Unauthenticated Remote Code Execution in Grandstream GXP1600 VoIP Phones

Google released December 2025 Android security updates addressing 107 vulnerabilities, including two Framework bugs (CVE-2025-48633, CVE-2025-48572) actively exploited in limited, targeted attacks. The updates also fixed a critical Framework flaw (CVE-2025-48631) enabling remote DoS without additional privileges. Patches are available in two levels (2025-12-01, 2025-12-05) for faster manufacturer adoption. The vulnerabilities affect Android versions 13, 14, 15, and 16, and the patches will address 56 additional vulnerabilities affecting Android components in the kernel or third-party components. Similar flaws in the past were used for targeted exploitation by commercial spyware or nation-state operations targeting a small number of high-interest individuals. The updates address four critical-severity fixes for elevation-of-privilege flaws in the Kernel's Pkvm and UOMMU subcomponents, and two critical fixes for Qualcomm-powered devices (CVE-2025-47319 and CVE-2025-47372). Samsung published its security bulletin, including ported fixes from the Google update and vendor-specific fixes. Devices on Android 10 and later may receive some crucial fixes via Google Play system updates. Play Protect can detect and block documented malware and attack chains, so users of any Android version should keep the component up to date and active.

Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, actively exploited in attacks. This vulnerability allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a, to remediate the vulnerability. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities. Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software. Cybersecurity researchers have disclosed details of a new campaign, codenamed "Operation Zero Disco", that exploited CVE-2025-20352 to deploy Linux rootkits on older, unprotected systems. The attacks targeted Cisco 9400, 9300, and legacy 3750G series devices, and involved the exploitation of a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access. The rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. The attacks singled out victims running older Linux systems without endpoint detection response solutions, using spoofed IPs and Mac email addresses. The rootkit sets a universal password that includes the word "disco" in it, and the malware installs several hooks onto the IOSd, resulting in fileless components disappearing after a reboot. Newer switch models provide some protection via Address Space Layout Randomization (ASLR). The campaign used a UDP controller on infected switches to toggle logs, bypass authentication, and conceal configuration changes. The rootkit allowed attackers to hide running-config items such as account names, EEM scripts, and ACLs. The rootkit could bypass VTY ACLs and reset the last running-config write timestamp. The rootkit could toggle or delete device logs. The attacks against 32-bit builds included an SNMP exploit that split command payloads across packets. For 64-bit targets, attackers needed guest shell access at level 15 to install a fileless backdoor and use a UDP controller for remote management. The rootkit granted several covert capabilities, including acting as a UDP listener on any port for remote commands. The rootkit created a universal password by modifying IOSd memory. The rootkit could hide running-config items such as account names, EEM scripts, and ACLs. The rootkit could bypass VTY ACLs and reset the last running-config write timestamp. The rootkit could toggle or delete device logs. The attacks targeted older Linux hosts lacking endpoint detection response, where fileless components could disappear after reboot, yet still enable lateral movement. Trend Research recovered multiple exploit variants for 32-bit and 64-bit platforms. The operation impacted Cisco 9400 series, 9300 series, and legacy 3750G devices. Cisco provided forensic support that helped confirm affected models and assisted the investigation. The attacks involved a Telnet variant used to permit arbitrary memory access. Cisco has also patched a vulnerability in its Identity Services Engine (ISE) network access control solution, with public proof-of-concept exploit code, that can be abused by attackers with admin privileges. The security flaw (CVE-2026-20029) affects Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) regardless of device configuration, and remote attackers with high privileges can exploit it to access sensitive information on unpatched devices. Cisco strongly recommends upgrading to fixed software releases to fully address the vulnerability. Cisco also addressed multiple IOS XE vulnerabilities that allow unauthenticated, remote attackers to restart the Snort 3 Detection Engine. Cisco warned customers in December that a Chinese threat group tracked as UAT-9686 is exploiting a maximum-severity Cisco AsyncOS zero-day (CVE-2025-20393) that's still awaiting a patch in attacks targeting Secure Email and Web Manager (SEWM) and Secure Email Gateway (SEG) appliances.

The critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere MFT has been actively exploited by the cybercrime group Storm-1175 in Medusa ransomware attacks since at least September 11, 2025. This flaw, rated 10.0 on the CVSS scale, allows for arbitrary command execution if the system is publicly accessible over the internet. Fortra has released patches in versions 7.8.4 and 7.6.3. The vulnerability was disclosed on September 18, 2025, but exploitation began a week earlier. The Shadowserver Foundation is monitoring over 513 GoAnywhere MFT instances exposed online, although the number of patched instances is unknown. The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The vulnerability enables an attacker to bypass signature verification by crafting a forged license response signature, allowing the deserialization of arbitrary, attacker-controlled objects. Successful exploitation could result in command injection and potential remote code execution (RCE) on the affected system. The threat actor used legitimate remote monitoring and management (RMM) tools SimpleHelp and MeshAgent to launch binaries following exploitation. The threat actor utilized RMM tools to establish command-and-control (C2) infrastructure and set up a Cloudflare tunnel for secure C2 communication. The deployment and execution of Rclone was observed in at least one victim environment during the exfiltration stage. Medusa ransomware has over 300 global victims in critical infrastructure sectors, including a confirmed attack on a US healthcare organization in early 2025. Fortra began investigating the vulnerability on September 11, 2025, following a customer report. Fortra contacted on-premises customers with publicly accessible admin consoles and notified law enforcement on September 11, 2025. A hotfix for versions 7.6.x, 7.7.x, and 7.8.x was released on September 12, 2025. Full patches for versions 7.6.3 and 7.8.4 were released on September 15, 2025. The CVE for the vulnerability was formally published on September 18, 2025. Fortra confirmed a limited number of reports of unauthorized activity related to CVE-2025-10035. Fortra recommends restricting admin console access over the internet and enabling monitoring. watchTowr CEO and founder Benjamin Harris reiterated the need for transparency from Fortra regarding the private keys used in the exploit.

A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is actively exploited, with a CVSS score of 9.0. The flaw affects versions from Release 2020 through Release 2025 and allows for remote code execution (RCE). In addition to CVE-2025-5086, two more vulnerabilities (CVE-2025-6205 and CVE-2025-6204) in DELMIA Apriso have been identified and are actively exploited. CVE-2025-6205 is a critical-severity missing authorization flaw, and CVE-2025-6204 is a high-severity code injection vulnerability. Both were patched by Dassault Systèmes in early August 2025. The vulnerabilities can be chained together to create accounts with elevated privileges and place executable files into a web-served directory. The product exposes a SOAP-based message processor endpoint that accepts XML payloads for bulk employee/identity provisioning and a file upload API used by portal components but that is accessible only post-authentication. DELMIA Apriso is used in production processes for digitalizing and monitoring, and is deployed in automotive, aerospace, electronics, high-tech, and industrial machinery divisions. CISA has added these flaws to its Known Exploited Vulnerabilities (KEV) catalog, and FCEB agencies are advised to apply updates by November 18, 2025, to secure their networks. Additionally, a new vulnerability (CVE-2025-24893) in XWiki has been identified and is actively exploited. This flaw allows for arbitrary remote code execution through a request to the /bin/get/Main/SolrSearch endpoint and is being exploited in a two-stage attack chain that delivers a cryptocurrency miner. The vulnerability was reported by John Kwak of Trend Micro in May 2024 and was addressed in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1 in June 2024. Technical details on the bug emerged roughly half a year later, and an NVD advisory was published in February 2025. Numerous proof-of-concept (PoC) exploits targeting the vulnerability have been available since early 2025. CrowdSec observed the vulnerability being abused for reconnaissance earlier this year but noted a decline in activity. VulnCheck identified in-the-wild attacks exploiting CVE-2025-24893 to deploy a cryptocurrency miner. The attacks proceed in a two-pass workflow separated by at least 20 minutes: the first pass stages a downloader, and the second pass executes it. The observed traffic originates from an IP address geolocated to Vietnam that has been associated with other malicious activity. The RondoDox botnet has been observed targeting unpatched XWiki instances to exploit CVE-2025-24893. VulnCheck observed a spike in exploitation attempts, with peaks on November 7 and November 11, 2025. RondoDox is adding new exploitation vectors to rope susceptible devices into a botnet for conducting DDoS attacks using HTTP, UDP, and TCP protocols. The first RondoDox exploit was observed on November 3, 2025. Other attacks have been observed exploiting the flaw to deliver cryptocurrency miners, establish a reverse shell, and conduct general probing activity using a Nuclei template for CVE-2025-24893.

Cisco has disclosed and patched a critical vulnerability in the RADIUS subsystem of Secure Firewall Management Center (FMC) Software. The flaw, CVE-2025-20265, allows unauthenticated, remote attackers to execute arbitrary shell commands on affected systems. This vulnerability affects FMC Software versions 7.0.7 and 7.7.0 when RADIUS authentication is enabled for web-based management or SSH. The issue arises from improper handling of user input during the authentication phase, enabling attackers to inject malicious commands. Successful exploitation can lead to high-privilege command execution. There are no workarounds other than applying the provided patches. The flaw was discovered by Brandon Sakai during internal security testing. Cisco has also resolved several high-severity bugs in various products.