All news with #rce tag

TARmageddon: Abandoned Rust tar library enables RCE

🚨 A high-severity logic flaw in the abandoned async-tar Rust library and its forks allows unauthenticated attackers to inject archive entries and achieve remote code execution when nested TARs with mismatched ustar and PAX headers are processed. Edera, which named the issue TARmageddon and tracked it as CVE-2025-62518, explains the parser can jump into file content and mistake it for headers, enabling extraction of attacker-supplied files. The bug also affects the widely used but abandoned tokio-tar fork (7M+ downloads), while several active forks have already been patched. Developers are advised to upgrade to patched forks such as astral-tokio-tar or remove the vulnerable dependency immediately.

Chinese Groups Exploit ToolShell SharePoint Flaw Widespread

🔒 Symantec reports that China-linked threat actors exploited the ToolShell vulnerability in Microsoft SharePoint (CVE-2025-53770) weeks after Microsoft issued a July 2025 patch, compromising a Middle Eastern telecom and multiple government and corporate targets across regions. Attackers used loaders and backdoors such as KrustyLoader, ShadowPad and Zingdoor, and in several incidents employed DLL side-loading and privilege escalation via CVE-2021-36942. Symantec notes the operations aimed at credential theft, stealthy persistence, and likely espionage, with activity linked to groups including Linen Typhoon, Violet Typhoon, Storm-2603 and Salt Typhoon.

ToolShell SharePoint Exploit Hits Organizations Worldwide

⚠️ Symantec reports that hackers linked to China exploited the ToolShell vulnerability (CVE-2025-53770) in on-premise Microsoft SharePoint servers to target government agencies, universities, telecommunications providers, and financial firms across four continents. The zero-day, disclosed on July 20, was used to plant webshells and enable remote code execution. Attackers deployed DLL side-loading to load a Go backdoor named Zingdoor, later chained to ShadowPad, KrustyLoader, and the Sliver framework, and performed credential dumping and PetitPotam abuse to escalate to domain compromise.

TP-Link fixes four critical Omada Gateway vulnerabilities

🔒 TP-Link has published firmware updates to address four security flaws in its Omada gateway devices, including two critical command injection vulnerabilities that could allow arbitrary command execution on the device OS. The issues are tracked as CVE-2025-6541, CVE-2025-6542, CVE-2025-7850 and CVE-2025-7851, affecting multiple ER, FR and G-series models. Users are urged to install the patched builds promptly and verify device configurations after upgrading.

TP-Link Omada Gateways Vulnerable to Critical RCE Flaw

⚠️ TP-Link has disclosed two command injection vulnerabilities affecting Omada gateway devices that allow execution of arbitrary OS commands. One issue, CVE-2025-6542 (CVSS 9.3), can be exploited remotely without authentication; the other, CVE-2025-6541 (CVSS 8.6), requires access to the web management interface. Thirteen models are listed as impacted and TP-Link has released firmware updates to address the flaws; administrators are urged to apply patches and verify configurations after upgrading.

Cursor, Windsurf IDEs Exposed to 94+ Chromium Flaws

⚠️ The latest releases of Cursor and Windsurf IDEs embed outdated Chromium and V8 engines that contain at least 94 known, patched vulnerabilities. Ox Security researchers demonstrated a proof‑of‑concept exploiting CVE-2025-7656 (a Maglev JIT integer overflow) to crash Cursor, and warn that similar flaws could enable denial‑of‑service or arbitrary code execution in real attacks. Attack vectors include deeplinks, malicious extensions, poisoned README previews or documentation; the two IDEs together serve an estimated 1.8 million developers. Cursor dismissed the DoS finding as out of scope and Windsurf did not respond to inquiries.

Raisecomm RAX701-GC SSH Authentication Bypass Vulnerability

🔒 A critical authentication bypass in Raisecomm RAX701-GC devices permits SSH sessions without completing user authentication, potentially granting unauthenticated root shell access. The flaw is tracked as CVE-2025-11534 with a CVSS v3.1 score of 9.8 and CVSS v4 score of 9.3, exploitable remotely with low attack complexity. Affected firmware versions include 5.5.27_20190111, 5.5.13_20180720, and 5.5.36_20190709. CISA recommends isolating affected devices from the internet, placing control networks behind firewalls, and using secure remote access methods such as updated VPNs while contacting vendor support.

