All news with #rce tag

API Attacks Surge: 40,000 Incidents in H1 2025 Report

🔒 Thales' Imperva analysed telemetry from over 4,000 environments and reported about 40,000 API incidents in H1 2025, finding APIs now attract 44% of advanced bot traffic. Key findings included a 40% rise in credential-stuffing and account-takeover attempts against APIs without adaptive MFA, plus data scraping (31%) and coupon/payment fraud (26%). Financial services, telecoms and travel were among the most targeted sectors, and Thales warned the pace and sophistication of attacks will continue to increase.

Critical RCE in Delmia Apriso Triggers Urgent Patching

⚠ A critical remote code execution flaw, CVE-2025-5086, has been observed being exploited in the wild against Delmia Apriso, Dassault Systèmes' manufacturing operations platform. CISA added the issue to its Known Exploited Vulnerabilities catalog with a CVSS score of 9.0, yet the vendor has provided minimal public guidance. Researchers report exploit scans and a circulating sample that was detected by only one AV engine, underscoring urgent patching challenges for manufacturers.

Samsung image library flaw enables zero-click RCE exploit

📸 Samsung disclosed a critical remote code execution vulnerability in a closed-source image-parsing library, libimagecodec.quram.so, supplied by Quramsoft that affects devices running Android 13–16. The out-of-bounds write (CVE-2025-21043, CVSS 8.8) can be triggered by a specially crafted image and has been exploited in the wild. Messaging apps are a likely vector and the flaw can operate as a zero-click backdoor. Samsung released an SMR Sep-2025 Release 1 patch; enterprises should prioritize deployment.

CISA Warns of Active Exploitation of Dassault RCE Now

⚠ CISA has added a critical remote code execution flaw in DELMIA Apriso to its Known Exploited Vulnerabilities list as CVE-2025-5086, warning that attackers are actively exploiting the issue. The vulnerability is a deserialization of untrusted data that can lead to RCE when vulnerable endpoints process crafted SOAP requests containing a Base64-encoded, GZIP-compressed .NET executable embedded in XML. Dassault Systèmes confirmed the bug affects Releases 2020–2025; CISA has given federal agencies until October 2 to apply updates or mitigations or to cease using the product.

Samsung fixes libimagecodec zero-day CVE-2025-21043

⚠️ Samsung released its monthly Android security update addressing a critical zero-day, CVE-2025-21043, a high-severity (CVSS 8.8) out-of-bounds write in libimagecodec.quram.so that can enable remote arbitrary code execution. The company says the flaw affects Android 13–16 and was privately disclosed on August 13, 2025. The affected library is a closed-source image parser from Quramsoft and the patch corrects an incorrect implementation. Samsung acknowledged an exploit exists in the wild but did not provide attack specifics.

DELMIA Apriso critical CVE-2025-5086 enables RCE in the wild

⚠️ CISA added a critical deserialization vulnerability, CVE-2025-5086, affecting Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) releases 2020–2025 to its KEV catalog following evidence of active exploitation. The flaw can allow remote code execution via the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint when attackers send a Base64 payload that decodes to a GZIP-compressed Windows DLL. Observed attacks delivered a DLL identified by Kaspersky as Trojan.MSIL.Zapchast.gen, capable of spying and exfiltrating data. FCEB agencies are urged to apply updates by October 2, 2025, to secure their networks.

Samsung patches actively exploited zero-day in image codec

🔒 Samsung has released a patch for a critical remote code execution vulnerability tracked as CVE-2025-21043 that was actively exploited on Android devices. Reported by Meta and WhatsApp security teams on August 13, the flaw stems from an out-of-bounds write in libimagecodec.quram.so, a closed-source Quramsoft image parser, and affects devices running Android 13 and later. Samsung’s advisory notes an exploit was observed in the wild and that other messaging apps using the vulnerable library could also be at risk; users should apply the September SMR update promptly.

Siemens UMC: Remote Code Execution and Denial-of-Service

🔐 Siemens has disclosed multiple vulnerabilities in the integrated User Management Component (UMC) that could allow unauthenticated remote attackers to execute arbitrary code or cause denial-of-service. A stack-based buffer overflow (CVE-2025-40795) and several out-of-bounds read issues (CVE-2025-40796–40798) are reported, with CVSS v4 scores up to 9.3. Siemens recommends updating UMC to V2.15.1.3 or later and, where feasible, blocking TCP ports 4002 and 4004; Siemens notes no fixes are planned for SIMATIC PCS neo V4.1 and V5.0.

Siemens SIMOTION Tools Privilege Escalation Advisory

🛡️ Siemens reports a local privilege escalation vulnerability affecting SIMOTION Tools installers that use an affected NSIS setup component. The flaw (CWE-754) in Nullsoft Scriptable Install System (NSIS) before 3.11 can allow an unprivileged user to gain SYSTEM privileges during installation by exploiting a race condition. The issue is tracked as CVE-2025-43715 with a CVSS v3.1 base score of 8.1. No vendor fix is available yet; Siemens and CISA offer mitigations and hardening guidance.

Patch SessionReaper: Critical Adobe Commerce/Magento Flaw

🔒 Adobe issued an emergency out-of-band patch for a critical vulnerability in Magento Open Source and Adobe Commerce, tracked as CVE-2025-54236 and dubbed SessionReaper. The flaw permits unauthenticated attackers to hijack user accounts and, when file-based session storage is used, can enable remote code execution. Adobe notified Commerce customers on Sept. 4 but Magento Open Source users may not have received the same advance warning. Organizations operating Magento sites should apply the patch immediately.

