remote code execution | Breaking Cybersecurity News | The Hacker News

Redis has disclosed details of a maximum-severity security flaw in its in-memory database software that could result in remote code execution under certain circumstances. The vulnerability, tracked as CVE-2025-49844 (aka RediShell), has been assigned a CVSS score of 10.0. "An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution," according to a GitHub advisory for the issue. "The problem exists in all versions of Redis with Lua scripting." However, for exploitation to be successful, it requires an attacker to first gain authenticated access to a Redis instance, making it crucial that users don't leave their Redis instances exposed to the internet and secure them with strong authentication. The issue impacts all versions of Redis. It has been addressed in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2 released on October 3, 2025. As tempor...

CrowdStrike on Monday said it's attributing the exploitation of a recently disclosed security flaw in Oracle E-Business Suite with moderate confidence to a threat actor it tracks as Graceful Spider (aka Cl0p ), and that the first known exploitation occurred on August 9, 2025. The malicious activity involves the exploitation of CVE-2025-61882 (CVSS score: 9.8), a critical vulnerability that facilitates remote code execution without authentication. The cybersecurity company also noted that it's currently not known how a Telegram channel "insinuating" collaboration between Scattered Spider, LAPSUS$ (aka Slippy Spider), and ShinyHunters came into the possession of an exploit for the flaw, and if they and other threat actors have leveraged it in real-world attacks. The Telegram channel has been observed sharing the purported Oracle EBS exploit, while criticizing Graceful Spider's tactics. It's worth noting that the binaries dropped by the Cl0p actors contain...

Cybersecurity company watchTowr Labs has disclosed that it has "credible evidence" of active exploitation of the recently disclosed security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software as early as September 10, 2025, a whole week before it was publicly disclosed. "This is not 'just' a CVSS 10.0 flaw in a solution long favored by APT groups and ransomware operators – it is a vulnerability that has been actively exploited in the wild since at least September 10, 2025," Benjamin Harris, CEO and Founder of watchTowr, told The Hacker News. The vulnerability in question is CVE-2025-10035 , which has been described as a deserialization vulnerability in the License Servlet that could result in command injection without authentication. Fortra GoAnywhere version 7.8.4, or the Sustain Release 7.6.3, was released by Fortra last week to remediate the problem. According to an analysis released by watchTowr earlier this week, the vulnerability has ...

Cisco is urging customers to patch two security flaws impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, which it said have been exploited in the wild. The zero-day vulnerabilities in question are listed below - CVE-2025-20333 (CVSS score: 9.9) - An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests CVE-2025-20362 (CVSS score: 6.5) - An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending crafted HTTP requests Cisco said it's aware of "attempted exploitation" of both vulnerabilities, but did not reveal who may be behind it, ...

Cisco has warned of a high-severity security flaw in IOS Software and IOS XE Software that could allow a remote attacker to execute arbitrary code or trigger a denial-of-service (DoS) condition under specific circumstances. The company said the vulnerability, CVE-2025-20352 (CVSS score: 7.7), has been exploited in the wild, adding it became aware of it "after local Administrator credentials were compromised." The issue, per the networking equipment major, is rooted in the Simple Network Management Protocol (SNMP) subsystem, arising as a result of a stack overflow condition. An authenticated, remote attacker could exploit the flaw by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks, resulting in DoS if they have low privileges or arbitrary code execution as root if they have high privileges and ultimately take control of the susceptible system. However, Cisco noted that for this to happen, the following conditions need to be met - To caus...

SolarWinds has released hot fixes to address a critical security flaw impacting its Web Help Desk software that, if successfully exploited, could allow attackers to execute arbitrary commands on susceptible systems. The vulnerability, tracked as CVE-2025-26399 (CVSS score: 9.8), has been described as an instance of deserialization of untrusted data that could result in code execution. It affects SolarWinds Web Help Desk 12.8.7 and all previous versions. "SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine," SolarWinds said in an advisory released on September 17, 2025. An anonymous researcher working with the Trend Micro Zero Day Initiative (ZDI) has been credited with discovering and reporting the flaw. SolarWinds said CVE-2025-26399 is a patch bypass for CVE-2024-28988 (CVSS score: 9.8), which, in turn, ...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of two sets of malware that were discovered in an unnamed organization's network following the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM). "Each set contains loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server," CISA said in an alert. The vulnerabilities that were exploited in the attack include CVE-2025-4427 and CVE-2025-4428 , both of which have been abused as zero-days prior to them being addressed by Ivanti in May 2025. While CVE-2025-4427 concerns an authentication bypass that allows attackers to access protected resources, CVE-2025-4428 enables remote code execution. As a result, the two flaws could be chained to execute arbitrary code on a vulnerable device without authentication. According to CISA, the threat actors gained access to server running EPMM by combing the two vulner...

