All news with #command injection tag

Opto 22 GRV-EPIC and groov RIO: Remote RCE Vulnerability

⚠️ A remotely exploitable OS command injection in the Opto 22 Groov Manage REST API allows attackers with administrative credentials to inject shell commands that execute as root on affected GRV-EPIC and groov RIO devices. The issue is tracked as CVE-2025-13087 and carries a CVSS v4 base score of 7.5. Opto 22 has released firmware 4.0.3 to address the flaw; users should apply the update promptly. CISA also recommends isolating control networks, minimizing Internet exposure, and monitoring API and system logs for suspicious activity.

CISA Adds Two Vulnerabilities to KEV Catalog — Nov 2025

🔔 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-11371 affecting Gladinet CentreStack and Triofox (files or directories exposed to external parties), and CVE-2025-48703 affecting CWP Control Web Panel (OS command injection). These entries reflect evidence of active exploitation and elevated risk. CISA urges timely remediation under BOD 22-01 and recommends organizations prioritize patching, mitigations, and compensating controls.

CISA Adds Two Dassault DELMIA Apriso Vulnerabilities

🔒 CISA added two vulnerabilities to its Known Exploited Vulnerabilities Catalog affecting Dassault Systèmes DELMIA Apriso. The issues—CVE-2025-6204 (code injection) and CVE-2025-6205 (missing authorization)—have evidence of active exploitation and pose significant risk. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed CVEs by the required due dates. CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.

Critical and High Flaws Found in TP-Link VPN Routers

🔒 Researchers at Forescout’s Vedere Labs have disclosed two vulnerabilities in TP-Link Omada and Festa VPN routers that enable command injection and potential unauthorized root access. The flaws are tracked as CVE-2025-7850 (critical, CVSS v4.0 9.3) and CVE-2025-7851 (high, CVSS v4.0 8.7) and stem from an incomplete 2024 fix that left debug functionality and alternate attack paths. TP-Link has published firmware updates; Vedere Labs urges immediate patching and additional mitigations including WAFs, disabling remote admin, and improved monitoring.

TP-Link Omada Gateways Vulnerable to Critical RCE Flaw

⚠️ TP-Link has disclosed two command injection vulnerabilities affecting Omada gateway devices that allow execution of arbitrary OS commands. One issue, CVE-2025-6542 (CVSS 9.3), can be exploited remotely without authentication; the other, CVE-2025-6541 (CVSS 8.6), requires access to the web management interface. Thirteen models are listed as impacted and TP-Link has released firmware updates to address the flaws; administrators are urged to apply patches and verify configurations after upgrading.

Legacy Flaws in Network Edge Devices Threaten Orgs Today

🔒 Enterprises' network edge devices — firewalls, VPNs, routers, and email gateways — are increasingly being exploited due to longstanding 1990s‑era flaws such as buffer overflows, command and SQL injections. Researchers tracked dozens of zero‑day exploits in 2024 and continuing into 2025 that affected vendors including Fortinet, Palo Alto Networks, Cisco, Ivanti, and others. These appliances are attractive targets because they are remotely accessible, often lack endpoint protections and centralized logging, and hold privileged credentials, making them common initial access vectors for state‑affiliated actors and ransomware groups.

OpenPLC and Planet WGR-500: Multiple Vulnerabilities

⚠️ Cisco Talos disclosed vulnerabilities affecting OpenPLC and the Planet WGR-500 industrial router, including a ModbusTCP denial-of-service and multiple critical flaws in HTTP-handling functions. The OpenPLC issue (TALOS-2025-2223 / CVE-2025-53476) can be triggered by a crafted series of TCP connections to exhaust the ModbusTCP server. Planet WGR-500 vulnerabilities (TALOS-2025-2226–2229 / CVE-2025-54399–54406, CVE-2025-48826) include stack-based buffer overflows, format string, and OS command injection flaws that may lead to memory corruption or arbitrary command execution.

Severe Figma MCP Command Injection Enables RCE Remotely

🔒 Cybersecurity researchers disclosed a now-patched command injection vulnerability in the figma-developer-mcp Model Context Protocol server that could allow remote code execution. Tracked as CVE-2025-53967 (CVSS 7.5), the flaw stems from unsanitized user input interpolated into shell commands when a fetch fallback uses child_process.exec to run curl. Imperva reported the issue and maintainers released a fix in figma-developer-mcp v0.6.3; users should update immediately.

TOTOLINK X6000R Router: Multiple Firmware Vulnerabilities

⚠️ TOTOLINK X6000R routers running firmware V9.4.0cu.1360_B20241207 contain three vulnerabilities that enable argument injection, unauthenticated command execution, and sanitization bypasses leading to file corruption or persistent denial-of-service. The most severe, CVE-2025-52906, is an unauthenticated command injection rated Critical (CVSS 9.3). TOTOLINK has released updated firmware and users should apply the patch immediately while defenders use device visibility and threat prevention to detect exploitation.

MegaSys Telenium Online: Critical OS Command Injection

⚠ The MegaSys Enterprises Telenium Online Web Application contains a critical OS command injection vulnerability (CVE-2025-10659) that allows unauthenticated remote attackers to inject arbitrary operating system commands via crafted HTTP requests. CISA reports a CVSS v3.1 score of 9.8 and a CVSS v4 score of 9.3, indicating high potential for remote code execution. MegaSys has published a fix; administrators should apply updates promptly and follow CISA mitigation guidance to reduce internet exposure and isolate control systems.

