Weekly Threat Landscape Digest – Week 51

1. Critical Vulnerabilities in Tenable Nessus

Tenable has released security updates for Nessus to remediate multiple critical and high-severity vulnerabilities stemming from embedded third-party open-source libraries. The affected components (expat, libxml2, and libxslt) are used for XML parsing and transformation within Nessus. Successful exploitation could lead to denial-of-service (DoS), privilege escalation, or impact the integrity and availability of data processed by the platform.

Affected Products

• Nessus 10.11.0
• Nessus 10.10.0 – 10.10.1
• Nessus 10.9.0 – 10.9.5
• Nessus 10.8.0 – 10.8.6

Fixed Versions

• Nessus 10.9.6
• Nessus 10.11.1

Key Vulnerability Details

The updates address multiple CVEs associated with third-party libraries, including several high and critical-severity issues:

• High / Critical CVEs include:
  • CVE-2025-49794 (CVSS 9.1)
  • CVE-2025-49796 (CVSS 9.1)
  • CVE-2025-7425 (CVSS 7.8)
  • CVE-2024-55549 (CVSS 7.8)
• Vulnerabilities may allow DoS conditions, privilege escalation, or compromise of data integrity and availability.

Impact / Risk

• Disruption of vulnerability scanning operations (DoS)
• Potential privilege escalation on Nessus hosts
• Reduced trust in scan results and security posture data
• Increased risk if Nessus servers are exposed to untrusted networks

Recommended Actions

• Immediately upgrade all Nessus installations to 10.9.6 or 10.11.1
• Restrict network and administrative access to Nessus servers
• Monitor Nessus logs for abnormal behavior or service interruptions
• Ensure vulnerability management platforms are included in regular patch cycles

References

• Tenable Security Advisory: https://www.tenable.com/security/tns-2025-24

 

2. Google Chrome – High-Severity Browser Vulnerabilities

Google has released security updates for the Chrome browser addressing multiple high-severity vulnerabilities in core components, including WebGPU and the V8 JavaScript engine. Successful exploitation could result in memory corruption, leading to browser instability, unauthorized access to sensitive data, or remote code execution within the context of the affected user.

Key Vulnerability Details

• CVE-2025-14765 – Use-after-free vulnerability in WebGPU
  • May allow memory corruption and browser instability
• CVE-2025-14766 – Out-of-bounds read/write in V8 JavaScript engine
  • Potentially enables arbitrary code execution via malicious web content

Impact / Risk

• Browser crashes or instability
• Exposure of sensitive information handled by the browser
• Arbitrary code execution in the browser context
• Compromise of user sessions through malicious or crafted web pages

 

Fixed Versions

• Windows / macOS: Chrome 143.0.7499.146 / 143.0.7499.147
• Linux: Chrome 143.0.7499.146
• Android: Chrome 143.0.7499.146
• Extended Stable (Windows / macOS): Chrome 142.0.7499.243
• iOS: Chrome 143.0.7499.151

Recommended Actions

• Immediately update Google Chrome to the latest available version on all platforms
• Enforce automatic browser updates across enterprise environments
• Restrict use of unsupported or outdated browser versions
• Advise users to avoid untrusted or suspicious web links until updates are applied

References

• View issue – Chromium
• Chrome Releases: Stable Channel Update for Desktop

 

3. Denial of Service (DoS) Vulnerability in TP-Link TL-WR940N V6 Router

A high-severity Denial of Service (DoS) vulnerability has been identified in the TP-Link TL-WR940N V6 router. The issue originates from improper input validation in the UPnP service, allowing unauthenticated attackers on the local network to disrupt the router’s UPnP functionality. Successful exploitation can lead to service unavailability and degradation of overall network operations.

