All news with #remote code execution tag

🔒 SolarWinds has released a hotfix addressing a critical unauthenticated remote code execution vulnerability in Web Help Desk tracked as CVE-2025-26399. The flaw affects WHD 12.8.7 and is caused by unsafe deserialization in the AjaxProxy component, described as a patch bypass of earlier CVE-2024-28986/28988 fixes. Administrators should obtain the hotfix from the SolarWinds Customer Portal and follow the vendor’s JAR replacement steps promptly.

🔧 SolarWinds has released a hotfix to address a critical deserialization vulnerability in Web Help Desk that affects versions up to 12.8.7, tracked as CVE-2025-26399 (CVSS 9.8). The unauthenticated AjaxProxy flaw can enable remote command execution on vulnerable hosts if exploited. An anonymous researcher working with the Trend Micro Zero Day Initiative reported the issue. SolarWinds recommends immediate upgrade to 12.8.7 HF1 to mitigate risk.

⚠ Users of GoAnywhere MFT are urged to install an urgent patch for a critical insecure deserialization vulnerability tracked as CVE-2025-10035, rated CVSS 10. The flaw resides in the License Servlet and can allow an attacker with access to the Admin Console to submit a forged license response that deserializes an arbitrary, actor-controlled object, enabling remote command execution. Fortra released fixes in versions 7.8.4 and 7.6.3 and advises customers not to expose the Admin Console directly to the internet. The issue closely mirrors a 2023 vulnerability that was widely exploited by ransomware groups, elevating the risk of rapid exploitation.

🔒 Fortra has released security updates to address a maximum-severity deserialization vulnerability in the License Servlet of GoAnywhere MFT (CVE-2025-10035) that can lead to command injection when a forged license response is accepted. The vendor issued patched builds — GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3 — and advised administrators to remove public access to the Admin Console if immediate patching is not possible. Shadowserver is monitoring over 470 instances, and Fortra emphasized that exploitation is highly dependent on the Admin Console being internet-exposed.

🔒 Fortra has released an urgent patch for GoAnywhere MFT to address a critical deserialization flaw (CVE-2025-10035, CVSS 10.0) in the License Servlet that can allow execution of arbitrary commands when an attacker supplies a forged license response signature. The vendor recommends updating to v7.8.4 or the Sustain Release 7.6.3. If patching cannot be applied immediately, ensure the Admin Console is not publicly accessible. No active exploitation has been reported.

🔒 WatchGuard has patched a critical IKEv2 "iked out of bounds write" vulnerability (CVE-2025-9242) that affects nearly three dozen current and legacy Firebox models. The flaw can enable remote code execution and authentication bypass via VPN ports UDP 500 and UDP 4500 and carries a CVSS score of 9.3, making prompt updates essential. Administrators should update to the vendor-supplied Fireware releases or apply the provided mitigations for environments that cannot upgrade immediately.

⚠️ Hitachi Energy has disclosed multiple high-severity vulnerabilities in Asset Suite, affecting versions 9.6.4.5 and earlier. The issues include SSRF, deserialization of untrusted data, cleartext password exposure, uncontrolled resource consumption, open redirect, and improper authentication that can lead to remote code execution. Customers should apply vendor-provided mitigations and upgrades immediately to reduce exposure.

⚠️ Westermo disclosed an OS command injection vulnerability in WeOS 5 (CVE-2025-46418) affecting versions 5.24 and later. The flaw arises from unsafe handling of media definitions and can allow an authenticated administrator to inject OS commands and potentially exceed intended privileges. CVSS scores include 7.6 (v3.1) and 8.7 (v4). Vendor and CISA recommend restricting admin access, segmenting networks, and using secure remote access practices as mitigations.

🔍 CISA analyzed malicious artifacts deployed after threat actors exploited CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM). The report details two distinct loader/listener sets written to /tmp that enable arbitrary code execution through crafted HTTP requests. CISA provides IOCs, YARA and SIGMA detection rules, and recommends immediate patching and treating MDM systems as high-value assets.

⚠️ Hitachi Energy disclosed a critical deserialization-of-untrusted-data vulnerability affecting Service Suite (versions prior to 9.6.0.4 EP4) that permits unauthenticated remote access via IIOP or T3 to compromise Oracle WebLogic Server. The issue is tracked as CVE-2020-2883 with a CVSS v4 base score of 9.3 and is characterized as remotely exploitable with low attack complexity. Hitachi Energy advises updating affected instances to version 9.8.2 or the latest release and applying vendor mitigation guidance immediately. CISA additionally recommends minimizing network exposure, isolating control networks behind firewalls, using up-to-date VPNs for remote access, and performing risk and impact assessments prior to deploying defensive changes.

🔒 WatchGuard has released security updates to address a remote code execution vulnerability affecting its Firebox firewalls. Tracked as CVE-2025-9242, the flaw stems from an out-of-bounds write in the iked process and can be exploited remotely when devices are configured to use IKEv2 VPN. Patches are available for Fireware OS 12.x, 2025.1, and select 11.x builds, and WatchGuard offers a temporary workaround for environments using branch office VPNs to static peers.

