All news with #security advisory tag

Wed, November 19, 2025

W3 Total Cache Plugin Critical PHP Command Injection

⚠️ A critical unauthenticated command injection (CVE-2025-9501) in the W3 Total Cache WordPress plugin allows attackers to execute arbitrary PHP via a crafted comment that abuses the _parse_dynamic_mfunc() routine. The developer released 2.8.13 on October 20 to address the flaw, but WordPress.org data indicate hundreds of thousands of sites may still be vulnerable. WPScan has produced a proof-of-concept exploit and plans public release on November 24, increasing the immediate risk for unpatched installations.

Wed, November 19, 2025

Active Exploitation of 7-Zip Symbolic Link Flaw Now

⚠️ A high-severity vulnerability (CVE-2025-11001, CVSS 7.0) in 7-Zip that mishandles symbolic links in ZIP archives is being actively exploited in the wild, NHS England Digital warns. The flaw can trigger directory traversal and enable remote code execution; it was addressed in 7-Zip 25.00, released in July 2025. A related issue, CVE-2025-11002, was also fixed in that release. Proof-of-concept exploits are public, and exploitation requires either an elevated Windows user or service account or developer mode enabled, so users should apply the update immediately.

Wed, November 19, 2025

CISA Orders Rapid Patching for New FortiWeb Flaw Directive

🔒 CISA has ordered U.S. federal agencies to remediate a FortiWeb OS command injection vulnerability (CVE-2025-58034) within seven days after reports of active exploitation. Fortinet warns the flaw can allow an authenticated attacker to execute unauthorized code via crafted HTTP requests or CLI commands. The agency added the issue to its Known Exploited Vulnerabilities Catalog and set a November 25 deadline under BOD 22-01. CISA cited related zero-day activity (CVE-2025-64446) and recommended expedited fixes.

Wed, November 19, 2025

CISA Adds Chromium V8 Type Confusion Vulnerability

⚠️ CISA has added CVE-2025-13223, a Google Chromium V8 type confusion vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of flaw is a frequent attack vector and poses significant risk to the federal enterprise and to other organizations using Chromium-based engines. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the required due date; CISA strongly urges all organizations to prioritize timely patching and vulnerability management to reduce exposure.

Wed, November 19, 2025

Fortinet Warns: FortiWeb Command Injection CVE-2025-58034

🔔 Fortinet has issued an advisory about a newly discovered FortiWeb vulnerability, CVE-2025-58034, rated CVSS 6.7 and reported as being exploited in the wild. The flaw is an OS command injection that allows an authenticated attacker, who has gained access by other means, to execute arbitrary commands via crafted HTTP requests or CLI input. Fortinet provides version-based upgrade guidance to remediate the issue and credited a Trend Micro researcher for reporting the bug.

Tue, November 18, 2025

Fortinet warns of FortiWeb zero-day being exploited

🚨 Fortinet has released security updates to remediate a new FortiWeb zero-day tracked as CVE-2025-58034, which the vendor says is being actively exploited in the wild. The vulnerability is an authenticated OS command injection (CWE-78) that can allow an attacker to execute code via crafted HTTP requests or CLI commands without user interaction. Fortinet confirmed observed exploitation and published fixes; administrators should upgrade affected FortiWeb appliances to the patched releases as soon as possible.

Tue, November 18, 2025

Google patches V8 zero-day in Chrome; admins urged

⚠️ Google released an emergency patch for a high‑severity Type Confusion vulnerability in the V8 JavaScript engine (CVE-2025-13223), which the company says is being exploited in the wild. The flaw, rated CVSS 8.8 and discovered by Clément Lecigne of Google TAG, affects Chromium‑based browsers and can enable heap corruption and potential code execution. Administrators should prioritize updating Chrome to the patched 142.0.7444.175/.176 builds. A second V8 issue, CVE-2025-13224, is also fixed.

