All news in category “Security Advisory and Patch Watch”

🔒 Samsung has released a patch for a critical remote code execution vulnerability tracked as CVE-2025-21043 that was actively exploited on Android devices. Reported by Meta and WhatsApp security teams on August 13, the flaw stems from an out-of-bounds write in libimagecodec.quram.so, a closed-source Quramsoft image parser, and affects devices running Android 13 and later. Samsung’s advisory notes an exploit was observed in the wild and that other messaging apps using the vulnerable library could also be at risk; users should apply the September SMR update promptly.

⚠ Cursor, an AI-powered fork of Visual Studio Code, ships with Workspace Trust disabled by default, enabling VS Code-style tasks configured with runOptions.runOn: 'folderOpen' to auto-execute when a folder is opened. Oasis Security showed a malicious .vscode/tasks.json can convert a casual repository browse into silent arbitrary code execution with the user's privileges. Users should enable Workspace Trust, audit untrusted projects, or open suspicious repos in other editors to mitigate risk.

🔓 Researchers at ETH Zurich disclosed VMScape, a Spectre-like speculative-execution attack that lets a malicious VM extract secrets from an unmodified QEMU hypervisor running on many modern AMD and some Intel CPUs. The exploit abuses shared branch-prediction structures and a FLUSH+RELOAD side channel to induce speculative disclosure. It works without host compromise and bypasses default mitigations; vendors and Linux developers released advisories and kernel patches to mitigate the issue.

🔐 Siemens has disclosed multiple vulnerabilities in the integrated User Management Component (UMC) that could allow unauthenticated remote attackers to execute arbitrary code or cause denial-of-service. A stack-based buffer overflow (CVE-2025-40795) and several out-of-bounds read issues (CVE-2025-40796–40798) are reported, with CVSS v4 scores up to 9.3. Siemens recommends updating UMC to V2.15.1.3 or later and, where feasible, blocking TCP ports 4002 and 4004; Siemens notes no fixes are planned for SIMATIC PCS neo V4.1 and V5.0.

🔒 Siemens reported a vulnerability in Apogee PXC and Talon TC devices that allows unauthorized actors to download device database files via BACnet. Affected devices permit unauthenticated access to encrypted .db files that can contain passwords; the issue is tracked as CVE-2025-40757 with a CVSS v4 base score of 6.3. Siemens and CISA recommend changing default passwords, hardening network access, and isolating control networks. Exploitation is remotely feasible with low complexity; no public exploitation has been reported to CISA.

⚠️ CISA published an advisory on two vulnerabilities in Schneider Electric EcoStruxure products that could enable a denial-of-service condition and the exposure of sensitive credentials. The issues are tracked as CVE-2025-8449 (uncontrolled resource consumption) and CVE-2025-8448 (sensitive information exposure). Affected Enterprise Server and Workstation versions should be updated to the fixed releases (for example 7.0.2.348, 6.0.4.10001 (CP8), 5.0.3.17009 (CP16)). If patches cannot be applied immediately, implement strong access controls, network segmentation, MFA where available, and continuous monitoring.

🔒 Schneider Electric disclosed a Files or Directories Accessible to External Parties vulnerability affecting Modicon M340 devices and the BMXNOE0100/BMXNOE0110 Ethernet modules that could allow remote actors to remove files, block firmware updates, and disrupt the device webserver. The issue is tracked as CVE-2024-5056 with a CVSS v4 base score of 6.9. Schneider released firmware fixes for BMXNOE0100 (SV3.60) and BMXNOE0110 (SV6.80) and recommends immediate mitigations including network segmentation, disabling FTP when not required, and configuring Access Control Lists per the device manual. CISA also advises isolating control networks, minimizing internet exposure, and using VPNs for remote access.

🛡️ Siemens reports a local privilege escalation vulnerability affecting SIMOTION Tools installers that use an affected NSIS setup component. The flaw (CWE-754) in Nullsoft Scriptable Install System (NSIS) before 3.11 can allow an unprivileged user to gain SYSTEM privileges during installation by exploiting a race condition. The issue is tracked as CVE-2025-43715 with a CVSS v3.1 base score of 8.1. No vendor fix is available yet; Siemens and CISA offer mitigations and hardening guidance.

⚠️ Siemens Industrial Edge Management OS (IEM-OS) contains an allocation-of-resources vulnerability in Apache Commons FileUpload that can be triggered remotely to cause a denial-of-service condition. The issue is tracked as CVE-2025-48976 with a CVSS v4 base score of 8.7 and a CVSS v3.1 vector indicating an availability-only impact. Siemens reports all IEM-OS versions affected and recommends migrating to IEM-V, limiting access to trusted systems, and following Siemens' operational security guidance. CISA reiterates minimizing network exposure, using network segmentation and firewalls, and employing secure remote access methods.

