All news with #security advisory tag

Unity runtime vulnerability forces game updates worldwide

⚠ A critical vulnerability in the Unity Runtime, introduced in engine version 2017.01, can allow attackers to pass crafted startup parameters that cause games to load arbitrary native libraries on Windows, macOS, Linux and Android. Exploitation may execute malicious code or expose device data, and the risk depends on game and OS settings. Vendors Valve and Microsoft advise blocking or removing affected titles while Unity urges developers to update, recompile and republish builds; Unity also provides an application patcher for unmaintained games.

Microsoft: Critical GoAnywhere Flaw Used in Ransomware

⚠️ Microsoft warns that a critical deserialization vulnerability, CVE-2025-10035, in Fortra's GoAnywhere MFT License Servlet Admin Console is being actively exploited in ransomware campaigns. The flaw (CVSS 10.0) enables attackers to bypass signature verification and deserialize attacker-controlled objects, potentially resulting in command injection and remote code execution on internet-exposed instances. Customers are urged to apply Fortra's patch, harden perimeter controls and run endpoint defenses in block mode to detect and stop post-breach activity.

Redis 13-Year Use-After-Free Flaw Rated CVSS 10.0 Severity

⚠️ Redis disclosed a maximum-severity vulnerability, CVE-2025-49844 (RediShell), a use-after-free bug in its Lua scripting implementation that has been assigned a CVSS score of 10.0. An authenticated user can submit crafted Lua scripts to manipulate the garbage collector, trigger a use-after-free, and potentially achieve remote code execution on the host. The issue affects all Redis versions with Lua and was fixed in 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2 (released Oct 3, 2025). Administrators should immediately restrict EVAL/EVALSHA via ACLs, avoid exposing Redis instances to the internet, enforce strong authentication, and apply the patches without delay.

Microsoft Links Storm-1175 to GoAnywhere Flaw, Medusa

🔒 Microsoft attributed active exploitation of a critical Fortra GoAnywhere vulnerability (CVE-2025-10035, CVSS 10.0) to the cybercriminal group Storm-1175, which has been observed deploying Medusa ransomware. The flaw is a deserialization bug that can permit unauthenticated command injection when a forged license response signature is accepted. Fortra released fixes in GoAnywhere 7.8.4 and Sustain Release 7.6.3; organizations should apply updates immediately and hunt for indicators such as dropped RMM tools, .jsp web shells, Cloudflare tunnels and Rclone usage.

Cl0p Exploits Critical Oracle E-Business Suite Flaw

🔒 Oracle released an emergency patch to address a critical unauthenticated vulnerability in E-Business Suite (CVE-2025-61882) with a CVSS score of 9.8. The flaw allows remote code execution against the Oracle concurrent processing component over HTTP and has been actively exploited by the Cl0p group in large-scale data theft. Security firms report mass email-based distribution from hundreds of compromised accounts and recommend immediate patching and forensic checks for listed IoCs and suspicious GET/POST activity.

Redis warns of critical Lua RCE flaw in many instances

🔒 The Redis security team has released patches for CVE-2025-49844, a maximum-severity use-after-free in the bundled Lua interpreter that can enable remote code execution when an attacker supplies a specially crafted Lua script. Wiz researchers, who disclosed the issue at Pwn2Own Berlin and dubbed it RediShell, found approximately 330,000 Redis instances exposed online and at least 60,000 requiring no authentication. Administrators should apply the published fixes (for example, 7.22.2-12 and later; OSS/CE/Stack variants also updated) immediately and implement mitigations such as enabling authentication, disabling Lua scripting where possible, running Redis as a non-root user, and restricting network access.

Steam, Microsoft Warn of Unity Flaw Exposing Gamers

⚠️ A code execution vulnerability in Unity's Runtime (CVE-2025-59489) can allow unsafe file loading and local file inclusion, enabling code execution on Android and privilege escalation on Windows. Valve/Steam issued a Client update to block launching custom URI schemes and urges publishers to rebuild with a safe Unity version or replace the UnityPlayer.dll. Microsoft published guidance recommending users uninstall vulnerable games until patched, and Unity advises developers to update the Editor, recompile, and redeploy.

CISA Adds Seven CVEs to Known Exploited Vulnerabilities

🔒 CISA has added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. The newly listed entries include CVE-2010-3765, CVE-2010-3962, CVE-2011-3402, CVE-2013-3918, CVE-2021-22555, CVE-2021-43226, and CVE-2025-61882, impacting Mozilla, Microsoft, the Linux Kernel, and Oracle E-Business Suite. Federal Civilian Executive Branch agencies must remediate these vulnerabilities under BOD 22-01, and CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.

Weekly Cyber Recap: Oracle 0-Day, BitLocker Bypass

🛡️Threat actors tied to Cl0p exploited a critical Oracle E-Business Suite zero-day (CVE-2025-61882, CVSS 9.8) to steal large volumes of data, with multiple flaws abused across patched and unpatched systems. The week also spotlights a new espionage actor, Phantom Taurus, plus diverse campaigns from WordPress-based loaders to self-spreading WhatsApp malware. Prioritize patching, strengthen pre-boot authentication for BitLocker, and increase monitoring for the indicators associated with these campaigns.

Zimbra XSS Zero-Day Used to Target Brazilian Military

⚠️A stored cross-site scripting vulnerability in the Zimbra Classic Web Client (CVE-2025-27915) was exploited in targeted attacks and has since been patched. The flaw allowed embedded JavaScript in ICS calendar entries to execute via an ontoggle event, enabling attackers to create mail filters, redirect messages, and exfiltrate mailbox data. Zimbra released fixes on January 27, 2025; administrators should apply updates and audit mailbox filters and logs for indicators of compromise.

