< ciso
brief />
Tag Banner

All news with #vulnerability disclosure tag

573 articles · page 27 of 29

New Supermicro BMC Flaws Expose Firmware Validation

🔒 Researchers have published details of two high-severity vulnerabilities in Supermicro BMC firmware — CVE-2025-7937 and CVE-2025-6198 — each rated CVSS 7.2. Both flaws weaken firmware validation and the implementation of the Root of Trust, allowing an attacker with administrative access to install or manipulate signed firmware and gain persistent, low-level control of affected servers. Binarly found one issue while testing Supermicro’s January patch for a related flaw and advises prompt patching, strict firmware integrity checks, and enabling hardware RoT where available to mitigate risk.
read more →

Critical ForcedLeak Flaw Exposed in Salesforce AgentForce

⚠️ Researchers at Noma Security disclosed a critical 9.4-severity vulnerability called ForcedLeak that affected Salesforce's AI agent platform AgentForce. The chain used indirect prompt injection via Web-to-Lead form fields to hide malicious instructions within CRM data, enabling potential theft of contact records and pipeline details. Salesforce has patched the issue by enforcing Trusted URLs and reclaiming an expired domain used in the attack proof-of-concept. Organizations are advised to apply updates, audit lead data for suspicious entries, and strengthen real-time prompt-injection detection and tool-calling guardrails.
read more →

New Supermicro BMC Flaws Enable Persistent Backdoors

🔐 Researchers from Binarly disclosed multiple firmware vulnerabilities in Supermicro Baseboard Management Controllers (BMCs) that allow attackers to load unofficial images and install persistent backdoors. A bypass for a previously patched issue (CVE-2024-10237) and a new flaw (CVE-2025-6198) let adversaries manipulate signed regions so digests and signatures still validate. A related confirmed issue is tracked as CVE-2025-7937. Supermicro has released firmware updates; administrators must identify affected models and apply fixes promptly.
read more →

Unpatched OnePlus flaw exposes SMS data to rogue apps

🔒 Rapid7 disclosed an unpatched vulnerability in OnePlus's OxygenOS (CVE-2025-10184) that allows any installed app to access SMS content and metadata without SMS permissions. The fault arises from modified Telephony content providers whose manifests omit a required write permission and accept unsanitized input. By abusing a blind SQL-injection vector an attacker can infer SMS text one character at a time. OnePlus has acknowledged the report and is investigating; users should minimize installed apps and avoid SMS-based 2FA.
read more →

Two critical Wondershare RepairIt flaws risk data and AI

⚠️ Trend Micro disclosed two critical authentication-bypass vulnerabilities in Wondershare RepairIt that exposed private user files, AI models, and build artifacts due to embedded overly permissive cloud tokens and unencrypted storage. The flaws, tracked as CVE-2025-10643 (CVSS 9.1) and CVE-2025-10644 (CVSS 9.4), allow attackers to circumvent authentication and potentially execute arbitrary code via supply-chain tampering. Trend Micro reported the issues through ZDI in April 2025 and warns users to restrict interaction with the product until a vendor fix is issued.
read more →

Lovense app flaws let attackers deanonymize, hijack

🔒 Researchers disclosed two critical vulnerabilities in Lovense remote-control software that exposed real user email addresses and allowed attackers to generate authentication tokens using only an email, without passwords. Combined, these flaws enabled account takeover across multiple products including Lovense Remote, Lovense Connect and streaming extensions. Reported in spring 2025, fixes were delayed and fully applied only after public disclosure; users should consider separate emails and strong, unique passwords.
read more →

Two Supermicro BMC Flaws Allow Firmware RoT Bypass

🔒 Cybersecurity researchers disclosed two medium-severity vulnerabilities in Supermicro Baseboard Management Controller (BMC) firmware that allow crafted images to bypass signature verification and install malicious firmware. The issues, tracked as CVE-2025-7937 (CVSS 6.6) and CVE-2025-6198 (CVSS 6.4), exploit manipulation of embedded validation tables — fwmap and sig_table — to trick the verification logic into accepting unsigned regions. Binarly reported the findings, detailed how the auth_bmc_sig flow on an X13SEM-F board can be subverted, and recommends rotating signing keys, hardening validation logic, and applying vendor firmware updates promptly.
read more →

