All news with #security advisory tag

ASP.NET Core Kestrel Flaw Earns 9.9 Severity Score Now

⚠️Microsoft patched a critical ASP.NET Core vulnerability in the built‑in Kestrel web server and assigned it a CVSS score of 9.9, the highest rating the vendor has ever issued. Tracked as CVE-2025-55315, the flaw enables authenticated attackers to use HTTP request smuggling to bypass security checks and could allow actions such as logging in as another user, bypassing CSRF protections, or performing injection attacks. Microsoft advises updating affected runtimes or rebuilding and redeploying self‑contained apps, while noting that reverse proxies or gateways may already mitigate exposure.

Critical WatchGuard Fireware VPN Bug Allows Pre-Auth RCE

🔒 Researchers disclosed a recently patched critical vulnerability in WatchGuard Fireware (CVE-2025-9242, CVSS 9.3) that can allow unauthenticated attackers to execute arbitrary code via an out-of-bounds write in the iked process. The flaw affects multiple Fireware branches, including 11.10.2 through 11.12.4_Update1 (EOL noted for 11.x), 12.0 through 12.11.3 and 2025.1, and has been fixed across several updates such as 2025.1.1 and 12.11.4. Administrators are urged to apply the vendor updates immediately, limit internet exposure of VPN interfaces, and follow vendor mitigation guidance until patches are deployed.

Windows 11 updates break localhost HTTP/2 (127.0.0.1)

⚠️ Microsoft’s October Windows 11 updates (notably KB5066835 and the September preview KB5065789) have disrupted HTTP/2 connections to localhost (127.0.0.1), preventing local services and developer tools from completing requests. Users report errors such as "ERR_CONNECTION_RESET" and "ERR_HTTP2_PROTOCOL_ERROR" when applications attempt to connect to the loopback interface. Affected software includes Visual Studio debugging, SSMS Entra ID authentication, and Duo Desktop; community workarounds include disabling HTTP/2 via Registry entries or uninstalling the problematic updates.

Nation-State Actor Steals F5 BIG-IP Source Code Exposed

🔒 On Oct. 15, 2025, F5 disclosed a nation-state compromise that exfiltrated source code and undisclosed vulnerability information from the BIG-IP product development and engineering knowledge platforms. F5 reports no evidence of modification to its software supply chain or access to CRM, financial, support case management, iHealth, NGINX or distributed cloud products. Unit 42 warns the theft could accelerate exploit development and recommends immediate patching, hardening, and targeted threat hunting for anomalous admin activity and configuration changes.

Gladinet patches zero-day in CentreStack file sharing

🔒 Gladinet released an urgent update for its CentreStack business solution to fix a local file inclusion flaw tracked as CVE-2025-11371, which was abused in the wild as a zero-day. The LFI allowed attackers to read Web.config, extract the ASP.NET machine key, and then leverage a prior deserialization RCE (CVE-2025-30406) to achieve remote code execution. Administrators should upgrade to CentreStack version 16.10.10408.56683 immediately; if patching is not possible, disable the temp handler in Web.config for the UploadDownloadProxy component as a temporary mitigation.

Siemens HyperLynx and Industrial Edge Publisher Security

⚠️ Siemens disclosed a type confusion vulnerability (CVE-2025-6554) affecting HyperLynx and Industrial Edge App Publisher, which can enable remote arbitrary read/write and potential code execution via crafted HTML. The issue carries a CVSS v4 base score of 7.0 and a v3.1 score up to 8.1 depending on context. Siemens has released v1.23.5 for App Publisher; no fix is available yet for HyperLynx. Organizations should restrict network exposure, isolate control systems, use secure remote access, and follow Siemens and CISA guidance to mitigate risk.

Rockwell ArmorStart AOP: Uncaught Exception Causes DoS

⚠️ A remotely exploitable uncaught exception in Rockwell Automation's ArmorStart AOP for Studio 5000 Logix Designer can trigger a denial-of-service on versions V2.05.07 and earlier. The issue arises from invalid inputs to COM methods and is tracked as CVE-2025-9437 with a CVSS v4 base score of 8.7 (high). Rockwell reports no fix is available; users should apply vendor best practices and minimize network exposure.

