All news with #rce tag

Atlas browser CSRF flaw lets attackers poison ChatGPT memory

⚠️ Researchers at LayerX disclosed a vulnerability in ChatGPT Atlas that can let attackers inject hidden instructions into a user's memory via a CSRF vector, contaminating stored context and persisting across sessions and devices. The exploit works by tricking an authenticated user to visit a malicious page which issues a CSRF request to silently write memory entries that later influence assistant responses. Detection requires behavioral hunting—correlating browser logs, exported chats and timestamped memory changes—since there are no file-based indicators. Administrators are advised to limit Atlas in enterprise pilots, export and review chat histories, and treat affected accounts as compromised until memory is cleared and credentials rotated.

Hitachi Energy TropOS Command Injection and Privilege Issues

⚠️ Hitachi Energy's TropOS wireless devices contain multiple vulnerabilities — including OS command injection and improper privilege management — that can be exploited remotely by authenticated users to obtain root access. Affected 4th Gen firmware versions up to 8.9.6.0 are vulnerable (CVE-2025-1036, CVE-2025-1037, CVE-2025-1038); CVSS v4 scores reach 8.7. Hitachi Energy advises immediate update to version 8.9.7.0, and CISA recommends isolating devices, minimizing network exposure, and following ICS security best practices.

Rise in Attacks on PHP Servers, IoT and Cloud Gateways

🔒 Qualys' Threat Research Unit reports a sharp rise in attacks targeting PHP servers, IoT devices and cloud gateways, driven by botnets such as Mirai, Gafgyt and Mozi exploiting known CVEs and misconfigurations. Researchers highlight active exploitation of flaws like CVE-2022-47945 (ThinkPHP RCE), CVE-2021-3129 (Laravel Ignition) and aging test/debug artifacts such as CVE-2017-9841, while attackers also harvest exposed AWS credentials. Qualys urges continuous visibility, timely patching, removal of debugging tools in production and managed secret stores to reduce risk.

Active Exploits Target DELMIA Apriso and XWiki — CISA

⚠️ CISA and researchers report active exploitation of critical vulnerabilities in Dassault Systèmes DELMIA Apriso and XWiki, including code injection, missing authorization, and eval injection flaws. Dassault addressed CVE-2025-6204 and CVE-2025-6205 for 2020–2025 releases in August and these issues were added to CISA’s Known Exploited Vulnerabilities catalog. The XWiki flaw (CVE-2025-24893) is being abused in a two-stage chain that stages and later executes a downloader to deliver a cryptocurrency miner. Organizations should apply vendor updates immediately and meet federal remediation deadlines where applicable.

CISA Warns of Two Actively Exploited DELMIA Flaws Now

⚠️ CISA has confirmed active exploitation of two vulnerabilities in Dassault Systèmes' DELMIA Apriso: CVE-2025-6205 (critical missing authorization) and CVE-2025-6204 (high-severity code injection). Both flaws were patched by the vendor in early August 2025 and affect Releases 2020 through 2025. Federal agencies must remediate within three weeks under BOD 22-01, and CISA urges all organizations to prioritize vendor mitigations or discontinue use if no fixes exist.

Atlas Browser Flaw Lets Attackers Poison ChatGPT Memory

⚠️ Researchers at LayerX Security disclosed a vulnerability in OpenAI’s Atlas browser that allows attackers to inject hidden instructions into a user’s ChatGPT memory via a CSRF-style flow. An attacker lures a logged-in user to a malicious page, leverages existing authentication, and taints the account-level memory so subsequent prompts can trigger malicious behavior. LayerX reported the issue to OpenAI and advised enterprises to restrict Atlas use and monitor AI-driven anomalies. Detection relies on behavioral indicators rather than traditional malware artifacts.

