Security Update – Microsoft Windows
Vulnerability: Heap-based Buffer Overflow – SPNEGO Extended Negotiation
CVE: CVE-2025-47981
Severity: 9.8 (Critical)
Summary:
A heap-based buffer overflow vulnerability exists in the SPNEGO Extended Negotiation component of Microsoft Windows.
An unauthenticated attacker can exploit this issue remotely over the network to execute arbitrary code. Successful exploitation could lead to full system compromise.
Affected Products:
Windows Server 2022 (< 10.0.20348.3932)
Windows Server 2022, 23H2 Edition (Server Core) (< 10.0.25398.1732)
Windows Server 2025 (< 10.0.26100.4652)
Windows Server 2025 (Server Core) (< 10.0.26100.4652)
Windows Server 2019 (< 10.0.17763.7558)
Windows Server 2019 (Server Core) (< 10.0.17763.7558)
Windows Server 2016 (< 10.0.14393.8246)
Windows Server 2016 (Server Core) (< 10.0.14393.8246)
Windows Server 2012 (< 6.2.9200.25573)
Windows Server 2012 (Server Core) (< 6.2.9200.25573)
Windows Server 2012 R2 (< 6.3.9600.22676)
Windows Server 2012 R2 (Server Core) (< 6.3.9600.22676)
Windows Server 2008 R2 SP1 (< 6.1.7601.27820)
Windows Server 2008 R2 SP1 (Server Core) (< 6.1.7601.27820)
Windows 11 24H2 (< 10.0.26100.4652)
Windows 11 23H2 (< 10.0.22631.5624)
Windows 11 22H3 (< 10.0.22631.5624)
Windows 11 22H2 (< 10.0.22621.5624)
Windows 10 22H2 (< 10.0.19045.6093)
Windows 10 21H2 (< 10.0.19044.6093)
Windows 10 1809 (< 10.0.17763.7558)
Windows 10 1607 (< 10.0.14393.8246)
Windows 10 1507 (< 10.0.10240.21073)
Not Affected:
None reported
Indicators of Compromise:
Exploitation may result in unexpected crashes of authentication-related services.
Potential anomalous Kerberos/SPNEGO negotiation failures observed in system logs.
Workaround:
No official workaround currently documented.
Mitigation / Recommendations:
Apply Microsoft’s security updates immediately.
Limit network exposure of vulnerable services to trusted systems until patched.
Monitor Windows Event Logs for abnormal authentication or negotiation errors.
References:
🔗 Microsoft Advisory – CVE-2025-47981
🔗 NVD Entry – CVE-2025-47981
🔗 Vicarius Detection Script
🔗 Vicarius Mitigation Script
#Microsoft #Windows #SPNEGO #BufferOverflow #Security
@newvulnerability
Vulnerability: Heap-based Buffer Overflow – SPNEGO Extended Negotiation
CVE: CVE-2025-47981
Severity: 9.8 (Critical)
Summary:
A heap-based buffer overflow vulnerability exists in the SPNEGO Extended Negotiation component of Microsoft Windows.
An unauthenticated attacker can exploit this issue remotely over the network to execute arbitrary code. Successful exploitation could lead to full system compromise.
Affected Products:
Windows Server 2022 (< 10.0.20348.3932)
Windows Server 2022, 23H2 Edition (Server Core) (< 10.0.25398.1732)
Windows Server 2025 (< 10.0.26100.4652)
Windows Server 2025 (Server Core) (< 10.0.26100.4652)
Windows Server 2019 (< 10.0.17763.7558)
Windows Server 2019 (Server Core) (< 10.0.17763.7558)
Windows Server 2016 (< 10.0.14393.8246)
Windows Server 2016 (Server Core) (< 10.0.14393.8246)
Windows Server 2012 (< 6.2.9200.25573)
Windows Server 2012 (Server Core) (< 6.2.9200.25573)
Windows Server 2012 R2 (< 6.3.9600.22676)
Windows Server 2012 R2 (Server Core) (< 6.3.9600.22676)
Windows Server 2008 R2 SP1 (< 6.1.7601.27820)
Windows Server 2008 R2 SP1 (Server Core) (< 6.1.7601.27820)
Windows 11 24H2 (< 10.0.26100.4652)
Windows 11 23H2 (< 10.0.22631.5624)
Windows 11 22H3 (< 10.0.22631.5624)
Windows 11 22H2 (< 10.0.22621.5624)
Windows 10 22H2 (< 10.0.19045.6093)
Windows 10 21H2 (< 10.0.19044.6093)
Windows 10 1809 (< 10.0.17763.7558)
Windows 10 1607 (< 10.0.14393.8246)
Windows 10 1507 (< 10.0.10240.21073)
Not Affected:
None reported
Indicators of Compromise:
Exploitation may result in unexpected crashes of authentication-related services.
Potential anomalous Kerberos/SPNEGO negotiation failures observed in system logs.
Workaround:
No official workaround currently documented.
Mitigation / Recommendations:
Apply Microsoft’s security updates immediately.
Limit network exposure of vulnerable services to trusted systems until patched.
Monitor Windows Event Logs for abnormal authentication or negotiation errors.
References:
🔗 Microsoft Advisory – CVE-2025-47981
🔗 NVD Entry – CVE-2025-47981
🔗 Vicarius Detection Script
🔗 Vicarius Mitigation Script
#Microsoft #Windows #SPNEGO #BufferOverflow #Security
@newvulnerability
Security Update – Wing FTP Server
Vulnerability: Remote Code Execution – Null-byte Lua Injection
CVE: CVE-2025-47812
Severity: 10.0 (Critical)
Summary:
The user and admin web interfaces in Wing FTP Server (versions prior to 7.4.4) mishandle \0 (null) bytes, allowing an attacker to inject arbitrary Lua code into user session files. An attacker can leverage this to execute system commands with the privileges of the FTP service (often root or SYSTEM). The vulnerability is remotely exploitable and can be triggered via anonymous FTP accounts, leading to full server compromise.
Affected Products:
Wing FTP Server versions prior to 7.4.4.
Not Affected:
Wing FTP Server 7.4.4 and later (vendor patches apply).
Indicators of Compromise:
Unexpected creation or modification of user session files containing Lua payloads.
Arbitrary system commands executed by the FTP service (new processes, unusual commands in process lists).
Suspicious anonymous FTP activity and uploads immediately followed by system changes.
Unexpected outbound network connections or data exfiltration from the server.
Workaround:
If you cannot patch immediately, disable the web-based user/admin interfaces and disable anonymous FTP accounts. Restrict access to the service via network controls (firewall / allowlists).
Mitigation / Recommendations:
Apply Wing FTP Server 7.4.4 or later immediately.
Restrict administrative interfaces to trusted management networks only.
Disable or tightly control anonymous FTP access.
Run the FTP service with the least privileges possible and use OS-level containment (chroot, containers).
Audit session files and system logs for indicators listed above and perform incident response if compromise is suspected.
Rotate credentials and secrets used by the service after remediation.
References:
🔗 https://www.wftpserver.com
🔗 https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
🔗 https://www.vicarius.io/vsociety/posts/cve-2025-47812-mitigation-script-remote-code-execution-vulnerability-in-wing-ftp-server
🔗 https://www.vicarius.io/vsociety/posts/cve-2025-47812-detection-script-remote-code-execution-vulnerability-in-wing-ftp-server
🔗 https://nvd.nist.gov/vuln/detail/CVE-2025-47812
🔗 https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
#WingFTP #RCE #NullByte #Lua #FTP #Security
@newvulnerability
Vulnerability: Remote Code Execution – Null-byte Lua Injection
CVE: CVE-2025-47812
Severity: 10.0 (Critical)
Summary:
The user and admin web interfaces in Wing FTP Server (versions prior to 7.4.4) mishandle \0 (null) bytes, allowing an attacker to inject arbitrary Lua code into user session files. An attacker can leverage this to execute system commands with the privileges of the FTP service (often root or SYSTEM). The vulnerability is remotely exploitable and can be triggered via anonymous FTP accounts, leading to full server compromise.
Affected Products:
Wing FTP Server versions prior to 7.4.4.
Not Affected:
Wing FTP Server 7.4.4 and later (vendor patches apply).
Indicators of Compromise:
Unexpected creation or modification of user session files containing Lua payloads.
Arbitrary system commands executed by the FTP service (new processes, unusual commands in process lists).
Suspicious anonymous FTP activity and uploads immediately followed by system changes.
Unexpected outbound network connections or data exfiltration from the server.
Workaround:
If you cannot patch immediately, disable the web-based user/admin interfaces and disable anonymous FTP accounts. Restrict access to the service via network controls (firewall / allowlists).
Mitigation / Recommendations:
Apply Wing FTP Server 7.4.4 or later immediately.
Restrict administrative interfaces to trusted management networks only.
Disable or tightly control anonymous FTP access.
Run the FTP service with the least privileges possible and use OS-level containment (chroot, containers).
Audit session files and system logs for indicators listed above and perform incident response if compromise is suspected.
Rotate credentials and secrets used by the service after remediation.
