All news with #patch tag

Critical RCE in expr-eval JavaScript Library, affects NPM

⚠️ A critical remote code execution vulnerability (CVE-2025-12735) has been disclosed in the popular expr-eval JavaScript expression parser, which sees over 800,000 weekly downloads on NPM. Reported by Jangwoo Choe and rated 9.8 by CISA, the flaw stems from insufficient validation of the variables/context object passed to Parser.evaluate(), allowing attacker-supplied function objects to be invoked during evaluation. Both the original project and its maintained fork are affected; the fork provides a fix in v3.0.0. Developers should migrate to the patched fork and republish dependent packages immediately.

High-severity runc bugs allow container breakouts via procfs

⚠ Three high-severity vulnerabilities in the runc container runtime allow attackers to escape containers and gain host-level privileges by abusing masked paths, console bind-mounts, and redirected writes to procfs. Aleksa Sarai of SUSE and the OCI described logic flaws that let runc mount or write to sensitive /proc targets, including /proc/sys/kernel/core_pattern and /proc/sysrq-trigger. Patches are available in runc 1.2.8, 1.3.3 and 1.4.0-rc.3; administrators should update promptly, favor rootless containers where feasible, and monitor for suspicious symlink behaviour.

Critical runC Vulnerabilities Allow Docker Container Escape

⚠️ Three newly disclosed vulnerabilities in runC (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) could allow attackers to bypass container isolation and obtain root write access on the host. The issues involve manipulated bind mounts and redirected writes to /proc, and one flaw affects runC releases back to 1.0.0-rc3. Patches are available in recent runC releases; administrators should update, monitor for suspicious symlink/mount activity, and consider enabling user namespaces or running rootless containers as mitigations.

Still on Windows 10? Enroll in Free ESU Before Patch Tuesday

🛡️ If you’re still running Windows 10, enroll in Microsoft’s Extended Security Updates (ESU) program before the next Patch Tuesday to continue receiving security fixes. Consumers can get one year of ESU for free by signing into a Microsoft account and enabling Windows settings backup, or alternatively pay $30 or redeem 1,000 Microsoft Rewards points. Enrollment is available via Settings > Update & Security > Windows Update and should confirm coverage through October 13, 2026.

QNAP Fixes Seven NAS Zero-Day Flaws From Pwn2Own Competition

🔒 QNAP has released patches for seven zero-day vulnerabilities that were exploited to hack NAS devices during the Pwn2Own Ireland 2025 contest. The flaws affect QTS/QuTS hero and several bundled apps, including Hyper Data Protector, Malware Remover, and HBS 3, and are tracked under multiple CVEs. Fixed firmware and app builds are available and administrators are advised to update via Control Panel > System > Firmware Update and the App Center, then change all passwords. Regularly checking product support status and applying updates promptly are recommended to maintain security.

Samsung Zero-Click Flaw Exploited to Deploy LANDFALL Spyware

🔒 A now-patched out-of-bounds write in libimagecodec.quram.so (CVE-2025-21042, CVSS 8.8) was used as a zero-click vector to deliver commercial-grade Android spyware known as LANDFALL. The campaign appears to have used malicious DNG images sent via WhatsApp to extract and load a shared library that installs the spyware. Unit 42 links activity to targets in Iraq, Iran, Turkey, and Morocco and notes samples dating back to July 2024. The exploit also deployed a secondary module to modify SELinux policy for persistence and elevated privileges.

Cisco Firewall Zero-Days Now Triggering DoS Reboots

⚠️ Cisco warned that two recently patched firewall vulnerabilities (CVE-2025-20362 and CVE-2025-20333) — previously leveraged in zero-day intrusions — are now being abused to force ASA and FTD devices into unexpected reboot loops, causing denial-of-service. The vendor issued updates on September 25 and strongly urged customers to apply fixes immediately. CISA issued an emergency 24-hour directive for U.S. federal agencies and ordered EoS ASA devices to be disconnected. Shadowserver still reports tens of thousands of internet-exposed, unpatched devices.

Cisco Fixes Critical Authentication and RCE Flaws in CCX

🔒 Cisco has released security updates for Unified Contact Center Express (CCX) to address two critical vulnerabilities that can enable authentication bypass and remote code execution as root. The company issued software updates 15.0 ES01 and 12.5 SU3 ES07 and urged customers to apply them immediately. Cisco also fixed four medium-severity issues across CCX, CCE and UIC, and warned of a new attack variant affecting ASA and FTD devices tied to earlier patches.

Cisco Warns of Firewall Attack Causing DoS; Urges Patch

⚠️ Cisco disclosed a new attack variant that targets devices running Cisco Secure Firewall ASA and FTD software that are vulnerable to CVE-2025-20333 and CVE-2025-20362. The exploit can cause unpatched devices to unexpectedly reload, creating denial-of-service conditions, and follows prior zero-day campaigns that delivered malware such as RayInitiator and LINE VIPER, per the U.K. NCSC. Cisco additionally released patches for critical Unified CCX flaws and a high-severity DoS bug in ISE, and urges customers to apply updates immediately.

Critical Cisco UCCX Flaw Allows Remote Root Execution

🔒 Cisco has released updates to address a critical vulnerability in Unified Contact Center Express (UCCX) — CVE-2025-20354 — found in the Java RMI process that can let unauthenticated attackers execute arbitrary commands as root. A separate CCX Editor flaw allows authentication bypass and script execution with admin privileges. Administrators should upgrade to the first fixed releases (12.5 SU3 ES07 or 15.0 ES01) immediately; Cisco has not yet observed active exploitation.

