
All news with #vulnerability disclosure tag


Out-of-Bounds Write in GDCM DICOM Library (CVE-2025-11266)

🔒 A vulnerability in the Grassroots DICOM (GDCM) library (CVE-2025-11266) allows an out-of-bounds write when parsing malformed encapsulated PixelData fragments. Exploitation can trigger a segmentation fault and a denial-of-service simply by opening a crafted DICOM file. Affected projects include GDCM (<=3.0.24), SimpleITK (<=2.5.2) and medInria (<=4.0). Users should update GDCM to v3.2.2 or later and apply vendor fixes; CISA also recommends isolating systems and minimizing network exposure.

Siemens Energy Services G5 Authentication Bypass Advisory

🔒 Siemens Energy Services Elspec G5 devices (firmware up to 1.2.2.19) contain an authentication bypass that lets an attacker with physical access reset the Admin password by inserting a USB drive with a documented reset string. The flaw is tracked as CVE-2025-59392 (CVSS v4: 7.0; CVSS v3.1: 6.8) and is not remotely exploitable. Siemens recommends updating to V1.2.3.13 or later and following operational security guidance.

OpenPLC_V3 CSRF Vulnerability Allows Remote Changes

⚠ OpenPLC_V3 contains a Cross‑Site Request Forgery (CSRF) vulnerability that can be exploited remotely to modify PLC settings or upload malicious programs. Tracked as CVE-2025-13970, the issue affects versions prior to pull request #310 and results from missing CSRF validation. A CVSS v4 score of 7.0 (and v3 base 8.0) was calculated. Apply pull request #310 or later to mitigate this risk and limit network exposure of control devices.

Johnson Controls iSTAR Controllers: OS Command Injection

🔒 Johnson Controls disclosed two OS command injection vulnerabilities (CVE-2025-43873, CVE-2025-43874) affecting multiple iSTAR Ultra, iSTAR Ultra G2, and iSTAR Edge G2 door controller firmware versions. Successful exploitation could allow remote attackers to execute OS commands, modify firmware, and gain full device control. Both issues are rated high severity (CVSS v3.1 8.8; CVSS v4 8.7) and are exploitable with low attack complexity. Users are advised to apply vendor firmware updates and reduce network exposure immediately.

CISA Adds GeoServer XXE (CVE-2025-58360) to KEV Catalog

🔔 CISA has added CVE-2025-58360 — an OSGeo GeoServer XML External Entity (XXE) vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The issue involves improper restriction of XML External Entity references, a common vector attackers use to access sensitive data or cause service disruption. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by required due dates; CISA also urges all organizations to prioritize timely patching, mitigations, and monitoring. CISA will continue updating the KEV Catalog as additional exploited CVEs meet its criteria.

Johnson Controls iSTAR: Remote OS Command Flaws Discovery

🔒 Johnson Controls disclosed two command-injection vulnerabilities in its iSTAR series (CVE-2025-43875, CVE-2025-43876). Both are classified as CWE-78 and carry high severity (CVSS v3.1 8.8; CVSS v4 8.7), exploitable remotely with low complexity. Johnson Controls and CISA advise upgrading affected devices to the fixed firmware and applying network isolation and secure remote-access controls.

CISA Releases 12 ICS Advisories Covering Multiple Vendors

🔔 CISA released 12 Industrial Control Systems (ICS) advisories detailing vulnerabilities and mitigation guidance across multiple vendors, including Johnson Controls, Siemens, and AzeoTech. The notices call out specific products such as iSTAR, SINEMA Remote Connect Server, and DAQFactory, plus open-source and medical-imaging components. Administrators and operators are encouraged to review the technical details and apply recommended mitigations to reduce exploitation risk.

Unpatched Gogs Zero-Day Actively Exploited on 700+ Hosts

⚠️ A high-severity unpatched vulnerability in Gogs (tracked as CVE-2025-8110, CVSS 8.7) is under active exploitation, with Wiz reporting more than 700 compromised internet-facing instances. The flaw is a file-overwrite bug in the PutContents API that mishandles symbolic links, enabling attackers to overwrite arbitrary files and achieve local code execution. A vendor fix is reportedly in development; operators should disable open registration, limit exposure, and scan for randomly named repositories.

Hard-coded Gladinet Keys Enable Active Exploitation

🔐 Huntress warns that hard-coded cryptographic keys in Gladinet CentreStack and Triofox allow attackers to decrypt or forge access tickets, exposing sensitive files such as web.config. The flaw stems from a function that returns the same 100-byte strings to derive persistent keys, enabling indefinite reuse of crafted URLs to download server configuration. Organisations should update to version 16.12.10420.56791 and rotate machine keys immediately.

UK and Portugal Move to Protect Security Researchers

🔒 Governments in the UK and Portugal have introduced proposals and legislation to provide legal protection for computer security researchers, recognizing that outdated laws can deter responsible vulnerability testing. UK security minister Dan Jarvis proposed amending the 1990 Computer Misuse Act to create a statutory defense for good-faith research that meets defined safeguards. Portugal's new law similarly shields researchers who do not seek financial advantage and who respect data protection rules, aligning with measures already adopted in the Netherlands, France, and Belgium.

