CISO Brief

All news with #vulnerability disclosure tag

401 articles · page 11 of 21

CSA warns of critical RCE in SmarterMail email server

⚠️ The Cyber Security Agency of Singapore (CSA) has warned of a maximum-severity vulnerability, CVE-2025-52691 (CVSS 10.0), in SmarterTools SmarterMail that permits unauthenticated arbitrary file uploads and could enable remote code execution. The flaw affects builds 9406 and earlier and was fixed in Build 9413 (Oct 9, 2025); CSA recommends updating to Build 9483 (Dec 18, 2025). While no active exploitation has been reported, administrators should apply the vendor update promptly to mitigate the risk of web shells or malicious binaries being deployed and executed with SmarterMail service privileges.

CISA Orders Agencies to Patch High-Severity MongoDB Flaw

🔒 CISA has ordered federal civilian agencies to secure systems against MongoBleed (CVE-2025-14847), a high-severity MongoDB Server vulnerability patched on December 19, 2025. The flaw, rooted in how the server uses the zlib compression library, can be exploited by unauthenticated actors to leak credentials, API/cloud keys, session tokens, logs, and PII. An Elastic researcher released a PoC and telemetry shows tens of thousands of potentially vulnerable instances; agencies must patch by January 19, 2026, or apply vendor mitigations or temporarily disable zlib until updates can be deployed.

Critical Bluetooth Authentication Flaw in WHILL Wheelchairs

🔒 WHILL Inc. electric wheelchairs (Model C2 and Model F) are affected by a critical Bluetooth authentication vulnerability, CVE-2025-14346, that allows an attacker within wireless range to pair without credentials and issue movement and configuration commands. The flaw carries a CVSS v3.1 base score of 9.8 (CRITICAL) and is classified as CWE-306 Missing Authentication for Critical Function. WHILL deployed mitigations on 29 December 2025 that restrict unlock commands during motion, protect speed profiles, and obfuscate application JSON configuration files on Android and iOS.

Traditional Security Frameworks Fail Against AI Threats

🔒 Traditional security frameworks like NIST CSF, ISO 27001, and CIS Controls were designed for legacy IT assets and do not map cleanly to AI-specific risks. Recent incidents — including the December 2024 Ultralytics compromise, ChatGPT memory-extraction flaws across 2024, and August 2025 malicious Nx packages — show organizations can meet compliance yet remain exposed. The article argues security teams must adopt AI-tailored controls such as prompt validation, model integrity verification, semantic DLP, and AI-focused red teaming.

CISA Issues Mitsubishi Electric ICS Advisory Update

⚠️ CISA has published an updated Industrial Control Systems advisory, ICSA-25-177-01 (Update B), addressing multiple vulnerabilities affecting Mitsubishi Electric air conditioning systems and associated operational components. The advisory outlines technical findings, potential impacts to building automation and HVAC control networks, and prioritized mitigation steps. Administrators and operators should review the guidance promptly, apply vendor updates where available, and implement network segmentation and enhanced monitoring to reduce risk.

CISA Adds One KEV: CVE-2023-52163 for Digiever DS-2105

⚠️ CISA has added CVE-2023-52163 — a missing authorization flaw in Digiever DS-2105 Pro — to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate cataloged vulnerabilities by specified due dates, and CISA emphasizes this entry represents a common and significant attack vector. While the binding directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation and incorporate this KEV into their vulnerability management processes.

WatchGuard Warns of Actively Exploited RCE in Firebox

🔒 WatchGuard has issued an urgent advisory for a critical remote code execution vulnerability (CVE-2025-14733) affecting Firebox appliances running Fireware OS 11.x, 12.x and 2025.1 releases. The flaw enables unauthenticated attackers to execute code via an out-of-bounds write when IKEv2 VPN is enabled. WatchGuard reports active exploitation in the wild and provides a temporary workaround for Branch Office VPN configurations where immediate patching is not possible. Administrators are urged to apply vendor updates and review provided indicators of compromise.

UEFI IOMMU Flaw Lets Early-Boot DMA Bypass on Motherboards

⚠️ Certain motherboard models from vendors including ASRock, ASUS, GIGABYTE, and MSI are affected by a firmware flaw that reports DMA protection as active but fails to initialize the IOMMU during early boot. That discrepancy allows a physically present attacker with a DMA-capable PCIe device to read or modify system memory and potentially enable pre-boot code injection before OS protections load. CERT/CC warned that the gap undermines boot integrity and permits access to sensitive memory. Affected vendors have released firmware updates to correct the IOMMU initialization sequence; users and administrators should apply patches promptly.

CISA Releases Nine ICS Advisories Covering Multiple Vendors

🔔 CISA published nine Industrial Control Systems (ICS) advisories on 2025-12-18 that detail current security issues, vulnerabilities, and known exploits affecting a range of vendors and products. The advisories cover Inductive Automation Ignition, Schneider Electric EcoStruxure Foxboro DCS Advisor, National Instruments LabVIEW, Mitsubishi Electric components, Siemens IP-Stack, Advantech WebAccess/SCADA, Rockwell Automation Micro controllers, Axis Communications Camera Station offerings, and an updated notice for Mitsubishi Electric CNC Series (Update C). Each advisory provides technical details, impact assessments, and recommended mitigations for administrators and asset owners. CISA urges users to review the advisories promptly and implement the suggested mitigations to reduce operational risk.

Cisco Talos: Libbiosig, Grassroot DiCoM, and step-ca Flaws

🔔 Cisco Talos disclosed multiple vulnerabilities affecting libbiosig, Grassroot DiCoM, and Smallstep step-ca. The issues include stack-based buffer overflows in libbiosig’s MFER parser that may allow arbitrary code execution, several out-of-bounds reads in DiCoM that can leak sensitive data, and an authentication bypass in step-ca enabling unauthorized certificate issuance. Vendors have released patches in accordance with Cisco’s disclosure policy; administrators should apply updates promptly and obtain the latest Snort rule sets to detect exploitation attempts.

