All news with #patch tag

Ivanti warns of critical Endpoint Manager code flaw

⚠️ Ivanti is urging customers to patch a critical vulnerability (CVE-2025-10573) in its Endpoint Manager (EPM) that allows unauthenticated remote actors to execute arbitrary JavaScript via low-complexity cross-site scripting that requires user interaction. Reported by Rapid7, the flaw lets attackers join fake managed endpoints to poison administrator dashboards and hijack admin sessions when viewed. Ivanti released EPM 2024 SU4 SR1 and addressed three other high-severity bugs, while Shadowserver reports hundreds of Internet-facing EPM instances.

Critical Auth Bypass in India-Deployed CCTV Cameras

🔒 CISA reports a critical authentication bypass (CWE-306, CVE-2025-13607) affecting multiple India-deployed CCTV products, including D-Link DCS-F5614-L1. The flaw permits unauthenticated remote retrieval of device configuration and account credentials with low attack complexity and high impact. D-Link has released a software update for the DCS-F5614-L1; users should install the patch, verify firmware versions, and minimize network exposure while seeking guidance from other vendors.

U-Boot Bootloader: Improper Access to Volatile Boot Code

⚠️ U-Boot contains an improper access control vulnerability in volatile memory holding boot code (CVE-2025-24857) affecting all U-Boot versions prior to 2017.11 and several Qualcomm SoCs. Successful exploitation could allow arbitrary code execution; CISA reports a CVSS v4 base score of 8.6 with low attack complexity. Vendors advise upgrading to v2025.4, ensuring physical device security, and contacting Qualcomm support where appropriate.

Festo LX Appliance XSS Vulnerability (CVE-2021-23414)

⚠️ Festo SE & Co. KG's LX Appliance contains a cross-site scripting (XSS) vulnerability tied to the video.js library (CVE-2021-23414) that can allow crafted course content to execute scripts in high-privilege user sessions. The issue affects LX Appliance versions prior to June 2023 and has a CVSS v3.1 base score of 6.1. Festo coordinated disclosure with CERT@VDE and published advisory FSA-202301. Administrators should update affected appliances and apply recommended network isolation and secure remote access controls.

December 2025 Patch Tuesday: One Zero-Day, 57 CVEs Addressed

🔔 Microsoft’s December 2025 Patch Tuesday addresses 57 CVEs, including one actively exploited Important zero‑day in the Windows Cloud Files Mini Filter Driver and two publicly disclosed Important zero‑days impacting GitHub Copilot for JetBrains and PowerShell. Two Critical RCE flaws in Microsoft Office increase urgency for enterprise patching and remediation. Organizations should prioritize applying Microsoft fixes, adopt layered mitigations where patches are delayed, and use CrowdStrike Falcon dashboards to track affected assets and remediation progress.

Apache Tika XXE Flaw Expanded; Critical Patch Urged

⚠️ Apache Tika maintainers warn that an XML External Entity (XXE) vulnerability originally disclosed in August (CVE-2025-54988) is broader than first reported and is now covered by a superset CVE (CVE-2025-66516). The issue affects tika-core, tika-parsers and the standalone tika-parser-pdf-module, and could allow attackers to read sensitive data or trigger requests to internal resources. Users are advised to upgrade to the patched releases or disable XML parsing via tika-config.xml to mitigate risk.

React2Shell RCE Actively Exploited by Multiple Threat Actors

🔴 The newly disclosed React2Shell vulnerability (CVE-2025-55182) is being actively exploited in the wild and carries a CVSS v3.1 score of 10. AWS has attributed exploitation attempts to state-linked groups including Earth Lamia and Jackpot Panda, while multiple proof-of-concept exploits have rapidly appeared. Broad scans from Shadowserver and Censys show tens of thousands to over two million potentially affected instances, and defenders are urged to apply the published React security updates immediately.

CISA Adds Critical React2Shell RCE to KEV Catalog Now

⚠️ CISA has added a critical remote code execution flaw affecting React Server Components (tracked as CVE-2025-55182 / React2Shell) to its Known Exploited Vulnerabilities catalog. The vulnerability, rated CVSS 10.0, stems from insecure deserialization in React’s Flight protocol and enables unauthenticated attackers to run arbitrary commands via crafted HTTP requests. Fixes are available in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (versions 19.0.1, 19.1.2, 19.2.1) and should be applied immediately.

Critical XML External Entity (XXE) Flaw in Apache Tika

🔒 A critical XML External Entity (XXE) vulnerability, tracked as CVE-2025-66516, has been disclosed in Apache Tika and carries a CVSS score of 10.0. The flaw allows XXE via a crafted XFA file inside PDFs and affects tika-core, tika-parser-pdf-module, and tika-parsers across multiple versions. Users are strongly advised to upgrade to the patched releases immediately to mitigate file disclosure and potential remote code execution.

Critical React2Shell RCE in React.js and Next.js Servers

⚠️React.js and Next.js servers are vulnerable to a critical remote code execution flaw dubbed React2Shell (CVE-2025-55182), disclosed to Meta on 29 November 2025. The bug targets server-side React Server Function endpoints and default Next.js App Router setups, enabling unauthenticated attackers to execute arbitrary code with a single HTTP request. Researchers report near‑100% exploitability in default configurations and published proof‑of‑concepts; security teams should upgrade affected packages to the fixed versions immediately and verify PoC sources before testing.