Key Vulnerability Details

• CVE ID: CVE-2025-11676
• Severity: High
• CVSS v4.0: 7.1
• Root Cause: Improper input validation in the UPnP module
• Attack Vector: Adjacent network (unauthenticated local attacker)

Affected Products

• TP-Link TL-WR940N V6 running firmware Build 220801 or earlier

Fixed Versions

• TP-Link TL-WR940N V6 Build 250919
• TP-Link TL-WR940N V6 Build 250925

Impact / Risk

• Denial of Service affecting UPnP functionality
• Network instability or service outages
• Potential disruption to connected devices and services

Recommended Actions

• Immediately upgrade to a fixed TP-Link firmware version
• Disable UPnP if it is not required for network operations
• Restrict access to the router management interface
• Monitor network activity for unexpected disruptions or outages

References

• TP-Link Security Advisory: https://www.tp-link.com/us/support/faq/4755/

 

4. Critical Remote Code Execution Vulnerability in pgAdmin

A critical Remote Code Execution (RCE) vulnerability has been identified in pgAdmin, the widely used PostgreSQL administration tool. The flaw allows an authenticated attacker to execute arbitrary system commands on the pgAdmin server by abusing a maliciously crafted PLAIN-format SQL database restore file. This issue represents a bypass of a previously implemented fix and poses a severe risk, particularly for deployments running pgAdmin in server mode.

Key Vulnerability Details

• CVE ID: CVE-2025-13780

• Severity: Critical

• CVSS v3 Score: 9.1

• Vulnerability Type: Remote Code Execution (RCE)

• Attack Vector: Malicious database restore using PLAIN-format SQL dumps

• Deployment Mode Affected: Server mode

Affected Products

• pgAdmin: All versions up to and including 9.10

Fixed Version

• pgAdmin 9.11 or later

Impact / Risk

• Arbitrary system command execution on the pgAdmin server

• Full compromise of the underlying host

• Exposure of PostgreSQL databases and credentials

• Potential lateral movement within internal infrastructure

• High risk in shared or multi-admin database environments

Recommended Actions

• Immediately upgrade pgAdmin to version 9.11 or later

• Restrict pgAdmin access to trusted administrative users only

• Avoid restoring databases from untrusted or unknown sources

• Review pgAdmin server logs for suspicious restore activity

• Apply network segmentation and least-privilege controls to database management interfaces

• Consider temporarily disabling restore functionality if immediate patching is not possible

References

• pgAdmin Issue Tracker: https://github.com/pgadmin-org/pgadmin4/issues/9368

 

5. Actively Exploited Zero-Day Vulnerabilities in Apple WebKit

Apple has released emergency security updates across multiple platforms to address actively exploited zero-day vulnerabilities in the WebKit rendering engine. Apple confirmed in-the-wild exploitation, likely in highly targeted attacks. Due to WebKit’s deep integration across Safari, in-app browsers, and system components, these flaws significantly increase the risk of remote device compromise via malicious web content. Immediate patching is strongly recommended.

Key Vulnerability Details

• CVE-2025-43529 – Use-after-free in WebKit
  • Severity: Critical (CVSS 9.8)
  • Impact: Arbitrary code execution when processing malicious web content
  • User Interaction: None beyond visiting a malicious webpage
• CVE-2025-14174 – Out-of-bounds memory access in WebKit (ANGLE / Metal renderer)
  • Severity: High (CVSS 8.8)
  • Impact: Memory corruption leading to potential code execution
  • Notes: Mirrors a recently patched Chrome vulnerability, indicating active cross-platform exploitation

Impact / Risk

• Arbitrary code execution via malicious web content
• Full device compromise without authentication
• Bypass of browser and OS-level security controls
• Targeted surveillance and follow-on exploitation
• Application crashes or system instability
• Exposure even when Safari is not the primary browser due to WebKit reuse

Affected Platforms & Fixed Versions

• iOS 26.2 / iPadOS 26.2 (supported devices)
• iOS 18.7.3 / iPadOS 18.7.3 (older supported devices)
• macOS Tahoe 26.2
• macOS Sequoia 15.7.3
• macOS Sonoma 14.8.3
• tvOS 26.2
• watchOS 26.2
• visionOS 26.2

Recommended Actions

• Immediately install the latest Apple security updates on all supported devices
• Prioritize patching for internet-facing, executive, and privileged-user devices
• Restrict access to untrusted websites until remediation is complete
• Monitor endpoint telemetry for browser exploitation or abnormal WebKit behavior
• Treat unpatched Apple devices as high-risk assets until fully updated

References

• Apple Security Advisory: https://support.apple.com/en-ae/100100

 

6. Multiple High and Critical Vulnerabilities in Atlassian Data Center and Server Products

Atlassian has released its December 2025 Security Bulletin, addressing a large number of security vulnerabilities impacting Atlassian Data Center and Server products. The bulletin includes 37 high-severity and 9 critical-severity vulnerabilities, many originating from bundled third-party dependencies such as Apache Tika, Apache Struts, Jackson, Netty, Spring Security, and various JavaScript libraries. While some issues have constrained exploit paths, successful exploitation could result in remote code execution (RCE), XXE injection, SSRF, DoS, privilege escalation, and information disclosure. Immediate patching is strongly recommended.

