All news with #insecure deserialization tag

Zero-day Campaign Targets Cisco ISE and Citrix Systems

🔒 Amazon Threat Intelligence disclosed an advanced APT campaign that weaponized zero-day vulnerabilities in Citrix NetScaler (Citrix Bleed 2, CVE-2025-5777) and Cisco Identity Services Engine (CVE-2025-20337). Attackers achieved pre-auth remote code execution via input-validation and deserialization flaws and deployed an in-memory web shell masquerading as the ISE IdentityAuditAction component. The implant registered as a Tomcat HTTP listener, used DES with nonstandard Base-64 encoding, required specific HTTP headers, and relied on Java reflection and bespoke decoding routines to evade detection.

Amazon: APT Exploits Cisco ISE and Citrix Zero‑Days

🔒 Amazon Threat Intelligence identified an advanced threat actor exploiting undisclosed zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix products. The actor achieved pre-authentication remote code execution via a newly tracked Cisco deserialization flaw (CVE-2025-20337) and earlier Citrix Bleed Two activity (CVE-2025-5777). Following exploitation, a custom in-memory web shell disguised as IdentityAuditAction was deployed, demonstrating sophisticated evasion using Java reflection, Tomcat request listeners, and DES with nonstandard Base64. Amazon recommends limiting external access to management endpoints and implementing layered defenses and detection coverage.

Zero-day Attacks Exploit Citrix Bleed 2 and Cisco ISE

🛡️ Amazon's MadPot honeypot observed exploitation of Citrix Bleed 2 (CVE-2025-5777) and Cisco ISE (CVE-2025-20337) before public disclosure. The attacker used the ISE flaw to deploy a stealthy custom web shell named IdentityAuditAction, which registered an HTTP listener, used Java reflection to inject into Tomcat threads, and relied on DES with non-standard base64 encoding for concealment. Apply vendor patches and limit edge device access through layered firewall controls.

Actively Exploited WSUS RCE Prompts Urgent Patching

⚠️ Microsoft has released an out-of-band patch for a critical WSUS vulnerability (CVE-2025-59287) that enables unauthenticated remote code execution by sending malicious encrypted cookies to the GetCookie() endpoint. Security vendors Huntress and HawkTrace reported active exploitation of publicly exposed WSUS instances on TCP ports 8530 and 8531. Administrators should prioritize applying the update immediately; if that is not possible, isolate WSUS servers, restrict access to management hosts and Microsoft Update servers, and block inbound traffic to ports 8530/8531 until systems are remediated.

Microsoft issues emergency WSUS patch for critical RCE

⚠️ Microsoft released an out-of-band security update to address a critical WSUS remote code execution vulnerability, CVE-2025-59287 (CVSS 9.8). The flaw stems from unsafe deserialization of AuthorizationCookie objects at the GetCookie() endpoint, where AES-128-CBC-encrypted cookie payloads are decrypted and deserialized via BinaryFormatter without type validation, enabling SYSTEM-level code execution on servers running the WSUS role. Microsoft published updates for supported Windows Server releases and recommends installing the patch and rebooting; short-term mitigations include disabling the WSUS role or blocking TCP ports 8530 and 8531.

CISA Adds Two Vulnerabilities to Known Exploited Catalog

🔔 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation: CVE-2025-54236, affecting Adobe Commerce and Magento, and CVE-2025-59287, affecting Microsoft Windows Server Update Services (WSUS). The issues—an improper input validation flaw and a deserialization of untrusted data vulnerability—are common attack vectors that pose significant risk to enterprise networks. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by required due dates, and CISA strongly urges all organizations to prioritize timely remediation as part of their vulnerability management.

