VulnerabilityManagement

Security Advisory

Critical Remote Code Execution in Nokia WaveSuite NOC 

Summary : Security Advisory: Two command injection vulnerabilities have been found in Nokia’s WaveSuite Network Operations Center (WS-NOC), a key tool used to manage telecom and enterprise networks.

OEM Nokia 
Severity Critical 
CVSS Score 9.0 
CVEs CVE-2025-24936, CVE-2025-24938   
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These vulnerabilities allow attackers with limited access to run malicious commands on the system’s operating system. The vulnerabilities affect WS-NOC versions 23.6, 23.12, and 24.6. Nokia has released fixes in version 24.6 FP3 and newer. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Command Injection Vulnerability  CVE-2025-24936 Nokia WS-NOC  Critical  v24.6 FP3 & later 
​ Command Injection Vulnerability  CVE-2025-24938 Nokia WS-NOC  High  v24.6 FP3 & later 

Technical Summary 

The first vulnerability, CVE-2025-24936, CVSS- 9.0 due to the system doesn’t properly check parts of a web address (URL). The attacker with low privileged access can trick the system into running malicious commands, as if they were part of the system itself. As this flaw has been published, attackers can remotely target exposed or inadequately secured administrative pages. 

The second issue, with the CVE-2025-24938, CVSS- 8.4 affects to new user accounts are created through the web interface. In this case, with high privileged access – administrators can intentionally enter harmful commands because their input isn’t being filtered properly. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 24936 WS-NOC 23.6, 23.12, 24.6 Unfiltered URL input enables command injection by low-privileged users. Remote code execution 
CVE-2025- 24938 WS-NOC 23.6, 23.12, 24.6 Insufficient input validation during account creation enables command injection. Privilege escalation, Remote code execution 

Remediation

  • Immediate Action: Upgrade WS-NOC to version 24.6 FP3 or latest one to mitigate both vulnerabilities. 

Recommendations: 

  • Configuration Check: Restrict admin panel and WS-NOC access to trusted, internal networks only. 
  • Environment Hardening: Regularly audit user privileges, conduct input validation reviews, and deploy security monitoring for unusual command executions originating from the WS-NOC application. 

Conclusion: 

CVE-2025-24936 and CVE-2025-24938 are critical command injection vulnerabilities in Nokia WaveSuite NOC, which is used in telecom systems around the world. These vulnerabilities allow attackers to execute malicious commands with limited access. As these systems are part of critical infrastructure, prompt patching is essential to prevent potential remote attacks and network disruption. 

References

Security Advisory

ToolShell Zero-Day Exploits in Microsoft SharePoint Enable Full Remote Takeover 

Summary : Security Advisory


Two newly discovered zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in Microsoft SharePoint Server are being actively exploited in the wild.

There is currently no patch available to plug this security hole, but Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.

OEM Microsoft 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-53770, CVE-2025-53771 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These flaws allow unauthenticated remote code execution on on-premises servers, bypassing authentication and gaining full control over affected systems. Microsoft has released urgent security updates for supported SharePoint versions to address this issue. 

                   Vulnerability Name CVE ID Product Affected Severity CVSS Score 
SharePoint Server Remote Code CVE-2025-53770 SharePoint Server (on-prem) Critical 9.8 
Execution Vulnerability CVE-2025-53771 SharePoint Server (on-prem) Medium 6.3 

Technical Summary 

The vulnerabilities CVE-2025-53770 and CVE-2025-53771 stem from insecure handling of cryptographic key material and deserialization logic in on-premises Microsoft SharePoint Servers. These flaws enable a chained remote code execution attack dubbed ToolShell, where an unauthenticated attacker can gain full control of vulnerable servers. 

ToolShell is a sophisticated evolution of vulnerabilities CVE-2025-49704 and CVE-2025-49706, which were disclosed and patched in early July 2025 following demonstrations at Pwn2Own Berlin. Within days, attackers had bypassed these initial patches, forcing Microsoft to issue updated patches with new CVEs (53770, 53771). These latest variants are actively exploited in the wild. 

