All news with #privilege escalation tag

⚠️ Festo firmware for Controller CECC-S, -LK, and -D families contains multiple vulnerabilities (aggregate CVSS up to 9.8) in the integrated CODESYS V3 runtime and related components. Affected releases include R05 (2.3.8.0) and R06 (2.3.8.1); Festo advises updating affected units to firmware 2.4.2.0 where fixes are provided. Exploitable issues may enable remote code execution, denial-of-service, privilege escalation, or unauthorized access. CISA recommends isolating control networks, restricting remote exposure, and applying vendor guidance and mitigations while performing appropriate risk analysis.

⚠️ Festo CPX-CEC-C1 and CPX-CMXX devices contain an improper privilege management vulnerability (CWE-269) that permits unauthenticated remote access to critical webserver functions and may cause a denial of service. The issue is identified as CVE-2022-3079 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/A:H). Festo currently has no firmware fix planned; recommended mitigations include restricting access to TCP port 80 and replacing affected units with specified follow-up products.

⚠️ NVISO Labs says China-linked UNC5174 has been exploiting a newly patched local privilege escalation bug, CVE-2025-41244, in Broadcom VMware Tools and VMware Aria Operations since mid-October 2024. The vulnerability (CVSS 7.8) stems from a vulnerable get_version() regex that can match non-system binaries in writable directories (for example, /tmp/httpd) and cause metrics collection to execute them with elevated privileges. VMware and Broadcom have released fixes and mitigations; affected organizations should apply vendor patches and follow VMware's guidance, and Linux distributions will receive patched open-vm-tools packages from vendors.

🔒 CISA added a critical vulnerability affecting the Sudo utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaw, CVE-2025-32463 (CVSS 9.3), impacts Sudo versions prior to 1.9.17p1 and can be abused via the -R (--chroot) option to execute arbitrary commands as root, bypassing sudoers. Four additional flaws were also added to the KEV list. Agencies and organizations are advised to apply mitigations and updates by October 20, 2025 and upgrade or implement compensating controls immediately.

🔐Akira ransomware operators are successfully authenticating to SonicWall SSL VPN accounts even when one-time password (OTP) multi-factor authentication is enabled. Arctic Wolf links the logins to credentials and OTP seeds harvested via an improper access control flaw tracked as CVE-2024-40766, and notes attackers can reuse those secrets after devices are patched. Once inside, actors rapidly scan internal networks, harvest backup server credentials, and use techniques such as BYOVD to sideload vulnerable drivers and disable protections. Administrators are urged to install the latest SonicOS (recommended 7.3.0) and reset all SSL VPN credentials immediately.

⚠ The new Phoenix Rowhammer technique reverse-engineers TRR in SK Hynix DDR5 DIMMs to induce controlled bit flips previously believed mitigated. Researchers from ETH Zurich and Google report Phoenix reliably triggers flips across all 15 tested modules, enabling practical exploits such as forged Page Table Entries, RSA-2048 key leakage from co-located VMs, and a sudo-based root escalation. The issue is tracked as CVE-2025-6202.

⚠️ Researchers at ETH Zürich and Google disclosed a RowHammer variant named Phoenix (CVE-2025-6202) that reliably induces bit flips on SK Hynix DDR5 devices and bypasses on-die ECC and advanced TRR protections. The team demonstrated an end-to-end privilege escalation on a production desktop with default DDR5 settings in as little as 109 seconds. Phoenix takes advantage of refresh intervals that mitigation logic does not sample, enabling flips across DIMM stacks produced between 2021 and 2024. Because DRAM chips cannot be updated in the field, the researchers recommend increasing the DRAM refresh rate to 3× as an immediate mitigation and urge vendors to pursue firmware and hardware countermeasures.

🧨 Researchers have developed Phoenix, a new Rowhammer variant that defeats DDR5 TRR protections on SK Hynix modules by synchronizing and self-correcting against missed refresh intervals. After reverse-engineering TRR behavior, the team identified refresh slots that were not sampled and used precise hammering patterns covering 128 and 2,608 refresh intervals to flip bits. In tests they flipped bits across all tested DIMMs and produced a working privilege-escalation exploit, achieving a root shell on commodity DDR5 systems in under two minutes. The authors published an academic paper and an FPGA-based repository with experiments and proof-of-concept code.

🔒 ESET researchers identified HybridPetya, a new ransomware strain that blends Petya-style MFT encryption with a UEFI bootkit that can bypass Secure Boot by abusing a patched flaw (CVE-2024-7344) in the Howyar Reloader EFI component. The malware installs a malicious EFI application, uses a three-state flag to track encryption and ransom status, displays a fake CHKDSK screen, and demands $1,000 in Bitcoin. Select variants load a cloak.dat payload into reloader.efi to evade integrity checks; Microsoft revoked the vulnerable binary via dbx updates. ESET found no evidence of widespread active abuse but warned Secure Boot bypasses are increasingly common and urged prompt patching and boot integrity monitoring.

🔒 Siemens SINAMICS drive firmware contains an Improper Privilege Management vulnerability (CVE-2025-40594) that can allow local network users to escalate privileges and perform a factory reset without required rights. A CVSS v3.1 base score of 6.3 and a CVSS v4 base score of 6.9 were calculated. Siemens provides updates for S210 and G220 (V6.4 HF2); S200 V6.4 currently has no fix. CISA and Siemens recommend minimizing network exposure, isolating control networks, and using secure remote access methods.

