All news with #remote code execution tag

🔒 Cybersecurity researchers disclosed a chain of remote code execution (RCE) vulnerabilities affecting AI inference frameworks from Meta, NVIDIA, Microsoft and open-source projects such as vLLM and SGLang. The flaws stem from reused code that called ZeroMQ’s recv-pyobj() and passed data directly into Python’s pickle.loads(), enabling unauthenticated RCE over exposed sockets. Vendors have released patches replacing unsafe pickle usage with JSON-based serialization and adding authentication and transport protections. Operators are urged to upgrade to patched releases and harden ZMQ channels, restrict network exposure, and avoid deserializing untrusted data.

⚠️ ImunifyAV, a widely used Linux malware scanner, contains a remote code execution flaw in its AI-bolit component affecting versions prior to 32.7.4.0. The vulnerability is rooted in unsafe use of call_user_func_array during deobfuscation, which can execute attacker-supplied PHP function names when the scanner performs active unpacking. CloudLinux released fixes in late October and backported them on November 10; administrators should update to 32.7.4.0 or newer immediately to mitigate risk.

⚠️ Quokka's assessment of the Uhale Android platform used in many consumer digital picture frames found devices that download and execute malware on boot. The tested units update to Uhale app 4.2.0, install a JAR/DEX payload from China-based servers, and persistently load it at every reboot. Devices were rooted, shipped with SELinux disabled and signed with AOSP test-keys, increasing exposure. Quokka disclosed 17 vulnerabilities (11 with CVEs) including remote code execution, command injection, an unauthenticated file server and insecure WebViews; researchers linked artifacts to Vo1d and Mezmess while the vendor did not respond to notifications.

🔒 Amazon Threat Intelligence disclosed an advanced APT campaign that weaponized zero-day vulnerabilities in Citrix NetScaler (Citrix Bleed 2, CVE-2025-5777) and Cisco Identity Services Engine (CVE-2025-20337). Attackers achieved pre-auth remote code execution via input-validation and deserialization flaws and deployed an in-memory web shell masquerading as the ISE IdentityAuditAction component. The implant registered as a Tomcat HTTP listener, used DES with nonstandard Base-64 encoding, required specific HTTP headers, and relied on Java reflection and bespoke decoding routines to evade detection.

🔒 CISA has ordered U.S. federal agencies to fully patch two actively exploited vulnerabilities in Cisco firewall appliances within 24 hours. Tracked as CVE-2025-20362 and CVE-2025-20333, the flaws permit unauthenticated access to restricted URL endpoints and remote code execution; chained together they can yield full device takeover. The agency emphasized applying the latest updates to all ASA and Firepower devices immediately, not just Internet-facing units.

🔒 Siemens disclosed multiple vulnerabilities in Spectrum Power 4 that allow privilege escalation and remote command execution in affected versions prior to V4.70 SP12 Update 2. Several issues carry high severity ratings (CVSS v4 up to 8.7) and include weaknesses such as incorrect privilege and permission assignments (CWE-266, CWE-732), incorrect use of privileged APIs (CWE-648), and inclusion of untrusted control-sphere functionality (CWE-829). Siemens recommends updating to V4.70 SP12 Update 2 and limiting network exposure; CISA reiterates defensive best practices.

⚠️ Siemens published an advisory for LOGO! 8 and SIPLUS LOGO! devices detailing three vulnerabilities (CVE-2025-40815, CVE-2025-40816, CVE-2025-40817) that could enable remote code execution, denial-of-service, or unauthenticated device manipulation. CVE-2025-40815 is a buffer overflow (CVSSv4 8.6) caused by improper TCP packet validation; the others are missing-authentication issues affecting IP and time configuration. Siemens is preparing fixes; interim mitigations include protecting LSC access with a strong password and restricting UDP port 10006 to trusted IPs while CISA recommends impact analyses before changes.

⚠️ Rockwell Automation's AADvance-Trusted SIS Workstation has a directory traversal vulnerability (CWE-22) in DotNetZip (v1.16.0 and earlier) that can enable remote code execution if a user opens a crafted file. The issue is tracked as CVE-2024-48510 and has a CVSS v4 base score of 8.6 (CVSS v3.1 8.8). Affected versions are 2.00.00 through 2.00.04; Rockwell reports the defect is corrected in Version 2.01.00. Users unable to immediately upgrade should follow vendor guidance, minimize network exposure of control devices, isolate control networks, use secure remote access, and contact Rockwell support for assistance.

⚠ Siemens warns that COMOS contains two high‑severity vulnerabilities — CVE-2023-45133 (CVSS 9.3) and CVE-2024-0056 (CVSS 8.7) — which can enable remote code execution or expose sensitive information. Siemens has released a patch in COMOS V10.4.5 and advises operators to update promptly. Implement network segmentation, avoid direct internet exposure of control systems, and follow Siemens and CISA guidance for secure remote access and system hardening.

⚠ Siemens disclosed a DLL hijacking vulnerability (CVE-2025-40827) affecting Siemens Software Center and Solid Edge SE2025. The issue is an uncontrolled search path element (CWE-427) that could permit arbitrary code execution if a crafted DLL is placed on a system. Siemens has published fixes (Software Center v3.5+, Solid Edge V225.0 Update 10+) and recommends network isolation, access controls, and following its industrial security guidance to reduce risk.

