Security advisory

Security Advisory

Apple Releases iOS & iPadOS 26.1 Update, Fixed Multiple Security Vulnerabilities 

Summary: Apple released iOS 26.1 and iPadOS 26, addressed multiple security vulnerabilities across core system components including WebKit, Kernel, Accessibility, Apple Neural Engine, CloudKit etc.

OEM Apple 
Severity High 
CVEs CVE-2025-43438, CVE-2025-43429, CVE-2025-43442, CVE-2025-43455, CVE-2025-43398 & others 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview: 

These vulnerabilities could enable malicious apps to escape sandboxes, access sensitive user data, execute arbitrary code via web content, monitor keystrokes or disable theft protection mechanisms. Affected devices include iPhone 11 & later and iPad models from 3rd gen onward etc. Immediate update is strongly recommended to prevent any breaches, system crashes. 

                Vulnerability Name CVE ID Product Affected Fixed Version 
WebKit Use-After-Free (Safari Crash/RCE) CVE-2025-43438 iOS, iPadOS iOS/iPadOS 26.1 
WebKit Buffer Overflow (RCE Risk)  CVE-2025-43429 iOS, iPadOS iOS/iPadOS 26.1 
App Installed Detection via Accessibility  CVE-2025-43442 iOS, iPadOS iOS/iPadOS 26.1 
Sensitive Screenshot in Embedded Views CVE-2025-43455 iOS, iPadOS iOS/iPadOS 26.1 
Kernel Memory Corruption / DoS  CVE-2025-43398 iOS, iPadOS iOS/iPadOS 26.1 

Technical Summary: 

The iOS/iPadOS 26.1 update fixes major security issues in sandbox protection, memory handling, privacy settings, and the WebKit browser engine. These critical vulnerabilities could allow apps or websites to access restricted data or execute malicious code. Key impact issues mentioned below.

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-43438 WebKit Use-after-free in Safari triggers crash or code execution via malicious web content  Remote Code Execution, System Compromise 
 CVE-2025-43429 WebKit Buffer overflow in content processing allows arbitrary code execution Remote Code Execution, Service Compromise 
CVE-2025-43442 Accessibility Permissions flaw allows apps to detect installed apps (fingerprinting) Privacy Violation, User Tracking 
CVE-2025-43455 Apple Account Malicious apps can screenshot sensitive embedded UI (login views) Credential, PII Exposure 
CVE-2025-43398 Kernel Memory mishandling leads to system termination or kernel corruption Denial of Service, Potential Privilege Escalation 

Additionally, there are multiple high & medium vulnerabilities have been disclosed that enable sandbox escapes, data leaks, and web-based attacks with significant impact potential. Here are some cves in the below table 

Vulnerability Name CVE ID Affected Component 
Sandbox Escape via Assets CVE-2025-43407 Assets 
Sandbox Escape via CloudKit Symlink CVE-2025-43448 CloudKit 
Stolen Device Protection Bypass CVE-2025-43422 Stolen Device Protection 
Cross-Origin Data Exfiltration CVE-2025-43480 WebKit 
Keystroke Monitoring via WebKit CVE-2025-43495 WebKit 
Apple Neural Engine Kernel Corruption CVE-2025-43447, CVE-2025-43462 Apple Neural Engine 
Canvas Cross-Origin Image Theft CVE-2025-43392 WebKit Canvas 
Contacts Data Leak in Logs CVE-2025-43426 Contacts 
Lock Screen Content Leak CVE-2025-43350 Control Center 
Address Bar Spoofing CVE-2025-43493 Safari 
UI Spoofing in Safari CVE-2025-43503 Safari 

Recommendations: 

Update all eligible devices immediately (Settings > General > Software Update products) to the following fixed versions as soon as possible and check the updated version from the Apple security website

Patches are available and should be applied immediately.  

For environments where immediate patching is not immediately feasible, you can also follow the recommendations below. 

  • Enable Stolen Device Protection and Lockdown Mode (where applicable) 
  • Restrict app installations to trusted sources. 
  • Avoid visiting untrusted websites from browser 
  • Use VPN and enable Advanced Data Protection for iCloud 
  • Monitor for anomalous app behavior or battery drain  

Conclusion: 
The iOS/iPadOS 26.1 update fixes several security vulnerabilities that could affect user privacy, device stability, and system protection.

Organizations and Individual using Apple devices must prioritize deployment of this update to mitigate risks of data exfiltration, spyware and other attack vectors. Timely patching remains the most effective control against zero-day exploitation on new vulnerabilities in digital ecosystems. 