References:
🔗 https://www.wftpserver.com
🔗 https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
🔗 https://www.vicarius.io/vsociety/posts/cve-2025-47812-mitigation-script-remote-code-execution-vulnerability-in-wing-ftp-server
🔗 https://www.vicarius.io/vsociety/posts/cve-2025-47812-detection-script-remote-code-execution-vulnerability-in-wing-ftp-server
🔗 https://nvd.nist.gov/vuln/detail/CVE-2025-47812
🔗 https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
#WingFTP #RCE #NullByte #Lua #FTP #Security
@newvulnerability
Wftpserver
Wing FTP Server
Wing FTP Server is an easy-to-use, powerful, and free FTP server software for Windows & Linux. Download it FREE Now!
Security Update – Cisco Secure Firewall, IOS, IOS XE, and IOS XR Web Services
Vulnerability: Remote Code Execution – Web Services Input Validation Flaw
CVE: CVE-2025-20363
Severity: 9.0 (Critical)
Summary:
A critical remote code execution (RCE) vulnerability exists in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software. The flaw arises from improper validation of user-supplied input in HTTP requests. Successful exploitation could allow an unauthenticated (ASA/FTD) or low-privileged authenticated (IOS/IOS XE/IOS XR) remote attacker to execute arbitrary code as root, potentially leading to complete system compromise.
Affected Products:
Cisco Secure Firewall ASA Software
Cisco Secure Firewall FTD Software
Cisco IOS Software (with Remote Access SSL VPN enabled)
Cisco IOS XE Software (with Remote Access SSL VPN enabled)
Cisco IOS XR Software (32-bit, ASR 9001 Routers with HTTP server enabled)
Not Affected:
Cisco NX-OS Software
Cisco IOS XR 64-bit (Linux-based)
Devices without vulnerable web services enabled
Indicators of Compromise:
Unexpected code execution or system crashes on affected Cisco devices
Unusual or unauthorized activity in web service logs
SSL VPN or HTTP server processes behaving abnormally
Workaround:
No known workaround is available.
Mitigation / Recommendations:
Immediately upgrade to Cisco’s fixed software releases as outlined in the advisory.
Disable unnecessary web services and SSL VPN features if not required.
Monitor device logs for suspicious HTTP requests or abnormal system behavior.
Use the Cisco Software Checker
to verify affected versions and apply patches.
References:
🔗 Cisco Security Advisory – CVE-2025-20363
🔗 Cisco Event Response: Continued Attacks Against Cisco Firewall Platforms
#Cisco #Firewall #RCE #Security #Vulnerability #Cloud
@newvulnerability
Vulnerability: Remote Code Execution – Web Services Input Validation Flaw
CVE: CVE-2025-20363
Severity: 9.0 (Critical)
Summary:
A critical remote code execution (RCE) vulnerability exists in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software. The flaw arises from improper validation of user-supplied input in HTTP requests. Successful exploitation could allow an unauthenticated (ASA/FTD) or low-privileged authenticated (IOS/IOS XE/IOS XR) remote attacker to execute arbitrary code as root, potentially leading to complete system compromise.
Affected Products:
Cisco Secure Firewall ASA Software
Cisco Secure Firewall FTD Software
Cisco IOS Software (with Remote Access SSL VPN enabled)
Cisco IOS XE Software (with Remote Access SSL VPN enabled)
Cisco IOS XR Software (32-bit, ASR 9001 Routers with HTTP server enabled)
Not Affected:
Cisco NX-OS Software
Cisco IOS XR 64-bit (Linux-based)
Devices without vulnerable web services enabled
Indicators of Compromise:
Unexpected code execution or system crashes on affected Cisco devices
Unusual or unauthorized activity in web service logs
SSL VPN or HTTP server processes behaving abnormally
Workaround:
No known workaround is available.
Mitigation / Recommendations:
Immediately upgrade to Cisco’s fixed software releases as outlined in the advisory.
Disable unnecessary web services and SSL VPN features if not required.
Monitor device logs for suspicious HTTP requests or abnormal system behavior.
Use the Cisco Software Checker
to verify affected versions and apply patches.
References:
🔗 Cisco Security Advisory – CVE-2025-20363
🔗 Cisco Event Response: Continued Attacks Against Cisco Firewall Platforms
#Cisco #Firewall #RCE #Security #Vulnerability #Cloud
@newvulnerability
Cisco
Cisco Security Advisory: Cisco Secure Firewall Adaptive Security Appliance Software, Secure Firewall Threat Defense Software, IOS…
A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated…
Security Update – Cisco Secure Firewall ASA & FTD VPN Web Server
Vulnerability: Remote Code Execution – VPN Web Server Input Validation Flaw
CVE: CVE-2025-20333
Severity: 9.9 (Critical)
Summary:
A critical remote code execution (RCE) vulnerability exists in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. The issue stems from improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this flaw to execute arbitrary code as root, potentially leading to complete device compromise.
Affected Products:
Cisco Secure Firewall ASA Software (with AnyConnect, MUS, or SSL VPN features enabled)
Cisco Secure Firewall FTD Software (with AnyConnect or SSL VPN features enabled)
Not Affected:
Cisco Secure FMC Software
Cisco ASA/FTD devices without vulnerable VPN configurations enabled
Indicators of Compromise:
Unexpected process crashes or instability in VPN services
Unusual activity or anomalies in VPN authentication and web service logs
Signs of arbitrary code execution on Cisco ASA/FTD devices
Workaround:
No known workaround is available.
Mitigation / Recommendations:
Immediately upgrade to Cisco’s fixed software releases as outlined in the advisory.
Review and harden VPN configurations (IKEv2, SSL VPN, MUS).
Monitor VPN service logs for suspicious login attempts or crafted HTTP(S) requests.
Enable Cisco Threat Detection for VPN Services to protect against brute force and service abuse attempts.
References:
🔗 Cisco Security Advisory – CVE-2025-20333
🔗 Cisco Event Response: Continued Attacks Against Cisco Firewall Platforms
#Cisco #Firewall #VPN #RCE #Security #Vulnerability
@newvulnerability
Vulnerability: Remote Code Execution – VPN Web Server Input Validation Flaw
CVE: CVE-2025-20333
Severity: 9.9 (Critical)
Summary:
A critical remote code execution (RCE) vulnerability exists in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. The issue stems from improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this flaw to execute arbitrary code as root, potentially leading to complete device compromise.
Affected Products:
Cisco Secure Firewall ASA Software (with AnyConnect, MUS, or SSL VPN features enabled)
Cisco Secure Firewall FTD Software (with AnyConnect or SSL VPN features enabled)
Not Affected:
Cisco Secure FMC Software
Cisco ASA/FTD devices without vulnerable VPN configurations enabled
Indicators of Compromise:
Unexpected process crashes or instability in VPN services
Unusual activity or anomalies in VPN authentication and web service logs
Signs of arbitrary code execution on Cisco ASA/FTD devices
Workaround:
No known workaround is available.
Mitigation / Recommendations:
Immediately upgrade to Cisco’s fixed software releases as outlined in the advisory.
Review and harden VPN configurations (IKEv2, SSL VPN, MUS).
Monitor VPN service logs for suspicious login attempts or crafted HTTP(S) requests.
Enable Cisco Threat Detection for VPN Services to protect against brute force and service abuse attempts.
References:
🔗 Cisco Security Advisory – CVE-2025-20333
🔗 Cisco Event Response: Continued Attacks Against Cisco Firewall Platforms
#Cisco #Firewall #VPN #RCE #Security #Vulnerability
@newvulnerability
Cisco
Cisco Security Advisory: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software…
Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and CVE-2025-20362. This attack can cause unpatched devices…
Security Update – Cisco IOS and IOS XE Software
Vulnerabilities: Multiple High-Severity Vulnerabilities in Cisco IOS and IOS XE
CVEs:
CVE-2025-20312 – SNMP Denial of Service (DoS)
CVE-2025-20352 – SNMP DoS and Remote Code Execution (RCE)
CVE-2025-20313 / CVE-2025-20314 – Secure Boot Bypass
CVE-2025-20315 – NBAR Denial of Service
CVE-2025-20334 – HTTP API Command Injection
CVE-2025-20160 – TACACS+ Authentication Bypass
CVE-2025-20327 – Industrial Ethernet Switch Device Manager DoS
CVE-2025-20311 – Catalyst 9000 Series Switches DoS
Severity: High (CVSS up to 9.x)
Summary:
Cisco has disclosed multiple critical and high-severity vulnerabilities affecting IOS and IOS XE software across a wide range of platforms, including Catalyst 9000 switches and Industrial Ethernet devices. Exploitation of these vulnerabilities could result in denial-of-service conditions, remote code execution, authentication bypass, secure boot bypass, and command injection, depending on the specific CVE. Attackers may exploit these flaws remotely through crafted SNMP, HTTP API, or TACACS+ requests, or via malicious traffic targeting NBAR. Successful exploitation could compromise availability, integrity, or control of affected Cisco infrastructure.
Affected Products:
Cisco devices running affected versions of IOS or IOS XE.
Catalyst 9000 Series switches (CVE-2025-20311).
