Biztonsági hírek

The Kiwire Captive Portal, provided by SynchroWeb, is an internet access gateway intended for providing guests internet access where many users will want to connect. Three vulnerabilities were discovered within the product, including SQL injection, open redirection, and cross site scripting (XSS), allowing an attacker multiple vectors to compromise the device. All three of the vulnerabilities have been addressed by the vendor. Customers using the Kiwire Captive Portal are recommended to update to the latest version of the product to remediate the vulnerabilities.

The Kiwire Captive Portal is a guest wifi solution that provides users with internet access through a login system. The product is used in various different capacities across different enterprises, including hotels, office systems, and other companies. Three vulnerabilities have been discovered within the product that allow an attacker to compromise the Kiwire Captive Portal database, redirect users to a malicious website, and trigger JavaScript upon visiting the captive portal with the malicious payload appended in the URL.

The following is a list of the CVE assignments and their respective vulnerability details:

CVE-2025-11188 The Kiwire Captive Portal contains a blind SQL injection in the nas-id parameter, allowing for SQL commands to be issued and to compromise the corresponding database. CVE-2025-11190 The Kiwire Captive Portal contains an open redirection issue via the login-url parameter, allowing an attacker to redirect users to an attacker-controlled website. CVE-2025-11189 The Kiwire Captive Portal contains a reflected cross-site scripting (XSS) vulnerability within the login-url parameter, allowing for JavaScript execution.

The vulnerabilities allow an attacker to exfiltrate sensitive data from the Kiwire Captive Portal database (CVE-2025-11188), redirect a user attempting to login to the captive portal to a malicious website (CVE-2025-11190), and execute JavaScript on the device that is attempting to login to the captive portal (CVE-2025-11189). It should be noted that in regards to CVE-2025-11189 and CVE-2025-11190, the domain is automatically trusted on most devices, due to it being a local address that users must access prior to being granted internet access.

A security advisory is available on the Kiwire website: https://www.synchroweb.com/release-notes/kiwire/security SynchroWeb will be contacting individuals who use affected version to assist in their patching process.

Thanks to the reporters, Joshua Chan (josh.chan@lrqa.com) and Ari Apridana (ari.apridana@lrqa.com) of LRQA. This document was written by Christopher Cullen.

A remote code execution (RCE) vulnerability, tracked as CVE-2025-10547, was discovered through the EasyVPN and LAN web administration interface of Vigor routers by Draytek. A script in the LAN web administration interface uses an unitialized variable, allowing an attacker to send specially crafted HTTP requests that cause memory corruption and potentially allow arbitrary code execution.

Vigor routers are business-grade routers, designed for small to medium-sized businesses, made by Draytek. These routers provide routing, firewall, VPN, content-filtering, bandwidth management, LAN (local area network), and multi-WAN (wide area network) features. Draytek utilizes a proprietary firmware, DrayOS, on the Vigor router line. DrayOS features the EasyVPN and LAN Web Administrator tool s to facilitate LAN and VPN setup. According to the DrayTek website, "with EasyVPN, users no longer need to generate WireGuard keys, import OpenVPN configuration files, or upload certificates. Instead, VPN can be successfully established by simply entering the username and password or getting the OTP code by email."

The LAN Web Administrator provides a browser-based user interface for router management. When a user interacts with the LAN Web Administration interface, the user interface elements trigger actions that generate HTTP requests to interact with the local server. This process contains an uninitialized variable. Due to the uninitialized variable, an unauthenticated attacker could perform memory corruption on the router via specially crafted HTTP requests to hijack execution or inject malicious payloads. If EasyVPN is enabled, the flaw could be remotely exploited through the VPN interface.

A remote, unathenticated attacker can exploit this vulnerability through accessing the LAN interface—or potentially the WAN interface—if EasyVPN is enabled or remote administration over the internet is activated. If a remote, unauthenticated attacker leverages this vulnerability, they can execute arbitrary code on the router (RCE) and gain full control of the device. A successful attack could result in a attacker gaining root access to a Vigor router to then install backdoors, reconfigure network settings, or block traffic. An attacker may also pivot for lateral movement via intercepting internal communications and bypassing VPNs.

The DrayTek Security team has developed a series of patches to remediate the vulnerability, and all users of Vigor routers should upgrade to the latest version ASAP. The patches can be found on the resources page of the DrayTek webpage, and the security advisory can be found within the about section of the DrayTek webpage. Consult either the CVE listing or the advisory page for a full list of affected products.

Thanks to the reporter, Pierre-Yves MAES of ChapsVision (pymaes@chapsvision.com). This document was written by Ayushi Kriplani.