The exploit begins with a crafted request to the SharePoint endpoint /ToolPane.aspx, which exposes the internal configuration mechanism. By exploiting deserialization weaknesses, attackers extract cryptographic secrets, specifically the ValidationKey and DecryptionKey  which are used to sign the VIEWSTATE payloads. 

With these secrets, an attacker can generate malicious, signed payloads that are trusted by SharePoint’s security model, allowing arbitrary code execution without any authentication. This effectively turns SharePoint’s trust mechanism into a delivery vector for persistent compromise. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-53770 SharePoint 2016, 2019 Exploits deserialization in /ToolPane.aspx to steal crypto keys and craft signed __VIEWSTATE payloads Remote Code Execution, full system compromise 
CVE-2025-53771 SharePoint 2016, 2019 Variant of CVE-2025-49706; bypasses earlier fixes using enhanced payload injection techniques Persistent access without credentials 

Remediation: To mitigate potential attacks customers should follow:

Organizations running on-premises Microsoft SharePoint Servers must take the following steps immediately: 

  1. Apply Security Updates: 
  • SharePoint Subscription Edition: KB5002768 
  1. Enable AMSI Protection: 
  • Enable Antimalware Scan Interface (AMSI) in Full Mode for SharePoint. 
  • AMSI was turned on by default in Sept 2023 updates for 2016/2019. 
  1. Rotate Cryptographic Keys: 
  • Use Update-SPMachineKey (PowerShell) or Central Admin. 
  • Restart IIS using iisreset.exe after key rotation. 
  1. Deploy Endpoint Protection: 
  • Use Microsoft Defender for Endpoint or equivalent XDR tools. 

CISA Alert and Advisory Inclusion: 

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and private-sector partners are required to apply mitigations immediately due to confirmed active exploitation. CISA emphasized that such vulnerabilities pose an unacceptable risk to federal systems and critical infrastructure. 

Indicators of Compromise (IOCs): 

Type Value (Obfuscated/Generalized) Description 
IP Address 107.191.58[.]76, 104.238.159[.]149 Observed in initial and second attack waves 
User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 User-Agent string seen in exploitation requests 
URL Path POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx Exploit entry point targeting ToolPane 

Conclusion: 
The ToolShell exploit chain represents a critical security threat to organizations using on-premises SharePoint Servers.

The vulnerabilities are not theoretical, attackers are actively exploiting them to gain full control of systems, exfiltrate cryptographic secrets and establish long-term persistence. With official patches now available, immediate action is required to prevent compromise, contain exposure and ensure ongoing system integrity. 

References

Security Advisory

Critical Zero-Day Vulnerabilities in VMware Exploited at Pwn2Own 2025 – Patch Immediately  

Summary : VMware fixed four vulnerabilities in VMware ESXi, Workstation, Fusion and VMware Tools that were exploited as zero-days during the Pwn2Own Berlin 2025 hacking contest in May 2025.

OEM Broadcom 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 
These vulnerabilities, now tracked as CVE-2025-41236, CVE-2025-41237, CVE-2025-41238 and CVE-2025-41239, could allow attackers with local administrative privileges on a virtual machine to execute arbitrary code on the host system or leak sensitive memory content.

VMware has released critical patches for affected products, including ESXi 7/8, Workstation Pro 17.x, Fusion 13.x and VMware Tools. 

                   Vulnerability Name CVE ID Product Affected Severity Fixed Version 
VMXNET3 Integer Overflow CVE-2025-41236 ESXi, Workstation, Fusion Critical (CVSS 9.3) ESXi80U3f-24784735, ESXi70U3w-24784741, ESXi80U2e24789317, 
Workstation 17.6.4, Fusion 13.6.4 
VMCI Integer UnderfloCVE-2025-41237 ESXi, Workstation, Fusion Critical (CVSS 9.3) Same as above 
PVSCSI Heap Overflow CVE-2025-41238 ESXi, Workstation, Fusion Critical (CVSS 9.3) Same as above 
vSockets Info Disclosure CVE-2025-41239 ESXi, Workstation, Fusion,  VMware Tools High (CVSS 7.1) VMware Tools 13.0.1.0, same ESXi/Workstation/Fusion versions 

Technical Summary 

These vulnerabilities impact key virtualization components, potentially enabling virtual machine breakout or data leakage from the host system.

