Articles tagged with: #deserialization
CISA Adds Two Known Exploited Vulnerabilities to Catalog

All CISA Advisories www.cisa.gov

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2025-54236 Adobe Commerce and Magento Improper Input Validation Vulnerability
CVE-2025-59287 Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive...

Microsoft Releases Emergency Patch For Windows Server Update Service RCE Vulnerability

Cyber Security News cybersecuritynews.com

Microsoft has rolled out an out-of-band emergency patch for a remote code execution (RCE) vulnerability affecting the Windows Server Update Services (WSUS). Identified as CVE-2025-59287, the issue stems from the deserialization of untrusted data in a legacy serialization mechanism, allowing unauthorized attackers to execute arbitrary code over the network. The patch, released on October 23,

PoC Exploit Released for Windows Server Update Services Remote Code Execution Vulnerability

Cyber Security News cybersecuritynews.com

A proof-of-concept (PoC) exploit has been released for a critical vulnerability in Microsoft's Windows Server Update Services (WSUS), enabling unauthenticated attackers to execute remote code with SYSTEM privileges on affected servers. Dubbed CVE-2025-59287 and assigned a CVSS v3.1 score of 9.8, the flaw stems from unsafe deserialization of untrusted data in WSUS's AuthorizationCookie handling. Disclosed

Critical Apache ActiveMQ Vulnerability Let Attackers Execute Arbitrary Code

Cyber Security News cybersecuritynews.com

The Apache Software Foundation has disclosed a critical vulnerability in its ActiveMQ NMS AMQP Client that could allow attackers to execute arbitrary code on vulnerable systems. Tracked as CVE-2025-54539, this deserialization flaw poses a serious risk to applications relying on the client for messaging over AMQP protocols. The issue was publicly detailed in an advisory

New SAP NetWeaver Vulnerabilities Allow Attackers to Bypass Authorization and Execute OS Commands

Cyber Security News cybersecuritynews.com

SAP released its October 2025 Security Patch Day fixes, addressing 13 new vulnerabilities and updating four prior notes, with several critical flaws in NetWeaver enabling attackers to sidestep authorization and run arbitrary operating system commands on affected systems. Among the most alarming is CVE-2025-42944, an insecure deserialization issue in SAP NetWeaver AS Java's RMI-P4 module,

New SAP NetWeaver Bug Lets Attackers Take Over Servers Without Login

The Hacker News thehackernews.com

SAP has rolled out security fixes for 13 new security issues, including additional hardening for a maximum-severity bug in SAP NetWeaver AS Java that could result in arbitrary command execution. The vulnerability, tracked as CVE-2025-42944, carries a CVSS score of 10.0. It has been described as a case of insecure deserialization. "Due to a deserialization vulnerability in SAP NetWeaver, an