All news with #security advisory tag

High-Severity Oracle E-Business Suite Vulnerability Alert

🔒 Oracle issued an alert for CVE-2025-61884, a high-severity (CVSS 7.5) flaw in Oracle E-Business Suite versions 12.2.3 through 12.2.14 that can be exploited remotely over HTTP without authentication. The NIST description warns the defect permits an unauthenticated attacker to compromise Oracle Configurator, potentially exposing or allowing complete access to critical configurable data. Oracle urges administrators to apply the update immediately; it has not reported observed in-the-wild exploitation.

Fortra Confirms Active Exploitation of GoAnywhere Flaw

🔒 Fortra disclosed its investigation into CVE-2025-10035, a deserialization vulnerability in the GoAnywhere License Servlet that has been exploited since September 11, 2025. The vendor issued a hotfix within 24 hours and published patched builds (7.6.3 and 7.8.4) on September 15, saying the risk is limited to admin consoles exposed to the public internet. Microsoft attributes observed exploitation to threat actor Storm-1175, which deployed Medusa ransomware; Fortra recommends restricting internet access to admin consoles, enabling monitoring, and keeping software up to date.

Microsoft Defender Mislabels SQL Server as End-of-Life

⚠️Microsoft is addressing a bug in Microsoft Defender for Endpoint that incorrectly tags SQL Server 2017 and SQL Server 2019 as end-of-life. The company says a recent code change introduced the issue and it has begun deploying a fix to reverse that change. Support timelines remain unchanged: 2019 is supported until January 2030 and 2017 until October 2027. The incident is being tracked as an advisory while remediation continues.

Cloudflare Launches REACT: Unified Incident Response

🔒 Cloudflare today introduces REACT, a new incident response and advisory service from Cloudforce One designed to bridge the gap between edge defenses and in‑network remediation. REACT combines proactive advisory work—threat hunting, tabletop exercises, and readiness assessments—with emergency incident response and retainer options for guaranteed availability. As a network‑native, vendor‑agnostic service, REACT can deploy mitigations at the Cloudflare edge and coordinate investigations across on‑premise, cloud, and hybrid environments.

Oracle EBS Zero-Day Exploitation and Extortion Campaign

⚠️ GTIG and Mandiant tracked a large-scale extortion campaign beginning Sept. 29, 2025, in which actors claiming affiliation with the CL0P brand alleged theft from Oracle E‑Business Suite (EBS) environments. Analysis indicates exploitation of a zero-day (CVE-2025-61882) as early as Aug. 9, 2025, with suspicious activity dating back to July 10. Attackers abused UiServlet and SyncServlet flows, embedding Java payloads via XSL templates to achieve unauthenticated RCE and deploy in-memory implants. Organizations are urged to apply Oracle emergency patches, hunt for malicious templates in XDO_TEMPLATES_B/XDO_LOBS, and restrict outbound traffic to disrupt C2.

Reassignment of CISA Staff Raises National Cyber Risks

🔔 The US Department of Homeland Security has reassigned hundreds of cybersecurity personnel from the Cybersecurity and Infrastructure Security Agency to non-cyber roles supporting immigration and border enforcement, reports say. This shift has most impacted CISA’s Capacity Building team, which writes emergency directives and oversees protections for the government’s highest-value assets; refusal to accept new roles reportedly risks termination. Analysts warn that reductions in specialized threat hunting, vulnerability scanning, and coordinated advisories will slow response times and create exploitable gaps. Enterprises are urged to tighten patch cycles, adopt phishing-resistant MFA, review privileges, and rely on sector ISACs and private intel sharing while federal capacity is strained.

CISA Publishes Four ICS Advisories on October 9, 2025

🔔 CISA released four Industrial Control Systems (ICS) Advisories on October 9, 2025, covering vulnerabilities in Hitachi Energy Asset Suite, Rockwell Automation Lifecycle Services with Cisco, Rockwell Automation Stratix, and an update to Mitsubishi Electric Multiple FA Products. Each advisory provides technical details, risk ratings, and recommended mitigations. Administrators and asset owners should review the advisories promptly and apply mitigations or vendor patches to reduce exposure. CISA emphasizes timely review and implementation to protect operational environments.

Rockwell Stratix Devices Vulnerable to SNMP Stack Overflow

⚠️ Rockwell Automation has published an advisory for Stratix switches informing operators of a stack-based buffer overflow in the SNMP subsystem derived from Cisco IOS XE (CVE-2025-20352). A remote, authenticated attacker with knowledge of SNMPv2c read-only community strings or valid SNMPv3 credentials could cause a denial-of-service, while administrative (privilege 15) credentials may permit arbitrary code execution as root. Affected models include Stratix 5700, 5400, 5410, 5200, and 5800; Rockwell and CISA recommend applying Cisco workarounds, implementing network isolation, using secure remote access, and following Rockwell advisory SD1749.

Hitachi Energy Asset Suite Log Injection Vulnerability

⚠️A vulnerability in Hitachi Energy Asset Suite (versions 9.7 and prior) permits an authenticated user to manipulate or inject performance log entries (CWE-117). Tracked as CVE-2025-10217, it has a CVSS v3.1 base score of 6.5 and CVSS v4 base score of 6.0; exploitation could enable further malicious actions by corrupting logs. Hitachi Energy recommends disabling performance logging and applying updates when available, while CISA advises network segmentation, firewall protections, and secure remote access to minimize exposure.