The exploitation requires local admin privileges on the guest VM and varies in impact depending on the platform (ESXi, Workstation, or Fusion). 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-41236 ESXi 7/8, Workstation 17.x, Fusion 13.x Integer overflow in VMXNET3 adapter allows arbitrary code execution on the host via specially crafted network packets from a guest VM. Host code execution from guest VM 
CVE-2025-41237 Same as above Integer underflow in VMCI component can lead to out-of-bounds write and code execution in the VMX process on the host. VM breakout; Host compromise (Workstation/Fusion) 
CVE-2025-41238 Same as above Heap overflow in the PVSCSI controller allows out-of-bounds write more severe on Workstation/Fusion than ESXi due to sandbox restrictions. Host compromise (desktop platforms); limited on ESXi 
CVE-2025-41239 ESXi 7/8, Workstation 17.x, Fusion 13.x,  VMware Tools Use of uninitialized memory in vSockets allows information disclosure to attackers with local VM admin rights. Memory leak from host to guest 

Remediation

Users and administrators are strongly advised to immediately apply the following patches to mitigate the vulnerabilities: 

  • VMware ESXi users must update to ESXi80U3f-24784735, ESXi80U2e-24789317 for 8.x and ESXi70U3w-24784741 for 7.x versions. 
  • VMware Workstation Pro users should update to version 17.6.4 or later. 
  • VMware Fusion users to version 13.6.4 or later. 
  • For VMware Tools, apply the 13.0.1.0 or later, especially for Windows guests where the vSockets vulnerability (CVE-2025-41239) is relevant. 

Conclusion: 


These vulnerabilities pose a serious threat to virtualization security, especially in environments using VMware Workstation and Fusion. A successful exploit could enable attackers to escape the virtual machine and compromise the host system.

Administrators should prioritize patching to avoid exposure and reduce the risk of virtual infrastructure compromise. Regular audits of virtual networking components and least-privilege access controls within guest VMs are also recommended. 

References

Security Advisory

Google Addresses Actively Exploited Zero-Day Vulnerability CVE-2025-6558 in Chrome 

Google has issued a critical emergency update for the Chrome browser to address CVE-2025-6558, a zero-day vulnerability that is actively being exploited in the wild. This high-severity flaw exists in Chrome’s ANGLE and GPU components, which are responsible for rendering graphics in the browser.

Summary 

OEM Google 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-6558 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Exploitation of this vulnerability could allow attackers to execute malicious code or gain unauthorized access to user systems. The update is being rolled out for Windows, macOS and Linux platforms. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Improper Input Validation in ANGLE/GPU Stack vulnerability  CVE-2025-6558 Google Chrome  High (Zero-day)  138.0.7204.157/.158 (Windows/macOS), 138.0.7204.157 (Linux) 

Technical Summary 

CVE-2025-6558 is a high-severity vulnerability caused by improper validation of untrusted input in Chrome’s ANGLE (Almost Native Graphics Layer Engine) and GPU components. These components translate graphics instructions and interact closely with the system’s native APIs.

The flaw was discovered by Google’s Threat Analysis Group (TAG) and is being actively exploited in real-world attacks. If left unpatched, it could enable attackers to compromise the browser rendering process and potentially execute arbitrary code on the user’s device. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6558 Chrome on Windows, macOS, Linux Untrusted input is incorrectly validated, allowing malicious manipulation of graphics rendering Remote code execution through active exploitation 

Additional Vulnerabilities Patched in This Update 

In addition to the zero-day CVE-2025-6558, Google also addressed two other high-severity vulnerabilities as part of this update: 

  • CVE-2025-7656 – An integer overflow vulnerability in Chrome’s V8 JavaScript engine, which could be exploited to corrupt memory and potentially achieve remote code execution. This flaw was reported by security researcher Shaheen Fazim.  
  • CVE-2025-7657 – A use-after-free vulnerability in the WebRTC (Web Real-Time Communication) component. Improper memory handling in real-time communication features could allow attackers to crash the browser or execute arbitrary code remotely. This issue was reported by researcher jakebiles. 

