
Overview

  • Fortinet
  • FortiWeb

Published: 18 Nov 2025
Updated: 21 Nov 2025

CVSS v3.1: MEDIUM (6.7)
EPSS: 2.42%

Description

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.

Statistics

  • 4 Posts
  • 210 Interactions

Last activity: 14 hours ago

Fediverse


BINGO TIME! With CVE-2025-58034, Fortinet secures the crown in my Insecurity Appliance Bingo. This is technically a "high" severity vuln, but since it's being actively exploited and has landed a spot on CISA KEV, I'm admitting it.

cku.gt/appbingo25

Reaching a bingo took longer than expected, with Fortinet and Ivanti sitting at 5/6 vulns since about July. But now, there is a well-deserved winner.

I'm now taking new vuln class and vendor suggestions for next year's edition.

  • 88
  • 98
  • 1
  • 20h ago

Bluesky

We now have a (draft) @metasploit-r7.bsky.social exploit module for the recent Fortinet FortiWeb vulns, chaining CVE-2025-64446 (auth bypass) + CVE-2025-58034 (command injection) to achieve unauthenticated RCE with root privileges: github.com/rapid7/metas...
  • 9
  • 15
  • 0
  • 14h ago
#Fortinet warns of a new vulnerability, CVE-2025-58034, exploited in the wild on #FortiWeb 🛡️ Medium severity, CVSS score 6.7/10. An authenticated attacker can execute malicious OS commands. #CyberSecurity #InnovationIA #IAÉthique https://kntn.ly/4db6a027
  • 0
  • 0
  • 0
  • 20h ago

Overview

  • Oracle Corporation
  • Identity Manager

Published: 21 Oct 2025
Updated: 21 Nov 2025

CVSS v3.1: CRITICAL (9.8)
EPSS: 0.07%

Description

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Statistics

  • 10 Posts
  • 10 Interactions

Last activity: 1 hour ago

Fediverse


sev:CRIT EITW CVE in Oracle Fusion.

cve.org/CVERecord?id=CVE-2025-

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

  • 2
  • 4
  • 0
  • 6h ago

Friday adds make me shed a tear.

At least @runZeroInc pushed out a Rapid Response yesterday for
CVE-2025-61757. If you're on your way out the door, glance at your dashboard now to know what's up with your exposure.

  • 0
  • 1
  • 0
  • 6h ago

Oracle Identity Manager CRITICAL vuln (CVE-2025-61757): attackers can bypass auth by adding ";.wadl" to URLs — RCE possible via crafted POSTs. Active scanning seen before patch. Patch ASAP & monitor for ".wadl" patterns! radar.offseq.com/threat/oracle

  • 0
  • 0
  • 0
  • 23h ago
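The ";.wadl" trick in the post above belongs to a broader class: one component (an authorization filter) reads the request path verbatim, while another (the servlet router) reads it after dropping `;param` path parameters from the segment, so the two disagree about which endpoint is being hit. The example below is added here and is not Oracle's code or anything from the advisory. It models a naive "public descriptor" exemption beside a hardened one, then scans constructed access-log lines for the two suffixes this page names (";.wadl" and "?WSDL"). The paths, the allowlist and the log lines are constructed, and the filter design is an assumption about the bug class, not a description of Oracle Identity Manager's internals.

```javascript
// Added example, not Oracle's code. Models the auth-bypass class behind the
// ";.wadl" / "?WSDL" suffix tricks and scans constructed log lines for them.

// Java servlet containers drop ';param' path parameters from a segment before
// routing. An authorization filter that matches on the raw URI therefore sees
// "/rest/users;.wadl" while the router dispatches "/rest/users".
function stripPathParameters(path) {
  return path.split('/').map((seg) => seg.split(';')[0]).join('/');
}

// Explicit allowlist of service-descriptor endpoints that may be served
// without authentication (constructed for this example).
const PUBLIC_DESCRIPTORS = new Set(['/rest/application.wadl']);

// Naive exemption: "anything that looks like a descriptor is public".
// Both the .wadl suffix and the ?WSDL query satisfy it on the raw URI.
function isExemptNaive(rawUrl) {
  const [path, query = ''] = rawUrl.split('?');
  return /\.wadl$/i.test(path) || query.toUpperCase() === 'WSDL';
}

// Hardened exemption: decide on the path the router will actually use, and
// only for endpoints on the allowlist. The query string never affects the
// decision, so "?WSDL" buys the client nothing.
function isExemptHardened(rawUrl) {
  const [path] = rawUrl.split('?');
  return PUBLIC_DESCRIPTORS.has(stripPathParameters(path));
}

// Constructed access-log lines in combined-log style.
const SAMPLE_LOG = [
  '10.0.0.5 - - [21/Nov/2025:10:00:01 +0000] "GET /rest/users HTTP/1.1" 401 -',
  '10.0.0.5 - - [21/Nov/2025:10:00:02 +0000] "GET /rest/users;.wadl HTTP/1.1" 200 1337',
  '10.0.0.7 - - [21/Nov/2025:10:00:03 +0000] "POST /rest/users?WSDL HTTP/1.1" 200 512',
  '10.0.0.9 - - [21/Nov/2025:10:00:04 +0000] "GET /rest/application.wadl HTTP/1.1" 200 2048',
];

const REQUEST_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) HTTP\/[\d.]+" (\d{3})/;

// One finding per line carrying a suffix trick. A 2xx on a URL that passes
// only the naive check is the high-signal case: the bypass worked.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    const [, ip, method, url, status] = m;
    const [path, query = ''] = url.split('?');
    const reasons = [];
    if (/;\.wadl$/i.test(path)) reasons.push('wadl-suffix');
    else if (path.includes(';')) reasons.push('path-parameter');
    if (query.toUpperCase() === 'WSDL') reasons.push('wsdl-query');
    if (reasons.length === 0) continue;
    findings.push({
      ip, method, url, status: Number(status), reasons,
      bypassed: isExemptNaive(url) && !isExemptHardened(url) && status.startsWith('2'),
    });
  }
  return findings;
}
```

The detection side is deliberately broader than the two literal suffixes: any `;` inside a path segment is worth a look on a Java application server, because it is the mechanism, not the `.wadl` spelling, that makes the filter and the router disagree.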

CISA warns Oracle Identity Manager RCE flaw is being actively exploited

[...] Cybersecurity & Infrastructure Security Agency (CISA) is warning government agencies to patch an Oracle Identity Manager flaw tracked as CVE-2025-61757 that has been exploited in attacks, potentially as a zero-day. The U.S.

bleepingcomputer.com/news/secu

  • 0
  • 0
  • 0
  • 2h ago

🚨CVE-2025-61757: Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability has been added to the CISA KEV Catalog

CVSS: 9.8
Published: 2025/10/21
Advisory: oracle.com/security-alerts/cpu

darkwebinformer.com/cisa-kev-c

  • 0
  • 0
  • 0
  • 1h ago
Another Oracle zero-day hole under attack

In October I reported on CVE-2025-61882, a zero-day vulnerability at Oracle. It was being exploited in many attacks before, and even more so after, its publication. Those attacks in turn led to data leaks. Now a security company has disclosed that it had already found another zero-day vulnerability (CVE-2025-61757) earlier and reported it to Oracle. Oracle patched it with the October updates, but honeypot logs show attacks on it as far back as 2025-08-30. It is also almost trivially easy to exploit: by appending ";.wadl" the

pc-fluesterer.info/wordpress/2

#Hintergrund #Warnung #0day #closedsource #cybercrime #exploits #hintertür #wissen

  • 1
  • 0
  • 0
  • 13h ago

Bluesky

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning government agencies to patch an Oracle Identity Manager flaw tracked as CVE-2025-61757 that has been exploited in attacks, potentially as a zero-day.
  • 1
  • 0
  • 0
  • 3h ago
Breaking Oracle’s Identity Manager: Pre-Auth RCE (CVE-2025-61757) #appsec
  • 0
  • 1
  • 2
  • 17h ago

Overview

  • Grafana
  • Grafana Enterprise

Published: 21 Nov 2025
Updated: 21 Nov 2025

CVSS v3.1: CRITICAL (10.0)
EPSS: Pending

KEV

Description

SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow it to override internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met:

  • `enableSCIM` feature flag set to true
  • `user_sync_enabled` config option in the `[auth.scim]` block set to true
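The description above is an identifier-confusion bug: a SCIM client's `externalId` is an identifier in the client's namespace, and treating a numeric one as an ID in the server's own user table lets the client rewrite whichever internal user that number names. The toy provisioning store below is added here and is not Grafana's code; it shows the vulnerable resolver beside a hardened one and a request-level check that flags the exact input the advisory warns about. The seed data (internal user 1 as admin), the field names and the store layout are constructed for the example, and the mechanism is a model of the class described, not Grafana's actual implementation.

```javascript
// Added example, not Grafana's code. A toy SCIM provisioning store showing
// the identifier-confusion class the advisory describes: a SCIM client's
// externalId must never be interpreted as an ID in the server's user table.

function makeStore() {
  return {
    // Constructed seed data: internal user 1 is the built-in admin.
    users: new Map([[1, { id: 1, login: 'admin', email: 'admin@example.test', isAdmin: true }]]),
    nextId: 2,
    byExternal: new Map(), // externalId -> internal id; used by the hardened path only
  };
}

// Vulnerable: a numeric externalId is taken as the internal user ID, so a
// SCIM PUT with externalId "1" rewrites the admin record. Login and email
// now belong to the attacker while isAdmin is carried over untouched.
function provisionVulnerable(store, scimUser) {
  const { externalId, userName, email } = scimUser;
  const id = /^\d+$/.test(externalId) ? Number(externalId) : store.nextId++;
  const existing = store.users.get(id) || { id, isAdmin: false };
  const user = { ...existing, login: userName, email };
  store.users.set(id, user);
  return user;
}

// Hardened: internal IDs are allocated only here; externalId is resolved
// through an explicit mapping and is otherwise opaque bytes. A login that
// already belongs to a different internal user is rejected, not hijacked.
function provisionHardened(store, scimUser) {
  const { externalId, userName, email } = scimUser;
  if (typeof externalId !== 'string' || externalId.length === 0) {
    throw new Error('externalId must be a non-empty string');
  }
  let id = store.byExternal.get(externalId);
  for (const u of store.users.values()) {
    if (u.login === userName && u.id !== id) {
      throw new Error(`login ${userName} already belongs to internal user ${u.id}`);
    }
  }
  if (id === undefined) {
    id = store.nextId++;
    store.byExternal.set(externalId, id);
    store.users.set(id, { id, login: userName, email, isAdmin: false });
  } else {
    store.users.set(id, { ...store.users.get(id), login: userName, email });
  }
  return store.users.get(id);
}

// Detection-style check for the input the advisory warns about: a numeric
// externalId that coincides with an existing internal user ID. Worth logging
// or alerting on at the SCIM endpoint while the patch is rolled out.
function looksLikeIdOverride(store, scimUser) {
  return /^\d+$/.test(String(scimUser.externalId)) && store.users.has(Number(scimUser.externalId));
}
```

The hardened path does two things the vulnerable one does not: it never derives an internal ID from client-supplied data, and it refuses to let a freshly provisioned identity claim a login that an existing user already holds, which is the other route from "create a user" to "become the admin".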

Statistics

  • 6 Posts
  • 4 Interactions

Last activity: Last hour

Fediverse

  • 0
  • 4
  • 0
  • 11h ago

🚨CVE-2025-41115: Grafana Privilege Escalation and User Impersonation

CVSS: 10

PoC: github.com/B1ack4sh/Blackash-C

Advisory: grafana.com/blog/2025/11/19/gr

Timeline:

2025-11-04 - Issue discovered internally
2025-11-04 - Incident declared
2025-11-05 - Cloud vendors privately notified & patched
2025-11-19 - Public disclosure and official fix released

  • 0
  • 0
  • 0
  • 11h ago

Grafana has released updates to fix a critical CVSS 10.0 SCIM vulnerability (CVE-2025-41115) in versions 12.x that could lead to user impersonation and privilege escalation if SCIM provisioning is enabled and configured with a numeric external ID. The company advises users to apply the patches promptly to mitigate these risks.
thehackernews.com/2025/11/graf

  • 0
  • 0
  • 0
  • 10h ago

Critical alert for Grafana Enterprise users: A maximum severity vulnerability (CVE-2025-41115) allows full admin takeover via SCIM. Patch immediately if you're on versions 12.0.0-12.2.1. redteamnews.com/red-team/cve/g

  • 0
  • 0
  • 1
  • 9h ago

🚩 CVE-2025-41115: CRITICAL in Grafana Enterprise 12.0.0. SCIM provisioning flaw enables user impersonation & privilege escalation if enabled. Disable SCIM features & monitor for updates. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • Last hour

Overview

  • Google
  • Chrome

Published: 17 Nov 2025
Updated: 20 Nov 2025

CVSS: Pending
EPSS: 30.74%

Description

Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Statistics

  • 5 Posts
  • 1 Interaction

Last activity: 11 hours ago

Fediverse

Google has patched a new zero-day flaw exploited in the Chrome browser (CVE-2025-13223) it-connect.fr/google-chrome-pa #ActuCybersécurité #Cybersécurité #Vulnérabilité #Chrome #Google

  • 0
  • 0
  • 0
  • 16h ago

Bluesky

🛑 Patch Google Chrome 🔎 Google has patched a new zero-day flaw already being exploited in the Chrome browser (CVE-2025-13223). As is often the case, it sits in the V8 JavaScript engine. More info here 👇 www.it-connect.fr/google-chrom... #GoogleChrome #infosec #cybersecurity
  • 0
  • 1
  • 0
  • 20h ago
CVE-2025-13223 is a flaw in the Chromium V8 JavaScript engine that poses significant risks to users worldwide, potentially enabling remote code execution and data breaches. Discovered and patched by Google on November 19, 2025, the issue affects Chrome versions before 131.0.6778.72.
  • 0
  • 0
  • 0
  • 11h ago
🚨 Important Security Alert for #openSUSE Users 🚨 A mandatory Chromium update is available to address critical type confusion bugs in the V8 JavaScript engine (CVE-2025-13223 & CVE-2025-13224). These flaws could allow remote code execution. Read more: 👉 tinyurl.com/vkcekvuv #Security
  • 0
  • 0
  • 0
  • 15h ago
🔐 Critical #openSUSE Chromium Patch Alert The latest Chromium update for openSUSE addresses two significant vulnerabilities: CVE-2025-13223 and CVE-2025-13224. Read more: 👉 tinyurl.com/3j8sbr3x #Security
  • 0
  • 0
  • 0
  • 15h ago

Overview

  • Fortinet
  • FortiWeb

Published: 14 Nov 2025
Updated: 20 Nov 2025

CVSS v3.1: CRITICAL (9.4)
EPSS: 70.44%

Description

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

Statistics

  • 2 Posts
  • 25 Interactions

Last activity: 14 hours ago

Bluesky

We now have a (draft) @metasploit-r7.bsky.social exploit module for the recent Fortinet FortiWeb vulns, chaining CVE-2025-64446 (auth bypass) + CVE-2025-58034 (command injection) to achieve unauthenticated RCE with root privileges: github.com/rapid7/metas...
  • 9
  • 15
  • 0
  • 14h ago
🚨 Fortinet FortiWeb Exploitation Alert 🚨 Threat actors are abusing a critical auth-bypass flaw (CVE-2025-64446) to gain admin access, create rogue accounts, alter configs & wipe logs. Check IoCs + mitigation steps in our full advisory 👇 📄 www.sequretek.com/resources/th... #CyberSecurity
  • 0
  • 1
  • 0
  • 15h ago

Overview

  • SonicWall
  • SonicOS

Published: 20 Nov 2025
Updated: 20 Nov 2025

CVSS: Pending
EPSS: 0.05%

KEV

Description

A stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause a Denial of Service (DoS), which could cause an impacted firewall to crash.

Statistics

  • 3 Posts

Last activity: 11 hours ago

Fediverse


Tracked as CVE-2025-40601, this denial-of-service vulnerability is caused by a stack-based buffer overflow impacting Gen8 and Gen7 (hardware and virtual) firewalls. bleepingcomputer.com/news/secu

  • 0
  • 0
  • 1
  • 14h ago

Bluesky

SonicWall patched a high-severity SonicOS SSLVPN flaw (CVE-2025-40601) allowing unauthenticated DoS attacks on Gen7/Gen8 firewalls. No exploits seen, but users should update ASAP. 🔒 #CyberSecurity #SonicWall #InfoSec
  • 0
  • 0
  • 0
  • 11h ago

Overview

  • Microsoft
  • Microsoft SharePoint Online

Published: 20 Nov 2025
Updated: 21 Nov 2025

CVSS v3.1: CRITICAL (9.8)
EPSS: 0.37%

KEV

Description

Microsoft SharePoint Online Elevation of Privilege Vulnerability

Statistics

  • 3 Posts

Last activity: Last hour

Fediverse

Risk averted for millions of Microsoft users! The critical 9.8 flaw in Microsoft SharePoint

Microsoft has disclosed a critical vulnerability in SharePoint Online (spotted by RHC thanks to the constant monitoring of critical CVEs on our portal), identified as CVE-2025-59245, with a CVSS v3.1 score of 9.8/10.

The flaw concerns deserialization of untrusted data (CWE-502) and allows a remote attacker to obtain an elevation of privilege without needing credentials or user interaction. If actively exploited by cybercriminals, this vulnerability could put millions of users at risk.

The episode underlines how, after the incidents affecting cloud services such as AWS, Azure and Cloudflare, the cloud is increasingly becoming a "single point of failure", where a single critical bug can compromise enormous amounts of corporate and personal data.

Attack method and impact

The vulnerability exploits deserialization of data coming from untrusted sources. In practice, an attacker can manipulate serialized objects that SharePoint Online deserializes insecurely, gaining the ability to execute arbitrary code or elevate their privileges. This makes administrative control over the platform possible, compromising documents, business workflows and sensitive data. The CVSS score reflects both the ease of exploitation and the severe impact on confidentiality, integrity and availability.

Spread and business context

SharePoint Online is a cloud service widely used by companies, public administrations and international organizations for document management and collaboration. The compromise of a tenant can lead to unauthorized data access, document manipulation and operational disruption, with potential legal and reputational consequences. The absence of authentication and user-interaction requirements further increases the risk of remote exploitation.

The vulnerability was reserved on NVD in September 2025 and officially published on 20 November 2025, with an update on 21 November. Microsoft has included it in its Security Update Guide, but at the time of publication neither public exploits nor patches were available. Since the service is cloud-based, the management of mitigations and updates depends directly on the provider, making monitoring by organizations crucial.

Recommended protective measures

Even though SharePoint Online is a cloud service and Microsoft will apply the patches directly on the server side, organizations must not lower their guard. It is essential to verify the state of your tenant, monitor for suspicious activity and make sure that access controls, privileges and API integrations are configured correctly. These measures reduce the residual risk arising from misconfigurations or from any exploitation attempts made before the patch was applied, thus safeguarding corporate data even in managed cloud environments.

Conclusion: urgency and prevention

CVE-2025-59245 highlights how critical enterprise cloud security is.

With a score of 9.8, exploitable remotely without authentication, the vulnerability represents a real danger to the confidentiality, integrity and availability of data. Organizations and administrators must act now, implementing controls, mitigations and constant monitoring to prevent unauthorized access and possible operational or reputational damage.

The article Risk averted for millions of Microsoft users! The critical 9.8 flaw in Microsoft SharePoint originally appeared on Red Hot Cyber.

  • 0
  • 0
  • 1
  • 11h ago

Bluesky

CVE-2025-59245 Microsoft SharePoint Online Elevation of Privilege Vulnerability scq.ms/3LTVP9x #cybersecurity #SecQube
  • 0
  • 0
  • 0
  • Last hour

Overview

  • Unknown
  • W3 Total Cache

Published: 17 Nov 2025
Updated: 17 Nov 2025

CVSS: Pending
EPSS: 0.83%

KEV

Description

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.

Statistics

  • 3 Posts

Last activity: 12 hours ago

Fediverse

Critical vulnerability in the W3 Total Cache WordPress plugin. 430,000 sites at risk!

A critical vulnerability, CVE-2025-9501, has been discovered in the popular W3 Total Cache WordPress plugin. This vulnerability allows the execution of arbitrary PHP commands on the server without authentication. To carry out the attack, it is enough to leave a comment containing the payload on the vulnerable site.

The problem affects all versions of the plugin before 2.8.13 and is related to the _parse_dynamic_mfunc() function, which handles dynamic function calls in cached content.

According to WPScan analysts, an attacker can inject commands through this function simply by posting a specially crafted comment on a website. Successful exploitation of the bug gives the attacker complete control over the site, allowing them to run any command on the server.

W3 Total Cache is one of the most popular WordPress performance-optimization plugins, installed on over a million websites. The plugin's developers released a patched version, 2.8.13, on 20 October 2025. However, according to WordPress.org statistics, the plugin has been downloaded about 430,000 times since then, which means hundreds of thousands of websites are still vulnerable to CVE-2025-9501.

WPScan researchers have developed a proof-of-concept exploit but plan to publish it only on 24 November 2025, to give website administrators more time to update. This is because, after a proof-of-concept exploit is published, attackers typically begin a massive hunt for vulnerable targets and attack them.

Site administrators are advised to update W3 Total Cache to version 2.8.13 as soon as possible. If updating is not possible, it is advisable to deactivate the plugin or take measures to prevent comments from being used to deliver payloads (for example, disable comments on the site or enable pre-moderation).

The article Critical vulnerability in the W3 Total Cache WordPress plugin. 430,000 sites at risk! originally appeared on Red Hot Cyber.

  • 0
  • 0
  • 0
  • 20h ago

This Week in Security: Cloudflare Wasn’t DNS, BADAUDIO, and Not a Vuln

You may have noticed that large pieces of the Internet were down on Tuesday. It was a problem at Cloudflare, and for once, it wasn’t DNS. This time it was database management, combined with a safety limit that failed unsafe when exceeded.

Cloudflare’s blog post on the matter has the gritty details. It started with an update to how Cloudflare’s ClickHouse distributed database was responding to queries. A query of system columns was previously only returning data from the default database. As a part of related work, that system was changed so that this query now returned all the databases the given user had access to. In retrospect it seems obvious that this could cause problems, but it wasn’t predicted to cause problems. The result was that a database query to look up bot-management features returned the same features multiple times.

That featurelist is used to feed the Cloudflare bot classification system. That system uses some AI smarts, and runs in the core proxy system. There are actually two versions of the core proxy, and they behaved a bit differently when the featurelist exceeded the 200 item limit. When the older version failed, it classified all traffic as a bot. The real trouble was the newer Rust code. That version of the core proxy threw an error in response, leading to 5XX HTTP errors, and the Internet-wide fallout.

Dangling Azure


There’s a weird pitfall with cloud storage when a storage name is used and then abandoned. It’s very much like what happens when a domain name is used and then allowed to expire: Someone else can come along and register it. Microsoft Azure has its own variation on this, in the form of Azure blob storage. And the folks at Eye Security’s research team found one of these floating blobs in an unexpected place: In Microsoft’s own Update Health Service.

The 1.0 version of this tool was indeed exploitable. A simple payload hosted on one of these claimed blob endpoints could trigger an explorer.exe execution with an arbitrary parameter, meaning trivial code execution. The 1.1 version of the Update Health Service isn’t vulnerable by default, requiring a registry change before reaching out to the vulnerable blob locations. That said, there are thousands of machines looking to these endpoints that would be vulnerable to takeover. After the problem was reported, Microsoft took over the blob names to prevent any future misuse.

BADAUDIO


There’s a new malware strain from APT24, going by the name BADAUDIO. Though “new” is a bit of a misnomer here, as the first signs of this particular malware were seen back in 2022. What is new is the Google Threat Intelligence reporting on it. The campaign uses multiple techniques, from compromising existing websites to serve the malware in “watering hole” attacks, to spam and spearphishing.

Notable here is how obfuscated the BADAUDIO malware loader is, using control flow flattening to resist analysis. First consider how good code uses functions to group code into logical blocks. This technique does the opposite, putting code into blocks randomly. The primary mechanism for execution is DLL sideloading, where a legitimate application is run with a malicious DLL in its search path, again primarily to avoid detection. It’s an extraordinarily sneaky bit of malware.

Don’t Leave The Defaults


There’s an RCE (Remote Code Execution) in the W3 Total Cache WordPress plugin. The vulnerability is an eval() that can be reached by putting code in a page to be cached. So if a WordPress site allows untrusted comments, and has caching enabled, there’s just one more hurdle to clear. And that is the W3TC_DYNAMIC_SECURITY value, which seems to be intended to stave off exactly this sort of weakness. So here’s the lesson, don’t leave this sort of security feature default.

Not a Vulnerability


We have a trio of stories that aren’t technically vulnerabilities. The first two are in the mPDF library, that takes HTML code and generates PDFs — great for packaging documentation. The first item of interest in mPDF is the handling of @import css rules. Interestingly, these statements seem to be evaluated even outside of valid CSS, and are handled by passing the URL off to curl to actually fetch the remote content. Those URLs must end in .css, but there’s no checking whether that is in a parameter or not. So evil.org/?.css is totally valid. The use of curl is interesting for another reason, that the Gopher protocol allows for essentially unrestricted TCP connections.

The next quirk in mPDF is in how .svg files are handled. Specifically, how an image xlink inside an svg behaves, when it uses the phar:// or php:// prefixes. These are PHP Archive links, or a raw php link, and the mPDF codebase already guards against such shenanigans, matching links starting with either prefix. The problem here is that there’s path mangling that happens after that guard code. To skip straight to the punchline, :/phar:// and :/php:// will bypass that filter, and potentially run code or leak information.

Now the big question: Why is neither of those a vulnerability? Even when one is a bypass for a CVE fix from 2019? Because mPDF is only to be used with sanitized input, and does not do that sanitization as part of its processing. And that does check out. It’s probably the majority of tools and libraries that will do something malicious if fed malicious input.

There’s one more “vulnerable” library, esbuild, that has an XSS (Cross Site Scripting) potential. It comes down to the use of escapeForHTML(), and the fact that function doesn’t sanitize quotation marks. Feed that malicious text, and the unescaped quotation mark allows for plenty of havoc. So why isn’t this one a vulnerability? Because the text strings getting parsed are folder names. And if you can upload an arbitrary folder to the server where esbuild runs, you already have plenty of other ways to run code.

Bits and Bytes


There’s another Fortinet bug being exploited in the wild, though this one was patched with FortiWeb 8.0.2. This one gets the WatchTowr treatment. It’s a path traversal that bypasses any real authentication. There are a couple of validation checks that are straightforward to meet, and then the cgi_process() API can be manipulated as any user without authentication. Ouch.

The Lite XL text editor seems pretty nifty, running on Windows, Linux, and macOS, and supporting lua plugins for extensibility. That Lua code support was quite a problem, as opening a project would automatically run the .lua configuration files, allowing direct use of os.execute(). Open a malicious project, run malicious code.

And finally, sometimes it’s the easy approach that works the best. [Eaton] discovered a Cracker Barrel administrative panel built in React JS, and all it took to bypass authentication was to set isAuthenticated = true in the local browser. [Eaton] started a disclosure process, and noticed the bug had already been fixed, apparently discovered independently.

Dogfooding is usually a good thing: That’s when a company uses their own code internally. It’s not so great when it’s a cloud company, and that code has problems. Oracle had this exact problem, running the Oracle Identity Governance Suite. It had a few authentication bypasses, like the presence of ?WSDL or ;.wadl at the end of a URL. Ah, Java is magical.

hackaday.com/2025/11/21/this-w…

  • 0
  • 0
  • 0
  • 12h ago

Bluesky

Critical vulnerability in the W3 Total Cache WordPress plugin. 430,000 sites at risk! 📌 Link to the article: www.redhotcyber.com/post/vul... #redhotcyber #news #wordpress #vulnerabilita #cybersecurity #hacking #w3totalcache #cve20259501 #php #sicurezzainformatica #infosec
  • 0
  • 0
  • 0
  • 20h ago

Overview

  • Google
  • Chrome

Published: 10 Sep 2025
Updated: 11 Sep 2025

CVSS: Pending
EPSS: 0.08%

KEV

Description

Use after free in Serviceworker in Google Chrome on Desktop prior to 140.0.7339.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 18 hours ago

Fediverse

Crash fixes: Vivaldi browser Snapshot 3872.3

Changelog

  • [Overview page] Cannot focus with F9 (VB-122092)
  • [Overview page] Show "Checking for updates" while checking (VB-121417)
  • [Auto update] Check for snapshot updates every 12 hours (Mac) (VB-121850)
  • [Bookmarks] Show only folders in the popup (VB-121800)
  • [Chromium] Updated to 142.0.7444.180 (includes the fix for the CVE-2025-10200 vulnerability)
  • [Commands] Command to focus a panel does not work (VB-104364)
  • [Commands] "Copy page address" command is not shown (VB-120369)
  • [Crash] Crash when testing a command chain with "Toggle Developer Tools" (VB-121951)
  • [Crash] Crash when dragging a tiled stack out of the window (VB-121855)
  • [Crash] Crash while importing Chromium extensions (VB-122171)
  • [Crash] Crash when trying to minimize a window (VB-122147)
  • [Crash] Occasional crash when activating a window (VB-121890)
  • [Crash] Importing mail homepage and autofill data (VB-121908)
  • [Crash][Ad blocker] Crash while requesting a filtering operation (VB-121723)
  • [Crash][Ad blocker] Crash related to the blocker popup (VB-121919)
  • [Crash][Address bar][macOS] Crash when typing certain words (VB-121517)
  • [Crash][VPN] Crash when trying to install in a private window (VB-121884)
  • [Crash][macOS] Crash when closing a tab while the autofill bubble is shown (VB-121832)
  • [Feeds][Import] Feed import UI is shown in the wrong place (VB-121605)
  • [Find in page] Cannot follow the selected link (VB-120955)
  • [macOS] Blank space shown in the native window tab bar (VB-121905)
  • [Mail] When trying to delete one message from multiple IMAP inboxes, the UI does not appear with the default option selected (VB-120143)
  • [Mail] Changing the list sort order is not reflected in the list until a message is selected (VB-121577)
  • [Mail] Address bar is hidden behind the buttons when tabs are placed on the right (VB-121847)
  • [Mail][Settings] Allow mail to be used in multiple tabs and windows (VB-120089)
  • [Menus] Context menu shows "Go to http://…" whichever word is selected (VB-120669)
  • [Menus] Menu opens in the inactive window when using a hotkey (VB-104760)
  • [Menus] Vivaldi menu does not close when clicked a second time (VB-121902)
  • [Privacy dashboard] Cannot reach the links at the bottom with the Tab key (VB-121576)
  • [Settings] Improvements and fixes to website permission settings (VB-114658)
  • [Settings][History] Saving browsing history does not work (VB-121871)
  • [Start page] Removing the last dashboard widget shows an empty page (VB-121512)
  • [Start page] Adding a bookmark via the dashboard makes the widget disappear (VB-121760)
  • [Start page][Bookmarks] Folder selector is shown on every restart (VB-121861)
  • [Start page][Widgets] TypeError: cannot read properties of undefined (VB-121881)
  • [Start page] Auto-expand on mouse hover (VB-120930)
  • [Start page] Cannot switch tabs while the cursor is over the page (VB-121882)
  • [Thumbnails] Update thumbnail when the page loads (VB-120589)
  • [Toolbar] Add a "Share" button (VB-121758)

Download (3872.3)

Main photo by Gareth Harrison

Translation: Mayumi
Team Vivaldi
X | Mastodon | Facebook | Instagram | note

https://vivaldi.com/ja/blog/desktop/desktop-snapshots/crash-fixes-vivaldi-browser-snapshot-3872-3/

  • 1
  • 0
  • 0
  • 18h ago

Overview

  • dajiaji
  • hpke-js

Published: 21 Nov 2025
Updated: 21 Nov 2025

CVSS v3.1: CRITICAL (9.1)
EPSS: Pending

KEV

Description

hpke-js is a Hybrid Public Key Encryption (HPKE) module built on top of Web Cryptography API. Prior to version 1.7.5, the public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages. This issue has been patched in version 1.7.5.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 2 hours ago

Fediverse


🔥 CVE-2025-64767 (CRITICAL, CVSS 9.1): hpke-js <1.7.5 suffers AEAD nonce reuse via race condition in Seal(), risking full message compromise. Patch to 1.7.5+ ASAP—no known exploits yet! radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 2h ago