References

Blogs Security Advisory

Critical Brash Vulnerability: Blink Engine Flaw Breaks Chromium Browsers 

Overview : Brash Vulnerability works on Google Chrome and all web browsers that run on Chromium.

A newly disclosed vulnerability, Brash, exposed a critical architectural flaw in Chromium’s Blink rendering engine. Blink is Chromium’s open-source rendering engine responsible for parsing HTML, CSS, and JavaScript, building the DOM and render trees, and executing script-driven updates to the browser interface.

It underpins the user experience of all Chromium-based browsers and is a core component of their performance and stability.

The issue allows a malicious web page to crash Chromium-based browsers within seconds, including Chrome, Microsoft Edge, Brave, Opera etc. The attack works by overloading Blink’s main UI thread using a flood of unthrottled DOM operations. A public proof-of-concept (PoC) exploit is available and can be tested on machines, that escalating the urgency for patching across all Chromium-based platforms.  

Technical Details  

Blink lacks any rate limiting or coalescing on rapid document. title updates, allowing an attacker to flood the browser with millions of DOM mutations per second.  

This saturates the browser’s main UI thread, causing extreme CPU usage and blocking event processing, which leads to the browser tab freezing or crashing within 15 to 60 seconds. The exploit can also be use to trigger after a delay or at a precise scheduled time, turning it into a highly controllable logic bomb.  

The exploit requires no special permissions beyond navigating to a malicious page, presenting a severe and immediate operational risk until patches are deployed. 

Attack Flow 

Recommendations 

You can follow the recommendations below 

  • Avoid clicking on suspicious or untrusted links, especially those prompting unexpected redirects or downloads. 
  • Keep all Chromium-based browsers (Chrome, Edge, Brave etc.) updated with the latest security patches as vendors release fixes. 
  • Enforce automatic browser updates within organizations to ensure all users receive critical patches promptly. 
  • Monitor computer endpoints for unusual CPU spikes related to browser processes, which can indicate ongoing exploitation attempts. 
  • Educate users and employees about the risk of drive-by attacks through malicious websites and the importance of security awareness. 

Conclusion: 
The Brash vulnerability reveals how a simple architectural oversight. It lets attackers crash browsers by flooding them with too many title updates too fast, causing the browser to freeze or crash. This attack can be scheduled to happen later, making it harder to detect.

Mozilla Firefox and Apple Safari are immune to the attack, as are all third-party browsers on iOS, given that they are all based on WebKit.

The best defense is to keep browsers updated, avoid suspicious links and stay alert for unusual computer slowdowns.  

References

Security Advisory

High-severity path traversal vulnerability was identified in Docker Compose

Docker Compose Path Traversal Vulnerability Enables Arbitrary File Write and System Compromise  

Summary: 

OEM Docker  
Severity High 
CVSS Score 8.9 
CVEs CVE-2025-62725 
Date of Announcement 2025-10-28 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A high-severity path traversal vulnerability was identified in Docker Compose, a widely-used tool for defining and managing multi-container Docker applications.

This flaw occurs in the handling of remote OCI-based Compose artifacts, allowing an attacker to craft malicious artifact annotations that bypass directory restrictions. As a result, malicious files can be written outside the intended cache directory on the host system.

This vulnerability can be triggered even by seemingly harmless commands such as docker compose ps or docker compose config that resolve remote artifacts. Organizations should upgrade immediately to avoid possible system compromise. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Path Traversal in OCI Artifacts Allowing Arbitrary File Write CVE-2025-62725 Docker Compose CLI High 8.9 

Technical Summary 

Docker Compose added support for fetching Compose files as OCI artifacts from remote registries. These artifacts contain layers with annotations indicating file paths for writing.

The vulnerability exists because Docker Compose did not sanitize or validate these path annotations prior to writing files, allowing path traversal sequences to escape the cache directory.

Attackers can exploit this by publishing malicious OCI artifacts with crafted annotations, leading to arbitrary file writes anywhere the Compose process has permissions, potentially overwriting sensitive files such as SSH authorized_keys, escalating privileges and compromising the host. The flaw affects Docker Compose versions prior to v2.40.2. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-62725   Docker Compose (Linux, Windows, macOS) Path traversal via malicious remote OCI artifact annotations allowing arbitrary file write outside the Compose cache directory. 
 		Arbitrary file write, potential system compromise, privilege escalation. 

Remediation 

Apply security patches immediately to mitigate risks from privilege escalation and container escape. 

  • Update Docker-compose to v2.40.2 or the latest one. 