Remediation

  • Users should immediately update Google Chrome to the latest patched version: 
  • Windows & Mac: 138.0.7204.157/.158 
  • Linux: 138.0.7204.157 

Conclusion: 
CVE-2025-6558 highlights the growing complexity of securing browser components such as ANGLE and GPU. With confirmed active exploitation, users and administrators must prioritize this update to prevent potential remote code execution attacks.

Timely patching remains one of the most effective defenses against modern browser-based threats. 

References

Security Advisory

CVE-2025-34067: Critical RCE in HikCentral Puts Global Surveillance at Risk, PoC Available 

Summary:  A critical RCE vulnerability has been found in the Hikvision HikCentral security management system, mainly in the apply CT component.

OEM Hikvision 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-34067 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

It helps attackers to take full control of servers that manage security cameras and building systems without user interaction and authentication. The issue comes from a weakness in an old part of the software – Fastjson, a Java library.

Hackers can use this flaw to run harmful code remotely over the network. A PoC to exploit this vulnerability has been published already. 

Vulnerability Name CVE ID Product Affected Severity 
​ Remote Code Execution Vulnerability CVE-2025-34067 HikCentral (applyCT) Critical 

Technical Summary 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-34067 HikCentral  The /bic/ssoService/v1/applyCT endpoint is vulnerable due to the use of an outdated Fastjson library with unsafe auto-type deserialization enabled. Attackers can send malicious JSON payloads containing LDAP references to attacker-controlled Java classes. Remote code execution  

A security flaw exists in the “/bic/ssoService/v1/applyCT” endpoint, which accepts JSON input. This allows attackers to send specially designed data that tricks the system into loading malicious code from an attacker-controlled server.

Since the system processes this data before checking if the user is logged in, even someone without any login credentials can exploit it. If successful, the attacker can run harmful code under the HikCentral service’s permissions. This helped them move through the network, access or control camera feeds, DVRs/NVRs, and other connected systems across the enterprise.Proof of Concept (PoC): 

(Source: PeiQi0 )

Remediation

  • Apply Patches: Users should contact HIKVISION support for immediate remediation guidance and apply any security updates or hotfixes provided by the vendor. 
  • Update Fastjson Library: Ensure the Fastjson library is updated to a secure patched version. 

Recommendations: 

  • Configuration Check: If patching isn’t possible, block or redirect all traffic to the “/bic/ssoService/” endpoints – especially on systems that are accessible from the internet. 
  • Network Segmentation: Isolate surveillance and physical security networks from business-critical systems. 
  • Monitoring: Check logs for outbound LDAP traffic, suspicious Java class loads, or unexpected command execution from the HikCentral host. 

Conclusion: 
This vulnerability helps attackers to take full control of the system, Publicly available code makes it easy for attackers to exploit this flaw. Because of the critical risk, it has received the maximum severity score (CVSS 10.0).  

If not fixed, attackers could turn off security cameras, change alarm settings, delete important evidence, and even watch staff movements live. To protect against this threat, it’s urgent to install the latest patch, isolate the system from the internet and closely monitor for suspicious activity. 

References

Security Advisory

Mercedes, VW, Skoda Cars at Risk from Critical PerfektBlue Bluetooth Vulnerabilities 

Summary 

Severity High 
CVSS Score 8.0 
CVEs CVE-2024-45431, CVE-2024-45432, CVE-2024-45433, CVE-2024-45434, 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 
Researchers discovered critical Bluetooth flaws, called PerfektBlue, in the OpenSynergy BlueSDK stack used in millions of vehicles. These allow attackers nearby to remotely run malicious code through the infotainment system, potentially accessing GPS, audio and even vehicle controls depending on the car’s design.

Cars from brands like Mercedes-Benz, Volkswagen and Skoda are affected. While patches were released, it is urged to update the systems and stay cautious during Bluetooth pairing to stay protected. 

