All news with #security advisory tag

HP Pulls Update That Broke Entra ID Auth on AI PCs

⚠️ HP has pulled an over-the-air update to HP OneAgent for Windows 11 after a cleanup script removed Microsoft certificates required for some organizations to authenticate to Microsoft Entra ID. The silent update deployed on HP AI PCs ran package SP161710 and an install.cmd that deleted any certificate containing the substring "1E", producing false positives. Affected devices disconnected from Entra ID/Intune; HP says the update is no longer available and is assisting impacted customers.

CISA Warns of Critical Lanscope Endpoint Manager Flaw

⚠️ CISA warns that attackers are exploiting a critical flaw (CVE-2025-61932) in Motex's Lanscope Endpoint Manager, enabling unauthenticated remote code execution via specially crafted packets. The issue affects client components in versions 9.4.7.2 and earlier; Motex has released patched client builds and noted managers do not require updates. No mitigations are available—install the vendor updates; CISA added the flaw to its KEV with a Nov. 12 remediation deadline for federal agencies.

Microsoft Disables Explorer Preview for Internet Files

🔒 Microsoft has updated File Explorer to disable the preview pane by default for files downloaded from the Internet or marked with the Mark of the Web. The change, included in Windows security updates released on and after October 14, 2025, is designed to block exploits that can leak NTLM hashes when previewed documents reference external resources. When preview is blocked, File Explorer shows a warning and users can manually unblock trusted files via Properties > Unblock or add the location to Trusted sites/Local intranet; a sign-out may be required for the change to take effect.

Microsoft Blocks Ransomware Campaign Targeting Teams Users

🛡️ Microsoft said it disrupted a ransomware campaign that used fake Teams installers to deliver a backdoor and prepare for encryption operations. Attackers lured victims with impersonated MSTeamsSetup.exe files hosted on malicious domains, which installed a loader and a fraudulently signed Oyster backdoor. The group identified as Vanilla Tempest intended to follow with Rhysida ransomware. Microsoft revoked over 200 fraudulent code-signing certificates and says a fully enabled Defender Antivirus will block the threat.

AutomationDirect Productivity Suite: Multiple High-Risk Flaws

⚠️ AutomationDirect's Productivity Suite and several Productivity PLC models contain multiple high-severity vulnerabilities — including relative path traversal (ZipSlip), a weak password recovery mechanism, incorrect permission assignment, and binding to an unrestricted IP address. Exploitation could allow remote attackers to read, write, or delete files, execute arbitrary code, or gain full control of projects. AutomationDirect has released updates (Productivity Suite v4.5.0.x and newer) and recommends applying the latest firmware and implementing network isolation and firewall/NAC controls if immediate upgrades are not possible.

ASKI Energy ALS-Mini S4/S8: Missing Authentication Flaw

⚠ An unauthenticated access vulnerability in the embedded web server of ASKI Energy ALS‑Mini‑S4 and ALS‑Mini‑S8 IP controllers allows remote actors to read and modify device configuration, potentially yielding full control. Tracked as CVE-2025-9574, the issue is a Missing Authentication for Critical Function (CWE‑306) with a CVSS v4 base score of 9.9. ABB reports these products reached end of life in 2022 and will not be patched; operators should remove internet exposure, place devices behind firewalls or secure proxies that enforce authentication and logging, restrict access to whitelisted IPs, monitor for unauthorized access with IDS/IPS, or physically disconnect the Ethernet port if web features are not required.

Delta ASDA-Soft Stack Overflow Vulnerabilities (2025)

⚠️ Delta Electronics' ASDA-Soft contains two stack-based buffer overflow vulnerabilities (CVE-2025-62579, CVE-2025-62580) affecting versions 7.0.2.0 and earlier. Both issues were assigned a CVSS v4 base score of 8.4 and can allow writing outside the intended stack buffer when a valid user opens a crafted project file. Exploitation requires local access and user interaction; no public exploitation has been reported to CISA. Delta has released ASDA-Soft v7.1.1.0 and users should update and apply network isolation and standard email/attachment precautions.

Veeder-Root TLS4B: Remote Command Injection and 2038 Bug

🔒 Veeder-Root's TLS4B Automatic Tank Gauge System contains two serious vulnerabilities: a SOAP-based command injection (CVE-2025-58428) that allows remote authenticated attackers to execute system-level commands, and an integer overflow/2038 time wraparound (CVE-2025-55067) that can disrupt authentication and core functions. The command injection carries very high severity (CVSS v3.1 9.9 / CVSS v4 9.4); Veeder-Root recommends upgrading to Version 11.A. For the time-related overflow, Veeder-Root is developing a patch and advises applying network-security best practices, isolating devices, and restricting access until a fix is available.

CISA Issues Eight New Industrial Control Systems Advisories

🔔 CISA released eight Industrial Control Systems advisories addressing vulnerabilities and updates across multiple vendors and products, including AutomationDirect, ASKI Energy, Veeder-Root, Delta Electronics, NIHON KOHDEN, Schneider Electric, and Hitachi Energy. The notices cover new findings and several updates (for example, Update A and Update C) and list ICSA/ICSMA identifiers for each advisory. Administrators and asset owners should review the technical details, apply available patches or vendor mitigations, and reinforce network segmentation, access controls, and monitoring to reduce exposure.

NIHON KOHDEN CNS-6201 NULL Pointer DoS Advisory Update

⚠️ A remote NULL pointer dereference in NIHON KOHDEN CNS-6201 central monitors can be triggered by a specially crafted UDP packet, causing the monitoring process to terminate and producing a denial-of-service. The issue is unauthenticated, reproducible when UDP is reachable, and is tracked as CVE-2025-59668 with CVSS v4 8.7. Vendor support for affected versions has ended; users should migrate to successor products or apply strict network-level mitigations such as isolation, boundary devices, and careful traffic monitoring.

