< ciso
brief />
Tag Banner

All news with #active exploitation tag

684 articles · page 23 of 35

WatchGuard Warns of Actively Exploited RCE in Firebox

🔒 WatchGuard has issued an urgent advisory for a critical remote code execution vulnerability (CVE-2025-14733) affecting Firebox appliances running Fireware OS 11.x, 12.x and 2025.1 releases. The flaw enables unauthenticated attackers to execute code via an out-of-bounds write when IKEv2 VPN is enabled. WatchGuard reports active exploitation in the wild and provides a temporary workaround for Branch Office VPN configurations where immediate patching is not possible. Administrators are urged to apply vendor updates and review provided indicators of compromise.
read more →

React2Shell: Pre-auth RCE Exposes Front-End Risk in Enterprise

🚨 React2Shell (CVE-2025-55182) is a critical pre-authentication remote code execution flaw affecting React Server Components, Next.js and related frameworks. Exploitable with a single crafted HTTP request that targets the Flight protocol, the bug lets attackers inject and execute arbitrary server-side components, enabling backdoors, crypto miners and ransomware deployment. Researchers at S-RM and the Microsoft Defender team warn default configurations are vulnerable and note some early patches were incomplete; organizations should urgently verify fully patched versions and run forensic checks.
read more →

HPE OneView RCE Vulnerability Demands Immediate Patch

🔴 HPE has issued an urgent advisory for HPE OneView after disclosure of a maximum-severity remote code execution flaw, CVE-2025-37164, that can be triggered by unauthenticated remote actors. The vulnerability affects OneView versions 5.20 through 10.20 and requires an immediate security hotfix. HPE provides separate hotfixes for the virtual appliance and for HPE Synergy Composer; administrators should apply the fixes promptly and, until remediation, restrict management-interface access to trusted administrative networks.
read more →

Clop Targets Internet-Exposed Gladinet CentreStack Servers

🔒 The Clop ransomware gang is actively targeting Internet-exposed Gladinet CentreStack file servers in a new extortion campaign, with incident responders reporting ransom notes on compromised systems. Gladinet has issued multiple security updates since April to address several flaws, some disclosed as zero-days. It remains unclear whether Clop is exploiting a fresh zero-day or targeting unpatched instances. Threat data shows 200+ IPs exposing CentreStack login pages and potentially at risk.
read more →

CISA Adds Critical ASUS Live Update Flaw to KEV Catalog

⚠️ CISA has added a critical vulnerability (CVE-2025-59374, CVSS 9.3) in ASUS Live Update to its Known Exploited Vulnerabilities catalog after identifying evidence of active exploitation tied to a supply-chain compromise. The flaw stems from trojanized installer builds distributed during the 2018 Operation ShadowHammer campaign that could make targeted devices perform unintended actions. ASUS previously remediated the issue in v3.6.8, but the vendor has since declared the client end-of-support; federal agencies are urged to discontinue use by January 7, 2026.
read more →

SonicWall Fixes Actively Exploited SMA 100 Vulnerability

⚠ SonicWall released patches addressing CVE-2025-40602 (CVSS 6.6), a local privilege escalation in the Secure Mobile Access (SMA) 100 Appliance Management Console caused by insufficient authorization. Affected firmware builds prior to 12.4.3-03245 and 12.5.0-02283 have updates available to remediate the issue. SonicWall said the flaw has been actively exploited and has been observed chained with CVE-2025-23006 to achieve unauthenticated remote code execution with root privileges; users should apply fixes immediately.
read more →

SonicWall alerts on SMA1000 zero-day used in attacks

⚠️ SonicWall warns of a medium-severity local privilege escalation in the SonicWall SMA1000 Appliance Management Console (CVE-2025-40602), reported by Google Threat Intelligence researchers Clément Lecigne and Zander Work. The vendor says this LPE was chained in active zero-day attacks with a critical pre-auth deserialization bug (CVE-2025-23006) to execute OS commands and escalate to root. Administrators should apply the vendor hotfix and firmware updates immediately.
read more →

Critical React2Shell Vulnerability Used in Ransomware Attack

🔴 Researchers observed the critical React2Shell vulnerability (CVE-2025-55182) being exploited to gain initial access and deploy the Weaxor ransomware in under a minute. The attacker executed an obfuscated PowerShell command to stage a Cobalt Strike beacon, disabled Windows Defender real‑time protection, and launched the encryptor. Encrypted files used the .WEAX extension while shadow copies were removed and event logs cleared to impede recovery and forensic analysis.
read more →

CISA Adds Three CVEs to Known Exploited Vulnerabilities

🔔 CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The entries are CVE-2025-20393 (Cisco multiple products, improper input validation), CVE-2025-40602 (SonicWall SMA1000, missing authorization), and CVE-2025-59374 (ASUS Live Update, embedded malicious code). These flaws are frequent attack vectors that pose significant risks to federal and nonfederal organizations. Agencies covered by BOD 22-01 must remediate by the required due dates; CISA urges all organizations to prioritize mitigation.
read more →

Russian APT Targets Energy and Critical Infrastructure

🔎 Amazon Threat Intelligence reports a Russian state-sponsored cyber espionage team has increasingly targeted energy providers and other critical infrastructure, operating since at least 2021. The actors have shifted toward exploiting device misconfigurations while continuing to leverage known vulnerabilities such as CVE-2022-26318, CVE-2021-26084, CVE-2023-22518 and CVE-2023-2753. Observed tradecraft includes compromise of network-edge devices hosted on AWS EC2, passive credential capture and credential-replay attacks to move laterally across victim environments. Amazon provides indicators of compromise and specific mitigation guidance, including configuration audits, isolation of management interfaces and deployment of multi-factor authentication.
read more →