Conclusion 

Docker Compose vulnerability poses a serious risk of arbitrary file writes and system compromise through malicious OCI artifacts.

Due to the ease of exploitation when using remote Compose files, all users and organizations should upgrade to the patched Docker Compose version immediately, scrutinize remote artifact usage, and enhance their container security hygiene to mitigate this significant threat. 

References 

Security Advisory

Critical Apache Tomcat Vulnerabilities Enable RCE 

Summary : Security Advisory : Apache Tomcat’s security updates address two critical issues affecting widely deployed server components. Attackers can now exploit flaws in Apache Tomcat where improper URL handling and inadequate input neutralization allow unauthorized access to restricted directories.

OEM Oracle 
Severity Critical 
CVSS Score 9.6 
CVEs CVE-2025-55754, CVE-2025-55752 
POC Available No 
Actively Exploited No 
Advisory Version 1.0 

Overview  One issue allows attackers to bypass URL protections and upload malicious files, leading to remote code execution if misconfigured and another permits attackers to manipulate console outputs on Windows systems using crafted log entries.

Organizations should promptly update their servers, review configuration settings and enhance monitoring to mitigate these risks. 

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Improper Neutralization of Escape, Meta, or Control Sequences Vulnerability CVE-2025-55754 Apache Tomcat Critical 11.0.0-M1 through 11.0.10,  10.1.0-M1 through 10.1.44,  9.0.0.40 through 9.0.108. 
Path Traversal Vulnerability  CVE-2025-55752 Apache Tomcat  High 11.0.0-M1 through 11.0.10, 
10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108. 

Technical Summary This enable malicious file uploads, and inject control sequences affecting console behavior or system integrity.

These weaknesses increase the risk of unauthorized code execution and compromise of application environments. 

CVE ID Component Affected Vulnerability Details Impact 
CVE-2025-55752 URL Rewrite Handler (Apache Tomcat Core) A directory traversal flaw resulting from improper URL normalization and decoding order, allowing attackers to bypass /WEB-INF/ and /META-INF/ protections. If PUT requests are enabled, malicious actors can upload files to sensitive directories, potentially executing arbitrary code. Remote code execution, full server compromise if Tomcat is misconfigured with PUT enabled. 
CVE-2025-55754 Logging/Console Output Improper neutralization of ANSI escape sequences in Tomcat log messages allows crafted URLs to inject control sequences. On Windows systems with ANSI-capable consoles, attackers can manipulate the console display and clipboard or potentially induce command execution via social engineering. Console manipulation, potential administrator trickery, clipboard hijacking; less severe but can be chained for larger attacks. 

Recommendations 

Update Apache Tomcat to the following versions immediately: 

  • For 11.x version updated to v11.0.11 or latest 
  • For 10.x version updated to v10.1.45 or latest 
  • For 9.x version updated to v9.0.109 or latest 

If you not updating immediately you can follow some recommendations below 

  • Disable or restrict PUT requests unless absolutely needed to prevent unauthorized file uploads. 
  • Limit network access to Tomcat management interfaces to trusted administrators and secure sensitive directories. 
  • Monitor logs and serves activity regularly for unusual or suspicious behavior indicative of exploitation attempts. 

Conclusion: 
The patches released by Apache Tomcat fix critical remote code execution and console manipulation bugs that could compromise servers.

Though no widespread exploitation is confirmed yet, immediate patching is strongly recommended to prevent serious security incidents. Security teams should apply these updates and monitor any suspicious server activity. 

References

Security Advisory

TARmageddon Exploitable Tar Extraction Flaw Exposes Systems to Privilege Escalation 

Summary A critical vulnerability known as Tarmageddon (CVE-2025-62518) impacts multiple tar extraction utilities and libraries, including GNU tar, libarchive, Python’s tarfile module, and the Rust async-tar library. 

Severity High 
CVSS Score 7.8 
CVEs CVE-2025-62518 
POC Available Yes, public PoC and patches available (edera-dev GitHub) 
Actively Exploited Not confirmed widespread exploitation public PoC raises opportunistic risks 
Exploited in Wild No confirmed mass exploitation at time of writing 
Advisory Version 1.0 

Overview 


Tarmageddon (CVE-2025-62518) vulnerability Improper path sanitization and symlink-target validation during extraction enable a crafted tar archive to write files outside the intended extraction directory, leading to arbitrary file overwrite, privilege escalation, or remote code execution when executed by privileged or automated services. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Tar path traversal / symlink bypass (async-tar RCE vector) CVE-2025-62518 GNU tar, libarchive, Python tarfile, Rust async-tar and downstream tools High Patches released by maintainers; reference fixes in Edera patch repository  and vendor advisories 

Technical Summary 

Root cause: insufficient canonicalization of file paths and incomplete sanitization of symlink targets within tar archive headers. Behavioral details: Path traversal via ../ sequences and chained symlinks allows crafted archives to escape the extraction root and overwrite system binaries, configuration files, or startup scripts.

