All news with #rce tag
Mon, November 10, 2025
Triofox CVE-2025-12480: Unauthenticated Access Leads to RCE
⚠️ Mandiant Threat Defense observed active exploitation of an unauthenticated access control vulnerability in Gladinet's Triofox (CVE-2025-12480) that allowed attackers to bypass authentication and reach administrative setup pages. By manipulating the HTTP Host header to impersonate localhost, attackers accessed protected admin workflows, created a native admin account, and configured the built-in anti‑virus engine to execute a malicious script as SYSTEM. The chain led to a PowerShell downloader, installation of a legitimate Zoho UEMS agent, and deployment of remote access tools; the vulnerability affected Triofox 16.4.10317.56372 and was mitigated in 16.7.10368.56560. Operators should upgrade immediately, audit admin accounts, and restrict anti‑virus engine paths.
Fri, November 7, 2025
LANDFALL: Commercial Android Spyware Exploits DNG Files
🔍 Unit 42 disclosed LANDFALL, a previously unknown commercial-grade Android spyware family that abused a Samsung DNG parsing zero-day (CVE-2025-21042) to run native payloads embedded in malformed DNG files. The campaign targeted Samsung Galaxy models and enabled microphone and call recording, location tracking, and exfiltration of photos, contacts and databases via native loaders and SELinux manipulation. Apply vendor firmware updates and contact Unit 42 for incident response.
Fri, November 7, 2025
Cisco Fixes Critical Authentication and RCE Flaws in CCX
🔒 Cisco has released security updates for Unified Contact Center Express (CCX) to address two critical vulnerabilities that can enable authentication bypass and remote code execution as root. The company issued software updates 15.0 ES01 and 12.5 SU3 ES07 and urged customers to apply them immediately. Cisco also fixed four medium-severity issues across CCX, CCE and UIC, and warned of a new attack variant affecting ASA and FTD devices tied to earlier patches.
Thu, November 6, 2025
Cisco Warns of Firewall Attack Causing DoS; Urges Patch
⚠️ Cisco disclosed a new attack variant that targets devices running Cisco Secure Firewall ASA and FTD software that are vulnerable to CVE-2025-20333 and CVE-2025-20362. The exploit can cause unpatched devices to unexpectedly reload, creating denial-of-service conditions, and follows prior zero-day campaigns that delivered malware such as RayInitiator and LINE VIPER, per the U.K. NCSC. Cisco additionally released patches for critical Unified CCX flaws and a high-severity DoS bug in ISE, and urges customers to apply updates immediately.
Thu, November 6, 2025
Critical Cisco UCCX Flaw Allows Remote Root Execution
🔒 Cisco has released updates to address a critical vulnerability in Unified Contact Center Express (UCCX) — CVE-2025-20354 — found in the Java RMI process that can let unauthenticated attackers execute arbitrary commands as root. A separate CCX Editor flaw allows authentication bypass and script execution with admin privileges. Administrators should upgrade to the first fixed releases (12.5 SU3 ES07 or 15.0 ES01) immediately; Cisco has not yet observed active exploitation.
Thu, November 6, 2025
Advantech DeviceOn/iEdge: Multiple Remote Flaws Report
⚠️ Advantech DeviceOn/iEdge versions 2.0.2 and earlier contain multiple remotely exploitable vulnerabilities, including XSS and several path-traversal flaws assigned CVE-2025-64302, CVE-2025-62630, CVE-2025-59171, and CVE-2025-58423. Successful exploitation may lead to denial-of-service, arbitrary file disclosure, or remote code execution with system-level permissions. CISA notes the products are EOL and recommends upgrading to DeviceOn, isolating devices from the internet, and using secure remote access methods to reduce risk.
Thu, November 6, 2025
ABB FLXeon Devices: Multiple Remote-Access Vulnerabilities
⚠ ABB FLXeon devices are affected by multiple high-severity vulnerabilities, including hard-coded credentials, MD5 password hashing without proper salt, and improper input validation that can enable remote code execution. Combined CVSS v4 scores reach up to 8.7 and successful exploitation could allow remote control, arbitrary code execution, or device crashes. ABB and CISA advise disconnecting Internet-exposed units, applying the latest firmware, enforcing physical access controls, and using secure remote-access methods such as properly configured VPNs.