🛡️ Siemens reports a local privilege escalation vulnerability affecting SIMOTION Tools installers that use an affected NSIS setup component. The flaw (CWE-754) in Nullsoft Scriptable Install System (NSIS) before 3.11 can allow an unprivileged user to gain SYSTEM privileges during installation by exploiting a race condition. The issue is tracked as CVE-2025-43715 with a CVSS v3.1 base score of 8.1. No vendor fix is available yet; Siemens and CISA offer mitigations and hardening guidance.

🔧 Microsoft has issued a fix for an August 2025 update that caused unexpected User Account Control (UAC) prompts and blocked MSI app installations for non-administrative users across multiple Windows client and server releases. The behavior resulted from a security patch addressing CVE-2025-50173, which introduced broader elevation checks to mitigate privilege escalation. Microsoft’s September 2025 update narrows when UAC is required for MSI repairs and lets IT administrators add specific MSI packages to an allowlist via new SecureRepairPolicy and SecureRepairWhitelist registry keys. The company also resolved a separate bug that caused severe lag and stuttering in NDI streaming software on Windows 10 and Windows 11.

🔒 Microsoft released fixes for 80 security flaws across its products, including one publicly disclosed SMB privilege-escalation issue (CVE-2025-55234). Eight flaws are rated Critical and 72 Important, with a high proportion of elevation-of-privilege bugs. The update also includes a CVSS 10.0 Azure Networking fix and new auditing options to help administrators assess Windows SMB signing and Extended Protection compatibility before hardening.

🔔 CISOs with SAP NetWeaver AS Java deployments should urgently patch two critical flaws: CVE-2025-42944, a CVSS 10.0 insecure deserialization in the RMI-P4 module, and a CVSS 9.9 insecure file-upload vulnerability that can lead to full system compromise. As an immediate mitigation, admins can apply P4 port filtering at the ICM level until patches are installed. Microsoft released fixes for 13 critical bugs this month, including Hyper‑V guest-to-host escalation issues and an NTLM elevation flaw (CVE-2025-54918) marked Exploitation More Likely; teams should prioritize domain controllers and virtualization hosts.

🔒 Microsoft today released Patch Tuesday updates addressing more than 80 vulnerabilities across Windows and related products, including 13 rated critical. There are no known zero‑day or actively exploited flaws in this bundle, but Microsoft patched several high‑risk issues such as CVE-2025-54918 (Windows NTLM), CVE-2025-55234 (SMB client), and CVE-2025-54916 (NTFS). Researchers warn many fixes are for privilege‑escalation bugs — some remotely exploitable — and note that Apple and Google recently patched zero‑days in their platforms as well.

🔔 Microsoft’s September 2025 update addresses 84 vulnerabilities, including two publicly disclosed zero-days and eight Critical issues. CrowdStrike’s analysis identifies elevation of privilege, remote code execution and information disclosure as the top exploitation vectors and notes many critical flaws require some user interaction. Key affected components include Windows, Extended Security Updates (ESU) and Microsoft Office, with notable CVEs in SMB, NTLM, Hyper-V and graphics subsystems. Organizations should prioritize patching, apply mitigations for unpatchable issues, and plan for Windows 10 end of support in October 2025.

⚠️ Microsoft says the August 2025 security updates are causing unexpected User Account Control (UAC) credential prompts and preventing application installations and MSI repair operations for non‑admin users across supported Windows client and server releases. The behavior stems from a patch addressing CVE-2025-50173, a Windows Installer privilege escalation vulnerability that now enforces elevated UAC prompts during MSI repair and related operations. Affected scenarios include MSI repair commands, ConfigMgr deployments relying on per‑user advertising, Secure Desktop enablement, and launching certain Autodesk applications. Microsoft plans a fix allowing admins to exempt specific apps and recommends running affected apps as administrator or applying a Known Issue Rollback via support as a temporary mitigation.

🔒 Google has released its September 2025 Android security updates addressing 120 vulnerabilities, including two issues that Google says have been exploited in limited, targeted attacks. The two highlighted flaws are CVE-2025-38352 (CVSS 7.4), affecting the Linux Kernel, and CVE-2025-48543, impacting the Android Runtime; both can enable local privilege escalation with no user interaction. Google issued patch levels 2025-09-01 and 2025-09-05 to let partners deploy common fixes more quickly and credited Benoît Sevens of TAG with reporting the kernel issue.

🚨 Check Point attributes a BYOVD campaign to the Silver Fox actor that leverages a Microsoft-signed WatchDog kernel driver (amsdk.sys v1.0.600) to neutralize endpoint defenses. The operation uses a dual-driver approach—an older Zemana-based driver on Windows 7 and the WatchDog driver on Windows 10/11—to terminate processes and escalate privileges. An all-in-one loader bundles anti-analysis checks, embedded drivers, AV-killer logic, and a ValleyRAT downloader to establish persistent remote access.

⚠️ GE Vernova's CIMPLICITY HMI/SCADA software is affected by an Uncontrolled Search Path Element vulnerability (CVE-2025-7719) in versions 2024, 2023, 2022, and 11.0. CISA reports this flaw could enable a low-privileged local attacker to escalate privileges; a CVSS v4 score of 7.0 and a CVSS v3.1 score of 7.8 were calculated. The issue is not remotely exploitable and no public exploitation has been reported; GE Vernova recommends upgrading to CIMPLICITY 2024 SIM 4 and following the Secure Deployment Guide while CISA advises network isolation and secure remote access.