All news with #security advisory tag
Tue, November 18, 2025
Microsoft fixes Windows 10 ESU update installation error
🔧 Microsoft acknowledged that the November Patch Tuesday update KB5068781 for Windows 10 (builds 19044.6575 and 19045.6575) could fail to install on commercial devices activated via Windows subscription activation through the Microsoft 365 admin center, producing error 0x800f0922. On Nov. 17 Microsoft issued a preparation package, KB5072653, to resolve the problem and allow deployment of the November security update. Administrators should verify the latest servicing stack update, run the Windows Update Troubleshooter, and, if needed, install the .msu manually via wusa.exe.
Tue, November 18, 2025
Windows 10 KB5072653 OOB Update Fixes ESU Install Errors
🛠️ Microsoft released the out-of-band update KB5072653 to address installation failures affecting the November Extended Security Update for Windows 10. The preparation package resolves 0x800f0922 (CBS_E_INSTALLERS_FAILED) errors and requires devices to run Windows 10 22H2 with the October cumulative update KB5066791. KB5072653 will be offered automatically via Windows Update; after installing and restarting, administrators should rerun Windows Update to deploy the November ESU update (KB5068781). Microsoft will also publish updated Scan Cab metadata for WSUS/SCCM customers who rely on cab files for compliance checks.
Mon, November 17, 2025
RondoDox Botnet Exploits Critical XWiki RCE (CVE-2025-24893)
⚠️ RondoDox operators are exploiting a critical remote code execution flaw in XWiki Platform (CVE-2025-24893), which CISA flagged as actively exploited on October 30. VulnCheck observed attacks beginning November 3 that inject base64-encoded Groovy into the XWiki SolrSearch endpoint via a crafted HTTP GET to download and run a remote shell (rondo.
Mon, November 17, 2025
DoorDash Email Spoofing Bug and Disclosure Dispute
✉️ A vulnerability in DoorDash's DoorDash for Business platform allowed an attacker to create a free account, add an 'Employee' entry containing arbitrary HTML in a budget name field, and send emails that appeared to originate from no-reply@doordash.com using official templates. The researcher known as doublezero7 supplied a proof-of-concept showing stored HTML rendered in outgoing messages, enabling persuasive phishing. DoorDash patched the flaw after public pressure, and a dispute over disclosure and alleged extortion followed.
Mon, November 17, 2025
Akira Ransomware Expands to Nutanix AHV and Linux Servers
⚠️ CISA, the FBI and international partners warn that the Akira ransomware gang has extended its attack surface beyond Windows, VMware ESXi and Hyper‑V to now target Nutanix AHV and Linux servers. The group exploits exposed VPNs, unpatched network appliances and backup platforms, rapidly exfiltrates data and employs a double‑extortion model. Akira uses tunneling tools like Ngrok, abuses remote‑access software (AnyDesk, LogMeIn), and encrypts files with ChaCha20 and RSA before leaking stolen data. Organizations should prioritize MFA, timely patching, segmented networks and protection of backup and hypervisor consoles.
Sun, November 16, 2025
Microsoft Patch Tuesday — November 2025: 60+ Vulnerabilities
🔒 Microsoft released updates addressing more than 60 vulnerabilities across Windows and related products, including a zero-day memory-corruption bug (CVE-2025-62215) that is already being exploited. Microsoft rates this issue only "Important" because exploitation requires prior access to the target device. Other high-priority fixes include a 9.8-rated GDI+ vulnerability (CVE-2025-60274) and an Office remote-code-execution flaw (CVE-2025-62199). Windows 10 users should install the enrollment fix KB5071959 before applying subsequent updates.
Sat, November 15, 2025
Windows 10 KB5068781 ESU Update Fails With 0x800f0922
⚠️ Microsoft is investigating a bug that can cause the Windows 10 KB5068781 Extended Security Update to fail installation with error 0x800f0922 on devices licensed via Windows subscription activation. The update, released November 11 as the first ESU release, may appear to install but then roll back after a restart. Microsoft says the issue is isolated to activations through the Microsoft 365 Admin Center and has provided no ETA or workaround.
