< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 34 of 35

Microsoft Sep 2025 Patch Tuesday: 81 fixes, two zero-days

🔒 Microsoft released its September 2025 Patch Tuesday addressing 81 vulnerabilities, including two publicly disclosed zero-days affecting Windows SMB Server and the Newtonsoft.Json library bundled with SQL Server. The update bundle contains nine Critical fixes — five remote code execution issues — and a total of 41 elevation-of-privilege vulnerabilities across Windows, Azure, and related components. Administrators are advised to apply patches promptly, enable and test SMB Server signing and Extended Protection for Authentication, enable auditing to check compatibility, and ensure SQL Server receives the patched Newtonsoft.Json to mitigate the disclosed flaws.
read more →

SAP fixes critical NetWeaver remote command execution flaw

🔒 SAP released patches in its September security bulletin addressing 21 vulnerabilities, including three critical issues affecting SAP NetWeaver. The most severe, CVE-2025-42944 (10.0), is an insecure deserialization bug in the RMI-P4 module that can allow unauthenticated attackers to execute arbitrary OS commands by sending a malicious Java object to an open port. Two other critical flaws include an insecure file operations bug in Deploy Web Service (CVE-2025-42922, 9.9) that can allow file uploads by non-admin authenticated users, and a missing authentication check (CVE-2025-42958, 9.1) that exposes high-privilege actions and sensitive data. Administrators are advised to apply SAP’s patches and mitigation guidance available via SAP notes.
read more →

Rockwell Automation CompactLogix 5480 Code Execution Flaw

⚠️ Rockwell Automation's CompactLogix® 5480 controllers (versions 32–37.011 with Windows package 2.1.0 on Windows 10 v1607) contain a Missing Authentication for Critical Function vulnerability (CVE-2025-9160). An attacker with physical access could abuse the controller's maintenance menu to execute arbitrary code. CVSS scores are v3: 6.8 and v4: 7.0, and CISA reports the flaw is not remotely exploitable with no public exploitation reported. Rockwell and CISA recommend applying published security best practices and minimizing network exposure.
read more →

Rockwell Automation FactoryTalk Optix MQTT RCE Vulnerability

⚠️ Rockwell Automation disclosed an input-validation defect in the FactoryTalk Optix MQTT broker that can enable remote code execution by loading remote Mosquitto plugins due to lack of URI sanitization. The issue affects versions 1.5.0 through 1.5.7; Rockwell recommends upgrading to 1.6.0 or later. CISA assigned CVE-2025-9161, reports a CVSS v4 base score of 7.3, and advises network segmentation and access restrictions; no public exploitation has been reported.
read more →

September 2025 Patch Tuesday: Microsoft Vulnerabilities

🔔 Microsoft’s September 2025 update addresses 84 vulnerabilities, including two publicly disclosed zero-days and eight Critical issues. CrowdStrike’s analysis identifies elevation of privilege, remote code execution and information disclosure as the top exploitation vectors and notes many critical flaws require some user interaction. Key affected components include Windows, Extended Security Updates (ESU) and Microsoft Office, with notable CVEs in SMB, NTLM, Hyper-V and graphics subsystems. Organizations should prioritize patching, apply mitigations for unpatchable issues, and plan for Windows 10 end of support in October 2025.
read more →

CISA Orders Immediate Patch for Critical Sitecore Flaw

🔒 CISA has ordered immediate patching of a critical deserialization vulnerability in Sitecore (CVE-2025-53690), rated 9.0, after active exploitation was observed. The flaw arises from exposed ASP.NET machine keys—some copied from older deployment guides—and allows ViewState deserialization that leads to remote code execution. Agencies must rotate machine keys, harden configurations, and scan for compromise indicators by September 25, 2025, to mitigate further intrusions.
read more →