Critical RCE in React Native CLI Exposes Dev Servers

⚠️ A critical remote-code execution vulnerability in @react-native-community/cli and its cli-server-api component lets attackers run arbitrary OS commands via the Metro development server. The flaw stems from a /open-url endpoint that forwards a supplied URL directly to the open() package and, despite console messages, the server can bind to 0.0.0.0 rather than localhost. JFrog demonstrated Windows exploitation and the issue is fixed in cli-server-api version 20.0.0; users should update or bind the server to 127.0.0.1.

ABB FLXeon Devices: Multiple Remote-Access Vulnerabilities

⚠ ABB FLXeon devices are affected by multiple high-severity vulnerabilities, including hard-coded credentials, MD5 password hashing without proper salt, and improper input validation that can enable remote code execution. Combined CVSS v4 scores reach up to 8.7 and successful exploitation could allow remote control, arbitrary code execution, or device crashes. ABB and CISA advise disconnecting Internet-exposed units, applying the latest firmware, enforcing physical access controls, and using secure remote-access methods such as properly configured VPNs.

Critical Post SMTP WordPress Plugin Flaw Enables Takeover

⚠️ A critical vulnerability in the popular Post SMTP WordPress plugin, which has more than 400,000 active installations, allowed unauthenticated attackers to read email logs — including password reset messages — and change any user password, enabling full account and site takeover. Wordfence reported active exploitation and urged immediate updates after detecting thousands of automated attacks. Administrators should install the patched release or disable the plugin immediately to prevent compromise.

Prompt Injection Flaw in Anthropic Claude Desktop Exts

🔒Anthropic's official Claude Desktop extensions for Chrome, iMessage and Apple Notes were found vulnerable to web-based prompt injection that could enable remote code execution. Koi Security reported unsanitized command injection in the packaged Model Context Protocol (MCP) servers, which run unsandboxed on users' devices with full system permissions. Unlike browser extensions, these connectors can read files, execute commands and access credentials. Anthropic released a fix in v0.1.9, verified by Koi Security on September 19.

October Windows Updates Can Trigger BitLocker Recovery

🔒 Microsoft warned that installing Windows security updates released on or after October 14, 2025 can cause some systems to boot into BitLocker recovery, prompting users to enter their recovery key on first restart. The issue mainly affects Intel devices that support Connected Standby (Modern Standby) and occurs during restart or startup on Windows 11 24H2/25H2 and Windows 10 22H2. Microsoft says devices should boot normally after the key is entered and offers a Group Policy mitigation via Known Issue Rollback (KIR), with affected customers advised to contact Microsoft Support for Business.

Hackers Exploit Post SMTP Plugin to Hijack Admin Accounts

⚠️ WordPress sites using Post SMTP (≤3.6.0) are under active attack after disclosure of CVE-2025-11833, a critical (9.8) email log disclosure that lets unauthenticated actors read password-reset messages and hijack administrator accounts. A vendor patch, Post SMTP 3.6.1, was released Oct 29, but roughly 210,000 sites remain unpatched. Wordfence observed exploitation beginning Nov 1 and has blocked over 4,500 attempts; site owners should update or disable the plugin immediately.

Talos Discloses TruffleHog, Fade In, and BSAFE Flaws

🔒 Cisco Talos’ Vulnerability Discovery & Research team disclosed multiple vulnerabilities affecting TruffleHog, Fade In, and Dell BSAFE Crypto-C, including arbitrary code execution, out-of-bounds write/use-after-free, and integer/stack overflow issues. The issues were reported by Talos researchers and external collaborators and vendors have issued patches following Cisco’s disclosure policy. Users should apply vendor updates, deploy updated detection rules such as Snort signatures, and consult Talos advisories for indicators and recommended mitigations.

Critical React Native CLI Flaw Enables Remote OS Commands

⚠ A critical vulnerability in the @react-native-community/cli ecosystem could let remote, unauthenticated attackers execute arbitrary OS commands on machines running the React Native development server. JFrog researcher Or Peles reported that the Metro dev server binds to external interfaces by default and exposes a vulnerable /open-url endpoint that passes user input to the unsafe open() call. The flaw (CVE-2025-11953, CVSS 9.8) affected versions 4.8.0–20.0.0-alpha.2 and is fixed in 20.0.0.

Microsoft Teams Bugs Enable Message and Caller Spoofing

🔒 Check Point researchers disclosed four vulnerabilities in Microsoft Teams that let attackers alter message content, spoof senders, and manipulate notifications to impersonate colleagues. The issues were reported in March 2024 and remediated across multiple updates beginning with an August 2024 fix for CVE-2024-38197, followed by patches in September 2024 and October 2025. Exploitable by external guests and internal actors alike, the flaws could trick users into clicking malicious links, sharing sensitive data, or accepting fraudulent calls by making messages and caller notifications appear to originate from trusted executives or coworkers.

Windows 10 update bug shows incorrect end-of-support alerts

⚠️Microsoft says installing the October 2025 updates can cause some Windows 10 systems with active coverage to display an incorrect "Your version of Windows has reached the end of support" message in Windows Update settings. The cosmetic issue affects Windows 10 Enterprise LTSC 2021, Windows 10 IoT Enterprise LTSC 2021, and Windows 10 22H2 devices enrolled in ESU. Microsoft has deployed a cloud configuration update to correct the message automatically, but devices that are offline or block dynamic updates may not receive it. Administrators can use Known Issue Rollback (KIR) by setting the KB5066791 251020_20401 value to Disabled to remove the alert on managed systems until a permanent fix ships in a future Windows update.