< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2054 articles · page 96 of 103

Phoenix RowHammer Bypasses DDR5 Protections in 109s

⚠️ Researchers at ETH Zürich and Google disclosed a RowHammer variant named Phoenix (CVE-2025-6202) that reliably induces bit flips on SK Hynix DDR5 devices and bypasses on-die ECC and advanced TRR protections. The team demonstrated an end-to-end privilege escalation on a production desktop with default DDR5 settings in as little as 109 seconds. Phoenix takes advantage of refresh intervals that mitigation logic does not sample, enabling flips across DIMM stacks produced between 2021 and 2024. Because DRAM chips cannot be updated in the field, the researchers recommend increasing the DRAM refresh rate to 3× as an immediate mitigation and urge vendors to pursue firmware and hardware countermeasures.
read more →

Apple releases September 2025 OS updates with patches

🔒 Apple published iOS 26, iPadOS 26 and macOS 26 updates that patch multiple vulnerabilities but did not report active exploitation. The releases address 27 defects in iOS/iPadOS and 77 in macOS, and also include fixes across Safari, watchOS, visionOS and Xcode. Users who prefer not to upgrade to the year-numbered releases can apply security-only updates — iOS 18.7, iPadOS 18.7 or macOS 15.7 — while many devices from 2019 or earlier are not supported. Trend Micro’s Dustin Childs said he saw no sign of active exploitation in this batch, though macOS fixes for PackageKit and StorageKit are notable because exploitation could yield root privileges.
read more →

Critical RCE in Delmia Apriso Triggers Urgent Patching

⚠ A critical remote code execution flaw, CVE-2025-5086, has been observed being exploited in the wild against Delmia Apriso, Dassault Systèmes' manufacturing operations platform. CISA added the issue to its Known Exploited Vulnerabilities catalog with a CVSS score of 9.0, yet the vendor has provided minimal public guidance. Researchers report exploit scans and a circulating sample that was detected by only one AV engine, underscoring urgent patching challenges for manufacturers.
read more →

Phoenix Rowhammer Bypass Targets DDR5 TRR Defenses

🧨 Researchers have developed Phoenix, a new Rowhammer variant that defeats DDR5 TRR protections on SK Hynix modules by synchronizing and self-correcting against missed refresh intervals. After reverse-engineering TRR behavior, the team identified refresh slots that were not sampled and used precise hammering patterns covering 128 and 2,608 refresh intervals to flip bits. In tests they flipped bits across all tested DIMMs and produced a working privilege-escalation exploit, achieving a root shell on commodity DDR5 systems in under two minutes. The authors published an academic paper and an FPGA-based repository with experiments and proof-of-concept code.
read more →

Supporting Rowhammer Research to Strengthen DDR5 Mitigations

🔬 Google funded and collaborated on open-source DDR5 Rowhammer test platforms and academic research to evaluate current in-DRAM mitigations. Working with Antmicro and ETH Zurich, the team produced FPGA-based RDIMM and SO‑DIMM testers and used them to discover the Phoenix attack family, which includes a self-correcting refresh synchronization technique that can bypass enhanced TRR on some DDR5 modules. Google also led JEDEC standardization work on PRAC to enable deterministic row-activation counting and continues to share tools and findings to improve defenses.
read more →

Microsoft removes upgrade block for Windows 11 audio

🔧 Microsoft has removed a safeguard hold that blocked upgrades to Windows 11 24H2 on devices running Dirac audio enhancement software after reports that the component cridspapo.dll caused integrated speakers and Bluetooth audio devices to stop working. A new driver is available via Windows Update and Microsoft recommends installing the latest security update; restarting the device may speed the offering. The safeguard hold was lifted on September 11, 2025, but other upgrade blocks remain for unrelated driver and software incompatibilities.
read more →

Microsoft: September Windows Updates Break SMBv1 Shares

⚠️Microsoft confirmed that the September 2025 Windows security updates can break connections to SMBv1 shares when NetBIOS over TCP/IP (NetBT) is used. The issue affects client releases (Windows 11 24H2/23H2/22H2, Windows 10 22H2/21H2) and server releases (Windows Server 2025, 2022) and may occur if either the SMB client or server has the update. As a temporary workaround, administrators are advised to allow SMB traffic on TCP port 445 so Windows can switch from NetBT to TCP. Microsoft is investigating and developing a fix.
read more →