Siemens SiPass integrated vulnerabilities and update

🔒 Siemens released security updates for SiPass integrated to address four vulnerabilities—an Accusoft ImageGear heap-based buffer overflow, stored cross-site scripting, an authorization bypass via user-controlled keys, and recoverable password storage. Exploitation could enable account compromise, data manipulation, impersonation, or arbitrary code execution on affected servers. Siemens recommends updating to V3.0, restricting access to trusted personnel, and avoiding untrusted image uploads; CISA advises isolating devices and using secure remote access.

Siemens TeleControl Server Basic: Remote Auth Bypass

🔒 Siemens TeleControl Server Basic V3.1 contains a critical missing-authentication vulnerability (CVE-2025-40765) that allows unauthenticated remote attackers to obtain user password hashes and perform authenticated database operations. The issue carries a CVSS v3.1 score of 9.8 and a CVSS v4 score of 9.3, with network attack vector and low attack complexity. Siemens advises updating to V3.1.2.3 or later and restricting access to port 8000; CISA emphasizes isolating control networks and minimizing internet exposure. Tenable reported the issue and, to date, CISA has not received reports of public exploitation.

Hitachi Energy MACH GWS Vulnerabilities — Patch Alert

⚠️ Hitachi Energy reported three vulnerabilities in MACH GWS (versions 3.0.0.0–3.4.0.0) that could enable local tampering, denial-of-service via IEC 61850 message handling, or remote man-in-the-middle attacks. The issues are categorized as Incorrect Default Permissions, Improper Validation of Integrity Check Value, and Improper Certificate Validation and carry CVSS v4 scores up to 7.1. Hitachi Energy recommends updating to MACH GWS 3.5 immediately and following deployment guidance such as network segregation, minimal exposed ports, scanning removable media, and enforcing strong password policies. CISA notes no known public exploitation at this time.

Siemens Solid Edge: Multiple PRT Parsing Vulnerabilities

🔒 Siemens' Solid Edge CAD applications contain multiple vulnerabilities in PRT file parsing—two out‑of‑bounds writes (CWE‑787) and two out‑of‑bounds reads (CWE‑125)—tracked as CVE‑2025‑40809 through CVE‑2025‑40812. Affected releases include SE2024 versions prior to V224.0 Update 14 and SE2025 versions prior to V225.0 Update 6. Exploitation could crash the application or enable code execution in the context of the current process; Siemens and CISA recommend applying the listed updates, avoiding untrusted PRT files, and limiting network exposure.

SINEC NMS SQL Injection (CVE-2025-40755) — Siemens Advisory

🛡️ This advisory details an SQL injection vulnerability in Siemens SINEC NMS (versions prior to V4.0 SP1) affecting the getTotalAndFilterCounts endpoint. Assigned CVE-2025-40755 with high severity (CVSS v3.1 8.8 / CVSS v4 8.7), an authenticated low-privilege attacker could inject SQL to insert data and escalate privileges. Siemens advises updating to V4.0 SP1 or later and applying network protections such as segmentation and firewalls; CISA reports no known public exploitation.

Rockwell FactoryTalk Linx MSI Privilege Chaining Flaw

⚠️ Rockwell Automation disclosed two privilege-chaining vulnerabilities in FactoryTalk Linx (versions 6.40 and prior) that allow authenticated Windows users to escalate to SYSTEM privileges by hijacking MSI repair console windows. The issues are tracked as CVE-2025-9067 and CVE-2025-9068 and carry a CVSS v4 base score of 8.5 (CVSS v3.1 7.8). Rockwell recommends applying the Microsoft MSI patch and upgrading to FactoryTalk Linx 6.50 or later; CISA notes these flaws are not remotely exploitable and no public exploitation has been reported.

