All news with #patch tag

Fortinet Criticized for Silent Patching of Two Zero-Days

⚠️Fortinet has faced criticism for quietly patching two zero-day vulnerabilities in its FortiWeb WAFs before publicly disclosing them. The first, CVE-2025-64446, is rated critical (CVSS 9.4) and involves a GUI path-traversal plus an authentication-bypass flaw; the second, CVE-2025-58034 (CVSS 6.7), is an OS command injection that may allow authenticated code execution. Both fixes were included in the 8.0.2 update on October 28 and have been observed exploited in the wild, prompting calls for greater transparency and urgent patching.

New SonicWall SonicOS Flaw Lets Attackers Crash Firewalls

⚠️ SonicWall has released patches for a high-severity SonicOS SSLVPN vulnerability (CVE-2025-40601) that can trigger a stack-based buffer overflow and remotely crash Gen7 and Gen8 firewalls. The company says the flaw allows a remote unauthenticated attacker to cause a DoS but reports no active exploitation or public PoC. Fixed versions are 7.3.1-7013+ for Gen7 and 8.0.3-8011+ for Gen8; admins unable to patch should disable SSLVPN or restrict access.

Opto 22 GRV-EPIC and groov RIO: Remote RCE Vulnerability

⚠️ A remotely exploitable OS command injection in the Opto 22 Groov Manage REST API allows attackers with administrative credentials to inject shell commands that execute as root on affected GRV-EPIC and groov RIO devices. The issue is tracked as CVE-2025-13087 and carries a CVSS v4 base score of 7.5. Opto 22 has released firmware 4.0.3 to address the flaw; users should apply the update promptly. CISA also recommends isolating control networks, minimizing Internet exposure, and monitoring API and system logs for suspicious activity.

Automated Logic WebCTRL: Open Redirect and XSS Fix

🔒 Automated Logic's WebCTRL servers and related products are affected by an open redirect (CVE-2024-8527) and a reflected XSS vulnerability (CVE-2024-8528) impacting versions 6.1, 7.0, 8.0, and 8.5. The open redirect carries high severity (CVSS v3.1 9.3; v4 8.6) while the XSS stems from an unsanitized "wbs" GET parameter (CVSS v3.1 7.5; v4 5.4). Automated Logic reports remediation in WebCTRL 9.0 and advises upgrades; CISA recommends minimizing device exposure, using firewalls and secure remote access, and following anti-phishing best practices. CISA notes no known public exploitation and states the vulnerabilities are not remotely exploitable as described.

CISA Issues Six New Industrial Control Systems Advisories

⚠️ CISA released six Industrial Control Systems (ICS) Advisories on 20 November 2025 to inform operators and administrators about current security issues, vulnerabilities, and potential exploits affecting ICS products. The advisories cover affected products including Automated Logic WebCTRL Premium Server, ICAM365 CCTV camera models, Opto 22 GRV‑EPIC/GRV‑RIO, Festo MSE6 and Festo Didactic lines, and Emerson Appleton UPSMON‑PRO. Administrators are encouraged to review each advisory for technical details and mitigations and to apply vendor guidance promptly to reduce operational and safety risk.

EC2 Auto Scaling adds ReplaceRootVolume for live root swaps

🔁 Amazon EC2 Auto Scaling introduces the ReplaceRootVolume strategy for instance refresh, allowing replacement of an instance's root Amazon EBS volume without stopping or terminating the instance. The feature preserves attachments and metadata (network interfaces, elastic IPs) and reduces operational complexity for OS-level updates, patching, and recovery from corrupted root volumes. It is particularly valuable for specialized instance types such as Mac and GPU instances and for stateful applications where data and attachments must be preserved. ReplaceRootVolume is available in select regions at no additional cost beyond standard EC2 and EBS usage.

An Open Letter to Cybersecurity Vendors and Investors

🔊 The cybersecurity market is awash in noise: vendors and investors chase flashy pitches while the long-standing vulnerabilities that cause real breaches remain neglected. The author argues CISOs don’t buy technology so much as they buy reduced risk and confidence, so purchases must fit roadmaps, integrate cleanly, and be sustainable. He prioritizes visibility, identity, automation that empowers people, and tools that reinforce fundamentals like patching and segmentation. Hype, overlapping products, and complexity are rejected in favor of practical reliability.

W3 Total Cache Plugin Critical PHP Command Injection

⚠️ A critical unauthenticated command injection (CVE-2025-9501) in the W3 Total Cache WordPress plugin allows attackers to execute arbitrary PHP via a crafted comment that abuses the _parse_dynamic_mfunc() routine. The developer released 2.8.13 on October 20 to address the flaw, but WordPress.org data indicate hundreds of thousands of sites may still be vulnerable. WPScan has produced a proof-of-concept exploit and plans public release on November 24, increasing the immediate risk for unpatched installations.

Active Exploitation of 7-Zip Symbolic Link Flaw Now

⚠️A high-severity vulnerability (CVE-2025-11001, CVSS 7.0) in 7-Zip that mishandles symbolic links in ZIP archives is being actively exploited in the wild, NHS England Digital warns. The flaw can trigger directory traversal and enable remote code execution and was addressed in 7-Zip 25.00 released in July 2025. A related issue, CVE-2025-11002, was also fixed in that release. Proof-of-concept exploits are public, and exploitation requires an elevated Windows user or service account or developer mode enabled, so users should apply the update immediately.