CISA Adds Five Vulnerabilities to KEV Catalog; Federal Risk

⚠️ CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on Sept. 29, 2025, citing evidence of active exploitation. The newly listed issues are CVE-2021-21311 (Adminer SSRF), CVE-2025-20352 (Cisco IOS/IOS XE stack overflow), CVE-2025-10035 (Fortra GoAnywhere deserialization), CVE-2025-59689 (Libraesva command injection), and CVE-2025-32463 (sudo untrusted-control vulnerability). Federal Civilian Executive Branch agencies must remediate these under BOD 22-01, and CISA urges all organizations to prioritize timely fixes as part of standard vulnerability management.

State-Sponsored Attacks Exploit Libraesva ESG Vulnerability

⚠️ Libraesva has released an urgent update to address a command injection vulnerability in its ESG email security product that is being exploited by state‑sponsored actors. Tracked as CVE-2025-59689 with a CVSS score of 6.1, the flaw is triggered by a malicious compressed attachment and can execute arbitrary commands as a non‑privileged user. Users should upgrade affected versions (4.5–5.5.x before 5.5.7) to the patched releases immediately.

Libraesva ESG issues emergency fix for exploited bug

⚠ Libraesva issued an emergency update for ESG to fix a command injection vulnerability (CVE-2025-59689) triggered by a specially crafted compressed email attachment. The flaw allowed arbitrary shell commands to run as a non-privileged user and was confirmed exploited by actors believed to be state-sponsored. Fixed releases were auto-deployed to cloud and on-premise customers; end-of-life versions require manual upgrades.

Fortra warns and patches max-severity GoAnywhere MFT flaw

🔒 Fortra has released security updates to address a maximum-severity deserialization vulnerability in the License Servlet of GoAnywhere MFT (CVE-2025-10035) that can lead to command injection when a forged license response is accepted. The vendor issued patched builds — GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3 — and advised administrators to remove public access to the Admin Console if immediate patching is not possible. Shadowserver is monitoring over 470 instances, and Fortra emphasized that exploitation is highly dependent on the Admin Console being internet-exposed.

Chaos Mesh Flaws Enable Cluster Takeover via GraphQL

⚠️Security researchers disclosed multiple critical vulnerabilities in Chaos Mesh that allow minimally privileged in-cluster actors to execute fault injections and potentially take over Kubernetes clusters. The issues, grouped as Chaotic Deputy, include an unauthenticated GraphQL debugging endpoint and several operating-system command-injection flaws (CVE-2025-59358 through CVE-2025-59361). Chaos Mesh released a remediation in 2.7.3; administrators should patch immediately or restrict access to the daemon and API server if they cannot upgrade.

New TP-Link CWMP Zero-Day Targets Multiple Routers

🔒TP-Link has confirmed an unpatched zero-day in its CWMP implementation that can enable remote code execution on multiple routers. Independent researcher Mehrun (ByteRay) reported the issue to TP-Link on May 11, 2024; the flaw is a stack-based buffer overflow in the SOAP SetParameterValues handler caused by unbounded strncpy calls. TP-Link says a patch exists for some European firmware builds and that fixes for U.S. and other global versions are in development; users should update firmware, change default admin credentials, and disable CWMP if it is not required.

Delta Electronics COMMGR: Remote Code Execution Risks

⚠️ Delta Electronics has identified two critical vulnerabilities in COMMGR (v2.9.0 and earlier) — a stack-based buffer overflow (CVE-2025-53418) and a code injection flaw (CVE-2025-53419) — that can enable arbitrary code execution via crafted .isp files. Delta and CISA rate the combined risk as high (CISA lists CVSS v4 8.8) and recommend upgrading to v2.10.0 or later. Additional mitigations include network segmentation, limiting Internet exposure, and using secure remote access methods. CISA reports no known public exploitation at this time.

What 17,845 GitHub MCP Servers Reveal About Risk and Abuse

🛡️ VirusTotal ran a large-scale audit of 17,845 GitHub projects implementing the MCP (Model Context Protocol) using Code Insight powered by Gemini 2.5 Flash. The automated review initially surfaced an overwhelming number of issues, and a refined prompt focused on intentional malice marked 1,408 repos as likely malicious. Manual checks showed many flagged projects were demos or PoCs, but the analysis still exposed numerous real attack vectors—credential harvesting, remote code execution via exec/subprocess, supply-chain tricks—and recurring insecure practices. The post recommends treating MCP servers like browser extensions: sign and pin versions, sandbox or WASM-isolate them, enforce strict permissions and filter model outputs to remove invisible or malicious content.

Linux Backdoor Delivered via Malicious RAR Filenames

🛡️ Trellix researchers describe a Linux-focused infection chain that uses a malicious RAR filename to trigger command execution. The filename embeds a Base64-encoded Bash payload that leverages shell command injection when untrusted filenames are parsed, allowing an ELF downloader to fetch and run an architecture-specific binary. The chain ultimately delivers the VShell backdoor, which runs in memory to evade disk-based detection.

Mass-Scale Vulnerability in Hikvision Surveillance Cameras

🔓 Over 80,000 Hikvision surveillance cameras remain vulnerable to an 11-month-old command injection flaw tracked as CVE-2021-36260, which NIST rated 9.8/10. Researchers report evidence of criminal activity in Russian dark-web forums where leaked credentials are being sold and exploitation collaborations are solicited. The persistent exposure underscores systemic IoT weaknesses, widespread use of default credentials, and uneven patching practices that leave organizations and critical infrastructure at risk.