All news with #remote code execution tag

🔒 Cisco Talos disclosed multiple vulnerabilities across Dell ControlVault, the Entr'ouvert Lasso SAML library, and the GL.iNet Slate AX travel router. Issues range from a hard-coded password and privilege escalation in ControlVault to memory corruption and buffer overflows that can enable arbitrary code execution, a type confusion bug and DoS in Lasso, and an OTA firmware downgrade in GL.iNet. Vendors have issued patches under Cisco’s disclosure policy and Snort rule updates are available to detect exploitation. Administrators should apply vendor updates, verify OTA integrity mechanisms, and deploy IDS signatures promptly.

⚠️ASUS has released firmware updates to remediate nine vulnerabilities, including a critical authentication bypass (CVE-2025-59366) affecting routers with AiCloud enabled. The flaw is caused by an unintended Samba side effect and can be exploited by unauthenticated remote attackers chaining a path traversal and an OS command injection in low-complexity attacks. Users should apply the provided firmware (3.0.0.4_386, 3.0.0.4_388, 3.0.0.6_102) immediately or follow ASUS mitigation guidance for end-of-life models.

⚠️ Zenitel has disclosed multiple high‑severity vulnerabilities in the TCIV-3+ intercom device, including three OS command injection flaws, an out‑of‑bounds write, and a reflected XSS. The issues (CVE-2025-64126 through CVE-2025-64130) carry high CVSS ratings — several are scored CVSS v4 10.0 — and can be exploited remotely with low complexity. Zenitel advises upgrading to version 9.3.3.0 or later; CISA recommends isolating devices, minimizing Internet exposure, and applying defensive controls until patches are deployed.

🔒 Rockwell Automation has released an update for Arena Simulation to address a stack-based buffer overflow (CWE-121) in the parsing of DOE files that could allow local attackers to execute arbitrary code. The issue, tracked as CVE-2025-11918 (CVSS v4 7.1), affects versions 16.20.10 and earlier and requires opening a malicious DOE file. Rockwell fixed the vulnerability in 16.20.11; users should upgrade or apply recommended mitigations to reduce exposure.

⚠️ The Cybersecurity and Infrastructure Security Agency (CISA) added a critical pre-authenticated remote code execution flaw in Oracle Identity Manager (CVE-2025-61757) to its Known Exploited Vulnerabilities catalog after active exploitation was observed. Searchlight Cyber reported that a flawed authentication filter combined with matrix/query parameters lets attackers bypass auth and reach a Groovy compile endpoint, enabling RCE through compile-time annotation processing. Oracle fixed the issue in its October 2025 Critical Patch Update; federal agencies must remediate by December 12, 2025.

🔴 Oracle Identity Manager is affected by a critical unauthenticated remote code execution flaw, CVE-2025-61757, impacting versions 12.2.1.4.0 and 14.1.2.1.0. Disclosed by Searchlight Cyber on 20 November and reported by Oracle on 21 November, the bug was added to the CISA KEV catalog the same day. The issue resides in the REST WebServices component and carries a CVSS score of 9.8, enabling HTTP access to execute arbitrary code and potentially allowing full takeover. CISA urges immediate patching or isolation of affected services from the public internet.

🛡️ A recently patched WSUS deserialization flaw, CVE-2025-59287, has been weaponized to install the ShadowPad backdoor on Windows servers. AhnLab's ASEC reports attackers used PowerCat to spawn a CMD shell and then leveraged certutil and curl to retrieve payloads from 149.28.78.189:42306. ShadowPad was deployed via DLL side-loading of ETDApix.dll by ETDCtrlHelper.exe and runs as an in-memory loader with plugin support, anti-detection, and persistence.

⚠️ CISA has added CVE-2025-61757 to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation targeting Oracle Identity Manager. The flaw, a missing-authentication issue with a CVSS score of 9.8, affects versions 12.2.1.4.0 and 14.1.2.1.0 and was addressed in Oracle's recent quarterly updates. Searchlight Cyber researchers demonstrated that an allow-list bypass using URI tricks such as ?WSDL or ;.wadl can expose protected API endpoints and enable pre-authenticated remote code execution via the groovyscriptstatus endpoint. Federal civilian agencies must apply the patch by December 12, 2025.

🚨 CISA has added CVE-2025-61757, a pre-authentication remote code execution vulnerability in Oracle Identity Manager, to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by December 12 under BOD 22-01. The flaw, disclosed by Searchlight Cyber, abuses an authentication bypass in REST APIs by appending parameters such as ?WSDL or ;.wadl to URL paths, exposing a Groovy compilation endpoint. Researchers showed that Groovy's annotation-processing can execute code at compile time, enabling pre-auth RCE. Oracle released a fix on October 21, 2025; CISA warned the issue is being actively exploited.

⚠️ SonicWall has released patches for a high-severity SonicOS SSLVPN vulnerability (CVE-2025-40601) that can trigger a stack-based buffer overflow and remotely crash Gen7 and Gen8 firewalls. The company says the flaw allows a remote unauthenticated attacker to cause a DoS but reports no active exploitation or public PoC. Fixed versions are 7.3.1-7013+ for Gen7 and 8.0.3-8011+ for Gen8; admins unable to patch should disable SSLVPN or restrict access.