Industrial Ethernet switches with Device Manager enabled (CVE-2025-20327).
Any deployments with SNMP, TACACS+, HTTP API, NBAR, or secure boot features enabled on vulnerable releases.
Not Affected:
Devices upgraded to Cisco’s fixed releases.
Devices with vulnerable features disabled (e.g., SNMP disabled, HTTP API disabled).
Indicators of Compromise:
Service crashes or repeated restarts (SNMP, NBAR, or HTTP services).
Unexpected authentication success via TACACS+.
Abnormal boot integrity failures or unsigned modules loading (secure boot bypass).
Catalyst 9000 instability, forwarding issues, or control-plane crashes.
Suspicious HTTP or SNMP request patterns in management logs.
Workaround:
No universal workaround. In some cases, disabling or restricting vulnerable services (e.g., SNMP, HTTP API, TACACS+, Device Manager) may reduce risk temporarily.
Mitigation / Recommendations:
Apply Cisco’s official fixed software releases immediately.
Use Cisco’s Software Checker tool to identify impacted devices and recommended fixes.
Restrict management plane access (SNMP, TACACS+, HTTP API) to trusted sources.
Monitor system logs and network traffic for abnormal patterns related to SNMP, HTTP API, TACACS+, or NBAR.
Enforce least privilege on administrative accounts and ensure physical security of devices.
References:
🔗 Cisco Security Advisories
#Cisco #IOS #IOSXE #Catalyst9000 #SNMP #TACACS #DoS #RCE #Security
@newvulnerability
Vulnerabilities: Multiple High-Severity Vulnerabilities in Cisco IOS and IOS XE
CVEs:
CVE-2025-20312 – SNMP Denial of Service (DoS)
CVE-2025-20352 – SNMP DoS and Remote Code Execution (RCE)
CVE-2025-20313 / CVE-2025-20314 – Secure Boot Bypass
CVE-2025-20315 – NBAR Denial of Service
CVE-2025-20334 – HTTP API Command Injection
CVE-2025-20160 – TACACS+ Authentication Bypass
CVE-2025-20327 – Industrial Ethernet Switch Device Manager DoS
CVE-2025-20311 – Catalyst 9000 Series Switches DoS
Severity: High (CVSS up to 9.x)
Summary:
Cisco has disclosed multiple critical and high-severity vulnerabilities affecting IOS and IOS XE software across a wide range of platforms, including Catalyst 9000 switches and Industrial Ethernet devices. Exploitation of these vulnerabilities could result in denial-of-service conditions, remote code execution, authentication bypass, secure boot bypass, and command injection, depending on the specific CVE. Attackers may exploit these flaws remotely through crafted SNMP, HTTP API, or TACACS+ requests, or via malicious traffic targeting NBAR. Successful exploitation could compromise availability, integrity, or control of affected Cisco infrastructure.
Affected Products:
Cisco devices running affected versions of IOS or IOS XE.
Catalyst 9000 Series switches (CVE-2025-20311).
Industrial Ethernet switches with Device Manager enabled (CVE-2025-20327).
Any deployments with SNMP, TACACS+, HTTP API, NBAR, or secure boot features enabled on vulnerable releases.
Not Affected:
Devices upgraded to Cisco’s fixed releases.
Devices with vulnerable features disabled (e.g., SNMP disabled, HTTP API disabled).
Indicators of Compromise:
Service crashes or repeated restarts (SNMP, NBAR, or HTTP services).
Unexpected authentication success via TACACS+.
Abnormal boot integrity failures or unsigned modules loading (secure boot bypass).
Catalyst 9000 instability, forwarding issues, or control-plane crashes.
Suspicious HTTP or SNMP request patterns in management logs.
Workaround:
No universal workaround. In some cases, disabling or restricting vulnerable services (e.g., SNMP, HTTP API, TACACS+, Device Manager) may reduce risk temporarily.
Mitigation / Recommendations:
Apply Cisco’s official fixed software releases immediately.
Use Cisco’s Software Checker tool to identify impacted devices and recommended fixes.
Restrict management plane access (SNMP, TACACS+, HTTP API) to trusted sources.
Monitor system logs and network traffic for abnormal patterns related to SNMP, HTTP API, TACACS+, or NBAR.
Enforce least privilege on administrative accounts and ensure physical security of devices.
References:
🔗 Cisco Security Advisories
#Cisco #IOS #IOSXE #Catalyst9000 #SNMP #TACACS #DoS #RCE #Security
@newvulnerability
Vulnerability
Security Update – Cisco Secure Firewall, IOS, IOS XE, and IOS XR Web Services Vulnerability: Remote Code Execution – Web Services Input Validation Flaw CVE: CVE-2025-20363 Severity: 9.0 (Critical) Summary: A critical remote code execution (RCE) vulnerability…
Identify and Mitigate Potential Compromise of Cisco Devices
https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
@newvulnerability
https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
@newvulnerability
Cybersecurity and Infrastructure Security Agency CISA
ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices | CISA
This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 25-03: Identify and Mitigate Potential
Security Update – Sudo Local Privilege Escalation (chroot flaw)
Vulnerability: Local Privilege Escalation – Improper Handling of --chroot Option
CVE: CVE-2025-32463 (EUVD-2025-19673)
Severity: 9.3 (Critical, CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Summary:
A critical local privilege escalation vulnerability exists in Sudo versions prior to 1.9.17p1. The flaw arises because /etc/nsswitch.conf can be loaded from a user-controlled directory when the --chroot option is used. A local attacker could exploit this to gain root privileges, leading to complete system compromise.
Affected Products:
Sudo versions 1.9.14 to <1.9.17p1
Not Affected:
Sudo versions 1.9.17p1 and later
Indicators of Compromise:
Unexpected privilege escalations on systems using Sudo with the --chroot option
Unusual modifications or presence of /etc/nsswitch.conf in non-standard directories
Suspicious root-level activities traced back to unprivileged accounts
Workaround:
Avoid using the --chroot option in Sudo until patched
Restrict unprivileged user write access to directories involved in chroot environments
Mitigation / Recommendations:
Immediately upgrade to Sudo 1.9.17p1 or later
Apply distribution vendor security patches (Red Hat, Ubuntu, Debian, SUSE, AWS, Gentoo)
Monitor logs for unauthorized use of Sudo with --chroot
Review system integrity for signs of privilege escalation attempts
References:
🔗 Sudo Security Advisories
🔗 Sudo Changelog
🔗 Stratascale Advisory
🔗 Red Hat Advisory – RHSA-2025:11537
🔗 Ubuntu Security Notice – USN-7604-1
🔗 Debian Security Tracker
🔗 SUSE Advisory
🔗 AWS ALAS
🔗 Vicarius Detection & Mitigation Guides
#Sudo #PrivilegeEscalation #CVE202532463 #Security #Vulnerability #Linux
@newvulnerability
Vulnerability: Local Privilege Escalation – Improper Handling of --chroot Option
CVE: CVE-2025-32463 (EUVD-2025-19673)
Severity: 9.3 (Critical, CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Summary:
A critical local privilege escalation vulnerability exists in Sudo versions prior to 1.9.17p1. The flaw arises because /etc/nsswitch.conf can be loaded from a user-controlled directory when the --chroot option is used. A local attacker could exploit this to gain root privileges, leading to complete system compromise.
Affected Products:
Sudo versions 1.9.14 to <1.9.17p1
Not Affected:
Sudo versions 1.9.17p1 and later
Indicators of Compromise:
Unexpected privilege escalations on systems using Sudo with the --chroot option
Unusual modifications or presence of /etc/nsswitch.conf in non-standard directories
Suspicious root-level activities traced back to unprivileged accounts
Workaround:
Avoid using the --chroot option in Sudo until patched
Restrict unprivileged user write access to directories involved in chroot environments
Mitigation / Recommendations:
Immediately upgrade to Sudo 1.9.17p1 or later
Apply distribution vendor security patches (Red Hat, Ubuntu, Debian, SUSE, AWS, Gentoo)
Monitor logs for unauthorized use of Sudo with --chroot
Review system integrity for signs of privilege escalation attempts
References:
🔗 Sudo Security Advisories
🔗 Sudo Changelog
🔗 Stratascale Advisory
🔗 Red Hat Advisory – RHSA-2025:11537
🔗 Ubuntu Security Notice – USN-7604-1
🔗 Debian Security Tracker
🔗 SUSE Advisory
🔗 AWS ALAS
🔗 Vicarius Detection & Mitigation Guides
#Sudo #PrivilegeEscalation #CVE202532463 #Security #Vulnerability #Linux
@newvulnerability
Sudo
ChangeLog
2026-02-26 Aditya Bawangade src/exec_monitor.c, src/exec_nopty.c, src/exec_pty.c:
[race] : Move the installation of the SIGCHLD handler before fork [878103214] 2026-02-25 Todd C. Miller logsrvd/logsrvd.c:
connection_closure_free: log an error if SSL_shutdown()…
[race] : Move the installation of the SIGCHLD handler before fork [878103214] 2026-02-25 Todd C. Miller logsrvd/logsrvd.c:
connection_closure_free: log an error if SSL_shutdown()…
Security Update – Oracle Concurrent Processing Remote Code Execution (BI Publisher Integration)
Vulnerability: Remote Code Execution – Oracle Concurrent Processing (BI Publisher Integration)
CVE: CVE‑2025‑61882 (EUVD‑2025‑32443, GHSA‑hgff‑wp2m‑jgfw)
Summary:
A critical, easily‑exploitable remote code execution vulnerability exists in Oracle Concurrent Processing (component: BI Publisher Integration) of Oracle E‑Business Suite. Supported versions 12.2.3 through 12.2.14 are affected. An unauthenticated attacker with network access via HTTP can exploit this flaw to take over Oracle Concurrent Processing, resulting in full confidentiality, integrity, and availability compromise. CVSS 3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Affected Products:
Vendor: Oracle Corporation
Product: Oracle Concurrent Processing
Version: 12.2.3 ≤ 12.2.14
Not Affected:
Oracle Concurrent Processing versions later than 12.2.14 where vendor patches or fixes have been applied.
