All news with #rce tag
Tue, September 30, 2025
Chinese Hackers Exploited VMware Zero-Day Since Oct 2024
🔒 Broadcom issued patches for a high-severity privilege escalation vulnerability in VMware Aria Operations and VMware Tools that has been actively exploited since October 2024. European firm NVISO linked the in-the-wild abuse to the China-aligned group UNC5174 and published a proof-of-concept for CVE-2025-41244. The flaw allows an unprivileged local attacker to stage a malicious binary (commonly in /tmp/httpd), have it discovered by VMware service discovery, and escalate to root-level execution on vulnerable VMs.
Tue, September 30, 2025
Festo CECC Controller Firmware Vulnerabilities and Fixes
⚠️ Festo firmware for Controller CECC-S, -LK, and -D families contains multiple vulnerabilities (aggregate CVSS up to 9.8) in the integrated CODESYS V3 runtime and related components. Affected releases include R05 (2.3.8.0) and R06 (2.3.8.1); Festo advises updating affected units to firmware 2.4.2.0 where fixes are provided. Exploitable issues may enable remote code execution, denial-of-service, privilege escalation, or unauthorized access. CISA recommends isolating control networks, restricting remote exposure, and applying vendor guidance and mitigations while performing appropriate risk analysis.
Tue, September 30, 2025
NI Circuit Design Suite Vulnerabilities — Patches Available
⚠️ CISA reports high-severity vulnerabilities in National Instruments' Circuit Design Suite that could cause memory corruption, information disclosure, or enable arbitrary code execution. Two flaws—a type confusion (CVE-2025-6033) and an out-of-bounds read (CVE-2025-6034)—affect versions 14.3.1 and earlier and carry CVSS v4 base scores of 8.4. Both issues require local access but have low attack complexity. National Instruments has released version 14.3.2 and CISA advises updating and reducing network exposure for control-system devices.
Fri, September 26, 2025
September 2025 Zero-Day Exploits Impact Cisco ASA/FTD
⚠️ Cisco reported active exploitation of multiple zero-day vulnerabilities in ASA and FTD software by a state-sponsored actor tracked as ArcaneDoor. Two CVEs (CVE-2025-20333 and CVE-2025-20362) are being exploited in the wild and a third (CVE-2025-20363) is at high risk for imminent exploitation. Cisco released updates on Sep. 25, 2025, and CISA issued Emergency Directive 25-03; organizations should prioritize immediate patching or apply vendor mitigations when updates are not yet possible.
Fri, September 26, 2025
Maximum-severity GoAnywhere MFT zero-day exploited
⚠️ Fortra's GoAnywhere MFT is being exploited in the wild via a deserialization flaw tracked as CVE-2025-10035 in the License Servlet, enabling unauthenticated remote command injection when attackers supply a forged license response signature. watchTowr Labs reports credible evidence of exploitation dating back to September 10, 2025, prior to Fortra's advisory published on September 18. Administrators should upgrade to 7.8.4 or 7.6.3, remove public Admin Console exposure, and search logs for the error string 'SignedObject.getObject'.
Fri, September 26, 2025
Active Exploitation of Fortra GoAnywhere CVE-2025-10035
🔴 watchTowr Labs reports credible evidence that the critical unsafe deserialization flaw CVE-2025-10035 in Fortra GoAnywhere MFT was exploited in the wild as early as Sept 10, 2025, a week before public disclosure. The License Servlet vulnerability can permit unauthenticated command injection, earning a CVSS 10.0 rating. Fortra has released fixes (GoAnywhere 7.8.4 and Sustain 7.6.3); affected organizations should apply updates immediately and investigate for signs of compromise.
Thu, September 25, 2025
Critical Cisco Firewall Zero-Day Demands Immediate Patch
🔴 A critical zero-day vulnerability (CVE-2025-20363) in Cisco firewall and IOS families requires immediate patching, US CISA and the UK NCSC warned. Cisco says the flaw is caused by improper validation of user-supplied HTTP input and can allow remote arbitrary code execution as root when exploited. Affected products include Cisco Secure Firewall ASA, FTD, and certain IOS/IOS XE/IOS XR builds; Cisco has released fixes and advises there are no viable workarounds.