A major npm supply chain compromise was disclosed by the software supply chain security company Socket on September 15, 2025. At the time of writing, over 500 packages have been affected, and the number continues to grow. The attack involves a self-propagating malware variant dubbed Shai-Hulud, which spreads via credential theft and automated package publishing. The campaign escalated rapidly, including compromise of packages published by CrowdStrike.

This notice aims to raise awareness about growing risks in software development and packaging practices within the npm ecosystem that can lead to large-scale compromises. The incident highlights ongoing exploitation of known attack vectors, including credential theft, package impersonation, and automated propagation, all of which undermine the integrity of widely used package ecosystems like npm.

npm is the default package manager for Node.js. It provides a global registry and command-line interface that helps developers install, manage, and share JavaScript packages and dependencies. It simplifies the integration of third-party code through the use of the package.json and package-lock.json files, which ensure dependency consistency and reproducibility.

The compromise likely began with a credential harvesting campaign, where a postinstall script led to the execution of a malicious bundle.js file. postinstall scripts are an npm feature that allow code execution following package installation. The bundle.js script scanned the target environment for exposed secrets in code and configuration files. The bundle.js file downloaded and used TruffleHog, typically used for legitimate secret scanning, to harvest credentials stored as environment variables or secrets used by continuous integration and continuous delivery (CI/CD) platforms such as GitHub Actions, GitLab CI, Jenkins, and others. The malware self-propagated using the stolen credentials to publish itself to other repositories and package registries, effectively turning compromised environments into new infection vectors.

A key mechanism of propagation was the automatic "trojanization" of CI/CD tools, a known attack vector with wide-reaching implications across ecosystems. GitHub Actions was one such capability that was abused, previously seen in attacks like the Nx package compromise in August of 2025. Another known contributor to the attack was the abuse of the postinstall script capability in npm. This technique has been exploited in previous incidents, such as the event-stream attack in 2018. These vulnerable software development and design methods in npm have been duly abused in this combined attack.

At the time of publication, over 500 packages have been confirmed to be compromised by the Shai-Hulud malware. Socket is maintaining a live list of affected packages on their website. Organizations using CrowdStrike products should also inspect their npm package dependencies, as the npm account used to manage and publish packages for CrowdStrike was allegedly compromised.

GitHub has released a public advisory detailing additional security changes being made to their package systems. CISA has also released a security advisory.

• Audit and replace compromised packages: Remove any affected package versions and replace them with known safe versions.
• Lock dependencies: Use package-lock.json or npm i --package-lock-only to lock resolved dependency versions without executing install scripts, allowing safe auditing. For packages that will be redistributed, locally or otherwise, use npm shrinkwrap to lock all direct and transitive dependency versions for reproducible installs.
• Use internal mirrors: Set up an internal npm registry using tools like Verdaccio or Artifactory, and centrally approve packages before allowing internal use.
• Disable postinstall scripts: Use npm install --ignore-scripts where feasible to prevent malicious code execution during package installation.

• Rotate all exposed credentials: Immediately revoke and rotate any CI/CD-related tokens or secrets (GitHub, GitLab, Jenkins, etc.) that may have been exposed.
• Enforce least privilege: Use scoped tokens with minimal permissions, and isolate build environments to ensure untrusted code never has access to publishing credentials, especially when using GitHub Actions or similar CI/CD platforms.

This document was written by Christopher Cullen.

Lectora Desktop versions 21.0–21.3 and Lectora Online versions 7.1.6 and older contained a cross-site scripting (XSS) vulnerability in courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled. The vulnerability was initially patched in Lectora Desktop version 21.4 (October 25, 2022), but users must republish existing courses to apply the patch. This important republishing instruction was missing from the Desktop edition release notes, but it was included in the release notes for the recently patched Lectora Online (July 20, 2025). The CERT® Coordination Center is publishing this vulnerability note to amplify awareness as the Lectora software user base includes high-profile clients such as government agencies and large enterprises.

The Lectora platform is used to create and publish interactive e-learning courses by ELB Learning. Lectora Inspire and Lectora Publisher are Desktop versions of the e-learning software, and Lectora Online is a cloud-based version.

• Lectora Inspire and Lectora Publisher desktop editions versions 21.0–21.3
• Lectora Online versions 7.1.6 and older

Content published with Seamless Play Publish (SPP) enabled and Web Accessibility settings disabled in the affected versions can allow JavaScript injection via crafted URL parameters. Exploitation under this scenario could result in client-side script execution (e.g., alert or redirect), which poses a risk of session hijacking or user redirection.

The vulnerability is patched in Lectora Desktop (Publisher and Inspire version 21.4, released October 25, 2022) and Lectora Online (version 7.1.7, deployed July 20, 2025). To fully implement the solution:

• For Lectora Desktop customers: Please download the version 21.4 patch or a later update from portal.elblearning.com. You must then republish any courses that were created using older software versions.
• For Lectora Online customers: The update to version 7.1.7 was automatically applied on July 20, 2025. You must republish any courses that were created using older software versions.