Vulnerability Name CVE ID Product Affected Severity 
Use-After-Free in AVRCP  CVE-2024-45434 Open Synergy BlueSDK (Bluetooth AVRCP service_ 8.0   
RFCOMM Improper Function Termination CVE-2024-45433 OpenSynergy BlueSDK (Bluetooth RFCOMM protocol) 5.7 
RFCOMM Parameter Misuse CVE-2024-45432 OpenSynergy BlueSDK (Bluetooth RFCOMM protocol) 5.7 
L2CAP Remote CID Validation Flaw CVE-2024-45431 OpenSynergy BlueSDK (Bluetooth L2CAP layer)  3.5 

Technical Summary 

A set of vulnerabilities has been identified in the Bluetooth stack of infotainment systems, affecting core protocols like AVRCP, L2CAP, and RFCOMM. These issues stem from improper memory handling, incorrect parameter usage and flawed validation logic. While some may only cause system instability or crashes, they can be combined in a coordinated attack to bypass defenses, disrupt communication or potentially execute code remotely. Overall, they expose critical weaknesses that could be exploited to compromise the system through crafted Bluetooth traffic. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2024-45434 Vehicles using Open Synergy Blue SDK, including Mercedes-Benz, Volkswagen, Skoda and undisclosed OEM. This vulnerability allows attackers to exploit free memory in the AVRCP service. By sending crafted Bluetooth commands, they can trigger a use-after-free condition, potentially leading to crashes or remote code execution inside the infotainment system. It can be part of a larger attack chain to take over the system. May allow attackers to run remote code on the infotainment system. 
CVE-2024-45433 Automotive systems running Blue SDK’s RFCOMM protocol implementation.  Due to faulty logic in RFCOMM, certain functions may not exist properly. This can cause the system to behave unpredictably, giving attackers a chance to manipulate control flow or trigger crashes. It can be used to stabilize or advance remote attacks on the Bluetooth stack.  May cause system crash or help in running further malicious actions. 
CVE-2024-45432 Vehicles using Open Synergy Blue SDK with Bluetooth RFCOMM services.  This issue involves functions in the RFCOMM protocol being called with wrong parameters. Attackers can exploit this to introduce unexpected behavior or weaken Bluetooth processing. On its own, it may cause a crash, but as part of an exploit chain, it helps attackers gain deeper access. Can create logic errors and make the system unstable. 
CVE-2024-45431 Infotainment systems in vehicles using Open Synergy Blue SDK Bluetooth stack. This flaw stems from incorrect validation of channel IDs in the L2CAP layer. Attackers can send malformed Bluetooth packets that bypass checks, possibly disrupting communication or preparing the system for further exploitation. Though low in severity alone, it can support chained attacks. Could help attackers bypass checks 

Remediation

To stay protected from the PerfektBlue vulnerabilities, users should update with the available latest patches provided by the manufacturer ensure once their vehicle’s software is fully updated.  

Here are some best practices below you can follow  

  • Disable Bluetooth when not in use and avoiding unnecessary pairing, especially in public areas, can reduce exposure to potential attacks.  
  • Always verify Bluetooth pairing requests and codes carefully before accepting any connection.  

Conclusion: 
The PerfektBlue flaws show that even car Bluetooth systems can be a way for hackers to attack. If not fixed, these issues can let attackers take control of your car’s infotainment features and maybe more. Timely patching and adopting secure Bluetooth practices are essential to minimize exposure. As vehicles grow increasingly connected, securing their wireless interfaces becomes crucial to maintaining overall system safety and privacy. 

References

Security Advisory

Critical Flaws Expose Schneider DCE to Remote Exploits – Patch Now 

Summary : Schneider Electric has found critical security flaws in its EcoStruxure IT Data Center Expert software (version 8.3 and earlier) which allow attackers to run harmful codes, steal data or disrupt data center operations. The EcoStruxure IT Data Center is a scalable monitoring solution for data center equipment. Through the web interface the flaw allows unauthenticated remote code execution when HTTP is enabled, though it is disabled by default.

Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-50121, CVE-2025-50122, CVE-2025-50123, CVE-2025-50125 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The most severe flaw lets attackers execute commands remotely without logging in and other risks include weak password generation and privilege misuse.

