All news with #security advisory tag

Mon, October 27, 2025

QNAP: NetBak PC Backup Affected by Critical ASP.NET Flaw

🔔 QNAP has warned that its NetBak PC Agent, a Windows backup utility, may ship with an ASP.NET Core runtime affected by CVE-2025-55315. The flaw resides in the Kestrel ASP.NET Core web server and can allow low-privileged attackers to hijack other users' credentials or bypass front-end security controls via HTTP request smuggling. QNAP recommends reinstalling the app or manually installing the latest ASP.NET Core Runtime (Hosting Bundle) from the .NET 8.0 downloads to secure affected systems.

Mon, October 27, 2025

X Tells Security Key Users to Re-enroll by Nov 10, 2025

🔐 X is asking users who registered passkeys or hardware security keys (for example, YubiKey) as their two-factor authentication method to re-enroll their key by November 10, 2025. The company says current key enrollments are tied to the twitter[.]com domain and must be associated with x[.]com before the legacy domain can be retired. Accounts not re-enrolled will be locked until users re-enroll, choose a different 2FA method, or opt out of 2FA.

Mon, October 27, 2025

CISA orders patch for critical WSUS RCE exploited now

🔔 CISA ordered U.S. federal agencies to urgently patch a critical, actively exploited Windows Server Update Services vulnerability (CVE-2025-59287) that enables unauthenticated remote code execution with SYSTEM privileges. Microsoft released out-of-band security updates after proof-of-concept exploit code appeared, and administrators are urged to install them immediately or disable the WSUS Server role as an interim mitigation. Security firms reported scanning and attacks against WSUS instances exposed on default ports 8530/8531, and CISA has added the flaw to its Known Exploited Vulnerabilities catalog, mandating federal patching under BOD 22-01.

Mon, October 27, 2025

Critical WordPress Plugin Flaws Exploited at Scale Globally

🔴 Wordfence warns that threat actors are actively exploiting three critical 2024 CVEs in popular WordPress plugins, GutenKit and Hunk Companion, which report more than 40,000 and 8,000 active installations respectively. The vulnerabilities permit unauthenticated attackers to install and activate arbitrary plugins or upload spoofed plugin files, enabling remote code execution (RCE) and straightforward site takeover when exploited or chained with other flaws. Discovered via Wordfence's bug bounty in late September and early October, the campaign reignited on 8 October and the vendor has already blocked nearly 8.8 million exploitation attempts while urging administrators to update or remove affected versions.

Fri, October 24, 2025

Critical Microsoft WSUS RCE Flaw Exploited in Wild Now

⚠️ Microsoft released out-of-band updates to fully remediate a critical deserialization vulnerability in Windows Server Update Service (WSUS), tracked as CVE-2025-59287. The initial Oct. 14 fixes were incomplete, prompting emergency patches for multiple Windows Server versions. Exploitation in the wild was reported after a public proof-of-concept was published, allowing remote code execution as SYSTEM on affected servers.

Fri, October 24, 2025

Mass Attacks Exploit Outdated WordPress Plugins in 2024

🔒 A large-scale campaign is exploiting outdated GutenKit and Hunk Companion WordPress plugins to achieve remote code execution by chaining unauthenticated or missing-authorization REST endpoint flaws (CVE-2024-9234, CVE-2024-9707, CVE-2024-11972). Wordfence observed 8.7 million blocked attempts across October 8–9. Attackers host a malicious ZIP plugin on GitHub that installs backdoors, and often drop the vulnerable wp-query-console plugin to gain RCE. Administrators should update affected plugins and scan for indicators of compromise immediately.

Fri, October 24, 2025

Microsoft issues emergency WSUS patch for critical RCE

⚠️ Microsoft released an out-of-band security update to address a critical WSUS remote code execution vulnerability, CVE-2025-59287 (CVSS 9.8). The flaw stems from unsafe deserialization of AuthorizationCookie objects at the GetCookie() endpoint, where AES-128-CBC-encrypted cookie payloads are decrypted and deserialized via BinaryFormatter without type validation, enabling SYSTEM-level code execution on servers running the WSUS role. Microsoft published updates for supported Windows Server releases and recommends installing the patch and rebooting; short-term mitigations include disabling the WSUS role or blocking TCP ports 8530 and 8531.

