< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 23 of 35

Critical AXIS Camera Station and Device Manager Flaws

⚠️ CISA warns of critical vulnerabilities in AXIS Camera Station products, including AXIS Camera Station Pro and AXIS Device Manager. Successful exploitation could allow remote code execution, authentication bypass, man-in-the-middle attacks, or local privilege escalation; CVEs include CVE-2025-30023, -30024, -30025, and -30026 (maximum CVSS v3 base score 9.0). Vendor-identified affected releases are older than Pro 6.9, Camera Station 5.58, and Device Manager 5.32; upgrades to these versions or later are the recommended fixes and administrators should minimize network exposure.
read more →

Ignition Vulnerability Allows Unnecessary SYSTEM Execution

⚠️ Inductive Automation Ignition contains a Python scripting vulnerability (CVE-2025-13911) that can allow direct SYSTEM-level code execution on Windows hosts running the Ignition Gateway. The issue stems from insufficient controls on which Python libraries and scripts can be imported and executed, and the Ignition service account running with excessive SYSTEM privileges. A malicious project uploaded by an authenticated administrator can execute bind shells or similar payloads with Gateway process privileges. Inductive Automation identifies affected releases as 8.1.x and 8.3.x and provides mitigations on its Trust Portal; CISA rates the flaw CVSS 3.1 6.4 and recommends network segmentation and reduced exposure.
read more →

ICONICS/Mitsubishi Electric Keypad Code Execution Bug

⚠️ CISA reports CVE-2025-11774, a high-severity vulnerability in the software 'keypad' function of ICONICS Suite, GENESIS64, MobileHMI, and MC Works64. An attacker who tampers with the keypad configuration file can trigger execution of arbitrary EXE files when a legitimate user uses the keypad, enabling information disclosure, tampering, deletion, or a denial-of-service. The issue is rated CVSS 3.1 8.2 (CWE-78). Upgrade affected ICONICS products to GENESIS64 v10.97.3 or V11; MC Works64 users should migrate per vendor guidance.
read more →

LabVIEW Multiple Vulnerabilities Allow Code Execution

⚠ National Instruments released patches addressing multiple vulnerabilities in LabVIEW that could allow information disclosure and arbitrary code execution if a user opens a specially crafted VI file. The flaws include out-of-bounds read/write, use-after-free, and a stack-based buffer overflow across several LabVIEW releases up to 2025_Q3. Administrators should apply the vendor Q3 patch updates and minimize exposure of LabVIEW files while performing risk assessments.
read more →

HPE OneView RCE Flaw (CVE-2025-37164) Requires Patch

⚠️ HPE has released patches for a maximum-severity remote code execution vulnerability, CVE-2025-37164, in OneView that affects all versions prior to v11.00. Reported by Nguyen Quoc Khanh (brocked200), the flaw permits unauthenticated, low-complexity code injection leading to RCE on unpatched systems. There are no vendor-provided workarounds or mitigations, so administrators should upgrade to OneView v11.00 or apply the appropriate hotfixes without delay. Separate hotfix packages are available for virtual appliance and Synergy deployments.
read more →

Cisco warns of exploited AsyncOS zero-day CVE-2025-20393

🚨 Cisco has warned of a maximum-severity zero-day in AsyncOS (CVE-2025-20393) that is actively exploited by a China-nexus APT tracked as UAT-9686. The flaw carries a CVSS score of 10.0 and can allow arbitrary command execution as root when the Spam Quarantine feature is enabled and reachable from the internet. Cisco observed attacks since late November 2025 and advises isolating affected appliances, restricting internet access, tightening authentication, monitoring web logs, and rebuilding compromised units until a patch is available.
read more →

Motors WordPress Theme Flaw Allows Site Takeover at Scale

🔓 A critical arbitrary file upload vulnerability in the Motors WordPress theme could let low-privileged, logged-in users install and activate plugins, enabling remote code execution and full site takeover. The flaw, tracked as CVE-2025-64374, affects versions 5.6.81 and earlier and was discovered by Denver Jackson of the Patchstack Alliance community. The issue stems from an AJAX handler that relies on a nonce for validation but lacks a proper permission check, allowing Subscriber-level users to supply arbitrary plugin URLs. The vendor released a fix in version 5.6.82 on 3 November; site owners should update immediately to mitigate the risk.
read more →