Thanks to the reporter Mohammad Jassim for reporting this vulnerability. This document was written by Laurie Tyzenhaus.

LangChainGo, the Go implementation of LangChain, a large language model (LLM) application building framework, has been discovered to contain an arbitrary file read vulnerability. The vulnerability, tracked as CVE-2025-9556, allows for arbitrary file read through the Gonja template engine with Jinja2 syntax. Attackers can exploit this by injecting malicious prompt content to access sensitive files, leading to a server-side template injection (SSTI) attack.

LangChainGo is the Go Programming Language port/fork of LangChain, an open-source orchestration framework for the development of applications that leverage LLMs. LangChainGo uses Gonja for syntax parsing and creating dynamic and reusable prompt templates. Gonja is the Go implementation of Jinja2, a templating engine. Gonja is largely compatable with the the original Python Jinja2 implementation, and supports Jinja2 syntax.

As Gonja supports Jinja2 syntax, an attacker could leverage directives such as {% include %}, {% from %}, or {% extends %} for malicious purposes within LangChainGo. While these directives were meant to be used for building reusable templates, they can also allow an external file to be pulled and read from the server’s filesystem. An attacker could use this to inject malicious template code containing advanced templating directives to read sensitive files such as /etc/password. This results in a server-side template injection vulnerability that can expose sensitive information. This vulnerability is tracked as CVE-2025-9556.

This vulnerability compromises the confidentiality of the system by enabling arbitrary file read on a server running LangChainGo. By injecting malicious template syntax, an attacker could access sensitive information stored on the victim device. This information can lead to further comprise of the system. In LLM-based chatbot environments that use LangChainGo, attackers would only need access to the prompt to maliciously craft and exploit the prompt.

The maintainer of LangChainGo has released with new security features to prevent template injection. A new RenderTemplateFS function has been added, which supports secure file template referencing, on top of blocking filesystem access by default. Users of LangChainGo should update to the latest version of the software in order to be protected.

Thanks to the reporter, bestlzk. This document was written by Ayushi Kriplani and Christopher Cullen.

Two local security vulnerabilities have been identified in Sunshine for Windows, version v2025.122.141614 (and likely prior versions). These issues could allow attackers to execute arbitrary code and escalate privileges on affected systems.

Sunshine is a self-hosted game stream host for Moonlight.

• CVE-2025-10198 Unquoted Service Path (CWE-428) Sunshine for Windows installs a service with an unquoted service path. This allows an attacker with local access to place a malicious executable in a directory within the service path (before the legitimate binary), which could then be executed with elevated privileges during system startup or service restart.

• CVE-2025-10199 DLL Search-Order Hijacking (CWE-427) Sunshine for Windows does not properly control the search path for required DLLs. This allows an attacker to place a malicious DLL in a user-writable directory that is included in the PATH environment variable. When the application loads, it may inadvertently load the malicious DLL, resulting in arbitrary code execution.

• CVE-2025-10198 Attackers with local access can escalate privileges to SYSTEM, resulting in full compromise of the affected machine.
• CVE-2025-10199 Attackers can execute malicious code in the context of the user running the application.

Apply an update from the Sunshine project once available.

As mitigation, until a patch is released:

• Ensure user-writable directories are not included in the PATH environment variable.

• Quote all service paths in Windows service configurations.

• Restrict permissions on service-related directories to prevent unauthorized file placement.

Thanks to the reporter, Pundhapat Sichamnong. This document was written by Timur Snoke.

The Amp’ed RF BT-AP 111 Bluetooth Access Point exposes an HTTP-based administrative interface without authentication controls. This allows an unauthenticated remote attacker to gain full administrative access to the device.

The Amp’ed RF BT-AP 111 is a Bluetooth-to-Ethernet bridge that can function as an access point or a Bluetooth gateway. According to the vendor’s website, the device supports Universal Plug and Play (UPnP) on the Ethernet side and acts as a UART Serial device to support up to seven simultaneous Bluetooth connections.

The BT-AP 111 provides a web-based administrative interface over HTTP. However, this interface does not implement any authentication mechanism. As a result, any user with network access to the device’s HTTP port can view and modify the administrative interface. An attacker with such access can alter Bluetooth configurations, network parameters, and other security-related settings.

According to NIST guidance, authentication is an expected baseline security control even for near-field or Bluetooth devices. The NIST Guide to Bluetooth Security (SP 800-121 Rev. 2), defines security levels that require at least authentication (Service Level 2) and preferably authentication and authorization (Service Level 1). More broadly, NIST SP 800-124 Rev. 1 emphasizes that devices should enforce authentication before granting access to configuration or administrative resources. The absence of authentication on the BT-AP 111 administrative web interface is therefore inconsistent with established best practices.