Indicators of Compromise:
Unauthorised or anomalous HTTP requests to Oracle Concurrent Processing / BI Publisher endpoints.
Unexpected process or service behavior in E‑Business Suite (new shells, processes, or crashes tied to Concurrent Processing).
Suspicious log entries showing unauthenticated access attempts or unexpected payloads against XMLP/BI Publisher webservices.
Workaround:
Immediately restrict network access to Oracle Concurrent Processing / BI Publisher endpoints (firewall rules, IP allowlists, network segmentation).
Apply virtual network controls (WAF rules, reverse proxies) to block suspicious or unauthenticated traffic to affected endpoints.
Monitor logs for anomalous requests and isolate any compromised instances pending remediation.
Mitigation / Recommendations:
Patch now. Apply Oracle’s Security Alert / emergency patch for CVE‑2025‑61882 to all affected Oracle E‑Business Suite instances (12.2.3–12.2.14) as provided by Oracle.
If you cannot immediately patch, isolate affected systems from untrusted networks and remove public access until patched.
Hunt for signs of compromise (review webserver logs, application logs for BI Publisher/XMLPservice, OS process lists, cronjobs, and new or modified files).
Apply vendor‑recommended post‑incident procedures if compromise is suspected (forensic capture, rotate credentials, rebuild from known‑good images).
References:
🔗 Oracle Security Alert – CVE‑2025‑61882
🔗 NVD / CVE entry — CVE‑2025‑61882
#Oracle #RemoteCodeExecution #CVE202561882 #EBS #Security
@newvulnerability
Vulnerability: Remote Code Execution – Oracle Concurrent Processing (BI Publisher Integration)
CVE: CVE‑2025‑61882 (EUVD‑2025‑32443, GHSA‑hgff‑wp2m‑jgfw)
Summary:
A critical, easily‑exploitable remote code execution vulnerability exists in Oracle Concurrent Processing (component: BI Publisher Integration) of Oracle E‑Business Suite. Supported versions 12.2.3 through 12.2.14 are affected. An unauthenticated attacker with network access via HTTP can exploit this flaw to take over Oracle Concurrent Processing, resulting in full confidentiality, integrity, and availability compromise. CVSS 3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Affected Products:
Vendor: Oracle Corporation
Product: Oracle Concurrent Processing
Version: 12.2.3 ≤ 12.2.14
Not Affected:
Oracle Concurrent Processing versions later than 12.2.14 where vendor patches or fixes have been applied.
Indicators of Compromise:
Unauthorised or anomalous HTTP requests to Oracle Concurrent Processing / BI Publisher endpoints.
Unexpected process or service behavior in E‑Business Suite (new shells, processes, or crashes tied to Concurrent Processing).
Suspicious log entries showing unauthenticated access attempts or unexpected payloads against XMLP/BI Publisher webservices.
Workaround:
Immediately restrict network access to Oracle Concurrent Processing / BI Publisher endpoints (firewall rules, IP allowlists, network segmentation).
Apply virtual network controls (WAF rules, reverse proxies) to block suspicious or unauthenticated traffic to affected endpoints.
Monitor logs for anomalous requests and isolate any compromised instances pending remediation.
Mitigation / Recommendations:
Patch now. Apply Oracle’s Security Alert / emergency patch for CVE‑2025‑61882 to all affected Oracle E‑Business Suite instances (12.2.3–12.2.14) as provided by Oracle.
If you cannot immediately patch, isolate affected systems from untrusted networks and remove public access until patched.
Hunt for signs of compromise (review webserver logs, application logs for BI Publisher/XMLPservice, OS process lists, cronjobs, and new or modified files).
Apply vendor‑recommended post‑incident procedures if compromise is suspected (forensic capture, rotate credentials, rebuild from known‑good images).
References:
🔗 Oracle Security Alert – CVE‑2025‑61882
🔗 NVD / CVE entry — CVE‑2025‑61882
#Oracle #RemoteCodeExecution #CVE202561882 #EBS #Security
@newvulnerability
Security Update – Microsoft October 2025 Patch Tuesday
Vulnerabilities: Multiple Critical and Zero-Day Vulnerabilities Across Microsoft Products
CVEs:
CVE-2025-0033 – AMD Restricted Memory Page Corruption (Zero-Day / Critical)
CVE-2025-24052 – Agere Modem Driver Elevation of Privilege (Zero-Day)
CVE-2025-24990 – Agere Modem Driver Elevation of Privilege (Zero-Day)
CVE-2025-2884 – TPM 2.0 Out-of-Bounds Read (Zero-Day)
CVE-2025-47827 – IGEL OS Secure Boot Bypass (Zero-Day)
CVE-2025-59230 – Windows Remote Access Connection Manager Elevation of Privilege (Zero-Day)
CVE-2025-59218 – Azure Entra ID Elevation of Privilege (Critical)
CVE-2025-59246 – Azure Entra ID Elevation of Privilege (Critical)
CVE-2025-55321 – Azure Monitor Log Analytics Spoofing (Critical)
CVE-2025-59247 – Azure PlayFab Elevation of Privilege (Critical)
CVE-2025-59291 – Confidential Azure Container Instances Elevation of Privilege (Critical)
CVE-2025-59292 – Azure Compute Gallery Elevation of Privilege (Critical)
CVE-2025-59236 – Microsoft Office Excel Remote Code Execution (Critical)
Severity: Critical / Actively Exploited (CVSS up to 9.x)
Summary:
Microsoft has released its October 2025 Patch Tuesday updates, addressing 172 vulnerabilities, including 6 actively exploited zero-days and 8 critical issues. Exploitation of these vulnerabilities could result in elevation of privilege, remote code execution, spoofing, information disclosure, or secure boot bypass. Affected components include Windows OS, Azure services (Entra ID, PlayFab, Monitor, Container Instances, Compute Gallery), Microsoft Office, TPM 2.0, and AMD firmware. Attackers may exploit these flaws locally or remotely to gain administrative privileges, execute arbitrary code, or bypass platform security controls.
Affected Products:
Windows 10 / 11, Windows Server 2016–2025.
Microsoft Office (Excel).
Azure Entra ID, PlayFab, Monitor (Log Analytics), Compute Gallery, Container Instances.
AMD SEV-SNP firmware and TPM 2.0 components.
IGEL OS Secure Boot configurations.
Not Affected:
Systems fully updated with October 2025 patches.
Azure instances running latest image versions.
Devices with Secure Boot and TPM firmware already updated.
Indicators of Compromise:
Privilege escalation or unexpected admin logins.
Unsigned modules loaded during Secure Boot.
Abnormal TPM log entries or integrity check failures.
Excel crash or execution anomalies from untrusted files.
Suspicious Azure authentication events or spoofed identities.
Workaround:
No universal workaround. Disable or restrict vulnerable services (e.g., external RDP, legacy modem drivers, or untrusted Excel macros) until patches are applied.
Mitigation / Recommendations:
Apply Microsoft’s October 2025 security updates immediately.
Prioritize zero-day and critical CVEs listed above.
Use Microsoft Endpoint Manager, WSUS, or Windows Update to deploy patches.
Restrict administrative and remote access to trusted users and networks.
Monitor event logs for suspicious activity related to Secure Boot, TPM, or privilege escalation.