Sat, November 15, 2025
RondoDox Exploits XWiki Flaw to Rapidly Expand Botnet
⚠️ RondoDox has been observed exploiting unpatched XWiki instances to weaponize a critical eval injection, CVE-2025-24893, enabling arbitrary remote code execution via the /bin/get/Main/SolrSearch endpoint. The flaw was patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1 in late February 2025, but scanning and exploitation surged in November, including botnet-driven DDoS and cryptocurrency miner deployments. Security vendors noted spikes in activity on November 7 and November 11 and observed RondoDox adding this vector on November 3, 2025. Administrators should apply vendor patches immediately and review logs and network traffic for indicators of compromise.
Fri, November 14, 2025
ShadowMQ Deserialization Flaws in Major AI Inference Engines
⚠️ Oligo Security researcher Avi Lumelsky disclosed a widespread insecure-deserialization pattern dubbed ShadowMQ that affects major AI inference engines including vLLM, NVIDIA TensorRT-LLM, Microsoft Sarathi-Serve, Modular Max Server and SGLang. The root cause is using ZeroMQ's recv_pyobj() to deserialize network input with Python's pickle, permitting remote arbitrary code execution. Patches vary: some projects fixed the issue, others remain partially addressed or unpatched, and mitigations include applying updates, removing exposed ZMQ sockets, and auditing code for unsafe deserialization.
Fri, November 14, 2025
Copy-Paste RCE Flaw Impacts Major AI Inference Servers
🔒 Cybersecurity researchers disclosed a chain of remote code execution (RCE) vulnerabilities affecting AI inference frameworks from Meta, NVIDIA, Microsoft and open-source projects such as vLLM and SGLang. The flaws stem from reused code that called ZeroMQ's recv_pyobj() and passed the received data directly into Python's pickle.loads(), enabling unauthenticated RCE over exposed sockets. Vendors have released patches replacing unsafe pickle usage with JSON-based serialization and adding authentication and transport protections. Operators are urged to upgrade to patched releases, harden ZMQ channels, restrict network exposure, and avoid deserializing untrusted data.
Fri, November 14, 2025
Fortinet FortiWeb Path Traversal Vulnerability Alert
⚠️ Fortinet has released an advisory for FortiWeb addressing CVE-2025-64446, a CWE-23 relative path traversal that can allow unauthenticated actors to execute administrative commands via crafted HTTP/HTTPS requests. Affected releases include multiple 7.x and 8.x versions; Fortinet provides specific upgrade targets (8.0.2+, 7.6.5+, 7.4.10+, 7.2.12+, 7.0.12+). If immediate upgrades are not possible, disable HTTP/HTTPS on internet-facing interfaces and, after remediation, review configurations and logs for unexpected modifications or unauthorized administrator accounts.
Fri, November 14, 2025
ASUS Warns of Critical Auth-Bypass in DSL Routers
⚠️ ASUS has released new firmware to patch a critical authentication bypass vulnerability tracked as CVE-2025-59367 that enables remote, unauthenticated attackers to log into vulnerable DSL routers exposed online. The update — firmware 1.1.2.3_1010 — addresses the issue for DSL-AC51, DSL-N16, and DSL-AC750. ASUS urges users to install the update immediately and, if they cannot, to disable Internet-facing services (remote access, port forwarding, DDNS, VPN server, DMZ, FTP) and use strong, unique passwords as temporary mitigations.
Fri, November 14, 2025
Authentication Bypass in Fortinet FortiWeb Actively Exploited
🚨 Researchers report an authentication bypass in Fortinet FortiWeb that is being actively exploited in the wild, allowing attackers to create privileged administrator accounts and fully compromise devices. watchTowr reproduced the issue and released a proof-of-concept along with an artifact generator to help identify vulnerable appliances. The flaw is patched in FortiWeb 8.0.2, but Fortinet has not published a PSIRT advisory or assigned a CVE, and Rapid7 urges emergency patching for older versions.