An attacker with network access (local or remote) to the web interface can gain full administrative control of the device and modify any settings exposed through the interface.

At this time, CERT/CC has not received a response from the vendor regarding this vulnerability. Since the device cannot be secured with authentication or any access controls, it is recommended that any deployments be restricted to isolated networks that are inaccessible to untrusted users.

Thanks to the reporter, Souvik Kandar. This document was written by Timur Snoke.

Hiawatha is an open-source web server that supports Windows, MacOS X and a variety of Linux distributions. Hiawatha was focused on performance and is used in place of larger, more complex web servers. The fetch_request is vulnerable due to improper handling of HTTP headers regarding content length and transfer encoding. Tomahawk is a component of the Hiawatha web server which is vulnerable to authentication timing attack due to usage of 'strcmp' and may allow a local attacker to access the management client. The double free in the XSLT show_index function is a memory handling problem. The developer acknowledges the vulnerabilities and has tested the update to ensure all three are mitigated or remediated. Hiawatha is no longer actively supported by the developer, but the developer acknowledges the vulnerabilities and has included mitigations and remediations to all three vulnerabilities in the next release.

CVE-2025-57783 A request smuggling vulnerability caused by improper header parsing has been identified in the fetch_request function of Hiawatha web server versions 8.5 through 11.7. This vulnerability allows an unauthenticated attacker to smuggle requests and access restricted resources managed by the server.

CVE-2025-57784 An authentication timing attack has been identified in the Tomahawk component of Hiawatha web server versions 8.5 through 11.7, which occurs due to the use of strcmp in the handle_admin function. This vulnerability allows a local attacker to access the management client.

CVE-2025-57785 A double free in the XSLT show_index function has been identified in Hiawatha web server version 10.8.2 through 11.7. This vulnerability allows an unauthenticated attacker to corrupt data, which may lead to arbitrary code execution.

Exploiting the request smuggling vulnerability may result in attackers bypassing authentication, hijack user sessions or inject malicious payloads into requests.

Exploiting the timing 'strcmp' function in the handle_admin function may result in password attempts to measure the time for each attempt, then assume the password is known by the longest attempt which would match more characters. This vulnerability may be time consuming to exploit.

Exploiting the double free error is when a program tries to free memory in the same location more than once. In a web server the XSLT show_index function may originate from an error in memory management during the execution of the XSLT which may result in corrupt data leading to the execution of arbitrary code.

Install updated version when distributed by Hiawatha.

Thanks to the reporter Ali Norouzi of Keysight.This document was written by Laurie Tyzenhaus.

Workhorse Software Services, Inc municipal accounting software prior to version 1.9.4.48019 contains design flaws that could allow unauthorized access to sensitive data and facilitate data exfiltration. Specifically, database connection information is stored in plaintext alongside the application executable, and the software allows unauthenticated users to create unencrypted database backups from the login screen.

Two primary issues exist in Workhorse's design:

CVE-2025-9037 The software stores the SQL Server connection string in a plaintext configuration file located alongside the executable. In typical deployments, this directory is on a shared network folder hosted by the same server running the SQL database. If SQL authentication is used, credentials in this file could be recovered by anyone with read access to the directory.

CVE-2025-9040 The application’s “File” menu, accessible even from the login screen, provides a database backup feature that executes an MS SQL Server Express backup and allows saving the resulting .bak file inside an unencrypted ZIP archive. This backup can be restored to any SQL Server instance without requiring a password.

An attacker with physical access to a workstation, malware capable of reading network files, or via social engineering could exfiltrate full database backups without authentication.

An attacker could obtain the complete database, potentially exposing sensitive personally identifiable information (PII) such as Social Security numbers, full municipal financial records, and other confidential data. Possession of a database backup could also enable data tampering, potentially undermining audit trails and compromising the integrity of municipal financial operations.

The CERT/CC recommends updating the software to version 1.9.4.48019 as soon as possible. Other potential mitigations include: * Restricting access to the application directory via NTFS permissions * Enabling SQL Server encryption and Windows Authentication * Disabling the backup feature at the vendor or configuration level * Using network segmentation and firewall rules to limit database access

This issue was reported during a security audit and new server installation by James Harrold, Sparrow IT Solutions. This document was written by Timur Snoke.

System Management Mode (SMM) memory corruption vulnerabilities have been identified in UEFI modules present in AMI Aptio UEFI firmware. An attacker could exploit this vulnerability to elevate privileges and execute arbitrary code in the highly privileged SMM environment. Users should apply UEFI firmware updates provided by their supply-chain-supported vendors to address these issues.

