< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2054 articles · page 94 of 103

Microsoft Entra ID Flaw Could Allow Tenant-Wide Hijack

🔒 A critical token validation flaw in Microsoft Entra ID could permit full tenant compromise by abusing undocumented, unsigned actor tokens issued by a legacy Access Control Service. Researcher Dirk-jan Mollema showed that when paired with a vulnerability in the deprecated Azure AD Graph API (CVE-2025-55241) those tokens could impersonate any user — including Global Administrators — across tenants without leaving tenant logs. Microsoft confirmed a fix after the July report and later patched the CVE.
read more →

ShadowLeak: Zero-click flaw exposes Gmail via ChatGPT

🔓 Radware disclosed ShadowLeak, a zero-click vulnerability in OpenAI's ChatGPT Deep Research agent that can exfiltrate sensitive Gmail inbox data when a single crafted email is present. The technique hides indirect prompt injections in email HTML using tiny fonts, white-on-white text and CSS/layout tricks so a human user is unlikely to notice the commands while the agent reads and follows them. In Radware's proof-of-concept the agent, once granted Gmail integration, parses the hidden instructions and uses browser tools to send extracted data to an external server. OpenAI addressed the issue in early August after a responsible disclosure on June 18, and Radware warned the approach could extend to many other connectors, expanding the attack surface.
read more →

Fortra patches critical GoAnywhere MFT deserialization bug

⚠ Users of GoAnywhere MFT are urged to install an urgent patch for a critical insecure deserialization vulnerability tracked as CVE-2025-10035, rated CVSS 10. The flaw resides in the License Servlet and can allow an attacker with access to the Admin Console to submit a forged license response that deserializes an arbitrary, actor-controlled object, enabling remote command execution. Fortra released fixes in versions 7.8.4 and 7.6.3 and advises customers not to expose the Admin Console directly to the internet. The issue closely mirrors a 2023 vulnerability that was widely exploited by ransomware groups, elevating the risk of rapid exploitation.
read more →

CISA Details Malware Kits Used in Ivanti EPMM Attacks

🔍 CISA released a technical analysis of malware used in attacks exploiting two Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, CVE-2025-4427 and CVE-2025-4428. The agency details two distinct malware sets that used a common web-install.jar loader and malicious listener classes to inject and execute code, exfiltrate data, and maintain persistence. Attackers targeted the /mifs/rs/api/v2/ endpoint via HTTP GET requests with a ?format= parameter, delivering segmented, Base64-encoded payloads. CISA published IOCs, YARA and SIGMA rules and advises immediate patching and treating MDM systems as high-value assets.
read more →

Fortra warns and patches max-severity GoAnywhere MFT flaw

🔒 Fortra has released security updates to address a maximum-severity deserialization vulnerability in the License Servlet of GoAnywhere MFT (CVE-2025-10035) that can lead to command injection when a forged license response is accepted. The vendor issued patched builds — GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3 — and advised administrators to remove public access to the Admin Console if immediate patching is not possible. Shadowserver is monitoring over 470 instances, and Fortra emphasized that exploitation is highly dependent on the Admin Console being internet-exposed.
read more →

Fortra issues critical GoAnywhere MFT patch for RCE

🔒 Fortra has released an urgent patch for GoAnywhere MFT to address a critical deserialization flaw (CVE-2025-10035, CVSS 10.0) in the License Servlet that can allow execution of arbitrary commands when an attacker supplies a forged license response signature. The vendor recommends updating to v7.8.4 or the Sustain Release 7.6.3. If patching cannot be applied immediately, ensure the Admin Console is not publicly accessible. No active exploitation has been reported.
read more →

Entra ID Actor Token Flaw Lets Attackers Impersonate Admins

🔒 Researchers disclosed a max-severity vulnerability in Microsoft Entra ID that allowed attackers to request and reuse internal Actor tokens to impersonate any user, including Global Administrators, across tenants. The issue stemmed from a legacy Azure AD Graph API that failed to validate the originating tenant, enabling cross-tenant impersonation without triggering MFA, Conditional Access, or audit logs. Microsoft patched the flaw, tracked as CVE-2025-55241, and rolled a global fix but experts warn that lack of historical visibility leaves uncertainty about past exploitation.
read more →

CISA Details Two Java Loaders Exploiting Ivanti EPMM Flaws

🔒 CISA released details of two malicious toolsets found on an organization's server after attackers chained zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Each set contains a Java loader that installs an HTTP listener to decode, decrypt and execute arbitrary payloads and maintain persistence. CISA urges updating EPMM, monitoring for suspicious activity, and restricting access to MDM systems.
read more →

New Phoenix Rowhammer Bypass Elevates DDR5 Privilege Risk

⚠ The new Phoenix Rowhammer technique reverse-engineers TRR in SK Hynix DDR5 DIMMs to induce controlled bit flips previously believed mitigated. Researchers from ETH Zurich and Google report Phoenix reliably triggers flips across all 15 tested modules, enabling practical exploits such as forged Page Table Entries, RSA-2048 key leakage from co-located VMs, and a sudo-based root escalation. The issue is tracked as CVE-2025-6202.
read more →

WatchGuard patches critical IKEv2 VPN flaw in Fireboxes

🔒 WatchGuard has patched a critical IKEv2 "iked out of bounds write" vulnerability (CVE-2025-9242) that affects nearly three dozen current and legacy Firebox models. The flaw can enable remote code execution and authentication bypass via VPN ports UDP 500 and UDP 4500 and carries a CVSS score of 9.3, making prompt updates essential. Administrators should update to the vendor-supplied Fireware releases or apply the provided mitigations for environments that cannot upgrade immediately.
read more →