References:
🔗 Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide
#Microsoft #PatchTuesday #ZeroDay #Windows #Azure #TPM #SecurityUpdate #CyberSecurity
@newvulnerability
Vulnerabilities: Multiple Critical and Zero-Day Vulnerabilities Across Microsoft Products
CVEs:
CVE-2025-0033 – AMD Restricted Memory Page Corruption (Zero-Day / Critical)
CVE-2025-24052 – Agere Modem Driver Elevation of Privilege (Zero-Day)
CVE-2025-24990 – Agere Modem Driver Elevation of Privilege (Zero-Day)
CVE-2025-2884 – TPM 2.0 Out-of-Bounds Read (Zero-Day)
CVE-2025-47827 – IGEL OS Secure Boot Bypass (Zero-Day)
CVE-2025-59230 – Windows Remote Access Connection Manager Elevation of Privilege (Zero-Day)
CVE-2025-59218 – Azure Entra ID Elevation of Privilege (Critical)
CVE-2025-59246 – Azure Entra ID Elevation of Privilege (Critical)
CVE-2025-55321 – Azure Monitor Log Analytics Spoofing (Critical)
CVE-2025-59247 – Azure PlayFab Elevation of Privilege (Critical)
CVE-2025-59291 – Confidential Azure Container Instances Elevation of Privilege (Critical)
CVE-2025-59292 – Azure Compute Gallery Elevation of Privilege (Critical)
CVE-2025-59236 – Microsoft Office Excel Remote Code Execution (Critical)
Severity: Critical / Actively Exploited (CVSS up to 9.x)
Summary:
Microsoft has released its October 2025 Patch Tuesday updates, addressing 172 vulnerabilities, including 6 actively exploited zero-days and 8 critical issues. Exploitation of these vulnerabilities could result in elevation of privilege, remote code execution, spoofing, information disclosure, or secure boot bypass. Affected components include Windows OS, Azure services (Entra ID, PlayFab, Monitor, Container Instances, Compute Gallery), Microsoft Office, TPM 2.0, and AMD firmware. Attackers may exploit these flaws locally or remotely to gain administrative privileges, execute arbitrary code, or bypass platform security controls.
Affected Products:
Windows 10 / 11, Windows Server 2016–2025.
Microsoft Office (Excel).
Azure Entra ID, PlayFab, Monitor (Log Analytics), Compute Gallery, Container Instances.
AMD SEV-SNP firmware and TPM 2.0 components.
IGEL OS Secure Boot configurations.
Not Affected:
Systems fully updated with October 2025 patches.
Azure instances running latest image versions.
Devices with Secure Boot and TPM firmware already updated.
Indicators of Compromise:
Privilege escalation or unexpected admin logins.
Unsigned modules loaded during Secure Boot.
Abnormal TPM log entries or integrity check failures.
Excel crash or execution anomalies from untrusted files.
Suspicious Azure authentication events or spoofed identities.
Workaround:
No universal workaround. Disable or restrict vulnerable services (e.g., external RDP, legacy modem drivers, or untrusted Excel macros) until patches are applied.
Mitigation / Recommendations:
Apply Microsoft’s October 2025 security updates immediately.
Prioritize zero-day and critical CVEs listed above.
Use Microsoft Endpoint Manager, WSUS, or Windows Update to deploy patches.
Restrict administrative and remote access to trusted users and networks.
Monitor event logs for suspicious activity related to Secure Boot, TPM, or privilege escalation.
References:
🔗 Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide
#Microsoft #PatchTuesday #ZeroDay #Windows #Azure #TPM #SecurityUpdate #CyberSecurity
@newvulnerability
Security Update – F5 BIG-IP, BIG-IP Next, F5OS, and Silverline
Vulnerabilities: Multiple Critical Vulnerabilities and Active Security Incident
Advisory Reference: F5 Security Incident and October 2025 Quarterly Security Notification
Severity: Critical / High
Summary:
F5 has disclosed a cybersecurity incident impacting certain internal F5 systems, along with its October 2025 quarterly security notification detailing multiple critical vulnerabilities across F5’s product portfolio. The issues affect a range of F5 platforms, including BIG-IP, BIG-IP Next, F5OS-A/C, and Silverline, as well as containerized and cloud-native components such as Next SPK and CNF.
Exploitation of these vulnerabilities could result in remote code execution, privilege escalation, denial of service, or compromise of management interfaces. The coordinated patch release from F5 includes remediations for both newly identified and previously unresolved issues to maintain secure and supported environments.
Affected Products:
F5 BIG-IP (versions 15.x – 17.x)
F5 BIG-IP Next (including SPK and CNF releases)
F5OS-A and F5OS-C systems
F5 Silverline cloud-based services
Not Affected:
Systems updated to fixed versions or applying engineering hotfixes listed in the October 2025 advisory.
Devices not running affected versions or without exposed management interfaces.
Indicators of Compromise:
Unexpected configuration changes or system reboots.
Unauthorised access attempts to F5 management interfaces.
Abnormal service crashes or elevated resource usage.
Unexpected network connections to or from management plane interfaces.
Workaround:
No universal workaround. In some cases, restricting access to management interfaces and ensuring exposure is limited to trusted administrative networks may reduce risk.
Mitigation / Recommendations:
Review F5 article K000154696 – F5 Security Incident
for immediate response actions.
Review F5 article K000156572 – Quarterly Security Notification (October 2025)
for affected versions and patch details.
Review F5 article K67091411 – Guidance for Quarterly Security Notifications
for ongoing management practices.
Apply fixed versions or engineering hotfixes as recommended.
Upgrade any End-of-Technical-Support (EoTS) appliances to supported platforms.
Subscribe to F5 Security Advisories and monitor for future updates.
References:
🔗 F5 Security Incident – K000154696
🔗 F5 October 2025 Quarterly Security Notification – K000156572
🔗 F5 Quarterly Security Guidance – K67091411
#F5 #BIGIP #F5OS #F5Next #Silverline #Security #Vulnerability #Patch #CyberSecurity
@newvulnerability
Vulnerabilities: Multiple Critical Vulnerabilities and Active Security Incident
Advisory Reference: F5 Security Incident and October 2025 Quarterly Security Notification
Severity: Critical / High
Summary:
F5 has disclosed a cybersecurity incident impacting certain internal F5 systems, along with its October 2025 quarterly security notification detailing multiple critical vulnerabilities across F5’s product portfolio. The issues affect a range of F5 platforms, including BIG-IP, BIG-IP Next, F5OS-A/C, and Silverline, as well as containerized and cloud-native components such as Next SPK and CNF.
Exploitation of these vulnerabilities could result in remote code execution, privilege escalation, denial of service, or compromise of management interfaces. The coordinated patch release from F5 includes remediations for both newly identified and previously unresolved issues to maintain secure and supported environments.
Affected Products:
F5 BIG-IP (versions 15.x – 17.x)
F5 BIG-IP Next (including SPK and CNF releases)
F5OS-A and F5OS-C systems
F5 Silverline cloud-based services
Not Affected:
Systems updated to fixed versions or applying engineering hotfixes listed in the October 2025 advisory.
Devices not running affected versions or without exposed management interfaces.
Indicators of Compromise:
Unexpected configuration changes or system reboots.
Unauthorised access attempts to F5 management interfaces.
Abnormal service crashes or elevated resource usage.
Unexpected network connections to or from management plane interfaces.
Workaround:
No universal workaround. In some cases, restricting access to management interfaces and ensuring exposure is limited to trusted administrative networks may reduce risk.
Mitigation / Recommendations:
Review F5 article K000154696 – F5 Security Incident
for immediate response actions.
Review F5 article K000156572 – Quarterly Security Notification (October 2025)
for affected versions and patch details.
Review F5 article K67091411 – Guidance for Quarterly Security Notifications
for ongoing management practices.
Apply fixed versions or engineering hotfixes as recommended.
Upgrade any End-of-Technical-Support (EoTS) appliances to supported platforms.
Subscribe to F5 Security Advisories and monitor for future updates.
References:
🔗 F5 Security Incident – K000154696
🔗 F5 October 2025 Quarterly Security Notification – K000156572
🔗 F5 Quarterly Security Guidance – K67091411
#F5 #BIGIP #F5OS #F5Next #Silverline #Security #Vulnerability #Patch #CyberSecurity
@newvulnerability
F5
F5 Security Incident
We want to share information with you about steps we’ve taken to resolve a security incident at F5 and our ongoing efforts to protect our customers. In August 2025, we learned a highly sophisticated nation-state threat actor maintained long-term, persistent…
Vulnerability
Security Update – F5 BIG-IP, BIG-IP Next, F5OS, and Silverline Vulnerabilities: Multiple Critical Vulnerabilities and Active Security Incident Advisory Reference: F5 Security Incident and October 2025 Quarterly Security Notification Severity: Critical / High…
https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices
@newvulnerability
@newvulnerability
Cybersecurity and Infrastructure Security Agency CISA
ED 26-01: Mitigate Vulnerabilities in F5 Devices | CISA
Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security
Security Update – Cisco Desk Phone, IP Phone, and Video Phone SIP Software
Vulnerabilities: Multiple High-Severity Vulnerabilities in Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software
CVEs:
CVE-2025-20350 – Web UI Denial of Service (DoS)
CVE-2025-20351 – Web UI Cross-Site Scripting (XSS)
Severity: High (CVSS up to 7.5)
Summary:
Cisco has disclosed multiple high-severity vulnerabilities in Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 devices running Cisco Session Initiation Protocol (SIP) Software. Successful exploitation could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or conduct a cross-site scripting (XSS) attack through the web user interface.
To exploit these vulnerabilities, the affected phone must be registered to Cisco Unified Communications Manager (CUCM) and have Web Access enabled. Web Access is disabled by default. Cisco has released software updates that address both vulnerabilities.
Affected Products:
Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 running vulnerable versions of Cisco SIP Software, when registered to CUCM and with Web Access enabled.
Not Affected:
Devices running Cisco Multiplatform Firmware or phones with Web Access disabled are not affected.
