All news with #vulnerability disclosure tag

🔒 Governments in the UK and Portugal have introduced proposals and legislation to provide legal protection for computer security researchers, recognizing that outdated laws can deter responsible vulnerability testing. UK security minister Dan Jarvis proposed amending the 1990 Computer Misuse Act to create a statutory defense for good-faith research that meets defined safeguards. Portugal's new law similarly shields researchers who do not seek financial advantage and who respect data protection rules, aligning with measures already adopted in the Netherlands, France, and Belgium.

⚠️ Apache Tika maintainers warn that an XML External Entity (XXE) vulnerability originally disclosed in August (CVE-2025-54988) is broader than first reported and is now covered by a superset CVE (CVE-2025-66516). The issue affects tika-core, tika-parsers and the standalone tika-parser-pdf-module, and could allow attackers to read sensitive data or trigger requests to internal resources. Users are advised to upgrade to the patched releases or disable XML parsing via tika-config.xml to mitigate risk.

🔔 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2022-37055, a buffer overflow affecting D-Link routers, and CVE-2025-66644, an OS command injection in Array Networks ArrayOS AG. Both were included based on evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV entries by their due dates, and CISA urges all organizations to prioritize timely remediation and risk-reduction measures.

🔔 The UK National Cyber Security Centre (NCSC) is piloting Proactive Notifications, a service delivered via Netcraft that scans publicly available internet data to identify exposed software and missing security services. The NCSC will email affected organizations — messages originate from netcraft.com, contain no attachments, and do not request payments or personal data. The pilot covers UK domains and IPs on UK ASNs and focuses on notifying about specific CVEs and general weaknesses like weak encryption.

🔒 Cisco Talos disclosed an out‑of‑bounds read in PDF‑XChange Editor (CVE‑2025‑58113) and ten vulnerabilities affecting Socomec DIRIS Digiware M series and Easy Config. The issues range from information disclosure and authentication bypass to multiple denial‑of‑service and buffer overflow flaws. Vendors have released patches; administrators should apply updates and deploy Snort rules to detect exploitation.

🛡️ A critical remote code execution flaw, CVE-2025-55182 (React4Shell), was disclosed affecting React Server Components and multiple derivatives including Next.js, React Router RSC preview, and several bundler plugins. The bug arises from unsafe deserialization of Flight protocol payloads and permits unauthenticated HTTP requests to execute code on vulnerable servers. Immediate updating to the patched React and Next.js releases, plus deployment of WAF rules and access restrictions, is strongly recommended.

🚨 React and Next.js applications are affected by a maximum-severity deserialization vulnerability dubbed React2Shell, which enables unauthenticated remote code execution via the React Server Components (RSC) "Flight" protocol. Discovered by researcher Lachlan Davidson and reported on November 29, the flaw received a 10/10 severity rating and has been assigned CVE-2025-55182 for React (Next.js received CVE-2025-66478, later rejected by the NVD). Affected default packages include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, and researchers warn many deployments are exploitable without additional misconfiguration. Developers should apply the published patches and audit environments immediately.

⚠️ Advantech iView versions 5.7.05.7057 and earlier are affected by an SQL injection vulnerability in SNMP v1 trap handling (port 162) that can be exploited remotely with low attack complexity. CISA assigns CVE-2025-13373 with a CVSS v4 base score of 8.7 (and CVSS v3.1 7.5). Successful exploitation could disclose, modify, or delete data. Advantech recommends updating to iView v5.8.1; CISA advises network isolation, firewalls, and secure remote access.

⚠️ CISA warns of an authorization bypass (IDOR) in the SolisCloud Monitoring Platform affecting Cloud API and Device Control API v1 and v2. An authenticated user can access detailed plant data by manipulating the plant_id parameter, exposing sensitive information. The issue is tracked as CVE-2025-13932 with a CVSS v4 score of 8.3 and is remotely exploitable with low complexity. SolisCloud has not engaged with CISA; users should limit network exposure and follow CISA mitigation guidance.

🔒 Johnson Controls reported an improper validation of certificate expiration in iSTAR access control panels that can prevent devices from re-establishing communication when the default certificate expires. The flaw, tracked as CVE-2025-61736, carries a CVSS v4 base score of 7.1 and a CVSS v3.1 score of 6.5. Affected units are those running versions prior to TLS 1.2. Recommended mitigations include deploying host-based certificates, migrating clusters to TLS 1.3 (requires firmware/C•CURE updates), or upgrading legacy panels to G2 hardware.