🔔 CISA added CVE-2025-5086 — a Dassault Systèmes DELMIA Apriso deserialization of untrusted data vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog on September 11, 2025, based on evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed issues by required due dates. CISA urges all organizations to prioritize timely remediation as part of vulnerability management and will continue updating the catalog with vulnerabilities that meet its criteria.

🔔 CISA released eleven Industrial Control Systems (ICS) advisories on September 11, 2025, offering timely technical details about vulnerabilities, exploits, and mitigations. The advisories span multiple vendors and product families, including Siemens (SIMOTION Tools, SIMATIC SIVaaS, SINAMICS, SINEC OS, Industrial Edge, UMC, Apogee PXC/Talon TC), Schneider Electric (EcoStruxure, Modicon M340 variants), and Daikin (Security Gateway). Administrators and asset owners are urged to review the advisories, apply vendor patches or recommended mitigations, and strengthen segmentation and monitoring to reduce operational risk.

🔓 CISA published an advisory describing an authorization bypass in Daikin Security Gateway devices that abuses a weak password recovery mechanism. The vulnerability, tracked as CVE-2025-10127, is remotely exploitable with low complexity and carries a CVSS v4 score of 8.8; public proof‑of‑concept code exists. Daikin has indicated it will not issue a vendor-wide patch and will handle customer inquiries directly; CISA recommends isolating affected devices, placing them behind firewalls, and using secure, up-to-date VPNs or other hardened remote access controls.

🛡️ CISA republished information from Siemens ProductCERT regarding two vulnerabilities affecting the RUGGEDCOM RST2428P (6GK6242-6PA00). The issues — uncontrolled resource consumption (CVE-2025-40802) and exposure of sensitive information (CVE-2025-40803) — are exploitable from an adjacent network and have low CVSS scores (v3.1=3.1; v4=2.3). Siemens recommends firewalling UDP discovery ports and following industrial security guidance; CISA advises minimizing network exposure and isolating control networks.

⚠️A critical vulnerability (CVE-2025-40804) affects Siemens SIMATIC Virtualization as a Service (SIVaaS), exposing a network share without authentication and allowing remote actors to access or modify sensitive data. Calculated scores are CVSS v4 9.3 and CVSS v3.1 9.1 with low attack complexity. Siemens advises contacting Technical Support; CISA recommends isolating control systems, minimizing internet exposure, and using layered defenses.

🔒 Siemens SINAMICS drive firmware contains an Improper Privilege Management vulnerability (CVE-2025-40594) that can allow local network users to escalate privileges and perform a factory reset without required rights. A CVSS v3.1 base score of 6.3 and a CVSS v4 base score of 6.9 were calculated. Siemens provides updates for S210 and G220 (V6.4 HF2); S200 V6.4 currently has no fix. CISA and Siemens recommend minimizing network exposure, isolating control networks, and using secure remote access methods.

🔒 Adobe issued an emergency out-of-band patch for a critical vulnerability in Magento Open Source and Adobe Commerce, tracked as CVE-2025-54236 and dubbed SessionReaper. The flaw permits unauthenticated attackers to hijack user accounts and, when file-based session storage is used, can enable remote code execution. Adobe notified Commerce customers on Sept. 4 but Magento Open Source users may not have received the same advance warning. Organizations operating Magento sites should apply the patch immediately.

⚠️ A default configuration in Cursor, an AI-powered fork of VS Code, automatically executes tasks when a project folder is opened because Workspace Trust is disabled. Oasis Security demonstrated that a malicious .vscode/tasks.json can run arbitrary commands without user action, risking credential theft and environment takeover. Cursor intends to keep the autorun behavior and advises enabling Workspace Trust manually or using a different editor for untrusted repos.

🔧 Microsoft has resolved severe lag and stuttering issues affecting NDI streaming on Windows 10 and Windows 11 that appeared after the August 2025 cumulative security updates. The root cause was tied to KB5063878 and KB5063709 and manifested as dropped NDI traffic and degraded performance specifically over RUDP connections, while UDP and Single-TCP streams were unaffected. On September 9, 2025, Microsoft released fixes (KB5065426 and KB5065429) and recommends applying those updates; NDI also published a temporary workaround to switch Receive Mode to Single TCP or UDP in the NDI Tools Access Manager for systems that cannot immediately update.

⚠ Cursor's autorun feature can allow repositories to execute code automatically when a folder is opened in Visual Studio Code with Cursor installed. Oasis Security researchers demonstrated that attackers can embed hidden instructions that trigger commands tied to workspace events without a developer's consent. With Workspace Trust disabled by default in Cursor, opening a project can enable token theft, file tampering or persistent malware. Developers should treat unknown repositories cautiously and enable available trust controls.

🔓 Oasis Security disclosed a flaw in Cursor that allows malicious repositories to execute code when a developer opens a folder. The vulnerability stems from Workspace Trust being disabled by default, permitting crafted .vscode/tasks.json entries set to run on folder open to autorun without prompting. Successful exploitation can expose API keys, cloud credentials and local secrets, risking organization-wide compromise.