< ciso
brief />
Tag Banner

All news with #insecure deserialization tag

42 articles · page 2 of 3

CISA Adds Critical React2Shell RCE to KEV Catalog Now

⚠️ CISA has added a critical remote code execution flaw affecting React Server Components (tracked as CVE-2025-55182 / React2Shell) to its Known Exploited Vulnerabilities catalog. The vulnerability, rated CVSS 10.0, stems from insecure deserialization in React’s Flight protocol and enables unauthenticated attackers to run arbitrary commands via crafted HTTP requests. Fixes are available in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (versions 19.0.1, 19.1.2, 19.2.1) and should be applied immediately.
read more →

Critical React4Shell RSC Vulnerability CVE-2025-55182

🛡️ A critical remote code execution flaw, CVE-2025-55182 (React4Shell), was disclosed affecting React Server Components and multiple derivatives including Next.js, React Router RSC preview, and several bundler plugins. The bug arises from unsafe deserialization of Flight protocol payloads and permits unauthenticated HTTP requests to execute code on vulnerable servers. Immediate updating to the patched React and Next.js releases, plus deployment of WAF rules and access restrictions, is strongly recommended.
read more →

Critical React2Shell RCE Affects React and Next.js Servers

🚨 React and Next.js applications are affected by a maximum-severity deserialization vulnerability dubbed React2Shell, which enables unauthenticated remote code execution via the React Server Components (RSC) "Flight" protocol. Discovered by researcher Lachlan Davidson and reported on November 29, the flaw received a 10/10 severity rating and has been assigned CVE-2025-55182 for React (Next.js received CVE-2025-66478, later rejected by the NVD). Affected default packages include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, and researchers warn many deployments are exploitable without additional misconfiguration. Developers should apply the published patches and audit environments immediately.
read more →

Urgent: Patch React 19 and Next.js to Mitigate RCE

⚠️ Developers must immediately upgrade React 19 and affected frameworks such as Next.js after researchers at Wiz disclosed a critical deserialization vulnerability in the React Server Components (RSC) Flight protocol that can enable remote code execution. The flaw exists in default configurations and impacts React 19.0.0, 19.1.0, 19.1.1 and 19.2.0, while Next.js 15.x and 16.x App Router deployments received a related CVE. Upgrade to the latest vendor-recommended releases now and follow the React blog's guidance.
read more →

Critical RSC Deserialization Flaw in React and Next.js

🚨 A maximum-severity remote code execution vulnerability in React Server Components (CVE-2025-55182, CVSS 10.0) allows unauthenticated attackers to execute arbitrary JavaScript by sending crafted payloads to Server Function endpoints. Affected npm packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in specific 19.x releases; fixes are available in 19.0.1, 19.1.2, and 19.2.1. The issue also impacts Next.js (CVE-2025-66478, CVSS 10.0) across multiple releases and has been patched in a series of 15.x and 16.x updates. Security firm Wiz reports roughly 39% of cloud environments host vulnerable instances; apply patches immediately.
read more →

ShadowMQ Deserialization Flaws in Major AI Inference Engines

⚠️ Oligo Security researcher Avi Lumelsky disclosed a widespread insecure-deserialization pattern dubbed ShadowMQ that affects major AI inference engines including vLLM, NVIDIA TensorRT-LLM, Microsoft Sarathi-Serve, Modular Max Server and SGLang. The root cause is using ZeroMQ's recv_pyobj() to deserialize network input with Python's pickle, permitting remote arbitrary code execution. Patches vary: some projects fixed the issue, others remain partially addressed or unpatched, and mitigations include applying updates, removing exposed ZMQ sockets, and auditing code for unsafe deserialization.
read more →

Copy-Paste RCE Flaw Impacts Major AI Inference Servers

🔒 Cybersecurity researchers disclosed a chain of remote code execution (RCE) vulnerabilities affecting AI inference frameworks from Meta, NVIDIA, Microsoft and open-source projects such as vLLM and SGLang. The flaws stem from reused code that called ZeroMQ’s recv-pyobj() and passed data directly into Python’s pickle.loads(), enabling unauthenticated RCE over exposed sockets. Vendors have released patches replacing unsafe pickle usage with JSON-based serialization and adding authentication and transport protections. Operators are urged to upgrade to patched releases and harden ZMQ channels, restrict network exposure, and avoid deserializing untrusted data.
read more →

