All news with #rce tag

September 2025 Patch Tuesday: Microsoft Vulnerabilities

🔔 Microsoft’s September 2025 update addresses 84 vulnerabilities, including two publicly disclosed zero-days and eight Critical issues. CrowdStrike’s analysis identifies elevation of privilege, remote code execution and information disclosure as the top exploitation vectors and notes many critical flaws require some user interaction. Key affected components include Windows, Extended Security Updates (ESU) and Microsoft Office, with notable CVEs in SMB, NTLM, Hyper-V and graphics subsystems. Organizations should prioritize patching, apply mitigations for unpatchable issues, and plan for Windows 10 end of support in October 2025.

Critical SAP S/4HANA Command Injection (CVE-2025-42957)

⚠️ SAP patched a critical command injection in SAP S/4HANA tracked as CVE-2025-42957 (CVSS 9.9) that allows low-privileged users to inject arbitrary ABAP via an RFC-exposed function module, bypassing authorization checks. SecurityBridge and NVD report active exploitation affecting both on-premise and Private Cloud editions, with potential for full system compromise. Organizations are urged to apply SAP's monthly fixes immediately, monitor for suspicious RFC calls or new admin accounts, implement network segmentation and backups, adopt SAP UCON to restrict RFC usage, and review access to authorization object S_DMIS activity 02.

Honeywell OneWireless WDM Vulnerabilities and Patch Advisory

⚠️ Honeywell's OneWireless Wireless Device Manager (WDM) contains multiple high‑severity vulnerabilities in the Control Data Access (CDA) component — including buffer overread, sensitive resource reuse, integer underflow, and wrong handler deployment (CVE‑2025‑2521, CVE‑2025‑2522, CVE‑2025‑2523, CVE‑2025‑3946). These issues can enable information disclosure, denial of service, or remote code execution. Honeywell advises updating affected WDM releases to R322.5 or R331.1; CISA recommends minimizing network exposure and isolating control networks to reduce exploitation risk.

CISA Adds Two Exploited TP-Link Router Vulnerabilities

🔔 CISA has added two TP-Link router vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after observing in-the-wild exploitation activity. The flaws—CVE-2023-50224 (CVSS 6.5), an authentication bypass via spoofing in the httpd service exposing stored credentials at /tmp/dropbear/dropbearpwd, and CVE-2025-9377 (CVSS 8.6), an OS command injection enabling remote code execution—affect multiple TL-WR841 and Archer C7 models. TP-Link says several affected models are End-of-Life, released firmware updates in November 2024, and recommends upgrading hardware; CISA urges federal agencies to apply mitigations by September 24, 2025.

GhostRedirector: IIS SEO Fraud and Windows Backdoors

🕵️ ESET researchers uncovered GhostRedirector, a previously undocumented actor that compromised at least 65 Windows servers across Brazil, Thailand, Vietnam and other countries. The intrusions deployed a passive C++ backdoor, Rungan, and a native IIS module, Gamshen, to enable remote command execution and conduct SEO fraud that targets search-engine crawlers. Attackers also used public LPE exploits (EfsPotato, BadPotato) and PowerShell-based payloads; ESET attributes the activity to a China-aligned actor with medium confidence.

HexStrike‑AI Enables Rapid N‑Day Exploitation of Citrix

🔒 HexStrike-AI, an open-source red‑teaming framework, is being adopted by malicious actors to rapidly weaponize newly disclosed Citrix NetScaler vulnerabilities such as CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. Check Point Research reports dark‑web chatter and evidence of automated exploitation chains that scan, exploit, and persist on vulnerable appliances. Defenders should prioritize immediate patching, threat intelligence, and AI-enabled detection to reduce shrinking n‑day windows.