Tue, November 18, 2025

Meta Expands WhatsApp Security Research Effort

🛡️ Meta has provided selected long‑time bug bounty researchers with a new tool, WhatsApp Research Proxy, to streamline analysis of WhatsApp's network protocol and reduce barriers to in‑depth research. The company is also running a pilot that invites research teams to focus on platform abuse with internal engineering and tooling support. Meta said it has paid more than $25 million to over 1,400 researchers in 15 years and recently added anti‑scraping protections after a study showed an account‑enumeration technique able to map billions of users.

Tue, November 18, 2025

Silent FortiWeb Patch Raises Alarm as Critical Flaw Exploited

🔒 Fortinet's FortiWeb appliances are affected by a critical vulnerability tracked as CVE-2025-64446 that researchers say was exploited in the wild before an official advisory. The issue chains a relative path traversal to an internal CGI backend with an HTTP_CGIINFO header authentication bypass that allows unauthenticated admin impersonation and potential remote code execution. Fortinet released fixes in multiple 7.x and 8.x maintenance updates and recommends disabling HTTP/HTTPS on internet-facing management interfaces if upgrades cannot be applied immediately.

Tue, November 18, 2025

Schneider Electric PowerChute Serial Shutdown Fixes

🔒 Schneider Electric has released updates for PowerChute Serial Shutdown to address multiple vulnerabilities that may be exploited locally on the network. The issues include path traversal (CWE-22, CVE-2025-11565), excessive authentication attempts (CWE-307, CVE-2025-11566), and incorrect default permissions (CWE-276, CVE-2025-11567) with CVSS scores up to 7.8. Schneider Electric published version 1.4 with fixes for Windows and Linux; administrators should upgrade and apply recommended permissions and network isolation measures.

Tue, November 18, 2025

Shelly Pro 3EM Out-of-Bounds Read Causes Reboots and DoS

⚠️ A remotely accessible out-of-bounds read vulnerability (CVE-2025-12056) in Shelly Pro 3EM can be triggered by a specially crafted Modbus request that forces the device to access illegal memory addresses and reboot. CISA assigns a CVSS v4 score of 8.3 and warns this may result in a denial-of-service condition. Shelly did not respond to coordination requests; users should contact the vendor, keep devices updated, minimize network exposure, and follow recommended ICS defensive practices.

Tue, November 18, 2025

Schneider Electric: Risky Cryptography in EcoStruxure

🔒 This advisory describes a cryptographic weakness in Schneider Electric's EcoStruxure Machine SCADA Expert and Pro-face BLUE Open Studio that could allow credential recovery from project files. An attacker with read access to Edge project or offline cache files can brute-force weak hashes to recover app-native or Active Directory passwords (CVE-2025-9317); the flaw requires local/file access and is not remotely exploitable. Apply 2023.1 Patch 1 immediately or implement recommended mitigations such as strict ACLs, strong project master passwords, removing embedded passwords, and following ICS cybersecurity best practices.

Tue, November 18, 2025

CISA Issues Six New Industrial Control Systems Advisories

🔔 CISA released six Industrial Control Systems (ICS) advisories detailing current security issues, vulnerabilities, and potential exploits affecting multiple vendors and products. The advisories cover Schneider Electric products (including EcoStruxure Machine SCADA Expert, Pro-face BLUE Open Studio, and PowerChute Serial Shutdown), Shelly Pro devices, and METZ CONNECT hardware. One advisory is an update (B) to a prior Schneider Electric notice. Users and administrators are encouraged to review the technical details and apply recommended mitigations promptly.

Tue, November 18, 2025

Shelly Pro 4PM DoS Vulnerability (CVE-2025-11243)

⚠️ A vulnerability in Shelly Pro 4PM (CVE-2025-11243) can cause device reboots and denial-of-service conditions. Due to insufficient input bounds checking in the device's JSON parser, specially crafted RPC requests can trigger memory overallocation and force a reboot. Devices running firmware prior to v1.6 are affected; CISA notes the exploit is reachable from adjacent networks with low attack complexity. Operators should update to v1.6.0 or later and limit network exposure.