The Unified Extensible Firmware Interface (UEFI) specification defines an interface between an operating system (OS) and platform firmware. The UEFI specification defines mechanisms that allow firmware code to execute in System Management Mode (SMM), a highly privileged CPU mode intended for low-level system operations and direct hardware access. SMM operations are executed within a CPU protected memory region called System Management RAM (SMRAM). This environment is often referred to as "ring -2" because it operates at a deeper privilege level than the OS kernel (ring 0) and hypervisor (ring -1).

A vulnerability has been identified in certain firmware modules of AMI APTIOV related to improper pointer validation. Specifically, the code fails to adequately validate pointer values to prevent overlap with SMRAM. This allows memory references to be redirected into SMRAM, potentially enabling unauthorized code execution within SMM. An attacker exploiting this flaw could corrupt memory and overwrite sensitive SMRAM data, including firmware components that may later be written to PCI flash memory—establishing persistent control over the device.

Successful exploitation of this vulnerability may allow execution of code within System Management Mode (SMM), a highly privileged environment in firmware. This could bypass certain firmware-level protections, such as those protecting the SPI flash memory, and enable persistent modifications to the firmware that operate independently of the OS.

Install the latest UEFI firmware updates provided by your PC vendor. Refer to the Vendor Information section below and AMI's security advisory. As these vulnerabilities may affect firmware distributed through the supply chain, multiple PC OEMs may be impacted. Continue monitoring the Vendor Information section for updates relevant to your device.

Thanks to Binarly REsearch team for the responsible disclosure of this vulnerability to CERT/CC. Thanks also to AMI for their collaboration and timely response. This document was written by Ben Koo.

A vulnerability has been discovered within many HTTP/2 implementations allowing for denial of service (DoS) attacks through HTTP/2 control frames. This vulnerability is colloquially known as "MadeYouReset" and is tracked as CVE-2025-8671. Some vendors have assigned a specific CVE to their products to describe the vulnerability. MadeYouReset exploits a mismatch caused by stream resets between HTTP/2 specifications and the internal architectures of many real-world web servers. This results in resource exhaustion, and a threat actor can leverage this vulnerability to perform a distributed denial of service attack (DDoS). This vulnerability is similar to CVE-2023-44487, colloquially known as "Rapid Reset." Multiple vendors have issued patches or responses to the vulnerability, and readers should review the statements provided by vendors at the end of this Vulnerability Note and patch as appropriate.

A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). This vulnerability is tracked as CVE-2025-8671 and is known colloquially as "MadeYouReset." This vulnerability is similar to CVE-2023-44487, colloquially known as "Rapid Reset", which abused client-sent stream resets. HTTP/2 introduced stream cancellation - the ability of both client and server to immediately close a stream at any time. However, after a stream is canceled, many implementations keep processing the request, compute the response, but don't send it back to the client. This creates a mismatch between the amount of active streams from the HTTP/2 point of view, and the actual active HTTP requests the backend server is processing.

By opening streams and then rapidly triggering the server to reset them using malformed frames or flow control errors, an attacker can exploit a discrepancy created between HTTP/2 streams accounting and the servers active HTTP requests. Streams reset by the server are considered closed, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent HTTP/2 requests on a single connection.

The flaw largely stems from many implementations of the HTTP/2 protocol equating resetting streams to closing them; however, in practice, the server will still process them. An attacker can exploit this to continually send reset requests, where the protocol is considering these reset streams as closed, but the server will still be processing them, causing a DoS.

HTTP/2 does support a parameter called SETTINGS_MAX_CONCURRENT_STREAMS, which defines a set of currently active streams per session. In theory, this setting would prevent an attacker from overloading the target server, as they would max out the concurrent stream counter for their specific malicious session. In practice, when a stream is reset by the attacker, the protocol considers it no longer active and no longer accounts for it within this counter.

The main impact of this vulnerability is its potential usage in DDoS attacks. Threat actors exploiting the vulnerability will likely be able to force targets offline or heavily limit connection possibilities for clients by making the server process an extremely high number of concurrent requests. Victims will have to address either high CPU overload or memory exhaustion depending on their implementation of HTTP/2.

Various vendors have provided patches and statements to address the vulnerability. Please review their statements below. CERT/CC recommends that vendors who use HTTP/2 in their products review their implementation and limit the number/rate of RST_STREAMs sent from the server. Additionally, please review the supplemental materials provided by the reporters, which include additional mitigations and other potential solutions here: https://github.com/galbarnahum/MadeYouReset

Thanks to the reporters, Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel of Tel Aviv University. This document was written by Christopher Cullen.

Partner Software and Partner Web, both products of their namesake company, Partner Software, fail to sanitize report or note files, allowing for XSS attacks. Partner Software is subdivision of N. Harris Computer Corporation and is a field application development company, with products intended for use by industry, municipalities, state government, and private contractors. An authorized user of Partner Software or Partner Web application can upload "Reports" when viewing a job. The file upload feature does not limit files that can be uploaded or their extensions, allowing an attacker with valid credentials to perform XSS attacks and execute malicious code on the device. The Partner Web product also ships with the same default administrator username and password across versions. An attacker with access to the Partner Web application could abuse these vulnerabilities to perform arbitrary code execution on the hosting device.