ThreatsDay: Widespread Attacks Exploit Trusted Systems

🔒 This ThreatsDay bulletin highlights a series of recent incidents where attackers favored the easiest paths in: tricking users, abusing trusted services, and exploiting stale or misconfigured components. Notable items include a malicious npm package with a post-install backdoor, a CA$176M FINTRAC penalty for missed crypto reporting, session hijacking via MCP (CVE-2025-6515), and OAuth-based persistent backdoors. Practical defenses emphasized are rapid patching, disabling risky install hooks, auditing OAuth apps and advertisers, and hardening agent and deserialization boundaries.

Critical and High Flaws Found in TP-Link VPN Routers

🔒 Researchers at Forescout’s Vedere Labs have disclosed two vulnerabilities in TP-Link Omada and Festa VPN routers that enable command injection and potential unauthorized root access. The flaws are tracked as CVE-2025-7850 (critical, CVSS v4.0 9.3) and CVE-2025-7851 (high, CVSS v4.0 8.7) and stem from an incomplete 2024 fix that left debug functionality and alternate attack paths. TP-Link has published firmware updates; Vedere Labs urges immediate patching and additional mitigations including WAFs, disabling remote admin, and improved monitoring.

CISA: Critical Lanscope Endpoint Manager Flaw Exploited

⚠️ CISA has added a critical defect in Motex LANSCOPE Endpoint Manager to its Known Exploited Vulnerabilities catalog after observing active exploitation. Tracked as CVE-2025-61932 (CVSS v4: 9.3), the flaw affects on-premises Client program and Detection Agent components and allows arbitrary code execution via specially crafted packets. Motex released patches for multiple 9.3/9.4 builds, and federal agencies are advised to remediate by November 12, 2025.

Critical TAR parsing bug found in popular Rust libraries

🛡️ Researchers at Edera disclosed a critical boundary-parsing flaw called TARmageddon (CVE-2025-62518) in the async-tar family and many forks, including the widely used tokio-tar. The desynchronization bug can smuggle extra archive entries during nested TAR extraction, enabling file overwrites that may lead to Remote Code Execution or supply-chain compromise. Administrators should patch affected forks, consider migrating to the patched astral-tokio-tar ≥0.5.6, and scan Rust-built applications for exposure.

Prompt Hijacking Risks MCP-Based AI Workflows Exposed

⚠️ Security researchers warn that MCP-based AI workflows are vulnerable to "prompt hijacking" when MCP servers issue predictable or reused session IDs, allowing attackers to inject malicious prompts into active client sessions. JFrog demonstrated the issue in oatpp-mcp (CVE-2025-6515), where guessable session IDs could be harvested and reassigned to craft poisoned responses. Recommended mitigations include generating session IDs with cryptographically secure RNGs (≥128 bits of entropy) and having clients validate unpredictable event IDs.

Active Exploitation of SessionReaper Flaw in Adobe Magento

⚠️ Sansec reports active exploitation of the critical SessionReaper vulnerability (CVE-2025-54236) affecting Adobe Commerce. The flaw enables account session takeover through the Commerce REST API; observed attacks delivered PHP webshells and phpinfo probes. Researchers report about 62% of stores remain unpatched six weeks after Adobe's emergency update. Administrators should apply Adobe's patch or recommended mitigations immediately.

TARmageddon: Abandoned Rust tar library enables RCE

🚨 A high-severity logic flaw in the abandoned async-tar Rust library and its forks allows unauthenticated attackers to inject archive entries and achieve remote code execution when nested TARs with mismatched ustar and PAX headers are processed. Edera, which named the issue TARmageddon and tracked it as CVE-2025-62518, explains the parser can jump into file content and mistake it for headers, enabling extraction of attacker-supplied files. The bug also affects the widely used but abandoned tokio-tar fork (7M+ downloads), while several active forks have already been patched. Developers are advised to upgrade to patched forks such as astral-tokio-tar or remove the vulnerable dependency immediately.

CISA Adds Motex LANSCOPE CVE to KEV Catalog, Urges Fixes

⚠️ CISA added CVE-2025-61932 — an Improper Verification of Source of a Communication Channel vulnerability in Motex LANSCOPE Endpoint Manager — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities by mandated deadlines. CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management and will continue updating the KEV Catalog as new exploited vulnerabilities are confirmed.

TARmageddon: High-Severity Flaw in async-tar Rust ecosystem

⚠️Researchers disclosed a high-severity vulnerability (CVE-2025-62518, CVSS 8.1) in the async-tar Rust library and forks such as tokio-tar that can enable remote code execution via file-overwrite attacks when processing nested TAR archives. Edera, which found the issue in late August 2025, attributes the problem to inconsistent PAX/ustar header handling that allows attackers to 'smuggle' additional entries by exploiting size overrides. Because tokio-tar appears unmaintained, users are advised to migrate to astral-tokio-tar v0.5.6, which patches the boundary-parsing vulnerability affecting projects like testcontainers and wasmCloud.

NTLM/LDAP Authentication Bypass (CVE-2025-54918) Analysis

🔍 This analysis examines CVE-2025-54918, a critical NTLM/LDAP authentication bypass that enables privilege escalation from a standard domain user to SYSTEM on Domain Controllers. The vulnerability chains coercion (PrinterBug-style) with NTLM relay and packet manipulation to evade channel binding and LDAP signing. The post outlines the attack flow, detection indicators such as empty usernames and LOCAL_CALL flags, and mitigations using CrowdStrike Falcon capabilities.