All news with #security advisory tag
Tue, December 9, 2025
Windows 11 KB5072033 & KB5071417 Patch Tuesday December 2025
🔔 Microsoft released cumulative updates KB5072033 (25H2/24H2) and KB5071417 (23H2) as the December 2025 Patch Tuesday rollup. The mandatory updates include security fixes, bug patches, and new or enhanced features such as improved File Explorer dark mode, Virtual Workspaces advanced settings, and expanded Full‑Screen Experience for handheld devices. Install via Settings > Windows Update or the Microsoft Update Catalog; features will roll out gradually.
Tue, December 9, 2025
Ivanti warns of critical Endpoint Manager code flaw
⚠️ Ivanti is urging customers to patch a critical vulnerability (CVE-2025-10573) in its Endpoint Manager (EPM) that allows unauthenticated remote actors to execute arbitrary JavaScript via low-complexity cross-site scripting that requires user interaction. Reported by Rapid7, the flaw lets attackers join fake managed endpoints to poison administrator dashboards and hijack admin sessions when viewed. Ivanti released EPM 2024 SU4 SR1 and addressed three other high-severity bugs, while Shadowserver reports hundreds of Internet-facing EPM instances.
Tue, December 9, 2025
U-Boot Bootloader: Improper Access to Volatile Boot Code
⚠️ U-Boot contains an improper access control vulnerability in volatile memory holding boot code (CVE-2025-24857) affecting all U-Boot versions prior to 2017.11 and several Qualcomm SoCs. Successful exploitation could allow arbitrary code execution; CISA reports a CVSS v4 base score of 8.6 with low attack complexity. Vendors advise upgrading to v2025.4, ensuring physical device security, and contacting Qualcomm support where appropriate.
Tue, December 9, 2025
Critical Auth Bypass in India-Deployed CCTV Cameras
🔒 CISA reports a critical authentication bypass (CWE-306, CVE-2025-13607) affecting multiple India-deployed CCTV products, including D-Link DCS-F5614-L1. The flaw permits unauthenticated remote retrieval of device configuration and account credentials with low attack complexity and high impact. D-Link has released a software update for the DCS-F5614-L1; users should install the patch, verify firmware versions, and minimize network exposure while seeking guidance from other vendors.
Tue, December 9, 2025
CISA Releases Three New Industrial Control Advisories
🔔 CISA published three Industrial Control Systems (ICS) advisories addressing vulnerabilities in Universal Boot Loader (U-Boot) (ICSA-25-343-01), the Festo LX Appliance (ICSA-25-343-02), and several India-based CCTV camera models (ICSA-25-343-03). Each advisory provides technical details, impact assessments, and recommended mitigations. CISA urges system operators, vendors, and administrators to review the advisories promptly and apply available updates or compensating controls to reduce operational risk.
Tue, December 9, 2025
CISA, FBI Warn: Protect Critical Infrastructure Now
🚨 CISA, the FBI, NSA, DOE, EPA, DOD’s DC3, and international partners issued a joint advisory alerting operators that pro‑Russia hacktivist groups are conducting opportunistic, low‑sophistication attacks against U.S. and global critical infrastructure. These actors exploit internet‑facing OT components (notably VNC and SCADA) and sometimes combine intrusions with DDoS. The advisory urges immediate mitigations: reduce OT exposure, improve asset management, and enforce robust authentication.
Tue, December 9, 2025
Festo LX Appliance XSS Vulnerability (CVE-2021-23414)
⚠️ Festo SE & Co. KG's LX Appliance contains a cross-site scripting (XSS) vulnerability tied to the video.js library (CVE-2021-23414) that can allow crafted course content to execute scripts in high-privilege user sessions. The issue affects LX Appliance versions prior to June 2023 and has a CVSS v3.1 base score of 6.1. Festo coordinated disclosure with CERT@VDE and published advisory FSA-202301. Administrators should update affected appliances and apply recommended network isolation and secure remote access controls.
Tue, December 9, 2025
Pro-Russia Hacktivists Target Critical Infrastructure
⚠️ This joint advisory from CISA, FBI, NSA, and international partners details opportunistic intrusions by pro‑Russia hacktivist groups—CARR, NoName057(16), Z‑Pentest, and Sector16—against OT/ICS environments. Actors are exploiting internet‑exposed VNC services, using open‑source scanning and brute‑force tools to access HMI devices with default or weak credentials, causing loss of view, configuration changes, and operational downtime. The advisory urges organizations to reduce public exposure, apply network segmentation, enforce strong authentication (MFA where feasible), harden device credentials, and follow secure‑by‑design guidance for OT products.
Tue, December 9, 2025
December 2025 Patch Tuesday: One Zero-Day, 57 CVEs Addressed
🔔 Microsoft’s December 2025 Patch Tuesday addresses 57 CVEs, including one actively exploited Important zero‑day in the Windows Cloud Files Mini Filter Driver and two publicly disclosed Important zero‑days impacting GitHub Copilot for JetBrains and PowerShell. Two Critical RCE flaws in Microsoft Office increase urgency for enterprise patching and remediation. Organizations should prioritize applying Microsoft fixes, adopt layered mitigations where patches are delayed, and use CrowdStrike Falcon dashboards to track affected assets and remediation progress.
Mon, December 8, 2025
Apache Tika XXE Flaw Expanded; Critical Patch Urged
⚠️ Apache Tika maintainers warn that an XML External Entity (XXE) vulnerability originally disclosed in August (CVE-2025-54988) is broader than first reported and is now covered by a superset CVE (CVE-2025-66516). The issue affects tika-core, tika-parsers and the standalone tika-parser-pdf-module, and could allow attackers to read sensitive data or trigger requests to internal resources. Users are advised to upgrade to the patched releases or disable XML parsing via tika-config.xml to mitigate risk.
