ciso brief

All news with #vulnerability disclosure tag

512 articles · page 17 of 26

Cisco Talos: Libbiosig, Grassroot DiCoM, and step-ca Flaws

🔔 Cisco Talos disclosed multiple vulnerabilities affecting libbiosig, Grassroot DiCoM, and Smallstep step-ca. The issues include stack-based buffer overflows in libbiosig’s MFER parser that may allow arbitrary code execution, several out-of-bounds reads in DiCoM that can leak sensitive data, and an authentication bypass in step-ca enabling unauthorized certificate issuance. Vendors have released patches in accordance with Cisco’s disclosure policy; administrators should apply updates promptly and obtain the latest Snort rule sets to detect exploitation attempts.

CISA Adds Three CVEs to Known Exploited Vulnerabilities

🔔 CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The entries are CVE-2025-20393 (Cisco multiple products, improper input validation), CVE-2025-40602 (SonicWall SMA1000, missing authorization), and CVE-2025-59374 (ASUS Live Update, embedded malicious code). These flaws are frequent attack vectors that pose significant risks to federal and nonfederal organizations. Agencies covered by BOD 22-01 must remediate by the required due dates; CISA urges all organizations to prioritize mitigation.

JumpCloud Windows Agent Flaw Enables SYSTEM Escalation

⚠️ Security researchers have identified a critical vulnerability (CVE-2025-34352) in the JumpCloud Remote Assist Windows agent that allows low-privileged local users to escalate to NT AUTHORITY\SYSTEM or trigger denial-of-service during uninstallation. The root cause is unsafe file operations in user-writable directories (notably %TEMP%), enabling link-following attacks that redirect privileged actions. XM Cyber reported the issue and JumpCloud has released version 0.317.0 to address it — administrators should update affected endpoints immediately.

Güralp Web Interface DoS Vulnerability (CVE-2025-14466)

⚠️ A vulnerability in the web interface of Güralp Systems Fortimus, Minimus, and Certimus Series (CVE-2025-14466) allows an unauthenticated network attacker to send specially crafted HTTP requests that cause the web service process to restart. The restart produces a brief denial-of-service condition with a CVSS v3.1 base score of 5.3 (Medium). Güralp recommends operating affected systems behind a NAT or VPN firewall and contacting the vendor for further guidance. CISA advises minimizing network exposure, isolating control networks, and using secure, up-to-date remote access methods.

Hitachi Energy RADIUS MD5 Vulnerability (CVE-2024-3596)

⚠️ A critical vulnerability (CVE-2024-3596, CVSS 9.0) in Hitachi Energy AFS/AFR/AFF series RADIUS implementations allows a local attacker to forge valid RADIUS responses by exploiting an MD5 chosen-prefix collision against the response authenticator. Successful exploitation can compromise product data integrity and disrupt availability. Hitachi Energy recommends immediately enabling the RADIUS message authenticator option; vendor-specific CLI commands and MIB objects vary by product family.

CISA Releases Seven ICS Advisories on Multiple Products

🛡️ CISA has published seven new Industrial Control Systems advisories detailing vulnerabilities and guidance for affected products. The advisories cover Güralp Systems, Johnson Controls, Hitachi Energy, Mitsubishi Electric, and Fuji Electric, including updates to previously released notices. Administrators are urged to review technical details, apply vendor mitigations, and implement compensating controls to reduce operational risk.

Defending Against CVE-2025-55182 (React2Shell) RCE Threat

🔒 Microsoft Defender researchers describe CVE-2025-55182 (React2Shell), a critical pre-authentication remote code execution vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, a single crafted HTTP POST can result in server-side deserialization of attacker-controlled payloads and arbitrary code execution without authentication. Exploitation was observed beginning December 5, 2025, with attackers delivering coin miners, RATs, and other payloads across Windows and Linux environments. Microsoft urges immediate patching to published fixes, enabling Defender telemetry, and applying Azure WAF rules as compensating controls while broader detection coverage is deployed.

Microsoft Moves to 'In Scope by Default' for Vulnerabilities

🔒 Microsoft has shifted to 'In Scope by Default', making any critical vulnerability with a demonstrable impact on its online services—whether in Microsoft-owned code, third-party components, or open-source—eligible for bounty awards. Announced at Black Hat Europe, the policy expands eligibility across Microsoft domains and cloud services and invites coordinated disclosure under agreed rules of engagement. The company says the change aims to incentivize research on the highest-risk areas, while established Rules of Engagement prohibit credential misuse, phishing, disruptive DoS testing, and other harmful methods.

Attackers Exploit Gladinet CentreStack AES Key Flaw

🔐 Hackers are exploiting an undocumented cryptographic flaw in Gladinet's CentreStack and Triofox products that exposes hardcoded AES keys and enables remote code execution. Huntress researchers found static 100-byte strings in GladCtrl64.dll that produce identical encryption keys and IVs across installations, allowing attackers to decrypt or forge access tickets. Attackers have used this to retrieve web.config and abuse the machineKey with a ViewState deserialization flaw for RCE. Gladinet released patches and IoCs; customers should upgrade immediately and rotate machine keys.

Microsoft Bounty Program Now Covers All Service Flaws

🔒 Microsoft will now pay bounties for critical vulnerabilities that directly impact any of its online services, whether the flawed code is Microsoft-owned, third-party, or open source. Announced by Tom Gallagher at Black Hat Europe, the change makes all current and newly launched Microsoft online services in-scope by default. The move aims to steer researcher attention to high-risk areas and accelerate remediation. Microsoft said it paid over $17 million to security researchers in the past year.