A public proof-of-concept confirms this behavior in affected async-tar implementations. Fix: apply upstream and distribution patches that normalize paths and validate symlink targets (edera-dev patches).

Exploitability: public PoC exists for CVE-2025-62518, highest risk when automated extractions run with elevated privileges (CI/CD, build, backup). Manual extraction is lower risk. Impact: Malicious extraction can overwrite critical files, allow service takeover or remote code execution, and lead to full host compromise if run as root. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-62518 Tar libraries and tools async-tar, GNU tar, libarchive, Python tarfile, and any tools that use them. Crafted tar entries can bypass path checks and write outside the extraction folder (PoC available). Can overwrite files, allow privilege escalation/RCE if run as root, and contaminate build/CI artifacts. 

Remediation

  • Apply patches immediately — update tar libraries and utilities with vendor or distribution fixes (Edera patches where applicable). 
  • Disable automatic extraction of untrusted archives in gateways, ingestion services and CI/CD systems. 
  • Use least privilege for extraction processes — avoid root / Administrator contexts. 
  • Replace unsafe extraction calls (e.g., tarfile.extractall()) with secure wrappers that validate path components and reject traversal or symlink abuses. 
  • Sandbox extraction inside containers or VMs with strict filesystem scoping (read-only mounts, AppArmor/SELinux confinement). 
  • Inventory and update all images, containers, and build artifacts that bundle tar utilities or tar libraries. 

Detection Guidance: Lab verification: Use the public PoC only in isolated virtual environments to validate that patched version block path traversal and symlink exploits. 

SIEM / EDR indicators: 

  • File create/write events to sensitive paths (/etc, /usr/bin, /var, application config dirs) immediately following tar extraction processes. 
  • Creation of symlinks or reparse-points by tar-related processes. 
  • Processes invoking tar or Python extraction libraries writing outside expected extraction directories. 

Conclusion: 
Tarmageddon (CVE-2025-62518) is a high-risk archive extraction vulnerability that affects widely used tar utilities and libraries, including GNU tar, libarchive, Python’s tarfile, and the Rust async-tar implementation.

This vulnerability should be treated as a Priority-1 patch event for any environment performing automated or privileged tar extractions. Organizations are strongly advised to apply vendor patches immediately, enforce sandboxed extraction workflows, and implement strict least-privilege and path-validation controls to prevent arbitrary file overwrites, privilege escalation, and potential supply-chain compromise. 

References:  

Security Advisory

Microsoft Teams Access Token Vulnerability Allows Attack Vector for Data Exfiltration

Summary: Microsoft Teams Access Token Vulnerability: New Attack Vector for Data Exfiltration

A recently uncovered vulnerability in Microsoft Teams for Windows allows attackers with local access to extract encrypted authentication tokens, granting unauthorized access to chats, emails and SharePoint files.

This technique, detailed by researcher Brahim El Fikhi on October 23, 2025, leverages the Windows Data Protection API (DPAPI) to decrypt tokens stored in a Chromium-like Cookies database.

Attackers can use these tokens for impersonation, lateral movement, or social engineering, bypassing recent security enhancements and posing significant risks to enterprise environments.

Vulnerability Details

The vulnerability, identified in Microsoft Teams desktop applications, involves the extraction of encrypted access tokens stored in the SQLite Cookies database at %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Cookies. Unlike earlier versions that stored tokens in plaintext (a flaw exposed by Vectra AI in 2022), current versions use AES-256-GCM encryption protected by DPAPI, tied to user or machine credentials. However, attackers with local access can decrypt these tokens using tools like ProcMon and Mimikatz, exploiting the embedded msedgewebview2.exe process that handles authentication via login.microsoftonline.com.