Cybersecurity researchers have disclosed multiple critical security vulnerabilities in Chaos Mesh that, if successfully exploited, could lead to cluster takeover in Kubernetes environments. "Attackers need only minimal in-cluster network access to exploit these vulnerabilities, execute the platform's fault injections (such as shutting down pods or disrupting network communications), and perform further malicious actions, including stealing privileged service account tokens," JFrog said in a report shared with The Hacker News. Chaos Mesh is an open-source cloud-native Chaos Engineering platform that offers various types of fault simulation and simulates various abnormalities that might occur during the software development lifecycle. The issues, collectively called Chaotic Deputy, are listed below - CVE-2025-59358 (CVSS score: 7.5) - The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes clus...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2025-5086 , carries a CVSS score of 9.0 out of 10.0. According to Dassault, the issue impacts versions from Release 2020 through Release 2025. "Dassault Systèmes DELMIA Apriso contains a deserialization of untrusted data vulnerability that could lead to a remote code execution," the agency said in an advisory. The addition of CVE-2025-5086 to the KEV catalog comes after the SANS Internet Storm Center reported seeing exploitation attempts targeting the flaw that originate from the IP address 156.244.33[.]162 , which geolocates to Mexico. The attacks involve sending an HTTP request to the "/apriso/WebServices/FlexNetOperationsService.sv...

Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release. Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day. Like last month , 38 of the disclosed flaws are related to privilege escalation, followed by remote code execution (22), information disclosure (14), and denial-of-service (3). "For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws," Satnam Narang, senior staff research engineer at Tenable, said. "Nearly 50% (47.5%) of all bugs this month are privilege escalation vulnerabilities." The patches are in addition to 12 vulnerabilities addressed in Microsoft's Chromium-based Edge browser since the release of August 2025's Patch Tuesday update, including a securit...

Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild. The vulnerability , tracked as CVE-2025-53690 , carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. "Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said . "This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution." Google-owned Mandiant, which discovered the active ViewState deserialization attack, said the activity leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. The threat intelligence team ...

Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks. The vulnerabilities are listed below - CVE-2025-38352 (CVSS score: 7.4) - A privilege escalation flaw in the Linux Kernel component  CVE-2025-48543 (CVSS score: N/A) - A privilege escalation flaw in the Android Runtime component Google said both vulnerabilities could lead to local escalation of privilege with no additional execution privileges needed. It also noted that no user interaction is required for exploitation. The tech giant did not reveal how the issues have been weaponized in real-world attacks and if they are being put to use in tandem, but acknowledged there are indications of "limited, targeted exploitation." Benoît Sevens of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the upstream Lin...

Three new security vulnerabilities have been disclosed in the Sitecore Experience Platform that could be exploited to achieve information disclosure and remote code execution.  The flaws, per watchTowr Labs , are listed below - CVE-2025-53693 - HTML cache poisoning through unsafe reflections CVE-2025-53691 - Remote code execution (RCE) through insecure deserialization CVE-2025-53694 - Information Disclosure in ItemService API with a restricted anonymous user, leading to exposure of cache keys using a brute-force approach Patches for the first two shortcomings were released by Sitecore in June and for the third in July 2025 , with the company stating that "successful exploitation of the related vulnerabilities might lead to remote code execution and non-authorized access to information." The findings build on three more flaws in the same product that were detailed by watchTowr back in June - CVE-2025-34509 (CVSS score: 8.2) - Use of hard-coded credentials CV...