Sitecore ViewState Flaw Under Active Exploitation Now

⚠️ Mandiant reports attackers are actively exploiting a leaked ASP.NET machineKey sample from old Sitecore deployment guides to carry out ViewState code-injection attacks that execute arbitrary .NET assemblies in server memory. The issue, tracked as CVE-2025-53690, affects multi-instance deployments of Sitecore XM, XP, and XC that used the static sample key, and may also impact some Sitecore Managed Cloud Standard container configurations. After initial access, adversaries deploy tools Mandiant calls WEEPSTEEL and EARTHWORM, escalate to SYSTEM, create administrative accounts, dump SYSTEM/SAM hives, and move laterally. Sitecore customers are advised to inspect environments for indicators of compromise, rotate and encrypt <machineKey> entries, and follow Microsoft ASP.NET ViewState guidance.
read more →

New TP-Link CWMP Zero-Day Targets Multiple Routers

🔒TP-Link has confirmed an unpatched zero-day in its CWMP implementation that can enable remote code execution on multiple routers. Independent researcher Mehrun (ByteRay) reported the issue to TP-Link on May 11, 2024; the flaw is a stack-based buffer overflow in the SOAP SetParameterValues handler caused by unbounded strncpy calls. TP-Link says a patch exists for some European firmware builds and that fixes for U.S. and other global versions are in development; users should update firmware, change default admin credentials, and disable CWMP if it is not required.
read more →

Sitecore Issues Patch After Critical Exploited Zero-Day

🔒 Mandiant disrupted an active exploitation of a critical zero-day in Sitecore's Experience Manager and Experience Platform that permits remote code execution via ViewState deserialization. Publicly disclosed on September 3 as CVE-2025-53690 (CVSS 9.0), the flaw affects Sitecore versions up to 9.0 when deployments retained the sample ASP.NET machine key published in older deployment guides. Attackers used the vulnerability to deliver WEEPSTEEL and other tooling, harvest credentials and perform lateral movement. Sitecore has issued a security advisory, notified impacted customers and says recent deployments now auto-generate unique machine keys.
read more →

Sitecore ViewState Deserialization Zero-Day Advisory

🔒 Mandiant and Sitecore investigated an active ViewState deserialization exploit that allowed remote code execution on internet-facing Sitecore instances that used publicly exposed sample ASP.NET machine keys. Tracked as CVE-2025-53690, the vulnerability enabled attackers to craft malicious __VIEWSTATE payloads, deploy a reconnaissance backdoor (WEEPSTEEL), and stage tunneling and remote access tooling. Sitecore has updated deployments to auto-generate unique machine keys and notified affected customers; Mandiant recommends rotating keys, enabling ViewState MAC, and encrypting secrets in web.config to mitigate similar attacks.
read more →

Copeland OT Controller Flaws Risk Remote Control and Damage

⚠️ Security firm Armis disclosed 10 vulnerabilities, dubbed Frostbyte10, in Copeland LP E2 and E3 controllers used in heating, cooling, and refrigeration that could let attackers disable or remotely control equipment. Copeland issued firmware 2.31F01; organizations should deploy the update promptly to mitigate exposure. Combined flaws can enable unauthenticated remote code execution with root privileges; specific issues include a predictable default admin account (CVE-2025-6519), API endpoints that expose credential hashes, and unauthenticated file operations. Copeland says engineers acted quickly and that there are no known exploits to date.
read more →

HexStrike-AI Enables Rapid Zero-Day Exploitation at Scale

⚠️ HexStrike-AI is a newly released framework that acts as an orchestration “brain,” directing more than 150 specialized AI agents to autonomously scan, exploit, and persist inside targets. Within hours of release, dark‑web chatter showed threat actors attempting to weaponize it against recent zero‑day CVEs, dropping webshells enabling unauthenticated remote code execution. Although the targeted vulnerabilities are complex and typically require advanced skills, operators claim HexStrike-AI can reduce exploitation time from days to under 10 minutes, potentially lowering the barrier for less skilled attackers.
read more →

Critical SQLi in Paid Memberships Subscriptions Plugin

🔒 A critical unauthenticated SQL injection vulnerability (CVE-2025-49870) was discovered in the WordPress Paid Memberships Subscriptions plugin affecting versions up to 2.15.1, used by over 10,000 sites. Patchstack Alliance researcher ChuongVN reported the flaw, which stems from unsafe handling of PayPal IPN payment IDs. The vendor released 2.15.2 to enforce numeric validation of payment IDs, adopt prepared statements and strengthen input handling; administrators should update immediately.
read more →

