All news with #path traversal tag

WinRAR Path Traversal CVE-2025-6218 Under Active Attack

⚠️ CISA has added WinRAR path traversal CVE-2025-6218 (CVSS 7.8) to its Known Exploited Vulnerabilities list after reports of active exploitation. RARLAB patched the Windows-only flaw in WinRAR 7.12 (June 2025); attackers can place files in sensitive locations such as the Startup folder or Word’s global template to achieve code execution. Multiple groups — including GOFFEE, Bitter (APT‑C‑08/Manlinghua), and Gamaredon — have used the bug in phishing campaigns; organizations should deploy 7.12 or apply mitigations like blocking malicious archives, disabling macros, and monitoring for C2 activity.

CISA Adds Two Vulnerabilities to Known-Exploited Catalog

🔒 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-6218 (WinRAR path traversal) and CVE-2025-62221 (Microsoft Windows use-after-free). The agency cited evidence of active exploitation and emphasized that these flaws are frequent attack vectors posing significant risk to the federal enterprise. CISA reiterated that BOD 22-01 requires FCEB agencies to remediate cataloged CVEs by the required due dates and urged all organizations to prioritize timely remediation.

Fluent Bit Bugs Could Enable Complete Cloud Takeover

⚠️ Fluent Bit, a widely deployed log-processing agent used across containers, Kubernetes DaemonSets, and major cloud platforms, contains multiple critical vulnerabilities that can enable authentication bypass, arbitrary file writes, and full agent takeover. Oligo Security, in cooperation with AWS, disclosed five severe flaws impacting in_forward authentication and the tag-handling logic, plus path traversal and buffer-overflow defects. The project has released patches in v4.1.1 and v4.0.12; operators should update and validate configurations immediately to prevent log tampering, telemetry rerouting, and potential remote code execution.

Fluent Bit Vulnerabilities Threaten Cloud and Kubernetes

⚠️ Researchers disclosed five vulnerabilities in Fluent Bit, the open-source telemetry agent, that can be chained to bypass authentication, write or overwrite files, execute code, corrupt logs, and cause denial-of-service conditions. CERT/CC noted many issues require network access, and fixes were released in Fluent Bit 4.1.1 and 4.0.12 with AWS participating in coordinated disclosure. Operators are urged to update immediately and apply mitigations such as avoiding dynamic tags, mounting configs read-only, and running the agent as a non-root user.

Critical Fluent Bit Vulnerabilities Expose Telemetry Risk

⚠️ Fluent Bit, a widely deployed telemetry agent, has multiple critical vulnerabilities disclosed by Oligo Security affecting inputs, tag processing and output handling. Patches are available in Fluent Bit v4.1.1 and v4.0.12 released in early October 2025; older releases remain at risk. Operators are advised to update immediately, avoid dynamic tags, lock down output file parameters, run with least privilege and mount configuration directories read-only to reduce exposure.

Silent FortiWeb Patch Raises Alarm as Critical Flaw Exploited

🔒 Fortinet's FortiWeb appliances are affected by a critical vulnerability tracked as CVE-2025-64446 that researchers say was exploited in the wild before an official advisory. The issue chains a relative path traversal to an internal CGI backend with an HTTP_CGIINFO header authentication bypass that allows unauthenticated admin impersonation and potential remote code execution. Fortinet released fixes in multiple 7.x and 8.x maintenance updates and recommends disabling HTTP/HTTPS on internet-facing management interfaces if upgrades cannot be applied immediately.

METZ CONNECT EWIO2 Firmware Critical Vulnerabilities

🔒 METZ CONNECT released firmware updates addressing multiple critical vulnerabilities in EWIO2 devices that allow unauthenticated remote attackers to bypass authentication, upload and execute arbitrary code, and read PHP source files. The flaws include an authentication bypass, PHP remote file inclusion, unrestricted file uploads, path traversal, and improper access control. METZ CONNECT firmware 2.2.0 remediates these issues; administrators should schedule and install the update and ensure devices are not exposed to the internet.

Schneider Electric PowerChute Serial Shutdown Fixes

🔒 Schneider Electric has released updates for PowerChute Serial Shutdown to address multiple vulnerabilities that may be exploited locally on the network. The issues include path traversal (CWE-22, CVE-2025-11565), excessive authentication attempts (CWE-307, CVE-2025-11566), and incorrect default permissions (CWE-276, CVE-2025-11567) with CVSS scores up to 7.8. Schneider Electric published version 1.4 with fixes for Windows and Linux; administrators should upgrade and apply recommended permissions and network isolation measures.

Fortinet silently patches FortiWeb zero-day flaw in the wild

🚨 Fortinet confirmed a silent patch for a critical FortiWeb GUI path confusion zero-day (tracked as CVE-2025-64446) that is being "massively exploited in the wild." The flaw allowed unauthenticated HTTP(S) requests to execute administrative commands and create local admin accounts on internet-exposed devices. Fortinet released fixes in FortiWeb 8.0.2 (Oct 28) and later; administrators should upgrade, disable internet-facing management interfaces if they cannot update immediately, and audit logs for unauthorized accounts.

CISA Adds Fortinet FortiWeb Path Traversal to KEV Catalog

🔒 CISA has added CVE-2025-64446 — a Fortinet FortiWeb path traversal vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by the required due date. CISA strongly urges all organizations to prioritize timely patching, apply available mitigations, and monitor for indicators of compromise. CISA will continue to add vulnerabilities that meet catalog criteria.

