All news in category “Security Advisory and Patch Watch”

⚠️ Honeywell's OneWireless Wireless Device Manager (WDM) contains multiple high‑severity vulnerabilities in the Control Data Access (CDA) component — including buffer overread, sensitive resource reuse, integer underflow, and wrong handler deployment (CVE‑2025‑2521, CVE‑2025‑2522, CVE‑2025‑2523, CVE‑2025‑3946). These issues can enable information disclosure, denial of service, or remote code execution. Honeywell advises updating affected WDM releases to R322.5 or R331.1; CISA recommends minimizing network exposure and isolating control networks to reduce exploitation risk.

⚠️ Microsoft says the August 2025 security updates are causing unexpected User Account Control (UAC) credential prompts and preventing application installations and MSI repair operations for non‑admin users across supported Windows client and server releases. The behavior stems from a patch addressing CVE-2025-50173, a Windows Installer privilege escalation vulnerability that now enforces elevated UAC prompts during MSI repair and related operations. Affected scenarios include MSI repair commands, ConfigMgr deployments relying on per‑user advertising, Secure Desktop enablement, and launching certain Autodesk applications. Microsoft plans a fix allowing admins to exempt specific apps and recommends running affected apps as administrator or applying a Known Issue Rollback via support as a temporary mitigation.

🔔 CISA has added two TP-Link router vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after observing in-the-wild exploitation activity. The flaws—CVE-2023-50224 (CVSS 6.5), an authentication bypass via spoofing in the httpd service exposing stored credentials at /tmp/dropbear/dropbearpwd, and CVE-2025-9377 (CVSS 8.6), an OS command injection enabling remote code execution—affect multiple TL-WR841 and Archer C7 models. TP-Link says several affected models are End-of-Life, released firmware updates in November 2024, and recommends upgrading hardware; CISA urges federal agencies to apply mitigations by September 24, 2025.

🔒 Google has released the September 2025 Android security update addressing 84 vulnerabilities, including two zero-day flaws observed in limited, targeted exploitation: CVE-2025-38352 (Linux kernel) and CVE-2025-48543 (Android Runtime). The bulletin also patches four critical issues — including an RCE in the System component and three Qualcomm vulnerabilities affecting modem and data stacks. Users are urged to install security patch level 2025-09-01 or 2025-09-05 via Settings > System > Software updates > System update.

🔒 Mandiant and Sitecore investigated an active ViewState deserialization exploit that allowed remote code execution on internet-facing Sitecore instances that used publicly exposed sample ASP.NET machine keys. Tracked as CVE-2025-53690, the vulnerability enabled attackers to craft malicious __VIEWSTATE payloads, deploy a reconnaissance backdoor (WEEPSTEEL), and stage tunneling and remote access tooling. Sitecore has updated deployments to auto-generate unique machine keys and notified affected customers; Mandiant recommends rotating keys, enabling ViewState MAC, and encrypting secrets in web.config to mitigate similar attacks.

⚠️ CISA has added two TP-Link vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation: CVE-2023-50224 (TL-WR841N authentication bypass) and CVE-2025-9377 (Archer C7(EU) and TL-WR841N/ND(MS) OS command injection). The agency notes these flaw types are frequent attack vectors and impose significant risk to the federal enterprise under BOD 22-01. Although the directive binds Federal Civilian Executive Branch agencies, CISA urges all organizations to prioritize remediation and reduce exposure.

🔒 Google has released its September 2025 Android security updates addressing 120 vulnerabilities, including two issues that Google says have been exploited in limited, targeted attacks. The two highlighted flaws are CVE-2025-38352 (CVSS 7.4), affecting the Linux Kernel, and CVE-2025-48543, impacting the Android Runtime; both can enable local privilege escalation with no user interaction. Google issued patch levels 2025-09-01 and 2025-09-05 to let partners deploy common fixes more quickly and credited Benoît Sevens of TAG with reporting the kernel issue.

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high‑severity flaw in TP‑Link TL‑WA855RE Wi‑Fi range extenders (CVE‑2020‑24363, CVSS 8.8) to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The missing authentication issue lets an unauthenticated attacker on the same network submit a TDDP_RESET request to factory‑reset the device and set a new administrative password. CISA also added a WhatsApp vulnerability (CVE‑2025‑55177, CVSS 5.4) that was chained with an Apple platform flaw in a targeted spyware campaign; federal agencies must apply mitigations by September 23, 2025.

⚠️ Security firm Armis disclosed 10 vulnerabilities, dubbed Frostbyte10, in Copeland LP E2 and E3 controllers used in heating, cooling, and refrigeration that could let attackers disable or remotely control equipment. Copeland issued firmware 2.31F01; organizations should deploy the update promptly to mitigate exposure. Combined flaws can enable unauthenticated remote code execution with root privileges; specific issues include a predictable default admin account (CVE-2025-6519), API endpoints that expose credential hashes, and unauthenticated file operations. Copeland says engineers acted quickly and that there are no known exploits to date.