CISA Adds Three CVEs to Known Exploited Vulnerabilities

🔔 CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The entries are CVE-2025-20393 (Cisco multiple products, improper input validation), CVE-2025-40602 (SonicWall SMA1000, missing authorization), and CVE-2025-59374 (ASUS Live Update, embedded malicious code). These flaws are frequent attack vectors that pose significant risks to federal and nonfederal organizations. Agencies covered by BOD 22-01 must remediate by the required due dates; CISA urges all organizations to prioritize mitigation.

JumpCloud Windows Agent Flaw Enables SYSTEM Escalation

⚠️ Security researchers have identified a critical vulnerability (CVE-2025-34352) in the JumpCloud Remote Assist Windows agent that allows low-privileged local users to escalate to NT AUTHORITY\SYSTEM or trigger denial-of-service during uninstallation. The root cause is unsafe file operations in user-writable directories (notably %TEMP%), enabling link-following attacks that redirect privileged actions. XM Cyber reported the issue and JumpCloud has released version 0.317.0 to address it — administrators should update affected endpoints immediately.

Güralp Web Interface DoS Vulnerability (CVE-2025-14466)

⚠️ A vulnerability in the web interface of Güralp Systems Fortimus, Minimus, and Certimus Series (CVE-2025-14466) allows an unauthenticated network attacker to send specially crafted HTTP requests that cause the web service process to restart. The restart produces a brief denial-of-service condition with a CVSS v3.1 base score of 5.3 (Medium). Güralp recommends operating affected systems behind a NAT or VPN firewall and contacting the vendor for further guidance. CISA advises minimizing network exposure, isolating control networks, and using secure, up-to-date remote access methods.

Hitachi Energy RADIUS MD5 Vulnerability (CVE-2024-3596)

⚠️ A critical vulnerability (CVE-2024-3596, CVSS 9.0) in Hitachi Energy AFS/AFR/AFF series RADIUS implementations allows a local attacker to forge valid RADIUS responses by exploiting an MD5 chosen-prefix collision against the response authenticator. Successful exploitation can compromise product data integrity and disrupt availability. Hitachi Energy recommends immediately enabling the RADIUS message authenticator option; vendor-specific CLI commands and MIB objects vary by product family.

CISA Releases Seven ICS Advisories on Multiple Products

🛡️ CISA has published seven new Industrial Control Systems advisories detailing vulnerabilities and guidance for affected products. The advisories cover Güralp Systems, Johnson Controls, Hitachi Energy, Mitsubishi Electric, and Fuji Electric, including updates to previously released notices. Administrators are urged to review technical details, apply vendor mitigations, and implement compensating controls to reduce operational risk.

Defending Against CVE-2025-55182 (React2Shell) RCE Threat

🔒 Microsoft Defender researchers describe CVE-2025-55182 (React2Shell), a critical pre-authentication remote code execution vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, a single crafted HTTP POST can result in server-side deserialization of attacker-controlled payloads and arbitrary code execution without authentication. Exploitation was observed beginning December 5, 2025, with attackers delivering coin miners, RATs, and other payloads across Windows and Linux environments. Microsoft urges immediate patching to published fixes, enabling Defender telemetry, and applying Azure WAF rules as compensating controls while broader detection coverage is deployed.

Microsoft Moves to 'In Scope by Default' for Vulnerabilities

🔒 Microsoft has shifted to 'In Scope by Default', making any critical vulnerability with a demonstrable impact on its online services—whether in Microsoft-owned code, third-party components, or open-source—eligible for bounty awards. Announced at Black Hat Europe, the policy expands eligibility across Microsoft domains and cloud services and invites coordinated disclosure under agreed rules of engagement. The company says the change aims to incentivize research on the highest-risk areas, while established Rules of Engagement prohibit credential misuse, phishing, disruptive DoS testing, and other harmful methods.

Attackers Exploit Gladinet CentreStack AES Key Flaw

🔐 Hackers are exploiting an undocumented cryptographic flaw in Gladinet's CentreStack and Triofox products that exposes hardcoded AES keys and enables remote code execution. Huntress researchers found static 100-byte strings in GladCtrl64.dll that produce identical encryption keys and IVs across installations, allowing attackers to decrypt or forge access tickets. Attackers have used this to retrieve web.config and abuse the machineKey with a ViewState deserialization flaw for RCE. Gladinet released patches and IoCs; customers should upgrade immediately and rotate machine keys.

Microsoft Bounty Program Now Covers All Service Flaws

🔒 Microsoft will now pay bounties for critical vulnerabilities that directly impact any of its online services, whether the flawed code is Microsoft-owned, third-party, or open source. Announced by Tom Gallagher at Black Hat Europe, the change makes all current and newly launched Microsoft online services in-scope by default. The move aims to steer researcher attention to high-risk areas and accelerate remediation. Microsoft said it paid over $17 million to security researchers in the past year.

Varex AJAT Panoramic Dental Imaging DLL Hijack Vulnerability

⚠️ CISA warns of a DLL hijacking (Uncontrolled Search Path Element, CWE-427) in AJAT Panoramic Dental Imaging Software from Varex Imaging (CVE-2024-22774). Versions prior to 6.6.1.490 may allow a local, low-complexity exploit that lets a standard user escalate to NT AUTHORITY\SYSTEM. Varex has released a patch; administrators should run AJAT_DENTAL_IMAGING_9.4.55.9888.exe on affected workstations and contact the vendor for assistance.