All news in category “Security Advisory and Patch Watch”

🔒 Rockwell Automation released a security update for 1783-NATR to remediate a memory corruption issue stemming from a Wind River VxWorks calloc() allocator flaw. The vulnerability (CVE-2020-28895) can produce smaller-than-expected allocations, enabling memory corruption and potential remote exploitation with low attack complexity. Rockwell published firmware 1.007 to correct the defect; customers unable to upgrade should follow Rockwell's security best practices and apply the network and access mitigations recommended by CISA.

🔒 A cryptographic implementation error in Rockwell Automation's FactoryTalk Activation Manager v5.00 can allow attackers to decrypt communications, enabling data exposure, session hijacking, or full communication compromise. The issue is tracked as CVE-2025-7970 with a CVSS v4 base score of 8.7 and is exploitable remotely with low attack complexity. Users should update to Version 5.02 or later and follow vendor security guidance.

🔒 Rockwell Automation disclosed a vulnerability in Analytics LogixAI (versions 3.00 and 3.01) caused by an over-permissive Redis instance that can expose sensitive system information to an intranet attacker. Tracked as CVE-2025-9364, the issue carries a CVSS v3.1 score of 8.8 and a CVSS v4 score of 8.7 and may permit data access and modification when exploited from an adjacent network with low attack complexity. Rockwell has published fixes in versions 3.02 and later and advises customers to apply updates where possible; CISA reiterates standard mitigations such as minimizing network exposure, isolating control networks behind firewalls, and maintaining secure remote access practices.

🔒 Rockwell Automation’s ThinManager contains a server-side request forgery (SSRF) vulnerability (CVE-2025-9065) affecting versions 13.0 through 14.0 that can expose the ThinServer service account NTLM hash. Authenticated attackers can trigger SMB authentication by specifying external SMB paths, causing NTLM challenge/response data to be leaked. Rockwell addressed the issue in ThinManager 14.1 and recommends upgrading; temporary mitigations include blocking NTLM over SMB, isolating control networks, and using secure remote access.

🔔 Microsoft’s September 2025 update addresses 84 vulnerabilities, including two publicly disclosed zero-days and eight Critical issues. CrowdStrike’s analysis identifies elevation of privilege, remote code execution and information disclosure as the top exploitation vectors and notes many critical flaws require some user interaction. Key affected components include Windows, Extended Security Updates (ESU) and Microsoft Office, with notable CVEs in SMB, NTLM, Hyper-V and graphics subsystems. Organizations should prioritize patching, apply mitigations for unpatchable issues, and plan for Windows 10 end of support in October 2025.

⚠ Security teams must urgently patch SAP S/4HANA after a critical code-injection flaw, CVE-2025-42957 (CVSS 9.9), was fixed by the vendor on August 12 and is now being exploited in the wild. The vulnerability allows a low-privilege user to inject arbitrary ABAP via an RFC-exposed function module, bypassing authorization checks and enabling admin-level control and potential OS interference. No workaround exists; timely patching across complex SAP landscapes is essential to prevent data theft, credential harvesting, backdoors, ransomware and operational disruption.

🔒 Amazon Relational Database Service (RDS) for Microsoft SQL Server now supports the latest General Distribution Release (GDR) updates for SQL Server 2016 SP3, 2017 CU31, 2019 CU32, and 2022 CU20. The supported RDS engine versions map to KB5063762, KB5063759, KB5063757, and KB5063814 respectively. These GDRs address vulnerabilities tracked as CVE-2025-49758, CVE-2025-24999, CVE-2025-49759, CVE-2025-53727, and CVE-2025-47954. We recommend that customers upgrade their RDS instances via the RDS Management Console, AWS SDK, or AWS CLI and follow the RDS SQL Server upgrade guidance.

🔒 CISA has ordered immediate patching of a critical deserialization vulnerability in Sitecore (CVE-2025-53690), rated 9.0, after active exploitation was observed. The flaw arises from exposed ASP.NET machine keys—some copied from older deployment guides—and allows ViewState deserialization that leads to remote code execution. Agencies must rotate machine keys, harden configurations, and scan for compromise indicators by September 25, 2025, to mitigate further intrusions.

🔒 A critical Argo CD vulnerability (CVE-2025-55190) allows API tokens with even low project-level get permissions to access API endpoints and retrieve repository credentials. Rated CVSS v3 10.0, the flaw bypasses isolation protections and can expose usernames and passwords used to access Git repositories. The issue affects all versions up to 2.13.0 and was fixed in 3.1.2, 3.0.14, 2.14.16, and 2.13.9; administrators should upgrade immediately.

⚠️ SAP released a patch for a critical S/4HANA vulnerability, CVE-2025-42957 (CVSS 9.9), after researchers observed a live exploit that allows low-privilege ABAP code injection and full system takeover. The flaw affects all S/4HANA deployments, including private cloud and on-premises, and can be weaponized easily because ABAP source is publicly viewable. Administrators should apply the update immediately and review account privileges, default credentials, encryption settings, and monitoring to limit risks such as data tampering, account creation with SAP_ALL, and password-hash exfiltration.