Thu, November 6, 2025
ThreatsDay Bulletin: Cybercrime Trends and Major Incidents
🛡️ This bulletin catalogues a broad set of 2025 incidents showing cybercrime’s increasing real-world impacts. Microsoft patched three Windows GDI flaws (CVE-2025-30388, CVE-2025-53766, CVE-2025-47984) rooted in gdiplus.dll and gdi32full.dll, while Check Point warned partial fixes can leave data leaks lingering. Threat actors expanded toolsets and infrastructure — from RondoDox’s new exploits and TruffleNet’s AWS abuse to FIN7’s SSH backdoor and sophisticated phishing campaigns — and law enforcement action ranged from large fraud takedowns to prison sentences and cross-border crackdowns.
Wed, November 5, 2025
Prompt Injection Flaw in Anthropic Claude Desktop Exts
🔒 Anthropic's official Claude Desktop extensions for Chrome, iMessage and Apple Notes were found vulnerable to web-based prompt injection that could enable remote code execution. Koi Security reported unsanitized command injection in the packaged Model Context Protocol (MCP) servers, which run unsandboxed on users' devices with full system permissions. Unlike browser extensions, these connectors can read files, execute commands and access credentials. Anthropic released a fix in v0.1.9, verified by Koi Security on September 19.
Wed, November 5, 2025
CISA Adds Gladinet, CWP Flaws to KEV After Exploits
🚨 CISA added two vulnerabilities affecting Gladinet CentreStack/Triofox and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. CVE-2025-11371 (CVSS 7.5) can expose files or directories to external parties, while CVE-2025-48703 (CVSS 9.0) is an OS command injection enabling remote code execution via the t_total parameter. Huntress reported live reconnaissance activity against Gladinet, and Federal civilian agencies must remediate by November 25, 2025.
Tue, November 4, 2025
Talos Discloses TruffleHog, Fade In, and BSAFE Flaws
🔒 Cisco Talos’ Vulnerability Discovery & Research team disclosed multiple vulnerabilities affecting TruffleHog, Fade In, and Dell BSAFE Crypto-C, including arbitrary code execution, out-of-bounds write/use-after-free, and integer/stack overflow issues. The issues were reported by Talos researchers and external collaborators, and vendors have issued patches following Cisco’s disclosure policy. Users should apply vendor updates, deploy updated detection rules such as Snort signatures, and consult Talos advisories for indicators and recommended mitigations.
Tue, November 4, 2025
Critical React Native CLI Flaw Enables Remote OS Commands
⚠ A critical vulnerability in the @react-native-community/cli ecosystem could let remote, unauthenticated attackers execute arbitrary OS commands on machines running the React Native development server. JFrog researcher Or Peles reported that the Metro dev server binds to external interfaces by default and exposes a vulnerable /open-url endpoint that passes user input to the unsafe open() call. The flaw (CVE-2025-11953, CVSS 9.8) affected versions 4.8.0–20.0.0-alpha.2 and is fixed in 20.0.0.
Tue, November 4, 2025
IDIS ICM Viewer Argument Injection Vulnerability Reported
🔒 An argument injection vulnerability (CWE-88) in ICM Viewer v1.6.0.10 (CVE-2025-12556) could allow remote attackers to execute arbitrary code on the host system. CISA assigns a CVSS v3 score of 8.8 and a CVSS v4 score of 8.7, noting remote exploitability with low attack complexity and limited privileges required. IDIS requires immediate upgrade to v1.7.1 or uninstallation; Claroty Team82 researchers reported the issue and CISA reports no known public exploitation to date.