CISA Issues Six New Industrial Control Systems Advisories

🔔 CISA released six Industrial Control Systems (ICS) advisories on September 23, 2025, providing timely information on security issues, vulnerabilities, and potential exploits across multiple product families. The advisories cover AutomationDirect CLICK PLUS, Mitsubishi Electric MELSEC‑Q Series CPU Module, Schneider Electric SESU, Viessmann Vitogate 300, and two updates for Hitachi Energy RTU500 Series. Users and administrators are urged to review each advisory for technical details and apply recommended mitigations promptly.
read more →

Viessmann Vitogate 300: OS Command Injection Risks

🚨 CISA published an advisory on September 23, 2025, describing high‑severity vulnerabilities in Viessmann's Vitogate 300 gateway. The advisory identifies an OS command injection (CWE‑78, CVE‑2025‑9494) and a client‑side enforcement bypass (CWE‑602, CVE‑2025‑9495) that can enable command modification or unexpected client–server interactions. A CVSS v4 base score of 8.7 is reported overall, and affected devices running versions prior to 3.1.0.1 should be upgraded. CISA notes these issues are not remotely exploitable and recommends updating to 3.1.0.1 and implementing network hardening controls.
read more →

Mitsubishi MELSEC-Q CPU Module Denial-of-Service Risk

⚠️ CISA advises that a denial-of-service vulnerability (CVE-2025-8531) affects Mitsubishi Electric MELSEC-Q Series CPU modules when the user authentication function is enabled, due to improper handling of a length parameter (CWE-130). The issue has a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H) and is exploitable remotely but characterized by high attack complexity. Mitsubishi has identified fixed units with serial ranges beginning '27082' or later and recommends migrating to the successor MELSEC iQ-R Series where updates are unavailable; organizations should apply network-access restrictions and defense-in-depth mitigations.
read more →

Schneider Electric SESU Link-Following Flaw CVE-2025-5296

⚠ Schneider Electric has released an update addressing a link‑following vulnerability (CVE‑2025‑5296) in SESU that could allow an authenticated, low‑privileged actor to write arbitrary data to protected locations. The issue, rated CVSS v3.1 base score 7.3, affects SESU versions prior to 3.0.12 and numerous Schneider Electric products that bundle SESU. Version 3.0.12 contains the fix; apply the update or restrict access to the installation directory and follow CISA mitigation guidance.
read more →

AAPB Fixes IDOR Bug That Exposed Restricted Media Files

🔒 A vulnerability in the American Archive of Public Broadcasting allowed protected and private media to be downloaded for years by abusing an IDOR flaw. A simple Tampermonkey script could alter media ID parameters in background fetch/XHR calls and bypass access controls, returning content instead of a '403 Forbidden'. The issue was reported to AAPB, confirmed by a spokesperson, and patched within 48 hours, but the full scope of prior access remains unknown.
read more →

Critical Code-Execution CVEs Found in Chaos-Mesh Platform

⚠️ JFrog Security Research disclosed multiple CVEs in Chaos-Mesh, including three critical flaws that permit in-cluster attackers to execute arbitrary code on any pod. The Chaos Controller Manager exposes an unauthenticated ClusterIP GraphQL /query endpoint on port 10082 by default, enabling mutations such as killProcesses and cleanTcs. The critical issues (CVSS 9.8) arise from unsafe command construction in resolvers and an ExecBypass routine that allows OS command injection. Operators should upgrade to Chaos-Mesh 2.7.3 immediately; as a temporary mitigation redeploy the Helm chart with the control server disabled.
read more →