Schneider urges users to upgrade to version 9.0. as a priority, if users are unable to update right now, users should secure their systems by limiting access, disabling unused services, using VPNs and security best practices. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
OS Command Injection  CVE-2025-50121 EcoStruxure IT Data Center Expert (DCE)  Critical  v 9.0 
Insufficient Entropy (Weak Root Password Generation)  CVE-2025-50122 EcoStruxure IT Data Center Expert (DCE)  High  v 9.0 
Insufficient Entropy (Weak Root Password Generation) CVE-2025-50123 EcoStruxure IT Data Center Expert (DCE) High v 9.0 
Insufficient Entropy (Weak Root Password Generation)  CVE-2025-50125 EcoStruxure IT Data Center Expert (DCE) High v 9.0 

Technical Summary 

The vulnerabilities have been identified in the system that exposes it to remote takeover, unauthorized access and internal data exposure.

At the core of the risk is a command injection flaw in the web interface, where unsanitized input allows attackers to execute system-level commands without authentication.

Compounding the issue is a weak password generation mechanism that uses low-entropy values, making root credentials easier to predict if installation or update packages are obtained.

Privileged users can also exploit unsafe input handling, specifically in fields like the hostname to inject and execute arbitrary code.

Furthermore, improper validation of internal HTTP requests allows attackers to perform server-side request forgery (SSRF), potentially accessing internal services and sensitive resources without credentials. 

CVE ID CVSS Score System Affected  Vulnerability Details Impact 
CVE-2025-50121 10.0 Web interface Allows unauthenticated attackers to run system commands via malicious folder in web interface. Unauthenticated RCE, full system compromise. 
CVE-2025-50122 8.3 Password generation system Allows unauthenticated attackers to run system commands via malicious folder in web interface. Root access by reverse-engineering password generation, leading to full control. 
CVE-2025-50123 7.2 Server console interface Allows unauthenticated attackers to run system commands via malicious folder in web interface. Arbitrary command execution by privileged users, risking internal misuse or escalation  
CVE-2025-50125 7.2 HTTP request handler Attackers manipulate hidden URLs to access internal services or run code without login. Unauthorized access to internal services, RCE and data exposure. 

In addition to the Critical and High Severity vulnerabilities, Two other medium severity issues were addressed. 

CVE-2025-50124 – Improper Privilege Management (CVSS 6.9) 
This issue allows privilege escalation through a setup script by a user already holding elevated access via the console. 

CVE-2025-6438 – XML External Entity (XXE) Injection (CVSS 6.8) 

 Attackers could exploit SOAP API calls to inject malicious XML entities and gain unauthorized file access. 

Remediation

  • Immediately upgrade to EcoStruxure DCE version 9.0 or the latest one to fix critical security flaws. 

Schneider recommends hardening DCE instances per the EcoStruxure IT Data Center Expert Security Handbook and adopting cybersecurity best practices.

Attackers could gain full access, run harmful commands, or steal data. It is strongly advised to update to version 9.0 or apply strict security measures to reduce the risks immediately.

IoT and Evolving Threat landscape

Industrial IoT security threats have evolved from theoretical concerns to active, persistent dangers that target manufacturing operations worldwide.

The convergence of traditional operational technology with modern information technology has created attack vectors that cybercriminals, nation-state actors, and industrial espionage operations actively exploit.

The financial impact of industrial cybersecurity incidents continues to escalate, with the average cost of a manufacturing sector data breach reaching $4.97 million in 2024, not including potential regulatory fines, business interruption losses, and long-term reputation damage. 

The security flaws in Schneider’s EcoStruxure IT Data Center Expert software exposes the dynamic threat landscape that may exist in Industrial IoT .


These vulnerabilities in Schneider Electric’s EcoStruxure DCE can seriously affect system security and data center operations. 

References

Security Advisory

12-Year-Old Sudo Vulnerability & Chroot Flaw Enable Privilege Escalation  

Summary : Security Advisory: Two critical vulnerabilities CVE-2025-32462 and CVE-2025-32463 have been identified in the widely used Sudo utility, enabling local privilege escalation to root. System administrators rely on Sudo to enforce the principle of least privilege and maintain an audit trail of administrative actions.