Sitecore Vulnerabilities Enable Cache Poisoning to RCE

🔒 Three vulnerabilities affecting the Sitecore Experience Platform can be chained to escalate from HTML cache poisoning to remote code execution. Researchers describe a pre-auth HTML cache reflection (CVE-2025-53693) combined with an insecure deserialization RCE (CVE-2025-53691) and an ItemService API information-disclosure bug (CVE-2025-53694) that permits cache key enumeration and poisoned HTML injection. Sitecore issued patches in June and July 2025; administrators should apply updates, restrict ItemService exposure to trusted networks, and consider WAF rules and other mitigations to reduce the chaining risk.
read more →

WordPress Plugin and Theme Vulnerabilities Surge in 2025

⚠️ Recent investigations show a wave of active attacks against WordPress plugins and themes, including Gravity Forms, the Alone and Motors themes, and Post SMTP. Exploits have enabled remote code execution, administrator account takeover, and mass site compromise, while the Efimer trojan has been distributed from some infected sites. Vendors have issued patches, but many sites remain unpatched—site owners should update immediately and follow hardening best practices.
read more →

Critical FreePBX Zero-Day Under Active Exploitation

🚨 The Sangoma FreePBX project has issued an advisory for an actively exploited zero-day (CVE-2025-57819) that allows unauthenticated access to the Administrator control panel, enabling arbitrary database manipulation and remote code execution. The flaw stems from insufficiently sanitized user input in the commercial endpoint module and impacts FreePBX 15, 16, and 17 prior to their listed patched releases. Administrators should apply the emergency updates immediately, restrict public ACP access, and scan for indicators of compromise.
read more →

Delta Electronics CNCSoft-G2: Out-of-Bounds Write Advisory

⚠️ Delta Electronics disclosed an CNCSoft-G2 out‑of‑bounds write vulnerability (CVE-2025-47728) in DPAX file parsing that can cause memory corruption and enable arbitrary code execution in the affected process. CISA assigns a CVSS v4 base score of 8.5 and notes low attack complexity but requires user interaction such as opening a malicious file or visiting a malicious page. Affected versions include v2.1.0.20 and earlier; Delta recommends updating to v2.1.0.27 or later per advisory Delta-PCSA-2025-00007. CISA advises applying the update, isolating control systems, avoiding untrusted attachments, and following ICS recommended practices; no public exploitation has been reported to date.
read more →

Delta Electronics COMMGR: Remote Code Execution Risks

⚠️ Delta Electronics has identified two critical vulnerabilities in COMMGR (v2.9.0 and earlier) — a stack-based buffer overflow (CVE-2025-53418) and a code injection flaw (CVE-2025-53419) — that can enable arbitrary code execution via crafted .isp files. Delta and CISA rate the combined risk as high (CISA lists CVSS v4 8.8) and recommend upgrading to v2.10.0 or later. Additional mitigations include network segmentation, limiting Internet exposure, and using secure remote access methods. CISA reports no known public exploitation at this time.
read more →

Citrix warns of NetScaler ADC/Gateway zero-day exploit

⚠️ Citrix has warned of multiple zero-day vulnerabilities in NetScaler ADC and NetScaler Gateway, highlighting CVE-2025-7775 as being actively exploited. The critical issue is a memory overflow that can lead to denial of service or remote code execution on appliances meeting specific configuration preconditions. Citrix provides CLI checks to identify affected devices but reports no mitigations or workarounds, and researchers estimate a large percentage of appliances remain unpatched. Administrators are urged to prioritize patching immediately.
read more →

Ten Vulnerabilities in Libbiosig and Multiple Vendors

🔒 Cisco Talos disclosed multiple vulnerabilities affecting libbiosig, Tenda AC6, SAIL, PDF‑XChange Editor, and Foxit PDF Reader. The flaws include integer overflows, heap and stack buffer overflows, out‑of‑bounds reads, authentication and firmware validation weaknesses, and other memory corruption issues that can lead to remote code execution or information disclosure. Vendors have released patches in coordination with Talos and Snort coverage is available to detect exploitation attempts. Apply vendor updates and detection rules immediately to reduce exposure.
read more →