
All news with #remote code execution tag


Critical n8n RCE Flaw (CVE-2025-68613) Requires Patch

🔴 A critical vulnerability in the n8n workflow automation platform (CVE-2025-68613, CVSS 9.9) allows expressions supplied by authenticated users to be evaluated in an execution context that is not sufficiently isolated from the runtime. An attacker able to create or edit workflows could abuse this behavior to execute arbitrary code with the privileges of the n8n process, risking full instance compromise, data exposure, and workflow tampering. The flaw affects versions from 0.211.0 up to, but not including, 1.120.4 and has been patched in 1.120.4, 1.121.1, and 1.122.0; apply these updates or restrict workflow editing and harden deployments.

Revisiting CVE-2025-50165: Windows Imaging Component Flaw

🛡️ ESET researchers re-examine CVE-2025-50165, a critical Windows Imaging Component vulnerability that can lead to remote code execution when a specially crafted JPG is re-encoded. Their analysis identifies uninitialized precision-specific function pointers in WindowsCodecs.dll (libjpeg-turbo based) as the root cause and reproduces the crash with 12‑ and 16‑bit JPEG samples. ESET concludes exploitation is technically challenging and unlikely in the wild, requiring re-encoding, an address leak and heap manipulation; patches in updated builds initialize and validate these pointers.

RCE Flaw Exposes Over 115,000 WatchGuard Firewalls

⚠️ WatchGuard released patches for a critical remote code execution vulnerability, CVE-2025-14733, affecting Firebox devices running Fireware OS 11.x, 12.x and 2025.1 up to 2025.1.3. The flaw permits unauthenticated attackers to execute arbitrary code on devices configured for IKEv2 VPN, and may also be reachable via certain Branch Office VPN setups. Shadowserver reported more than 115,000 exposed instances online. CISA added the issue to its KEV catalog and ordered federal agencies to patch under BOD 22-01.

WatchGuard fixes critical Fireware IKEv2 exploit in the wild

🔒 WatchGuard has released updates to remediate a critical vulnerability (CVE-2025-14733, CVSS 9.3) in Fireware OS that enables remote unauthenticated code execution via an out-of-bounds write in the iked process. The flaw impacts IKEv2 mobile user VPNs and branch office VPNs configured with dynamic gateway peers, and the vendor reports observed exploitation attempts in the wild. WatchGuard published fixed releases, IoCs, and temporary mitigations; administrators should apply updates immediately.

WatchGuard Warns of Actively Exploited RCE in Firebox

🔒 WatchGuard has issued an urgent advisory for a critical remote code execution vulnerability (CVE-2025-14733) affecting Firebox appliances running Fireware OS 11.x, 12.x and 2025.1 releases. The flaw enables unauthenticated attackers to execute code via an out-of-bounds write when IKEv2 VPN is enabled. WatchGuard reports active exploitation in the wild and provides a temporary workaround for Branch Office VPN configurations where immediate patching is not possible. Administrators are urged to apply vendor updates and review provided indicators of compromise.

React2Shell: Pre-auth RCE Exposes Front-End Risk in Enterprise

🚨 React2Shell (CVE-2025-55182) is a critical pre-authentication remote code execution flaw affecting React Server Components, Next.js and related frameworks. Exploitable with a single crafted HTTP request that targets the Flight protocol, the bug lets attackers inject and execute arbitrary server-side components, enabling backdoors, crypto miners and ransomware deployment. Researchers at S-RM and the Microsoft Defender team warn default configurations are vulnerable and note some early patches were incomplete; organizations should urgently verify fully patched versions and run forensic checks.

HPE OneView RCE Vulnerability Demands Immediate Patch

🔴 HPE has issued an urgent advisory for HPE OneView after disclosure of a maximum-severity remote code execution flaw, CVE-2025-37164, that can be triggered by unauthenticated remote actors. The vulnerability affects OneView versions 5.20 through 10.20 and requires an immediate security hotfix. HPE provides separate hotfixes for the virtual appliance and for HPE Synergy Composer; administrators should apply the fixes promptly and, until remediation, restrict management-interface access to trusted administrative networks.