Vulnerability-Informed Hunting: Nexus of Risk and Intel

🔎 Vulnerability-informed hunting transforms static vulnerability scans into dynamic intelligence by enriching CVE data with asset context, exploit activity and threat feeds. The article shows how mapping vulnerabilities to adversary behaviors (for example, Log4Shell, ProxyShell and Zerologon) lets teams run focused hunts that detect exploitation or reveal telemetry gaps. It advocates a continuous loop where hunts inform detection engineering, improving logging, SIEM content and overall resilience.

CISA Orders Rapid Patching for New FortiWeb Flaw Directive

🔒 CISA has ordered U.S. federal agencies to remediate a FortiWeb OS command injection vulnerability (CVE-2025-58034) within seven days after reports of active exploitation. Fortinet warns the flaw can allow an authenticated attacker to execute unauthorized code via crafted HTTP requests or CLI commands. The agency added the issue to its Known Exploited Vulnerabilities Catalog and set a November 25 deadline under BOD 22-01. CISA cited related zero-day activity (CVE-2025-64446) and recommended expedited fixes.

Fortinet Warns: FortiWeb Command Injection CVE-2025-58034

🔔 Fortinet has issued an advisory about a newly discovered FortiWeb vulnerability, CVE-2025-58034, rated CVSS 6.7 and reported as being exploited in the wild. The flaw is an OS command injection that allows an authenticated attacker, who has gained access by other means, to execute arbitrary commands via crafted HTTP requests or CLI input. Fortinet provides version-based upgrade guidance to remediate the issue and credited a Trend Micro researcher for reporting the bug.

Fortinet warns of FortiWeb zero-day being exploited

🚨 Fortinet has released security updates to remediate a new FortiWeb zero-day tracked as CVE-2025-58034, which the vendor says is being actively exploited in the wild. The vulnerability is an authenticated OS command injection (CWE-78) that can allow an attacker to execute code via crafted HTTP requests or CLI commands without user interaction. Fortinet confirmed observed exploitation and published fixes; administrators should upgrade affected FortiWeb appliances to the patched releases as soon as possible.

Google patches V8 zero-day in Chrome; admins urged

⚠️ Google released an emergency patch for a high‑severity Type Confusion vulnerability in the V8 JavaScript engine (CVE-2025-13223), which the company says is being exploited in the wild. The flaw, rated CVSS 8.8 and discovered by Clément Lecigne of Google TAG, affects Chromium‑based browsers and can enable heap corruption and potential code execution. Administrators should prioritize updating Chrome to the patched 142.0.7444.175/.176 builds. A second V8 issue, CVE-2025-13224, is also fixed.

Meta Expands WhatsApp Security Research Effort

🛡️ Meta has provided selected long‑time bug bounty researchers with a new tool, WhatsApp Research Proxy, to streamline analysis of WhatsApp's network protocol and reduce barriers to in‑depth research. The company is also running a pilot that invites research teams to focus on platform abuse with internal engineering and tooling support. Meta said it has paid more than $25 million to over 1,400 researchers in 15 years and recently added anti‑scraping protections after a study showed an account‑enumeration technique able to map billions of users.

Silent FortiWeb Patch Raises Alarm as Critical Flaw Exploited

🔒 Fortinet's FortiWeb appliances are affected by a critical vulnerability tracked as CVE-2025-64446 that researchers say was exploited in the wild before an official advisory. The issue chains a relative path traversal to an internal CGI backend with an HTTP_CGIINFO header authentication bypass that allows unauthenticated admin impersonation and potential remote code execution. Fortinet released fixes in multiple 7.x and 8.x maintenance updates and recommends disabling HTTP/HTTPS on internet-facing management interfaces if upgrades cannot be applied immediately.

Schneider Electric PowerChute Serial Shutdown Fixes

🔒 Schneider Electric has released updates for PowerChute Serial Shutdown to address multiple vulnerabilities that may be exploited locally on the network. The issues include path traversal (CWE-22, CVE-2025-11565), excessive authentication attempts (CWE-307, CVE-2025-11566), and incorrect default permissions (CWE-276, CVE-2025-11567) with CVSS scores up to 7.8. Schneider Electric published version 1.4 with fixes for Windows and Linux; administrators should upgrade and apply recommended permissions and network isolation measures.

Shelly Pro 4PM DoS Vulnerability (CVE-2025-11243)

⚠ A vulnerability in Shelly Pro 4PM (CVE-2025-11243) can cause device reboots and denial-of-service conditions. Due to insufficient input bounds checking in the device's JSON parser, specially crafted RPC requests can trigger memory overallocation and force a reboot. Devices running firmware prior to v1.6 are affected; CISA notes the exploit is reachable from adjacent networks with low attack complexity. Operators should update to v1.6.0 or later and limit network exposure.

CISA Issues Six New Industrial Control Systems Advisories

🔔 CISA released six Industrial Control Systems (ICS) advisories detailing current security issues, vulnerabilities, and potential exploits affecting multiple vendors and products. The advisories cover Schneider Electric products (including EcoStruxure Machine SCADA Expert, Pro-face BLUE Open Studio, and PowerChute Serial Shutdown), Shelly Pro devices, and METZ CONNECT hardware. One advisory is an update (B) to a prior Schneider Electric notice. Users and administrators are encouraged to review the technical details and apply recommended mitigations promptly.

METZ CONNECT EWIO2 Firmware Critical Vulnerabilities

🔒 METZ CONNECT released firmware updates addressing multiple critical vulnerabilities in EWIO2 devices that allow unauthenticated remote attackers to bypass authentication, upload and execute arbitrary code, and read PHP source files. The flaws include an authentication bypass, PHP remote file inclusion, unrestricted file uploads, path traversal, and improper access control. METZ CONNECT firmware 2.2.0 remediates these issues; administrators should schedule and install the update and ensure devices are not exposed to the internet.