All news with #advisory tag

Rockwell CompactLogix 5370 DoS Vulnerability Advisory

⚠️ Rockwell Automation's CompactLogix 5370 controllers are affected by a denial-of-service vulnerability (CVE-2025-11743) that can produce a major nonrecoverable fault requiring a restart. The issue is triggered by a malformed CIP Forward Open message and has a CVSS v3.1 base score of 6.5. Affected versions include <=34.013, <=35.012, and 36.011; fixed releases include 37.011, 34.016, 35.015, and 36.012. Rockwell reported the issue to CISA; no known public exploitation has been reported and CISA notes the vulnerability is not exploitable remotely. Users unable to upgrade should follow security best practices to limit exposure.

Weintek cMT X Series Privilege Escalation Vulnerabilities

🔒 CISA reports two high-severity vulnerabilities in Weintek cMT X Series HMI devices that allow low-privileged users to escalate privileges and potentially take full control of affected units. Both issues (CVE-2025-14750 and CVE-2025-14751) receive a CVSS 3.1 base score of 8.3. Vendor firmware updates are available for specific models; apply vendor-supplied patches and follow network-segmentation mitigations.

LastPass Warns Users of Fake Maintenance Phishing Campaign

🔔 LastPass is warning users about an active phishing campaign observed from around January 19, 2026, that impersonates the service and urges users to create local backups within 24 hours to harvest master passwords. The messages route recipients through a staged AWS S3 URL that then redirects to a fraudulent domain (mail-lastpass[.]com) and originate from several spoofed support addresses. LastPass said it will never ask for master passwords and is working with partners to take down the malicious infrastructure while urging users to report suspicious messages.

ACME HTTP-01 Path Flaw Temporarily Disabled WAF Rules

🔒 Cloudflare patched a logic flaw in its ACME HTTP-01 handling that could disable certain WAF protections for specific challenge paths. The issue was reported by researchers from FearsOff through Cloudflare’s bug bounty program on October 13, 2025, and affected requests to /.well-known/acme-challenge/*. In some cases, challenge requests could reach customer origins when they should have been blocked because WAF features were incorrectly disabled. Cloudflare implemented a code change to ensure WAF disabling only occurs when Cloudflare will serve a valid ACME challenge response; no customer action is required and there is no known abuse.

Critical Fortinet FortiSIEM Flaw Now Exploited in Attacks

⚠️ Researchers disclosed that a critical Fortinet FortiSIEM vulnerability (CVE-2025-64155) with public proof-of-concept code is being abused in active attacks. Horizon3.ai described the issue as an unauthenticated OS command injection via exposed phMonitor command handlers that enables arbitrary writes and escalation to root, and Fortinet released security updates plus a port-restriction workaround for phMonitor (7900). Administrators should upgrade affected FortiSIEM versions 6.7 through 7.5 to the patched releases and review phMonitor logs for indicators of compromise.

Cisco Patches AsyncOS Zero-Day Targeting SEG/SEWM Appliances

🔒 Cisco has released a fix for a maximum-severity AsyncOS zero-day (CVE-2025-20393) that has been exploited since November 2025. The flaw impacts Cisco Secure Email Gateway and Secure Email and Web Manager appliances with non-standard configurations when the Spam Quarantine feature is exposed to the internet, permitting arbitrary command execution as root. Cisco Talos links the intrusions to a Chinese-nexus actor tracked as UAT-9686, which deployed persistence and tunneling implants and a log-wiping utility. CISA has added the vulnerability to its known exploited vulnerabilities catalog and ordered federal remediation under BOD 22-01.

RondoDox Botnet Escalates Exploitation of HPE OneView

⚠️ Check Point Research links the Linux-based RondoDox botnet to a coordinated exploitation campaign against HPE OneView, leveraging the critical RCE flaw CVE-2025-37164. The vulnerability, published to the NVD on 16 December 2025 and rated by HPE with a CVSS 3.1 score of 10, has been the subject of tens of thousands of automated attack attempts. Check Point reported blocking more than 40,000 hits on 7 January 2026 and urged organizations to patch immediately and implement compensating controls.

Windows 11 23H2 Shutdown Issue After January Security Update

⚠️ Microsoft has confirmed that the January 13, 2026 cumulative update (KB5073455) can prevent some Windows 11, version 23H2 devices with System Guard Secure Launch enabled from shutting down or entering hibernation, causing them to restart instead. The issue is limited to Enterprise and IoT editions where the update is offered. Microsoft recommends the temporary workaround shutdown /s /t 0 for shutdowns and warns there is currently no hibernation workaround. Users should save work and perform manual shutdowns to avoid battery drain.

Cisco patches critical AsyncOS RCE exploited by APT

🔒 Cisco has released patches for a maximum-severity remote command execution vulnerability (CVE-2025-20393, CVSS 10.0) in AsyncOS that affects Cisco Secure Email Gateway and Secure Email and Web Manager. The defect stems from insufficient validation of HTTP requests in the Spam Quarantine feature and can allow arbitrary commands to run as root when the feature is enabled and reachable from the internet. Cisco says a China-nexus APT tracked as UAT-9686 exploited the bug in the wild, deploying tunneling tools, a log-cleaner and a Python backdoor, and that fixes remove persistence artifacts. Administrators should apply the provided fixed releases and follow the vendor's hardening guidance to restrict access and monitor for anomalous activity.

