All news with #kev added tag

Critical Ivanti EPM Flaw Patched; Immediate Updates Urged

🔒 Ivanti released EPM 2024 SU4 SR1 to address a critical stored XSS vulnerability (CVE-2025-10573) that lets unauthenticated attackers hijack administrator sessions by submitting malicious device scan data to the incoming API. The update also fixes three high-severity flaws that can enable code execution with user interaction and an issue that permits unauthorized file writes. Ivanti said reports came through its responsible disclosure program and it was not aware of active exploitation at disclosure. Organizations with internet-facing or high-privilege EPM instances should apply the patch immediately and isolate management interfaces until updated.

WinRAR Path Traversal CVE-2025-6218 Under Active Attack

⚠️ CISA has added WinRAR path traversal CVE-2025-6218 (CVSS 7.8) to its Known Exploited Vulnerabilities list after reports of active exploitation. RARLAB patched the Windows-only flaw in WinRAR 7.12 (June 2025); attackers can place files in sensitive locations such as the Startup folder or Word’s global template to achieve code execution. Multiple groups — including GOFFEE, Bitter (APT‑C‑08/Manlinghua), and Gamaredon — have used the bug in phishing campaigns; organizations should deploy 7.12 or apply mitigations like blocking malicious archives, disabling macros, and monitoring for C2 activity.

Microsoft Patches 56 Flaws Including Active Zero-Days

🛡️ Microsoft released December 2025 patches addressing 56 Windows vulnerabilities, three rated Critical and 53 Important. The update fixes 29 privilege-escalation flaws, 18 remote code execution bugs and other defects, and includes two zero-days and one actively exploited use-after-free (CVE-2025-62221) in the Cloud Files Mini Filter Driver. Administrators are urged to prioritize the KEV-listed fix and follow vendor guidance for mitigation and monitoring.

CISA Adds Two Vulnerabilities to Known-Exploited Catalog

🔒 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-6218 (WinRAR path traversal) and CVE-2025-62221 (Microsoft Windows use-after-free). The agency cited evidence of active exploitation and emphasized that these flaws are frequent attack vectors posing significant risk to the federal enterprise. CISA reiterated that BOD 22-01 requires FCEB agencies to remediate cataloged CVEs by the required due dates and urged all organizations to prioritize timely remediation.

CISA Adds Two Vulnerabilities to Known Exploited Catalog

🔔 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2022-37055, a buffer overflow affecting D-Link routers, and CVE-2025-66644, an OS command injection in Array Networks ArrayOS AG. Both were included based on evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV entries by their due dates, and CISA urges all organizations to prioritize timely remediation and risk-reduction measures.

React2Shell RCE Exploited, 77K+ IPs and 30+ Breaches

🔴 React2Shell (CVE-2025-55182) is an unauthenticated remote code execution flaw in React Server Components and frameworks like Next.js, disclosed on December 3, 2025. A public proof-of-concept on December 4 accelerated automated scanning and exploitation; Shadowserver found 77,664 vulnerable IPs (≈23,700 in the US), and Palo Alto reports more than 30 breached organizations. Observed attacks use PowerShell stages, AMSI bypass and Cobalt Strike; mitigation requires updating React, rebuilding and redeploying apps, and reviewing logs for post-exploitation indicators.

CISA Adds Critical React2Shell RCE to KEV Catalog Now

⚠️ CISA has added a critical remote code execution flaw affecting React Server Components (tracked as CVE-2025-55182 / React2Shell) to its Known Exploited Vulnerabilities catalog. The vulnerability, rated CVSS 10.0, stems from insecure deserialization in React’s Flight protocol and enables unauthenticated attackers to run arbitrary commands via crafted HTTP requests. Fixes are available in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (versions 19.0.1, 19.1.2, 19.2.1) and should be applied immediately.

CISA Adds CVE-2025-55182 to Known Exploited Vulnerabilities

⚠️ CISA added CVE-2025-55182, a remote code execution vulnerability in Meta React Server Components, to the Known Exploited Vulnerabilities (KEV) Catalog after observing active exploitation. This type of RCE is a common and serious attack vector that poses significant risk to federal networks and other organizations. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by their due dates. CISA strongly urges all organizations to prioritize timely remediation and vulnerability management to reduce exposure.

Year-End Infosec Reflections and GenAI Impacts Review

🧭 William Largent’s year-end Threat Source newsletter combines career reflection with a practical security briefing, urging professionals to learn from mistakes while noting rapid changes in the threat landscape. He highlights a Cisco Talos analysis of how generative AI is already empowering attackers—especially in phishing, coding, evasion, and vulnerability discovery—while offering powerful advantages to defenders in detection and incident response. The newsletter recommends immediate, measured experimentation with GenAI tools, training teams to use them responsibly, and blending automation with human expertise to stay ahead of evolving risks.

CISA Adds One CVE to Known Exploited Vulnerabilities Catalog

🚨 CISA added CVE-2021-26828 — an OpenPLC ScadaBR unrestricted file upload vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The flaw allows dangerous file types to be uploaded, a frequent attack vector that poses significant risks to federal networks. Under BOD 22-01 federal agencies must remediate cataloged CVEs by required dates; CISA also urges all organizations to prioritize remediation.