Fri, October 24, 2025

Critical WSUS RCE Flaw in Windows Server Exploited Now

⚠️ Microsoft confirmed attackers are exploiting a critical Windows Server Update Service vulnerability tracked as CVE-2025-59287, a remote code execution flaw that affects servers running the WSUS Server role when configured as an update source for other WSUS servers. The bug can be abused remotely with low complexity and no user interaction to run code as SYSTEM, raising concerns that it is wormable. Microsoft released out-of-band patches for all affected Windows Server versions and advised immediate installation or temporary disabling of the WSUS Server role; public proof-of-concept code and active scanning have been observed in the wild.

Fri, October 24, 2025

CISA Adds Two Vulnerabilities to Known Exploited Catalog

🔔 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation: CVE-2025-54236, affecting Adobe Commerce and Magento, and CVE-2025-59287, affecting Microsoft Windows Server Update Services (WSUS). The issues—an improper input validation flaw and a deserialization of untrusted data vulnerability—are common attack vectors that pose significant risk to enterprise networks. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by required due dates, and CISA strongly urges all organizations to prioritize timely remediation as part of their vulnerability management.

Fri, October 24, 2025

Microsoft Releases Out-of-Band WSUS Patch for CVE-2025-59287

⚠️ Microsoft released an out-of-band security update (October 23, 2025) to remediate a critical Windows Server Update Service (WSUS) remote code execution vulnerability, CVE-2025-59287, after a prior fix proved incomplete. The flaw affects WSUS on Windows Server 2012, 2016, 2019, 2022, and 2025 and could allow an unauthenticated actor to execute code with SYSTEM privileges. CISA urges organizations to identify affected WSUS servers, apply the update and reboot, or temporarily disable the WSUS Server Role or block inbound TCP ports 8530/8531 as mitigations until the patch is installed.

Fri, October 24, 2025

ToolShell Exploit Drives Surge in SharePoint Attacks

🛡️ Cisco Talos reports a rapid rise in exploitation of public-facing applications following the mid-July 2025 disclosure of the ToolShell chain, which targets on-premises Microsoft SharePoint servers via CVE-2025-53770 and CVE-2025-53771. In Q3, application exploitation featured in over 60% of Talos Incident Response engagements, with ToolShell activity implicated in nearly 40% of cases. Talos urges expedited patching and network segmentation to limit lateral movement and downstream impacts such as ransomware.

Fri, October 24, 2025

Microsoft issues emergency WSUS updates for critical RCE

⚠️ Microsoft has released out-of-band security updates to remediate a critical WSUS vulnerability tracked as CVE-2025-59287. The flaw affects only Windows servers with the WSUS Server Role enabled and allows remote, unauthenticated attackers to execute code as SYSTEM in low-complexity attacks without user interaction. Microsoft published cumulative KB updates for all affected Server builds and requires a reboot; administrators who cannot patch immediately are advised to disable the WSUS role or block TCP ports 8530/8531 as temporary mitigations.

Thu, October 23, 2025

HP Pulls Update That Broke Entra ID Auth on AI PCs

⚠️ HP has pulled an over-the-air update to HP OneAgent for Windows 11 after a cleanup script removed Microsoft certificates required for some organizations to authenticate to Microsoft Entra ID. The silent update deployed on HP AI PCs ran package SP161710 and an install.cmd that deleted any certificate containing the substring "1E", producing false positives. Affected devices disconnected from Entra ID/Intune; HP says the update is no longer available and is assisting impacted customers.

Thu, October 23, 2025

CISA Warns of Critical Lanscope Endpoint Manager Flaw

⚠️ CISA warns that attackers are exploiting a critical flaw (CVE-2025-61932) in Motex's Lanscope Endpoint Manager, enabling unauthenticated remote code execution via specially crafted packets. The issue affects client components in versions 9.4.7.2 and earlier; Motex has released patched client builds and noted that the manager components do not require updates. No mitigations are available other than installing the vendor updates; CISA added the flaw to its KEV catalog with a Nov. 12 remediation deadline for federal agencies.