Critical WatchGuard Fireware OS RCE via IKEv2 VPN Exploit

🔴 A critical out-of-bounds write vulnerability (CVE-2025-9242) in WatchGuard Fireware OS could allow remote code execution via IKEv2 mobile VPN and Branch Office VPN when configured with dynamic gateway peers. Affected releases include Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3 and 2025.1, and WatchGuard warns devices previously configured with these peers may remain vulnerable. Shadowserver estimates over 71,000 potentially exposed devices; WatchGuard and the US NVD have published advisories and guidance, and a temporary workaround plus narrower BOVPN access policies are recommended if immediate upgrades are not possible.

Zero Disco: Fileless Rootkits Target Legacy Cisco Switches

⚠️Threat actors exploited a Cisco SNMP vulnerability (CVE-2025-20352) to achieve remote code execution on legacy IOS XE switches and install custom, largely fileless Linux rootkits that hook into the IOSd memory space, set universal passwords (including one containing 'Disco'), and hide processes and network activity. The rootkits spawn a UDP-based controller to toggle or zero logs, bypass access controls, and reset running-config timestamps to mask changes. Trend Micro also observed spoofed IP/MAC addresses and attempts to combine a retooled Telnet memory-access exploit to deepen persistence.

Critical WatchGuard Fireware VPN Bug Allows Pre-Auth RCE

🔒 Researchers disclosed a recently patched critical vulnerability in WatchGuard Fireware (CVE-2025-9242, CVSS 9.3) that can allow unauthenticated attackers to execute arbitrary code via an out-of-bounds write in the iked process. The flaw affects multiple Fireware branches, including 11.10.2 through 11.12.4_Update1 (EOL noted for 11.x), 12.0 through 12.11.3 and 2025.1, and has been fixed across several updates such as 2025.1.1 and 12.11.4. Administrators are urged to apply the vendor updates immediately, limit internet exposure of VPN interfaces, and follow vendor mitigation guidance until patches are deployed.

Hackers Deploy Rootkit via Cisco SNMP Zero-Day on Switches

⚠️Threat actors exploited a recently patched SNMP remote code execution flaw (CVE-2025-20352) in older Cisco IOS and IOS XE devices to deploy a persistent Linux rootkit. Trend Micro reports the campaign targeted unprotected 9400, 9300 and legacy 3750G switches and has been tracked as Operation Zero Disco, named for the universal password that contains 'disco'. The implant can disable logging, bypass AAA and VTY ACLs, hide running-configuration items and enable lateral movement; researchers recommend low-level firmware and ROM-region checks when compromise is suspected.

Gladinet patches zero-day in CentreStack file sharing

🔒 Gladinet released an urgent update for its CentreStack business solution to fix a local file inclusion flaw tracked as CVE-2025-11371, which was abused in the wild as a zero-day. The LFI allowed attackers to read Web.config, extract the ASP.NET machine key, and then leverage a prior deserialization RCE (CVE-2025-30406) to achieve remote code execution. Administrators should upgrade to CentreStack version 16.10.10408.56683 immediately; if patching is not possible, disable the temp handler in Web.config for the UploadDownloadProxy component as a temporary mitigation.

Cisco SNMP Rootkit Campaign Targets Network Devices

🔒 Trend Micro detailed a campaign exploiting CVE-2025-20352 that installed Linux rootkits on exposed Cisco switches and routers, enabling persistent unauthorized access. The attackers combined an SNMP remote code execution with a modified Telnet flaw (based on CVE-2017-3881) to read and write device memory and deploy fileless backdoors. Affected models include Cisco 9400, 9300 and legacy 3750G series. Device owners should apply Cisco patches, disable or harden SNMP and restrict management access.