Fri, November 14, 2025
FortiWeb Path Traversal Flaw Allows Admin Account Creation
⚠️ A path traversal vulnerability in Fortinet FortiWeb appliances is being actively exploited to create local administrative users without authentication. Researchers from Defused and PwnDefend described requests targeting the /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi endpoint that inject admin accounts. Rapid7 and others confirm versions 8.0.1 and earlier are affected, while 8.0.2 is believed to contain the fix. Administrators are urged to update immediately, review logs for fwbcgi access, and search for unexpected admin accounts.
Thu, November 13, 2025
RCE Flaw in ImunifyAV Threatens Millions of Hosted Sites
⚠️ ImunifyAV, a widely used Linux malware scanner, contains a remote code execution flaw in its AI-bolit component affecting versions prior to 32.7.4.0. The vulnerability is rooted in unsafe use of call_user_func_array during deobfuscation, which can execute attacker-supplied PHP function names when the scanner performs active unpacking. CloudLinux released fixes in late October and backported them on November 10; administrators should update to 32.7.4.0 or newer immediately to mitigate risk.
Thu, November 13, 2025
Rust in Android: Faster Development and Fewer Bugs
🦀 Rust adoption in Android is delivering both security and speed gains, with 2025 data showing memory-safety flaws falling below 20% of total vulnerabilities. Android reports a ~1000x reduction in memory-safety vulnerability density for Rust versus C/C++, plus 20% fewer revisions, 25% shorter code review time, and a ~4x lower rollback rate. Expansion includes kernel, firmware, and first-party apps; a near-miss CVE was fixed pre-release and led to improved allocator crash reporting and additional unsafe-Rust training.
Thu, November 13, 2025
Amazon RDS for PostgreSQL: New Minor Versions Available
🐘 Amazon RDS for PostgreSQL now supports minor versions 17.7, 16.11, 15.15, 14.20, and 13.23; AWS recommends upgrading to address known security vulnerabilities and receive community bug fixes. The release adds the pgcollection extension for RDS PostgreSQL 15.15 and above (including 16.11 and 17.7), providing an ordered, efficient key-value collection type usable inside PostgreSQL functions to speed in-memory data processing. Extension updates include pg_tle 1.5.2 and H3_PG 4.2.3, and operators can use automatic minor version upgrades or Blue/Green deployments to minimize disruption during upgrades.
Thu, November 13, 2025
CISA Orders Feds to Patch Actively Exploited Cisco Flaws
🔒 CISA has ordered U.S. federal agencies to fully patch two actively exploited vulnerabilities in Cisco firewall appliances within 24 hours. Tracked as CVE-2025-20362 and CVE-2025-20333, the flaws permit unauthenticated access to restricted URL endpoints and remote code execution; chained together they can yield full device takeover. The agency emphasized applying the latest updates to all ASA and Firepower devices immediately, not just Internet-facing units.
Thu, November 13, 2025
CISA Updates Advisory: Akira Ransomware Evolution Update
🔐 CISA and partner agencies published an updated advisory on Nov. 13, 2025, detailing new indicators, tactics, and detection guidance related to Akira ransomware. The update documents expanded targeting across Manufacturing, Education, IT, Healthcare, Financial, and Food and Agriculture, and links activity to groups such as Storm-1567 and Punk Spider. Key findings include exploitation of edge and backup vulnerabilities, use of remote management tools for defense evasion, and a faster, more destructive Akira_v2 variant that complicates recovery.
Thu, November 13, 2025
Siemens SICAM P850/P855: CSRF and Session Token Flaws
🔒 Siemens reported Cross-Site Request Forgery and incorrect permission assignment vulnerabilities affecting SICAM P850 and P855 devices (versions prior to 3.11). Exploitation could allow attackers to perform actions as authenticated users or impersonate sessions. Siemens recommends updating to v3.11+, restricting TCP/443 to trusted IPs, and hardening network access; CISA advises isolating control networks and avoiding internet exposure.