HPE OneView Critical RCE Flaw Rated CVSS 10.0, Patch

🚨 HPE has released patches for a critical remote code execution vulnerability in OneView Software, tracked as CVE-2025-37164 with a CVSS score of 10.0. The flaw affects all versions prior to 11.00; HPE published version 11.00 and hotfixes for 5.20–10.20 to mitigate it. Administrators should apply the update or hotfix promptly; certain hotfixes must be reapplied after specific upgrades or Synergy Composer reimaging.

Schneider Electric: WSUS Vulnerability in Foxboro DCS

⚠️ Schneider Electric warns that a Microsoft WSUS vulnerability (CVE-2025-59287, CWE-502) impacts EcoStruxure™ Foxboro DCS Advisor and may allow remote code execution with system-level privileges (CVSS 3.1 9.8). Microsoft fixes (KB5070882, KB5070884) are available via WSUS and may require a reboot to complete installation. Apply the patches promptly, verify installation with Schneider Electric Global Customer Support, and follow recommended network isolation and access-control measures to reduce exposure.

Critical AXIS Camera Station and Device Manager Flaws

⚠️ CISA warns of critical vulnerabilities in AXIS Camera Station products, including AXIS Camera Station Pro and AXIS Device Manager. Successful exploitation could allow remote code execution, authentication bypass, man-in-the-middle attacks, or local privilege escalation; CVEs include CVE-2025-30023, -30024, -30025, and -30026 (maximum CVSS v3 base score 9.0). Vendor-identified affected releases are older than Pro 6.9, Camera Station 5.58, and Device Manager 5.32; upgrades to these versions or later are the recommended fixes and administrators should minimize network exposure.

Ignition Vulnerability Allows Unnecessary SYSTEM Execution

⚠️ Inductive Automation Ignition contains a Python scripting vulnerability (CVE-2025-13911) that can allow direct SYSTEM-level code execution on Windows hosts running the Ignition Gateway. The issue stems from insufficient controls on which Python libraries and scripts can be imported and executed, and the Ignition service account running with excessive SYSTEM privileges. A malicious project uploaded by an authenticated administrator can execute bind shells or similar payloads with Gateway process privileges. Inductive Automation identifies affected releases as 8.1.x and 8.3.x and provides mitigations on its Trust Portal; CISA rates the flaw CVSS 3.1 6.4 and recommends network segmentation and reduced exposure.

ICONICS/Mitsubishi Electric Keypad Code Execution Bug

⚠️ CISA reports CVE-2025-11774, a high-severity vulnerability in the software 'keypad' function of ICONICS Suite, GENESIS64, MobileHMI, and MC Works64. An attacker who tampers with the keypad configuration file can trigger execution of arbitrary EXE files when a legitimate user uses the keypad, enabling information disclosure, tampering, deletion, or denial of service. The issue is rated CVSS 3.1 8.2 (CWE-78). Upgrade affected ICONICS products to GENESIS64 v10.97.3 or V11; MC Works64 users should migrate per vendor guidance.

LabVIEW Multiple Vulnerabilities Allow Code Execution

⚠ National Instruments released patches addressing multiple vulnerabilities in LabVIEW that could allow information disclosure and arbitrary code execution if a user opens a specially crafted VI file. The flaws include out-of-bounds read/write, use-after-free, and a stack-based buffer overflow across several LabVIEW releases up to 2025_Q3. Administrators should apply the vendor Q3 patch updates and minimize exposure of LabVIEW files while performing risk assessments.