Mon, December 8, 2025
CISA Adds Two Vulnerabilities to Known Exploited Catalog
🔔 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2022-37055, a buffer overflow affecting D-Link routers, and CVE-2025-66644, an OS command injection in Array Networks ArrayOS AG. Both were included based on evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV entries by their due dates, and CISA urges all organizations to prioritize timely remediation and risk-reduction measures.
Mon, December 8, 2025
React2Shell RCE Actively Exploited by Multiple Threat Actors
🔴 The newly disclosed React2Shell vulnerability (CVE-2025-55182) is being actively exploited in the wild and carries a CVSS v3.1 score of 10. AWS has attributed exploitation attempts to state-linked groups including Earth Lamia and Jackpot Panda, while multiple proof-of-concept exploits have rapidly appeared. Broad scans from Shadowserver and Censys show tens of thousands to over two million potentially affected instances, and defenders are urged to apply the published React security updates immediately.
Mon, December 8, 2025
Critical Sneeit WordPress RCE Exploited in the Wild
🔴 A critical remote code execution flaw in the Sneeit Framework WordPress plugin (CVE-2025-6389) is being actively exploited, according to Wordfence. The issue, patched in version 8.4 on August 5, 2025, affects all releases up to and including 8.3 and lets unauthenticated attackers invoke arbitrary PHP functions via sneeit_articles_pagination_callback() and call_user_func(). Wordfence reported more than 131,000 blocked attempts since disclosure, including tens of thousands in a single day, and observed uploads of PHP shells and creation of malicious admin accounts on vulnerable sites.
Sat, December 6, 2025
CISA Adds Critical React2Shell RCE to KEV Catalog Now
⚠️ CISA has added a critical remote code execution flaw affecting React Server Components (tracked as CVE-2025-55182 / React2Shell) to its Known Exploited Vulnerabilities catalog. The vulnerability, rated CVSS 10.0, stems from insecure deserialization in React’s Flight protocol and enables unauthenticated attackers to run arbitrary commands via crafted HTTP requests. Fixes are available in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (versions 19.0.1, 19.1.2, 19.2.1) and should be applied immediately.
Fri, December 5, 2025
React2Shell (CVE-2025-55182): Critical Server RCE Threat
🛡️ In early December 2025 the React project disclosed a critical server-side vulnerability dubbed React2Shell (CVE-2025-55182) rated CVSS 10.0. The bug allows unauthenticated attackers to execute arbitrary code by sending a specially crafted request to a vulnerable server feature. Check Point notes that CloudGuard WAF customers were proactively protected and not affected. Organizations should patch promptly and review traffic controls.
Fri, December 5, 2025
Chinese Threat Actors Backdoor VMware vSphere Servers
🔒 Chinese state-sponsored actors are implanting a Go-based backdoor called BRICKSTORM on VMware vCenter and ESXi servers to maintain long-term persistence in targeted networks. CISA, NSA and the Canadian Cyber Centre analyzed multiple samples and found the malware often remained undetected for extended periods, enabling lateral movement, credential theft and exfiltration via VSOCK and SOCKS5 proxy functionality. The joint advisory includes IOCs, YARA and Sigma rules and recommends patching, hardening vSphere, restricting service account privileges, segmenting networks and blocking unauthorized DoH.
Fri, December 5, 2025
Critical XML External Entity (XXE) Flaw in Apache Tika
🔒 A critical XML External Entity (XXE) vulnerability, tracked as CVE-2025-66516, has been disclosed in Apache Tika and carries a CVSS score of 10.0. The flaw allows XXE via a crafted XFA file inside PDFs and affects tika-core, tika-parser-pdf-module, and tika-parsers across multiple versions. Users are strongly advised to upgrade to the patched releases immediately to mitigate file disclosure and potential remote code execution.
Fri, December 5, 2025
Critical React2Shell RCE in React.js and Next.js Servers
⚠️ React.js and Next.js servers are vulnerable to a critical remote code execution flaw dubbed React2Shell (CVE-2025-55182), disclosed to Meta on 29 November 2025. The bug targets server-side React Server Function endpoints and default Next.js App Router setups, enabling unauthenticated attackers to execute arbitrary code with a single HTTP request. Researchers report near‑100% exploitability in default configurations and published proof‑of‑concepts; security teams should upgrade affected packages to the fixed versions immediately and verify PoC sources before testing.
Fri, December 5, 2025
China-Linked Warp Panda Espionage Targets North America
🛡️ CrowdStrike has attributed a sophisticated cyber‑espionage campaign to a China-linked group dubbed Warp Panda, which has targeted North American legal, technology and manufacturing firms to support PRC intelligence priorities. The actor employed BRICKSTORM implants and Golang-based tools to persist on VMware vSphere infrastructures, including vCenter and ESXi hosts. CISA’s advisory corroborates long-term access and vCenter exploitation.
Fri, December 5, 2025
Cloudflare Outage Caused by Emergency React2Shell Patch
🔧 Cloudflare says an emergency patch to mitigate the critical React2Shell vulnerability (CVE-2025-55182) introduced a change to its Web Application Firewall request parsing that briefly rendered the network unavailable and caused global "500 Internal Server Error" responses. The update targeted active remote code execution attempts against React Server Components and dependent frameworks. Cloudflare emphasized the incident was not an attack and that the change was deployed to protect customers while the industry addresses the flaw.