< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 35 of 35

INVT VT-Designer and HMITool Vulnerabilities Alert Issued

🔔 CISA warns of multiple memory-corruption vulnerabilities in INVT products VT-Designer (v2.1.13) and HMITool (v7.1.011). The flaws—several out-of-bounds writes and a type confusion bug—occur in PM3 and VPM file parsing and can enable arbitrary code execution in the vulnerable process. Issues are tracked as CVE-2025-7223 through CVE-2025-7231 with CVSS v4 scores up to 8.5. Exploitation requires user interaction, such as opening a crafted file.
read more →

Pre-auth Exploit Chains Found in Commvault Releases

🔒 Commvault has released fixes for four vulnerabilities in versions prior to 11.36.60 that could enable unauthenticated attackers to achieve remote code execution. The flaws include an unauthenticated API access bug, a setup-time default credential exposure, a path traversal allowing filesystem access, and command-line argument injection that can elevate low-privilege sessions. Patches are available in 11.32.102 and 11.36.60; Commvault SaaS is not affected.
read more →

Threat Actors Abuse SDKs to Sell Victim Bandwidth Stealthily

🔍 Unit 42 observed a campaign exploiting CVE-2024-36401 in GeoServer to remotely deploy legitimate SDKs or apps that sell victims' internet bandwidth. The attackers leverage JXPath evaluation to achieve RCE across multiple GeoServer endpoints, then install lightweight binaries that operate quietly to monetize unused network capacity. This approach often uses unmodified vendor SDKs to maximize stealth and persistence while avoiding traditional malware indicators.
read more →

Rockwell Micro800 Series: Critical Remote Exploitation Risk

⚠️ Rockwell Automation's Micro800 family contains multiple high-severity vulnerabilities (CVSS v4 9.3) that could be exploited remotely to achieve code execution or privilege escalation. Affected models include Micro820, Micro850, and Micro870 series on specified firmware versions; impacts stem from flaws in Azure RTOS NetX Duo and ThreadX and malformed CIP packets. Rockwell and CISA advise updating to V23.011+ where available, applying vendor fixes for CVE-2023-48691/48692/48693 and CVE-2025-7693, minimizing network exposure, and performing risk assessments before deployment.
read more →

Donut Shellcode: End-to-End Malware Analysis Tutorial

🧩 This Unit 42 tutorial walks analysts through a complete infection chain that uses Donut-generated shellcode, showing how a small position-independent routine computes its own base address via a call/pop/sub pattern and how that base drives payload offsets. The authors use step-by-step static and dynamic analysis with IDA Pro, x64dbg, dnSpy, and ProcessHacker to validate findings. Readers are shown common techniques such as dynamic API resolution, process injection, and AMSI bypass through memory patching, and are directed to a full PDF on the authors' GitHub for the complete walkthrough.
read more →

Microsoft Patch Tuesday: August 2025 Security Fixes

🔒 Microsoft released fixes for more than 100 vulnerabilities in August 2025, including at least 13 rated Critical. Notable flaws include CVE-2025-53786, which lets attackers pivot from compromised on‑premises Exchange Server instances into cloud tenant services, and CVE-2025-53779 (BadSuccessor), a Kerberos dMSA weakness that can yield domain admin rights. Other high‑risk bugs affect GDI+, Word preview and NTLM; several fixes require configuration steps beyond patch installation.
read more →

Microsoft August 2025 Patch Tuesday: 111 Vulnerabilities

⚠️ Microsoft released its August 2025 Patch Tuesday updates addressing 111 vulnerabilities, including 13 marked critical. The fixes span remote code execution, elevation-of-privilege and information-disclosure flaws across Windows, Hyper-V, Microsoft Office, GDI+ and cloud services. Microsoft reports no observed in-the-wild exploitation but notes several issues where exploitation is assessed as “more likely.” Talos is issuing Snort detection rules and urges administrators to apply vendor updates and intrusion-detection signatures promptly.
read more →

Erlang/OTP SSH RCE: CVE-2025-32433 Exploitation Wave

⚠️ Unit 42 details active exploitation of CVE-2025-32433, a critical (CVSS 10.0) unauthenticated RCE in the Erlang/OTP SSH daemon that processes SSH protocol messages prior to authentication. Researchers reproduced and validated the bug and observed exploit bursts from May 1–9, 2025, with payloads delivering reverse shells and DNS-based callbacks to randomized subdomains. Immediate remediation is to upgrade to OTP-27.3.3, OTP-26.2.5.11 or OTP-25.3.2.20 (or later); temporary measures include disabling SSH, restricting access and applying Unit 42 signature 96163.
read more →

Talos Discloses Multiple WWBN, MedDream, ThreadX Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities across WWBN AVideo, MedDream PACS Premium, and the Eclipse ThreadX FileX component. The issues include several reflected and stored XSS flaws, a race condition and incomplete blacklist handling in AVideo that can be chained to achieve arbitrary code execution, privilege escalation and credential exposure in MedDream, and a RAM-disk buffer overflow in FileX that can lead to remote code execution on embedded devices. All affected vendors issued patches per Cisco’s disclosure policy, and Talos advises deploying vendor fixes and using Snort rule updates and Talos advisories for detection and mitigation guidance.
read more →

ToolShell SharePoint Vulnerabilities and Ongoing Exploitation

🔔 Unit 42 reports active exploitation of multiple on‑premises SharePoint vulnerabilities collectively dubbed ToolShell, enabling unauthenticated remote code execution, authentication bypass, and path traversal. Activity observed from mid‑July 2025 includes web shell deployment, theft of ASP.NET MachineKeys and ViewState material, and delivery of the 4L4MD4R ransomware in at least one chain. Organizations with internet‑exposed SharePoint servers should assume potential compromise and follow containment, patching, cryptographic rotation, and incident response guidance immediately.
read more →

ToolShell SharePoint Zero-Days Exploited in the Wild

🔒 Microsoft and ESET reported active exploitation of a SharePoint Server vulnerability cluster called ToolShell, comprising CVE-2025-53770 (remote code execution) and CVE-2025-53771 (server spoofing). Attacks began on July 17, 2025, and target on-prem SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016; SharePoint Online is not affected. Operators deployed webshells — notably spinstall0.aspx (detected as MSIL/Webshell.JS) and several ghostfile*.aspx samples — to bypass MFA/SSO, exfiltrate data and move laterally across integrated Microsoft services. Microsoft and ESET confirmed patches were released on July 22, and ESET published IoCs and telemetry to assist defenders.
read more →