Apache Tika XXE Flaw Expanded; Critical Patch Urged

⚠️ Apache Tika maintainers warn that an XML External Entity (XXE) vulnerability originally disclosed in August (CVE-2025-54988) is broader than first reported and is now covered by a superset CVE (CVE-2025-66516). The issue affects tika-core, tika-parsers and the standalone tika-parser-pdf-module, and could allow attackers to read sensitive data or trigger requests to internal resources. Users are advised to upgrade to the patched releases or disable XML parsing via tika-config.xml to mitigate risk.

CISA Adds Two Vulnerabilities to Known Exploited Catalog

🔔 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2022-37055, a buffer overflow affecting D-Link routers, and CVE-2025-66644, an OS command injection in Array Networks ArrayOS AG. Both were included based on evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV entries by their due dates, and CISA urges all organizations to prioritize timely remediation and risk-reduction measures.

NCSC launches Proactive Notifications pilot for UK orgs

🔔 The UK National Cyber Security Centre (NCSC) is piloting Proactive Notifications, a service delivered via Netcraft that scans publicly available internet data to identify exposed software and missing security services. The NCSC will email affected organizations — messages originate from netcraft.com, contain no attachments, and do not request payments or personal data. The pilot covers UK domains and IPs on UK ASNs and focuses on notifying about specific CVEs and general weaknesses like weak encryption.

Socomec DIRIS Digiware M Series and PDF XChange Flaws

🔒 Cisco Talos disclosed an out‑of‑bounds read in PDF‑XChange Editor (CVE‑2025‑58113) and ten vulnerabilities affecting Socomec DIRIS Digiware M series and Easy Config. The issues range from information disclosure and authentication bypass to multiple denial‑of‑service and buffer overflow flaws. Vendors have released patches; administrators should apply updates and deploy Snort rules to detect exploitation.

Critical React4Shell RSC Vulnerability CVE-2025-55182

🛡️ A critical remote code execution flaw, CVE-2025-55182 (React4Shell), was disclosed affecting React Server Components and multiple derivatives including Next.js, React Router RSC preview, and several bundler plugins. The bug arises from unsafe deserialization of Flight protocol payloads and permits unauthenticated HTTP requests to execute code on vulnerable servers. Immediate updating to the patched React and Next.js releases, plus deployment of WAF rules and access restrictions, is strongly recommended.

Critical React2Shell RCE Affects React and Next.js Servers

🚨 React and Next.js applications are affected by a maximum-severity deserialization vulnerability dubbed React2Shell, which enables unauthenticated remote code execution via the React Server Components (RSC) "Flight" protocol. Discovered by researcher Lachlan Davidson and reported on November 29, the flaw received a 10/10 severity rating and has been assigned CVE-2025-55182 for React (Next.js received CVE-2025-66478, later rejected by the NVD). Affected default packages include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, and researchers warn many deployments are exploitable without additional misconfiguration. Developers should apply the published patches and audit environments immediately.

CISA Releases Nine ICS Advisories for Multiple Vendors

🔔 On December 4, 2025, CISA published nine Industrial Control Systems advisories addressing vulnerabilities in products from Mitsubishi Electric, MAXHUB, Johnson Controls, Sunbird, SolisCloud, and Advantech. The release also includes updated advisories for Consilium Safety CS5000 and Johnson Controls FX families. Each advisory provides technical details, affected versions, and recommended mitigations. Administrators are encouraged to review the advisories and apply vendor guidance promptly.

Sunbird DCIM dcTrack and Power IQ: Critical Flaws (2025)

🔒 CISA warns of two critical vulnerabilities in Sunbird DCIM dcTrack and Power IQ appliances that could enable unauthorized access or credential theft. One is an authentication bypass via alternate remote-access channels (CVE-2025-66238); the other involves hard‑coded/default credentials (CVE-2025-66237) with a CVSS v4 high score of 8.4. Sunbird has released fixes (dcTrack 9.2.3, Power IQ 9.2.1); until systems are updated, CISA recommends restricting SSH and nonessential ports, changing deployment passwords, isolating control networks behind firewalls, and using secure VPNs for remote access.

MAXHUB Pivot Weak Password Reset Vulnerability Advisory

🚨 A weak password recovery mechanism in MAXHUB Pivot client allows remote attackers to request password resets and potentially take over accounts. MAXHUB reports all Pivot client versions prior to v1.36.2 are affected and has released v1.36.2 to address the issue. CISA assigned CVE-2025-53704 and rates the flaw high severity (CVSS v4 8.7) with low attack complexity. Administrators should apply the update and follow recommended network-segmentation and access controls to reduce exposure.

SolisCloud API Authorization Bypass Affects Monitoring

⚠️ CISA warns of an authorization bypass (IDOR) in the SolisCloud Monitoring Platform affecting Cloud API and Device Control API v1 and v2. An authenticated user can access detailed plant data by manipulating the plant_id parameter, exposing sensitive information. The issue is tracked as CVE-2025-13932 with a CVSS v4 score of 8.3 and is remotely exploitable with low complexity. SolisCloud has not engaged with CISA; users should limit network exposure and follow CISA mitigation guidance.