Critical WordPress Plugin Flaws Exploited at Scale Globally

🔴 Wordfence warns that threat actors are actively exploiting three critical 2024 CVEs in popular WordPress plugins, GutenKit and Hunk Companion, which report more than 40,000 and 8,000 active installations respectively. The vulnerabilities permit unauthenticated attackers to install and activate arbitrary plugins or upload spoofed plugin files, enabling remote code execution (RCE) and straightforward site takeover when exploited or chained with other flaws. Discovered via Wordfence's bug bounty in late September and early October, the campaign reignited on 8 October and the vendor has already blocked nearly 8.8 million exploitation attempts while urging administrators to update or remove affected versions.

Critical Microsoft WSUS RCE Flaw Exploited in Wild Now

⚠️Microsoft released out-of-band updates to fully remediate a critical deserialization vulnerability in Windows Server Update Service (WSUS), tracked as CVE-2025-59287. The initial Oct. 14 fixes were incomplete, prompting emergency patches for multiple Windows Server versions. Exploits in the wild were reported after a public proof-of-concept was published, allowing remote code execution as SYSTEM on affected servers.

Mass Attacks Exploit Outdated WordPress Plugins in 2024

🔒 A large-scale campaign is exploiting outdated GutenKit and Hunk Companion WordPress plugins to achieve remote code execution by chaining unauthenticated or missing-authorization REST endpoint flaws (CVE-2024-9234, CVE-2024-9707, CVE-2024-11972). Wordfence observed 8.7 million blocked attempts across October 8–9. Attackers host a malicious ZIP plugin on GitHub that installs backdoors, and often drop the vulnerable wp-query-console plugin to gain RCE. Administrators should update affected plugins and scan for indicators of compromise immediately.

Microsoft issues emergency WSUS patch for critical RCE

⚠️ Microsoft released an out-of-band security update to address a critical WSUS remote code execution vulnerability, CVE-2025-59287 (CVSS 9.8). The flaw stems from unsafe deserialization of AuthorizationCookie objects at the GetCookie() endpoint, where AES-128-CBC-encrypted cookie payloads are decrypted and deserialized via BinaryFormatter without type validation, enabling SYSTEM-level code execution on servers running the WSUS role. Microsoft published updates for supported Windows Server releases and recommends installing the patch and rebooting; short-term mitigations include disabling the WSUS role or blocking TCP ports 8530 and 8531.

Critical WSUS RCE Flaw in Windows Server Exploited Now

⚠️Microsoft confirmed attackers are exploiting a critical Windows Server Update Service vulnerability tracked as CVE-2025-59287, a remote code execution flaw that affects servers running the WSUS Server role when configured as an update source for other WSUS servers. The bug can be abused remotely with low complexity and no user interaction to run code as SYSTEM, raising wormable concerns. Microsoft released out-of-band patches for all affected Windows Server versions and advised immediate installation or temporary disabling of the WSUS Server role; public proof-of-concept code and active scanning have been observed in the wild.

Microsoft Releases Out-of-Band WSUS Patch for CVE-2025-59287

⚠ Microsoft released an out-of-band security update (October 23, 2025) to remediate a critical Windows Server Update Service (WSUS) remote code execution vulnerability, CVE-2025-59287, after a prior fix proved incomplete. The flaw affects WSUS on Windows Server 2012, 2016, 2019, 2022, and 2025 and could allow an unauthenticated actor to execute code with SYSTEM privileges. CISA urges organizations to identify affected WSUS servers, apply the update and reboot, or temporarily disable the WSUS Server Role or block inbound TCP ports 8530/8531 as mitigations until the patch is installed.

Microsoft issues emergency WSUS updates for critical RCE

⚠️ Microsoft has released out-of-band security updates to remediate a critical WSUS vulnerability tracked as CVE-2025-59287. The flaw affects only Windows servers with the WSUS Server Role enabled and allows remote, unauthenticated attackers to execute code as SYSTEM in low-complexity attacks without user interaction. Microsoft published cumulative KB updates for all affected Server builds and requires a reboot; administrators who cannot patch immediately are advised to disable the WSUS role or block TCP ports 8530/8531 as temporary mitigations.

