All news with #vulnerability disclosure tag

⚠️ Fuji Electric's FRENIC-Loader 4 (versions prior to 1.4.0.1) contains a deserialization of untrusted data vulnerability (CVE-2025-9365) that can allow arbitrary code execution when a crafted file is imported. CISA assigns a CVSS v4 base score of 8.4 and reports the issue has low attack complexity but is not remotely exploitable. Researcher kimiya, working with Trend Micro ZDI, reported the flaw. Fuji Electric advises updating to v1.4.0.1 and CISA recommends network segmentation, minimizing exposure, using up-to-date VPNs, and performing impact analysis.

⚠️ CISA added two vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog: CVE-2020-24363 affecting the TP-Link TL-WA855RE (missing authentication for a critical function) and CVE-2025-55177 affecting Meta Platforms' WhatsApp (incorrect authorization). These entries reflect evidence of active exploitation and significant risk to federal networks. Under BOD 22-01, FCEB agencies must remediate listed KEVs by the specified due dates. CISA urges all organizations to prioritize timely remediation.

🛡️ CISA released four Industrial Control Systems (ICS) advisories on September 2, 2025, detailing vulnerabilities and recommended mitigations for Delta Electronics EIP Builder, Fuji Electric FRENIC-Loader 4, SunPower PVS6, and an update to Hitachi Energy Relion 670/650 and SAM600-IO Series. Each advisory includes technical analysis, affected versions, and practical guidance to reduce exploitation risk. Administrators and asset owners are urged to review the notices, prioritize affected systems, and apply vendor-recommended mitigations promptly.

🔒 CISA warns of a high-severity vulnerability in SunPower PVS6 inverters (CVE-2025-9696) caused by hard-coded credentials in the Bluetooth Low Energy (BLE) interface. An attacker within Bluetooth range can exploit published protocol details and fixed encryption parameters to gain full device access, and CISA reports a CVSS v4 base score of 9.4. Successful exploitation could allow firmware replacement, disabling power production, modifying grid or firewall settings, creating SSH tunnels, and manipulating attached devices. SunPower did not respond to coordination; CISA advises minimizing network exposure, isolating control systems, using secure remote access methods such as up-to-date VPNs, and applying targeted intrusion detection and ICS best practices.

🔒 Delta Electronics' EIP Builder (versions 1.11 and earlier) contains an XML External Entity (XXE, CWE-611) vulnerability tracked as CVE-2025-57704 with a CVSS v4 base score of 6.7 and low attack complexity. The flaw can allow processing of malicious external entities and potential disclosure of sensitive information; exploitation requires local access and user interaction. Delta has released v1.12 to address the issue, and CISA recommends applying the update and following ICS defensive practices.

🔍 The NCSC and the AI Security Institute have broadly welcomed public, bug-bounty style disclosure programs to help identify and remediate AI safeguard bypass threats. They said initiatives from vendors such as OpenAI and Anthropic could mirror traditional vulnerability disclosure to encourage responsible reporting and cross-industry collaboration. The agencies cautioned that programs require clear scope, strong foundational security, prior internal reviews and sufficient triage resources, and that disclosure alone will not guarantee model safety.

🔒 A critical unauthenticated SQL injection vulnerability (CVE-2025-49870) was discovered in the WordPress Paid Memberships Subscriptions plugin affecting versions up to 2.15.1, used by over 10,000 sites. Patchstack Alliance researcher ChuongVN reported the flaw, which stems from unsafe handling of PayPal IPN payment IDs. The vendor released 2.15.2 to enforce numeric validation of payment IDs, adopt prepared statements and strengthen input handling; administrators should update immediately.

📣 BlueHat Asia 2025, hosted by the Microsoft Security Response Center (MSRC), will take place in Bengaluru, India on November 5–6, 2025. The Call for Papers is open through September 14, 2025, and submissions require only a talk title and a sufficiently detailed abstract—no formal paper is necessary. Speakers are invited to present practical research and lessons across topics such as vulnerability discovery and mitigation, exploit development and detection, securing AI and machine learning, IoT/OT and critical infrastructure security, DFIR, social engineering, malware, and reverse engineering. If you’ve reported a case to MSRC, consider presenting once at least 30 days have passed since the fix was published and impacted customers were notified.

📢 BlueHat Asia 2025 in Bengaluru is now accepting talk submissions through September 5, 2025. Hosted by the Microsoft Security Response Center (MSRC), the two-day event on November 5–6 invites security researchers and responders of all experience levels to present findings, lessons learned, and industry guidance. Topics of interest include vulnerability discovery and mitigation, exploit development and detection, AI/ML security, IoT/OT and critical infrastructure protection, DFIR, social engineering, and reverse engineering. Submissions require a title and a sufficiently detailed abstract; a full academic paper is not necessary, and MSRC cases may be presented only after at least 30 days have passed since the associated fix was published. To explore co-presentation or partnership opportunities, contact bluehat@microsoft.com.