⚠️ A critical ABAP code injection flaw, tracked as CVE-2025-42957, in an RFC-exposed function of SAP S/4HANA is being exploited in the wild to breach exposed servers. The bug allows low-privileged authenticated users to inject arbitrary code, bypass authorization checks, and take full control of affected systems. SAP issued a fix on August 11, 2025 (CVSS 9.9), but SecurityBridge reports active, limited exploitation and urges immediate patching.

⚠️ SAP patched a critical command injection in SAP S/4HANA tracked as CVE-2025-42957 (CVSS 9.9) that allows low-privileged users to inject arbitrary ABAP via an RFC-exposed function module, bypassing authorization checks. SecurityBridge and NVD report active exploitation affecting both on-premise and Private Cloud editions, with potential for full system compromise. Organizations are urged to apply SAP's monthly fixes immediately, monitor for suspicious RFC calls or new admin accounts, implement network segmentation and backups, adopt SAP UCON to restrict RFC usage, and review access to authorization object S_DMIS activity 02.

🔔 Amazon RDS Custom for SQL Server now supports the latest Microsoft GDR updates, including SQL Server 2019 CU32 (KB5063757) — RDS version 15.00.4440.1.v1 — and SQL Server 2022 CU20 (KB5063814) — RDS version 16.00.4210.1.v1. These GDRs remediate multiple vulnerabilities (CVE-2025-49758, CVE-2025-24999, CVE-2025-49759, CVE-2025-53727, CVE-2025-47954). We recommend upgrading instances via the Amazon RDS Management Console or programmatically with the AWS SDK/CLI, and following the Amazon RDS Custom User Guide for detailed upgrade instructions.

⚠️ A critical code injection vulnerability in SAP S/4HANA (CVE-2025-42957, CVSS 9.9) is being actively exploited in the wild, researchers warn. The flaw allows a low-privileged user to inject ABAP code and gain full system and operating system access across all S/4HANA releases. SecurityBridge confirmed practical abuse and noted the exploit was straightforward to develop because ABAP code is openly viewable. Organizations that have not yet applied the August 11 patch should install it immediately to prevent complete data compromise and unauthorized administrative access.

⚠️ Mandiant reports attackers are actively exploiting a leaked ASP.NET machineKey sample from old Sitecore deployment guides to carry out ViewState code-injection attacks that execute arbitrary .NET assemblies in server memory. The issue, tracked as CVE-2025-53690, affects multi-instance deployments of Sitecore XM, XP, and XC that used the static sample key, and may also impact some Sitecore Managed Cloud Standard container configurations. After initial access, adversaries deploy tools Mandiant calls WEEPSTEEL and EARTHWORM, escalate to SYSTEM, create administrative accounts, dump SYSTEM/SAM hives, and move laterally. Sitecore customers are advised to inspect environments for indicators of compromise, rotate and encrypt <machineKey> entries, and follow Microsoft ASP.NET ViewState guidance.

🔒TP-Link has confirmed an unpatched zero-day in its CWMP implementation that can enable remote code execution on multiple routers. Independent researcher Mehrun (ByteRay) reported the issue to TP-Link on May 11, 2024; the flaw is a stack-based buffer overflow in the SOAP SetParameterValues handler caused by unbounded strncpy calls. TP-Link says a patch exists for some European firmware builds and that fixes for U.S. and other global versions are in development; users should update firmware, change default admin credentials, and disable CWMP if it is not required.

🔒 Mandiant disrupted an active exploitation of a critical zero-day in Sitecore's Experience Manager and Experience Platform that permits remote code execution via ViewState deserialization. Publicly disclosed on September 3 as CVE-2025-53690 (CVSS 9.0), the flaw affects Sitecore versions up to 9.0 when deployments retained the sample ASP.NET machine key published in older deployment guides. Attackers used the vulnerability to deliver WEEPSTEEL and other tooling, harvest credentials and perform lateral movement. Sitecore has issued a security advisory, notified impacted customers and says recent deployments now auto-generate unique machine keys.

🔒 Researchers demonstrated SNI5GECT, an over‑the‑air injection attack targeting unencrypted initial exchanges in 5G that can crash device modems or force a fallback to 4G. By observing the plain‑text handshake and injecting a crafted information block at precise timing, an attacker within roughly 20 meters can trigger a reboot or downgrade. The technique enabled 4G‑based tracking and spoofing on multiple handsets across different modem vendors, and arises from protocol characteristics rather than a single vendor implementation.

⚠ CISA released five Industrial Control Systems (ICS) advisories on September 4, 2025, detailing vulnerabilities, impacts, and recommended mitigations for multiple OT products and protocols. The advisories address Honeywell OneWireless WDM, Mitsubishi Electric/ICONICS products, Delta Electronics COMMGR, Honeywell Experion PKS, and the End-of-Train/Head-of-Train Remote Linking Protocol. Several notices are updates (A/B) that include revised technical analysis and vendor-supplied mitigations. Administrators are urged to review the advisories promptly and apply recommended controls.

🔔 CISA has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-38352 (Linux kernel TOCTOU race condition), CVE-2025-48543 (Android Runtime unspecified vulnerability), and CVE-2025-53690 (Sitecore multiple-products deserialization). Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by the required due dates. Although the directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation, patching, and vulnerability management to reduce exposure to active exploitation.