The flaw, present in Sudo’s codebase for over 12 years, was discovered by Rich Mirch of the Stratascale Cyber Research Unit and affects both stable (v1.9.0–1.9.17) and legacy (v1.8.8–1.8.32) versions of Sudo.

Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-32463, CVE-2025-32462 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These flaws affect both legacy and modern versions of Sudo and impact Linux and Unix-like systems, including Ubuntu and macOS. One vulnerability (CVE-2025-32462)remained undiscovered for over 12 years. Both have been fixed in Sudo version 1.9.17p1. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Chroot Option Arbitrary Code Execution vulnerability  CVE-2025-32463 Sudo  Critical  1.9.17p1 
Host Option Privilege Escalation vulnerability  CVE-2025-32462 Sudo   Low  1.9.17p1 

Technical Summary 

CVE-2025-32463 – Chroot Privilege Escalation via Path Confusion 

Introduced in Sudo version 1.9.14, this vulnerability abuses the –chroot (-R) feature, allowing attackers to run commands as root even if not permitted in the sudoers file.

The flaw arises because Sudo began resolving paths inside the chroot environment before validating permissions. This allowed attackers to trick Sudo into referencing malicious configuration files (e.g., fake /etc/nsswitch.conf) and loading arbitrary shared libraries (e.g.-libnss_/woot1337.so.2) during the privilege escalation process. 

CVE-2025-32462 – Host Option Bypass 

CVE-2025-32462 exploits improper handling of the –host (-h) option in Sudo, allowing users to bypass hostname-based access restrictions and execute commands as root. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-32463 Stable 1.9.0 – 1.9.17  Exploits the -R chroot option to load attacker-controlled shared libraries, leading to root access even when user lacks necessary permissions.  Arbitrary code execution as root 
CVE-2025-32462 Stable 1.9.0 – 1.9.17 Legacy 1.8.8 – 1.8.32  Allows local users to abuse the -h option to bypass Host or Host_Alias restrictions and execute commands as root across unintended systems.  Local privilege escalation to root 

Remediation

Upgrade Sudo to version 1.9.17p1 or later or the appropriate patched package version provided by your Linux distribution. 

Conclusion: 
These Sudo vulnerabilities, especially CVE-2025-32463 with a CVSS score of 9.3, represent a serious threat to system integrity. Exploitable without complex tooling and with a public Proof-of-Concept (PoC) already available, this vulnerability underscores the risks posed by long-standing design flaws in foundational system utilities.

Administrators are strongly advised.

Update Sudo to version 1.9.17p1 or later on all systems. Organizations must act swiftly to patch affected systems, audit privileged access, and secure their Sudo configurations.

This incident reinforces the urgent need for continuous security reviews even for the most trusted and widely deployed open-source components and prevent unauthorized privilege escalation on affected systems.

References

Security Advisory

Critical Unauthenticated RCE Vulnerabilities in Cisco ISE and ISE-PIC 

Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.

Summary 

OEM Cisco 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-20281, CVE-2025-20282 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.

Both issues stem from insecure API implementations that fail to validate user input and uploaded files respectively.  

Given the critical nature of these bugs both scoring CVSS 9.8 & 10.0 Cisco has issued immediate fixes, with no workarounds available. Organizations using the affected versions are urged to apply the patches without delay. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​API Unauthenticated RCE vulnerability  CVE-2025-20281 ISE & ISE-PIC   Critical  3.3 Patch 6, 3.4 Patch 2 
Internal API Arbitrary File Execution vulnerability  CVE-2025-20282 ISE & ISE-PIC   Critical  3.4 Patch 2 

Technical Summary 

Two independent vulnerabilities allow an attacker to gain full control over affected Cisco ISE systems without authentication: 

  • CVE-2025-20281: Triggered via crafted requests to a public API, exploiting insufficient input validation to achieve RCE as root. 
  • CVE-2025-20282: Abuses an internal API that lacks file validation, enabling the upload and execution of malicious files in privileged directories. 