Partner Software's products Partner Software and Partner Web are used by various municipalities, state government, and private contractors for field application work. These products include support for various GIS-related uses, map viewers, and other support tools. The Partner Software and Partner Web products contain various fields for uploading content for analysis by field workers. An authenticated user with access to the Partner Web application could perform RCE through usage of the vulnerabilities.

CVE-2025-6076 Partner Software's corresponding Partner Web application does not sanitize files uploaded on the Reports tab, allowing an authenticated attacker to upload a malicious file that will be stored on the victim server.

CVE-2025-6077 Partner Software's corresponding Partner Web application all use the same default username and password for the administrator account.

CVE-2025-6078 Partner Software/Partner Web allows an authenticated user to add text on the Notes page within the Job view, but does not completely sanitize input, making it possible to add notes with HTML tags and JavaScript and enabling an attacker to add a note containing malicious JavaScript, leading to stored XSS (cross-site scripting).

An attacker using these vulnerabilities can either gain administrator access to the device or perform XSS, compromising the device.

Partner Software has provided a patch for the affected product in version 4.32.2. The Admin and Edit users are now removed in the 4.32.2 patch, and the Notes section now restricts and sanitizes input to only including simple text. Additionally, file attachments allowed include only .csv, .jpg, .png, .txt, .doc, and .pdf files, and will not longer read then files, only display them. The affected versions of Partner Web are 4.32 and previous. Patch information is available here: https://partnersoftware.com/resources/software-release-info-4-32/

Thanks to the reporter, Ryan Pohlner (Cybersecurity and Infrastructure Security Agency). for the report and to Partner Software for coordination efforts. This document was written by Christopher Cullen.

The TP-Link Archer C50 router, which has reached End-of-Life (EOL), contains a hardcoded encryption key in its firmware, enabling decryption of sensitive configuration files. This vulnerability allows attackers to trivially access administrative credentials, Wi-Fi passwords, and other internal settings, after authentication to the device.

A vulnerability exists in the TP-Link Archer C50 router’s firmware, where encrypted configuration files are protected using DES in ECB (Electronic Codebook) mode with a hardcoded static key. The embedded DES key is never randomized or derived per device.

CVE-2025-6982 TP-Link Archer C50 router contains hardcoded DES decryption keys, which makes them vulnerable to configuration file decryption.

The encryption lacks randomness and message authentication, allowing for trivial offline decryption of sensitive data.

Exploitation of this vulnerability may result in:

• Admin credentials
• Wireless network SSIDs and passwords
• Static IPs, DHCP settings, and DNS server details

• Internal network structure
• Connected device roles and topology
• Pre-positioning for further attacks

• Works on default firmware configurations
• Does not require the router to be actively running Primary Impact: Full authorized access to router configuration, leading to potential compromise of the connected network.

The CERT/CC is currently unaware of a practical solution to this problem. Note: The TP-Link Archer C50 has reached End-of-Life (EOL) and no longer receives firmware updates or security support from the vendor.

• Retire and replace the Archer C50 with a supported router model
• Avoid using devices with known cryptographic flaws
• Secure or delete any exported configuration files
• Change passwords if configuration files were exposed or restored from backup

Thanks to the reporter Jai Bhortake from CoE - CNDS Lab, VJTI, Mumbai, India. This document was written by Timur Snoke.

Lakeside Software, an IT digital employee experience platform, offers a product called SysTrack, intended for endpoint observability. This program uses an executable called LsiAgent.exe, which attempts to load various Dynamic Link Library (DLL) files when run. The program does not properly check which files or places from which it loads the DLL files, allowing an attacker to place a malicious DLL file within a known System PATH variable on the victim device. When LsiAgent.exe runs, it will load the malicious code, resulting in code execution and privilege escalation, as LsiAgent.exe runs within the NT AUTHORITY\SYSTEM context. A patch has been provided by Lakeside Software, and the vulnerability is fixed in version 10.10.0.42 and higher.

Lakeside Software, an IT digital employee experience company, offers a product called Systems Management Agent (SysTrack) that is intended for endpoint health and performance monitoring. The product contains various different programs and executables that are installed on a device. One of these programs is called LsiAgent.exe, which runs within the context of NT AUTHORITY\SYSTEM. Additionally, LsiAgent.exe runs on startup with default installation settings. A vulnerability has been discovered, tracked as CVE-2025-6241, which allows an attacker to achieve elevated code execution through placing malicious DLL files within a known System PATH environment variable, or by bundling the LsiAgent.exe program alongside another malicious DLL. The bundled DLL will be executed when the victim runs the supposedly safe LsiAgent.exe program.