Rockwell Automation Lifecycle Services SNMP Overflow

⚠️ Rockwell Automation reports a stack-based buffer overflow in its Lifecycle Services with Cisco offerings related to the Cisco IOS XE SNMP subsystem (CVE-2025-20352). An authenticated remote actor with low privileges can trigger a denial-of-service, and an actor with higher privileges and administrative access may achieve arbitrary code execution as root. A CVSS v4 score of 6.3 and a CVSS v3 score of 7.7 are provided. Rockwell and Cisco publish updates and mitigations; CISA advises minimizing network exposure and applying vendor fixes or recommended workarounds.

SonicWall Cloud Backups Accessed in Firewall Breach

🔒 SonicWall has confirmed that an unauthorized actor accessed firewall configuration backup files stored in its cloud backup service for customers. The files include encrypted credentials and device configuration data; while encryption remains in place, SonicWall warned that possession of these backups could increase the risk of targeted attacks. The vendor says access was achieved via brute-force attacks and that suspicious activity was first detected in early September 2025. Working with Mandiant, SonicWall has issued remediation tools, published impacted device lists in the MySonicWall portal, and is notifying affected partners and customers.

Critical Service Finder Bug Lets Attackers Hijack Sites

🔒 A critical authentication bypass in the Service Finder Bookings plugin (CVE-2025-5947, CVSS 9.8) allows unauthenticated attackers to sign in as any user, including administrators. The root cause is improper cookie validation in the account-switching function service_finder_switch_back(), which enables privilege escalation. Maintainers released Service Finder version 6.1 on July 17, 2025 to address the issue, and exploitation attempts have been observed since August 1, 2025. Administrators should upgrade immediately and audit sites for unauthorized accounts or unexpected changes.

Critical auth bypass in Service Finder WordPress theme

🔒 A critical authentication bypass in the Service Finder WordPress theme (tracked as CVE-2025-5947) is being actively exploited to obtain administrator access. The flaw affects versions 6.0 and older and results from improper validation of the original_user_id cookie in the service_finder_switch_back() function. Aonetheme released a patch in version 6.1 on July 17; site operators should update immediately or discontinue use.

How Cloudflare Found and Fixed a Bug in Go's ARM64 Compiler

🔍 Cloudflare engineers describe discovering a rare race condition in the Go arm64 compiler that caused goroutine stack-unwinding crashes in production. They traced sporadic fatal panics and segfaults to async preemption interrupting a split stack-pointer adjustment, leaving an invalid stack frame. A minimal reproducer showed the assembler could split a large ADD into multiple instructions, creating a one-instruction window where preemption caused unwinder corruption. The issue was fixed upstream in go1.23.12, go1.24.6, and go1.25.0.

Severe Figma MCP Command Injection Enables RCE Remotely

🔒 Cybersecurity researchers disclosed a now-patched command injection vulnerability in the figma-developer-mcp Model Context Protocol server that could allow remote code execution. Tracked as CVE-2025-53967 (CVSS 7.5), the flaw stems from unsanitized user input interpolated into shell commands when a fetch fallback uses child_process.exec to run curl. Imperva reported the issue and maintainers released a fix in figma-developer-mcp v0.6.3; users should update immediately.

Critical 10.0 RCE Flaw in Redis Exposes 60,000 Instances

⚠ The popular Redis in-memory data store received an urgent patch for a critical use-after-free vulnerability tracked as CVE-2025-49844 (RediShell), which can escape the Lua script sandbox and achieve remote code execution on the host. Exploitation requires authentication, but many deployments disable it; researchers estimate roughly 60,000 internet-exposed instances lack authentication. Redis released fixes on Oct. 3 across multiple branches and administrators are urged to patch exposed servers immediately and enable hardening controls.

Critical Redis Flaw 'RediShell' Exposes 60,000 Servers

🚨 Redis has a critical, decade‑old vulnerability identified as CVE-2025-49844 (RediShell) in its embedded Lua scripting engine that can let authenticated users escape the sandbox and execute arbitrary code on the host. Researchers at Wiz report roughly 330,000 Redis instances are exposed online, with about 60,000 lacking authentication. Redis and Wiz disclosed the issue on October 3 and published patches; administrators should apply updates, restrict access, and disable Lua scripting if not required.

Delta DIAScreen Multiple Out-of-Bounds Write Flaws

⚠️ Delta Electronics issued an advisory for DIAScreen addressing four out-of-bounds write vulnerabilities (CWE-787) that can be triggered when a valid user opens a maliciously crafted project file. The issues are tracked as CVE-2025-59297 through CVE-2025-59300 and have CVSS v3.1 base scores of 6.6 and CVSS v4 base scores of 6.8. Delta released v1.6.1 to remediate the flaws; administrators should apply the update and follow CISA guidance on social-engineering protections and ICS defensive best practices.

CISA Issues Two New ICS Advisories for Delta, Rockwell

🛡️ CISA released two Industrial Control Systems advisories on October 7, 2025, addressing security issues in Delta Electronics DIAScreen and an updated advisory for Rockwell Automation 1756-EN4TR/1756-EN4TRXT. The notices provide technical details, vulnerability descriptions, and recommended mitigations to reduce exposure in operational environments. Administrators and users are urged to review the advisories and apply mitigations promptly to protect ICS assets.

NCSC Urges Patch for Critical Oracle E-Business Bug

🔔 The UK's National Cyber Security Centre has urged Oracle E-Business Suite customers to apply an emergency update for CVE-2025-61882, a critical unauthenticated remote code execution vulnerability in the BI Publisher Integration component affecting EBS 12.2.3–12.2.14. Security firm Mandiant reports the Clop ransomware group exploited the bug as a zero-day in August, and the exploit has since been leaked, raising the risk of wider attacks. The NCSC and Rapid7 recommend immediate compromise assessments using Oracle's IoCs, contacting Oracle PSIRT and the NCSC if compromise is suspected, installing the latest EBS update (with the October 2023 CPU applied first), and reducing internet exposure of EBS instances.