Tue, November 18, 2025

CISA Adds Fortinet FortiWeb Command Injection CVE Advisory

⚠️ CISA has added CVE-2025-58034, a Fortinet FortiWeb OS command code injection vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The agency recommends a reduced remediation timeframe of one week due to recent and ongoing exploitation and points to BOD 23-02 for steps to limit exposure from internet-accessible management interfaces. Although BOD 22-01 applies to Federal Civilian Executive Branch agencies, CISA strongly urges all organizations to prioritize timely remediation and vulnerability management for KEV entries.

Tue, November 18, 2025

METZ CONNECT EWIO2 Firmware Critical Vulnerabilities

🔒 METZ CONNECT released firmware updates addressing multiple critical vulnerabilities in EWIO2 devices that allow unauthenticated remote attackers to bypass authentication, upload and execute arbitrary code, and read PHP source files. The flaws include an authentication bypass, PHP remote file inclusion, unrestricted file uploads, path traversal, and improper access control. METZ CONNECT firmware 2.2.0 remediates these issues; administrators should schedule and install the update and ensure devices are not exposed to the internet.

Tue, November 18, 2025

Google fixes new Chrome zero-day exploited in attacks

🔒 Google released an emergency update to address a newly discovered Chrome zero-day, CVE-2025-13223, which is being actively exploited. The high-severity flaw stems from a type confusion vulnerability in Chrome's V8 JavaScript engine and was reported by Clément Lecigne of Google's Threat Analysis Group. Patches are available in versions 142.0.7444.175/.176 for Windows, 142.0.7444.176 for macOS, and 142.0.7444.175 for Linux; users should open the About Google Chrome page and relaunch the browser to apply the update.

Tue, November 18, 2025

Amazon RDS for Oracle: October 2025 RU and Spatial Fixes

🔔 Amazon RDS for Oracle now supports the Oracle October 2025 Release Update (RU) for 19c and 21c, and the corresponding Spatial Patch Bundle for 19c. AWS recommends upgrading because the RU includes six new security patches for Oracle database products, and the Spatial Patch Bundle provides important fixes and performance improvements for Oracle Spatial and Graph. You can apply the RU from the Amazon RDS Management Console or programmatically via the AWS SDK or CLI, and enable Automatic Minor Version Upgrade to install updates during your maintenance window. To deploy the Spatial Patch Bundle, select the 'Spatial Patch Bundle Engine Versions' checkbox when creating new instances or upgrade existing instances to engine version '19.0.0.0.ru-2025-10.spb-1.r1'.

Tue, November 18, 2025

Amazon RDS Supports MariaDB 10.6.24, 10.11.15, 11.4.9

🔔 Amazon RDS for MariaDB now supports community minor versions 10.6.24, 10.11.15, and 11.4.9. AWS recommends upgrading to these latest minor releases to address known security vulnerabilities and to gain bug fixes, performance improvements, and new community features. You can enable automatic minor version upgrades or use Amazon RDS Managed Blue/Green deployments to apply updates during scheduled maintenance windows. See the Amazon RDS User Guide for upgrade and deployment details.

Tue, November 18, 2025

Google Chrome fixes actively exploited V8 type bug

🛡️ Google has released emergency Chrome updates addressing two V8 engine type confusion flaws, including an actively exploited vulnerability tracked as CVE-2025-13223 (CVSS 8.8) that can lead to arbitrary code execution or crashes. The patch also fixes CVE-2025-13224, flagged by Google's AI agent Big Sleep, and brings the number of Chrome zero-days addressed this year to seven. Users should update Chrome to 142.0.7444.175/.176 (Windows/macOS/Linux) and apply fixes for other Chromium-based browsers when available.