All news with #arbitrary file write tag

Festo Didactic: TIA Portal Path Traversal Vulnerability

🔒 Festo reported a path traversal vulnerability in Siemens TIA Portal (V15–V18) as deployed on Festo Didactic hardware. Tracked as CVE-2023-26293 with a CVSS v3.1 base score of 7.8, the flaw can allow creation or overwriting of arbitrary files and could lead to arbitrary code execution if a user opens a crafted project file. The issue requires user interaction and is not remotely exploitable; Festo and CISA recommend applying Siemens updates and following standard protections against malicious files and social engineering.

Critical Flaws in King Addons for Elementor Risk Takeover

⚠️ King Addons for Elementor, installed on over 10,000 WordPress sites, contains two unauthenticated critical vulnerabilities that can enable full site takeover. Patchstack identified an arbitrary file upload (CVE-2025-6327) and a registration-based privilege escalation (CVE-2025-6325) that allow remote attackers to place files in web-accessible directories and create administrative accounts. The vendor released version 51.1.37 to add a role allowlist, input sanitization, upload permission checks and stricter file-type validation — administrators should update immediately and verify whether the 'King Addons Login | Register Form' widget is active.

AutomationDirect Productivity Suite: Multiple High-Risk Flaws

⚠️ AutomationDirect's Productivity Suite and several Productivity PLC models contain multiple high-severity vulnerabilities — including relative path traversal (ZipSlip), a weak password recovery mechanism, incorrect permission assignment, and binding to an unrestricted IP address. Exploitation could allow remote attackers to read, write, or delete files, execute arbitrary code, or gain full control of projects. AutomationDirect has released updates (Productivity Suite v4.5.0.x and newer) and recommends applying the latest firmware and implementing network isolation and firewall/NAC controls if immediate upgrades are not possible.

Critical TAR parsing bug found in popular Rust libraries

🛡️ Researchers at Edera disclosed a critical boundary-parsing flaw called TARmageddon (CVE-2025-62518) in the async-tar family and many forks, including the widely used tokio-tar. The desynchronization bug can smuggle extra archive entries during nested TAR extraction, enabling file overwrites that may lead to Remote Code Execution or supply-chain compromise. Administrators should patch affected forks, consider migrating to the patched astral-tokio-tar ≥0.5.6, and scan Rust-built applications for exposure.

TARmageddon: High-Severity Flaw in async-tar Rust ecosystem

⚠️Researchers disclosed a high-severity vulnerability (CVE-2025-62518, CVSS 8.1) in the async-tar Rust library and forks such as tokio-tar that can enable remote code execution via file-overwrite attacks when processing nested TAR archives. Edera, which found the issue in late August 2025, attributes the problem to inconsistent PAX/ustar header handling that allows attackers to 'smuggle' additional entries by exploiting size overrides. Because tokio-tar appears unmaintained, users are advised to migrate to astral-tokio-tar v0.5.6, which patches the boundary-parsing vulnerability affecting projects like testcontainers and wasmCloud.

Rockwell Automation PanelView and FactoryTalk ME Flaws

🔒 Rockwell Automation disclosed vulnerabilities in FactoryTalk View Machine Edition and PanelView Plus 7 that can allow unauthorized access to device file systems and diagnostic data. CVE-2025-9064 is a network-exploitable path traversal issue; CVE-2025-9063 is an improper-authorization flaw tied to an ActiveX control. Rockwell recommends installing provided firmware and software updates, and CISA advises minimizing network exposure, isolating control networks, and using secure remote access.

CrowdStrike Falcon Blocks Git Vulnerability CVE-2025-48384

🔒 CrowdStrike has identified active exploitation of Git vulnerability CVE-2025-48384 and confirms that Falcon detections can block the observed attack chain. The vulnerability, which affects macOS and Linux, arises from inconsistent handling of carriage return characters in configuration and submodule path parsing and can enable arbitrary file writes during a recursive clone. Observed attacks combined social engineering with malicious repositories that place crafted .gitmodules entries and submodule hooks to execute post-checkout scripts. CrowdStrike urges organizations to patch Git, enable layered protections, deploy provided detection rules and hunting queries, and use Falcon Insight XDR prevention settings to reduce exposure.