Source: blog.randorisec.fr, cybersecuritynews
Attack Flow

StepDescription
CraftAttackers use ProcMon to monitor msedgewebview2.exe and identify the Cookies database write operations.
AccessThe ms-teams.exe process is terminated to unlock the Cookies file, which is locked during operation.
ExtractThe encrypted token is retrieved from the Cookies database, with fields like host_key (e.g., teams.microsoft.com), name, and encrypted_value (prefixed with “v10”).
DecryptThe DPAPI-protected master key is extracted from %AppData%\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Local State and decrypted using Windows APIs or tools like Mimikatz.
ExploitDecrypted tokens are used with tools like GraphSpy to access Teams chats, send messages, read emails, or interact with SharePoint via Microsoft Graph API

Why It’s Effective

  • Local Access Exploitation: The attack requires only local access, achievable via malware or compromised endpoints, bypassing MFA and remote defenses.
  • Stealthy Execution: The use of standard Windows APIs (DPAPI) and embedded browser processes evades traditional monitoring.
  • Authority Abuse: Tokens enable impersonation through trusted APIs, amplifying risks of phishing or data theft via Teams, Outlook, or SharePoint.

Recommendations:

  • Monitor Processes Deploy EDR rules to detect abnormal ms-teams.exe terminations or msedgewebview2.exe file writes.
  • Enforce Encryption – Use app-bound encryption and prefer web-based Teams to avoid local token storage.
  • Token Rotation – Implement Entra ID policies to rotate access tokens regularly and audit Graph API logs for anomalies.
  • Limit Privileges – Restrict local admin access to prevent DPAPI key extraction.
  • User Awareness – Train users to recognize phishing attempts via Teams or email, especially those leveraging impersonation

Conclusion:
This vulnerability underscores the evolving threat landscape for collaboration platforms like Microsoft Teams. As attackers refine techniques to exploit trusted systems, organizations must enhance endpoint monitoring and adopt stricter access controls. By implementing the outlined mitigations, security teams can reduce the risk of token-based attacks and safeguard sensitive data.

References:

Security Advisory

WatchGuard Patched Critical Vulnerability, Allowing RCE in Firebox Appliances 

Security Advisory : A critical vulnerability has been found in WatchGuard Firebox appliances that allows remote unauthenticated attackers to execute arbitrary code through an out-of-bounds write in the IKEv2 VPN process.

OEM WatchGuard 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-9242 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The vulnerability, tracked as CVE-2025-9242, which affects multiple Fireware OS versions. Users and administrators are strongly advised to upgrade to the latest patched versions of Fireware OS immediately to stay protected. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Out-of-Bounds Write Vulnerability in IKEv2 Process  CVE-2025-9242 WatchGuard Firebox Appliances with Fireware OS Critical v2025.1.1, v12.11.4, v12.5.13 (T15 & T35 models), 12.3.1_Update3 (FIPS-certified) 

Technical Summary 

Malicious actors could exploit this due to an out-of-bounds write vulnerability in the WatchGuard Fireware OS iked process.

Remote unauthenticated attackers can send crafted IKE_SA_INIT and IKE_SA_AUTH packets to trigger a stack-based buffer overflow in the ike2_ProcessPayload_CERT function, overflowing a 520-byte stack buffer without proper bounds checking.

This impacts VPN setups using IKEv2 or dynamic gateways and can continue even after deleting them if any static peers are still active on UDP port 500. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 9242 WatchGuard Firebox Appliances with Fireware OS 11.10.2-11.12.4_Update1, 12.0-12.11.3, 2025.1 Insufficient bounds checking in IKEv2 negotiations allows oversized identification payloads to cause buffer overflow, enabling control flow hijacking and ROP chains for code execution Arbitrary Code Execution, System Compromise,  Data Exfiltration,  Ransomware Deployment, Pivoting to Internal Networks 

Recommendations: 

You can update to the latest versions from the below table 

Vulnerable Version Resolved Version 
2025.1 2025.1.1 
12.x 12.11.4 
12.5.x (T15 & T35 models) 12.5.13 
12.3.1 (FIPS-certified release) 12.3.1_Update3 (B722811) 
11.x End of Life 

Here are some recommendations below –  

  • Disable unnecessary IKEv2 VPN configurations and restrict access to trusted networks only. 
  • Monitor logs for anomalous traffic. 
  • Implement network segmentation to limit lateral movement and regularly audit VPN setups. 

Conclusion: 
This critical vulnerability in WatchGuard Firebox appliances could allow remote attackers to achieve code execution and compromise perimeter defenses.

Although no exploits are in the wild but its unauthenticated nature and detailed public analysis make it a significant security risk requiring immediate action. Upgrading to the fixed version and applying recommended mitigations are strongly advised to ensure organizational security. 

References

Security Advisory

TP-Link Security Update, Omada Gateway Exploits Fixed in October Release 

Summary: TP-Link’s October 2025 security updates fixes 4 vulnerabilities in its Omada Gateway devices, including multiple models commonly used in business networks.