🔒 Microsoft has restricted distribution of proof-of-concept exploit code to MAPP participants in countries where firms must report vulnerabilities to their governments, including China. Affected companies will receive a more general written description issued at the same time as patches rather than PoC code, Microsoft said. The change follows the late-July SharePoint zero-day attacks and concerns about a possible leak from the early-bug-notification program.

🔬 Google researchers demonstrated practical improvements to the Retbleed speculative-execution attack, showing that on AMD Zen 2 CPUs attackers can read arbitrary RAM at roughly 13 KB/s with perfect cache-extraction accuracy. They adapted a modified Speculative ROP technique to evade Spectre v2 mitigations and showed ways to bypass Linux kernel defenses. The exploit still requires prior knowledge of kernel configuration, but common default builds and probing reduce that hurdle, and Google has already restricted Zen 2 in certain cloud workloads.

⚠️ The Siemens Mendix SAML module contains an improper verification of cryptographic signature that can be exploited remotely and has been assigned CVE-2025-40758 with a CVSS v3.1 base score of 8.7. Affected versions prior to V3.6.21, V4.0.3, and V4.1.2 (depending on Mendix compatibility) may allow unauthenticated attackers to hijack accounts in specific SSO configurations. Siemens recommends updating to the fixed versions, enabling UseEncryption, and reducing network exposure using firewalls and secure VPNs.

🔒 Siemens has disclosed a Least Privilege Violation in the Wibu CodeMeter runtime that affects the Desigo CC product family and SENTRON Powermanager series. The issue (CVE-2025-47809) can allow local privilege escalation immediately after installation if the CodeMeter Control Center is present and not restarted. A CVSS v3.1 base score of 8.2 has been assigned. Siemens and WIBU recommend updating to CodeMeter v8.30a and restarting systems; CISA advises network segmentation and minimizing exposure.

🔒 Researchers have identified a chain of four Bluetooth vulnerabilities collectively named PerfektBlue in the OpenSynergy Blue SDK, used in millions of vehicles. An attacker that pairs via Bluetooth can exploit AVRCP flaws to execute code on the head unit and inherit its Bluetooth privileges, potentially accessing microphones, location data, and personal information. Vehicle owners should update head-unit firmware when patches are available and disable Bluetooth when not in use.

⚠️ Microsoft released its August 2025 Patch Tuesday updates addressing 111 vulnerabilities, including 13 marked critical. The fixes span remote code execution, elevation-of-privilege and information-disclosure flaws across Windows, Hyper-V, Microsoft Office, GDI+ and cloud services. Microsoft reports no observed in-the-wild exploitation but notes several issues where exploitation is assessed as “more likely.” Talos is issuing Snort detection rules and urges administrators to apply vendor updates and intrusion-detection signatures promptly.

🛡️ Microsoft’s August 2025 Patch Tuesday addresses 107 CVEs, including one publicly disclosed Windows Kerberos zero‑day (CVE-2025-53779) and 13 Critical flaws. Notable fixes cover high‑severity RCEs in the Windows Graphics Component and GDI+ and an NTLM elevation‑of‑privilege issue. Microsoft has released patches; organizations should apply updates promptly and use Falcon Exposure Management to prioritize and visualize exposure.

🔒 Microsoft has expanded the .NET Bounty Program, increasing maximum awards to $40,000 and broadening coverage to include all supported .NET and ASP.NET versions, adjacent technologies like F#, templates, and GitHub Actions. The program simplifies award tiers, aligns impact categories with other Microsoft bounty programs, and defines report quality as complete (working exploit) or not complete, encouraging detailed, actionable submissions.

🛡️ Microsoft has updated the .NET Bounty Program, expanding scope and increasing maximum payouts to $40,000 for high-impact vulnerabilities. The program now covers all supported versions of .NET and ASP.NET (including Blazor and F#), repository templates, and GitHub Actions in .NET repositories. Awards are now tied to explicit severity and report quality criteria, with higher payments for complete, exploit-backed reports.

🏆 The Microsoft Security Response Center (MSRC) announced its 2025 Most Valuable Researchers (MVRs), recognizing security researchers who submitted valid vulnerability reports under Coordinated Vulnerability Disclosure. The Top 10 MVRs were ranked by total points earned for valid reports submitted between July 1, 2024 and June 30, 2025, and MSRC also highlights annual Technical Leaderboards by product area such as Azure, Office, Windows, and Dynamics 365. Awardees receive digital badges and MSRC swag boxes, and badges recognize achievements for Accuracy, Impact, and Volume.

🏆 Congratulations to the researchers recognized on the MSRC 2025 Q2 Leaderboard. The top three overall are wkai, Brad Schlintz (nmdhkr), and 0x140ce, with category leaders across Azure, Office, Windows, and Dynamics. The leaderboard reflects assessments completed April 1–June 30, 2025, and includes cases submitted earlier but assessed in Q2. MSRC also notes that Researcher Recognition points are now visible in the researcher portal to improve transparency.