Rockwell FactoryTalk ViewPoint XML External Entity Flaw

🔒 Rockwell Automation reported a FactoryTalk ViewPoint XML External Entity (XXE) vulnerability (CVE-2025-9066) that can be exploited remotely with low attack complexity to induce a temporary denial-of-service via crafted SOAP requests. Affected devices include PanelView Plus 7 terminals (version 14 and prior). Rockwell released firmware fixes and patches, and CISA recommends minimizing network exposure, isolating control networks, and applying vendor updates promptly. The vulnerability is scored CVSS v4 8.7 (CVSS v3.1 7.5).

Rockwell Automation PanelView and FactoryTalk ME Flaws

🔒 Rockwell Automation disclosed vulnerabilities in FactoryTalk View Machine Edition and PanelView Plus 7 that can allow unauthorized access to device file systems and diagnostic data. CVE-2025-9064 is a network-exploitable path traversal issue; CVE-2025-9063 is an improper-authorization flaw tied to an ActiveX control. Rockwell recommends installing provided firmware and software updates, and CISA advises minimizing network exposure, isolating control networks, and using secure remote access.

Missing Authentication in Siemens SIMATIC ET 200SP Modules

⚠️ Siemens ProductCERT and CISA report a Missing Authentication for Critical Function vulnerability (CVE-2025-40771) affecting SIMATIC ET 200SP CP modules. The flaw allows an unauthenticated remote actor to access device configuration data and is rated highly severe (CVSS v4 9.3; CVSS v3.1 9.8). Siemens advises updating affected modules to V2.4.24 or later and restricting access to trusted IP addresses; CISA recommends minimizing network exposure, isolating control networks, and using secure remote access methods.

CISA Issues Thirteen ICS Advisories on October 16, 2025

🔔 CISA released thirteen Industrial Control Systems (ICS) advisories on October 16, 2025, providing details on vulnerabilities and mitigations affecting multiple vendors. The advisories cover products from Rockwell Automation (FactoryTalk View Machine Edition, Linx, ViewPoint, ArmorStart AOP), Siemens (Solid Edge, SiPass Integrated, SIMATIC ET 200SP Communication Processors, SINEC NMS, TeleControl Server Basic, HyperLynx and Industrial Edge App Publisher), Hitachi Energy (MACH GWS), and updates for Schneider Electric and Delta Electronics. Administrators and operators are urged to review the technical details and apply recommended mitigations to reduce exposure and maintain operational continuity.

ThreatsDay Bulletin: $15B Crypto Seizure, Weekly Risks

🔔 This week’s ThreatsDay bulletin highlights a historic U.S. DOJ seizure of roughly $15 billion in cryptocurrency linked to an alleged transnational fraud network, alongside active commodity malware, phishing-as-a-service, and novel abuses of legitimate tools. Notable incidents include the Brazil-distributed Maverick banking trojan spread via a WhatsApp worm, consumer-grade interception of geostationary satellite traffic, and UEFI BombShell flaws enabling bootkit persistence. Priorities: identity resilience, patching, and monitoring of remote-access and cloud services.

Nation-state Breach Exposes F5 BIG-IP Source Code

⚠️ F5 has confirmed a nation-state actor maintained persistent access to its development systems, including the BIG-IP product development environment and engineering knowledge management platforms, with discovery in August and customer notification on October 15. The breach included stolen files containing BIG-IP source code and information on undisclosed vulnerabilities. While F5 reports no known active exploitation, it and CISA have urged immediate patching and mitigations, and the US government delayed public disclosure in September after a Justice Department order.

CrowdStrike Falcon Blocks Git Vulnerability CVE-2025-48384

🔒 CrowdStrike has identified active exploitation of Git vulnerability CVE-2025-48384 and confirms that Falcon detections can block the observed attack chain. The vulnerability, which affects macOS and Linux, arises from inconsistent handling of carriage return characters in configuration and submodule path parsing and can enable arbitrary file writes during a recursive clone. Observed attacks combined social engineering with malicious repositories that place crafted .gitmodules entries and submodule hooks to execute post-checkout scripts. CrowdStrike urges organizations to patch Git, enable layered protections, deploy provided detection rules and hunting queries, and use Falcon Insight XDR prevention settings to reduce exposure.