Critical WSUS RCE (CVE-2025-59287) Actively Exploited

⚠️ A critical unauthenticated remote code execution vulnerability in Microsoft Windows Server Update Services was identified as CVE-2025-59287 and observed being actively exploited in October 2025. The flaw stems from unsafe deserialization in WSUS endpoints (GetCookie and ReportingWebService) and enables remote attackers to execute arbitrary code as SYSTEM. Microsoft issued an emergency out-of-band patch on Oct 23 after initial Patch Tuesday fixes were incomplete; organizations should apply the update or follow temporary mitigations such as disabling the WSUS Server Role or blocking inbound TCP ports 8530/8531 immediately.
read more →

SAP issues patches for NetWeaver deserialization RCE

🔒 SAP has released security updates addressing 13 vulnerabilities, including a maximum-severity insecure deserialization flaw in NetWeaver AS Java (CVE-2025-42944, CVSS 10.0) that can lead to arbitrary OS command execution via the RMI‑P4 module. The vendor's latest patch adds a JVM-wide serial filter (jdk.serialFilter) to block dangerous classes and packages — a list curated with the ORL and recommended by security firm Onapsis — and complements an earlier remediation issued last month. Other critical fixes include a directory traversal in SAP Print Service (CVE-2025-42937, 9.8) and an unrestricted file upload in SAP Supplier Relationship Management (CVE-2025-42910, 9.0); administrators are urged to apply patches and mitigations immediately.
read more →

SolarWinds Issues Hotfix for Critical Web Help Desk RCE

🔧 SolarWinds has released a hotfix to address a critical deserialization vulnerability in Web Help Desk that affects versions up to 12.8.7, tracked as CVE-2025-26399 (CVSS 9.8). The unauthenticated AjaxProxy flaw can enable remote command execution on vulnerable hosts if exploited. An anonymous researcher working with the Trend Micro Zero Day Initiative reported the issue. SolarWinds recommends immediate upgrade to 12.8.7 HF1 to mitigate risk.
read more →

Fortra patches critical GoAnywhere MFT deserialization bug

⚠ Users of GoAnywhere MFT are urged to install an urgent patch for a critical insecure deserialization vulnerability tracked as CVE-2025-10035, rated CVSS 10. The flaw resides in the License Servlet and can allow an attacker with access to the Admin Console to submit a forged license response that deserializes an arbitrary, actor-controlled object, enabling remote command execution. Fortra released fixes in versions 7.8.4 and 7.6.3 and advises customers not to expose the Admin Console directly to the internet. The issue closely mirrors a 2023 vulnerability that was widely exploited by ransomware groups, elevating the risk of rapid exploitation.
read more →

Fortra warns and patches max-severity GoAnywhere MFT flaw

🔒 Fortra has released security updates to address a maximum-severity deserialization vulnerability in the License Servlet of GoAnywhere MFT (CVE-2025-10035) that can lead to command injection when a forged license response is accepted. The vendor issued patched builds — GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3 — and advised administrators to remove public access to the Admin Console if immediate patching is not possible. Shadowserver is monitoring over 470 instances, and Fortra emphasized that exploitation is highly dependent on the Admin Console being internet-exposed.
read more →

Fortra issues critical GoAnywhere MFT patch for RCE

🔒 Fortra has released an urgent patch for GoAnywhere MFT to address a critical deserialization flaw (CVE-2025-10035, CVSS 10.0) in the License Servlet that can allow execution of arbitrary commands when an attacker supplies a forged license response signature. The vendor recommends updating to v7.8.4 or the Sustain Release 7.6.3. If patching cannot be applied immediately, ensure the Admin Console is not publicly accessible. No active exploitation has been reported.
read more →