OEM TP-Link 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-6541, CVE-2025-6542, CVE-2025-7850, CVE-2025-7851 
Date of Announcement 2025-10-21 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview: 

The vulnerabilities allow attackers to execute remote commands, even without authentication, potentially compromising systems. Some vulnerabilities also let authenticated users inject commands or gain root access, which could lead to traffic interception, configuration changes or malware installation. Security teams are advised to update firmware immediately, review network configurations and change passwords to reduce the risk of exploitation. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
OS Command Injection Vulnerability CVE-2025-6542 TP-Link Omada Gateways Critical 9.3 
Command Injection Vulnerability CVE-2025-7850 TP-Link Omada Gateways Critical 9.3 

Technical Summary: 

TP-Link Omada Gateways allows attackers to run arbitrary commands. The most critical one, CVE-2025-6542, a remote attacker can take full control of the device without logging in through the web interface. Another one allows logged-in users to inject commands and gain root access. The issues show the risks of exposed management portals. TP-Link recommends updating firmware, limiting network access and monitoring systems for any signs of attack. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6542 TP-Link Omada Gateways (ER605, ER7206, ER8411 & Others) Unauthenticated remote attackers can execute arbitrary OS commands on the device Remote Code Execution,  System Compromise, Malware Deployment 
CVE-2025-7850 TP-Link Omada Gateways (ER7412-M2, ER7212PC, & Others) Command injection exploitable after admin authentication on the web portal System Compromise,  Root-Level Control 

Additional Vulnerabilities: 

The following high-severity vulnerabilities were also addressed in October 2025 TP-Link security updates for Omada Gateways – 

Vulnerability Name CVE ID Affected Component Severity 
Authenticated Arbitrary OS Command Execution in Omada Gateways CVE-2025-6541 TP-Link Omada Gateways High 
Root Shell Access Under Restricted Conditions in Omada Gateways CVE-2025-7851 TP-Link Omada Gateways High 

Remediation: 

Install the October 2025 firmware updates immediately via the TP-Link support portal to mitigate risks. Here is the below table with the updated version information for the models. 

Model Affected Versions Fixed Version 
ER8411 < 1.3.3 Build 20251013 Rel.44647 >= 1.3.3 Build 20251013 Rel.44647 
ER7412-M2 < 1.1.0 Build 20251015 Rel.63594 >= 1.1.0 Build 20251015 Rel.63594 
ER707-M2 < 1.3.1 Build 20251009 Rel.67687 >= 1.3.1 Build 20251009 Rel.67687 
ER7206 < 2.2.2 Build 20250724 Rel.11109 >= 2.2.2 Build 20250724 Rel.11109 
ER605 < 2.3.1 Build 20251015 Rel.78291 >= 2.3.1 Build 20251015 Rel.78291 
ER706W < 1.2.1 Build 20250821 Rel.80909 >= 1.2.1 Build 20250821 Rel.80909 
ER706W-4G < 1.2.1 Build 20250821 Rel.82492 >= 1.2.1 Build 20250821 Rel.82492 
ER7212PC < 2.1.3 Build 20251016 Rel.82571 >= 2.1.3 Build 20251016 Rel.82571 
G36 < 1.1.4 Build 20251015 Rel.84206 >= 1.1.4 Build 20251015 Rel.84206 
G611 < 1.2.2 Build 20251017 Rel.45512 >= 1.2.2 Build 20251017 Rel.45512 
FR365 < 1.1.10 Build 20250626 Rel.81746 >= 1.1.10 Build 20250626 Rel.81746 
FR205 < 1.0.3 Build 20251016 Rel.61376 >= 1.0.3 Build 20251016 Rel.61376 
FR307-M2 < 1.2.5 Build 20251015 Rel.76743 >= 1.2.5 Build 20251015 Rel.76743 

Here are some recommendations below 

  • Restrict network access to the management interface and enable trusted networks only. 
  • Apply least privilege principles and regular security audits for network devices. 
  • Disable remote management if not required and segment networks to limit lateral movement. 

Conclusion: 

There is no active exploitation noticed but organizations must prioritize firmware updates to prevent data breaches, malware and intrusions. Security teams should deploy updates immediately, enhance monitoring and implement mitigations to safeguard critical infrastructure. 

References

 

Security Advisory

Fortinet Released Security Update’s; Patched Multiple High & Medium Severity Vulnerabilities

Summary: Fortinet disclosed multiple critical security vulnerabilities impacting several of its core products, including FortiPAM, FortiSwitch Manager and FortiOS platforms and patched them.