SAP issues patches for NetWeaver deserialization RCE

🔒 SAP has released security updates addressing 13 vulnerabilities, including a maximum-severity insecure deserialization flaw in NetWeaver AS Java (CVE-2025-42944, CVSS 10.0) that can lead to arbitrary OS command execution via the RMI‑P4 module. The vendor's latest patch adds a JVM-wide serial filter (jdk.serialFilter) to block dangerous classes and packages — a list curated with the ORL and recommended by security firm Onapsis — and complements an earlier remediation issued last month. Other critical fixes include a directory traversal in SAP Print Service (CVE-2025-42937, 9.8) and an unrestricted file upload in SAP Supplier Relationship Management (CVE-2025-42910, 9.0); administrators are urged to apply patches and mitigations immediately.

New Chinese Group Hijacks IIS Servers for SEO Fraud

🔍 Cisco Talos warns a Chinese‑speaking threat group tracked as UAT-8099 is actively compromising misconfigured Microsoft IIS servers to run SEO fraud and harvest high-value data. The actors favor high-reputation domains in universities, technology firms, and telecom providers across India, Thailand, Vietnam, Canada and Brazil to reduce detection. They exploit unrestricted file uploads to install web shells, escalate a guest account to admin, enable RDP and deploy the BadIIS SEO malware, then persist with hidden accounts and VPN/backdoor tools. Talos has published indicators and mitigation guidance, including blocking script execution in upload folders, disabling RDP and enabling MFA.

TOTOLINK X6000R Router: Multiple Firmware Vulnerabilities

⚠️ TOTOLINK X6000R routers running firmware V9.4.0cu.1360_B20241207 contain three vulnerabilities that enable argument injection, unauthenticated command execution, and sanitization bypasses leading to file corruption or persistent denial-of-service. The most severe, CVE-2025-52906, is an unauthenticated command injection rated Critical (CVSS 9.3). TOTOLINK has released updated firmware and users should apply the patch immediately while defenders use device visibility and threat prevention to detect exploitation.

Schneider Electric SESU Link-Following Flaw CVE-2025-5296

⚠ Schneider Electric has released an update addressing a link‑following vulnerability (CVE‑2025‑5296) in SESU that could allow an authenticated, low‑privileged actor to write arbitrary data to protected locations. The issue, rated CVSS v3.1 base score 7.3, affects SESU versions prior to 3.0.12 and numerous Schneider Electric products that bundle SESU. Version 3.0.12 contains the fix; apply the update or restrict access to the installation directory and follow CISA mitigation guidance.

Talos Threat Source: Community, Ransomware, and Events

🔗 The latest Threat Source newsletter reflects on the value of the cybersecurity community after Black Hat USA 2025 and DEF CON 33, encouraging practitioners to seek local, affordable alternatives like Bsides, student clubs and hackathons. It summarizes Talos telemetry showing a 1.4× surge in ransomware activity in Japan during H1 2025, with Qilin most active and the new actor Kawa4096 emerging. The edition also highlights major headlines such as an exploited Git vulnerability, updated CISA SBOM guidance, and early reports of an AI-powered ransomware project called PromptLock.

Docker fixes critical container escape CVE-2025-9074

🚨Docker has released an urgent patch for CVE-2025-9074, a critical container escape flaw in Docker Desktop for Windows and macOS that carries a CVSS score of 9.3. A malicious container could reach the Docker Engine API at 192.168.65.7:2375 without authentication, create and start new containers that bind the host C:\ drive and thereby access or modify host files. The issue is fixed in version 4.44.3; Enhanced Container Isolation (ECI) does not mitigate the vulnerability. Linux desktop installations are not affected because they use a host named pipe instead of a TCP socket.