Johnson Controls iSTAR Controllers: OS Command Injection

🔒 Johnson Controls disclosed two OS command injection vulnerabilities (CVE-2025-43873, CVE-2025-43874) affecting multiple iSTAR Ultra, iSTAR Ultra G2, and iSTAR Edge G2 door controller firmware versions. Successful exploitation could allow remote attackers to execute OS commands, modify firmware, and gain full device control. Both issues are rated high severity (CVSS v3.1 8.8; CVSS v4 8.7) and are exploitable with low attack complexity. Users are advised to apply vendor firmware updates and reduce network exposure immediately.

Out-of-Bounds Write in GDCM DICOM Library (CVE-2025-11266)

🔒 A vulnerability in the Grassroots DICOM (GDCM) library (CVE-2025-11266) allows an out-of-bounds write when parsing malformed encapsulated PixelData fragments. Exploitation can trigger a segmentation fault and a denial-of-service simply by opening a crafted DICOM file. Affected projects include GDCM (<=3.0.24), SimpleITK (<=2.5.2) and medInria (<=4.0). Users should update GDCM to v3.2.2 or later and apply vendor fixes; CISA also recommends isolating systems and minimizing network exposure.

Siemens Energy Services G5 Authentication Bypass Advisory

🔒 Siemens Energy Services Elspec G5 devices (firmware up to 1.2.2.19) contain an authentication bypass that lets an attacker with physical access reset the Admin password by inserting a USB drive with a documented reset string. The flaw is tracked as CVE-2025-59392 (CVSS v4: 7.0; CVSS v3.1: 6.8) and is not remotely exploitable. Siemens recommends updating to V1.2.3.13 or later and following operational security guidance.

Johnson Controls iSTAR: Remote OS Command Flaws Discovery

🔒 Johnson Controls disclosed two command-injection vulnerabilities in its iSTAR series (CVE-2025-43875, CVE-2025-43876). Both are classified as CWE-78 and carry high severity (CVSS v3.1 8.8; CVSS v4 8.7), exploitable remotely with low complexity. Johnson Controls and CISA advise upgrading affected devices to the fixed firmware and applying network isolation and secure remote-access controls.

OpenPLC_V3 CSRF Vulnerability Allows Remote Changes

⚠️ OpenPLC_V3 contains a Cross-Site Request Forgery (CSRF) vulnerability that can be exploited remotely to modify PLC settings or upload malicious programs. Tracked as CVE-2025-13970, the issue affects versions prior to pull request #310 and results from missing CSRF validation. A CVSS v4 score of 7.0 (and v3 base 8.0) was calculated. Apply pull request #310 or later to mitigate this risk and limit network exposure of control devices.

CISA Adds GeoServer XXE (CVE-2025-58360) to KEV Catalog

🔔 CISA has added CVE-2025-58360 — an OSGeo GeoServer XML External Entity (XXE) vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The issue involves improper restriction of XML External Entity references, a common vector attackers use to access sensitive data or cause service disruption. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by required due dates; CISA also urges all organizations to prioritize timely patching, mitigations, and monitoring. CISA will continue updating the KEV Catalog as additional exploited CVEs meet its criteria.

CISA Releases 12 ICS Advisories Covering Multiple Vendors

🔔 CISA released 12 Industrial Control Systems (ICS) advisories detailing vulnerabilities and mitigation guidance across multiple vendors, including Johnson Controls, Siemens, and AzeoTech. The notices call out specific products such as iSTAR, SINEMA Remote Connect Server, and DAQFactory, plus open-source and medical-imaging components. Administrators and operators are encouraged to review the technical details and apply recommended mitigations to reduce exploitation risk.

Varex AJAT Panoramic Dental Imaging DLL Hijack Vulnerability

⚠️ CISA warns of a DLL hijacking (Uncontrolled Search Path Element, CWE-427) in AJAT Panoramic Dental Imaging Software from Varex Imaging (CVE-2024-22774). Versions prior to 6.6.1.490 may allow a local, low-complexity exploit that lets a standard user escalate to NT AUTHORITY\SYSTEM. Varex has released a patch; administrators should run AJAT_DENTAL_IMAGING_9.4.55.9888.exe on affected workstations and contact the vendor for assistance.

Unpatched Gogs Zero-Day Actively Exploited on 700+ Hosts

⚠️ A high-severity unpatched vulnerability in Gogs (tracked as CVE-2025-8110, CVSS 8.7) is under active exploitation, with Wiz reporting more than 700 compromised internet-facing instances. The flaw is a file-overwrite bug in the PutContents API that mishandles symbolic links, enabling attackers to overwrite arbitrary files and achieve local code execution. A vendor fix is reportedly in development; operators should disable open registration, limit exposure, and scan for randomly named repositories.

Hard-coded Gladinet Keys Enable Active Exploitation

🔐 Huntress warns that hard-coded cryptographic keys in Gladinet CentreStack and Triofox allow attackers to decrypt or forge access tickets, exposing sensitive files such as web.config. The flaw stems from a function that returns the same 100-byte strings to derive persistent keys, enabling indefinite reuse of crafted URLs to download server configuration. Organisations should update to version 16.12.10420.56791 and rotate machine keys immediately.