These vulnerabilities align with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-269 (Improper Privilege Management). 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-20281 Cisco ISE & ISE-PIC 3.3 and later Insufficient validation in a public API allows remote attackers to send crafted requests, leading to unauthenticated command execution as the root user.  Remote code execution  
CVE-2025-20282 Cisco ISE & ISE-PIC 3.4 only An internal API fails to validate uploaded files. Attackers can upload files to system directories and execute them with root privileges.   Remote code execution 

Remediation

Cisco has released patches for affected versions of ISE and ISE-PIC. There are no known workarounds, and customers are strongly encouraged to apply the following updates: 

Cisco ISE / ISE-PIC Version CVE-2025-20281 Fixed In CVE-2025-20282 Fixed In 
3.2 and earlier Not affected Not affected 
3.3 3.3 Patch 6 Not affected 
3.4 3.4 Patch 2 3.4 Patch 2 

Conclusion: 
These vulnerabilities represent a severe risk to network security infrastructure, particularly because they impact Cisco ISE a cornerstone for identity and access control in many enterprises. The unauthenticated remote nature of the exploits, combined with root-level access and no required user interaction, significantly increases the threat surface.  

Although Cisco’s PSIRT has stated that there are no known instances of public exploitation, the ease of exploitation and severity (CVSS 10.0) make these vulnerabilities highly attractive to threat actors. Organizations should immediately apply the available patches and review their system logs for any signs of suspicious activity targeting ISE infrastructure. 

References

Security Advisory

Privilege Escalation in Notepad++ v8.8.1 Installer via Binary Planting with Public PoC Available 

Security Advisory: A high-severity privilege escalation vulnerability has been discovered in the Notepad++ v8.8.1 and prior installer, which allows local attackers to gain SYSTEM-level privileges through uncontrolled executable search paths (binary planting).

The installer searches for executable dependencies in the current working directory without verification, allowing attackers to place malicious executables that will be loaded with SYSTEM privileges during installation.

OEM Notepad++ 
Severity High 
CVSS Score 7.3 
CVEs CVE-2025-49144 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Exploitation requires minimal user interaction and a public Proof of Concept (PoC) is available. The issue is resolved in version v8.8.2. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Privilege Escalation Vulnerability  CVE-2025-49144 Notepad++  High  v8.8.2 

Technical Summary 

The Notepad++ installer improperly searches for executable dependencies in the current directory without verifying their authenticity.

This insecure behavior allows attackers to place a malicious executable (e.g. regsvr32.exe) in the same directory as the installer. Upon execution the malicious file is loaded with SYSTEM-level privileges, granting full control over the machine. 

In real world scenario, an attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder – which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges.

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-49144  Notepad++ v8.8.1 and prior. The installer invokes executables without absolute path (e.g. regsvr32), allowing a malicious binary in the same directory to be executed with elevated privileges.  SYSTEM privilege escalation and full machine control 

Proof of Concept (PoC): 

  • Execution Flow: Attacker places a fake regsvr32.exe in the same directory as the Notepad++ installer. 
  • Trigger: When the user runs the installer, it loads the attacker’s file with SYSTEM privileges. 
  • Evidence: 
  • Process Monitor logs confirm that the installer is searching for executables in the local directory. 
  • Public PoC materials are hosted and shared, confirming reproducibility 

Remediation

  • Immediate Action: Upgrade to Notepad++ v8.8.2 or later which explicitly sets absolute paths when invoking executables like regsvr32. 

Recommendations: 

  • Configuration Check: Avoid executing installers from user-writable locations like the Downloads folder. Ensure installers are run from isolated, trusted directories. 
  • Environment Hardening: Implement endpoint detection for binary planting, restrict execution in commonly targeted directories. 

Conclusion: 
CVE-2025-49144 is a critical privilege escalation vulnerability with a working public PoC. It leverages a fundamental flaw in the Notepad++ installer’s handling of executable paths.

Given the low barrier to exploit and high impact, especially in environments where Notepad++ is widely used, immediate remediation is strongly advised. The presence of similar flaws in past versions highlights the persistent risk of insecure software packaging. 

This is a critical security vulnerability requiring immediate attention. While Microsoft classifies some binary planting issues as “Defense-in-Depth,” the severity of gaining SYSTEM privileges with minimal user interaction warrants priority remediation.

References

Scroll to top