Thu, September 25, 2025
Cisco IOS/IOS XE SNMP Stack Overflow — Patch Immediately
⚠️ Cisco has warned of a stack overflow vulnerability in the SNMP subsystem of IOS and IOS XE software identified as CVE-2025-20352. A low-privileged authenticated attacker can send a crafted SNMP packet to cause a system reload and a denial-of-service, while a high-privileged actor could achieve root-level arbitrary code execution. Administrators are urged to apply vendor patches immediately and restrict SNMP access until systems are updated.
Thu, September 25, 2025
Urgent Cisco ASA Zero-Day Duo Under Active Attack Now
⚠️ Cisco is urging customers to immediately patch two zero-day vulnerabilities affecting the VPN web server in Cisco Secure Firewall Adaptive Security Appliance (ASA) and FTD software after observing exploitation in the wild. CVE-2025-20333 (CVSS 9.9) allows an authenticated VPN user to execute arbitrary code as root; CVE-2025-20362 (CVSS 6.5) permits unauthenticated access to restricted URL endpoints. CISA has issued Emergency Directive ED 25-03, added both flaws to the Known Exploited Vulnerabilities catalog with a 24-hour mitigation requirement, and warned of a widespread campaign linked to the ArcaneDoor/UAT4356 cluster that can modify ASA ROM to persist.
Thu, September 25, 2025
CISA Directs Agencies to Mitigate Cisco Device Risks
🚨 CISA issued Emergency Directive ED 25-03 directing federal agencies to identify, analyze, and mitigate potential compromises of Cisco ASA and Cisco Firepower devices after adding CVE-2025-20333 and CVE-2025-20362 to the Known Exploited Vulnerabilities Catalog. Agencies must inventory all devices (all versions) and collect memory/core dump files for forensic analysis, transmitting them to CISA by 11:59 p.m. EST on Sept. 26. CISA published supplemental guidance, an Eviction Strategies Tool template, and referenced Cisco and UK NCSC analyses to support containment, eviction, and remediation.
Thu, September 25, 2025
Cisco: Actively Exploited SNMP Flaw Risks RCE or DoS
🔒 Cisco has issued an urgent advisory about a high-severity SNMP vulnerability (CVE-2025-20352, CVSS 7.7) in IOS and IOS XE Software that has been exploited in the wild. The flaw is a stack overflow in the SNMP subsystem that can allow an authenticated remote attacker to cause a denial-of-service or, with higher privileges, execute arbitrary code as root. Exploitation requires SNMP community strings or valid SNMPv3 credentials and, for code execution, administrative (privilege 15) access. Cisco called out affected devices including Meraki MS390 and Catalyst 9300 series running Meraki CS 17 and earlier, and issued a fix in IOS XE 17.15.4a. There are no full workarounds; administrators should restrict SNMP access, monitor with "show snmp host", and consider excluding affected OIDs where supported.
Wed, September 24, 2025
Retail at Risk: Single Alert Reveals Persistent Threat
🔍 A single Microsoft Defender alert triggered an investigation that uncovered a persistent cyberthreat against retail customers. Attackers exploited unpatched SharePoint flaws CVE-2025-49706 and CVE-2025-49704 using obfuscated ASPX web shells while also compromising identities through self-service password reset abuse and Microsoft Entra ID reconnaissance. DART swiftly contained the intrusions—removing web shells, isolating Entra ID, deprivileging accounts, and recommending Zero Trust measures, MFA enforcement, timely patching, and EDR deployment.
Wed, September 24, 2025
Cisco warns of IOS and IOS XE SNMP zero-day attacks
🛡️ Cisco released security updates addressing a high-severity zero-day, tracked as CVE-2025-20352, in IOS and IOS XE. The flaw is a stack-based buffer overflow in the SNMP subsystem that allows authenticated remote attackers with low privileges to trigger DoS, and high-privileged actors to execute code as root on affected devices. Cisco reports exploitation in the wild after Administrator credentials were compromised and urges customers to upgrade; as a temporary mitigation it recommends limiting SNMP access to trusted users.