🔒 CISA warns of two critical vulnerabilities in Sunbird DCIM dcTrack and Power IQ appliances that could enable unauthorized access or credential theft. One is an authentication bypass via alternate remote-access channels (CVE-2025-66238); the other involves hard‑coded/default credentials (CVE-2025-66237) with a CVSS v4 high score of 8.4. Sunbird has released fixes (dcTrack 9.2.3, Power IQ 9.2.1); until systems are updated, CISA recommends restricting SSH and nonessential ports, changing deployment passwords, isolating control networks behind firewalls, and using secure VPNs for remote access.

🚨 A weak password recovery mechanism in MAXHUB Pivot client allows remote attackers to request password resets and potentially take over accounts. MAXHUB reports all Pivot client versions prior to v1.36.2 are affected and has released v1.36.2 to address the issue. CISA assigned CVE-2025-53704 and rates the flaw high severity (CVSS v4 8.7) with low attack complexity. Administrators should apply the update and follow recommended network-segmentation and access controls to reduce exposure.

🔒 CISA warns that Mitsubishi Electric GX Works2 contains a cleartext storage vulnerability (CVE-2025-3784) that can expose credentials stored in project files. The issue affects all versions and may allow a local attacker with file access to open password-protected projects and read or modify project data. A vendor fix is under development; organizations should restrict access, block untrusted remote logins, and follow the mitigations recommended by Mitsubishi Electric and CISA.

🔒 Johnson Controls reported a Direct Request (Forced Browsing) vulnerability (CVE-2025-26381) in the OpenBlue Mobile Web Application for OpenBlue Workplace. Versions 2025.1.2 and earlier may allow remote attackers to gain unauthorized access to sensitive information; CISA cites a CVSS v3.1 score of 9.3 and a CVSS v4 score of 6.5. Johnson Controls recommends upgrading to patch level 2025.1.3 when available; until then, administrators should disable the mobile app in IIS or use the primary Workplace web interface as a mitigation.

🔔 On December 4, 2025, CISA published nine Industrial Control Systems advisories addressing vulnerabilities in products from Mitsubishi Electric, MAXHUB, Johnson Controls, Sunbird, SolisCloud, and Advantech. The release also includes updated advisories for Consilium Safety CS5000 and Johnson Controls FX families. Each advisory provides technical details, affected versions, and recommended mitigations. Administrators are encouraged to review the advisories and apply vendor guidance promptly.

🚨 CISA added CVE-2021-26828 — an OpenPLC ScadaBR unrestricted file upload vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The flaw allows dangerous file types to be uploaded, a frequent attack vector that poses significant risks to federal networks. Under BOD 22-01 federal agencies must remediate cataloged CVEs by required dates; CISA also urges all organizations to prioritize remediation.

⚠️ Picklescan, a Python pickle scanner, has three critical flaws that can be abused to execute arbitrary code when loading untrusted PyTorch models. Discovered by JFrog researchers, the issues — a file-extension bypass (CVE-2025-10155), a ZIP CRC bypass (CVE-2025-10156) and an unsafe-globals bypass (CVE-2025-10157) — let attackers present malicious models as safe. The vulnerabilities were responsibly disclosed on June 29, 2025 and fixed in Picklescan 0.0.31 on September 9; users should upgrade and review model-loading practices and downstream automation that accepts third-party models.

⚠️ Researchers identified a malicious Rust crate, evm-units, on crates.io that targeted developer machines running Windows, macOS, and Linux by posing as an Ethereum Virtual Machine helper. Uploaded in mid‑April 2025 and downloaded thousands of times, the package fetched OS-specific payloads from download.videotalks[.]xyz, wrote them to temporary directories, and executed them silently. A related package, uniswap-utils, included evm-units as a dependency, widening exposure; both packages have been removed and indicators released to help defenders.

🛡️ CISA released five Industrial Control Systems (ICS) advisories detailing vulnerabilities, impacts, and recommended mitigations for affected products. Affected vendors include Industrial Video & Control (Longwatch), Iskra (iHUB/iHUB Lite), Mirion Medical (EC2 NMIS BioDose), and two updates for Mitsubishi Electric products. Administrators and operators are urged to review the advisories and apply recommended mitigations promptly to reduce operational and safety risks.

⚠️ CISA has added an actively exploited cross-site scripting flaw, CVE-2021-26829, to its Known Exploited Vulnerabilities catalog after reports of operational abuse against OpenPLC ScadaBR. The XSS affects Windows 1.12.4 and Linux 0.9.1 via system_settings.shtm and was used to deface HMI pages and disable logs. Federal civilian agencies must remediate by December 19, 2025; operators should apply vendor fixes, change default credentials, enable logging and monitor for web-layer manipulation and outbound callbacks.