Cognex In-Sight Firmware: Multiple High-Risk Flaws

🔒 Cognex disclosed multiple high-severity vulnerabilities in In-Sight Explorer and firmware for the In-Sight 2000/7000/8000/9000 series (versions 5.x through 6.5.1). Identified issues include hard-coded credentials, cleartext management protocols (including telnet and a proprietary TCP 1069 service), weak default permissions, authentication bypass via capture-replay, and insufficient server-side enforcement. CISA assigns high CVSS scores (up to 8.8 v3.1 and 8.6 v4), warns of credential disclosure, configuration manipulation, and potential denial-of-service, and recommends migration to newer In-Sight Vision Suite systems and network isolation.
read more →

Westermo WeOS 5 IPSec Denial-of-Service Fix Released

🔔 A vulnerability in Westermo WeOS 5 when IPSec is enabled can allow a specially crafted ESP packet to trigger an immediate device reboot. Westermo reported the flaw and released WeOS 5 version 5.24.0 to address the issue. CISA rates the vulnerability as remotely exploitable with a CVSS v4 score of 8.2 and notes high attack complexity.
read more →

Hitachi Energy Asset Suite: Multiple High-Risk Flaws

⚠️ Hitachi Energy has disclosed multiple high-severity vulnerabilities in Asset Suite, affecting versions 9.6.4.5 and earlier. The issues include SSRF, deserialization of untrusted data, cleartext password exposure, uncontrolled resource consumption, open redirect, and improper authentication that can lead to remote code execution. Customers should apply vendor-provided mitigations and upgrades immediately to reduce exposure.
read more →

Westermo WeOS 5 OS Command Injection Vulnerability

⚠️ Westermo disclosed an OS command injection vulnerability in WeOS 5 (CVE-2025-46418) affecting versions 5.24 and later. The flaw arises from unsafe handling of media definitions and can allow an authenticated administrator to inject OS commands and potentially exceed intended privileges. CVSS scores include 7.6 (v3.1) and 8.7 (v4). Vendor and CISA recommend restricting admin access, segmenting networks, and using secure remote access practices as mitigations.
read more →

Schneider Electric Saitel RTU OS Command Injection

⚠️ Schneider Electric disclosed OS command injection vulnerabilities in Saitel DR and Saitel DP RTUs that could allow execution of arbitrary shell commands when BLMon is invoked in an SSH session. Two issues (CVE-2025-9996, CVE-2025-9997) carry a CVSS v4 base score of 5.8 (v3.1 6.6). Affected firmware versions are Saitel DR <= 11.06.29 and Saitel DP <= 11.06.33; fixed firmware releases are available and require a reboot. Schneider recommends restricting BLMon access, firewalling SSH, and following standard patching and ICS best practices.
read more →

Hitachi Energy Service Suite Deserialization Vulnerability

⚠️ Hitachi Energy disclosed a critical deserialization-of-untrusted-data vulnerability affecting Service Suite (versions prior to 9.6.0.4 EP4) that permits unauthenticated remote access via IIOP or T3 to compromise Oracle WebLogic Server. The issue is tracked as CVE-2020-2883 with a CVSS v4 base score of 9.3 and is characterized as remotely exploitable with low attack complexity. Hitachi Energy advises updating affected instances to version 9.8.2 or the latest release and applying vendor mitigation guidance immediately. CISA additionally recommends minimizing network exposure, isolating control networks behind firewalls, using up-to-date VPNs for remote access, and performing risk and impact assessments prior to deploying defensive changes.
read more →

CISA Malware Analysis: Malicious Listener for Ivanti EPMM

🛡️ CISA released a Malware Analysis Report analyzing two malware families recovered from an organization compromised via CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile. The report, titled Malicious Listener for Ivanti EPMM Systems, provides indicators of compromise and detection content including YARA and SIGMA rules to support hunting and response. Recommended mitigations stress upgrading Ivanti EPMM to the latest versions and treating mobile device management systems as high-value assets with enhanced monitoring, access controls, and restrictions.
read more →

CISA Issues Nine New ICS Advisories on Sep 18, 2025

🛡️ CISA released nine Industrial Control Systems (ICS) advisories on September 18, 2025, detailing vulnerabilities, exploits, and mitigations affecting multiple vendors and products. The advisories cover Westermo WeOS, Schneider Electric Saitel RTUs, Hitachi Energy Asset and Service Suites, Cognex In‑Sight devices, Dover Fueling Solutions ProGauge MagLink LX4 devices, plus updates for rail linking protocols and Mitsubishi FA engineering tools. Administrators and operators are urged to review the technical details and apply recommended mitigations promptly to reduce operational and safety risk.
read more →

Malware Analysis: Ivanti EPMM Exploitation and Loaders

🔍 CISA analyzed malicious artifacts deployed after threat actors exploited CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM). The report details two distinct loader/listener sets written to /tmp that enable arbitrary code execution through crafted HTTP requests. CISA provides IOCs, YARA and SIGMA detection rules, and recommends immediate patching and treating MDM systems as high-value assets.
read more →

Dover ProGauge MagLink LX Vulnerabilities and Fixes

⚠️ Dover Fueling Solutions disclosed critical vulnerabilities in its ProGauge MagLink LX4, LX4 Plus, and LX4 Ultimate tank monitors that may be exploited remotely. Identified issues include an integer overflow (CVE-2025-55068), a hard-coded cryptographic signing key (CVE-2025-54807), and non‑changeable weak default root credentials (CVE-2025-30519), with ratings up to CVSS v4 9.3. Affected firmware must be updated to 4.20.3 for LX4/LX4 Plus or 5.20.3 for LX4 Ultimate; operators are urged to minimize network exposure and place devices behind firewalls.
read more →