Indicators of Compromise:
Unexpected phone reboots or service interruptions.
Unusual behavior in the phone’s web interface, such as injected scripts or pop-ups.
Suspicious HTTP traffic directed toward the phone’s IP address.
Workaround:
There are no direct workarounds. However, disabling Web Access mitigates the vulnerabilities. Web Access can be disabled per device or in bulk through Cisco Unified Communications Manager (CUCM).
Mitigation / Recommendations:
Apply Cisco’s fixed software updates as outlined in the official advisory.
Disable Web Access on affected devices where it is not required.
Restrict management plane access to trusted networks only.
Regularly monitor Cisco PSIRT advisories for security updates.
Upgrade any devices running unsupported or end-of-life firmware to supported versions.
References:
🔗 Cisco Security Advisory – cisco-sa-phone-dos-FPyjLV7A
#Cisco #DeskPhone #IPPhone #VideoPhone #SIP #DoS #XSS #Security #Vulnerability #Patch
@newvulnerability
Vulnerabilities: Multiple High-Severity Vulnerabilities in Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software
CVEs:
CVE-2025-20350 – Web UI Denial of Service (DoS)
CVE-2025-20351 – Web UI Cross-Site Scripting (XSS)
Severity: High (CVSS up to 7.5)
Summary:
Cisco has disclosed multiple high-severity vulnerabilities in Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 devices running Cisco Session Initiation Protocol (SIP) Software. Successful exploitation could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or conduct a cross-site scripting (XSS) attack through the web user interface.
To exploit these vulnerabilities, the affected phone must be registered to Cisco Unified Communications Manager (CUCM) and have Web Access enabled. Web Access is disabled by default. Cisco has released software updates that address both vulnerabilities.
Affected Products:
Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 running vulnerable versions of Cisco SIP Software, when registered to CUCM and with Web Access enabled.
Not Affected:
Devices running Cisco Multiplatform Firmware or phones with Web Access disabled are not affected.
Indicators of Compromise:
Unexpected phone reboots or service interruptions.
Unusual behavior in the phone’s web interface, such as injected scripts or pop-ups.
Suspicious HTTP traffic directed toward the phone’s IP address.
Workaround:
There are no direct workarounds. However, disabling Web Access mitigates the vulnerabilities. Web Access can be disabled per device or in bulk through Cisco Unified Communications Manager (CUCM).
Mitigation / Recommendations:
Apply Cisco’s fixed software updates as outlined in the official advisory.
Disable Web Access on affected devices where it is not required.
Restrict management plane access to trusted networks only.
Regularly monitor Cisco PSIRT advisories for security updates.
Upgrade any devices running unsupported or end-of-life firmware to supported versions.
References:
🔗 Cisco Security Advisory – cisco-sa-phone-dos-FPyjLV7A
#Cisco #DeskPhone #IPPhone #VideoPhone #SIP #DoS #XSS #Security #Vulnerability #Patch
@newvulnerability
Cisco
Cisco Security Advisory: Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities
Multiple vulnerabilities in Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 running Cisco Session Initiation Protocol (SIP) Software could allow an unauthenticated, remote attacker to cause a denial of service…
Security Update – Cisco IOS XE Software Secure Boot Bypass Vulnerabilities
Vulnerabilities: Multiple High-Severity Secure Boot Bypass Vulnerabilities in Cisco IOS XE Software
CVEs:
CVE-2025-20313 – Secure Boot Chain of Trust Bypass
CVE-2025-20314 – Secure Boot Chain of Trust Bypass
Severity: High (CVSS 6.7)
Summary:
Cisco has disclosed multiple vulnerabilities in Cisco IOS XE Software that could allow an authenticated, local attacker with level-15 privileges, or an unauthenticated attacker with physical access, to execute persistent code at boot time and break the secure boot chain of trust.
These vulnerabilities are caused by improper validation of software packages. An attacker could exploit them by placing a crafted file in a specific location on an affected device. Successful exploitation could allow the execution of persistent code on the underlying operating system, effectively bypassing a major security control.
Cisco has raised the Security Impact Rating (SIR) from Medium to High due to the potential compromise of the device’s secure boot mechanism.
Affected Products:
Cisco IOS XE Software running on the following platforms may be affected if operating on vulnerable releases:
1000 Series Integrated Services Routers, 1100 Terminal Services Gateways, 4000 Series Integrated Services Routers, 8100 and 8400 Secure Routers, ASR 1000 Series Aggregation Services Routers, Catalyst 8200, 8300, 8500L, 9200, and Industrial Ethernet 3100, 3500, 9300, and IR/IE/ESS embedded or rugged platforms, as well as VG410 Analog Voice Gateways.
Only Cisco IOS XE devices running the affected releases listed in the advisory are vulnerable.
Not Affected:
Cisco IOS Software, IOS XR Software, and NX-OS Software are not affected.
Indicators of Compromise:
There are no known indicators of active exploitation at this time. Potential compromise indicators may include unexpected file changes in boot storage locations or boot integrity verification failures.
Workaround:
No workarounds are available.
Mitigation / Recommendations:
Cisco recommends upgrading to fixed software releases to fully remediate these vulnerabilities.
Use the Cisco Software Checker tool to determine if a device is affected and identify the earliest fixed release.
Restrict physical access to devices and limit administrative privileges to trusted personnel only.
Monitor for updates from Cisco PSIRT and apply future security advisories promptly.
References:
🔗 Cisco Security Advisory – cisco-sa-secboot-UqFD8AvC
#Cisco #IOSXE #SecureBoot #Bypass #Router #Switch #Security #Vulnerability #Patch #PSIRT
@newvulnerability
Vulnerabilities: Multiple High-Severity Secure Boot Bypass Vulnerabilities in Cisco IOS XE Software
CVEs:
CVE-2025-20313 – Secure Boot Chain of Trust Bypass
CVE-2025-20314 – Secure Boot Chain of Trust Bypass
Severity: High (CVSS 6.7)
Summary:
Cisco has disclosed multiple vulnerabilities in Cisco IOS XE Software that could allow an authenticated, local attacker with level-15 privileges, or an unauthenticated attacker with physical access, to execute persistent code at boot time and break the secure boot chain of trust.
These vulnerabilities are caused by improper validation of software packages. An attacker could exploit them by placing a crafted file in a specific location on an affected device. Successful exploitation could allow the execution of persistent code on the underlying operating system, effectively bypassing a major security control.
Cisco has raised the Security Impact Rating (SIR) from Medium to High due to the potential compromise of the device’s secure boot mechanism.
Affected Products:
Cisco IOS XE Software running on the following platforms may be affected if operating on vulnerable releases:
1000 Series Integrated Services Routers, 1100 Terminal Services Gateways, 4000 Series Integrated Services Routers, 8100 and 8400 Secure Routers, ASR 1000 Series Aggregation Services Routers, Catalyst 8200, 8300, 8500L, 9200, and Industrial Ethernet 3100, 3500, 9300, and IR/IE/ESS embedded or rugged platforms, as well as VG410 Analog Voice Gateways.
Only Cisco IOS XE devices running the affected releases listed in the advisory are vulnerable.
Not Affected:
Cisco IOS Software, IOS XR Software, and NX-OS Software are not affected.
Indicators of Compromise:
There are no known indicators of active exploitation at this time. Potential compromise indicators may include unexpected file changes in boot storage locations or boot integrity verification failures.
Workaround:
No workarounds are available.
Mitigation / Recommendations:
Cisco recommends upgrading to fixed software releases to fully remediate these vulnerabilities.
Use the Cisco Software Checker tool to determine if a device is affected and identify the earliest fixed release.
Restrict physical access to devices and limit administrative privileges to trusted personnel only.
Monitor for updates from Cisco PSIRT and apply future security advisories promptly.
References:
🔗 Cisco Security Advisory – cisco-sa-secboot-UqFD8AvC
#Cisco #IOSXE #SecureBoot #Bypass #Router #Switch #Security #Vulnerability #Patch #PSIRT
@newvulnerability
Cisco
Cisco Security Advisory: Cisco IOS XE Software Secure Boot Bypass Vulnerabilities
Multiple vulnerabilities in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to an affected device to execute persistent code at boot time and break the chain of…
Vulnerability
Security Update – F5 BIG-IP, BIG-IP Next, F5OS, and Silverline Vulnerabilities: Multiple Critical Vulnerabilities and Active Security Incident Advisory Reference: F5 Security Incident and October 2025 Quarterly Security Notification Severity: Critical / High…
F5 just confirmed a nation-state breach that went undetected for months.
Hackers stole BIG-IP source code and data on undisclosed vulnerabilities.
Full story ↓ https://thehackernews.com/2025/10/f5-breach-exposes-big-ip-source-code.html
@newvulnerability
Hackers stole BIG-IP source code and data on undisclosed vulnerabilities.
Full story ↓ https://thehackernews.com/2025/10/f5-breach-exposes-big-ip-source-code.html
@newvulnerability
Security Update – Adobe Experience Manager
Vulnerability: Remote Code Execution – Misconfiguration allowing arbitrary code execution
CVE: CVE-2025-54253
Severity: 10.0 (Critical)
Summary:
Adobe Experience Manager (AEM) up to and including version 6.5.23 contains a misconfiguration that allows an unauthenticated, remote attacker to bypass security mechanisms and execute arbitrary code on affected servers. Exploitation does not require user interaction and results in full compromise of confidentiality, integrity, and availability.