The vulnerabilities encompass issues such as improper privilege escalation, heap-based buffer overflow, weak authentication, improper certificate validation, denial-of-service risk, and race condition flaws in authentication modules.

One of the high severity issue is a weak authentication mechanism vulnerability (CVE-2025-49201) in FortiPAM & FortiSwitch Manager, and a heap overflow flaw (CVE-2025-57740) in the SSL VPN RDP bookmark functionality.

OEM Fortinet 
Severity High 
CVSS Score 7.8 
CVEs CVE-2025-49201, CVE-2025-58325, CVE-2025-57740, CVE-2025-57741 & others 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These vulnerabilities pose significant risks to enterprise environments, potentially allowing attackers to bypass authentication controls or execute arbitrary code within targeted systems. Users & Administrators are urged to update to the patched version. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Weak Authentication Mechanism CVE-2025-49201 FortiPAM, FortiSwitch Manager  High FortiPAM 1.5.1, 1.4.3 or later / FortiSwitch Manager 7.2.5 or later 
CLI Command Functionality Bypass  CVE-2025-58325 FortiOS High FortiOS 7.6.1+, 7.4.6+, 7.2.11+, 7.0.16+ 
Heap Overflow – Remote Code Execution (FortiProxy SSL VPN Bookmarks) CVE-2025-57741 FortiProxy High FortiProxy 7.2.5+, 7.0.5+ 
Heap Overflow – Remote Code Execution (SSL VPN RDP Bookmark) CVE-2025-57740 FortiOS, FortiProxy, FortiPAM, FortiSwitch Manager. Medium FortiOS 7.4.4+ / 7.2.8+ / 7.0.15+, FortiProxy 7.4.4+ / 7.2.10+, FortiPAM 1.3.0+, FortiSwitch Manager 7.2.4+ 

Technical Summary 

Multiple critical and medium-severity vulnerabilities have been identified across several Fortinet products, including FortiOS, FortiPAM, FortiProxy, FortiAnalyzer, and FortiSwitchManager.

Other vulnerabilities could allow attackers to escalate privileges, execute unauthorized code, or bypass authentication, threatening system integrity and confidentiality.

Additional flaws may enable unauthenticated users to disrupt services, intercept network traffic, or exploit race conditions to gain improper access within centralized management and authentication platforms. As the Fortinet released the security updates, quick deploy of the patches to ensure resilience against exploitation and to protect enterprise assets. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-49201 FortiPAM, FortiSwitch Manager This flaw enables remote attackers to bypass authentication by sending specially crafted HTTP requests, allowing unauthorized code or command execution within privileged access management and switch management interfaces.  Authentication Bypass / Remote Code Execution 
 CVE-2025-57740 FortiOS, FortiProxy, FortiPAM, FortiSwitch Manager This heap-based buffer overflow in the SSL VPN RDP bookmark feature can be triggered by authenticated users through crafted bookmark data, resulting in memory corruption and possible code execution in the VPN context. Remote Code Execution / System Compromise 
CVE-2025-58325 FortiOS A CLI command functionality bypass allows attackers to execute restricted administrative commands through improper input validation, potentially escalating privileges or modifying critical system parameters. Privilege Escalation / Remote Code Execution 
CVE-2025-57741 FortiProxy This heap overflow vulnerability in FortiProxy’s SSL VPN RDP bookmarks can result in memory corruption, giving attackers a pathway to execute arbitrary code remotely during VPN session initialization. Remote Code Execution / Service Compromise 

Additionally, multiple vulnerabilities have been disclosed that enable remote authentication bypass and include other issues with significant impact potential. 

Vulnerability Name CVE ID Affected Component Severity 
 FGFM protocol allows unauthenticated reset of the connection CVE-2025-26008 FortiOS, FortiProxy, FortiPAM, FortiSwitchManager. Medium 
Heap Overflow in fgfmsd CVE-2025-50571 FortiAnalyzer/Cloud, FortiManager/Cloud. Medium 
Heap buffer overflow in websocket CVE-2025-22258 FortiOS,FortiPAM, FortiProxy, FortiSRA Medium 
Improper autorization over static files CVE-2025-54822 FortiOS, FortiProxy Medium 
Insufficient Session Expiration in SSLVPN using SAML authentication CVE-2025-25252 FortiOS Medium 
Missing authentication check in OFTP service CVE-2025-53845 FortiAnalyzer Medium 
Race condion in FortiCloud SSO SAML authentication CVE-2025-54973 FortiAnalyzer Medium 
Stack-based buffer overflow on fortitoken import feature CVE-2025-46718 FortiOS, FortiProxy Medium 

