Patch Management
-
ASUS issues firmware updates to fix critical AiCloud authentication bypass
ASUS has issued firmware updates to fix nine vulnerabilities, including a critical authentication bypass (CVE-2025-59366) affecting routers with AiCloud enabled. Users should update their firmware; owners of end-of-life devices that will not receive a fix should apply the published mitigations instead.
-
Grafana patches CVSS 10.0 SCIM flaw that could allow impersonation
Grafana released updates for CVE-2025-41115, a CVSS 10.0 vulnerability in the SCIM provisioning component of Grafana Enterprise that can allow privilege escalation or user impersonation; the flaw is only reachable when SCIM provisioning is enabled. Grafana listed the affected Enterprise versions and fixed releases and urges users to apply the patches.
-
Critical command injection flaw found in W3 Total Cache WordPress plugin
A critical command injection flaw in the W3 Total Cache WordPress plugin (CVE-2025-9501) lets an unauthenticated attacker execute PHP code by posting a crafted comment. The developer issued a patch in version 2.8.13 on Oct. 20, but hundreds of thousands of sites may still be unpatched; WPScan plans to publish a proof-of-concept on Nov. 24.
-
Active exploitation reported for 7‑Zip ZIP symbolic link vulnerability
NHS England Digital warned that CVE-2025-11001, a flaw in 7-Zip's handling of symbolic links inside ZIP archives that lets a crafted archive write outside the extraction directory and achieve code execution when a user opens it, is being actively exploited. 7-Zip 25.00, released in July 2025, contains the fix; because 7-Zip has no automatic update mechanism, users and administrators must download and install the new version themselves.
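The vulnerability class behind this item is archive-symlink traversal: an entry stored as a symbolic link whose target points outside the extraction root, which a later entry in the same archive is then written through. The script below is an added illustration of that pattern, not 7-Zip's code, and it does not reproduce the exact CVE-2025-11001 code path; the sample archive it scans is constructed inline.

```python
"""Flag ZIP entries that are symbolic links pointing outside the extraction root.

Added illustration for this digest, not 7-Zip's code; it does not reproduce the
exact CVE-2025-11001 code path. It shows the general archive-symlink traversal
pattern: an entry stored as a symlink whose target escapes the extraction
directory, which a later entry in the same archive can then be written through.
The sample archive is constructed inline for the demonstration.
"""
import io
import posixpath
import stat
import zipfile


def is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix mode bits are stored in the high 16 bits of external_attr.
    return stat.S_ISLNK(info.external_attr >> 16)


def target_escapes(entry_name: str, target: str) -> bool:
    """True if the link target resolves outside the extraction root.

    Absolute POSIX or Windows paths escape outright; relative targets are
    resolved against the entry's own directory and rejected if they climb
    above the root.
    """
    target = target.replace("\\", "/")
    if target.startswith("/") or (len(target) > 1 and target[1] == ":"):
        return True
    base = posixpath.dirname(entry_name.replace("\\", "/"))
    resolved = posixpath.normpath(posixpath.join(base, target))
    return resolved == ".." or resolved.startswith("../")


def find_escaping_symlinks(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry name, link target) for every symlink that escapes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_symlink(info):
                continue
            # For a symlink entry the stored file content is the link target.
            target = zf.read(info).decode("utf-8", "replace")
            if target_escapes(info.filename, target):
                findings.append((info.filename, target))
    return findings


def _add_symlink(zf: zipfile.ZipFile, name: str, target: str) -> None:
    info = zipfile.ZipInfo(name)
    info.create_system = 3  # 3 = Unix, so external_attr carries mode bits
    info.external_attr = (stat.S_IFLNK | 0o777) << 16
    zf.writestr(info, target)


def build_sample_archive() -> bytes:
    """Constructed sample: one benign in-tree link and two escaping ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/README.txt", "benign\n")
        _add_symlink(zf, "docs/link_ok", "README.txt")       # stays in docs/
        _add_symlink(zf, "docs/escape", "../../../../etc")   # climbs out
        # A naive extractor that follows the link would write this entry
        # under /etc/cron.d/ instead of under the extraction directory.
        zf.writestr("docs/escape/cron.d/injected", "* * * * * root id\n")
        _add_symlink(zf, "abs", "/tmp")                      # absolute target
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in find_escaping_symlinks(build_sample_archive()):
        print(f"ESCAPING SYMLINK: {name} -> {target}")
```

Run against a directory of inbound archives, this kind of pre-extraction check catches the traversal primitive regardless of which extractor is in use; it is a compensating control, not a substitute for updating 7-Zip.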
-
Fortinet warns of FortiWeb OS command injection flaw CVE-2025-58034 exploited in the wild
Fortinet warned that CVE-2025-58034, a medium-severity (CVSS 6.7) OS command injection in FortiWeb that allows an authenticated attacker to run commands on the underlying system, has been exploited in the wild; fixes are available in specific FortiWeb releases, and the company credited a Trend Micro researcher for the report.
-
Google issues Chrome security update for actively exploited V8 bug
Google released Chrome updates fixing two type confusion vulnerabilities in the V8 JavaScript engine, including CVE-2025-13223, which is being actively exploited; users should update to the listed Chrome versions, and users of other Chromium-based browsers should apply the fixes as their vendors ship them.
-
High-severity cache-poisoning vulnerability in BIND 9; patches issued after PoC published
CVE-2025-40778 is a high-severity cache-poisoning vulnerability in BIND 9 resolvers: under certain conditions BIND is too lenient about which records it accepts from a response, allowing a remote attacker to inject forged DNS records into the cache. Authoritative-only servers are not affected. Proof-of-concept code is public and fixed versions are available; administrators are urged to apply patches immediately.
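The general defense a caching resolver applies against injected records is bailiwick filtering: only records whose owner name sits at or below the zone the answering server is authoritative for may enter the cache, and additional-section address records are accepted only as glue for an NS record in the same response. The code below is an added illustration of that rule, not ISC/BIND code, and it does not reproduce the specific leniency behind CVE-2025-40778; the sample response is constructed.

```python
"""Bailiwick filtering of a DNS response before caching.

Added illustration for this digest, not ISC/BIND code; it does not reproduce
the specific leniency behind CVE-2025-40778. It shows the general rule a
caching resolver applies against injected records: only records whose owner
name is at or below the zone the answering server is authoritative for are
cacheable, and additional-section address records are accepted only as glue
for an NS record in the same response. The sample response is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str      # owner name
    rtype: str     # "A", "AAAA", "NS", ...
    rdata: str
    section: str   # "answer", "authority" or "additional"


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it. The check is
    label-aware, so 'evilexample.com' is not under 'example.com'."""
    n, z = normalize(name), normalize(zone)
    if z == "":
        return True  # root servers may speak for any name
    return n == z or n.endswith("." + z)


def filter_response(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split a response into (cacheable, rejected) records."""
    glue_names = {
        normalize(r.rdata)
        for r in records
        if r.rtype == "NS" and in_bailiwick(r.name, zone)
    }
    accepted, rejected = [], []
    for r in records:
        if not in_bailiwick(r.name, zone):
            rejected.append(r)          # out-of-bailiwick: classic injection
        elif (r.section == "additional" and r.rtype in ("A", "AAAA")
              and normalize(r.name) not in glue_names):
            rejected.append(r)          # unsolicited additional record
        else:
            accepted.append(r)
    return accepted, rejected


# Constructed response to "www.example.com A" from a server authoritative
# for example.com, with three records an attacker might try to slip in.
SAMPLE_ZONE = "example.com"
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10", "answer"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("ns1.example.com.", "A", "192.0.2.53", "additional"),       # legit glue
    RR("www.bank.example.", "A", "203.0.113.5", "additional"),     # other zone
    RR("mail.example.com.", "A", "203.0.113.9", "additional"),     # not glue
    RR("evilexample.com.", "A", "203.0.113.7", "additional"),      # suffix trick
]


def run_sample() -> tuple[list[str], list[str]]:
    accepted, rejected = filter_response(SAMPLE_ZONE, SAMPLE_RESPONSE)
    return [r.name for r in accepted], [r.name for r in rejected]


if __name__ == "__main__":
    ok, bad = run_sample()
    print("cacheable:", ok)
    print("rejected: ", bad)
```

The three rejected records cover the usual injection shapes: a name in a different zone entirely, an in-zone name that nothing in the response delegated to, and a string-suffix look-alike that a naive `endswith` check would accept.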
-
CISA says two Dassault DELMIA Apriso flaws are being actively exploited
CISA warned that two vulnerabilities in Dassault Systèmes' DELMIA Apriso manufacturing operations software, CVE-2025-6205 (missing authorization) and CVE-2025-6204 (code injection), are being actively exploited. The vendor patched both in August, and CISA has added them to its KEV catalog; U.S. federal agencies must remediate under BOD 22-01 by Nov. 18.
-
QNAP: Windows NetBak PC Agent affected by critical ASP.NET Core flaw
QNAP warned that its NetBak PC Agent for Windows is affected by CVE-2025-55315, a critical HTTP request smuggling vulnerability in the Kestrel web server that ships with ASP.NET Core; a smuggled request can, depending on the application behind it, lead to credential hijacking or bypass of security checks. QNAP urged users to reinstall the agent or install the latest ASP.NET Core runtime.