Affected Products:
Adobe Experience Manager versions 6.5.23 and earlier.
Not Affected:
AEM versions later than 6.5.23 (update to the latest patch level as advised by Adobe).
Indicators of Compromise:
Unexpected creation or modification of AEM application files or repository nodes.
Arbitrary processes spawned by the AEM service or unexpected command execution.
Sudden configuration changes, new users or altered permissions in the AEM instance.
Unusual outbound network connections originating from the AEM host or evidence of data exfiltration.
Web requests with unusual parameters targeting AEM endpoints around the time of compromise.
Workaround:
No full workaround available. If immediate patching is not possible, consider isolating AEM instances from public access (use network ACLs, WAF rules, VPN-only access), disable any unnecessary connectors/features exposed to untrusted networks, and apply strict allowlists for management and admin interfaces.
Mitigation / Recommendations:
Apply Adobe’s security updates or upgrade to a fixed version immediately.
Restrict public access to AEM instances; place AEM behind a web application firewall and enforce strict ingress filtering.
Rotate all credentials, API keys, and secrets used by the AEM service after remediation.
Inspect and clean any suspicious files, repository nodes, or processes; perform full incident response if compromise is suspected.
Review logs and backups for evidence of tampering and preserve forensic data.
Subscribe to Adobe security advisories and apply future updates promptly.
References:
🔗 Adobe Security Bulletin – APSB25-82: https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html
#Adobe #AEM #RCE #Misconfiguration #CVE-2025-54253 #PatchNow
@newvulnerability
Vulnerability: Remote Code Execution – Misconfiguration allowing arbitrary code execution
CVE: CVE-2025-54253
Severity: 10.0 (Critical)
Summary:
Adobe Experience Manager (AEM) up to and including version 6.5.23 contains a misconfiguration that allows an unauthenticated, remote attacker to bypass security mechanisms and execute arbitrary code on affected servers. Exploitation does not require user interaction and results in full compromise of confidentiality, integrity, and availability.
Affected Products:
Adobe Experience Manager versions 6.5.23 and earlier.
Not Affected:
AEM versions later than 6.5.23 (update to the latest patch level as advised by Adobe).
Indicators of Compromise:
Unexpected creation or modification of AEM application files or repository nodes.
Arbitrary processes spawned by the AEM service or unexpected command execution.
Sudden configuration changes, new users or altered permissions in the AEM instance.
Unusual outbound network connections originating from the AEM host or evidence of data exfiltration.
Web requests with unusual parameters targeting AEM endpoints around the time of compromise.
Workaround:
No full workaround available. If immediate patching is not possible, consider isolating AEM instances from public access (use network ACLs, WAF rules, VPN-only access), disable any unnecessary connectors/features exposed to untrusted networks, and apply strict allowlists for management and admin interfaces.
Mitigation / Recommendations:
Apply Adobe’s security updates or upgrade to a fixed version immediately.
Restrict public access to AEM instances; place AEM behind a web application firewall and enforce strict ingress filtering.
Rotate all credentials, API keys, and secrets used by the AEM service after remediation.
Inspect and clean any suspicious files, repository nodes, or processes; perform full incident response if compromise is suspected.
Review logs and backups for evidence of tampering and preserve forensic data.
Subscribe to Adobe security advisories and apply future updates promptly.
References:
🔗 Adobe Security Bulletin – APSB25-82: https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html
#Adobe #AEM #RCE #Misconfiguration #CVE-2025-54253 #PatchNow
@newvulnerability
Adobe
Adobe Security Bulletin
Security updates available for Adobe Experience Manager | APSB25-82
Security Update – Apache ActiveMQ NMS AMQP Client
Vulnerability: Remote Code Execution – Deserialization of Untrusted Data
CVE: CVE-2025-54539
Severity: 9.8 (Critical)
Summary:
Apache ActiveMQ NMS AMQP Client versions up to and including 2.3.0 are affected by a critical deserialization vulnerability. The flaw allows an unauthenticated remote attacker to send specially crafted AMQP messages that trigger deserialization of untrusted data, leading to arbitrary code execution in the context of the vulnerable client application. Successful exploitation may result in full system compromise, data theft, or lateral movement within affected environments.
Affected Products:
Apache ActiveMQ NMS AMQP Client versions ≤ 2.3.0
Not Affected:
Apache ActiveMQ NMS AMQP Client versions later than 2.3.0 (patched releases).
Indicators of Compromise:
Unexpected or unauthorized code execution initiated by client processes.
Suspicious AMQP traffic or malformed message payloads received by the client.
Sudden instability or crashes in applications integrating with ActiveMQ NMS AMQP Client.
Unexplained outbound connections or dropped sessions linked to AMQP activity.
Workaround:
No practical workaround is available. If upgrading immediately is not possible, restrict exposure of AMQP client components, enforce strict network controls, and validate all message sources before processing. Disable or isolate any systems handling untrusted AMQP messages until patched.
Mitigation / Recommendations:
Upgrade to the latest version of Apache ActiveMQ NMS AMQP Client (above 2.3.0).
Review and sanitize all message deserialization logic within dependent applications.
Implement input validation and integrity checking for AMQP message payloads.
Monitor for abnormal AMQP or client process behavior and review associated logs.
Limit network access to trusted AMQP brokers and enforce secure communication (TLS).
References:
🔗 Apache Security Advisory: https://lists.apache.org/thread/9k684j07ljrshy3hxwhj5m0xjmkz1g2n
🔗 GitHub Repository: https://github.com/apache/activemq-nms-amqp
#ActiveMQ #Apache #RCE #Deserialization #AMQP #CVE-2025-54539 #Security
@newvulnerability
Vulnerability: Remote Code Execution – Deserialization of Untrusted Data
CVE: CVE-2025-54539
Severity: 9.8 (Critical)
Summary:
Apache ActiveMQ NMS AMQP Client versions up to and including 2.3.0 are affected by a critical deserialization vulnerability. The flaw allows an unauthenticated remote attacker to send specially crafted AMQP messages that trigger deserialization of untrusted data, leading to arbitrary code execution in the context of the vulnerable client application. Successful exploitation may result in full system compromise, data theft, or lateral movement within affected environments.
Affected Products:
Apache ActiveMQ NMS AMQP Client versions ≤ 2.3.0
Not Affected:
Apache ActiveMQ NMS AMQP Client versions later than 2.3.0 (patched releases).
Indicators of Compromise:
Unexpected or unauthorized code execution initiated by client processes.
Suspicious AMQP traffic or malformed message payloads received by the client.
Sudden instability or crashes in applications integrating with ActiveMQ NMS AMQP Client.
Unexplained outbound connections or dropped sessions linked to AMQP activity.
Workaround:
No practical workaround is available. If upgrading immediately is not possible, restrict exposure of AMQP client components, enforce strict network controls, and validate all message sources before processing. Disable or isolate any systems handling untrusted AMQP messages until patched.
Mitigation / Recommendations:
Upgrade to the latest version of Apache ActiveMQ NMS AMQP Client (above 2.3.0).
Review and sanitize all message deserialization logic within dependent applications.
Implement input validation and integrity checking for AMQP message payloads.
Monitor for abnormal AMQP or client process behavior and review associated logs.
Limit network access to trusted AMQP brokers and enforce secure communication (TLS).
References:
🔗 Apache Security Advisory: https://lists.apache.org/thread/9k684j07ljrshy3hxwhj5m0xjmkz1g2n
🔗 GitHub Repository: https://github.com/apache/activemq-nms-amqp
#ActiveMQ #Apache #RCE #Deserialization #AMQP #CVE-2025-54539 #Security
@newvulnerability
GitHub
GitHub - apache/activemq-nms-amqp: Mirror of Apache ActiveMQ NMS.AMQP Client
Mirror of Apache ActiveMQ NMS.AMQP Client. Contribute to apache/activemq-nms-amqp development by creating an account on GitHub.
Security Update – Apache Tomcat
Vulnerability: Remote Code Execution / Information Disclosure / Data Corruption via partial PUT
CVE: CVE-2025-24813
Severity: 10.0 (Critical)
Summary:
Apache Tomcat versions listed (see Affected Products) are impacted by a critical vulnerability in the HTTP PUT handling that can be abused to perform partial PUT requests leading to remote code execution, information disclosure, or corruption of application data. The flaw can be exploited remotely without authentication and results in full compromise of confidentiality, integrity, and availability of affected Tomcat instances.
Affected Products:
Apache Tomcat 8.5.0 through 8.5.100
Apache Tomcat 9.0.0.M1 through 9.0.98
Apache Tomcat 10.1.0-M1 through 10.1.34
Apache Tomcat 11.0.0-M1 through 11.0.2
(Any Tomcat deployment running the above vulnerable releases is at risk.)
Not Affected:
Tomcat releases later than the versions listed above that include the upstream fixes.