⚠️ Google released security updates for Chrome to address four vulnerabilities, including a zero-day (CVE-2025-10585) in the V8 JavaScript and WebAssembly engine that is reported to be exploited in the wild. The issue is a type confusion bug discovered and reported by Google's Threat Analysis Group on September 16, 2025, and can enable arbitrary code execution or crashes. Users should update to Chrome 140.0.7339.185/.186 (Windows/macOS) or 140.0.7339.185 (Linux) and apply vendor patches for other Chromium-based browsers when available.

⚠️ JFrog Security Research disclosed multiple CVEs in Chaos-Mesh, including three critical flaws that permit in-cluster attackers to execute arbitrary code on any pod. The Chaos Controller Manager exposes an unauthenticated ClusterIP GraphQL /query endpoint on port 10082 by default, enabling mutations such as killProcesses and cleanTcs. The critical issues (CVSS 9.8) arise from unsafe command construction in resolvers and an ExecBypass routine that allows OS command injection. Operators should upgrade to Chaos-Mesh 2.7.3 immediately; as a temporary mitigation redeploy the Helm chart with the control server disabled.

🔴 Researchers from JFrog disclosed critical command-injection vulnerabilities in Chaos-Mesh (tracked as CVE-2025-59358, CVE-2025-59360, CVE-2025-59361, and CVE-2025-59359) that allow an attacker with access to an unprivileged pod to execute shell commands via an exposed GraphQL API and the Chaos Daemon. Three of the flaws carry a CVSS score of 9.8 and can be exploited in default deployments, enabling denial-of-service or full cluster takeover. Users are advised to upgrade to Chaos-Mesh 2.7.3 or to disable the chaosctl tool and its port via the Helm chart as a workaround.

🔒 Apple has released security updates that backport a patch for CVE-2025-43300 to older iPhone, iPad and iPod touch builds. The flaw is an out-of-bounds write in the Image I/O framework that can cause memory corruption, crashes, or enable remote code execution when a device processes a malicious image file. Apple said the issue was exploited in an extremely sophisticated targeted attack and has added improved bounds checking; affected users should install the updates promptly.

🔒 Siemens ProductCERT disclosed multiple high-severity vulnerabilities affecting devices that use Apache HTTP Server components, including RUGGEDCOM, SINEC NMS, and SINEMA. CVE-2021-34798, CVE-2021-39275, and CVE-2021-40438 carry CVSSv3 scores up to 9.8 and can be exploited remotely with low attack complexity. Siemens has published updates for some products (for example, SINEC NMS V1.0.3 and SINEMA Remote Connect Server V3.1), while other platforms currently have no fix planned. CISA advises restricting access to affected systems and following Siemens ProductCERT guidance.

🛡️ Apple has backported a fix for CVE-2025-43300, an ImageIO out-of-bounds write that can cause memory corruption and has been observed in an extremely sophisticated, targeted spyware campaign. The flaw (CVSS 8.8) was reportedly chained with a WhatsApp vulnerability (CVE-2025-55177, CVSS 5.4) in attacks against fewer than 200 individuals. Patches were issued for current releases and older OS builds — including iOS 16.7.12 and iOS 15.8.5 device backports — and distributed across macOS, tvOS, visionOS, watchOS, Safari, and Xcode. Users and administrators should install the available updates immediately to ensure protection.

⚠ A critical remote code execution flaw, CVE-2025-5086, has been observed being exploited in the wild against Delmia Apriso, Dassault Systèmes' manufacturing operations platform. CISA added the issue to its Known Exploited Vulnerabilities catalog with a CVSS score of 9.0, yet the vendor has provided minimal public guidance. Researchers report exploit scans and a circulating sample that was detected by only one AV engine, underscoring urgent patching challenges for manufacturers.

📸 Samsung disclosed a critical remote code execution vulnerability in a closed-source image-parsing library, libimagecodec.quram.so, supplied by Quramsoft that affects devices running Android 13–16. The out-of-bounds write (CVE-2025-21043, CVSS 8.8) can be triggered by a specially crafted image and has been exploited in the wild. Messaging apps are a likely vector and the flaw can operate as a zero-click backdoor. Samsung released an SMR Sep-2025 Release 1 patch; enterprises should prioritize deployment.

⚠ CISA has added a critical remote code execution flaw in DELMIA Apriso to its Known Exploited Vulnerabilities list as CVE-2025-5086, warning that attackers are actively exploiting the issue. The vulnerability is a deserialization of untrusted data that can lead to RCE when vulnerable endpoints process crafted SOAP requests containing a Base64-encoded, GZIP-compressed .NET executable embedded in XML. Dassault Systèmes confirmed the bug affects Releases 2020–2025; CISA has given federal agencies until October 2 to apply updates or mitigations or to cease using the product.