remote code execution is considered unlikely. Siemens provides firmware fixes and workarounds; operators should apply vendor updates, restrict network exposure and follow Siemens operational security guidance.

🔒 Siemens products that include vulnerable OpenSSL libraries are affected by an out-of-bounds read (CVE-2021-3712) that may be exploited remotely and carries a CVSS v3.1 base score of 7.4. A broad set of industrial networking and automation devices — including SCALANCE, RUGGEDCOM, SIMATIC, SINEMA, SINUMERIK, TIA and Industrial Edge apps — are listed as impacted. OpenSSL fixes are available in 1.1.1l and 1.0.2za; Siemens has published product updates and mitigations where possible. CISA and Siemens recommend applying vendor-supplied updates, minimizing network exposure, isolating control networks, and using secure remote access until fixes are deployed.

🔒 Siemens ProductCERT disclosed multiple high-severity vulnerabilities affecting devices that use Apache HTTP Server components, including RUGGEDCOM, SINEC NMS, and SINEMA. CVE-2021-34798, CVE-2021-39275, and CVE-2021-40438 carry CVSSv3 scores up to 9.8 and can be exploited remotely with low attack complexity. Siemens has published updates for some products (for example, SINEC NMS V1.0.3 and SINEMA Remote Connect Server V3.1), while other platforms currently have no fix planned. CISA advises restricting access to affected systems and following Siemens ProductCERT guidance.

🔒 ESET researchers have identified a new ransomware strain named HybridPetya that mimics the Petya/NotPetya family while adding UEFI-targeting capabilities. The malware weaponizes CVE-2024-7344 to bypass UEFI Secure Boot on unpatched systems, enabling persistent bootkit-style compromise. HybridPetya is not currently observed spreading in the wild but represents at least the fourth known bootkit with Secure Boot bypass functionality.

🛡️ Apple has backported a fix for CVE-2025-43300, an ImageIO out-of-bounds write that can cause memory corruption and has been observed in an extremely sophisticated, targeted spyware campaign. The flaw (CVSS 8.8) was reportedly chained with a WhatsApp vulnerability (CVE-2025-55177, CVSS 5.4) in attacks against fewer than 200 individuals. Patches were issued for current releases and older OS builds — including iOS 16.7.12 and iOS 15.8.5 device backports — and distributed across macOS, tvOS, visionOS, watchOS, Safari, and Xcode. Users and administrators should install the available updates immediately to ensure protection.

⚠️ Researchers at ETH Zürich and Google disclosed a RowHammer variant named Phoenix (CVE-2025-6202) that reliably induces bit flips on SK Hynix DDR5 devices and bypasses on-die ECC and advanced TRR protections. The team demonstrated an end-to-end privilege escalation on a production desktop with default DDR5 settings in as little as 109 seconds. Phoenix takes advantage of refresh intervals that mitigation logic does not sample, enabling flips across DIMM stacks produced between 2021 and 2024. Because DRAM chips cannot be updated in the field, the researchers recommend increasing the DRAM refresh rate to 3× as an immediate mitigation and urge vendors to pursue firmware and hardware countermeasures.

🔒 Apple published iOS 26, iPadOS 26 and macOS 26 updates that patch multiple vulnerabilities but did not report active exploitation. The releases address 27 defects in iOS/iPadOS and 77 in macOS, and also include fixes across Safari, watchOS, visionOS and Xcode. Users who prefer not to upgrade to the year-numbered releases can apply security-only updates — iOS 18.7, iPadOS 18.7 or macOS 15.7 — while many devices from 2019 or earlier are not supported. Trend Micro’s Dustin Childs said he saw no sign of active exploitation in this batch, though macOS fixes for PackageKit and StorageKit are notable because exploitation could yield root privileges.

⚠ A critical remote code execution flaw, CVE-2025-5086, has been observed being exploited in the wild against Delmia Apriso, Dassault Systèmes' manufacturing operations platform. CISA added the issue to its Known Exploited Vulnerabilities catalog with a CVSS score of 9.0, yet the vendor has provided minimal public guidance. Researchers report exploit scans and a circulating sample that was detected by only one AV engine, underscoring urgent patching challenges for manufacturers.

🧨 Researchers have developed Phoenix, a new Rowhammer variant that defeats DDR5 TRR protections on SK Hynix modules by synchronizing and self-correcting against missed refresh intervals. After reverse-engineering TRR behavior, the team identified refresh slots that were not sampled and used precise hammering patterns covering 128 and 2,608 refresh intervals to flip bits. In tests they flipped bits across all tested DIMMs and produced a working privilege-escalation exploit, achieving a root shell on commodity DDR5 systems in under two minutes. The authors published an academic paper and an FPGA-based repository with experiments and proof-of-concept code.