Oracle issues emergency patch for CVE-2025-61882 exploit

🔒 Oracle has released an emergency update to address CVE-2025-61882, a critical (CVSS 9.8) vulnerability in the E-Business Suite Concurrent Processing component that can be exploited over HTTP without authentication. Oracle warned the flaw may allow remote code execution and issued additional fixes after discovering further potential exploitation vectors. Indicators shared with the advisory point to activity linked to Cl0p and a group associated with Scattered LAPSUS$ Hunters; organizations are urged to apply the patch and hunt for signs of compromise.

Oracle patches critical EBS zero-day used by Clop gang

⚠️ Oracle has released an emergency update addressing CVE-2025-61882, a critical unauthenticated remote code execution flaw in Oracle E-Business Suite (Concurrent Processing / BI Publisher Integration). The vulnerability affects versions 12.2.3–12.2.14 and carries a CVSS base score of 9.8. Customers must first install the October 2023 Critical Patch Update before applying the new fix. Intelligence firms say the Clop extortion gang actively used the bug in August 2025 to steal data.

Oracle Links Clop Extortion to July EBS Vulnerabilities

🔒 Oracle said some customers received extortion emails tied to its E-Business Suite and linked the campaign to vulnerabilities patched in the July 2025 Critical Patch Update. While Oracle did not attribute the activity to a specific ransomware group, its investigation found potential use of previously identified EBS flaws, including three that were remotely exploitable. Security firms reported executives began receiving ransom demands on or before September 29, 2025. Oracle urged customers to apply the latest patches and contact support if they need assistance.

Hackers Target Unpatched Oracle E-Business Suite Flaws

⚠️ Oracle has warned customers that attackers may be exploiting unpatched instances of Oracle E-Business Suite, following alerts from the Google Threat Intelligence Group and reports of extortion emails sent to company executives. The vendor’s investigation points to vulnerabilities addressed in the July 2025 Critical Patch Update, and it urges organizations to apply those fixes immediately. The July update fixed nine EBS flaws, including three critical issues and several that can be exploited remotely without authentication, raising urgent remediation priorities for affected deployments. Security teams should verify patch status, hunt for indicators of compromise, and validate account integrity.

CISA Adds Meteobridge Command Injection CVE-2025-4008

⚠️ CISA has added a high-severity command injection flaw, CVE-2025-4008, affecting Smartbedded Meteobridge to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The vulnerability allows unauthenticated remote attackers to execute arbitrary commands as root via a vulnerable /cgi-bin/template.cgi endpoint that improperly uses eval calls. ONEKEY reported the issue and Meteobridge issued a fix in version 6.2 on May 13, 2025.

DrayTek warns of RCE vulnerability in Vigor routers

🔒 DrayTek has issued an advisory for Vigor routers after a researcher reported a remotely triggerable vulnerability (CVE-2025-10547) that can cause memory corruption and may allow arbitrary code execution via crafted HTTP/HTTPS requests to the device WebUI. Reported on July 22 by ChapsVision researcher Pierre-Yves Maes, the root cause is an uninitialized stack value that can be abused to force an arbitrary free() and achieve RCE, and Maes successfully tested an exploit. DrayTek provides firmware versions to mitigate the issue and recommends applying updates promptly while reducing WAN exposure by disabling or restricting remote WebUI/SSL VPN access.

Critical RBAC Flaw in Red Hat OpenShift AI Risks Clusters

⚠ Red Hat has patched a design flaw in OpenShift AI (CVE-2025-10725) with a CVSS score of 9.9 that can let an authenticated low-privilege user escalate to full cluster administrator and fully compromise clusters and hosted applications. The vulnerability stems from an overly permissive ClusterRole binding that grants broad permissions to system:authenticated. Red Hat advises removing the kueue-batch-user-role ClusterRoleBinding, tightening job-creation permissions to follow least privilege, and upgrading to fixed RHOAI images (2.19 and 2.21). Administrators should audit affected environments and apply the recommended fixes promptly.

Hitachi Energy MSM: XSS and Assertion Vulnerabilities

⚠️ Hitachi Energy reports multiple vulnerabilities in the MSM product that are exploitable remotely with low attack complexity. An XSS flaw in the EmbedThis GoAhead goform/formTest endpoint (name parameter) can allow HTML injection, while an assertion in open62541's fuzz_binary_decode can cause a crash. CVE-2023-53155 (CVSS 7.2) and CVE-2024-53429 (CVSS 7.5) are assigned. Vendors and CISA recommend disconnecting affected devices from internet-facing networks and following product-specific guidance.

Raise3D Pro2 Series Authentication Bypass Advisory

⚠️ CISA warns of a high-severity authentication bypass in Raise3D Pro2 Series 3D printers caused by an unauthenticated debug port that can expose the device file system. The flaw, CVE-2025-10653, has a CVSS v4 score of 8.8 and is remotely exploitable with low complexity when developer mode is enabled. Raise3D is developing firmware fixes; users should disable developer mode and limit network access until patched.

CISA Adds Five Vulnerabilities to KEV Catalog — Oct 2025

🔔 CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. The additions are CVE-2014-6278 (GNU Bash), CVE-2015-7755 (Juniper ScreenOS), CVE-2017-1000353 (Jenkins), CVE-2025-4008 (Smartbedded Meteobridge), and CVE-2025-21043 (Samsung mobile). Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by their due dates; CISA urges all organizations to prioritize timely mitigation and patching.