CISA Warns: Critical Adobe AEM Flaw Actively Exploited

🚨 CISA has added a maximum-severity vulnerability in Adobe Experience Manager (AEM) Forms to its Known Exploited Vulnerabilities Catalog after confirming active exploitation. Tracked as CVE-2025-54253, the flaw is an authentication bypass via Struts DevMode that can result in unauthenticated remote code execution on AEM JEE 6.5.23 and earlier. Adobe released fixes on August 9 after public proof-of-concept code appeared; CISA requires federal agencies to remediate by November 5 and urges all organizations to prioritize patching, apply vendor mitigations, or restrict Internet access to affected AEM Forms deployments.

Siemens Solid Edge: Multiple PRT Parsing Vulnerabilities

🔒 Siemens' Solid Edge CAD applications contain multiple vulnerabilities in PRT file parsing—two out‑of‑bounds writes (CWE‑787) and two out‑of‑bounds reads (CWE‑125)—tracked as CVE‑2025‑40809 through CVE‑2025‑40812. Affected releases include SE2024 versions prior to V224.0 Update 14 and SE2025 versions prior to V225.0 Update 6. Exploitation could crash the application or enable code execution in the context of the current process; Siemens and CISA recommend applying the listed updates, avoiding untrusted PRT files, and limiting network exposure.

Siemens SiPass integrated vulnerabilities and update

🔒 Siemens released security updates for SiPass integrated to address four vulnerabilities—an Accusoft ImageGear heap-based buffer overflow, stored cross-site scripting, an authorization bypass via user-controlled keys, and recoverable password storage. Exploitation could enable account compromise, data manipulation, impersonation, or arbitrary code execution on affected servers. Siemens recommends updating to V3.0, restricting access to trusted personnel, and avoiding untrusted image uploads; CISA advises isolating devices and using secure remote access.

Siemens HyperLynx and Industrial Edge Publisher Security

⚠️ Siemens disclosed a type confusion vulnerability (CVE-2025-6554) affecting HyperLynx and Industrial Edge App Publisher, which can enable remote arbitrary read/write and potential code execution via crafted HTML. The issue carries a CVSS v4 base score of 7.0 and a v3.1 score up to 8.1 depending on context. Siemens has released v1.23.5 for App Publisher; no fix is available yet for HyperLynx. Organizations should restrict network exposure, isolate control systems, use secure remote access, and follow Siemens and CISA guidance to mitigate risk.

Attackers Use Cisco SNMP Flaw to Deploy Linux Rootkits

🛡️ Researchers disclosed a campaign, Operation Zero Disco, that exploited a recently patched SNMP stack overflow (CVE-2025-20352) in Cisco IOS and IOS XE devices to deploy Linux rootkits on older, unprotected switches. The attackers achieved remote code execution and persistence by installing hooks into IOSd memory and setting universal passwords that include the string "disco." Targets included legacy 3750G and 9300/9400 series devices lacking EDR protections.

CrowdStrike Falcon Blocks Git Vulnerability CVE-2025-48384

🔒 CrowdStrike has identified active exploitation of Git vulnerability CVE-2025-48384 and confirms that Falcon detections can block the observed attack chain. The vulnerability, which affects macOS and Linux, arises from inconsistent handling of carriage return characters in configuration and submodule path parsing and can enable arbitrary file writes during a recursive clone. Observed attacks combined social engineering with malicious repositories that place crafted .gitmodules entries and submodule hooks to execute post-checkout scripts. CrowdStrike urges organizations to patch Git, enable layered protections, deploy provided detection rules and hunting queries, and use Falcon Insight XDR prevention settings to reduce exposure.

CISA Adds Adobe AEM Critical RCE Flaw with CVSS 10.0

⚠ Adobe's Experience Manager (AEM) has a critical misconfiguration—CVE-2025-54253—scored 10.0 and added to CISA's KEV after evidence of active exploitation. The flaw exposes the /adminui/debug servlet, which evaluates OGNL expressions without authentication, enabling arbitrary code execution via a single crafted HTTP request. Adobe addressed the issue in 6.5.0-0108; affected organizations should apply updates immediately and FCEB agencies must remediate by November 5, 2025.