Tue, November 4, 2025
Delta Electronics CNCSoft-G2 Stack Overflow Advisory
⚠️ Delta Electronics and CISA warn of a stack-based buffer overflow in CNCSoft-G2 (CVE-2025-58317) affecting versions 2.1.0.27 and earlier. When a user opens a specially crafted file, an attacker could execute arbitrary code in the context of the affected process; the vulnerability received a CVSS v4 base score of 8.5 and is characterized by low attack complexity. Delta recommends updating to Version 2.1.0.34 or later. CISA advises minimizing network exposure for control systems, isolating control networks, and using secure remote access methods.
Tue, November 4, 2025
Fuji Electric Monitouch V-SFT-6 Buffer Overflow Advisory
⚠️ Fuji Electric Monitouch V-SFT-6 (v6.2.7.0) contains two buffer overflow vulnerabilities — a heap-based and a stack-based overflow — triggered by specially crafted project files. Identified as CVE-2025-54496 and CVE-2025-54526, both carry CVSS v3.1 scores of 7.8 and CVSS v4 scores of 8.4. Successful exploitation could crash the HMI and may permit code execution; the vendor issued fixes in V6.2.8.0 and recommends updating to V6.2.9.0 or later.
Mon, November 3, 2025
GDI Vulnerabilities in Windows Enable RCE and Data Leak
🔒 Microsoft has issued updates to address three previously unknown flaws in the Windows Graphics Device Interface (GDI) that could permit remote code execution and information disclosure. The issues, rooted in malformed EMF/EMF+ records, cause out-of-bounds memory access in GdiPlus.dll and gdi32full.dll during image rendering, thumbnailing and print initialization. Patches were released across the May, July and August 2025 Patch Tuesdays (KB5058411, KB5062553, KB5063878); administrators should apply updates promptly and avoid opening untrusted EMF files.
Fri, October 31, 2025
Australia warns of BadCandy infections on Cisco devices
⚠️ The Australian Signals Directorate warns of ongoing attacks against unpatched Cisco IOS XE devices being backdoored with the Lua-based BadCandy webshell. The exploited flaw, CVE-2023-20198, allows unauthenticated actors to create local admin accounts via the web UI and execute commands with root privileges. Cisco issued a patch in October 2023, but many internet-exposed devices remain vulnerable and have been repeatedly re-infected.
Fri, October 31, 2025
China-linked Tick exploits Lanscope flaw to deploy backdoor
⚠️ Sophos and JPCERT/CC have linked active exploitation of a critical Motex Lanscope Endpoint Manager vulnerability (CVE-2025-61932, CVSS 9.3) to the China-aligned Tick group. Attackers leveraged the flaw to execute SYSTEM-level commands and drop a Gokcpdoor backdoor, observed in both server and client variants that create covert C2 channels. The campaign used DLL side-loading to run an OAED Loader, deployed the Havoc post-exploitation framework on select hosts, and used tools like goddi and tunneled Remote Desktop for lateral movement. Organizations are advised to upgrade or isolate internet-facing LANSCOPE servers and review deployments of the MR and DA agents.
Fri, October 31, 2025
CISA and NSA Urge Immediate Hardening of Exchange Servers
🔒 CISA, the NSA and international partners have issued urgent guidance to harden on‑premises Microsoft Exchange Server instances by restricting administrative access, enforcing multi‑factor authentication, and applying strict transport security. The agencies recommend migrating or decommissioning end‑of‑life and hybrid Exchange servers, enabling the Exchange Emergency Mitigation Service, and disabling remote PowerShell for users. Organizations are also advised to maintain patch cadence, apply security baselines, and enable antivirus, EDR, ASR, and AppLocker controls.
Thu, October 30, 2025
Trick, Treat, Repeat: Patch Trends and Tooling for Q3
🎃 Microsoft’s free Windows 10 updates have largely ended, with EEA consumers receiving free Extended Security Updates through Oct 14, 2026, while most other users must pay. Q3 telemetry shows roughly 35,000 CVEs through September, averaging about 130 new entries per day, and a rising set of Known Exploited Vulnerabilities (KEV) that widen vendor and network impact. Talos also launched the Tool Talk series, offering a hands-on guide to dynamic binary instrumentation with DynamoRIO for malware analysis and runtime inspection.