All news with #rce tag

CISA Adds Meteobridge Command Injection CVE-2025-4008

⚠️ CISA has added a high-severity command injection flaw, CVE-2025-4008, affecting Smartbedded Meteobridge to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The vulnerability allows unauthenticated remote attackers to execute arbitrary commands as root via a vulnerable /cgi-bin/template.cgi endpoint that improperly uses eval calls. ONEKEY reported the issue and Meteobridge issued a fix in version 6.2 on May 13, 2025.

Cisco Talos Discloses Multiple Nvidia and Adobe Flaws

⚠ Cisco Talos disclosed five vulnerabilities in NVIDIA's CUDA Toolkit components and one use-after-free flaw in Adobe Acrobat Reader. The Nvidia issues affect tools like cuobjdump (12.8.55) and nvdisasm (12.8.90), where specially crafted fatbin or ELF files can trigger out-of-bounds writes, heap overflows, and potential arbitrary code execution. The Adobe bug (2025.001.20531) involves malicious JavaScript in PDFs that can reuse freed objects, leading to memory corruption and possible remote code execution if a user opens a crafted document.

TOTOLINK X6000R Router: Multiple Firmware Vulnerabilities

⚠️ TOTOLINK X6000R routers running firmware V9.4.0cu.1360_B20241207 contain three vulnerabilities that enable argument injection, unauthenticated command execution, and sanitization bypasses leading to file corruption or persistent denial-of-service. The most severe, CVE-2025-52906, is an unauthenticated command injection rated Critical (CVSS 9.3). TOTOLINK has released updated firmware and users should apply the patch immediately while defenders use device visibility and threat prevention to detect exploitation.

Nearly 50,000 Cisco Firewalls Exposed to Active Flaws

⚠️More than 48,800 internet-exposed Cisco ASA and FTD appliances remain vulnerable to two remotely exploitable flaws, CVE-2025-20333 and CVE-2025-20362, that allow arbitrary code execution and access to restricted VPN endpoints. Cisco confirmed active exploitation began before patches were available and no workarounds exist. Administrators should restrict VPN web interface exposure, increase logging and monitoring for suspicious VPN activity, and apply vendor fixes immediately.

Critical WD My Cloud Bug Allows Remote Command Injection

🔒 Western Digital issued firmware 5.31.108 to fix a critical OS command injection (CVE-2025-30247) in the My Cloud web UI that allows remote execution via crafted HTTP POST requests. The update addresses multiple consumer and small-business NAS models, though My Cloud DL2100 and DL4100 have reached end of support and may not receive fixes. WD urges immediate patching; affected owners should apply the firmware or disconnect devices from the internet until updated.

Chinese Hackers Exploited VMware Zero-Day Since Oct 2024

🔒 Broadcom issued patches for a high-severity privilege escalation vulnerability in VMware Aria Operations and VMware Tools that has been actively exploited since October 2024. European firm NVISO linked the in-the-wild abuse to the China-aligned group UNC5174 and published a proof-of-concept for CVE-2025-41244. The flaw allows an unprivileged local attacker to stage a malicious binary (commonly in /tmp/httpd), have it discovered by VMware service discovery, and escalate to root-level execution on vulnerable VMs.

NI Circuit Design Suite Vulnerabilities — Patches Available

⚠️ CISA reports high-severity vulnerabilities in National Instruments' Circuit Design Suite that could cause memory corruption, information disclosure, or enable arbitrary code execution. Two flaws—a type confusion (CVE-2025-6033) and an out-of-bounds read (CVE-2025-6034)—affect versions 14.3.1 and earlier and carry CVSS v4 base scores of 8.4. Both issues require local access but have low attack complexity. National Instruments has released version 14.3.2 and CISA advises updating and reducing network exposure for control-system devices.