React2Shell Exploits Deliver Backdoors, Credential Theft

🔒 Researchers warn that the React2Shell flaw (CVE-2025-55182) is being actively exploited to deploy sophisticated Linux backdoors and harvest credentials. Palo Alto Networks Unit 42 and NTT Security report active use of KSwapDoor and ZnDoor, which provide interactive shells, file operations, lateral scanning, and stealthy mesh networking. Attackers are also abusing Cloudflare Tunnels and secret-scraping tools to extract cloud and AI tokens. Organizations should prioritize discovery, credential rotation, and removal of dropped backdoors and follow vendor mitigations immediately.
read more →

Defending Against CVE-2025-55182 (React2Shell) RCE Threat

🔒 Microsoft Defender researchers describe CVE-2025-55182 (React2Shell), a critical pre-authentication remote code execution vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, a single crafted HTTP POST can result in server-side deserialization of attacker-controlled payloads and arbitrary code execution without authentication. Exploitation was observed beginning December 5, 2025, with attackers delivering coin miners, RATs, and other payloads across Windows and Linux environments. Microsoft urges immediate patching to published fixes, enabling Defender telemetry, and applying Azure WAF rules as compensating controls while broader detection coverage is deployed.
read more →

FreePBX Fixes Critical SQLi, Upload, AUTH Bypass Flaws

🔒 FreePBX has released patches addressing several high‑severity vulnerabilities, including an authentication bypass that may be triggered when the legacy AUTHTYPE is set to webserver. Horizon3.ai reported authenticated SQL injection flaws and an arbitrary file upload that can be used to deploy a PHP web shell and achieve remote code execution. Administrators should apply the provided updates, ensure Authorization Type is set to usermanager, remove the legacy AUTHTYPE option from Advanced Settings, rotate credentials, and perform forensic checks if legacy settings were enabled.
read more →

Google Links Additional Chinese Groups to React2Shell

🔒 Google's Threat Intelligence Group linked five additional China-aligned cyber-espionage groups to active exploitation of the maximum-severity CVE-2025-55182 React2Shell remote code execution flaw affecting React and Next.js server components. Attackers are executing commands and exfiltrating AWS configuration files and credentials from vulnerable hosts; Palo Alto and AWS reported widespread breaches. Shadowserver and GreyNoise are tracking tens of thousands of exposed systems and hundreds of exploit attempts. Organizations should urgently patch affected React 19.0–19.2.0 releases and apply mitigations.
read more →

Gladinet hardcoded keys enable remote code execution

🔒 Huntress warns attackers are exploiting hardcoded AES keys in Gladinet file‑sharing products CentreStack and Triofox, allowing decryption and forging of access tickets. Because the server uses a static GenerateSecKey() output — identical AES key and IV strings — adversaries can retrieve sensitive files like web.config, extract the ASP.NET machine key, and craft trusted ViewState payloads to achieve remote code execution. Gladinet released fixes on December 8 (build 16.12.10420.56791); Huntress advises immediate patching or temporary replacement of machine keys and notes active exploitation across customer environments.
read more →

React2Shell RCE exploited widely: GTIG findings Dec 2025

⚠️GTIG reports active, widespread exploitation of a critical unauthenticated RCE in React Server Components (CVE-2025-55182, “React2Shell”) disclosed on Dec. 3, 2025. Attackers ranging from opportunistic cryptominers to suspected China-nexus espionage clusters have delivered payloads including MINOCAT, SNOWLIGHT, HISONIC, COMPOOD, and XMRig miners. Exploits target vulnerable react-server-dom-* package versions and commonly use simple HTTP fetch-and-execute chains to establish persistence via cron, systemd, and shell profile modifications. Organizations are advised to patch immediately, deploy WAF rules, audit dependencies, and hunt for the supplied IOCs and YARA signatures.
read more →