CISA Warns of Critical Lanscope Endpoint Manager Flaw

⚠️ CISA warns that attackers are exploiting a critical flaw (CVE-2025-61932) in Motex's Lanscope Endpoint Manager, enabling unauthenticated remote code execution via specially crafted packets. The issue affects client components in versions 9.4.7.2 and earlier; Motex has released patched client builds and noted managers do not require updates. No mitigations are available—install the vendor updates; CISA added the flaw to its KEV with a Nov. 12 remediation deadline for federal agencies.

Veeder-Root TLS4B: Remote Command Injection and 2038 Bug

🔒 Veeder-Root's TLS4B Automatic Tank Gauge System contains two serious vulnerabilities: a SOAP-based command injection (CVE-2025-58428) that allows remote authenticated attackers to execute system-level commands, and an integer overflow/2038 time wraparound (CVE-2025-55067) that can disrupt authentication and core functions. The command injection carries very high severity (CVSS v3.1 9.9 / CVSS v4 9.4); Veeder-Root recommends upgrading to Version 11.A. For the time-related overflow, Veeder-Root is developing a patch and advises applying network-security best practices, isolating devices, and restricting access until a fix is available.

AutomationDirect Productivity Suite: Multiple High-Risk Flaws

⚠️ AutomationDirect's Productivity Suite and several Productivity PLC models contain multiple high-severity vulnerabilities — including relative path traversal (ZipSlip), a weak password recovery mechanism, incorrect permission assignment, and binding to an unrestricted IP address. Exploitation could allow remote attackers to read, write, or delete files, execute arbitrary code, or gain full control of projects. AutomationDirect has released updates (Productivity Suite v4.5.0.x and newer) and recommends applying the latest firmware and implementing network isolation and firewall/NAC controls if immediate upgrades are not possible.

ThreatsDay: Widespread Attacks Exploit Trusted Systems

🔒 This ThreatsDay bulletin highlights a series of recent incidents where attackers favored the easiest paths in: tricking users, abusing trusted services, and exploiting stale or misconfigured components. Notable items include a malicious npm package with a post-install backdoor, a CA$176M FINTRAC penalty for missed crypto reporting, session hijacking via MCP (CVE-2025-6515), and OAuth-based persistent backdoors. Practical defenses emphasized are rapid patching, disabling risky install hooks, auditing OAuth apps and advertisers, and hardening agent and deserialization boundaries.

Over 250 Magento Stores Targeted Using SessionReaper Bug

⚠️ Sansec warns that threat actors have begun exploiting CVE-2025-54236 (SessionReaper) in Adobe Commerce and Magento Open Source, with over 250 attack attempts recorded in 24 hours. The critical (CVSS 9.1) improper input validation flaw can enable customer account takeover via the Commerce REST API, and Adobe released a patch last month. Sansec cautions that 62% of Magento stores remain unpatched six weeks after disclosure, and observed activity includes dropping PHP webshells via '/customer/address_file/upload' and probing phpinfo from several attacker IPs.

CISA: Critical Lanscope Endpoint Manager Flaw Exploited

⚠️ CISA has added a critical defect in Motex LANSCOPE Endpoint Manager to its Known Exploited Vulnerabilities catalog after observing active exploitation. Tracked as CVE-2025-61932 (CVSS v4: 9.3), the flaw affects on-premises Client program and Detection Agent components and allows arbitrary code execution via specially crafted packets. Motex released patches for multiple 9.3/9.4 builds, and federal agencies are advised to remediate by November 12, 2025.

Samsung Galaxy S25 Hacked at Pwn2Own Ireland 2025 Event

🔒 At Pwn2Own Ireland 2025, researchers from Mobile Hacking Lab and Summoning Team successfully exploited a Samsung Galaxy S25 using a five‑vulnerability chain to achieve code execution. The findings, credited to Ken Gannon and Dimitrios Valsamaras, were surrendered to Samsung under the event's coordinated disclosure rules. Hours later a second team, Interrupt Labs, used an improper input validation bug to seize camera and location access. Each team received $50,000; Samsung has 90 days to issue fixes.