Festo CECC Controller Firmware Vulnerabilities and Fixes

⚠️ Festo firmware for Controller CECC-S, -LK, and -D families contains multiple vulnerabilities (aggregate CVSS up to 9.8) in the integrated CODESYS V3 runtime and related components. Affected releases include R05 (2.3.8.0) and R06 (2.3.8.1); Festo advises updating affected units to firmware 2.4.2.0 where fixes are provided. Exploitable issues may enable remote code execution, denial-of-service, privilege escalation, or unauthorized access. CISA recommends isolating control networks, restricting remote exposure, and applying vendor guidance and mitigations while performing appropriate risk analysis.

September 2025 Zero-Day Exploits Impact Cisco ASA/FTD

⚠️ Cisco reported active exploitation of multiple zero-day vulnerabilities in ASA and FTD software by a state-sponsored actor tracked as ArcaneDoor. Two CVEs (CVE-2025-20333 and CVE-2025-20362) are being exploited in the wild and a third (CVE-2025-20363) is at high risk for imminent exploitation. Cisco released updates on Sep. 25, 2025, and CISA issued Emergency Directive 25-03; organizations should prioritize immediate patching or apply vendor mitigations when updates are not yet possible.

Maximum-severity GoAnywhere MFT zero-day exploited

⚠️ Fortra's GoAnywhere MFT is being exploited in the wild via a deserialization flaw tracked as CVE-2025-10035 in the License Servlet, enabling unauthenticated remote command injection when attackers supply a forged license response signature. WatchTowr Labs reports credible evidence of exploitation dating back to September 10, 2025, prior to Fortra's advisory published on September 18. Administrators should apply patches to 7.8.4 or 7.6.3, remove public Admin Console exposure, and search logs for the error string 'SignedObject.getObject'.

Active Exploitation of Fortra GoAnywhere CVE-2025-10035

🔴 watchTowr Labs reports credible evidence that the critical unsafe deserialization flaw CVE-2025-10035 in Fortra GoAnywhere MFT was exploited in the wild as early as Sept 10, 2025, a week before public disclosure. The License Servlet vulnerability can permit unauthenticated command injection, earning a CVSS 10.0 rating. Fortra has released fixes (GoAnywhere 7.8.4 and Sustain 7.6.3); affected organizations should apply updates immediately and investigate for signs of compromise.

Critical Cisco Firewall Zero-Day Demands Immediate Patch

🔴 A critical zero-day vulnerability (CVE-2025-20363) in Cisco firewall and IOS families requires immediate patching, US CISA and the UK NCSC warned. Cisco says the flaw is caused by improper validation of user-supplied HTTP input and can allow remote arbitrary code execution as root when exploited. Affected products include Cisco Secure Firewall ASA, FTD, and certain IOS/IOS XE/IOS XR builds; Cisco has released fixes and advises there are no viable workarounds.

Cisco IOS/IOS XE SNMP Stack Overflow — Patch Immediately

⚠️ Cisco has warned of a stack overflow vulnerability in the SNMP subsystem of IOS and IOS XE software identified as CVE-2025-20352. A low-privileged authenticated attacker can send a crafted SNMP packet to cause a system reload and a denial-of-service, while a high-privileged actor could achieve root-level arbitrary code execution. Administrators are urged to apply vendor patches immediately and restrict SNMP access until systems are updated.

Urgent Cisco ASA Zero-Day Duo Under Active Attack Now

⚠️ Cisco is urging customers to immediately patch two zero-day vulnerabilities affecting the VPN web server in Cisco Secure Firewall Adaptive Security Appliance (ASA) and FTD software after observing exploitation in the wild. CVE-2025-20333 (CVSS 9.9) allows an authenticated VPN user to execute arbitrary code as root; CVE-2025-20362 (CVSS 6.5) permits unauthenticated access to restricted URL endpoints. CISA has issued Emergency Directive ED 25-03, added both flaws to the Known Exploited Vulnerabilities catalog with a 24-hour mitigation requirement, and warned of a widespread campaign linked to the ArcaneDoor/UAT4356 cluster that can modify ASA ROM to persist.

