All news in category “Security Advisory and Patch Watch”

⚠️ Recent investigations show a wave of active attacks against WordPress plugins and themes, including Gravity Forms, the Alone and Motors themes, and Post SMTP. Exploits have enabled remote code execution, administrator account takeover, and mass site compromise, while the Efimer trojan has been distributed from some infected sites. Vendors have issued patches, but many sites remain unpatched—site owners should update immediately and follow hardening best practices.

🔍 Microsoft says its August 2025 security update, KB5063878, is not connected to recent reports of SSD and HDD failures. After internal testing and telemetry analysis, Redmond said it could not reproduce the corruption or drive losses and found no increase in disk failures following the Windows 11 24H2 update. Microsoft is working with storage partners and controller vendors and will continue to monitor customer feedback while investigating any new reports.

⚠️ CISA added CVE-2025-57819, an authentication bypass in Sangoma FreePBX, to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The vulnerability is a frequent attack vector that poses significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by required due dates. CISA urges all organizations to prioritize timely remediation.

🔒 Click Studios released Passwordstate 9.9 (Build 9972) on August 28, 2025, to remediate a high-severity authentication bypass that could be triggered via a carefully crafted URL against the product's Emergency Access page. The update also introduces enhanced safeguards in the web interface and browser extension to mitigate DOM-based clickjacking attacks. The company noted that no CVE has been assigned yet and emphasized that customers should apply the update promptly. Passwordstate is used by thousands of organizations globally, increasing the urgency of patching.

🚨 The Sangoma FreePBX project has issued an advisory for an actively exploited zero-day (CVE-2025-57819) that allows unauthenticated access to the Administrator control panel, enabling arbitrary database manipulation and remote code execution. The flaw stems from insufficiently sanitized user input in the commercial endpoint module and impacts FreePBX 15, 16, and 17 prior to their listed patched releases. Administrators should apply the emergency updates immediately, restrict public ACP access, and scan for indicators of compromise.

🔍 Researchers at ReversingLabs found a loophole in the Visual Studio Code Marketplace that permits threat actors to republish removed extensions under the same visible names. The new malicious package, ahbanC.shiba, mirrors earlier flagged extensions and acts as a downloader for a PowerShell payload that encrypts files in a folder named "testShiba" and demands a Shiba Inu token ransom. Investigation revealed that extension uniqueness is enforced by the combination of publisher and name, not the visible name alone, enabling attackers to reuse names once an extension is removed. Organizations should audit extension IDs, enforce whitelists, and run automated supply-chain scanning to reduce exposure.

🔔 Amazon RDS Custom for SQL Server now supports new General Distribution Releases for Microsoft SQL Server 2019 (RDS version 15.00.4435.7.v1) and 2022 (RDS version 16.00.4200.1.v1). The new GDRs address vulnerabilities tracked as CVE-2025-49717, CVE-2025-49718, and CVE-2025-49719 and correspond to Microsoft's KB5058722 and KB5058721 release notes. AWS recommends upgrading affected Amazon RDS Custom for SQL Server instances using the Amazon RDS Management Console, or programmatically via the AWS SDK or CLI, and consulting the Amazon RDS Custom User Guide for upgrade procedures.

⚠️ GE Vernova's CIMPLICITY HMI/SCADA software is affected by an Uncontrolled Search Path Element vulnerability (CVE-2025-7719) in versions 2024, 2023, 2022, and 11.0. CISA reports this flaw could enable a low-privileged local attacker to escalate privileges; a CVSS v4 score of 7.0 and a CVSS v3.1 score of 7.8 were calculated. The issue is not remotely exploitable and no public exploitation has been reported; GE Vernova recommends upgrading to CIMPLICITY 2024 SIM 4 and following the Secure Deployment Guide while CISA advises network isolation and secure remote access.

🔔 On August 28, 2025, CISA released nine Industrial Control Systems (ICS) advisories that detail vulnerabilities, impacts, and recommended mitigations for multiple vendors and product families. The advisories cover Mitsubishi Electric, Schneider Electric, Delta Electronics, GE Vernova, and Hitachi Energy, and include several updates to prior notices. Operators and administrators are encouraged to review each advisory for affected versions, vendor patches, and configuration mitigations, and to prioritize remediation and monitoring to reduce operational risk.

⚠ Schneider Electric disclosed an improper privilege management vulnerability (CVE-2025-8453, CVSS 6.7) affecting Saitel DR and Saitel DP Remote Terminal Units that could allow an authenticated privileged engineer with console access to escalate privileges and potentially execute arbitrary code. Schneider released HUe firmware 11.06.30 for Saitel DR to remediate the issue; a remediation plan for Saitel DP is pending. CISA notes the vulnerability is not remotely exploitable and recommends limiting physical and console access, enforcing root ownership and restrictive permissions on configuration files, and following ICS defensive guidance.