System PATH variable settings are typically manipulated by other programs installed during normal use of a machine. When LsiAgent.exe is executed, it will iterate through the System PATH environment variable to search for a DLL titled 'wfapi.dll.' SysTrack uses the wdapi.dll file to verify if the system is running in a virtualized Citrix Environment. During the System PATH iteration process, LsiAgent.exe attempts to load and run the first file named wfapi.dll that it encounters within the System PATH variable. Therefore, an attacker would only need to provide their malicious DLL file named wfapi.dll within one of the System PATH variables to achieve code execution.

An attacker with the ability to place a file within any known System PATH environment variable on a victim machine can achieve remote code execution and privilege escalation, as LsiAgent.exe runs within the NT AUTHORITY\SYSTEM context. Furthermore, LsiAgent.exe is a signed program, so operations carried out by the program will be shown as being done by a legitimate program, heightening potential impact.

A patch has been provided by Lakeside Software to fix the affected LsiAgent.exe program. The vulnerable version, 10.05.0027, has been fixed in versions 10.10.0.42 and higher of LsiAgent.exe. The release notes of the version are available here: https://documentation.lakesidesoftware.com/en/Content/Release%20Notes/Agent/10_10_0%20Hotfix%20Agent%20Release%20Notes%20On%20Premises.htm?tocpath=Release%20Notes%7CAgent%7C_____13

Thanks to the reporter Owen Sortwell and contributors Adam Merrill and Brian Healy of Sandia National Laboratories. This document was written by Christopher Cullen.

System Management Mode (SMM) callout vulnerabilities have been identified in UEFI modules present in Gigabyte firmware. An attacker could exploit one or more of these vulnerabilities to elevate privileges and execute arbitrary code in the SMM environment of a UEFI-supported processor. While AMI (the original firmware supplier) has indicated that these vulnerabilities were previously addressed, they have resurfaced in Gigabyte firmware and are now being publicly disclosed.

The Unified Extensible Firmware Interface (UEFI) specification defines an interface between an operating system (OS) and platform firmware. UEFI can interact directly with hardware using System Management Mode (SMM), a highly privileged CPU mode designed for handling low-level system operations. SMM operations are executed within a protected memory region called System Management RAM (SMRAM) and are only accessible through System Management Interrupt (SMI) handlers.

SMI handlers act as a gateway to SMM and process data passed via specific communication buffers. Improper validation of these buffers or untrusted pointers from CPU save state registers can lead to serious security risks, including SMRAM corruption and unauthorized SMM execution. An attacker could abuse these SMI handlers to execute arbitrary code within the early boot phases, recovery modes, or before the OS fully loads.

The following vulnerabilities were identified in Gigabyte firmware implementations:

• CVE-2025-7029 : Unchecked use of the RBX register allows attacker control over OcHeader and OcData pointers used in power and thermal configuration logic, resulting in arbitrary SMRAM writes. (BRLY-2025-011)
• CVE-2025-7028 : Lack of validation of function pointer structures derived from RBX and RCX allows attacker control over critical flash operations via FuncBlock, affecting functions like ReadFlash, WriteFlash, EraseFlash, and GetFlashInfo. (BRLY-2025-010)
• CVE-2025-7027 : Double pointer dereference vulnerability involving the location of memory write from an unvalidated NVRAM Variable SetupXtuBufferAddress NVRAM and the content for write from from an attacker-controlled pointer based on the RBX register, can be used write arbitrary content to SMRAM. (BRLY-2025-009)
• CVE-2025-7026 : Attacker-controlled RBX register used as an unchecked pointer within the CommandRcx0 function allows writes to attacker-specified memory in SMRAM. (BRLY-2025-008)

According to AMI, these vulnerabilities were previously addressed via private disclosures, yet the vulnerable implementations remain in some OEM firmware builds such as in the case of Gigabyte. Gigabyte has issued updated firmware to address the vulnerabilities. Users are strongly advised to visit the Gigabyte support site to determine if their systems are affected and to apply the necessary updates.

An attacker with local or remote administrative privileges may exploit these vulnerabilities to execute arbitrary code in System Management Mode (Ring -2), bypassing OS-level protections. These vulnerabilities can be triggered via SMI handlers from within the operating system, or in certain cases, during early boot phases, sleep states, or recovery modes—before the OS fully loads.

Exploitation can disable UEFI security mechanisms such as Secure Boot and Intel BootGuard, enabling stealthy firmware implants and persistent control over the system. Because SMM operates below the OS, such attacks are also difficult to detect or mitigate using traditional endpoint protection tools.