Indicators of Compromise:
Unexpected files or partial/fragmented uploads in webapp directories.
Unusual HTTP PUT/POST traffic patterns, particularly partial or malformed PUT requests.
Application crashes, unexpected process execution, or anomalous outbound connections originating from Tomcat hosts.
New or altered web application files or unexpected changes to configuration/webapp content.
Workaround:
If immediate patching is not possible:
Restrict or disable HTTP PUT and other write methods at the front-end (reverse proxy, load balancer, or web server).
Apply WAF rules to detect and block malformed or partial PUT requests.
Restrict access to management and upload endpoints to trusted networks only.
Isolate vulnerable Tomcat instances from public access until patched.
Mitigation / Recommendations:
Upgrade Tomcat to the fixed releases that address CVE-2025-24813 as provided by Apache or downstream vendors.
Apply vendor-provided patches (Red Hat, Debian LTS, NetApp, etc.) if you use vendor-packaged Tomcat.
Review and harden upload handling in web applications (validate and sanitize uploaded content, enforce authentication/authorization for write operations).
Monitor HTTP logs and WAF/IDS alerts for signs of exploitation and collect forensic data if compromise is suspected.
If compromise is confirmed, perform incident response: preserve logs, rebuild affected hosts from known-good images, rotate credentials and keys, and review backups for integrity.
References:
🔗 NVD – CVE-2025-24813
🔗 Apache Tomcat commit 1
🔗 Apache Tomcat commit 2
🔗 Apache Tomcat commit 3
🔗 POC Repository
🔗 Apache Tomcat Project
🔗 Apache Mailing List Discussion
🔗 Openwall OSS-Security Thread
🔗 Vicarius Detection Guide
🔗 CISA KEV Catalog
#ApacheTomcat #RCE #PartialPUT #CVE-2025-24813 #PatchNow
@newvulnerability
Vulnerability: Remote Code Execution / Information Disclosure / Data Corruption via partial PUT
CVE: CVE-2025-24813
Severity: 10.0 (Critical)
Summary:
Apache Tomcat versions listed (see Affected Products) are impacted by a critical vulnerability in the HTTP PUT handling that can be abused to perform partial PUT requests leading to remote code execution, information disclosure, or corruption of application data. The flaw can be exploited remotely without authentication and results in full compromise of confidentiality, integrity, and availability of affected Tomcat instances.
Affected Products:
Apache Tomcat 8.5.0 through 8.5.100
Apache Tomcat 9.0.0.M1 through 9.0.98
Apache Tomcat 10.1.0-M1 through 10.1.34
Apache Tomcat 11.0.0-M1 through 11.0.2
(Any Tomcat deployment running the above vulnerable releases is at risk.)
Not Affected:
Tomcat releases later than the versions listed above that include the upstream fixes.
Indicators of Compromise:
Unexpected files or partial/fragmented uploads in webapp directories.
Unusual HTTP PUT/POST traffic patterns, particularly partial or malformed PUT requests.
Application crashes, unexpected process execution, or anomalous outbound connections originating from Tomcat hosts.
New or altered web application files or unexpected changes to configuration/webapp content.
Workaround:
If immediate patching is not possible:
Restrict or disable HTTP PUT and other write methods at the front-end (reverse proxy, load balancer, or web server).
Apply WAF rules to detect and block malformed or partial PUT requests.
Restrict access to management and upload endpoints to trusted networks only.
Isolate vulnerable Tomcat instances from public access until patched.
Mitigation / Recommendations:
Upgrade Tomcat to the fixed releases that address CVE-2025-24813 as provided by Apache or downstream vendors.
Apply vendor-provided patches (Red Hat, Debian LTS, NetApp, etc.) if you use vendor-packaged Tomcat.
Review and harden upload handling in web applications (validate and sanitize uploaded content, enforce authentication/authorization for write operations).
Monitor HTTP logs and WAF/IDS alerts for signs of exploitation and collect forensic data if compromise is suspected.
If compromise is confirmed, perform incident response: preserve logs, rebuild affected hosts from known-good images, rotate credentials and keys, and review backups for integrity.
References:
🔗 NVD – CVE-2025-24813
🔗 Apache Tomcat commit 1
🔗 Apache Tomcat commit 2
🔗 Apache Tomcat commit 3
🔗 POC Repository
🔗 Apache Tomcat Project
🔗 Apache Mailing List Discussion
🔗 Openwall OSS-Security Thread
🔗 Vicarius Detection Guide
🔗 CISA KEV Catalog
#ApacheTomcat #RCE #PartialPUT #CVE-2025-24813 #PatchNow
@newvulnerability
GitHub
Enhance lifecycle of temporary files used by partial PUT · apache/tomcat@0a668e0
Delete temporary file right after finishing request processing.
Simplify using createTempFile.
Simplify using createTempFile.
Security Update – Wazuh Server
Vulnerability: Remote Code Execution
CVE: CVE-2025-24016
Severity: 9.9 (Critical)
Summary:
Wazuh Server versions 4.4.0 through 4.9.0 are vulnerable to remote code execution. The flaw allows an authenticated attacker with limited privileges to execute arbitrary code with elevated permissions, potentially leading to full compromise of the affected system. The issue arises due to improper input validation and insufficient sanitization in specific Wazuh components responsible for handling management communications.
Affected Products:
Wazuh versions 4.4.0 to versions earlier than 4.9.1.
Not Affected:
Wazuh 4.9.1 and later (patched versions).
Indicators of Compromise:
Unexpected creation or modification of system configuration files.
Execution of unauthorized or suspicious commands by the Wazuh service user.
Unusual network activity or lateral movement from the Wazuh management server.
Unexpected Wazuh agent configuration changes or policy updates.
Workaround:
Restrict access to the Wazuh management interface to trusted networks only.
Monitor and validate all Wazuh configuration changes until patching is complete.
Apply strict role-based access controls to reduce exposure.
Mitigation / Recommendations:
Update to Wazuh version 4.9.1 or later immediately.
Review access controls and authentication configurations for Wazuh services.
Regularly audit Wazuh server logs for anomalies or signs of exploitation.
Implement network segmentation to isolate management servers.
Rotate credentials and secrets used by Wazuh after patching.
References:
🔗 https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh
🔗 https://nvd.nist.gov/vuln/detail/CVE-2025-24016
🔗 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24016
#Wazuh #RCE #Security #CVE202524016 #CISAKEV
@newvulnerability
Vulnerability: Remote Code Execution
CVE: CVE-2025-24016
Severity: 9.9 (Critical)
Summary:
Wazuh Server versions 4.4.0 through 4.9.0 are vulnerable to remote code execution. The flaw allows an authenticated attacker with limited privileges to execute arbitrary code with elevated permissions, potentially leading to full compromise of the affected system. The issue arises due to improper input validation and insufficient sanitization in specific Wazuh components responsible for handling management communications.
Affected Products:
Wazuh versions 4.4.0 to versions earlier than 4.9.1.
Not Affected:
Wazuh 4.9.1 and later (patched versions).
Indicators of Compromise:
Unexpected creation or modification of system configuration files.
Execution of unauthorized or suspicious commands by the Wazuh service user.
Unusual network activity or lateral movement from the Wazuh management server.
Unexpected Wazuh agent configuration changes or policy updates.
Workaround:
Restrict access to the Wazuh management interface to trusted networks only.
Monitor and validate all Wazuh configuration changes until patching is complete.
Apply strict role-based access controls to reduce exposure.
Mitigation / Recommendations:
Update to Wazuh version 4.9.1 or later immediately.
Review access controls and authentication configurations for Wazuh services.
Regularly audit Wazuh server logs for anomalies or signs of exploitation.
Implement network segmentation to isolate management servers.
Rotate credentials and secrets used by Wazuh after patching.
References:
🔗 https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh
🔗 https://nvd.nist.gov/vuln/detail/CVE-2025-24016
🔗 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24016
#Wazuh #RCE #Security #CVE202524016 #CISAKEV
@newvulnerability
GitHub
Remote code execution in Wazuh server
### Summary
An unsafe deserialization vulnerability allows for remote code execution on Wazuh servers.
The vulnerability can be triggered by anybody with API access (compromised dashboard or Wa...
An unsafe deserialization vulnerability allows for remote code execution on Wazuh servers.
The vulnerability can be triggered by anybody with API access (compromised dashboard or Wa...
🛑 URGENT: Microsoft rushed out out-of-band fixes for an actively exploited Office zero-day.
CVE-2026-21509 (CVSS 7.8) lets attackers bypass Office security using a malicious file that must be opened by the victim.
🔗 Details → https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.html
@newvulnerability
CVE-2026-21509 (CVSS 7.8) lets attackers bypass Office security using a malicious file that must be opened by the victim.
🔗 Details → https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.html
@newvulnerability
Administrative FortiCloud SSO authentication bypass
PSIRT | FortiGuard Labs https://share.google/4I25IKEgkZhijHlYE
@newvulnerability
PSIRT | FortiGuard Labs https://share.google/4I25IKEgkZhijHlYE
@newvulnerability
FortiGuard Labs
PSIRT | FortiGuard Labs
None