Samsung image library flaw enables zero-click RCE exploit

📸 Samsung disclosed a critical remote code execution vulnerability in a closed-source image-parsing library, libimagecodec.quram.so, supplied by Quramsoft that affects devices running Android 13–16. The out-of-bounds write (CVE-2025-21043, CVSS 8.8) can be triggered by a specially crafted image and has been exploited in the wild. Messaging apps are a likely vector and the flaw can operate as a zero-click backdoor. Samsung released an SMR Sep-2025 Release 1 patch; enterprises should prioritize deployment.
read more →

VMScape: Spectre-BTI Variant Breaks VM Isolation in VMs

🔒 Researchers have demonstrated VMScape, a Spectre-like branch target injection attack that breaks guest-to-host isolation on AMD and Intel CPUs in virtualized environments. The proof-of-concept targeted KVM/QEMU in its default configuration and extracted host disk encryption keys from an AMD Zen 4 system. Tracked as CVE-2025-40300, mitigations include inserting an Indirect Branch Prediction Barrier (IBPB) on VMEXIT, which maintainers report causes only marginal performance impact. The vulnerability highlights that existing Spectre-BTI defenses and microcode updates are insufficient in some virtualized deployments, particularly on AMD Zen microarchitectures.
read more →

CISA Warns of Active Exploitation of Dassault RCE Now

⚠ CISA has added a critical remote code execution flaw in DELMIA Apriso to its Known Exploited Vulnerabilities list as CVE-2025-5086, warning that attackers are actively exploiting the issue. The vulnerability is a deserialization of untrusted data that can lead to RCE when vulnerable endpoints process crafted SOAP requests containing a Base64-encoded, GZIP-compressed .NET executable embedded in XML. Dassault Systèmes confirmed the bug affects Releases 2020–2025; CISA has given federal agencies until October 2 to apply updates or mitigations or to cease using the product.
read more →

Samsung fixes libimagecodec zero-day CVE-2025-21043

⚠️ Samsung released its monthly Android security update addressing a critical zero-day, CVE-2025-21043, a high-severity (CVSS 8.8) out-of-bounds write in libimagecodec.quram.so that can enable remote arbitrary code execution. The company says the flaw affects Android 13–16 and was privately disclosed on August 13, 2025. The affected library is a closed-source image parser from Quramsoft and the patch corrects an incorrect implementation. Samsung acknowledged an exploit exists in the wild but did not provide attack specifics.
read more →

HybridPetya Bootkit Bypasses Secure Boot on UEFI Systems

🔒 ESET researchers identified HybridPetya, a new ransomware strain that blends Petya-style MFT encryption with a UEFI bootkit that can bypass Secure Boot by abusing a patched flaw (CVE-2024-7344) in the Howyar Reloader EFI component. The malware installs a malicious EFI application, uses a three-state flag to track encryption and ransom status, displays a fake CHKDSK screen, and demands $1,000 in Bitcoin. Select variants load a cloak.dat payload into reloader.efi to evade integrity checks; Microsoft revoked the vulnerable binary via dbx updates. ESET found no evidence of widespread active abuse but warned Secure Boot bypasses are increasingly common and urged prompt patching and boot integrity monitoring.
read more →

DELMIA Apriso critical CVE-2025-5086 enables RCE in the wild

⚠️ CISA added a critical deserialization vulnerability, CVE-2025-5086, affecting Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) releases 2020–2025 to its KEV catalog following evidence of active exploitation. The flaw can allow remote code execution via the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint when attackers send a Base64 payload that decodes to a GZIP-compressed Windows DLL. Observed attacks delivered a DLL identified by Kaspersky as Trojan.MSIL.Zapchast.gen, capable of spying and exfiltrating data. FCEB agencies are urged to apply updates by October 2, 2025, to secure their networks.
read more →

