Deserialization
CISA orders feds to patch max-severity Cisco flaw by Sunday
The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity vulnerability, CVE-2026-20131, in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22. Cisco published a security bulletin about the flaw on March 4, urging system administrators to apply the security updates as soon as possible and warning that no workarounds are available. The […]
SAP fixes three critical vulnerabilities across multiple products
SAP has released its December security updates addressing 14 vulnerabilities across a range of products, including three critical-severity flaws. The most severe (CVSS score: 9.9) of all the issues is CVE-2025-42880, a code injection problem impacting SAP Solution Manager ST 720. “Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious […]
CISA warns of two more actively exploited Dassault vulnerabilities
The Cybersecurity & Infrastructure Security Agency (CISA) warned today that attackers are actively exploiting two vulnerabilities in Dassault Systèmes’ DELMIA Apriso, a manufacturing operations management (MOM) and execution (MES) solution. The first one (CVE-2025-6205) is a critical-severity missing authorization security flaw that can allow unauthenticated threat actors to remotely gain privileged access to an unpatched […]
Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet
Fortra has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT’s License Servlet that can be exploited in command injection attacks. GoAnywhere MFT is a web-based managed file transfer tool that helps organizations securely transfer files and maintain audit logs of who accesses the shared files. Tracked as CVE-2025-10035, this security flaw […]
CISA warns of actively exploited Dassault RCE vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of hackers exploiting a critical remote code execution flaw in DELMIA Apriso, a manufacturing operations management (MOM) and execution (MES) solution from French company Dassault Systèmes. The agency added the vulnerability, tracked as CVE-2025-5086 and rated with a critical severity score (CVSS v3: 9.0), to the Known Exploited Vulnerabilities (KEV). […]
Hackers exploited Sitecore zero-day flaw to deploy backdoors
Threat actors have been exploiting a zero-day vulnerability in legacy Sitecore deployments to deploy WeepSteel reconnaissance malware. The flaw, tracked under CVE-2025-53690, is a ViewState deserialization vulnerability caused by the inclusion of a sample ASP.NET machine key in pre-2017 Sitecore guides. Some customers reused this key in production, allowing attackers with knowledge of the key […]