Sitecore ViewState Deserialization Zero-Day Advisory

🔒 Mandiant and Sitecore investigated an active ViewState deserialization exploit that allowed remote code execution on internet-facing Sitecore instances that used publicly exposed sample ASP.NET machine keys. Tracked as CVE-2025-53690, the vulnerability enabled attackers to craft malicious __VIEWSTATE payloads, deploy a reconnaissance backdoor (WEEPSTEEL), and stage tunneling and remote access tooling. Sitecore has updated deployments to auto-generate unique machine keys and notified affected customers; Mandiant recommends rotating keys, enabling ViewState MAC, and encrypting secrets in web.config to mitigate similar attacks.

Google ships September Android patches for 120 flaws

🔒 Google has released its September 2025 Android security updates addressing 120 vulnerabilities, including two issues that Google says have been exploited in limited, targeted attacks. The two highlighted flaws are CVE-2025-38352 (CVSS 7.4), affecting the Linux Kernel, and CVE-2025-48543, impacting the Android Runtime; both can enable local privilege escalation with no user interaction. Google issued patch levels 2025-09-01 and 2025-09-05 to let partners deploy common fixes more quickly and credited Benoît Sevens of TAG with reporting the kernel issue.

Copeland OT Controller Flaws Risk Remote Control and Damage

⚠️ Security firm Armis disclosed 10 vulnerabilities, dubbed Frostbyte10, in Copeland LP E2 and E3 controllers used in heating, cooling, and refrigeration that could let attackers disable or remotely control equipment. Copeland issued firmware 2.31F01; organizations should deploy the update promptly to mitigate exposure. Combined flaws can enable unauthenticated remote code execution with root privileges; specific issues include a predictable default admin account (CVE-2025-6519), API endpoints that expose credential hashes, and unauthenticated file operations. Copeland says engineers acted quickly and that there are no known exploits to date.

HexStrike-AI Enables Rapid Zero-Day Exploitation at Scale

⚠️ HexStrike-AI is a newly released framework that acts as an orchestration “brain,” directing more than 150 specialized AI agents to autonomously scan, exploit, and persist inside targets. Within hours of release, dark‑web chatter showed threat actors attempting to weaponize it against recent zero‑day CVEs, dropping webshells enabling unauthenticated remote code execution. Although the targeted vulnerabilities are complex and typically require advanced skills, operators claim HexStrike-AI can reduce exploitation time from days to under 10 minutes, potentially lowering the barrier for less skilled attackers.

Fuji Electric FRENIC-Loader 4 Deserialization Vulnerability

⚠️ Fuji Electric's FRENIC-Loader 4 (versions prior to 1.4.0.1) contains a deserialization of untrusted data vulnerability (CVE-2025-9365) that can allow arbitrary code execution when a crafted file is imported. CISA assigns a CVSS v4 base score of 8.4 and reports the issue has low attack complexity but is not remotely exploitable. Researcher kimiya, working with Trend Micro ZDI, reported the flaw. Fuji Electric advises updating to v1.4.0.1 and CISA recommends network segmentation, minimizing exposure, using up-to-date VPNs, and performing impact analysis.

Attackers Abuse Velociraptor to Tunnel C2 via VS Code

🔍 In a recent Sophos report, unknown actors abused the open-source forensic tool Velociraptor to download and execute Visual Studio Code, enabling an encrypted tunnel to an attacker-controlled command-and-control server. The intruders used the Windows msiexec utility to fetch MSI installers hosted on Cloudflare Workers, staged additional tooling including a tunneling proxy and Radmin, and invoked an encoded PowerShell command to enable VS Code's tunnel option. Sophos warns that misuse of incident response tools can precede ransomware and recommends deploying EDR, monitoring for unauthorized Velociraptor activity, and hardening backup and monitoring processes.

WordPress Plugin and Theme Vulnerabilities Surge in 2025

⚠️ Recent investigations show a wave of active attacks against WordPress plugins and themes, including Gravity Forms, the Alone and Motors themes, and Post SMTP. Exploits have enabled remote code execution, administrator account takeover, and mass site compromise, while the Efimer trojan has been distributed from some infected sites. Vendors have issued patches, but many sites remain unpatched—site owners should update immediately and follow hardening best practices.

