CVE Updates (December 15 – 21, 2025)

Vuln Recap Editor,

Here are the CVE updates for the week of December 15th through the 21st.

🔴 Critical Severity Vulnerabilities

Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability (CISA KEV) | CVE-2025-59718

Description:
This vulnerability affects multiple Fortinet products, including FortiOS, FortiProxy, and FortiSwitchManager, across the listed versions. Specifically, the issue occurs during the processing of SAML response messages used for FortiCloud Single Sign-On (SSO) authentication.

Because the system fails to properly validate cryptographic signatures, an unauthenticated remote attacker can deliberately craft a malicious SAML response. As a result, the attacker can bypass FortiCloud SSO authentication entirely. Consequently, the attacker gains unauthorized access without supplying valid credentials.

Potential Impacts

  • Authentication Bypass: Attackers can access systems without valid FortiCloud credentials.
  • Unauthorized Administrative Access: As a consequence, attackers may reach sensitive management interfaces.
  • Network Security Compromise: Attackers can alter firewall, proxy, or switch configurations.
  • Sensitive Data Exposure: Logs, credentials, policies, and network traffic data may become accessible.
  • Privilege Escalation: Attackers can leverage initial access to gain higher administrative privileges.
  • Lateral Movement: Compromised Fortinet devices may serve as pivot points into internal networks.
  • Service Disruption: Attackers may disable protections, modify security policies, or interrupt services.

Mitigation Recommendations

  • Apply vendor patches immediately by upgrading all affected Fortinet products to fixed versions.
  • Disable FortiCloud SSO if unnecessary until patching is complete.
  • Restrict management access to trusted IP addresses and internal networks only.
  • Enforce strong authentication controls, including multi-factor authentication (MFA).
  • Monitor authentication logs closely for unusual SAML login attempts.
  • Segment networks to isolate management interfaces from user and untrusted zones.
  • Review SAML configurations to ensure proper certificate validation and IdP alignment.
  • Track active exploitation trends by following Fortinet advisories and threat intelligence.

ASUS Live Update Embedded Malicious Code Vulnerability (CISA KEV) | CVE-2025-59374

Description:
Researchers identified a supply chain compromise in specific versions of the ASUS Live Update client. In these versions, attackers introduced unauthorized code into distributed builds. However, the compromised software executed unintended actions only when attacker-defined targeting conditions were met.

Notably, ASUS discontinued the Live Update client in October 2021. Therefore, currently supported ASUS products are not affected. Nevertheless, systems that installed the compromised versions during the affected timeframe may still face residual risk.

Potential Impacts

  • Targeted Unauthorized Actions: Attackers can trigger attacker-controlled behaviors on selected systems.
  • Supply Chain Trust Erosion: Compromised updates weaken confidence in software integrity.
  • Potential Remote Code Execution: Modified components may allow unauthorized code execution.
  • System Integrity Issues: Attackers may silently alter system files or configurations.
  • Stealthy Attacks: Since attackers targeted only specific systems, detection became more difficult.
  • Historical Exposure Risk: Older, unmaintained systems may remain compromised.

Mitigation Recommendations

  • Remove the ASUS Live Update client from any system where it remains installed.
  • Eliminate unsupported software from all production environments.
  • Perform full endpoint scans using up-to-date security tools.
  • Reinstall the operating system for high-risk systems when necessary.
  • Verify software integrity by validating hashes and digital signatures.
  • Disable deprecated update services to prevent future misuse.
  • Maintain an accurate asset inventory to identify potentially exposed legacy systems.
  • Adopt defense-in-depth controls, including EDR, application whitelisting, and least privilege.

Cisco Multiple Products Improper Input Validation Vulnerability (CISA KEV) | CVE-2025-20393

Description:
Cisco has disclosed a potential vulnerability affecting one or more products. However, the company has not yet released technical details regarding affected components, exploit vectors, or severity. Meanwhile, Cisco continues its investigation and plans to publish further guidance.

