< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 27 of 35

Siemens COMOS: Critical RCE and Data Exposure Fixes

Siemens warns that COMOS contains two high‑severity vulnerabilities — CVE-2023-45133 (CVSS 9.3) and CVE-2024-0056 (CVSS 8.7) — which can enable remote code execution or expose sensitive information. Siemens has released a patch in COMOS V10.4.5 and advises operators to update promptly. Implement network segmentation, avoid direct internet exposure of control systems, and follow Siemens and CISA guidance for secure remote access and system hardening.
read more →

Siemens DLL Hijacking in Software Center and Solid Edge

⚠ Siemens disclosed a DLL hijacking vulnerability (CVE-2025-40827) affecting Siemens Software Center and Solid Edge SE2025. The issue is an uncontrolled search path element (CWE-427) that could permit arbitrary code execution if a crafted DLL is placed on a system. Siemens has published fixes (Software Center v3.5+, Solid Edge V225.0 Update 10+) and recommends network isolation, access controls, and following its industrial security guidance to reduce risk.
read more →

CISA Alerts Agencies to Exploited WatchGuard Firewall Flaw

🔔 CISA has warned federal agencies to patch a critical, actively exploited vulnerability in WatchGuard Firebox firewalls that permits remote code execution through an out-of-bounds write in Fireware OS 11.x (EOL), 12.x, and 2025.1. The agency added CVE-2025-9242 to its Known Exploited Vulnerabilities catalog and imposed a three-week remediation deadline under BOD 22-01. WatchGuard released patches on September 17 but only marked the flaw as exploited on October 21. Internet scans tracked over 75,000 vulnerable appliances before counts fell to roughly 54,000.
read more →

CISA Adds Critical WatchGuard Fireware Flaw to KEV

🔒 CISA has added a critical WatchGuard Fireware vulnerability, CVE-2025-9242 (CVSS 9.3), to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The out-of-bounds write in the OS iked process affects Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3 and 2025.1 and can allow remote unauthenticated code execution. Researchers at watchTowr Labs attribute the flaw to a missing length check on an identification buffer used during the IKE handshake, which permits a pre‑authentication code path before certificate validation. Shadowserver scans show over 54,300 vulnerable Firebox instances worldwide (about 18,500 in the U.S.), and Federal Civilian Executive Branch agencies are directed to apply WatchGuard patches by December 3, 2025.
read more →

Canon TTF Printer Vulnerability Allows Remote Code Execution

🖨️ Independent researcher Peter Geissler disclosed a critical vulnerability (CVE-2024-12649) in certain Canon printers that can be triggered simply by printing an XPS document containing a malicious TTF font. The exploit abuses TTF hinting instructions to overflow a virtual-machine stack in the printer’s font engine, allowing code execution on devices running Canon’s DryOS. Canon has issued firmware updates, but organizations should promptly patch, restrict printer exposure, and segment printers to reduce risk.
read more →

Synology Patches Critical BeeStation RCE Shown at Pwn2Own

🔒 Synology has released a patch for a critical remote code execution flaw (CVE-2025-12686) in BeeStation OS, following a proof-of-concept exploit shown at Pwn2Own Ireland. The vulnerability, described as a buffer copy without checking input size, can enable arbitrary code execution on impacted NAS devices and has no practical mitigations. Synology advises users to upgrade to BeeStation OS 1.3.2-65648 or later to remediate the issue. The flaw was demonstrated by Synacktiv researchers Tek and anyfun, who earned a $40,000 reward.
read more →

Hackers Exploit Triofox AV Feature to Deploy Remote Tools

⚠️ Hackers exploited a critical Triofox vulnerability (CVE-2025-12480) and abused the product's built-in antivirus configuration to achieve remote code execution as SYSTEM. Google Threat Intelligence Group traced the activity to UNC6485 targeting a Triofox server in August; attackers bypassed authentication via Host header/Referer spoofing and configured a malicious scanner to run a PowerShell downloader. Vendor patches are available; administrators should update and audit admin and scanner settings.
read more →

