All news with #heap overflow tag

Fuji Electric Monitouch V-SFT-6 Buffer Overflow Advisory

⚠️ Fuji Electric Monitouch V-SFT-6 (v6.2.7.0) contains two buffer overflow vulnerabilities — a heap-based and a stack-based overflow — triggered by specially crafted project files. Identified as CVE-2025-54496 and CVE-2025-54526, both carry CVSS v3.1 scores of 7.8 and CVSS v4 scores of 8.4. Successful exploitation could crash the HMI and may permit code execution; the vendor issued fixes in V6.2.8.0 and recommends updating to V6.2.9.0 or later.

Hitachi Energy RTU500 Series: Multiple DoS Vulnerabilities

⚠️ Hitachi Energy reported multiple vulnerabilities in the RTU500 series including null pointer dereference, XML parser flaws, heap and stack buffer overflows, integer overflow, and IEC 61850 message validation errors. Several CVEs have been assigned (e.g., CVE-2023-2953, CVE-2024-45490–45492, CVE-2024-28757, CVE-2025-39203, CVE-2025-6021) and the highest CVSS v4 score is 8.2. Exploitation could cause Denial-of-Service conditions such as device reboots or disconnects. Hitachi Energy provides firmware updates for affected 12.7.x–13.7.x releases and CISA recommends patching, minimizing network exposure, applying segmentation, and using secure remote access.

Rockwell 1783-NATR Memory Corruption Vulnerability

🔒 Rockwell Automation released a security update for 1783-NATR to remediate a memory corruption issue stemming from a Wind River VxWorks calloc() allocator flaw. The vulnerability (CVE-2020-28895) can produce smaller-than-expected allocations, enabling memory corruption and potential remote exploitation with low attack complexity. Rockwell published firmware 1.007 to correct the defect; customers unable to upgrade should follow Rockwell's security best practices and apply the network and access mitigations recommended by CISA.

WhatsApp Emergency Update Fixes Zero-Click iOS/macOS Bug

🔒 WhatsApp has issued emergency updates for iOS and macOS to fix CVE-2025-55177, a high-severity authorization flaw that may have been exploited alongside an Apple ImageIO zero-day (CVE-2025-43300). The bug could allow processing of content from an arbitrary URL on a target device and affects specific iOS, Business iOS, and Mac app versions. Users are urged to update immediately; confirmed targets were advised to perform a full factory reset.

Citrix Patches NetScaler Zero-Days as Active Exploits Continue

🔒Citrix has released patches for three critical zero-day vulnerabilities in NetScaler ADC and NetScaler Gateway (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424), including pre-auth remote code execution observed in the wild. The vendor provided fixes for affected 14.1, 13.1 and 12.1-FIPS/NDcPP builds and said no workaround is available. Security researchers and CISA urged immediate patching and forensic checks for potential backdoors.

Citrix Patches NetScaler Flaws; Confirms Active Exploitation

🔒 Citrix has issued patches for three vulnerabilities in NetScaler ADC and NetScaler Gateway, and confirmed active exploitation of CVE-2025-7775. The flaws include two memory overflow issues (CVSS 9.2 and 8.8) that can lead to remote code execution or denial-of-service, and an improper access-control bug (CVSS 8.7) affecting the management interface. Fixes are available in multiple 12.x–14.x releases with no workarounds; Citrix credited external researchers for reporting the issues.