Potential Impacts

  • Undetermined Security Risk: The issue may affect confidentiality, integrity, or availability.
  • Unauthorized Access: Attackers could gain unauthorized access if exploitation becomes possible.
  • Operational Disruption: Core network services may experience outages or instability.
  • Data Exposure: Sensitive configurations, credentials, or traffic may be at risk.
  • Expanded Attack Surface: Infrastructure devices remain attractive targets for attackers.

Mitigation Recommendations

  • Monitor Cisco PSIRT advisories for official updates and CVSS scoring.
  • Apply patches promptly once Cisco releases fixes.
  • Restrict management interfaces to trusted IP ranges.
  • Enforce strong authentication, including MFA, on all control interfaces.
  • Increase logging and monitoring for unusual activity or configuration changes.
  • Segment infrastructure devices from lower-trust network zones.
  • Apply temporary hardening measures, such as disabling unnecessary services.

WatchGuard Firebox Out of Bounds Write Vulnerability (CISA KEV) | CVE-2025-14733

Description:
This critical vulnerability affects WatchGuard Fireware OS when IKEv2 VPNs use dynamic gateway peers. Specifically, improper memory handling enables an unauthenticated remote attacker to exploit an out-of-bounds write condition. Consequently, the attacker may execute arbitrary code and fully compromise the firewall without valid credentials.

Affected versions include Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.5, and 2025.1 through 2025.1.3.

Potential Impacts

  • Remote Code Execution: Attackers can run arbitrary code on the firewall.
  • Full Firewall Compromise: Attackers may gain complete control of the device.
  • Network Security Bypass: Compromised firewalls can intercept or manipulate traffic.
  • Data Exposure: VPN traffic, credentials, and internal data may leak.
  • Service Disruption: VPN services or the firewall itself may crash.
  • Lateral Movement: Attackers may pivot deeper into internal networks.

Mitigation Recommendations

  • Upgrade Fireware OS immediately to WatchGuard’s fixed versions.
  • Disable unused IKEv2 dynamic gateways where feasible.
  • Restrict VPN exposure to trusted IP ranges.
  • Monitor firewall logs actively for malformed IKEv2 activity.
  • Isolate management interfaces from untrusted networks.
  • Enable IPS and alerting features for early exploitation detection.
  • Follow WatchGuard advisories for updated indicators of compromise.

🟠 High Severity Vulnerabilities

Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability (CISA KEV) | CVE-2025-14611: Gladinet CentreStack and Triofox versions prior to 16.12.10420.56791 rely on hardcoded AES values. Consequently, this weak cryptographic design undermines endpoint security. Moreover, attackers can combine this flaw with unauthenticated requests to achieve local file inclusion (LFI). While the vulnerability alone may not guarantee exploitation, it significantly lowers the barrier for chained attacks.

Apple Multiple Products Use-After-Free WebKit Vulnerability (CISA KEV) | CVE-2025-43529: Apple resolved this WebKit memory management flaw across multiple platforms. However, processing malicious web content could still allow arbitrary code execution. Notably, Apple confirmed active exploitation in highly targeted attacks against older iOS versions. This issue also relates to CVE-2025-14174, which addressed the same exploitation campaign.

🟡 Medium Severity Vulnerabilities

SonicWall SMA1000 Missing Authorization Vulnerability (CISA KEV) | CVE-2025-40602: This flaw allows an authenticated local user to escalate privileges within the Appliance Management Console due to insufficient authorization checks. As a result, attackers can gain administrative control and modify system configurations.

WebsiteBaker Stored Cross-Site Scripting (XSS) Vulnerability | CVE-2023-53953: WebsiteBaker version 2.13.3 fails to properly sanitize page title inputs. Therefore, authenticated users can inject malicious JavaScript that executes automatically when others view affected pages.

HTML Injection Vulnerability in Esri ArcGIS Web AppBuilder (Developer Edition) | CVE-2025-67712: This vulnerability allows attackers to render arbitrary HTML by tricking victims into clicking crafted links. Although attackers cannot execute JavaScript, they can still display deceptive content. Importantly, the affected Developer Edition is retired and unsupported, while version 2.30 remains unaffected.

Post Views: 2
What You Missed Last Week

Leave a Reply

Your email address will not be published. Required fields are marked *