Microsoft issues emergency WSUS updates for critical RCE

⚠️ Microsoft has released out-of-band security updates to remediate a critical WSUS vulnerability tracked as CVE-2025-59287. The flaw affects only Windows servers with the WSUS Server Role enabled and allows remote, unauthenticated attackers to execute code as SYSTEM in low-complexity attacks without user interaction. Microsoft published cumulative KB updates for all affected Server builds and requires a reboot; administrators who cannot patch immediately are advised to disable the WSUS role or block TCP ports 8530/8531 as temporary mitigations.

Hugging Face and VirusTotal: Integrating Security Insights

🔒 VirusTotal and Hugging Face have announced a collaboration to surface security insights directly within the Hugging Face platform. When browsing model files, datasets, or related artifacts, users will now see multi‑scanner results including VirusTotal detections and links to public reports so potential risks can be reviewed before downloading. VirusTotal is also enhancing its analysis portfolio with AI-driven tools such as Code Insight and format‑aware scanners (picklescan, safepickle, ModelScan) to highlight unsafe deserialization flows and other risky patterns. The integration aims to increase visibility across the AI supply chain and help researchers, developers, and defenders build more secure models and workflows.

Gladinet patches zero-day in CentreStack file sharing

🔒 Gladinet released an urgent update for its CentreStack business solution to fix a local file inclusion flaw tracked as CVE-2025-11371, which was abused in the wild as a zero-day. The LFI allowed attackers to read Web.config, extract the ASP.NET machine key, and then leverage a prior deserialization RCE (CVE-2025-30406) to achieve remote code execution. Administrators should upgrade to CentreStack version 16.10.10408.56683 immediately; if patching is not possible, disable the temp handler in Web.config for the UploadDownloadProxy component as a temporary mitigation.

Patch Tuesday Oct 2025: 172 Flaws, End of Windows 10

⚠️ Microsoft’s October 2025 updates close 172 security holes and include at least two actively exploited zero‑days. The company removed a decades-old Agere modem driver to mitigate CVE-2025-24990 and patched an elevation-of-privilege zero-day in RasMan (CVE-2025-59230). A critical unauthenticated RCE in WSUS (CVE-2025-59287) carries a 9.8 threat score and should be prioritized. This release also marks the end of security updates for Windows 10, prompting ESU enrollment or migration options.

Zero-Day in Gladinet CentreStack and Triofox Exploited

⚠️ Researchers report an actively exploited zero-day (CVE-2025-11371) in Gladinet's CentreStack and Triofox that permits unauthenticated Local File Inclusion (LFI) on default installs, exposing system files and allowing machine-key disclosure. Huntress observed exploitation on Sept 27 with at least three companies targeted. No patch is available yet; Gladinet has issued a workaround to disable a temp handler in the UploadDownloadProxy Web.config, though this may affect some functionality.

Fortra Confirms Active Exploitation of GoAnywhere Flaw

🔒 Fortra disclosed its investigation into CVE-2025-10035, a deserialization vulnerability in the GoAnywhere License Servlet that has been exploited since September 11, 2025. The vendor issued a hotfix within 24 hours and published patched builds (7.6.3 and 7.8.4) on September 15, saying the risk is limited to admin consoles exposed to the public internet. Microsoft attributes observed exploitation to threat actor Storm-1175, which deployed Medusa ransomware; Fortra recommends restricting internet access to admin consoles, enabling monitoring, and keeping software up to date.

Critical GoAnywhere MFT Flaw Exploited in Medusa Attacks

⚠️ Microsoft warns that a critical deserialization vulnerability in GoAnywhere MFT (CVE-2025-10035) has been actively exploited by a Medusa ransomware affiliate tracked as Storm-1175 since early September. The License Servlet flaw enables remote compromise without user interaction, allowing attackers to gain initial access and persist via abused RMM tools. Administrators should apply Fortra's patches and inspect logs for SignedObject.getObject stack traces.