Fortinet FortiWeb Path Traversal Vulnerability Alert

⚠️ Fortinet has released an advisory for FortiWeb addressing CVE-2025-64446, a CWE-23 relative path traversal that can allow unauthenticated actors to execute administrative commands via crafted HTTP/HTTPS requests. Affected releases include multiple 7.x and 8.x versions; Fortinet provides specific upgrade targets (8.0.2+, 7.6.5+, 7.4.10+, 7.2.12+, 7.0.12+). If immediate upgrades are not possible, disable HTTP/HTTPS on internet-facing interfaces and, after remediation, review configurations and logs for unexpected modifications or unauthorized administrator accounts.

FortiWeb Path Traversal Flaw Allows Admin Account Creation

⚠️ A path traversal vulnerability in Fortinet FortiWeb appliances is being actively exploited to create local administrative users without authentication. Researchers from Defused and PwnDefend described requests targeting the /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi endpoint that inject admin accounts. Rapid7 and others confirm versions 8.0.1 and earlier are affected, while 8.0.2 is believed to contain the fix. Administrators are urged to update immediately, review logs for fwbcgi access, and search for unexpected admin accounts.

AADvance Trusted SIS Workstation: Rockwell Automation Flaw

⚠️ Rockwell Automation's AADvance-Trusted SIS Workstation has a directory traversal vulnerability (CWE-22) in DotNetZip (v1.16.0 and earlier) that can enable remote code execution if a user opens a crafted file. The issue is tracked as CVE-2024-48510 and has a CVSS v4 base score of 8.6 (CVSS v3.1 8.8). Affected versions are 2.00.00 through 2.00.04; Rockwell reports the defect is corrected in Version 2.01.00. Users unable to immediately upgrade should follow vendor guidance, minimize network exposure of control devices, isolate control networks, use secure remote access, and contact Rockwell support for assistance.

Rockwell Studio 5000 Simulation Interface Vulnerabilities

⚠️ Rockwell Automation disclosed two local vulnerabilities in Studio 5000 Simulation Interface (version 2.02 and earlier) that allow path traversal–based local code execution (CVE-2025-11696) and a local SSRF that can trigger outbound SMB requests for NTLM hash capture (CVE-2025-11697). Both issues carry high severity (CVSS v4: 9.3 and 8.8) and are exploitable by low-complexity local attackers. Rockwell recommends upgrading to version 3.0.0 or later; CISA advises isolating control system networks, minimizing exposure, and following secure remote-access practices.

Advantech DeviceOn/iEdge: Multiple Remote Flaws Report

⚠️ Advantech DeviceOn/iEdge versions 2.0.2 and earlier contain multiple remotely exploitable vulnerabilities, including XSS and several path-traversal flaws assigned CVE-2025-64302, CVE-2025-62630, CVE-2025-59171, and CVE-2025-58423. Successful exploitation may lead to denial-of-service, arbitrary file disclosure, or remote code execution with system-level permissions. CISA notes the products are EOL and recommends upgrading to DeviceOn, isolating devices from the internet, and using secure remote access methods to reduce risk.

Rockwell Automation PanelView and FactoryTalk ME Flaws

🔒 Rockwell Automation disclosed vulnerabilities in FactoryTalk View Machine Edition and PanelView Plus 7 that can allow unauthorized access to device file systems and diagnostic data. CVE-2025-9064 is a network-exploitable path traversal issue; CVE-2025-9063 is an improper-authorization flaw tied to an ActiveX control. Rockwell recommends installing provided firmware and software updates, and CISA advises minimizing network exposure, isolating control networks, and using secure remote access.

CISA Adds Grafana Path Traversal to KEV Catalog Notice

📢 CISA has added CVE-2021-43798 — a Grafana path traversal vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. The agency notes that path traversal is a frequent attack vector that poses significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by required due dates. CISA strongly urges all organizations to prioritize remediation and will continue updating the KEV Catalog.

Surge in Scans Targeting Palo Alto Network Login Portals

🔍 GreyNoise has observed a roughly 500% rise in IP addresses scanning Palo Alto Networks login portals, primarily emulating GlobalProtect and PAN-OS profiles. Activity peaked on October 3 with more than 1,285 unique IPs—typical daily scans are usually under 200—while most sources were geolocated to the United States with smaller clusters in the UK, Netherlands, Canada, and Russia. GreyNoise classified 91% of the IPs as suspicious and 7% as malicious, noting clusters with distinct TLS fingerprints and warning this reconnaissance could precede exploitation attempts; administrators should verify device exposure and monitoring.

Delta DIALink Path Traversal Vulnerabilities (CVE-2025)

⚠️ Delta Electronics' DIALink contains multiple path traversal vulnerabilities that can be exploited remotely to bypass authentication, including at least one flaw rated CVSS v4 10.0. Affected releases include V1.6.0.0 and prior. An anonymous researcher working with Trend Micro's Zero Day Initiative reported the issues to CISA and Delta has released updates. Organizations should upgrade to v1.8.0.0 or later, segment devices from business networks, avoid exposing control equipment to the Internet, and use secure remote access methods.

Critical SessionReaper Vulnerability in Adobe Commerce

⚠️ Adobe has disclosed a critical flaw, CVE-2025-54236 (SessionReaper), in Adobe Commerce and Magento Open Source that can enable attackers to take over customer accounts through the Commerce REST API. The issue, rated 9.1 by CVSS, stems from improper input validation and affects multiple product versions and a third-party module. Adobe published a hotfix and deployed WAF rules for cloud-hosted merchants while e-commerce security firm Sansec reproduced an exploitation path involving session manipulation and nested deserialization. Merchants should apply fixes, review session storage settings, and monitor for suspicious activity.