Chinese Threat Actors Rapidly Exploit React2Shell Flaw

⚠️ Within hours of public disclosure, two China-linked groups began exploiting the newly disclosed CVE-2025-55182 (React2Shell) remote code execution flaw in React Server Components. AWS telemetry from MadPot honeypots attributes activity to Earth Lamia and Jackpot Panda, showing attempts to run discovery commands such as "whoami", write files like "/tmp/pwned.txt", and read sensitive files such as "/etc/passwd". Vendors addressed the bug in React 19.0.1, 19.1.2, and 19.2.1, but attackers are concurrently scanning for other N-day flaws.

Cloudflare Outage Caused by Emergency React2Shell Patch

🔧 Cloudflare says an emergency patch to mitigate the critical React2Shell vulnerability (CVE-2025-55182) introduced a change to its Web Application Firewall request parsing that briefly rendered the network unavailable and caused global "500 Internal Server Error" responses. The update targeted active remote code execution attempts against React Server Components and dependent frameworks. Cloudflare emphasized the incident was not an attack and that the change was deployed to protect customers while the industry addresses the flaw.

Cloudflare outage after WAF update to block React exploit

🛡️ Cloudflare briefly disrupted service after a Web Application Firewall update intended to mitigate a vulnerability in React Server Components (CVE-2025-55182) caused its request parser to fail. The incident began at 09:09 UTC and a corrective change was deployed within ten minutes, but monitoring sites and customers reported widespread errors during the outage. Downdetector logged spikes for enterprise and consumer services including Shopify, Zoom, Claude AI, and AWS. Cloudflare said the change was a protective measure for unpatched customers and confirmed the disruption was not an attack.

JPCERT Confirms Active Command-Injection in ArrayOS

⚠️ JPCERT/CC warns that a command injection flaw in Array Networks AG Series secure access gateways' DesktopDirect feature has been actively exploited since August 2025, enabling attackers to execute arbitrary commands. The vendor patched the issue in ArrayOS 9.4.5.9 on May 11, 2025; affected versions include 9.4.5.8 and earlier. JPCERT/CC confirms web shells were dropped on devices in Japan and notes attacks from IP 194.233.100[.]138. Administrators should apply the update or disable DesktopDirect and block URLs containing a semicolon as a temporary mitigation.

Attackers Exploit ArrayOS AG VPN Bug to Deploy Webshells

🔒 Threat actors are exploiting a command injection vulnerability in Array Networks ArrayOS AG VPN appliances to plant PHP webshells and create rogue user accounts. The flaw affects ArrayOS AG 9.4.5.8 and earlier when the DesktopDirect feature is enabled; Array issued a May update (9.4.5.9) to address the issue. Japan's CERT (JPCERT/CC) reports attacks since at least August originating from IP 194.233.100[.]138. If immediate patching is not possible, disable DesktopDirect or block URLs containing a semicolon as a temporary mitigation.

Critical RCE in React and Next.js Flight Protocol Disclosed

🚨 Researchers disclosed critical remote code execution vulnerabilities in the Flight protocol for React Server Components (CVE-2025-55182 and CVE-2025-66478). The flaw permits unauthenticated attackers to achieve deterministic RCE via insecure deserialization of malformed HTTP payloads, with near-100% reliability against default deployments. Vendors have issued patched releases; administrators should apply upgrades immediately. Palo Alto Networks Unit 42 published detection guidance and hunting queries to help identify exploitation and post-exploitation activity.

Socomec DIRIS Digiware M Series and PDF XChange Flaws

🔒 Cisco Talos disclosed an out‑of‑bounds read in PDF‑XChange Editor (CVE‑2025‑58113) and ten vulnerabilities affecting Socomec DIRIS Digiware M series and Easy Config. The issues range from information disclosure and authentication bypass to multiple denial‑of‑service and buffer overflow flaws. Vendors have released patches; administrators should apply updates and deploy Snort rules to detect exploitation.

Critical React4Shell RSC Vulnerability CVE-2025-55182

🛡️ A critical remote code execution flaw, CVE-2025-55182 (React4Shell), was disclosed affecting React Server Components and multiple derivatives including Next.js, React Router RSC preview, and several bundler plugins. The bug arises from unsafe deserialization of Flight protocol payloads and permits unauthenticated HTTP requests to execute code on vulnerable servers. Immediate updating to the patched React and Next.js releases, plus deployment of WAF rules and access restrictions, is strongly recommended.

Critical React2Shell RCE Affects React and Next.js Servers

🚨 React and Next.js applications are affected by a maximum-severity deserialization vulnerability dubbed React2Shell, which enables unauthenticated remote code execution via the React Server Components (RSC) "Flight" protocol. Discovered by researcher Lachlan Davidson and reported on November 29, the flaw received a 10/10 severity rating and has been assigned CVE-2025-55182 for React (Next.js received CVE-2025-66478, later rejected by the NVD). Affected default packages include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, and researchers warn many deployments are exploitable without additional misconfiguration. Developers should apply the published patches and audit environments immediately.

Windows LNK Shortcut Abuse Addressed by Recent Patches

🔒 Microsoft has quietly altered how Windows displays .lnk shortcut Targets, addressing a long‑abused technique attackers used to hide malicious commands in trailing whitespace. The issue (tracked as CVE-2025-9491) stemmed from Explorer showing only the first 260 characters of a Target field, allowing long PowerShell or BAT scripts to be concealed. Third‑party vendor 0patch acknowledges the UI change but says Microsoft’s fix doesn't prevent execution and offers a micropatch that truncates long Targets and warns users.