Wed, September 24, 2025
Chinese State-Linked RedNovember Targets Global Org
🛰️ Recorded Future has attributed a widespread cyber-espionage cluster to a Chinese state-sponsored actor it has named RedNovember, which overlaps with Microsoft's Storm-2077. From June 2024 to July 2025 the group targeted internet-facing perimeter appliances and used a mix of open-source and commercial tooling — notably Pantegana, Spark RAT and Cobalt Strike — to gain persistent access across government and private-sector networks worldwide. Attacks exploited known CVEs in VPNs, firewalls and other security appliances and leveraged a Go-based loader derived from LESLIELOADER, while administration infrastructure relied on VPN services such as ExpressVPN and Warp.
Wed, September 24, 2025
CISA: Federal Agency Breached via GeoServer RCE Incident
🔒 CISA reported that an unnamed federal civilian agency was breached after actors exploited CVE-2024-36401, an RCE in a public-facing GeoServer, on July 11, 2024. The vendor had patched the flaw on June 30 and CISA added it to the KEV catalogue on July 15; a second GeoServer was compromised on July 24. Attackers deployed open-source tools and web shells such as China Chopper, used living-off-the-land and brute-force techniques, and established persistence. CISA highlighted failures in timely patching, incident-response testing, and continuous EDR monitoring.
Wed, September 24, 2025
QR Codes Used to Hide JavaScript Backdoor in npm Package
🔒 A malicious npm package called fezbox was discovered using layered obfuscation and QR-code steganography to conceal credential-stealing logic. Disguised as a benign JavaScript/TypeScript utility, the library on import retrieved and executed code hidden inside a remote QR image; the payload reads document.cookie and attempts to extract username and password pairs for exfiltration. Socket researchers highlighted a development-environment guard and a 120-second delay as anti-analysis measures; the package has been removed from GitHub and marked malicious.
Tue, September 23, 2025
SolarWinds Patches Third Bypass for Web Help Desk Bug
🔒 SolarWinds has issued a third patch for a critical Java deserialization vulnerability in its Web Help Desk product. The vendor describes the new advisory as a patch bypass of CVE-2024-28988, which itself bypassed CVE-2024-28986, and has designated the latest issue CVE-2025-26399. The underlying unsafe Java deserialization flaw in the AjaxProxy component can permit unauthenticated remote code execution and is rated 9.8/10 on the CVSS scale.
Tue, September 23, 2025
CISA: GeoServer RCE Exploit Led to Federal Agency Breach
🔒 CISA says attackers breached a U.S. federal agency after exploiting an unpatched GeoServer instance using the critical RCE flaw CVE-2024-36401. Threat actors uploaded web shells and access scripts, then moved laterally to compromise a web server and an SQL server. The intrusion remained undetected for three weeks until an EDR alert flagged suspected malware on July 31, 2024. CISA urges rapid patching of critical flaws and continuous EDR monitoring.
Tue, September 23, 2025
SolarWinds Issues Hotfix for Critical Web Help Desk RCE
🔧 SolarWinds has released a hotfix to address a critical deserialization vulnerability in Web Help Desk that affects versions up to 12.8.7, tracked as CVE-2025-26399 (CVSS 9.8). The unauthenticated AjaxProxy flaw can enable remote command execution on vulnerable hosts if exploited. An anonymous researcher working with the Trend Micro Zero Day Initiative reported the issue. SolarWinds recommends immediate upgrade to 12.8.7 HF1 to mitigate risk.
Tue, September 23, 2025
Viessmann Vitogate 300: OS Command Injection Risks
🚨 CISA published an advisory on September 23, 2025, describing high-severity vulnerabilities in Viessmann's Vitogate 300 gateway. The advisory identifies an OS command injection (CWE-78, CVE-2025-9494) and a client-side enforcement bypass (CWE-602, CVE-2025-9495) that can enable command modification or unexpected client–server interactions. A CVSS v4 base score of 8.7 is reported overall, and affected devices running versions prior to 3.1.0.1 should be upgraded. CISA notes these issues are not remotely exploitable and recommends updating to 3.1.0.1 and implementing network hardening controls.