🔔 CISA has warned federal agencies to patch a critical, actively exploited vulnerability in WatchGuard Firebox firewalls that permits remote code execution through an out-of-bounds write in Fireware OS 11.x (EOL), 12.x, and 2025.1. The agency added CVE-2025-9242 to its Known Exploited Vulnerabilities catalog and imposed a three-week remediation deadline under BOD 22-01. WatchGuard released patches on September 17 but only marked the flaw as exploited on October 21. Internet scans tracked over 75,000 vulnerable appliances before counts fell to roughly 54,000.

🔒 CISA has added a critical WatchGuard Fireware vulnerability, CVE-2025-9242 (CVSS 9.3), to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The out-of-bounds write in the OS iked process affects Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3 and 2025.1 and can allow remote unauthenticated code execution. Researchers at watchTowr Labs attribute the flaw to a missing length check on an identification buffer used during the IKE handshake, which permits a pre‑authentication code path before certificate validation. Shadowserver scans show over 54,300 vulnerable Firebox instances worldwide (about 18,500 in the U.S.), and Federal Civilian Executive Branch agencies are directed to apply WatchGuard patches by December 3, 2025.

🖨️ Independent researcher Peter Geissler disclosed a critical vulnerability (CVE-2024-12649) in certain Canon printers that can be triggered simply by printing an XPS document containing a malicious TTF font. The exploit abuses TTF hinting instructions to overflow a virtual-machine stack in the printer’s font engine, allowing code execution on devices running Canon’s DryOS. Canon has issued firmware updates, but organizations should promptly patch, restrict printer exposure, and segment printers to reduce risk.

🔒 Synology has released a patch for a critical remote code execution flaw (CVE-2025-12686) in BeeStation OS, following a proof-of-concept exploit shown at Pwn2Own Ireland. The vulnerability, described as a buffer copy without checking input size, can enable arbitrary code execution on impacted NAS devices and has no practical mitigations. Synology advises users to upgrade to BeeStation OS 1.3.2-65648 or later to remediate the issue. The flaw was demonstrated by Synacktiv researchers Tek and anyfun, who earned a $40,000 reward.

⚠️ Hackers exploited a critical Triofox vulnerability (CVE-2025-12480) and abused the product's built-in antivirus configuration to achieve remote code execution as SYSTEM. Google Threat Intelligence Group traced the activity to UNC6485 targeting a Triofox server in August; attackers bypassed authentication via Host header/Referer spoofing and configured a malicious scanner to run a PowerShell downloader. Vendor patches are available; administrators should update and audit admin and scanner settings.

⚠️ Mandiant and Google GTIG observed UNC6485 exploiting a critical improper access control flaw, CVE-2025-12480, in Gladinet Triofox versions prior to 16.7.10368.56560. Attackers spoofed a localhost Host header to reach setup pages, create a native 'Cluster Admin' account and upload payloads. They abused the product's anti‑virus configuration to execute arbitrary scripts as SYSTEM, then deployed remote access tools, escalated privileges and exfiltrated credentials. Users are urged to update, audit admin accounts and hunt for indicators of compromise.

🛡️ US federal agencies have been directed to patch a critical Samsung zero-day exploited to deploy spyware on mobile devices. The out-of-bounds write flaw CVE-2025-21042 (CVSS 9.8) was patched by Samsung in April, but Palo Alto Networks reports it has been used in a campaign since mid-2024. Commercial spyware LandFall was embedded in malicious DNG images and distributed via WhatsApp, with possible zero-click remote code execution. CISA added the bug to its KEV catalog and requires mitigation or discontinuation by December 1.

🔒 Google's Mandiant reported active n‑day exploitation of a critical authentication bypass in Gladinet's Triofox (CVE-2025-12480, CVSS 9.1) that lets attackers access configuration pages and execute arbitrary payloads. Adversaries abused the product's antivirus executable path to run a malicious batch, installing Zoho UEMS and remote‑access tools such as Zoho Assist and AnyDesk. Operators created admin accounts, escalated privileges, and established SSH tunnels for inbound RDP. Triofox customers should apply the vendor patch, remove unauthorized admins, and verify antivirus executable paths cannot run untrusted scripts.

🔒 CISA has ordered U.S. federal agencies to patch a critical Samsung vulnerability, CVE-2025-21042, which has been exploited to deploy LandFall spyware via malicious DNG images sent over WhatsApp. The flaw is an out-of-bounds write in libimagecodec.quram.so affecting devices on Android 13 and later; Samsung issued a patch in April after reports from Meta and WhatsApp security teams. CISA added the bug to its Known Exploited Vulnerabilities catalog and requires Federal Civilian Executive Branch agencies to remediate by December 1 under BOD 22-01. The spyware can exfiltrate data, record audio, and track location.

⚠️ A critical remote code execution vulnerability (CVE-2025-12735) has been disclosed in the popular expr-eval JavaScript expression parser, which sees over 800,000 weekly downloads on NPM. Reported by Jangwoo Choe and rated 9.8 by CISA, the flaw stems from insufficient validation of the variables/context object passed to Parser.evaluate(), allowing attacker-supplied function objects to be invoked during evaluation. Both the original project and its maintained fork are affected; the fork provides a fix in v3.0.0. Developers should migrate to the patched fork and republish dependent packages immediately.