⚠️ Fuji Electric's FRENIC-Loader 4 (versions prior to 1.4.0.1) contains a deserialization of untrusted data vulnerability (CVE-2025-9365) that can allow arbitrary code execution when a crafted file is imported. CISA assigns a CVSS v4 base score of 8.4 and reports the issue has low attack complexity but is not remotely exploitable. Researcher kimiya, working with Trend Micro ZDI, reported the flaw. Fuji Electric advises updating to v1.4.0.1 and CISA recommends network segmentation, minimizing exposure, using up-to-date VPNs, and performing impact analysis.

⚠️ CISA added two vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog: CVE-2020-24363 affecting the TP-Link TL-WA855RE (missing authentication for a critical function) and CVE-2025-55177 affecting Meta Platforms' WhatsApp (incorrect authorization). These entries reflect evidence of active exploitation and significant risk to federal networks. Under BOD 22-01, FCEB agencies must remediate listed KEVs by the specified due dates. CISA urges all organizations to prioritize timely remediation.

🔒 CISA warns of a high-severity vulnerability in SunPower PVS6 inverters (CVE-2025-9696) caused by hard-coded credentials in the Bluetooth Low Energy (BLE) interface. An attacker within Bluetooth range can exploit published protocol details and fixed encryption parameters to gain full device access, and CISA reports a CVSS v4 base score of 9.4. Successful exploitation could allow firmware replacement, disabling power production, modifying grid or firewall settings, creating SSH tunnels, and manipulating attached devices. SunPower did not respond to coordination; CISA advises minimizing network exposure, isolating control systems, using secure remote access methods such as up-to-date VPNs, and applying targeted intrusion detection and ICS best practices.

🛡️ CISA released four Industrial Control Systems (ICS) advisories on September 2, 2025, detailing vulnerabilities and recommended mitigations for Delta Electronics EIP Builder, Fuji Electric FRENIC-Loader 4, SunPower PVS6, and an update to Hitachi Energy Relion 670/650 and SAM600-IO Series. Each advisory includes technical analysis, affected versions, and practical guidance to reduce exploitation risk. Administrators and asset owners are urged to review the notices, prioritize affected systems, and apply vendor-recommended mitigations promptly.

🔒 Delta Electronics' EIP Builder (versions 1.11 and earlier) contains an XML External Entity (XXE, CWE-611) vulnerability tracked as CVE-2025-57704 with a CVSS v4 base score of 6.7 and low attack complexity. The flaw can allow processing of malicious external entities and potential disclosure of sensitive information; exploitation requires local access and user interaction. Delta has released v1.12 to address the issue, and CISA recommends applying the update and following ICS defensive practices.

🔒 A critical unauthenticated SQL injection vulnerability (CVE-2025-49870) was discovered in the WordPress Paid Memberships Subscriptions plugin affecting versions up to 2.15.1, used by over 10,000 sites. Patchstack Alliance researcher ChuongVN reported the flaw, which stems from unsafe handling of PayPal IPN payment IDs. The vendor released 2.15.2 to enforce numeric validation of payment IDs, adopt prepared statements and strengthen input handling; administrators should update immediately.

🔒 WhatsApp has patched a critical zero-day (CVE-2025-55177) affecting linked-device synchronization that could allow processing of content from an arbitrary URL on a target device. The vendor says the flaw, when combined with an Apple OS-level out-of-bounds write (CVE-2025-43300), may have been exploited in a targeted, sophisticated zero-click attack. Apple patched the related OS issue on August 20. Users should apply the updated WhatsApp and WhatsApp Business iOS and Mac clients immediately.

🔒 WhatsApp has issued emergency updates for iOS and macOS to fix CVE-2025-55177, a high-severity authorization flaw that may have been exploited alongside an Apple ImageIO zero-day (CVE-2025-43300). The bug could allow processing of content from an arbitrary URL on a target device and affects specific iOS, Business iOS, and Mac app versions. Users are urged to update immediately; confirmed targets were advised to perform a full factory reset.

🔧 Microsoft has addressed a known issue that produced false CertificateServicesClient (CertEnroll) error events after the July 2025 non-security preview (KB5062660) and subsequent Windows 11 24H2 updates. The events referenced the Microsoft Pluton Cryptographic Provider not being loaded but were benign and caused by a partially integrated feature still under development. The fix is rolling out automatically and requires no user action.

🔒 Three vulnerabilities affecting the Sitecore Experience Platform can be chained to escalate from HTML cache poisoning to remote code execution. Researchers describe a pre-auth HTML cache reflection (CVE-2025-53693) combined with an insecure deserialization RCE (CVE-2025-53691) and an ItemService API information-disclosure bug (CVE-2025-53694) that permits cache key enumeration and poisoned HTML injection. Sitecore issued patches in June and July 2025; administrators should apply updates, restrict ItemService exposure to trusted networks, and consider WAF rules and other mitigations to reduce the chaining risk.

🔒 WhatsApp has patched a zero-click vulnerability (CVE-2025-55177) impacting WhatsApp for iOS prior to 2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78. The flaw involved incomplete authorization of linked-device synchronization messages that could trigger processing of content from an arbitrary URL on a target device. WhatsApp said the bug may have been chained with an Apple OS-level zero-day (CVE-2025-43300) and exploited in targeted, sophisticated attacks. Potentially impacted users have been urged to perform a factory reset and keep their operating systems and apps up to date.