All news with #vulnerability disclosure tag

🔔 Amazon RDS Custom for SQL Server now supports the latest Microsoft GDR updates, including SQL Server 2019 CU32 (KB5063757) — RDS version 15.00.4440.1.v1 — and SQL Server 2022 CU20 (KB5063814) — RDS version 16.00.4210.1.v1. These GDRs remediate multiple vulnerabilities (CVE-2025-49758, CVE-2025-24999, CVE-2025-49759, CVE-2025-53727, CVE-2025-47954). We recommend upgrading instances via the Amazon RDS Management Console or programmatically with the AWS SDK/CLI, and following the Amazon RDS Custom User Guide for detailed upgrade instructions.

📰 This week’s Threat Source newsletter highlights three significant vulnerabilities Talos researchers uncovered and helped remediate: a Dell firmware persistence flaw (Revault), an Office for macOS permissions bypass, and router compromises that blend malicious traffic with legitimate ISP flows. The author, William Largent, also emphasizes mental health and recommends a paper on AI behavioral pathologies to help anticipate malicious or errant AI-driven activity. Top headlines include a 4.4M-record TransUnion breach, a Salesloft Drift AI token compromise, a Passwordstate high-severity fix, an Azure AD credential leak, and a WhatsApp zero-day. Watch the Talos Threat Perspective episode and read the Dell write-up for mitigation guidance.

🔒 Researchers demonstrated SNI5GECT, an over‑the‑air injection attack targeting unencrypted initial exchanges in 5G that can crash device modems or force a fallback to 4G. By observing the plain‑text handshake and injecting a crafted information block at precise timing, an attacker within roughly 20 meters can trigger a reboot or downgrade. The technique enabled 4G‑based tracking and spoofing on multiple handsets across different modem vendors, and arises from protocol characteristics rather than a single vendor implementation.

⚠️ Honeywell's OneWireless Wireless Device Manager (WDM) contains multiple high‑severity vulnerabilities in the Control Data Access (CDA) component — including buffer overread, sensitive resource reuse, integer underflow, and wrong handler deployment (CVE‑2025‑2521, CVE‑2025‑2522, CVE‑2025‑2523, CVE‑2025‑3946). These issues can enable information disclosure, denial of service, or remote code execution. Honeywell advises updating affected WDM releases to R322.5 or R331.1; CISA recommends minimizing network exposure and isolating control networks to reduce exploitation risk.

🔔 CISA has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-38352 (Linux kernel TOCTOU race condition), CVE-2025-48543 (Android Runtime unspecified vulnerability), and CVE-2025-53690 (Sitecore multiple-products deserialization). Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by the required due dates. Although the directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation, patching, and vulnerability management to reduce exposure to active exploitation.

🔔 CISA has added two TP-Link router vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after observing in-the-wild exploitation activity. The flaws—CVE-2023-50224 (CVSS 6.5), an authentication bypass via spoofing in the httpd service exposing stored credentials at /tmp/dropbear/dropbearpwd, and CVE-2025-9377 (CVSS 8.6), an OS command injection enabling remote code execution—affect multiple TL-WR841 and Archer C7 models. TP-Link says several affected models are End-of-Life, released firmware updates in November 2024, and recommends upgrading hardware; CISA urges federal agencies to apply mitigations by September 24, 2025.

⚠️ Check Point warns that Hexstrike-AI, an agentic AI orchestration platform integrating more than 150 offensive tools, is being abused by threat actors to accelerate vulnerability discovery and exploitation. The system abstracts vague commands into precise, sequenced technical steps, automating reconnaissance, exploit crafting, payload delivery and persistence. Check Point observed dark‑web discussions showing the tool used to weaponize recent Citrix NetScaler zero-days, including CVE-2025-7775, and cautions that tasks which once took weeks can now be completed in minutes. Organizations are urged to patch immediately, harden systems and adopt adaptive, AI-enabled detection and response measures.

🛡️ MSRC reports that Cross-Site Scripting (XSS) remains a persistent threat across legacy portals and modern single-page applications, with hundreds of cases triaged in the past year. Between July 2024 and July 2025, MSRC mitigated over 970 XSS cases and awarded more than $900,000 in bounties, spanning low-impact self-XSS to zero-click critical exploits. The post describes MSRC’s severity matrix that combines data classification and exploit conditions, outlines servicing scope and exclusion criteria, and publishes a practical submission checklist. Developers and researchers are encouraged to adopt context-aware encoding, Content Security Policy (CSP), and secure-by-default frameworks to reduce exposure.

🔒 Mandiant and Sitecore investigated an active ViewState deserialization exploit that allowed remote code execution on internet-facing Sitecore instances that used publicly exposed sample ASP.NET machine keys. Tracked as CVE-2025-53690, the vulnerability enabled attackers to craft malicious __VIEWSTATE payloads, deploy a reconnaissance backdoor (WEEPSTEEL), and stage tunneling and remote access tooling. Sitecore has updated deployments to auto-generate unique machine keys and notified affected customers; Mandiant recommends rotating keys, enabling ViewState MAC, and encrypting secrets in web.config to mitigate similar attacks.

🔒 Delta Electronics' EIP Builder (versions 1.11 and earlier) contains an XML External Entity (XXE, CWE-611) vulnerability tracked as CVE-2025-57704 with a CVSS v4 base score of 6.7 and low attack complexity. The flaw can allow processing of malicious external entities and potential disclosure of sensitive information; exploitation requires local access and user interaction. Delta has released v1.12 to address the issue, and CISA recommends applying the update and following ICS defensive practices.

