CISO Brief

All news with #arbitrary file write tag

12 articles

Siemens ROS# Path Traversal Vulnerability — Update to 2.2.2

🔒 A path traversal flaw exists in the ROS# file_server prior to 2.2.2, allowing attackers to read and write arbitrary files accessible to the account running the service. The issue arises from improper input sanitization and is tracked as CWE-23 with a CVSS v3 score of 9.1. Siemens released 2.2.2 as the vendor fix and recommends immediate updates. Temporary mitigations include running the service only on trusted networks and with restricted user rights.

Critical file upload flaw exploited in Breeze Cache

⚠️ Researchers warn that a critical vulnerability (CVE-2026-3844) in the Breeze Cache WordPress plugin allows unauthenticated attackers to upload arbitrary files via the fetch_gravatar_from_remote function. Exploitation can lead to remote code execution and complete site takeover, but successful attacks require the optional 'Host Files Locally - Gravatars' add-on to be enabled. Cloudways released a patch in version 2.4.5; administrators should update immediately or disable the add-on until patched.

GIGABYTE Control Center has critical file-write flaw

⚠️ The GIGABYTE Control Center contains a critical arbitrary file-write vulnerability (CVE-2026-4415) affecting versions 25.07.21.01 and earlier when the pairing feature is enabled. Taiwan's CERT warns unauthenticated remote attackers could write files anywhere on the underlying OS, enabling arbitrary code execution, privilege escalation, or denial-of-service. GIGABYTE released version 25.12.10.01 with fixes for download path management, message processing, and command encryption and strongly advises immediate upgrade; users should obtain installers only from the vendor portal to avoid trojanized packages.

Unauthenticated File-Upload Flaw in Ceragon Siklu Devices

⚠️ A vulnerability in Ceragon / Siklu EtherHaul and MultiHaul microwave antennas allows unauthenticated uploads to any writable path via the rfpiped service on TCP port 555. File metadata uses weak encryption while file contents are transmitted in cleartext, and no authentication or path validation is performed. The issue is tracked as CVE-2025-57176 with a CVSS v3.1 base score of 5.3. Vendor firmware updates are available and should be applied promptly.

Cisco Flags More Catalyst SD-WAN Flaws as Actively Exploited

🔔 Cisco has warned that two additional Catalyst SD-WAN Manager vulnerabilities — a high-severity arbitrary file overwrite (CVE-2026-20122) and a medium-severity information disclosure flaw (CVE-2026-20128) — are being actively exploited. The file-overwrite vulnerability can be triggered remotely by attackers with valid read-only API credentials; the information-disclosure issue requires local vManage credentials. Cisco says the flaws affect the software regardless of device configuration and urges administrators to upgrade to fixed releases immediately.

RealHomes CRM Plugin Flaw Patched After Site Takeovers

⚠️ A critical flaw in the RealHomes CRM WordPress plugin—bundled with the widely used RealHomes theme and present on more than 30,000 sites—allowed any logged-in user with Subscriber access or higher to upload arbitrary files via a CSV import. Assigned CVE-2025-67968, the bug affected versions 1.0.0 and earlier and could lead to full site takeover. Developers released v1.0.1, adding a current_user_can check and file-type validation via wp_check_filetype; users should update immediately.

Critical AdonisJS bodyparser Path Traversal Risks File Write

🚨 Maintainers of @adonisjs/bodyparser urge immediate updates after disclosure of CVE-2026-21440, a critical path traversal flaw that can enable attackers to write arbitrary files via unsanitized multipart filenames. The vulnerability stems from MultipartFile.move(location, options) defaulting to client-supplied names when the options.name is omitted. Exploitation requires a reachable upload endpoint and can lead to file overwrite and possible RCE depending on deployment, filesystem permissions, and overwrite settings.

CISA Adds One Vulnerability to Known Exploited Catalog

🔒 CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The listed issue, CVE-2018-4063, affects Sierra Wireless AirLink ALEOS and involves an unrestricted upload of files with dangerous types, a common attack vector. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by prescribed deadlines, and CISA urges all organizations to prioritize timely remediation to reduce exposure.

Unpatched Gogs Zero-Day Actively Exploited on 700+ Hosts

⚠️ A high-severity unpatched vulnerability in Gogs (tracked as CVE-2025-8110, CVSS 8.7) is under active exploitation, with Wiz reporting more than 700 compromised internet-facing instances. The flaw is a file-overwrite bug in the PutContents API that mishandles symbolic links, enabling attackers to overwrite arbitrary files and achieve local code execution. A vendor fix is reportedly in development; operators should disable open registration, limit exposure, and scan for randomly named repositories.

Critical Flaws in King Addons for Elementor Risk Takeover

⚠️ King Addons for Elementor, installed on over 10,000 WordPress sites, contains two unauthenticated critical vulnerabilities that can enable full site takeover. Patchstack identified an arbitrary file upload (CVE-2025-6327) and a registration-based privilege escalation (CVE-2025-6325) that allow remote attackers to place files in web-accessible directories and create administrative accounts. The vendor released version 51.1.37 to add a role allowlist, input sanitization, upload permission checks and stricter file-type validation — administrators should update immediately and verify whether the 'King Addons Login | Register Form' widget is active.

CrowdStrike Falcon Blocks Git Vulnerability CVE-2025-48384

🔒 CrowdStrike has identified active exploitation of Git vulnerability CVE-2025-48384 and confirms that Falcon detections can block the observed attack chain. The vulnerability, which affects macOS and Linux, arises from inconsistent handling of carriage return characters in configuration and submodule path parsing and can enable arbitrary file writes during a recursive clone. Observed attacks combined social engineering with malicious repositories that place crafted .gitmodules entries and submodule hooks to execute post-checkout scripts. CrowdStrike urges organizations to patch Git, enable layered protections, deploy provided detection rules and hunting queries, and use Falcon Insight XDR prevention settings to reduce exposure.

Schneider Electric SESU Link-Following Flaw CVE-2025-5296

⚠️ Schneider Electric has released an update addressing a link-following vulnerability (CVE-2025-5296) in SESU that could allow an authenticated, low-privileged actor to write arbitrary data to protected locations. The issue, rated CVSS v3.1 base score 7.3, affects SESU versions prior to 3.0.12 and numerous Schneider Electric products that bundle SESU. Version 3.0.12 contains the fix; apply the update or restrict access to the installation directory and follow CISA mitigation guidance.