Install the latest UEFI firmware updates provided by your PC vendor. Refer to the Vendor Information section below and Gigabyte’s security website for specific advisories and update instructions. Because these vulnerabilities may affect firmware supplied through the supply chain, other PC OEM vendors may also be impacted. Monitor the Vendor Information section for updates as they become available.

We thank the Binarly REsearch team for responsibly disclosing these vulnerabilities to CERT/CC. We also acknowledge Gigabyte’s PSIRT for their collaboration and timely response. This document was written by Vijay Sarvepalli.

Multiple vulnerabilities have been identified in Ruckus Wireless management products, specifically Virtual SmartZone (vSZ) and Network Director (RND), including authentication bypass, hardcoded secrets, arbitrary file read by authenticated users, and unauthenticated remote code execution. These issues may allow full compromise of the environments managed by the affected software. At this time, we have not able to reach Ruckus Wireless or their parent company to include their response to these disclosed vulnerabilities, we recommend using these products only within isolated management networks accessible to trusted users.

Ruckus Wireless is a company that provides networking devices for venues where many end points will be connected to the internet, such as schools, hospitals, multi-tenant residences, and smart cities that provide public Wi-Fi. Virtual SmartZone (vSZ) by Ruckus Wireless is a wireless network control software to virtually manage large-scale networks, up to a scale of 10,000 Ruckus access points and 150,000 connected clients. Ruckus Network Director (RND) is software for the management of multiple vSZ clusters on a single network.

Multiple vulnerabilities were reported in these Ruckus Wireless products that are described here:

[CVE-2025-44957] Hardcoded Secrets, including JWT Signing Key, API keys in Code (CWE-287: Improper Authentication). Multiple secrets are hardcoded into the vSZ application, making them vulnerable to access thus allowing elevated privileges. Using HTTP headers and a valid API key, it is possible to logically bypass the authentication methods, providing administrator-level access to anyone that does this.

[CVE-2025-44962] Authenticated Arbitrary File Read (CWE-23: Relative Path Traversal). Ruckus vSZ allows for users to download files from an allowed directory, but by hardcoding a directory path, a user could traverse other directory paths with ../ to read sensitive files.

[CVE-2025-44954] Unauthenticated RCE in SSH due to Hardcoded Default Public/Private Keys (CWE-1394: Use of Default Cryptographic Key). Ruckus vSZ has a built-in user with all of the same privileges as root. This user also has default public and private RSA keys in its /home/$USER/.ssh/ directory. Anyone with a Ruckus device would also have this private key and be able to ssh as this and then have root-level permissions.

[CVE-2025-44960] Remote Code Execution (CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')). A parameter in a vSZ API route is user-controlled and not sanitized before being executed in an OS command. An attacker could supply a malicious payload to result in code execution.

[CVE-2025-44961] Remote Code Execution (CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')). An authenticated vSZ user supplies an IP address as an argument to be run in an OS command, but this IP address is not sanitized. A user could supply other commands instead of an IP address to achieve RCE.

[CVE-2025-44963] Hardcoded Secrets, including JWT token (CWE-321: Use of Hard-coded Cryptographic Key). RND uses a secret key on the backend web server to ensure that session JWTs are valid. This secret key is hardcoded into the web server. Anyone with knowledge of the secret key could create a valid JWT, thus bypassing the typical authentication to access the server with administrator privileges.

[CVE-2025-44955] Hardcoded Secrets (CWE-259: Use of Hard-coded Password). RND includes a jailed environment to allow users to configure devices without complete shell access to the underlying operating system. The jailed environment includes a built-in jailbreak for technicians to elevate privileges. The jailbreak requires a weak password that is hardcoded into the environment. Anyone with this password can access an RND server with root permissions.

[CVE-2025-6243] Hardcoded SSH Public Key (CWE-321: Use of Hard-coded Cryptographic Key). A built-in user called sshuser, with root privileges, exists on the RND platform. Both public and private ssh keys exist in the sshuser home directory. Anyone with the private key can access an RND server as sshuser.

[CVE-2025-44958] Recoverable passwords (CWE-257: Storing Passwords in a Recoverable Format). RND encrypts passwords with a hardcoded weak secret key and returns the passwords in plaintext. If the server were compromised, an attacker could gain all the plaintext passwords and decrypt them.

Impact of these vulnerabilities vary from information leakage to total compromise of the wireless environment managed by the affected products. As an example, an attacker with network access to Ruckus Wireless vSZ can exploit CVE-2025-44954 to gain full administrator access that will lead to total compromise of the vSZ wireless management environment. Furthermore, multiple vulnerabilities can be chained to create chained attacks that can allow the attacker to combine attacks to bypass any security controls that prevent only specific attacks.

No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.

Thanks to Noam Moshe of Claroty Team82 for reporting these vulnerabilities. This document was written by CERT/CC.