HPE OneView RCE Flaw (CVE-2025-37164) Requires Patch

⚠️ HPE has released patches for a maximum-severity remote code execution vulnerability, CVE-2025-37164, in OneView that affects all versions prior to v11.00. Reported by Nguyen Quoc Khanh (brocked200), the flaw permits unauthenticated, low-complexity code injection leading to RCE on unpatched systems. There are no vendor-provided workarounds or mitigations, so administrators should upgrade to OneView v11.00 or apply the appropriate hotfixes without delay. Separate hotfix packages are available for virtual appliance and Synergy deployments.

Cisco warns of exploited AsyncOS zero-day CVE-2025-20393

🚨 Cisco has warned of a maximum-severity zero-day in AsyncOS (CVE-2025-20393) that is actively exploited by a China-nexus APT tracked as UAT-9686. The flaw carries a CVSS score of 10.0 and can allow arbitrary command execution as root when the Spam Quarantine feature is enabled and reachable from the internet. Cisco observed attacks since late November 2025 and advises isolating affected appliances, restricting internet access, tightening authentication, monitoring web logs, and rebuilding compromised units until a patch is available.

Motors WordPress Theme Flaw Allows Site Takeover at Scale

🔓 A critical arbitrary file upload vulnerability in the Motors WordPress theme could let low-privileged, logged-in users install and activate plugins, enabling remote code execution and full site takeover. The flaw, tracked as CVE-2025-64374, affects versions 5.6.81 and earlier and was discovered by Denver Jackson of the Patchstack Alliance community. The issue stems from an AJAX handler that relies on a nonce for validation but lacks a proper permission check, allowing Subscriber-level users to supply arbitrary plugin URLs. The vendor released a fix in version 5.6.82 on 3 November; site owners should update immediately to mitigate the risk.

React2Shell Exploits Deliver Backdoors, Credential Theft

🔒 Researchers warn that the React2Shell flaw (CVE-2025-55182) is being actively exploited to deploy sophisticated Linux backdoors and harvest credentials. Palo Alto Networks Unit 42 and NTT Security report active use of KSwapDoor and ZnDoor, which provide interactive shells, file operations, lateral scanning, and stealthy mesh networking. Attackers are also abusing Cloudflare Tunnels and secret-scraping tools to extract cloud and AI tokens. Organizations should prioritize discovery, credential rotation, and removal of dropped backdoors and follow vendor mitigations immediately.

Defending Against CVE-2025-55182 (React2Shell) RCE Threat

🔒 Microsoft Defender researchers describe CVE-2025-55182 (React2Shell), a critical pre-authentication remote code execution vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, a single crafted HTTP POST can result in server-side deserialization of attacker-controlled payloads and arbitrary code execution without authentication. Exploitation was observed beginning December 5, 2025, with attackers delivering coin miners, RATs, and other payloads across Windows and Linux environments. Microsoft urges immediate patching to published fixes, enabling Defender telemetry, and applying Azure WAF rules as compensating controls while broader detection coverage is deployed.

FreePBX Fixes Critical SQLi, Upload, AUTH Bypass Flaws

🔒 FreePBX has released patches addressing several high‑severity vulnerabilities, including an authentication bypass that may be triggered when the legacy AUTHTYPE is set to webserver. Horizon3.ai reported authenticated SQL injection flaws and an arbitrary file upload that can be used to deploy a PHP web shell and achieve remote code execution. Administrators should apply the provided updates, ensure Authorization Type is set to usermanager, remove the legacy AUTHTYPE option from Advanced Settings, rotate credentials, and perform forensic checks if legacy settings were enabled.

Google Links Additional Chinese Groups to React2Shell

🔒 Google's Threat Intelligence Group linked five additional China-aligned cyber-espionage groups to active exploitation of the maximum-severity CVE-2025-55182 React2Shell remote code execution flaw affecting React and Next.js server components. Attackers are executing commands and exfiltrating AWS configuration files and credentials from vulnerable hosts; Palo Alto and AWS reported widespread breaches. Shadowserver and GreyNoise are tracking tens of thousands of exposed systems and hundreds of exploit attempts. Organizations should urgently patch affected React 19.0–19.2.0 releases and apply mitigations.