Attackers Exploit Critical Triofox Flaw for Code Execution

⚠️ Mandiant and Google GTIG observed UNC6485 exploiting a critical improper access control flaw, CVE-2025-12480, in Gladinet Triofox versions prior to 16.7.10368.56560. Attackers spoofed a localhost Host header to reach setup pages, create a native 'Cluster Admin' account and upload payloads. They abused the product's anti‑virus configuration to execute arbitrary scripts as SYSTEM, then deployed remote access tools, escalated privileges and exfiltrated credentials. Users are urged to update, audit admin accounts and hunt for indicators of compromise.
read more →

CISA Adds Samsung Zero-Day Used to Deploy LandFall Spyware

🛡️ US federal agencies have been directed to patch a critical Samsung zero-day exploited to deploy spyware on mobile devices. The out-of-bounds write flaw CVE-2025-21042 (CVSS 9.8) was patched by Samsung in April, but Palo Alto Networks reports it has been used in a campaign since mid-2024. Commercial spyware LandFall was embedded in malicious DNG images and distributed via WhatsApp, with possible zero-click remote code execution. CISA added the bug to its KEV catalog and requires mitigation or discontinuation by December 1.
read more →

Triofox Authentication Bypass Leads to Remote Access

🔒 Google's Mandiant reported active n‑day exploitation of a critical authentication bypass in Gladinet's Triofox (CVE-2025-12480, CVSS 9.1) that lets attackers access configuration pages and execute arbitrary payloads. Adversaries abused the product's antivirus executable path to run a malicious batch, installing Zoho UEMS and remote‑access tools such as Zoho Assist and AnyDesk. Operators created admin accounts, escalated privileges, and established SSH tunnels for inbound RDP. Triofox customers should apply the vendor patch, remove unauthorized admins, and verify antivirus executable paths cannot run untrusted scripts.
read more →

CISA Orders Federal Patch for Samsung Zero‑Day Spyware

🔒 CISA has ordered U.S. federal agencies to patch a critical Samsung vulnerability, CVE-2025-21042, which has been exploited to deploy LandFall spyware via malicious DNG images sent over WhatsApp. The flaw is an out-of-bounds write in libimagecodec.quram.so affecting devices on Android 13 and later; Samsung issued a patch in April after reports from Meta and WhatsApp security teams. CISA added the bug to its Known Exploited Vulnerabilities catalog and requires Federal Civilian Executive Branch agencies to remediate by December 1 under BOD 22-01. The spyware can exfiltrate data, record audio, and track location.
read more →

Critical RCE in expr-eval JavaScript Library, affects NPM

⚠️ A critical remote code execution vulnerability (CVE-2025-12735) has been disclosed in the popular expr-eval JavaScript expression parser, which sees over 800,000 weekly downloads on NPM. Reported by Jangwoo Choe and rated 9.8 by CISA, the flaw stems from insufficient validation of the variables/context object passed to Parser.evaluate(), allowing attacker-supplied function objects to be invoked during evaluation. Both the original project and its maintained fork are affected; the fork provides a fix in v3.0.0. Developers should migrate to the patched fork and republish dependent packages immediately.
read more →

Triofox CVE-2025-12480: Unauthenticated Access Leads to RCE

⚠️ Mandiant Threat Defense observed active exploitation of an unauthenticated access control vulnerability in Gladinet's Triofox (CVE-2025-12480) that allowed attackers to bypass authentication and reach administrative setup pages. By manipulating the HTTP Host header to impersonate localhost, attackers accessed protected admin workflows, created a native admin account, and configured the built-in anti‑virus engine to execute a malicious script as SYSTEM. The chain led to a PowerShell downloader, installation of a legitimate Zoho UEMS agent, and deployment of remote access tools; the vulnerability affected Triofox 16.4.10317.56372 and was mitigated in 16.7.10368.56560. Operators should upgrade immediately, audit admin accounts, and restrict anti‑virus engine paths.
read more →