React2Shell Zero-Day Sparks Global Exploitation Surge

⚠️ The critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) enables remote, unauthenticated code execution via unsafe deserialization in the React Server Components Flight protocol. Since disclosure on December 3, 2025, multiple actors have exploited it to deliver miners, botnets, and other malware, targeting Next.js and containerized cloud workloads. CISA has accelerated mitigation deadlines and is urging agencies to patch by December 12, 2025; defenders should apply vendor fixes, enable WAF protections, and review logs for indicators of compromise.
read more →

Attackers Exploit Gladinet CentreStack AES Key Flaw

🔐 Hackers are exploiting an undocumented cryptographic flaw in Gladinet's CentreStack and Triofox products that exposes hardcoded AES keys and enables remote code execution. Huntress researchers found static 100-byte strings in GladCtrl64.dll that produce identical encryption keys and IVs across installations, allowing attackers to decrypt or forge access tickets. Attackers have used this to retrieve web.config and abuse the machineKey with a ViewState deserialization flaw for RCE. Gladinet released patches and IoCs; customers should upgrade immediately and rotate machine keys.
read more →

React2Shell and RSC Vulnerabilities: Rapid Exploitation

🚨 Cloudflare's Cloudforce One team observed rapid scanning and exploitation attempts immediately after the public disclosure of React2Shell (CVE-2025-55182) on 2025-12-03. Attackers quickly integrated the unauthenticated RCE into automated reconnaissance using public asset discovery, Nuclei templates, and custom scanners to find exposed React Server Components. Cloudflare deployed Free and Paid WAF rules (default Block) and Worker-level protections while urging immediate patching. Telemetry showed millions of hits, diverse User-Agent fingerprints, and broad payload experimentation.
read more →

Unpatched Gogs zero-day RCE exploited across servers

⚠️ An unpatched zero-day in Gogs enables remote code execution on Internet-facing instances by exploiting a path traversal weakness in the PutContents API (CVE-2025-8110). Attackers abuse symbolic links to overwrite files outside repositories and modify Git configuration values such as sshCommand, forcing arbitrary command execution. Researchers found over 1,400 exposed servers and more than 700 with compromise indicators. Administrators should disable open registration and restrict access immediately.
read more →

Johnson Controls iSTAR Controllers: OS Command Injection

🔒 Johnson Controls disclosed two OS command injection vulnerabilities (CVE-2025-43873, CVE-2025-43874) affecting multiple iSTAR Ultra, iSTAR Ultra G2, and iSTAR Edge G2 door controller firmware versions. Successful exploitation could allow remote attackers to execute OS commands, modify firmware, and gain full device control. Both issues are rated high severity (CVSS v3.1 8.8; CVSS v4 8.7) and are exploitable with low attack complexity. Users are advised to apply vendor firmware updates and reduce network exposure immediately.
read more →

Johnson Controls iSTAR: Remote OS Command Flaws Discovery

🔒 Johnson Controls disclosed two command-injection vulnerabilities in its iSTAR series (CVE-2025-43875, CVE-2025-43876). Both are classified as CWE-78 and carry high severity (CVSS v3.1 8.8; CVSS v4 8.7), exploitable remotely with low complexity. Johnson Controls and CISA advise upgrading affected devices to the fixed firmware and applying network isolation and secure remote-access controls.
read more →

Unpatched Gogs Zero-Day Actively Exploited on 700+ Hosts

⚠️ A high-severity unpatched vulnerability in Gogs (tracked as CVE-2025-8110, CVSS 8.7) is under active exploitation, with Wiz reporting more than 700 compromised internet-facing instances. The flaw is a file-overwrite bug in the PutContents API that mishandles symbolic links, enabling attackers to overwrite arbitrary files and achieve local code execution. A vendor fix is reportedly in development; operators should disable open registration, limit exposure, and scan for randomly named repositories.
read more →