Samsung patches actively exploited zero-day in image codec

🔒 Samsung has released a patch for a critical remote code execution vulnerability tracked as CVE-2025-21043 that was actively exploited on Android devices. Reported by Meta and WhatsApp security teams on August 13, the flaw stems from an out-of-bounds write in libimagecodec.quram.so, a closed-source Quramsoft image parser, and affects devices running Android 13 and later. Samsung’s advisory notes an exploit was observed in the wild and that other messaging apps using the vulnerable library could also be at risk; users should apply the September SMR update promptly.
read more →

Cursor Code Editor Flaw Enables Silent Code Execution

⚠ Cursor, an AI-powered fork of Visual Studio Code, ships with Workspace Trust disabled by default, enabling VS Code-style tasks configured with runOptions.runOn: 'folderOpen' to auto-execute when a folder is opened. Oasis Security showed a malicious .vscode/tasks.json can convert a casual repository browse into silent arbitrary code execution with the user's privileges. Users should enable Workspace Trust, audit untrusted projects, or open suspicious repos in other editors to mitigate risk.
read more →

VMScape: Spectre-like VM-to-host data leak on CPUs

🔓 Researchers at ETH Zurich disclosed VMScape, a Spectre-like speculative-execution attack that lets a malicious VM extract secrets from an unmodified QEMU hypervisor running on many modern AMD and some Intel CPUs. The exploit abuses shared branch-prediction structures and a FLUSH+RELOAD side channel to induce speculative disclosure. It works without host compromise and bypasses default mitigations; vendors and Linux developers released advisories and kernel patches to mitigate the issue.
read more →

Daikin Security Gateway: Weak Password Recovery Flaw

🔓 CISA published an advisory describing an authorization bypass in Daikin Security Gateway devices that abuses a weak password recovery mechanism. The vulnerability, tracked as CVE-2025-10127, is remotely exploitable with low complexity and carries a CVSS v4 score of 8.8; public proof‑of‑concept code exists. Daikin has indicated it will not issue a vendor-wide patch and will handle customer inquiries directly; CISA recommends isolating affected devices, placing them behind firewalls, and using secure, up-to-date VPNs or other hardened remote access controls.
read more →

Siemens IEM-OS DoS Vulnerability (CVE-2025-48976) Advisory

⚠️ Siemens Industrial Edge Management OS (IEM-OS) contains an allocation-of-resources vulnerability in Apache Commons FileUpload that can be triggered remotely to cause a denial-of-service condition. The issue is tracked as CVE-2025-48976 with a CVSS v4 base score of 8.7 and a CVSS v3.1 vector indicating an availability-only impact. Siemens reports all IEM-OS versions affected and recommends migrating to IEM-V, limiting access to trusted systems, and following Siemens' operational security guidance. CISA reiterates minimizing network exposure, using network segmentation and firewalls, and employing secure remote access methods.
read more →

Siemens SIMOTION Tools Privilege Escalation Advisory

🛡️ Siemens reports a local privilege escalation vulnerability affecting SIMOTION Tools installers that use an affected NSIS setup component. The flaw (CWE-754) in Nullsoft Scriptable Install System (NSIS) before 3.11 can allow an unprivileged user to gain SYSTEM privileges during installation by exploiting a race condition. The issue is tracked as CVE-2025-43715 with a CVSS v3.1 base score of 8.1. No vendor fix is available yet; Siemens and CISA offer mitigations and hardening guidance.
read more →

Schneider Electric Modicon M340: Files Accessible Issue

🔒 Schneider Electric disclosed a Files or Directories Accessible to External Parties vulnerability affecting Modicon M340 devices and the BMXNOE0100/BMXNOE0110 Ethernet modules that could allow remote actors to remove files, block firmware updates, and disrupt the device webserver. The issue is tracked as CVE-2024-5056 with a CVSS v4 base score of 6.9. Schneider released firmware fixes for BMXNOE0100 (SV3.60) and BMXNOE0110 (SV6.80) and recommends immediate mitigations including network segmentation, disabling FTP when not required, and configuring Access Control Lists per the device manual. CISA also advises isolating control networks, minimizing internet exposure, and using VPNs for remote access.
read more →