Cursor AI IDE auto-runs tasks, exposing developers worldwide

⚠️ A default configuration in Cursor, an AI-powered fork of VS Code, automatically executes tasks when a project folder is opened because Workspace Trust is disabled. Oasis Security demonstrated that a malicious .vscode/tasks.json can run arbitrary commands without user action, risking credential theft and environment takeover. Cursor intends to keep the autorun behavior and advises enabling Workspace Trust manually or using a different editor for untrusted repos.

Cursor autorun flaw lets repos execute arbitrary code

🔓 Oasis Security disclosed a flaw in Cursor that allows malicious repositories to execute code when a developer opens a folder. The vulnerability stems from Workspace Trust being disabled by default, permitting crafted .vscode/tasks.json entries set to run on folder open to autorun without prompting. Successful exploitation can expose API keys, cloud credentials and local secrets, risking organization-wide compromise.

Adobe issues emergency patch for critical Commerce flaw

🔒 Adobe has issued an emergency patch for a critical input-validation vulnerability dubbed SessionReaper in Adobe Commerce and Magento. The flaw, tracked as CVE-2025-542360 with a CVSS score of 9.1, affects multiple 2.4.x releases and earlier. Sansec researchers said the bug can enable session hijacking and, according to the original finder, may allow unauthenticated remote code execution in some circumstances. Administrators are advised to deploy APSB25-88 immediately or enable a WAF as a temporary mitigation.

Critical SessionReaper Vulnerability in Adobe Commerce

⚠️ Adobe has disclosed a critical flaw, CVE-2025-54236 (SessionReaper), in Adobe Commerce and Magento Open Source that can enable attackers to take over customer accounts through the Commerce REST API. The issue, rated 9.1 by CVSS, stems from improper input validation and affects multiple product versions and a third-party module. Adobe published a hotfix and deployed WAF rules for cloud-hosted merchants while e-commerce security firm Sansec reproduced an exploitation path involving session manipulation and nested deserialization. Merchants should apply fixes, review session storage settings, and monitor for suspicious activity.

Patch Tuesday: Critical SAP NetWeaver and Microsoft Fixes

🔔 CISOs with SAP NetWeaver AS Java deployments should urgently patch two critical flaws: CVE-2025-42944, a CVSS 10.0 insecure deserialization in the RMI-P4 module, and a CVSS 9.9 insecure file-upload vulnerability that can lead to full system compromise. As an immediate mitigation, admins can apply P4 port filtering at the ICM level until patches are installed. Microsoft released fixes for 13 critical bugs this month, including Hyper‑V guest-to-host escalation issues and an NTLM elevation flaw (CVE-2025-54918) marked Exploitation More Likely; teams should prioritize domain controllers and virtualization hosts.

Microsoft Patch Tuesday: September 2025 Security Fixes

🔒 Microsoft today released Patch Tuesday updates addressing more than 80 vulnerabilities across Windows and related products, including 13 rated critical. There are no known zero‑day or actively exploited flaws in this bundle, but Microsoft patched several high‑risk issues such as CVE-2025-54918 (Windows NTLM), CVE-2025-55234 (SMB client), and CVE-2025-54916 (NTFS). Researchers warn many fixes are for privilege‑escalation bugs — some remotely exploitable — and note that Apple and Google recently patched zero‑days in their platforms as well.

Microsoft Sep 2025 Patch Tuesday: 81 fixes, two zero-days

🔒 Microsoft released its September 2025 Patch Tuesday addressing 81 vulnerabilities, including two publicly disclosed zero-days affecting Windows SMB Server and the Newtonsoft.Json library bundled with SQL Server. The update bundle contains nine Critical fixes — five remote code execution issues — and a total of 41 elevation-of-privilege vulnerabilities across Windows, Azure, and related components. Administrators are advised to apply patches promptly, enable and test SMB Server signing and Extended Protection for Authentication, enable auditing to check compatibility, and ensure SQL Server receives the patched Newtonsoft.Json to mitigate the disclosed flaws.

SAP fixes critical NetWeaver remote command execution flaw

🔒 SAP released patches in its September security bulletin addressing 21 vulnerabilities, including three critical issues affecting SAP NetWeaver. The most severe, CVE-2025-42944 (10.0), is an insecure deserialization bug in the RMI-P4 module that can allow unauthenticated attackers to execute arbitrary OS commands by sending a malicious Java object to an open port. Two other critical flaws include an insecure file operations bug in Deploy Web Service (CVE-2025-42922, 9.9) that can allow file uploads by non-admin authenticated users, and a missing authentication check (CVE-2025-42958, 9.1) that exposes high-privilege actions and sensitive data. Administrators are advised to apply SAP’s patches and mitigation guidance available via SAP notes.

Rockwell Automation CompactLogix 5480 Code Execution Flaw

⚠️ Rockwell Automation's CompactLogix® 5480 controllers (versions 32–37.011 with Windows package 2.1.0 on Windows 10 v1607) contain a Missing Authentication for Critical Function vulnerability (CVE-2025-9160). An attacker with physical access could abuse the controller's maintenance menu to execute arbitrary code. CVSS scores are v3: 6.8 and v4: 7.0, and CISA reports the flaw is not remotely exploitable with no public exploitation reported. Rockwell and CISA recommend applying published security best practices and minimizing network exposure.

ABB Cylon Aspect BMS/BAS: High-Risk Firmware Flaws

🛡️ ABB has disclosed critical vulnerabilities in its ASPECT, NEXUS, and MATRIX building management and automation products that permit authentication bypass, unauthenticated critical functions, and a classic buffer overflow. Assigned CVEs include CVE-2025-53187, CVE-2025-7677, and CVE-2025-7679 with CVSS v4 scores up to 9.3. ABB resolved CVE-2025-53187 in firmware 3.08.04-s01 and recommends updating affected devices, avoiding direct Internet exposure, restricting network access segments, requiring VPN-based remote access, and changing default credentials to reduce risk.