Reprompt: One-click exfiltration via Microsoft Copilot

🔐 Researchers at Varonis Threat Labs uncovered 'Reprompt', a one-click attack that abuses Microsoft Copilot Personal by embedding prompts in URLs and using follow-up server requests to exfiltrate data. It combines a URL 'q' parameter injection, a double-request bypass of initial sanitization, and chained server instructions to siphon conversation history and files without further user interaction. Microsoft issued a patch; organizations should treat prefilled prompts as untrusted and enforce continuous authentication, least privilege, prompt hygiene, auditing, and anomaly detection.

Palo Alto patches PAN-OS after new DoS flaw revealed

🔒 Palo Alto Networks has released patches for PAN-OS after a researcher disclosed CVE-2026-0227, a high-severity (CVSS 7.7) vulnerability in GlobalProtect gateway and portal components that can trigger a denial-of-service and force affected firewalls into maintenance mode. The vendor reports no known in-the-wild exploitation but acknowledges proof-of-concept code exists. Prisma Access customers have largely been upgraded; on-premises NGFWs must apply vendor updates per the posted remediation table. There are no official workarounds; temporarily disabling the VPN interface may reduce risk while patching.

Modular DS WordPress Flaw Lets Attackers Gain Admin

🔒 Hackers are actively exploiting a maximum-severity authentication bypass in the Modular DS WordPress plugin (CVE-2026-23550) to gain admin-level access on vulnerable installs. The flaw affects versions 2.5.1 and earlier and was first observed in the wild on January 13; the vendor released a fix in version 2.5.2 shortly after disclosure. Site owners should update immediately, review server logs, verify admin accounts, and regenerate WordPress salts after patching.

Global Agencies Publish Secure Connectivity Guidance for OT

🔐 The US Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC) and the Federal Bureau of Investigation (FBI), alongside international partners, have released principles to secure operational technology (OT) connectivity. Led by NCSC-UK, the guidance offers a shared framework to design and manage secure connectivity across OT environments. It emphasizes embedding cybersecurity into network design to reduce exposure to both state-backed and opportunistic adversaries. The document warns that increased interconnection brings benefits such as real-time analytics and predictive maintenance, but also raises risks that could cause physical harm, environmental damage or service disruption.

AVEVA Process Optimization: Multiple Critical Flaws

⚠️ AVEVA has released patches for multiple vulnerabilities in Process Optimization that could allow remote code execution, SQL injection, privilege escalation, and disclosure of sensitive data. The most severe, CVE-2025-61937, permits unauthenticated remote code execution at OS System privileges (CVSS 10.0). AVEVA's remediation requires updating to Process Optimization v2025; CISA and the vendor also recommend firewall restrictions, ACLs, and ensuring encrypted channels.

FortiSIEM phMonitor Command Injection: CVE-2025-64155

⚠️ A critical command injection vulnerability in Fortinet FortiSIEM (phMonitor, tracked as CVE-2025-64155) enables unauthenticated attackers to inject commands and write files that are executed as the root user. Exploit code was disclosed publicly after a responsible disclosure to Fortinet in August 2025, and researchers warn the flaw may have allowed remote root access for nearly three years. Fortinet has released patched builds and advises restricting access to TCP port 7900 and applying updates immediately.

Palo Alto Warns of DoS Flaw That Can Disable Firewalls

⚠️ Palo Alto Networks patched a high-severity flaw (CVE-2026-0227) in PAN-OS that can allow unauthenticated actors to trigger a denial-of-service, forcing affected firewalls into maintenance mode when GlobalProtect gateway or portal features are enabled. The issue impacts PAN-OS 10.1 and later and some Prisma Access configurations; most cloud Prisma Access instances have been upgraded. Administrators should apply vendor-supplied fixes for their PAN-OS branch immediately to prevent potential disruptions.

CISA: Active Exploitation of Gogs Path Traversal Flaw

⚠️ CISA has added CVE-2025-8110 to its Known Exploited Vulnerabilities catalog after reports of active exploitation targeting Gogs. The high-severity (CVSS 8.7) flaw is a path traversal in the repository file editor's PutContents API that mishandles symbolic links and can lead to remote code execution. There is not yet an official upstream patch, though GitHub pull requests show fixes have been merged and maintainers say new images will include the correction once built. Until patched, users should disable default open-registration, restrict server access behind VPNs or allow-lists, and apply other access controls; FCEB agencies must implement mitigations by Feb 2, 2026.

CISA Orders Federal Patch for Gogs RCE Zero-Day Exploit

⚠️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a high-severity remote code execution flaw in Gogs tracked as CVE-2025-8110. The issue is a path traversal weakness in the PutContents API that lets authenticated attackers overwrite files outside repositories via symbolic links, enabling arbitrary command execution. Patches released last week add symlink-aware path validation; agencies must remediate by February 2, 2026. Administrators are advised to disable default open registration and restrict server access.

CISA Adds Gogs Path Traversal to KEV Catalog - Remediate

⚠️ CISA added CVE-2025-8110 to its Known Exploited Vulnerabilities (KEV) Catalog for a Gogs path traversal vulnerability after evidence of active exploitation. The advisory cites BOD 22-01 requirements for Federal Civilian Executive Branch agencies to remediate cataloged KEV entries by the due date. CISA strongly urges all organizations to prioritize timely patching to reduce exposure. CISA will continue to add vulnerabilities that meet the specified criteria.

CISA Retires Ten Emergency Directives, Strengthening Security

🛡️ CISA announced the retirement of ten Emergency Directives issued between 2019 and 2024 after required mitigations were implemented or their coverage was incorporated into BOD 22-01 and CISA's Known Exploited Vulnerabilities catalog. The closures include directives tied to specific CVEs and high-profile incidents such as SolarWinds and Exchange. CISA said the action reflects strengthened federal remediation, operational collaboration, and continued emphasis on Secure by Design principles.