Vulnerability Archives - Cyber Security News
https://cybersecuritynews.com/category/vulnerability/

CISA Warns of Fortinet FortiWeb OS Command Injection Vulnerability Exploited in the Wild
https://cybersecuritynews.com/cisa-fortinet-fortiweb-vulnerability-2/ (Wed, 19 Nov 2025)

The post CISA Warns of Fortinet FortiWeb OS Command Injection Vulnerability Exploited in the Wild appeared first on Cyber Security News.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical vulnerability affecting Fortinet FortiWeb appliances that threat actors are currently exploiting in active attacks.

The agency added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) catalog on November 18, 2025, signaling immediate risk to organizations using the affected product.

The vulnerability identified as CVE-2025-58034 is an OS command injection weakness categorized under CWE-78.

This security flaw allows authenticated attackers to execute unauthorized code on the underlying operating system of FortiWeb devices.

Critical OS Command Injection Flaw

Exploitation occurs through specially crafted HTTP requests or command-line interface (CLI) commands whose contents are not properly neutralized before being passed to the underlying operating system, so the attacker ends up with command execution on the appliance rather than just access to its management interface.

Although authentication is required, the flaw is still serious: any attacker holding valid FortiWeb credentials, however they were obtained, can use it to run code on the appliance's operating system and move beyond the web-management role they started with.

That can lead to complete compromise of the device, theft of the traffic and configuration it handles, and a foothold for deploying ransomware or other malware further into the network.

CVE ID: CVE-2025-58034
Vulnerability: OS command injection (CWE-78)
Affected product: Fortinet FortiWeb
Impact: Unauthorized code execution on the underlying OS
Exploit prerequisites: Authentication required

CISA has mandated that federal agencies must apply security patches and mitigations by November 25, 2025, giving organizations just seven days to remediate the vulnerability.

The directive follows Binding Operational Directive (BOD) 22-01, which requires agencies to address known exploited vulnerabilities within strict timeframes.

Organizations using Fortinet FortiWeb are strongly urged to follow vendor instructions immediately. Fortinet has released security updates and mitigation guidance that administrators should implement without delay.

For this entry CISA gives its standard KEV instruction: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

The active exploitation of this vulnerability underscores the importance of keeping security patches up to date and monitoring vendor advisories for enterprise security infrastructure.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

Palo Alto PAN-OS Firewall Vulnerability Let Attackers Reboot Firewall by Sending Malicious Packet
https://cybersecuritynews.com/palo-alto-pan-os-firewall-vulnerability/ (Thu, 13 Nov 2025)

Palo Alto Networks has disclosed a critical denial-of-service vulnerability in its PAN-OS firewall software that allows unauthenticated attackers to remotely reboot firewalls by sending specially crafted packets.

Tracked as CVE-2025-4619, the vulnerability poses significant risks to organizations relying on Palo Alto firewalls for network security.

The flaw, identified as CWE-754 (Improper Check for Unusual or Exceptional Conditions), exists in the PAN-OS software dataplane.

Attackers can exploit this vulnerability without authentication, credentials, or user interaction. When successful, the malicious packet triggers an unexpected reboot of the firewall.

More concerning, repeated exploitation attempts can force the firewall into maintenance mode, severely interrupting network operations and potentially leaving the organization exposed while the device is down.

CVE ID: CVE-2025-4619
Reference: PAN-247099
Vulnerability type: Denial of service (DoS)
Weakness: CWE-754, Improper Check for Unusual or Exceptional Conditions
CVSS v4.0 score (with threat metrics): 6.6 (MEDIUM)
CVSS-B (base) score: 8.7

Palo Alto Networks assigned the vulnerability a CVSS v4.0 score of 6.6, rating it MEDIUM severity with MODERATE urgency.

That lower figure includes threat metrics (no exploitation was known at publication). The CVSS-B score, which is the base score and reflects only the vulnerability's intrinsic characteristics, is 8.7. The attack vector is network-based with low attack complexity and no privileges or user interaction needed.

The impact is entirely on availability, but for a perimeter firewall an unauthenticated remote crash is exactly the kind of availability loss that interrupts critical network infrastructure, which is why administrators should not read "medium" as "low priority".

PA-Series, VM-Series, and Prisma Access Deployments

The vulnerability affects PA-Series firewalls, VM-Series firewalls, and Prisma Access deployments that are running vulnerable versions of PAN-OS. Cloud NGFW is not impacted.

Vulnerable versions include PAN-OS 10.2 (through 10.2.13), 11.1 (through 11.1.6), and 11.2 (through 11.2.4). PAN-OS 12.1 and 10.1 are unaffected.

Importantly, exploitation requires a specific configuration: the firewall must have a URL proxy or a decrypt policy enabled; even with explicit no-decrypt policies, the vulnerability may be exploitable.

Palo Alto Networks recommends upgrading to a fixed release: PAN-OS 11.2 to 11.2.5 or later, PAN-OS 11.1 to 11.1.7 or later, and PAN-OS 10.2 to 10.2.14 or later. The company reports that no workarounds are available.

Currently, Palo Alto Networks has not identified any active malicious exploitation of this vulnerability. Administrators should prioritize patching given the ease of exploitation and potential operational impact.
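As an added example (not Palo Alto Networks' code), the version and configuration triage above as a small C routine: it parses a PAN-OS version string, compares it against the fixed releases the advisory lists, and applies the decrypt-policy / URL-proxy precondition. The inventory rows in main are constructed, and ignoring hotfix suffixes such as "-h3" is a simplification; check the advisory for hotfix-level fixes on your exact train.

```c
/* Added example (not Palo Alto Networks code): triage a PAN-OS version string
 * against the CVE-2025-4619 fixed-version table and the advisory's precondition.
 * Hotfix suffixes ("-h3") are ignored: a simplification for illustration. */
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

enum panos_status {
    PANOS_BAD_VERSION,          /* string could not be parsed */
    PANOS_NOT_LISTED,           /* train not named by the advisory (10.1, 12.1, ...) */
    PANOS_PATCHED,              /* vulnerable train, at or above the fixed release */
    PANOS_VULN_NO_PRECONDITION, /* vulnerable build, but no decrypt policy / URL proxy */
    PANOS_EXPLOITABLE           /* vulnerable build and the precondition is present */
};

struct panos_version { int major, minor, patch; };

/* Fixed releases per the advisory: 10.2.14, 11.1.7, 11.2.5. */
static const struct { int major, minor, fixed_patch; } panos_fixes[] = {
    {10, 2, 14},
    {11, 1, 7},
    {11, 2, 5},
};

/* Parse "11.2.4" or "11.2.4-h3"; "11.2" is treated as "11.2.0". */
bool parse_panos_version(const char *s, struct panos_version *v)
{
    v->major = v->minor = v->patch = 0;
    int n = sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch);
    return n >= 2 && v->major >= 0 && v->minor >= 0 && v->patch >= 0;
}

/* decrypt_or_url_proxy: true if any decrypt policy (including explicit no-decrypt
 * rules, which the advisory says may still be enough) or a URL proxy is configured. */
enum panos_status panos_cve_2025_4619_status(const char *version, bool decrypt_or_url_proxy)
{
    struct panos_version v;
    if (!parse_panos_version(version, &v))
        return PANOS_BAD_VERSION;
    for (size_t i = 0; i < sizeof panos_fixes / sizeof panos_fixes[0]; i++) {
        if (v.major != panos_fixes[i].major || v.minor != panos_fixes[i].minor)
            continue;
        if (v.patch >= panos_fixes[i].fixed_patch)
            return PANOS_PATCHED;
        return decrypt_or_url_proxy ? PANOS_EXPLOITABLE : PANOS_VULN_NO_PRECONDITION;
    }
    return PANOS_NOT_LISTED;
}

const char *panos_status_name(enum panos_status s)
{
    static const char *names[] = {
        "bad version string",
        "train not listed in advisory",
        "patched",
        "vulnerable build, precondition absent (patch anyway: config can change)",
        "VULNERABLE AND EXPLOITABLE: patch now",
    };
    return names[s];
}

int main(void)
{
    /* Constructed inventory rows: (version, decrypt policy or URL proxy configured). */
    const struct { const char *ver; bool precond; } fleet[] = {
        {"11.2.4", true}, {"11.2.5", true}, {"10.2.13-h2", false}, {"12.1.0", true}, {"garbage", true},
    };
    for (size_t i = 0; i < sizeof fleet / sizeof fleet[0]; i++)
        printf("%-12s -> %s\n", fleet[i].ver,
               panos_status_name(panos_cve_2025_4619_status(fleet[i].ver, fleet[i].precond)));
    return 0;
}
```

The "vulnerable build, precondition absent" result is deliberately not labelled safe: the advisory's precondition is a configuration detail that can change after the triage was done, so the build should still be scheduled for upgrade.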

Zoom Workplace for Windows Vulnerability Allow Users to Escalate Privilege
https://cybersecuritynews.com/zoom-workplace-for-windows-vulnerability/ (Tue, 11 Nov 2025)

A security vulnerability has been discovered in Zoom Workplace VDI Client for Windows that could allow attackers to gain elevated privileges on affected systems.

The flaw, tracked as CVE-2025-64740, has been assigned a high severity rating with a CVSS score of 7.5, according to Zoom’s security bulletin ZSB-25042.

The vulnerability stems from improper verification of cryptographic signatures in the Zoom Workplace VDI Client for Windows installer.

This weakness can be exploited by an authenticated user with local access to escalate their privileges on the system.

Zoom Workplace for Windows Vulnerability

When successfully exploited, attackers could gain higher-level permissions, potentially executing unauthorized commands, accessing sensitive data, or compromising system integrity.

The security flaw affects Zoom Workplace VDI Client for Windows versions before 6.3.14, 6.4.12, and 6.5.10 in their respective tracks.

The vulnerability requires local access (AV:L), high attack complexity (AC:H), low privileges (PR:L) and user interaction (UI:R), so it is not trivially exploitable.

What lifts the score to 7.5 is the rest of the vector: the scope change (S:C) and high impact on confidentiality, integrity and availability (C:H/I:H/A:H) mean a successful exploit reaches beyond the installer into the rest of the system.

Bulletin: ZSB-25042
CVE ID: CVE-2025-64740
CVSS score: 7.5 (High)
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Affected products: Zoom Workplace VDI Client for Windows before versions 6.3.14, 6.4.12 and 6.5.10

Privilege escalation vulnerabilities are particularly concerning in enterprise environments where Zoom is widely deployed for remote work and virtual desktop infrastructure.

Attackers who already have limited access to a system could exploit this flaw to gain administrative rights, bypass security controls, and potentially move laterally across networks to compromise additional resources.

Because the installer does not properly verify cryptographic signatures, it cannot reliably tell a legitimate package from one that has been tampered with.

That gives a local attacker a way to manipulate the installation process so that attacker-controlled code runs with the installer's elevated permissions.

Zoom has released security updates to address this vulnerability and strongly recommends that all users update their Zoom Workplace VDI Client for Windows immediately.

Organizations using affected versions should prioritize patching to mitigate the risk of exploitation. Users can download the latest secure versions from Zoom’s official download page at zoom.us/download.

System administrators should verify that all installations across their organization are updated to versions 6.3.14, 6.4.12, 6.5.10, or later, depending on their deployment track.

This disclosure underscores the importance of maintaining up-to-date software, especially for widely used communication platforms in enterprise settings.

Critical Vulnerability in Popular NPM Library Exposes AI and NLP Apps to Remote Code Execution
https://cybersecuritynews.com/npm-library-vulnerability/ (Mon, 10 Nov 2025)

A critical security flaw has been discovered in the widely used npm package expr-eval, potentially exposing AI and natural language processing applications to remote code execution attacks.

The vulnerability, tracked as CVE-2025-12735, allows attackers to execute arbitrary system commands through maliciously crafted input.

The expr-eval library is a JavaScript tool designed to parse and evaluate mathematical expressions safely, serving as a more secure alternative to JavaScript’s native eval() function.

With over 250 dependent packages, including oplangchain, a JavaScript implementation of the popular LangChain framework, this vulnerability has significant implications for the AI and NLP ecosystem.

NPM Library Vulnerability

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University, which published the vulnerability note, reports that attackers can define arbitrary functions within the parser's context object, so that a crafted expression ends up executing attacker-supplied code, including system commands.

This vulnerability achieves Total Technical Impact under the SSVC framework, meaning adversaries gain complete control over affected software behavior and can access all system information.

CVE ID: CVE-2025-12735
Affected packages: expr-eval, expr-eval-fork
Vulnerability type: Remote code execution
Patched version: expr-eval-fork 3.0.0

The flaw is particularly dangerous for generative AI systems and NLP applications. These systems often run in server environments with access to sensitive local resources and process user-supplied mathematical expressions.

Developers using expr-eval or expr-eval-fork should take immediate action by upgrading to the expr-eval-fork version 3.0.0, which includes comprehensive security patches.

The update introduces an allowlist of safe functions, mandatory registration for custom functions, and enhanced test cases to enforce security constraints.

The vulnerability was responsibly disclosed by security researcher Jangwoo Choe (UKO) and patched through GitHub Pull Request #288.

Organizations can use npm audit to automatically detect this vulnerability in their projects through the GitHub Security Advisory GHSA-jc85-fpwf-qm7x.

Hackers Can Attack Active Directory Sites to Escalate Privileges and Domain Compromise
https://cybersecuritynews.com/active-directory-sites-escalate-privileges/ (Fri, 07 Nov 2025)

Active Directory sites are designed to optimize network performance across geographically separated organizations by managing replication and authentication across multiple locations.

Synacktiv researchers have shown that these routine topology objects, rarely treated as a security boundary, can be weaponized for powerful attacks against enterprise environments.

The vulnerability emerges because Active Directory sites can be linked to Group Policy Objects (GPOs), which control system configurations across an organization.

When attackers gain write permissions to sites or their associated GPOs, they can inject malicious configurations that compromise all computers connected to those sites, including domain controllers.

This creates a direct pathway to domain-wide compromise without triggering conventional security defenses.​

How Privilege Escalation Works

The attack needs one of three permissions on a site object: GenericAll, GenericWrite, or WriteGPLink. Administrators often delegate these without appreciating that they amount to control over every computer in the site.

Once an attacker controls these permissions, they can either poison existing GPOs or create new malicious ones that execute arbitrary commands on connected systems.

[Figure: Attack path for linked GPO exploitation vector.]

These commands can add attacker-controlled accounts to administrator groups, effectively giving them domain admin privileges within minutes.​ The most dangerous aspect is how Active Directory sites enable lateral movement across entire forests.

The configuration partition containing site information replicates forest-wide, meaning that a compromised domain controller can modify site configurations that affect other domains.

[Figure: Delegation of Group Policy links management via Active Directory GUI.]

This technique bypasses traditional SID filtering protections that normally prevent such cross-domain attacks.

The Synacktiv researchers demonstrated that attackers from a child domain can compromise the forest root domain by simply linking malicious GPOs to sites that host the root domain’s controllers.​

This attack vector represents a significant blind spot in many organizations’ security strategies. It warrants immediate attention from defensive teams managing large Active Directory environments.

Cisco Unified Contact Center Express Vulnerabilities Let Remote Attacker Execute Malicious Code
https://cybersecuritynews.com/cisco-unified-contact-center-express-vulnerabilities/ (Thu, 06 Nov 2025)

Cisco has disclosed multiple critical vulnerabilities in Unified Contact Center Express (CCX) that allow unauthenticated remote attackers to execute malicious code and escalate privileges.

The vulnerabilities affect the Java Remote Method Invocation (RMI) process and authentication mechanisms, potentially compromising entire contact center deployments.

RCE and Authentication Bypass Vulnerability

The primary vulnerability, CVE-2025-20354, has a critical CVSS score of 9.8, allowing attackers to upload arbitrary files via the Java RMI process without authentication.

Successful exploitation allows attackers to execute commands with root privileges on affected systems.

The vulnerability stems from improper authentication mechanisms in Cisco Unified CCX, leaving organizations’ contact center infrastructure exposed to complete compromise.

Attackers can leverage this flaw to establish persistent access, steal sensitive customer data, or deploy ransomware across entire contact center networks.

CVE-2025-20358 presents an equally dangerous authentication bypass affecting the CCX Editor application.

Rated 9.4 on the CVSS scale, this vulnerability allows attackers to redirect the authentication flow to malicious servers, tricking the CCX Editor into believing legitimate authentication occurred.

Once bypassed, attackers gain administrative permissions to create and execute arbitrary scripts as internal non-root users.

Together the two flaws form an attack chain that lets a remote attacker gain an initial foothold, escalate privileges step by step, and retain control over contact center operations.

CVE ID: CVE-2025-20354
Vulnerability type: Unauthenticated arbitrary file upload via Java RMI, leading to remote code execution as root
CVSS score: 9.8

CVE ID: CVE-2025-20358
Vulnerability type: Authentication bypass in CCX Editor
CVSS score: 9.4

Cisco has released software updates addressing both vulnerabilities, with no workarounds available.

Organizations running Unified CCX version 12.5 SU3 and earlier must upgrade immediately to version 12.5 SU3 ES07, while users on version 15.0 must install version 15.0 ES01.

The vulnerabilities affect all Unified CCX configurations regardless of deployment settings. Other Cisco products, including Unified Contact Center Enterprise (CCE) and Packaged Contact Center Enterprise, remain unaffected.

Hackers Actively Scanning Internet to Exploit XWiki Remote Code Execution Vulnerability
https://cybersecuritynews.com/xwiki-remote-code-vulnerability/ (Tue, 04 Nov 2025)

A critical remote code execution vulnerability in XWiki's SolrSearch component, tracked as CVE-2025-24893, has become the target of widespread exploitation attempts, and CISA has added it to its Known Exploited Vulnerabilities catalog.

The flaw allows attackers with minimal guest privileges to execute arbitrary commands on vulnerable systems, posing a significant security risk to organizations using this open-source enterprise wiki platform.

XWiki, which positions itself as an advanced open-source enterprise wiki and alternative to platforms like Confluence and MediaWiki, released a security advisory and patch in February addressing this severe vulnerability.

The flaw resides in the SolrSearch component and requires only guest-level access, so on any instance where guests can view pages it is reachable without credentials.

Vulnerability Discovery and Delayed Exploitation

Proof-of-concept code was published alongside the advisory, yet exploitation was unusually slow to follow: initial reconnaissance scans appeared in July, and exploitation attempts did not surge until recently.

The exploitation method demonstrates relatively straightforward execution patterns. Attackers send specially crafted GET requests to the vulnerable XWiki endpoint, specifically targeting the SolrSearch RSS media function.

SANS observed that the malicious requests embed Groovy script commands within asynchronous execution blocks, allowing remote code execution through shell commands.

Captured exploit attempts reveal attackers attempting to download and execute shell scripts from external servers, specifically from the IP address 74.194.191.52.

The User-Agent string in these requests contains the email address bang2013@atomicmail.io, potentially belonging to the threat actor.

Investigation of the hosting server turned up an unexpected Chicago rap connection, with references to rapper King Lil Jay and rival RondoNumbaNine, previously associated with opposing gang affiliations.

The vulnerability presents critical risks because it enables complete system compromise through remote code execution capabilities. Organizations running XWiki installations must prioritize immediate patching to prevent potential breaches.

The attack requires no user interaction and minimal complexity, making it particularly attractive to opportunistic threat actors conducting mass internet scanning campaigns.

Security teams should verify their XWiki installations are updated with the February security patch, monitor for suspicious SolrSearch requests, and implement network-level protections to detect exploitation attempts.
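The request pattern SANS describes can be turned into a log check. The C program below is an added example, not XWiki's or SANS's code: it percent-decodes the request line (up to three rounds, so double-encoded payloads are not missed), looks for a SolrSearch request with media=rss that carries {{groovy}} or {{async}} macro markers, and matches the two indicators from the captured attempts. The log lines are constructed for the example, and the /xwiki/bin/get/Main/SolrSearch path is assumed from XWiki's default URL layout rather than taken from the article.

```c
/* Added example (not XWiki's or SANS's code): flag XWiki SolrSearch exploit
 * attempts in Combined Log Format access logs. Sample lines are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

#define F_SOLRSEARCH_RSS 1   /* SolrSearch page requested with media=rss */
#define F_GROOVY_ASYNC   2   /* {{groovy}} or {{async}} macro in the decoded request */
#define F_IOC_HOST       4   /* download host seen in captured attempts */
#define F_IOC_UA         8   /* User-Agent seen in captured attempts */

/* Constructed samples; the SolrSearch path is assumed from XWiki's default URL layout. */
const char *SAMPLE_EXPLOIT =
    "203.0.113.7 - - [03/Nov/2025:10:15:02 +0000] \"GET /xwiki/bin/get/Main/SolrSearch?media=rss"
    "&text=%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dhttp%3A%2F%2F74.194.191.52%2Fx.sh"
    "%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1\" 200 512 \"-\" \"Mozilla/5.0 bang2013@atomicmail.io\"";
const char *SAMPLE_DOUBLE_ENCODED =
    "203.0.113.8 - - [03/Nov/2025:10:15:09 +0000] \"GET /xwiki/bin/get/Main/SolrSearch?media=rss"
    "&text=%257B%257Bgroovy%257D%257Dprintln(1)%257B%257B%252Fgroovy%257D%257D HTTP/1.1\" 200 512 \"-\" \"curl/8.0\"";
const char *SAMPLE_BENIGN_SEARCH =
    "198.51.100.4 - - [03/Nov/2025:10:16:40 +0000] \"GET /xwiki/bin/get/Main/SolrSearch?media=rss"
    "&text=deployment+guide HTTP/1.1\" 200 2048 \"-\" \"Mozilla/5.0\"";
const char *SAMPLE_UNRELATED =
    "198.51.100.5 - - [03/Nov/2025:10:17:01 +0000] \"GET /xwiki/bin/view/Main/ HTTP/1.1\" 200 9000 \"-\" \"Mozilla/5.0\"";

/* Percent-decode src into dst ('+' becomes space); malformed escapes are copied as-is. */
static void url_decode(const char *src, char *dst, size_t dst_len)
{
    size_t o = 0;
    for (size_t i = 0; src[i] && o + 1 < dst_len; i++) {
        if (src[i] == '%' && isxdigit((unsigned char)src[i + 1]) && isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], 0 };
            dst[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            dst[o++] = (src[i] == '+') ? ' ' : src[i];
        }
    }
    dst[o] = '\0';
}

/* Case-insensitive substring test (strcasestr is not portable). */
static bool contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return true;
    }
    return false;
}

/* Score one log line; returns a bitmask of F_* flags (0 = nothing of interest). */
int score_xwiki_log_line(const char *line)
{
    const char *q1 = strchr(line, '"');              /* request line is the first quoted field */
    const char *q2 = q1 ? strchr(q1 + 1, '"') : NULL;
    if (!q2) return 0;
    char req[2048], tmp[2048];
    size_t n = (size_t)(q2 - q1 - 1);
    if (n >= sizeof req) n = sizeof req - 1;
    memcpy(req, q1 + 1, n);
    req[n] = '\0';
    /* Decode up to three rounds so double-encoded payloads are still caught. */
    for (int pass = 0; pass < 3; pass++) {
        url_decode(req, tmp, sizeof tmp);
        if (strcmp(tmp, req) == 0) break;
        strcpy(req, tmp);
    }
    int flags = 0;
    if (contains_nocase(req, "SolrSearch") && contains_nocase(req, "media=rss")) flags |= F_SOLRSEARCH_RSS;
    if (contains_nocase(req, "{{groovy") || contains_nocase(req, "{{async")) flags |= F_GROOVY_ASYNC;
    if (strstr(req, "74.194.191.52")) flags |= F_IOC_HOST;
    if (strstr(line, "bang2013@atomicmail.io")) flags |= F_IOC_UA;   /* UA is a later field on the line */
    return flags;
}

int main(void)
{
    const char *samples[] = { SAMPLE_EXPLOIT, SAMPLE_DOUBLE_ENCODED, SAMPLE_BENIGN_SEARCH, SAMPLE_UNRELATED };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int f = score_xwiki_log_line(samples[i]);
        printf("line %zu: flags=%d%s\n", i + 1, f,
               (f & F_GROOVY_ASYNC) ? "  <-- macro injection, escalate" : "");
    }
    return 0;
}
```

A plain SolrSearch RSS request scores 1 and is normal wiki traffic; the macro markers (bit 2) are the signal worth alerting on, and the IOC bits are there to tie a hit to the campaign SANS observed. Because the markers are matched after decoding, the check holds up when attackers vary the encoding, which simple URL-substring rules do not.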

The combination of low attack complexity and widespread scanning activity indicates this vulnerability will remain a high-priority target for malicious actors.

AMD Zen 5 Processors RDSEED Vulnerability Breaks Integrity With Randomness
https://cybersecuritynews.com/amd-zen-5-rdseed-vulnerability/ (Tue, 04 Nov 2025)

AMD has disclosed a high-severity vulnerability affecting its Zen 5 processor lineup that compromises the reliability of hardware random number generation, a fundamental security building block in modern computing.

The flaw, tracked as CVE-2025-62626, impacts the RDSEED instruction used by systems to generate cryptographically secure random numbers essential for encryption, authentication, and other security operations.

The vulnerability stems from a defect in the RDSEED instruction implementation on Zen 5 processors. Under certain conditions, the instruction returns a value of zero while incorrectly signaling success through the carry flag (CF=1).

This behavior creates a dangerous scenario where software believes it has received a valid random number when it has actually obtained a predictable zero value. The issue affects both 16-bit and 32-bit forms of the RDSEED instruction, though the 64-bit version remains unaffected.

Understanding the RDSEED Flaw

AMD learned about this bug through an unconventional channel. The issue was first reported publicly on the Linux kernel mailing list rather than through AMD’s standard Coordinated Vulnerability Disclosure process.

This public disclosure path highlights the collaborative nature of open-source security research but also underscores the challenge of managing security information across diverse reporting channels.

The severity of this vulnerability cannot be overstated. Random number generation forms the backbone of cryptographic security in modern systems.

When RDSEED fails silently by returning zeros while indicating success, applications may generate weak encryption keys, predictable authentication tokens, or compromised security protocols.

CVE ID: CVE-2025-62626
Description: Improper handling of insufficient entropy in AMD CPUs could allow a local attacker to influence the values returned by the RDSEED instruction, potentially resulting in the consumption of insufficiently random values.
CVSS score: 7.2 (High)
CVSS vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

An attacker with local system access could potentially exploit this weakness to predict or influence cryptographic operations, leading to data breaches or unauthorized access.

Until firmware arrives, AMD lists three software workarounds: use only the 64-bit form of RDSEED; hide the RDSEED capability from software (on Linux, for example, with the clearcpuid=rdseed kernel boot parameter); or treat a returned value of zero as a failure and retry. A genuine zero from a correctly working 32-bit RDSEED is expected about once in 2^32 calls, so the retry rule costs almost nothing. The company plans to release microcode updates and AGESA firmware revisions across its product portfolio.
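The third workaround, treating a zero as a failure and retrying, is small enough to show in full. The C code below is an added example, not AMD's or any OS vendor's code: rdseed_result_ok() encodes the rule, get_seed32() retries against any source with the (carry flag, value) signature and fails closed, and a simulated Zen 5 source that returns zero with CF=1 twice before producing a value stands in for the hardware so the logic can be exercised on any machine. The real 32-bit RDSEED source and the CPUID check are compiled only on x86, and the constant the simulation returns is arbitrary.

```c
/* Added example (not AMD's code): RDSEED wrapper implementing AMD's
 * "treat zero as failure and retry" workaround for CVE-2025-62626. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* A seed source writes a 32-bit value and returns the carry flag
 * (1 = the instruction reported success, 0 = entropy not ready). */
typedef int (*seed32_source)(uint32_t *out);

/* The erratum: on Zen 5 the 16/32-bit forms can return 0 with CF=1.
 * A result is usable only if CF=1 AND the value is non-zero. */
bool rdseed_result_ok(int cf, uint32_t value)
{
    return cf == 1 && value != 0;
}

/* Retry up to max_tries; fail closed so the caller falls back to another
 * entropy source (e.g. the OS CSPRNG) instead of consuming a bad value. */
bool get_seed32(seed32_source src, int max_tries, uint32_t *out)
{
    for (int i = 0; i < max_tries; i++) {
        uint32_t v = 0;
        int cf = src(&v);
        if (rdseed_result_ok(cf, v)) {
            *out = v;
            return true;
        }
        /* CF=0: DRNG not ready; CF=1 with 0: the erratum. Either way, try again. */
    }
    return false;
}

/* Returns the seed, or 0 if every try failed (0 is never a valid result). */
uint32_t seed32_or_zero(seed32_source src, int max_tries)
{
    uint32_t v;
    return get_seed32(src, max_tries, &v) ? v : 0;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* CPUID.(EAX=7,ECX=0):EBX bit 18 advertises RDSEED. */
bool cpu_has_rdseed(void)
{
    unsigned int a, b, c, d;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d))
        return false;
    return (b & (1u << 18)) != 0;
}

/* Real hardware source: the 32-bit RDSEED form, i.e. exactly the one the
 * erratum affects, so the wrapper above is what makes it safe to use. */
int rdseed32_hw(uint32_t *out)
{
    unsigned char cf;
    __asm__ volatile("rdseed %0; setc %1" : "=r"(*out), "=qm"(cf) : : "cc");
    return cf;
}
#endif

/* Constructed simulation of the Zen 5 behaviour: the first two calls return
 * 0 with CF=1, then a non-zero value (the constant is arbitrary). */
int sim_calls = 0;
int sim_zen5_source(uint32_t *out)
{
    sim_calls++;
    if (sim_calls <= 2) { *out = 0; return 1; }
    *out = 0x9E3779B9u;
    return 1;
}

/* A source that never recovers, to exercise the fail-closed path. */
int sim_always_zero_source(uint32_t *out) { *out = 0; return 1; }

/* Runs the retry loop against the simulated Zen 5 source from a clean state
 * and returns how many calls it needed (0 if it gave up). */
int sim_zen5_tries_until_success(void)
{
    uint32_t v;
    sim_calls = 0;
    return get_seed32(sim_zen5_source, 8, &v) ? sim_calls : 0;
}

int main(void)
{
    uint32_t v;
    printf("simulated Zen 5: success after %d calls\n", sim_zen5_tries_until_success());
    printf("simulated Zen 5: value 0x%08x\n", seed32_or_zero(sim_zen5_source, 8));
    printf("always-zero source: %s\n", get_seed32(sim_always_zero_source, 8, &v)
           ? "accepted (bug!)" : "rejected, fall back to OS CSPRNG");
#if defined(__x86_64__) || defined(__i386__)
    if (cpu_has_rdseed())
        printf("hardware RDSEED: %s\n", get_seed32(rdseed32_hw, 16, &v) ? "usable seed" : "no usable seed");
#endif
    return 0;
}
```

Rejecting a genuine zero discards one of 2^32 outputs for the 32-bit form, a negligible bias; for the 16-bit form the same rule discards one of 65,536, which is one more reason to prefer the 64-bit instruction wherever the software can be changed.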

AMD EPYC 9005 Series processors will receive updates by mid-November 2025, while consumer Ryzen 9000 Series, Ryzen AI 300 Series, and Threadripper 9000 processors target late November releases. Embedded processor variants will see patches deployed through January 2026.

Organizations running affected Zen 5 systems should prioritize applying these updates once available through their original equipment manufacturers.

Until patches are deployed, implementing the recommended software workarounds provides essential protection against potential exploitation of this randomness-integrity vulnerability.

CISA Warns of Linux Kernel Use-After-Free Vulnerability Exploited in Attacks to Deploy Ransomware
https://cybersecuritynews.com/linux-kernel-use-after-free-vulnerability-exploited/ (Sat, 01 Nov 2025)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert about a critical use-after-free vulnerability in the Linux kernel, tracked as CVE-2024-1086.

The flaw, in the netfilter nf_tables component, lets a local attacker escalate privileges to root, and it is now being used to stage ransomware, with the potential to severely disrupt enterprise Linux systems.

CISA first added CVE-2024-1086 to its Known Exploited Vulnerabilities (KEV) catalog in May 2024, a few months after its disclosure in January 2024; the October 31, 2025 update to that entry flags the vulnerability as known to be used in ransomware campaigns against unpatched Linux servers.

As Linux powers everything from cloud infrastructure to IoT devices, this warning underscores the growing threat to open-source ecosystems amid rising ransomware incidents.

Security researchers have confirmed that attackers exploit CVE-2024-1086 through crafted netfilter rules that trigger an incorrect free inside nf_tables. Once a user with local access (often gained through phishing or weak credentials) runs the exploit, the kernel frees memory that is still referenced, and reuse of that dangling reference gives the attacker arbitrary code execution with root privileges.

That root shell is what makes the bug attractive as a ransomware staging step: it removes the last privilege barrier between an initial foothold and full control of the host.

CISA emphasizes immediate patching, noting that affected versions span widely used distributions such as Ubuntu, Red Hat Enterprise Linux, and Debian, particularly in versions predating kernel 6.1.77.

Linux Kernel Use-After-Free Vulnerability Exploited

The vulnerability stems from a classic use-after-free error (CWE-416), where the kernel’s netfilter subsystem mishandles table destruction during rule evaluations. An attacker needs only local execution rights, making it a potent second-stage payload after initial access.

In ransomware scenarios, threat actors chain this with social engineering to encrypt files and exfiltrate data, demanding ransoms in cryptocurrency. Exploitation proofs-of-concept have circulated on underground forums since March 2024, with real-world attacks spiking in Q3 2025 against healthcare and financial sectors.

For a detailed overview, see the CVE specifications below:

CVE ID: CVE-2024-1086
Description: Use-after-free in netfilter: nf_tables leading to local privilege escalation
Affected Products/Versions: Linux Kernel < 6.1.77; Ubuntu 20.04/22.04 LTS; RHEL 8/9; Debian 11/12 (netfilter module)
CVSS v3.1 Score: 7.8 (High)
Technical Details: Memory deallocation flaw in nftables rule processing; requires local access; enables root shell via dangling pointer reuse
Mitigation: Update to kernel 6.1.77+; disable nf_tables if unused; apply vendor patches (e.g., Ubuntu USN-6190-1)

Organizations should scan environments using tools like Lynis or OpenVAS for vulnerable kernels and apply mitigations per vendor guidance.

If updates are unavailable, CISA advises discontinuing use of affected products. This incident highlights the risks of legacy Linux deployments in hybrid clouds, where attackers increasingly target open-source flaws for high-impact ransomware.
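A minimal version of the inventory check described above, written here as an added example rather than code from CISA or any of the scanners mentioned. It parses a `uname -r` style release string, compares it with the 6.1.77 threshold given in the table, and looks for the nf_tables module in `/proc/modules` output; the module listing and the fallback release string are constructed sample data, and the function names are my own.

```python
import re

# Minimum kernel version named in the advisory text above. A bare version compare
# cannot see distribution backports, so treat "below" as "review", not "proven vulnerable".
MIN_PATCHED = (6, 1, 77)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_release(release: str) -> tuple[int, int, int]:
    """Turn a `uname -r` string such as '5.15.0-91-generic' into (major, minor, patch)."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def kernel_below_fix(release: str, minimum: tuple[int, int, int] = MIN_PATCHED) -> bool:
    """True when the reported version predates the first fixed upstream release."""
    return parse_kernel_release(release) < minimum


def nf_tables_loaded(proc_modules_text: str) -> bool:
    """/proc/modules lists one module per line with the module name in the first column."""
    return any(
        line.split(" ", 1)[0] == "nf_tables"
        for line in proc_modules_text.splitlines()
        if line.strip()
    )


def assess(release: str, proc_modules_text: str) -> dict:
    """Combine the two signals into a triage verdict for one host."""
    below = kernel_below_fix(release)
    loaded = nf_tables_loaded(proc_modules_text)
    if below and loaded:
        verdict = "exposed: kernel predates fix and nf_tables is loaded"
    elif below:
        verdict = "kernel predates fix; nf_tables not loaded (confirm vendor backport status)"
    else:
        verdict = "kernel at or above 6.1.77 by version number (confirm distro advisory)"
    return {"release": release, "below_fix": below, "nf_tables_loaded": loaded, "verdict": verdict}


# Constructed sample data standing in for /proc/modules on a host with nftables in use.
SAMPLE_MODULES = """\
nf_tables 245760 1 nft_compat, Live 0x0000000000000000
nfnetlink 20480 2 nf_tables,nft_compat, Live 0x0000000000000000
ext4 978944 1 - Live 0x0000000000000000
"""

if __name__ == "__main__":
    import subprocess
    from pathlib import Path

    try:
        release = subprocess.run(["uname", "-r"], capture_output=True, text=True, check=True).stdout
        modules = Path("/proc/modules").read_text()
    except (OSError, subprocess.CalledProcessError):
        # Not on Linux (or no permission): fall back to the constructed sample.
        release, modules = "5.15.0-91-generic", SAMPLE_MODULES
    print(assess(release, modules))
```

The version compare is only a first filter: Debian and Ubuntu ship kernels whose `uname -r` (for example `6.1.0-18-amd64`) does not reveal the upstream stable point release, and both vendors backport fixes, so a host flagged here should be confirmed against the distribution advisory (such as the Ubuntu USN cited in the table) before being treated as vulnerable.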

As exploitation evolves, proactive kernel hardening, such as enabling SELinux and monitoring netfilter logs, remains essential to thwart these stealthy threats.


The post CISA Warns of Linux Kernel Use-After-Free Vulnerability Exploited in Attacks to Deploy Ransomware appeared first on Cyber Security News.

WordPress Plugin Vulnerability Exposes 7 Million Sites to XSS Attack https://cybersecuritynews.com/wordpress-litespeed-cache-plugin-vulnerability/ Wed, 29 Oct 2025 16:01:26 +0000 https://cybersecuritynews.com/?p=131647

The post WordPress Plugin Vulnerability Exposes 7 Million Sites to XSS Attack appeared first on Cyber Security News.

A critical cross-site scripting (XSS) vulnerability has been discovered in the popular LiteSpeed Cache plugin for WordPress, affecting millions of websites worldwide.

The vulnerability, tracked as CVE-2025-12450, poses a significant risk to site visitors and administrators alike.

The LiteSpeed Cache plugin is one of the most widely used performance optimization tools in the WordPress ecosystem, with over 7 million active installations.

The plugin helps websites load faster by caching content and optimizing server responses. However, the newly discovered flaw undermines site security by allowing attackers to inject malicious scripts into web pages served by the plugin.

Understanding the Vulnerability

The vulnerability stems from insufficient input sanitization and output escaping in the plugin’s URL handling. This means the plugin fails to properly clean user-supplied data before displaying it on web pages.

Attackers can exploit this weakness by crafting specially designed links and tricking users into clicking them.

When a user clicks a malicious link, arbitrary JavaScript code executes in their browser, potentially stealing sensitive information, session cookies, or performing unauthorized actions on their behalf.

The reflected XSS attack requires user interaction, making it less severe than stored XSS variants, but still dangerous. Attackers typically distribute these malicious links through email, social media, or compromised websites.

Users who click on these links while logged into their WordPress sites become vulnerable to account hijacking or data theft.

The vulnerability, uncovered by Nicholas Giemsa of Trustwave, affects all versions of LiteSpeed Cache up to and including version 7.5.0.1. A patch has already been released in version 7.6, which implements proper input sanitization and output escaping.
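The defect class described above, reflecting a URL-derived value into a page without validation or escaping, shown beside the corrected handling. This is an added illustration in Python, not LiteSpeed Cache's PHP code, and the helper names, the `return` parameter and the sample inputs are constructed for the example.

```python
import html
from urllib.parse import urlparse

# Hypothetical helpers modelling a "back" link built from a query-string value
# such as ?return=<value>. None of this is the plugin's own code.


def render_link_unsafe(return_url: str) -> str:
    """Reflects the parameter verbatim into an attribute: the CWE-79 pattern above."""
    return f'<a href="{return_url}">Back</a>'


ALLOWED_SCHEMES = {"http", "https"}


def safe_return_url(candidate: str, default: str = "/") -> str:
    """Input validation for a URL value.

    Accept absolute http(s) URLs and site-relative paths; fall back to a safe
    default for anything else (javascript:, data:, protocol-relative //host, garbage).
    """
    parsed = urlparse(candidate)
    if parsed.scheme:
        return candidate if parsed.scheme.lower() in ALLOWED_SCHEMES else default
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return default


def render_link_safe(return_url: str) -> str:
    """Validate first, then escape for the HTML attribute context (quote=True covers " and ')."""
    return f'<a href="{html.escape(safe_return_url(return_url), quote=True)}">Back</a>'


if __name__ == "__main__":
    # Constructed sample inputs: a benign relative path and a value that closes the attribute.
    for value in ("/wp-admin/", '/search?q="', "javascript:alert(1)"):
        print("unsafe:", render_link_unsafe(value))
        print("safe:  ", render_link_safe(value))
```

The two steps are independent and both are needed: scheme validation stops a URL that is harmless as text but dangerous as a link target, while attribute escaping stops a value from breaking out of the `href` context. A WAF, as the article suggests, can blunt common payloads but does not replace fixing the output path.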

CVE ID: CVE-2025-12450
CVSS Score: 6.1 (Medium)
Vulnerability Type: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Affected Versions: Up to 7.5.0.1

WordPress site administrators should immediately update their plugins to version 7.6 or newer to close this security gap.

The CVSS score of 6.1 (Medium severity) reflects the vulnerability’s potential impact. While not classified as critical, the widespread use of this plugin means millions of websites could be at risk if administrators delay applying the patch.

Website administrators using the LiteSpeed Cache plugin should prioritize updating to version 7.6 immediately through the WordPress plugin dashboard.

Additionally, they should monitor their sites for suspicious activity and consider implementing Web Application Firewalls (WAF) to add an extra layer of protection against XSS attacks.