CISA Adds Two Android Vulnerabilities to KEV Catalog

⚠️ CISA added two Android Framework vulnerabilities to the KEV Catalog: CVE-2025-48572 (privilege escalation) and CVE-2025-48633 (information disclosure). Both issues show evidence of active exploitation and pose significant risk to the federal enterprise. Under BOD 22-01, FCEB agencies must remediate cataloged vulnerabilities by their due dates; CISA strongly urges all organizations to prioritize timely patching and other mitigations.

CISA Adds Actively Exploited XSS Bug in OpenPLC ScadaBR

⚠️ CISA has added an actively exploited cross-site scripting flaw, CVE-2021-26829, to its Known Exploited Vulnerabilities catalog after reports of operational abuse against OpenPLC ScadaBR. The XSS affects Windows 1.12.4 and Linux 0.9.1 via system_settings.shtm and was used to deface HMI pages and disable logs. Federal civilian agencies must remediate by December 19, 2025; operators should apply vendor fixes, change default credentials, enable logging and monitor for web-layer manipulation and outbound callbacks.

CISA Adds CVE-2021-26829 to Known Exploited Vulnerabilities

🔔 CISA has added CVE-2021-26829 — a cross-site scripting vulnerability in OpenPLC ScadaBR — to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Cross-site scripting is a frequent attack vector that can enable data theft, session hijacking, and unauthorized actions, posing significant risks to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV-listed flaws by the specified due date; CISA also strongly urges all organizations to prioritize timely remediation. CISA will continue to update the catalog as new threats meet its criteria.

Webinar: Safely Patching Systems Using Community Tools

🔒 Community-driven package managers like Chocolatey and Winget speed deployments but can introduce supply-chain risks when packages are added or updated without rigorous vetting. Gene Moody, Field CTO at Action1, will lead a free webinar that tests these tools in practice, highlights common weak points, and demonstrates pragmatic safeguards such as source pinning, allow-lists, and hash/signature verification. The session focuses on actionable steps to help teams prioritize updates using known-exploited vulnerability data (KEV) and to choose whether to rely on community repos, vendor sources, or a hybrid approach while maintaining operational velocity.

Pre-auth RCE in Oracle Identity Manager Forces Patching

⚠️ The Cybersecurity and Infrastructure Security Agency (CISA) added a critical pre-authenticated remote code execution flaw in Oracle Identity Manager (CVE-2025-61757) to its Known Exploited Vulnerabilities catalog after active exploitation was observed. Searchlight Cyber reported that a flawed authentication filter combined with matrix/query parameters lets attackers bypass auth and reach a Groovy compile endpoint, enabling RCE through compile-time annotation processing. Oracle fixed the issue in its October 2025 Critical Patch Update; federal agencies must remediate by December 12, 2025.

CISA Adds Critical Oracle Identity Manager RCE to KEV

🔴 Oracle Identity Manager is affected by a critical unauthenticated remote code execution flaw, CVE-2025-61757, impacting versions 12.2.1.4.0 and 14.1.2.1.0. Disclosed by Searchlight Cyber on 20 November and reported by Oracle on 21 November, the bug was added to the CISA KEV catalog the same day. The issue resides in the REST WebServices component and carries a CVSS score of 9.8, enabling HTTP access to execute arbitrary code and potentially allowing full takeover. CISA urges immediate patching or isolation of affected services from the public internet.

CISA Adds Oracle Identity Manager Flaw to KEV List

⚠️ CISA has added CVE-2025-61757 to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation targeting Oracle Identity Manager. The flaw, a missing-authentication issue with a CVSS score of 9.8, affects versions 12.2.1.4.0 and 14.1.2.1.0 and was addressed in Oracle's recent quarterly updates. Searchlight Cyber researchers demonstrated that an allow-list bypass using URI tricks such as ?WSDL or ;.wadl can expose protected API endpoints and enable pre-authenticated remote code execution via the groovyscriptstatus endpoint. Federal civilian agencies must apply the patch by December 12, 2025.

CISA Warns: Oracle Identity Manager RCE Actively Exploited

🚨 CISA has added CVE-2025-61757, a pre-authentication remote code execution vulnerability in Oracle Identity Manager, to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by December 12 under BOD 22-01. The flaw, disclosed by Searchlight Cyber, abuses an authentication bypass in REST APIs by appending parameters such as ?WSDL or ;.wadl to URL paths, exposing a Groovy compilation endpoint. Researchers showed that Groovy's annotation-processing can execute code at compile time, enabling pre-auth RCE. Oracle released a fix on October 21, 2025; CISA warned the issue is being actively exploited.

CISA Adds Oracle Fusion Middleware CVE to KEV Catalog

🔒 CISA added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-61757, a Missing Authentication for Critical Function issue affecting Oracle Fusion Middleware. The entry was added based on evidence of active exploitation and is identified as a common attack vector that poses significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the specified due date; CISA strongly urges all organizations to prioritize timely remediation and other risk-reduction measures.

Fortinet Criticized for Silent Patching of Two Zero-Days

⚠️Fortinet has faced criticism for quietly patching two zero-day vulnerabilities in its FortiWeb WAFs before publicly disclosing them. The first, CVE-2025-64446, is rated critical (CVSS 9.4) and involves a GUI path-traversal plus an authentication-bypass flaw; the second, CVE-2025-58034 (CVSS 6.7), is an OS command injection that may allow authenticated code execution. Both fixes were included in the 8.0.2 update on October 28 and have been observed exploited in the wild, prompting calls for greater transparency and urgent patching.