⚠️ D-Link has issued an advisory for remotely exploitable command-execution vulnerabilities in its end-of-life DIR-878 router. A researcher using the name Yangyifan (GitHub: yifan20020708) published technical details and proof-of-concept code demonstrating the issues. Four CVEs are listed—three allow unauthenticated remote command execution and one is a USB/physical-access overflow. D-Link recommends replacing EOL units and disabling WAN/remote management until devices are replaced.

⚠️ A remotely exploitable OS command injection in the Opto 22 Groov Manage REST API allows attackers with administrative credentials to inject shell commands that execute as root on affected GRV-EPIC and groov RIO devices. The issue is tracked as CVE-2025-13087 and carries a CVSS v4 base score of 7.5. Opto 22 has released firmware 4.0.3 to address the flaw; users should apply the update promptly. CISA also recommends isolating control networks, minimizing Internet exposure, and monitoring API and system logs for suspicious activity.

⚠ Emerson's Appleton UPSMON-PRO contains a stack-based buffer overflow that can be triggered remotely via UDP port 2601. A crafted UDP packet can overwrite stack memory and enable arbitrary code execution with SYSTEM privileges if UPSMONProService traffic is not validated; the issue is tracked as CVE-2024-3871 and carries high severity (CVSS v3.1 9.8; CVSS v4 9.3). Affected versions are 2.6 and earlier; Emerson lists the product as End of Life, and CISA advises replacing unsupported units or applying mitigations such as blocking UDP 2601, isolating monitoring networks, filtering oversized packets, and monitoring for service crashes.

⚠️ A critical unauthenticated command injection (CVE-2025-9501) in the W3 Total Cache WordPress plugin allows attackers to execute arbitrary PHP via a crafted comment that abuses the _parse_dynamic_mfunc() routine. The developer released 2.8.13 on October 20 to address the flaw, but WordPress.org data indicate hundreds of thousands of sites may still be vulnerable. WPScan has produced a proof-of-concept exploit and plans public release on November 24, increasing the immediate risk for unpatched installations.

⚠️A high-severity vulnerability (CVE-2025-11001, CVSS 7.0) in 7-Zip that mishandles symbolic links in ZIP archives is being actively exploited in the wild, NHS England Digital warns. The flaw can trigger directory traversal and enable remote code execution and was addressed in 7-Zip 25.00 released in July 2025. A related issue, CVE-2025-11002, was also fixed in that release. Proof-of-concept exploits are public, and exploitation requires an elevated Windows user or service account or developer mode enabled, so users should apply the update immediately.

🔒 Fortinet's FortiWeb appliances are affected by a critical vulnerability tracked as CVE-2025-64446 that researchers say was exploited in the wild before an official advisory. The issue chains a relative path traversal to an internal CGI backend with an HTTP_CGIINFO header authentication bypass that allows unauthenticated admin impersonation and potential remote code execution. Fortinet released fixes in multiple 7.x and 8.x maintenance updates and recommends disabling HTTP/HTTPS on internet-facing management interfaces if upgrades cannot be applied immediately.

🔒 METZ CONNECT released firmware updates addressing multiple critical vulnerabilities in EWIO2 devices that allow unauthenticated remote attackers to bypass authentication, upload and execute arbitrary code, and read PHP source files. The flaws include an authentication bypass, PHP remote file inclusion, unrestricted file uploads, path traversal, and improper access control. METZ CONNECT firmware 2.2.0 remediates these issues; administrators should schedule and install the update and ensure devices are not exposed to the internet.

⚠️ RondoDox operators are exploiting a critical remote code execution flaw in XWiki Platform (CVE-2025-24893), which CISA flagged as actively exploited on October 30. VulnCheck observed attacks beginning November 3 that inject base64-encoded Groovy into the XWiki SolrSearch endpoint via a crafted HTTP GET to download and run a remote shell (rondo..sh) that stages the main payload. Administrators should upgrade to 15.10.11 or 16.4.1, apply network controls, and use published IoCs to block scanning and payload hosts.

⚠️ RondoDox has been observed exploiting unpatched XWiki instances to weaponize a critical eval injection, CVE-2025-24893, enabling arbitrary remote code execution via the /bin/get/Main/SolrSearch endpoint. The flaw was patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1 in late February 2025, but scanning and exploitation surged in November, including botnet-driven DDoS and cryptocurrency miner deployments. Security vendors noted spikes in activity on November 7 and November 11 and observed RondoDox adding this vector on November 3, 2025. Administrators should apply vendor patches immediately and review logs and network traffic for indicators of compromise.

⚠️ Oligo Security researcher Avi Lumelsky disclosed a widespread insecure-deserialization pattern dubbed ShadowMQ that affects major AI inference engines including vLLM, NVIDIA TensorRT-LLM, Microsoft Sarathi-Serve, Modular Max Server and SGLang. The root cause is using ZeroMQ's recv_pyobj() to deserialize network input with Python's pickle, permitting remote arbitrary code execution. Patches vary: some projects fixed the issue, others remain partially addressed or unpatched, and mitigations include applying updates, removing exposed ZMQ sockets, and auditing code for unsafe deserialization.