The Sangoma FreePBX Security Team has issued an advisory warning about an actively exploited FreePBX zero-day vulnerability that impacts systems with an administrator control panel (ACP) exposed to the public internet. FreePBX is an open-source private branch exchange (PBX) platform widely used by businesses, call centers, and service providers to manage voice communications. It's built on top of Asterisk , an open-source communication server. The vulnerability, assigned the CVE identifier CVE-2025-57819 , carries a CVSS score of 10.0, indicating maximum severity. "Insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation and remote code execution," the project maintainers said in an advisory. The issue impacts the following versions - FreePBX 15 prior to 15.0.66 FreePBX 16 prior to 16.0.89, and FreePBX 17 prior to 17.0.3 Sangoma said an unauthorized user began accessing mult...

Citrix has released fixes to address three security flaws in NetScaler ADC and NetScaler Gateway, including one that it said has been actively exploited in the wild. The vulnerabilities in question are listed below - CVE-2025-7775 (CVSS score: 9.2) - Memory overflow vulnerability leading to Remote Code Execution and/or Denial-of-Service CVE-2025-7776 (CVSS score: 8.8) - Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial-of-Service CVE-2025-8424 (CVSS score: 8.7) - Improper access control on the NetScaler Management Interface The company acknowledged that "exploits of CVE-2025-7775 on unmitigated appliances have been observed," but stopped short of sharing additional details. However, for the flaws to be exploited, there are a number of prerequisites - CVE-2025-7775 - NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server; NetScaler ADC and NetScaler Gateway 13.1, 14.1...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws impacting Citrix Session Recording and Git to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2024-8068 (CVSS score: 5.1) - An improper privilege management vulnerability in Citrix Session Recording that could allow for privilege escalation to NetworkService Account access when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain CVE-2024-8069 (CVSS score: 5.1) - A deserialization of untrusted data vulnerability in Citrix Session Recording that allows limited remote code execution with the privileges of a NetworkService Account access when an attacker is an authenticated user on the same intranet as the session recording server CVE-2025-48384 (CVSS score: 8.1) - A link following vulnerability in Git that arises as a ...

Commvault has released updates to address four security gaps that could be exploited to achieve remote code execution on susceptible instances. The list of vulnerabilities, identified in Commvault versions before 11.36.60, is as follows - CVE-2025-57788 (CVSS score: 6.9) - A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials CVE-2025-57789 (CVSS score: 5.3) - A vulnerability during the setup phase between installation and the first administrator login that allows remote attackers to exploit the default credentials to gain admin control CVE-2025-57790 (CVSS score: 8.7) - A path traversal vulnerability that allows remote attackers to perform unauthorized file system access through a path traversal issue, resulting in remote code execution CVE-2025-57791 (CVSS score: 6.9) - A vulnerability that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to...

A new exploit combining two critical, now-patched security flaws in SAP NetWeaver has emerged in the wild, putting organizations at risk of system compromise and data theft. The exploit in question chains together CVE-2025-31324 and CVE-2025-42999 to bypass authentication and achieve remote code execution, SAP security company Onapsis said . CVE-2025-31324 (CVSS score: 10.0) - Missing Authorization check in SAP NetWeaver's Visual Composer development server CVE-2025-42999 (CVSS score: 9.1) - Insecure Deserialization in SAP NetWeaver's Visual Composer development server The vulnerabilities were addressed by SAP back in April and May 2025, but not before they were abused by threat actors as zero-days since at least March. Multiple ransomware and data extortion groups, including Qilin, BianLian, and RansomExx, have been observed weaponizing the flaws , not to mention several China-nexus espionage crews who have also put them to use in attacks targeting critical infra...

Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository that introduces malicious behavior through a dependency that allows it to establish persistence and achieve code execution. The package, named termncolor , realizes its nefarious functionality through a dependency package called colorinal by means of a multi-stage malware operation, Zscaler ThreatLabz said . While termncolor was downloaded 355 times, colorinal attracted 529 downloads. Both libraries are no longer available on PyPI. "This attack could leverage DLL side-loading to facilitate decryption, establish persistence, and conduct command-and-control (C2) communication, ending in remote code execution," according to researchers Manisha Ramcharan Prajapati and Satyam Singh. Once installed and executed, termncolor is designed to import colorinal, which, in turn, loads a rogue DLL that's responsible for decrypting and running the next-stage payload. Specifica...