Recommendations 

Update Fortinet products to the following fixed versions as soon as possible and check the updated version from the Fortinet website 

  • FortiPAM: Upgrade to version 1.5.1 or later, or 1.4.3 or latest version 
  • FortiSwitch Manager: Upgrade to version 7.2.5 or higher 
  • FortiOS: Upgrade to versions 7.6.6+, 7.4.9+, 7.2.11+,7.0.16+ depending on the release series 
  • FortiProxy: Upgrade to 7.6.3+, 7.4.9+ and latest version 
  • FortiAnalyzer: Upgrade to 7.6.3+, 7.4.7+, 7.2.11+, 7.0.14+ latest version 

Patches are available and should be applied immediately. For environments where immediate patching is not immediately feasible, you can also follow the below recommendations : 

  • Enable multi-factor authentication (MFA) to reduce unauthorized access risk 
  • Restrict network access to management interfaces to trusted personnel only 
  • Monitor logs for unusual brute-force attempts or anomalous login activity 
  • Apply the principle of least privilege to limit access to VPN and management services 
  • Use firewalls with strict whitelisting to block external attack vectors to vulnerable services 

Conclusion: 
The recent Fortinet advisories underscore the critical importance of timely vulnerability management, particularly for products controlling privileged access and remote connectivity.

The flaws in authentication and memory management can jeopardize the security posture of enterprise environments.

Organizations should urgently apply patches, monitor for suspicious login and session activity, and implement proactive security measures to reduce exploitation risks. Proactive response and regular updates are essential to maintaining robust security against evolving threats targeting critical infrastructure. 

References

Hashtags 

#Infosec #CyberSecurity #Fortinet #FortiPAM #SQL #RCE #SecurityAdvisory #Vulnerabilitymanagement # PatchManagement #CISO #CXO #Intrucept  

Security Advisory

Elastic Patched Critical Jinjava Template Injection in Elastic Cloud Enterprise(ECE) 

Summary : Security Advisory: Elastic disclosed vulnerability in Elastic Cloud Enterprise (ECE) that allows attackers with admin access to steal sensitive data or execute any commands through Jinjava template injection. This flaw impacts ECE versions from 2.5.0 up to and including 3.8.1, as well as versions 4.0.0 through 4.0.1.

OEM Elastic Cloud Enterprise (ECE) 
Severity Critical 
CVSS Score 9.1 
CVEs CVE-2025-37729 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview  

The vulnerability with CVE-2025-37729, affects multiple ECE versions starting from 2.5.0 up to and including 3.8.1, and versions starting from 4.0.0 up to and including 4.0.1. Users & Administrators are strongly advised to upgrade to the latest version of ECE immediately to stay protected. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Improper Neutralization of Special Elements Vulnerability  CVE-2025-37729 Elastic Cloud Enterprise  Critical v3.8.2 &  
v4.0.2 

Technical Summary 

Improper neutralization of special elements can be used to issuing commands via a specially crafted string where Jinjava variables are evaluated.

Malicious actors are exploiting due to an improper neutralization of special characters vulnerability in the Jinjava template engine used by ECE.

Attackers with admin-level access to the ECE admin console and deployments with the Logging+Metrics feature enabled can inject malicious Jinjava expressions through specially crafted payloads. This vulnerability can allow them to exfiltrate sensitive data or execute arbitrary command on the system.  

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 37729 Elastic Cloud Enterprise (ECE) v2.5.0-3.8.1, v4.0.0-v4.0.1 Improper sanitization of user-supplied input in Jinjava templates allows admin users to inject malicious expressions, enabling code execution and data exfiltration Sensitive Data Leakage, Arbitrary Command Execution, Potential Full System Compromise 

Recommendations: 

Upgrade the Elastic Cloud Enterprise versions to v3.8.2 and v4.0.2 or the latest one. 

Here are some recommendations below 

  • Keep admin access restricted to trusted accounts only for the ECE admin console. 
  • You can monitor the request logs for malicious payloads using the query payload.name : int3rpr3t3r or payload.name : forPath. Implement strict access controls and regularly audit admin privileges. 

Conclusion: 
This is critical vulnerability in Elastic Cloud Enterprise that could allow attackers to data exfiltration and arbitrary command execution.

Although exploitation needs administrative access, but its high impact makes it a major security risk & needs immediate action. Upgrading to the fixed version and applying recommended actions are strongly advised by the organizations to stay secure. 

References

 

Scroll to top