CISA Adds Five Vulnerabilities to KEV Catalog; Federal Risk

⚠️ CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on Sept. 29, 2025, citing evidence of active exploitation. The newly listed issues are CVE-2021-21311 (Adminer SSRF), CVE-2025-20352 (Cisco IOS/IOS XE stack overflow), CVE-2025-10035 (Fortra GoAnywhere deserialization), CVE-2025-59689 (Libraesva command injection), and CVE-2025-32463 (sudo untrusted-control vulnerability). Federal Civilian Executive Branch agencies must remediate these under BOD 22-01, and CISA urges all organizations to prioritize timely fixes as part of standard vulnerability management.

Maximum-severity GoAnywhere MFT zero-day exploited

⚠️ Fortra's GoAnywhere MFT is being exploited in the wild via a deserialization flaw tracked as CVE-2025-10035 in the License Servlet, enabling unauthenticated remote command injection when attackers supply a forged license response signature. WatchTowr Labs reports credible evidence of exploitation dating back to September 10, 2025, prior to Fortra's advisory published on September 18. Administrators should apply patches to 7.8.4 or 7.6.3, remove public Admin Console exposure, and search logs for the error string 'SignedObject.getObject'.

SolarWinds issues third patch for Web Help Desk RCE

🔒 SolarWinds has released a hotfix addressing a critical unauthenticated remote code execution vulnerability in Web Help Desk tracked as CVE-2025-26399. The flaw affects WHD 12.8.7 and is caused by unsafe deserialization in the AjaxProxy component, described as a patch bypass of earlier CVE-2024-28986/28988 fixes. Administrators should obtain the hotfix from the SolarWinds Customer Portal and follow the vendor’s JAR replacement steps promptly.

Fortra patches critical GoAnywhere MFT deserialization bug

⚠ Users of GoAnywhere MFT are urged to install an urgent patch for a critical insecure deserialization vulnerability tracked as CVE-2025-10035, rated CVSS 10. The flaw resides in the License Servlet and can allow an attacker with access to the Admin Console to submit a forged license response that deserializes an arbitrary, actor-controlled object, enabling remote command execution. Fortra released fixes in versions 7.8.4 and 7.6.3 and advises customers not to expose the Admin Console directly to the internet. The issue closely mirrors a 2023 vulnerability that was widely exploited by ransomware groups, elevating the risk of rapid exploitation.

Fortra warns and patches max-severity GoAnywhere MFT flaw

🔒 Fortra has released security updates to address a maximum-severity deserialization vulnerability in the License Servlet of GoAnywhere MFT (CVE-2025-10035) that can lead to command injection when a forged license response is accepted. The vendor issued patched builds — GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3 — and advised administrators to remove public access to the Admin Console if immediate patching is not possible. Shadowserver is monitoring over 470 instances, and Fortra emphasized that exploitation is highly dependent on the Admin Console being internet-exposed.

Hitachi Energy Asset Suite: Multiple High-Risk Flaws

⚠️ Hitachi Energy has disclosed multiple high-severity vulnerabilities in Asset Suite, affecting versions 9.6.4.5 and earlier. The issues include SSRF, deserialization of untrusted data, cleartext password exposure, uncontrolled resource consumption, open redirect, and improper authentication that can lead to remote code execution. Customers should apply vendor-provided mitigations and upgrades immediately to reduce exposure.

Hitachi Energy Service Suite Deserialization Vulnerability

⚠️ Hitachi Energy disclosed a critical deserialization-of-untrusted-data vulnerability affecting Service Suite (versions prior to 9.6.0.4 EP4) that permits unauthenticated remote access via IIOP or T3 to compromise Oracle WebLogic Server. The issue is tracked as CVE-2020-2883 with a CVSS v4 base score of 9.3 and is characterized as remotely exploitable with low attack complexity. Hitachi Energy advises updating affected instances to version 9.8.2 or the latest release and applying vendor mitigation guidance immediately. CISA additionally recommends minimizing network exposure, isolating control networks behind firewalls, using up-to-date VPNs for remote access, and performing risk and impact assessments prior to deploying defensive changes.