All news with #remote code execution tag

SAP patches three critical vulnerabilities in December

🔒 SAP released December security updates fixing 14 vulnerabilities across multiple products, including three critical flaws that could enable remote code execution and full system compromise. The most severe, CVE-2025-42880 (CVSS 9.9), is a code-injection issue in SAP Solution Manager ST 720. A Tomcat-related bundle tracked as CVE-2025-55754 (CVSS 9.6) affects SAP Commerce Cloud, and CVE-2025-42928 (CVSS 9.1) is a deserialization bug in SAP jConnect. Administrators are urged to deploy the provided fixes without delay.

React2Shell critical flaw exploited by China-linked groups

⚠️React2Shell is a max-severity insecure deserialization vulnerability in the React Server Components 'Flight' protocol that allows unauthenticated remote execution of JavaScript on affected servers. Within hours of disclosure, AWS telemetry observed exploitation attempts by China-linked groups including Earth Lamia and Jackpot Panda, and multiple proof-of-concept exploits have been published. React and Next.js have released patches; administrators should apply updates, scan for vulnerable deployments, and monitor for known exploitation indicators.

CISA Warns of Critical CentOS Web Panel RCE Exploit

⚠️ CISA warns that a critical remote command execution vulnerability, tracked as CVE-2025-48703, is being exploited in the wild against CentOS Web Panel (CWP). The flaw impacts all CWP versions before 0.9.8.1204 and allows unauthenticated attackers who know a valid username to inject shell commands via the file-manager changePerm t_total parameter. The vendor fixed the issue in 0.9.8.1205, and federal agencies have until Nov 25 under BOD 22-01 to remediate or stop using the product.

DrayTek warns of RCE vulnerability in Vigor routers

🔒 DrayTek has issued an advisory for Vigor routers after a researcher reported a remotely triggerable vulnerability (CVE-2025-10547) that can cause memory corruption and may allow arbitrary code execution via crafted HTTP/HTTPS requests to the device WebUI. Reported on July 22 by ChapsVision researcher Pierre-Yves Maes, the root cause is an uninitialized stack value that can be abused to force an arbitrary free() and achieve RCE, and Maes successfully tested an exploit. DrayTek provides firmware versions to mitigate the issue and recommends applying updates promptly while reducing WAN exposure by disabling or restricting remote WebUI/SSL VPN access.

Google fixes actively exploited Android flaws in September

🔒 Google has released the September 2025 Android security update addressing 84 vulnerabilities, including two zero-day flaws observed in limited, targeted exploitation: CVE-2025-38352 (Linux kernel) and CVE-2025-48543 (Android Runtime). The bulletin also patches four critical issues — including an RCE in the System component and three Qualcomm vulnerabilities affecting modem and data stacks. Users are urged to install security patch level 2025-09-01 or 2025-09-05 via Settings > System > Software updates > System update.