CISA Directs Agencies to Mitigate Cisco Device Risks

🚨 CISA issued Emergency Directive ED 25-03 directing federal agencies to identify, analyze, and mitigate potential compromises of Cisco ASA and Cisco Firepower devices after adding CVE-2025-20333 and CVE-2025-20362 to the Known Exploited Vulnerabilities Catalog. Agencies must inventory all devices (all versions) and collect memory/core dump files for forensic analysis, transmitting them to CISA by 11:59 p.m. EST on Sept. 26. CISA published supplemental guidance, an Eviction Strategies Tool template, and referenced Cisco and UK NCSC analyses to support containment, eviction, and remediation.

Cisco: Actively Exploited SNMP Flaw Risks RCE or DoS

🔒 Cisco has issued an urgent advisory about a high-severity SNMP vulnerability (CVE-2025-20352, CVSS 7.7) in IOS and IOS XE Software that has been exploited in the wild. The flaw is a stack overflow in the SNMP subsystem that can allow an authenticated remote attacker to cause a denial-of-service or, with higher privileges, execute arbitrary code as root. Exploitation requires SNMP community strings or valid SNMPv3 credentials and, for code execution, administrative (privilege 15) access. Cisco called out affected devices including Meraki MS390 and Catalyst 9300 series running Meraki CS 17 and earlier, and issued a fix in IOS XE 17.15.4a. There are no full workarounds; administrators should restrict SNMP access, monitor with "show snmp host", and consider excluding affected OIDs where supported.

Retail at Risk: Single Alert Reveals Persistent Threat

🔍 A single Microsoft Defender alert triggered an investigation that uncovered a persistent cyberthreat against retail customers. Attackers exploited unpatched SharePoint flaws CVE-2025-49706 and CVE-2025-49704 using obfuscated ASPX web shells while also compromising identities through self-service password reset abuse and Microsoft Entra ID reconnaissance. DART swiftly contained the intrusions—removing web shells, isolating Entra ID, deprivileging accounts, and recommending Zero Trust measures, MFA enforcement, timely patching, and EDR deployment.

Cisco warns of IOS and IOS XE SNMP zero-day attacks

🛡️ Cisco released security updates addressing a high-severity zero-day, tracked as CVE-2025-20352, in IOS and IOS XE. The flaw is a stack-based buffer overflow in the SNMP subsystem that allows authenticated remote attackers with low privileges to trigger DoS, and high-privileged actors to execute code as root on affected devices. Cisco reports exploitation in the wild after Administrator credentials were compromised and urges customers to upgrade; as a temporary mitigation it recommends limiting SNMP access to trusted users.

Chinese State-Linked RedNovember Targets Global Org

🛰️ Recorded Future has attributed a widespread cyber-espionage cluster to a Chinese state-sponsored actor it has named RedNovember, which overlaps with Microsoft's Storm-2077. From June 2024 to July 2025 the group targeted internet-facing perimeter appliances and used a mix of open-source and commercial tooling — notably Pantegana, Spark RAT and Cobalt Strike — to gain persistent access across government and private-sector networks worldwide. Attacks exploited known CVEs in VPNs, firewalls and other security appliances and leveraged a Go-based loader derived from LESLIELOADER, while administration infrastructure relied on VPN services such as ExpressVPN and Warp.

CISA: Federal Agency Breached via GeoServer RCE Incident

🔒 CISA reported that an unnamed federal civilian agency was breached after actors exploited CVE-2024-36401, an RCE in a public-facing GeoServer, on July 11, 2024. The vendor had patched the flaw on June 30 and CISA added it to the KEV catalogue on July 15; a second GeoServer was compromised on July 24. Attackers deployed open-source tools and web shells such as China Chopper, used living-off-the-land and brute-force techniques, and established persistence. CISA highlighted failures in timely patching, incident-response testing, and continuous EDR monitoring.