🔬 Google funded and collaborated on open-source DDR5 Rowhammer test platforms and academic research to evaluate current in-DRAM mitigations. Working with Antmicro and ETH Zurich, the team produced FPGA-based RDIMM and SO‑DIMM testers and used them to discover the Phoenix attack family, which includes a self-correcting refresh synchronization technique that can bypass enhanced TRR on some DDR5 modules. Google also led JEDEC standardization work on PRAC to enable deterministic row-activation counting and continues to share tools and findings to improve defenses.

🔧 Microsoft has removed a safeguard hold that blocked upgrades to Windows 11 24H2 on devices running Dirac audio enhancement software after reports that the component cridspapo.dll caused integrated speakers and Bluetooth audio devices to stop working. A new driver is available via Windows Update and Microsoft recommends installing the latest security update; restarting the device may speed the offering. The safeguard hold was lifted on September 11, 2025, but other upgrade blocks remain for unrelated driver and software incompatibilities.

⚠️Microsoft confirmed that the September 2025 Windows security updates can break connections to SMBv1 shares when NetBIOS over TCP/IP (NetBT) is used. The issue affects client releases (Windows 11 24H2/23H2/22H2, Windows 10 22H2/21H2) and server releases (Windows Server 2025, 2022) and may occur if either the SMB client or server has the update. As a temporary workaround, administrators are advised to allow SMB traffic on TCP port 445 so Windows can switch from NetBT to TCP. Microsoft is investigating and developing a fix.

📸 Samsung disclosed a critical remote code execution vulnerability in a closed-source image-parsing library, libimagecodec.quram.so, supplied by Quramsoft that affects devices running Android 13–16. The out-of-bounds write (CVE-2025-21043, CVSS 8.8) can be triggered by a specially crafted image and has been exploited in the wild. Messaging apps are a likely vector and the flaw can operate as a zero-click backdoor. Samsung released an SMR Sep-2025 Release 1 patch; enterprises should prioritize deployment.

🔒 Researchers have demonstrated VMScape, a Spectre-like branch target injection attack that breaks guest-to-host isolation on AMD and Intel CPUs in virtualized environments. The proof-of-concept targeted KVM/QEMU in its default configuration and extracted host disk encryption keys from an AMD Zen 4 system. Tracked as CVE-2025-40300, mitigations include inserting an Indirect Branch Prediction Barrier (IBPB) on VMEXIT, which maintainers report causes only marginal performance impact. The vulnerability highlights that existing Spectre-BTI defenses and microcode updates are insufficient in some virtualized deployments, particularly on AMD Zen microarchitectures.

⚠ CISA has added a critical remote code execution flaw in DELMIA Apriso to its Known Exploited Vulnerabilities list as CVE-2025-5086, warning that attackers are actively exploiting the issue. The vulnerability is a deserialization of untrusted data that can lead to RCE when vulnerable endpoints process crafted SOAP requests containing a Base64-encoded, GZIP-compressed .NET executable embedded in XML. Dassault Systèmes confirmed the bug affects Releases 2020–2025; CISA has given federal agencies until October 2 to apply updates or mitigations or to cease using the product.

⚠️ Samsung released its monthly Android security update addressing a critical zero-day, CVE-2025-21043, a high-severity (CVSS 8.8) out-of-bounds write in libimagecodec.quram.so that can enable remote arbitrary code execution. The company says the flaw affects Android 13–16 and was privately disclosed on August 13, 2025. The affected library is a closed-source image parser from Quramsoft and the patch corrects an incorrect implementation. Samsung acknowledged an exploit exists in the wild but did not provide attack specifics.

🔒 ESET researchers identified HybridPetya, a new ransomware strain that blends Petya-style MFT encryption with a UEFI bootkit that can bypass Secure Boot by abusing a patched flaw (CVE-2024-7344) in the Howyar Reloader EFI component. The malware installs a malicious EFI application, uses a three-state flag to track encryption and ransom status, displays a fake CHKDSK screen, and demands $1,000 in Bitcoin. Select variants load a cloak.dat payload into reloader.efi to evade integrity checks; Microsoft revoked the vulnerable binary via dbx updates. ESET found no evidence of widespread active abuse but warned Secure Boot bypasses are increasingly common and urged prompt patching and boot integrity monitoring.

⚠️ CISA added a critical deserialization vulnerability, CVE-2025-5086, affecting Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) releases 2020–2025 to its KEV catalog following evidence of active exploitation. The flaw can allow remote code execution via the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint when attackers send a Base64 payload that decodes to a GZIP-compressed Windows DLL. Observed attacks delivered a DLL identified by Kaspersky as Trojan.MSIL.Zapchast.gen, capable of spying and exfiltrating data. FCEB agencies are urged to apply updates by October 2, 2025, to secure their networks.