FortiGate SSO Vulnerabilities Lead to Credential Theft

🔒 Security researchers and incident response teams warn that threat actors are rapidly exploiting newly disclosed authentication bypass vulnerabilities in Fortinet's FortiOS that affect FortiGate, FortiWeb, FortiProxy and FortiSwitchManager devices. Arctic Wolf reported seeing tens of intrusions since December 12, 2025, and advises that hashed credentials in exfiltrated configurations should be presumed compromised and rotated immediately. CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities list and Fortinet has released patches; administrators are urged to disable FortiCloud SSO until devices are upgraded and to follow Fortinet's hardening guidance.
read more →

Hackers Exploit Fortinet FortiCloud SSO Auth Bypass

🔒 Researchers report active exploitation of two critical FortiCloud SSO authentication bypasses (CVE-2025-59718, CVE-2025-59719) that can grant unauthenticated admin access to multiple Fortinet products. The flaws stem from improper verification of SAML cryptographic signatures, enabling forged assertions to bypass login controls. Attacks observed from December 12 targeted admin accounts and led to exfiltration of system configuration files. Administrators should disable FortiCloud SSO if unable to upgrade and apply vendor patches immediately.
read more →

CISA Adds Fortinet CVE to Known Exploited Vulnerabilities

🔔 CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The vulnerability is described as an improper verification of cryptographic signature affecting multiple Fortinet products and represents a high-risk attack vector. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by mandated due dates. CISA strongly urges all organizations to prioritize timely remediation and apply vendor fixes or mitigations promptly.
read more →

Active Attacks Exploit Fortinet FortiGate SSO Flaws

🔒 Arctic Wolf observed active intrusions on December 12, 2025 exploiting two critical Fortinet authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719). The flaws, both scored 9.8, permit unauthenticated bypass of SSO login via crafted SAML messages when FortiCloud SSO is enabled; Fortinet published patches for FortiOS, FortiWeb, FortiProxy and FortiSwitchManager last week. Attackers used hosting IPs tied to providers such as The Constant Company llc, Bl Networks and Kaopu Cloud Hk Limited to log in as "admin" and export device configurations. Organizations should apply updates immediately, disable FortiCloud SSO until systems are patched, restrict management access and assume compromise if IoCs are present.
read more →

Defending Against CVE-2025-55182 (React2Shell) RCE Threat

🔒 Microsoft Defender researchers describe CVE-2025-55182 (React2Shell), a critical pre-authentication remote code execution vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, a single crafted HTTP POST can result in server-side deserialization of attacker-controlled payloads and arbitrary code execution without authentication. Exploitation was observed beginning December 5, 2025, with attackers delivering coin miners, RATs, and other payloads across Windows and Linux environments. Microsoft urges immediate patching to published fixes, enabling Defender telemetry, and applying Azure WAF rules as compensating controls while broader detection coverage is deployed.
read more →

Google Links Additional Chinese Groups to React2Shell

🔒 Google's Threat Intelligence Group linked five additional China-aligned cyber-espionage groups to active exploitation of the maximum-severity CVE-2025-55182 React2Shell remote code execution flaw affecting React and Next.js server components. Attackers are executing commands and exfiltrating AWS configuration files and credentials from vulnerable hosts; Palo Alto and AWS reported widespread breaches. Shadowserver and GreyNoise are tracking tens of thousands of exposed systems and hundreds of exploit attempts. Organizations should urgently patch affected React 19.0–19.2.0 releases and apply mitigations.
read more →

Weekly Cyber Recap: Apple 0-Days, WinRAR & React Exploits

⚠️ Apple and Google issued urgent patches for two actively exploited zero-days affecting iOS, macOS, Safari and Chrome's ANGLE library, while multiple high‑severity flaws in React, WinRAR, and .NET proxies are being weaponized in live attacks. Researchers also disclosed SOAPwn .NET proxy abuse and a CentreStack/Triofox token‑encryption failure leading to remote code execution. CISA added the WinRAR path‑traversal bug to KEV; LastPass was fined after the 2022 breach. Prioritize immediate patching and validate web and SSO defenses.
read more →

CISA Adds Two Vulnerabilities to KEV Catalog After Evidence

⚠️ CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The entries are CVE-2025-14611 (Gladinet CentreStack and Triofox hard coded cryptographic vulnerability) and CVE-2025-43529 (Apple multiple products use-after-free in WebKit). BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate listed KEV items by the specified due dates, and CISA strongly urges all organizations to prioritize timely remediation.
read more →

CISA Orders Immediate Patching for Critical GeoServer XXE

🚨 CISA has ordered federal agencies to immediately patch GeoServer to address a critical unauthenticated XML External Entity (XXE) flaw, tracked as CVE-2025-58360. The vulnerability (CVSS 9.8) enables attackers to retrieve arbitrary files, trigger SSRF, or cause denial-of-service against affected GeoServer instances. Exploit code has circulated since late November and CISA added the issue to its Known Exploited Vulnerabilities catalog, urging remediation before December 26, 2025.
read more →

CISA Adds Actively Exploited Sierra Wireless Issue

⚠️ CISA has added a high-severity Sierra Wireless AirLink vulnerability, CVE-2018-4063, to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation. The flaw in the ACEManager upload.cgi function permits unrestricted file uploads that can lead to remote code execution, and ACEManager runs with root privileges. Federal agencies are advised to update affected devices to supported versions or discontinue use by January 2, 2026.
read more →