State-Sponsored Hackers Behind Majority of Exploits

🔐 Recorded Future’s Insikt Group reports that 53% of attributed vulnerability exploits in H1 2025 were carried out by state-sponsored actors, driven largely by geopolitical aims such as espionage and surveillance. Chinese-linked groups accounted for the largest share, with UNC5221 exploiting numerous flaws—often in Ivanti products. The study found 161 exploited CVEs, 69% of which required no authentication and 48% were remotely exploitable. It also highlights the rise of social-engineering techniques like ClickFix and increasing EDR-evasion methods used by ransomware actors.

Critical FreePBX Zero-Day Under Active Exploitation

🚨 The Sangoma FreePBX project has issued an advisory for an actively exploited zero-day (CVE-2025-57819) that allows unauthenticated access to the Administrator control panel, enabling arbitrary database manipulation and remote code execution. The flaw stems from insufficiently sanitized user input in the commercial endpoint module and impacts FreePBX 15, 16, and 17 prior to their listed patched releases. Administrators should apply the emergency updates immediately, restrict public ACP access, and scan for indicators of compromise.

Delta Electronics CNCSoft-G2: Out-of-Bounds Write Advisory

⚠️ Delta Electronics disclosed an CNCSoft-G2 out‑of‑bounds write vulnerability (CVE-2025-47728) in DPAX file parsing that can cause memory corruption and enable arbitrary code execution in the affected process. CISA assigns a CVSS v4 base score of 8.5 and notes low attack complexity but requires user interaction such as opening a malicious file or visiting a malicious page. Affected versions include v2.1.0.20 and earlier; Delta recommends updating to v2.1.0.27 or later per advisory Delta-PCSA-2025-00007. CISA advises applying the update, isolating control systems, avoiding untrusted attachments, and following ICS recommended practices; no public exploitation has been reported to date.

Delta Electronics COMMGR: Remote Code Execution Risks

⚠️ Delta Electronics has identified two critical vulnerabilities in COMMGR (v2.9.0 and earlier) — a stack-based buffer overflow (CVE-2025-53418) and a code injection flaw (CVE-2025-53419) — that can enable arbitrary code execution via crafted .isp files. Delta and CISA rate the combined risk as high (CISA lists CVSS v4 8.8) and recommend upgrading to v2.10.0 or later. Additional mitigations include network segmentation, limiting Internet exposure, and using secure remote access methods. CISA reports no known public exploitation at this time.

Schneider Electric Saitel RTU Privilege Escalation Advisory

⚠ Schneider Electric disclosed an improper privilege management vulnerability (CVE-2025-8453, CVSS 6.7) affecting Saitel DR and Saitel DP Remote Terminal Units that could allow an authenticated privileged engineer with console access to escalate privileges and potentially execute arbitrary code. Schneider released HUe firmware 11.06.30 for Saitel DR to remediate the issue; a remediation plan for Saitel DP is pending. CISA notes the vulnerability is not remotely exploitable and recommends limiting physical and console access, enforcing root ownership and restrictive permissions on configuration files, and following ICS defensive guidance.

Chinese Tech Firms Linked to Salt Typhoon Espionage

🔍 A joint advisory from the UK, US and allied partners attributes widespread cyber-espionage operations to the Chinese APT group Salt Typhoon and alleges assistance from commercial vendors that supplied "cyber-related products and services." The report names Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology and Sichuan Zhixin Ruijie Network Technology. It warns attackers exploited known vulnerabilities in edge devices to access routers and trusted provider connections, and urges immediate patching, proactive hunting using supplied IoCs, and regular review of device logs.

Citrix warns of NetScaler ADC/Gateway zero-day exploit

⚠️ Citrix has warned of multiple zero-day vulnerabilities in NetScaler ADC and NetScaler Gateway, highlighting CVE-2025-7775 as being actively exploited. The critical issue is a memory overflow that can lead to denial of service or remote code execution on appliances meeting specific configuration preconditions. Citrix provides CLI checks to identify affected devices but reports no mitigations or workarounds, and researchers estimate a large percentage of appliances remain unpatched. Administrators are urged to prioritize patching immediately.