⚠️ Fuji Electric's FRENIC-Loader 4 (versions prior to 1.4.0.1) contains a deserialization of untrusted data vulnerability (CVE-2025-9365) that can allow arbitrary code execution when a crafted file is imported. CISA assigns a CVSS v4 base score of 8.4 and reports the issue has low attack complexity but is not remotely exploitable. Researcher kimiya, working with Trend Micro ZDI, reported the flaw. Fuji Electric advises updating to v1.4.0.1 and CISA recommends network segmentation, minimizing exposure, using up-to-date VPNs, and performing impact analysis.

⚠️ CISA added two vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog: CVE-2020-24363 affecting the TP-Link TL-WA855RE (missing authentication for a critical function) and CVE-2025-55177 affecting Meta Platforms' WhatsApp (incorrect authorization). These entries reflect evidence of active exploitation and significant risk to federal networks. Under BOD 22-01, FCEB agencies must remediate listed KEVs by the specified due dates. CISA urges all organizations to prioritize timely remediation.

🛡️ CISA released four Industrial Control Systems (ICS) advisories on September 2, 2025, detailing vulnerabilities and recommended mitigations for Delta Electronics EIP Builder, Fuji Electric FRENIC-Loader 4, SunPower PVS6, and an update to Hitachi Energy Relion 670/650 and SAM600-IO Series. Each advisory includes technical analysis, affected versions, and practical guidance to reduce exploitation risk. Administrators and asset owners are urged to review the notices, prioritize affected systems, and apply vendor-recommended mitigations promptly.

🔒 CISA warns of a high-severity vulnerability in SunPower PVS6 inverters (CVE-2025-9696) caused by hard-coded credentials in the Bluetooth Low Energy (BLE) interface. An attacker within Bluetooth range can exploit published protocol details and fixed encryption parameters to gain full device access, and CISA reports a CVSS v4 base score of 9.4. Successful exploitation could allow firmware replacement, disabling power production, modifying grid or firewall settings, creating SSH tunnels, and manipulating attached devices. SunPower did not respond to coordination; CISA advises minimizing network exposure, isolating control systems, using secure remote access methods such as up-to-date VPNs, and applying targeted intrusion detection and ICS best practices.

🔍 The NCSC and the AI Security Institute have broadly welcomed public, bug-bounty style disclosure programs to help identify and remediate AI safeguard bypass threats. They said initiatives from vendors such as OpenAI and Anthropic could mirror traditional vulnerability disclosure to encourage responsible reporting and cross-industry collaboration. The agencies cautioned that programs require clear scope, strong foundational security, prior internal reviews and sufficient triage resources, and that disclosure alone will not guarantee model safety.

🔒 A critical unauthenticated SQL injection vulnerability (CVE-2025-49870) was discovered in the WordPress Paid Memberships Subscriptions plugin affecting versions up to 2.15.1, used by over 10,000 sites. Patchstack Alliance researcher ChuongVN reported the flaw, which stems from unsafe handling of PayPal IPN payment IDs. The vendor released 2.15.2 to enforce numeric validation of payment IDs, adopt prepared statements and strengthen input handling; administrators should update immediately.

📢 BlueHat Asia 2025 in Bengaluru is now accepting talk submissions through September 5, 2025. Hosted by the Microsoft Security Response Center (MSRC), the two-day event on November 5–6 invites security researchers and responders of all experience levels to present findings, lessons learned, and industry guidance. Topics of interest include vulnerability discovery and mitigation, exploit development and detection, AI/ML security, IoT/OT and critical infrastructure protection, DFIR, social engineering, and reverse engineering. Submissions require a title and a sufficiently detailed abstract; a full academic paper is not necessary, and MSRC cases may be presented only after at least 30 days have passed since the associated fix was published. To explore co-presentation or partnership opportunities, contact bluehat@microsoft.com.

📣 BlueHat Asia 2025, hosted by the Microsoft Security Response Center (MSRC), will take place in Bengaluru, India on November 5–6, 2025. The Call for Papers is open through September 14, 2025, and submissions require only a talk title and a sufficiently detailed abstract—no formal paper is necessary. Speakers are invited to present practical research and lessons across topics such as vulnerability discovery and mitigation, exploit development and detection, securing AI and machine learning, IoT/OT and critical infrastructure security, DFIR, social engineering, malware, and reverse engineering. If you’ve reported a case to MSRC, consider presenting once at least 30 days have passed since the fix was published and impacted customers were notified.

🔒 Microsoft has restricted distribution of proof-of-concept exploit code to MAPP participants in countries where firms must report vulnerabilities to their governments, including China. Affected companies will receive a more general written description issued at the same time as patches rather than PoC code, Microsoft said. The change follows the late-July SharePoint zero-day attacks and concerns about a possible leak from the early-bug-notification program.

🔬 Google researchers demonstrated practical improvements to the Retbleed speculative-execution attack, showing that on AMD Zen 2 CPUs attackers can read arbitrary RAM at roughly 13 KB/s with perfect cache-extraction accuracy. They adapted a modified Speculative ROP technique to evade Spectre v2 mitigations and showed ways to bypass Linux kernel defenses. The exploit still requires prior knowledge of kernel configuration, but common default builds and probing reduce that hurdle, and Google has already restricted Zen 2 in certain cloud workloads.