Cisco Fixes Critical Authentication and RCE Flaws in CCX

🔒 Cisco has released security updates for Unified Contact Center Express (CCX) to address two critical vulnerabilities that can enable authentication bypass and remote code execution as root. The company issued software updates 15.0 ES01 and 12.5 SU3 ES07 and urged customers to apply them immediately. Cisco also fixed four medium-severity issues across CCX, CCE and UIC, and warned of a new attack variant affecting ASA and FTD devices tied to earlier patches.
read more →

Critical Cisco UCCX Flaw Allows Remote Root Execution

🔒 Cisco has released updates to address a critical vulnerability in Unified Contact Center Express (UCCX)CVE-2025-20354 — found in the Java RMI process that can let unauthenticated attackers execute arbitrary commands as root. A separate CCX Editor flaw allows authentication bypass and script execution with admin privileges. Administrators should upgrade to the first fixed releases (12.5 SU3 ES07 or 15.0 ES01) immediately; Cisco has not yet observed active exploitation.
read more →

Critical RCE in React Native CLI Exposes Dev Servers

⚠️ A critical remote-code execution vulnerability in @react-native-community/cli and its cli-server-api component lets attackers run arbitrary OS commands via the Metro development server. The flaw stems from a /open-url endpoint that forwards a supplied URL directly to the open() package and, despite console messages, the server can bind to 0.0.0.0 rather than localhost. JFrog demonstrated Windows exploitation and the issue is fixed in cli-server-api version 20.0.0; users should update or bind the server to 127.0.0.1.
read more →

Advantech DeviceOn/iEdge: Multiple Remote Flaws Report

⚠️ Advantech DeviceOn/iEdge versions 2.0.2 and earlier contain multiple remotely exploitable vulnerabilities, including XSS and several path-traversal flaws assigned CVE-2025-64302, CVE-2025-62630, CVE-2025-59171, and CVE-2025-58423. Successful exploitation may lead to denial-of-service, arbitrary file disclosure, or remote code execution with system-level permissions. CISA notes the products are EOL and recommends upgrading to DeviceOn, isolating devices from the internet, and using secure remote access methods to reduce risk.
read more →

ABB FLXeon Devices: Multiple Remote-Access Vulnerabilities

ABB FLXeon devices are affected by multiple high-severity vulnerabilities, including hard-coded credentials, MD5 password hashing without proper salt, and improper input validation that can enable remote code execution. Combined CVSS v4 scores reach up to 8.7 and successful exploitation could allow remote control, arbitrary code execution, or device crashes. ABB and CISA advise disconnecting Internet-exposed units, applying the latest firmware, enforcing physical access controls, and using secure remote-access methods such as properly configured VPNs.
read more →

Critical Post SMTP WordPress Plugin Flaw Enables Takeover

⚠️ A critical vulnerability in the popular Post SMTP WordPress plugin, which has more than 400,000 active installations, allowed unauthenticated attackers to read email logs — including password reset messages — and change any user password, enabling full account and site takeover. Wordfence reported active exploitation and urged immediate updates after detecting thousands of automated attacks. Administrators should install the patched release or disable the plugin immediately to prevent compromise.
read more →

CISA Warns of Critical CentOS Web Panel RCE Exploit

⚠️ CISA warns that a critical remote command execution vulnerability, tracked as CVE-2025-48703, is being exploited in the wild against CentOS Web Panel (CWP). The flaw impacts all CWP versions before 0.9.8.1204 and allows unauthenticated attackers who know a valid username to inject shell commands via the file-manager changePerm t_total parameter. The vendor fixed the issue in 0.9.8.1205, and federal agencies have until Nov 25 under BOD 22-01 to remediate or stop using the product.
read more →