Vulnerabilities Found in Securam Prologic Electronic Safes

🔓 Two security researchers, Omo and Rowley, disclosed critical vulnerabilities in Securam Prologic electronic safe locks that can be abused to open many devices without specialized tools. One flaw exploits a legitimate locksmith unlock feature and, according to the researchers, can expose codes remotely or with trivial access. The pair delayed public disclosure after receiving legal threats from Securam and only proceeded after securing pro bono counsel from the EFF’s Coders’ Rights Project. Securam says it will update its locks by year’s end but will not patch units already sold.
read more →

Schneider Electric Altivar and ATVdPAC XSS Vulnerability

⚠️ Schneider Electric disclosed a cross-site scripting flaw (CWE-79) affecting numerous Altivar drives, the ATVdPAC communication module, and the ILC992 InterLink Converter. Tracked as CVE-2025-7746, the issue is remotely exploitable with low attack complexity and can allow an attacker to read or modify data via device web interfaces. Schneider has released a fix for the ATVdPAC (Version 25.0) and recommends disabling webservers when not needed, segmenting networks, blocking HTTP/port 80 access, and using VPNs until further patches are provided.
read more →

Cursor Code Editor Flaw Enables Silent Code Execution

⚠ Cursor, an AI-powered fork of Visual Studio Code, ships with Workspace Trust disabled by default, enabling VS Code-style tasks configured with runOptions.runOn: 'folderOpen' to auto-execute when a folder is opened. Oasis Security showed a malicious .vscode/tasks.json can convert a casual repository browse into silent arbitrary code execution with the user's privileges. Users should enable Workspace Trust, audit untrusted projects, or open suspicious repos in other editors to mitigate risk.
read more →

CISA Adds One Vulnerability to KEV Catalog (2025-09-11)

🔔 CISA added CVE-2025-5086 — a Dassault Systèmes DELMIA Apriso deserialization of untrusted data vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog on September 11, 2025, based on evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed issues by required due dates. CISA urges all organizations to prioritize timely remediation as part of vulnerability management and will continue updating the catalog with vulnerabilities that meet its criteria.
read more →

CISA Leads CVE Program: Mandate, Mission, Momentum

🔒CISA reaffirms federal leadership of the CVE Program, arguing that a neutral, government steward is essential to preserve trust and national security. The agency ties the program to operational initiatives such as the Known Exploited Vulnerabilities (KEV) Catalog and warns that privatization or fragmentation would erode reliability and increase risk. CISA outlines a shift from a 'Growth Era' to a 'Quality Era' focused on improving completeness, accuracy, timeliness, governance, and sustainable infrastructure, and invites practitioners, industry, and international partners to help shape the program's future.
read more →

Amazon RDS Adds Latest Microsoft SQL Server GDR Updates

🔒 Amazon Relational Database Service (RDS) for Microsoft SQL Server now supports the latest General Distribution Release (GDR) updates for SQL Server 2016 SP3, 2017 CU31, 2019 CU32, and 2022 CU20. The supported RDS engine versions map to KB5063762, KB5063759, KB5063757, and KB5063814 respectively. These GDRs address vulnerabilities tracked as CVE-2025-49758, CVE-2025-24999, CVE-2025-49759, CVE-2025-53727, and CVE-2025-47954. We recommend that customers upgrade their RDS instances via the RDS Management Console, AWS SDK, or AWS CLI and follow the RDS SQL Server upgrade guidance.
read more →

CISA Orders Immediate Patch for Critical Sitecore Flaw

🔒 CISA has ordered immediate patching of a critical deserialization vulnerability in Sitecore (CVE-2025-53690), rated 9.0, after active exploitation was observed. The flaw arises from exposed ASP.NET machine keys—some copied from older deployment guides—and allows ViewState deserialization that leads to remote code execution. Agencies must rotate machine keys, harden configurations, and scan for compromise indicators by September 25, 2025, to mitigate further intrusions.
read more →