Thu, October 23, 2025

Microsoft Disables Explorer Preview for Internet Files

🔒 Microsoft has updated File Explorer to disable the preview pane by default for files downloaded from the Internet or marked with the Mark of the Web. The change, included in Windows security updates released on and after October 14, 2025, is designed to block exploits that can leak NTLM hashes when previewed documents reference external resources. When preview is blocked, File Explorer shows a warning and users can manually unblock trusted files via Properties > Unblock or add the location to Trusted sites/Local intranet; a sign-out may be required for the change to take effect.

Thu, October 23, 2025

Microsoft Blocks Ransomware Campaign Targeting Teams Users

🛡️ Microsoft said it disrupted a ransomware campaign that used fake Teams installers to deliver a backdoor and prepare for encryption operations. Attackers lured victims with impersonated MSTeamsSetup.exe files hosted on malicious domains, which installed a loader and a fraudulently signed Oyster backdoor. The group identified as Vanilla Tempest intended to follow with Rhysida ransomware. Microsoft revoked over 200 fraudulent code-signing certificates and says a fully enabled Defender Antivirus will block the threat.

Thu, October 23, 2025

AutomationDirect Productivity Suite: Multiple High-Risk Flaws

⚠️ AutomationDirect's Productivity Suite and several Productivity PLC models contain multiple high-severity vulnerabilities — including relative path traversal (ZipSlip), a weak password recovery mechanism, incorrect permission assignment, and binding to an unrestricted IP address. Exploitation could allow remote attackers to read, write, or delete files, execute arbitrary code, or gain full control of projects. AutomationDirect has released updates (Productivity Suite v4.5.0.x and newer) and recommends applying the latest firmware and implementing network isolation and firewall/NAC controls if immediate upgrades are not possible.

Thu, October 23, 2025

ASKI Energy ALS-Mini S4/S8: Missing Authentication Flaw

⚠️ An unauthenticated access vulnerability in the embedded web server of ASKI Energy ALS-Mini-S4 and ALS-Mini-S8 IP controllers allows remote actors to read and modify device configuration, potentially yielding full control. Tracked as CVE-2025-9574, the issue is a Missing Authentication for Critical Function (CWE-306) with a CVSS v4 base score of 9.9. ABB reports these products reached end of life in 2022 and will not be patched; operators should remove internet exposure, place devices behind firewalls or secure proxies that enforce authentication and logging, restrict access to whitelisted IPs, monitor for unauthorized access with IDS/IPS, or physically disconnect the Ethernet port if web features are not required.

Thu, October 23, 2025

Delta ASDA-Soft Stack Overflow Vulnerabilities (2025)

⚠️ Delta Electronics' ASDA-Soft contains two stack-based buffer overflow vulnerabilities (CVE-2025-62579, CVE-2025-62580) affecting versions 7.0.2.0 and earlier. Both issues were assigned a CVSS v4 base score of 8.4 and can allow writing outside the intended stack buffer when a valid user opens a crafted project file. Exploitation requires local access and user interaction; no public exploitation has been reported to CISA. Delta has released ASDA-Soft v7.1.1.0 and users should update and apply network isolation and standard email/attachment precautions.

Thu, October 23, 2025

Veeder-Root TLS4B: Remote Command Injection and 2038 Bug

🔒 Veeder-Root's TLS4B Automatic Tank Gauge System contains two serious vulnerabilities: a SOAP-based command injection (CVE-2025-58428) that allows remote authenticated attackers to execute system-level commands, and an integer overflow/2038 time wraparound (CVE-2025-55067) that can disrupt authentication and core functions. The command injection carries very high severity (CVSS v3.1 9.9 / CVSS v4 9.4); Veeder-Root recommends upgrading to Version 11.A. For the time-related overflow, Veeder-Root is developing a patch and advises applying network-security best practices, isolating devices, and restricting access until a fix is available.