⚠️ Delta Electronics has identified two critical vulnerabilities in COMMGR (v2.9.0 and earlier) — a stack-based buffer overflow (CVE-2025-53418) and a code injection flaw (CVE-2025-53419) — that can enable arbitrary code execution via crafted .isp files. Delta and CISA rate the combined risk as high (CISA lists CVSS v4 8.8) and recommend upgrading to v2.10.0 or later. Additional mitigations include network segmentation, limiting Internet exposure, and using secure remote access methods. CISA reports no known public exploitation at this time.

⚠️ Mitsubishi Electric's MELSEC iQ-F Series CPU modules are affected by a Missing Authentication for Critical Function vulnerability (CVE-2025-7405) in Modbus/TCP that can allow remote attackers to read and write device values and potentially halt program execution. CISA assigns a CVSS v4 base score of 6.9 and notes the issue is remotely exploitable with low attack complexity. Mitsubishi reports many FX5U/FX5UC/FX5UJ/FX5S variants affected and currently has no fixed version planned. Recommended mitigations include network segmentation, VPNs or firewalls, IP filtering, and restricting physical access.

🔒 Mitsubishi Electric disclosed a MELSEC iQ-F Series CPU module vulnerability (CVE-2025-7731) that transmits sensitive authentication data in cleartext over SLMP, enabling remote attackers to intercept credentials and read or write device values or halt program execution. Assigned CVSS v4 8.7 and described as remotely exploitable with low attack complexity, the issue affects many FX5U/FX5UC/FX5UJ/FX5S variants — Mitsubishi reports no planned patch. Mitsubishi and CISA recommend mitigations such as encrypting SLMP traffic with a VPN, restricting LAN access, isolating control networks behind firewalls, and following ICS hardening best practices.

⚠️ Delta Electronics disclosed an CNCSoft-G2 out‑of‑bounds write vulnerability (CVE-2025-47728) in DPAX file parsing that can cause memory corruption and enable arbitrary code execution in the affected process. CISA assigns a CVSS v4 base score of 8.5 and notes low attack complexity but requires user interaction such as opening a malicious file or visiting a malicious page. Affected versions include v2.1.0.20 and earlier; Delta recommends updating to v2.1.0.27 or later per advisory Delta-PCSA-2025-00007. CISA advises applying the update, isolating control systems, avoiding untrusted attachments, and following ICS recommended practices; no public exploitation has been reported to date.

⚠️ Citrix has warned of multiple zero-day vulnerabilities in NetScaler ADC and NetScaler Gateway, highlighting CVE-2025-7775 as being actively exploited. The critical issue is a memory overflow that can lead to denial of service or remote code execution on appliances meeting specific configuration preconditions. Citrix provides CLI checks to identify affected devices but reports no mitigations or workarounds, and researchers estimate a large percentage of appliances remain unpatched. Administrators are urged to prioritize patching immediately.

🔒 Cisco Talos disclosed multiple vulnerabilities affecting libbiosig, Tenda AC6, SAIL, PDF‑XChange Editor, and Foxit PDF Reader. The flaws include integer overflows, heap and stack buffer overflows, out‑of‑bounds reads, authentication and firmware validation weaknesses, and other memory corruption issues that can lead to remote code execution or information disclosure. Vendors have released patches in coordination with Talos and Snort coverage is available to detect exploitation attempts. Apply vendor updates and detection rules immediately to reduce exposure.

🔒 Researchers demonstrated BadCam, a BadUSB-style attack presented at BlackHat that reflashes a webcam's firmware so a standard camera can act as a programmable HID device. The proof-of-concept targeted Lenovo 510 FHD and Lenovo Performance FHD models using a SigmaStar SoC, exploiting lack of cryptographic firmware verification and Linux USB Gadget support to present keyboard/network interfaces. Standard scans and OS reinstalls won't remove such implants, so organizations should apply firmware patches, USB control policies, and HID monitoring to mitigate the risk.

🔒Citrix has released patches for three critical zero-day vulnerabilities in NetScaler ADC and NetScaler Gateway (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424), including pre-auth remote code execution observed in the wild. The vendor provided fixes for affected 14.1, 13.1 and 12.1-FIPS/NDcPP builds and said no workaround is available. Security researchers and CISA urged immediate patching and forensic checks for potential backdoors.

🔒 Citrix has issued patches for three vulnerabilities in NetScaler ADC and NetScaler Gateway, and confirmed active exploitation of CVE-2025-7775. The flaws include two memory overflow issues (CVSS 9.2 and 8.8) that can lead to remote code execution or denial-of-service, and an improper access-control bug (CVSS 8.7) affecting the management interface. Fixes are available in multiple 12.x–14.x releases with no workarounds; Citrix credited external researchers for reporting the issues.

🔍 A research team at SUTD's ASSET group released Sni5Gect, an open-source over-the-air toolkit that passively sniffs early 5G signaling and injects crafted payloads before NAS security is established. The framework can crash UE modems, fingerprint devices, bypass some authentication flows, and force downgrades from 5G to 4G without deploying a rogue gNB, with reported injection success rates of 70–90% at up to 20 m. GSMA recorded the issue as CVD-2024-0096.