Hitachi Energy Asset Suite: Multiple High-Risk Flaws

⚠️ Hitachi Energy has disclosed multiple high-severity vulnerabilities in Asset Suite, affecting versions 9.6.4.5 and earlier. The issues include SSRF, deserialization of untrusted data, cleartext password exposure, uncontrolled resource consumption, open redirect, and improper authentication that can lead to remote code execution. Customers should apply vendor-provided mitigations and upgrades immediately to reduce exposure.
read more →

Hitachi Energy Service Suite Deserialization Vulnerability

⚠️ Hitachi Energy disclosed a critical deserialization-of-untrusted-data vulnerability affecting Service Suite (versions prior to 9.6.0.4 EP4) that permits unauthenticated remote access via IIOP or T3 to compromise Oracle WebLogic Server. The issue is tracked as CVE-2020-2883 with a CVSS v4 base score of 9.3 and is characterized as remotely exploitable with low attack complexity. Hitachi Energy advises updating affected instances to version 9.8.2 or the latest release and applying vendor mitigation guidance immediately. CISA additionally recommends minimizing network exposure, isolating control networks behind firewalls, using up-to-date VPNs for remote access, and performing risk and impact assessments prior to deploying defensive changes.
read more →

CISA Warns of Active Exploitation of Dassault RCE Now

⚠ CISA has added a critical remote code execution flaw in DELMIA Apriso to its Known Exploited Vulnerabilities list as CVE-2025-5086, warning that attackers are actively exploiting the issue. The vulnerability is a deserialization of untrusted data that can lead to RCE when vulnerable endpoints process crafted SOAP requests containing a Base64-encoded, GZIP-compressed .NET executable embedded in XML. Dassault Systèmes confirmed the bug affects Releases 2020–2025; CISA has given federal agencies until October 2 to apply updates or mitigations or to cease using the product.
read more →

CISA Adds One Vulnerability to KEV Catalog (2025-09-11)

🔔 CISA added CVE-2025-5086 — a Dassault Systèmes DELMIA Apriso deserialization of untrusted data vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog on September 11, 2025, based on evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed issues by required due dates. CISA urges all organizations to prioritize timely remediation as part of vulnerability management and will continue updating the catalog with vulnerabilities that meet its criteria.
read more →

Critical SessionReaper Vulnerability in Adobe Commerce

⚠️ Adobe has disclosed a critical flaw, CVE-2025-54236 (SessionReaper), in Adobe Commerce and Magento Open Source that can enable attackers to take over customer accounts through the Commerce REST API. The issue, rated 9.1 by CVSS, stems from improper input validation and affects multiple product versions and a third-party module. Adobe published a hotfix and deployed WAF rules for cloud-hosted merchants while e-commerce security firm Sansec reproduced an exploitation path involving session manipulation and nested deserialization. Merchants should apply fixes, review session storage settings, and monitor for suspicious activity.
read more →

SAP fixes critical NetWeaver remote command execution flaw

🔒 SAP released patches in its September security bulletin addressing 21 vulnerabilities, including three critical issues affecting SAP NetWeaver. The most severe, CVE-2025-42944 (10.0), is an insecure deserialization bug in the RMI-P4 module that can allow unauthenticated attackers to execute arbitrary OS commands by sending a malicious Java object to an open port. Two other critical flaws include an insecure file operations bug in Deploy Web Service (CVE-2025-42922, 9.9) that can allow file uploads by non-admin authenticated users, and a missing authentication check (CVE-2025-42958, 9.1) that exposes high-privilege actions and sensitive data. Administrators are advised to apply SAP’s patches and mitigation guidance available via SAP notes.
read more →

Fuji Electric FRENIC-Loader 4 Deserialization Vulnerability

⚠️ Fuji Electric's FRENIC-Loader 4 (versions prior to 1.4.0.1) contains a deserialization of untrusted data vulnerability (CVE-2025-9365) that can allow arbitrary code execution when a crafted file is imported. CISA assigns a CVSS v4 base score of 8.4 and reports the issue has low attack complexity but is not remotely exploitable. Researcher kimiya, working with Trend Micro ZDI, reported the flaw. Fuji Electric advises updating to v1.4.0.1 and CISA recommends network segmentation, minimizing exposure, using up-to-date VPNs, and performing impact analysis.
read more →