Affected Products

• Jira Software
• Jira Service Management
• Confluence
• Bitbucket
• Bamboo
• Crowd
• Fisheye / Crucible

Critical Vulnerability Categories

• XML External Entity (XXE) Injection – CVE-2025-66516 (CVSS 10.0)
  • Originates from Apache Tika
  • Allows arbitrary file disclosure, SSRF, and DoS
  • Affects Bamboo, Confluence, Crowd, Fisheye/Crucible, Jira Software, Jira Service Management
• Prototype Pollution – Critical
  • CVE-2022-37601 (loader-utils) – Confluence
  • CVE-2021-39227 (zrender) – Jira Software, Jira Service Management
  • May enable application logic manipulation and chained exploitation

High-Severity Vulnerabilities (Selected)

• Remote Code Execution (RCE):
  • CVE-2016-1181 – Apache Struts (Jira Software, Jira Service Management)
• Server-Side Request Forgery (SSRF):
  • CVE-2024-29415 – Confluence
  • CVE-2025-27152 – axios (Jira Software)
• Denial of Service (DoS):
  • Multiple issues across Netty, Jackson, Apache Tomcat, Struts, axios, minimatch, protobuf, and loader-utils
  • Examples: CVE-2025-55163, CVE-2025-52434, CVE-2025-48989
• Improper Authorization:
  • CVE-2025-41248 – Spring Security (Crowd, Jira Software, Jira Service Management)
• Information Disclosure:
  • CVE-2024-13009 – Jackson Databind (Crowd)

Affected / Fixed Versions (Examples)

• Jira Software / Jira Service Management: 11.3.0 (LTS), 10.3.15 (LTS)
• Confluence: 10.2.1 (LTS), 9.2.12 (LTS), 8.5.30 (LTS)
• Bamboo: 12.0.2, 10.2.12 (LTS), 9.6.20 (LTS)
• Crowd: 7.1.2
• Fisheye / Crucible: 4.9.6
  (Refer to Atlassian advisory for full version mapping.)

Impact / Risk

• Remote code execution and privilege escalation
• Exposure of sensitive application and authentication data
• Internal network access via SSRF
• Service disruption and availability impact
• Elevated risk for internet-facing and mission-critical platforms

Recommended Actions

• Immediately upgrade all Atlassian Data Center and Server products to vendor-recommended fixed or LTS versions
• Prioritize remediation for internet-exposed systems and platforms supporting authentication, CI/CD, or service management
• Address critical XXE and prototype pollution vulnerabilities first
• Monitor logs and security telemetry for abnormal file access, outbound requests, or crashes
• Review and harden dependency management practices to reduce third-party risk

References

• Atlassian Security Bulletin (December 2025):
  https://confluence.atlassian.com/security/security-bulletin-december-11-2025-1689616574.html

 

7. Windows Remote Access Connection Manager (RasMan) Privilege Escalation Vulnerability

A critical local privilege escalation vulnerability has been identified in the Windows Remote Access Connection Manager (RasMan) service. Tracked as CVE-2025-59230, the flaw may allow a local attacker to achieve arbitrary code execution with SYSTEM privileges, resulting in full host compromise. Further research shows successful exploitation relies on chaining this vulnerability with a secondary zero-day RasMan service crash flaw, enabling a race-condition attack.

Key Vulnerability Details

• CVE ID: CVE-2025-59230
• Component: Windows Remote Access Connection Manager (RasMan)
• Vulnerability Type: Elevation of Privilege (EoP)
• Impact: Arbitrary code execution as SYSTEM

Exploitation Overview

• RasMan registers a trusted RPC endpoint used by other privileged Windows services.
• Insufficient verification allows an attacker to register the same RPC endpoint first if RasMan is not running.
• A secondary zero-day flaw enables a low-privileged user to crash the RasMan service via a logic error (NULL pointer handling in a circular linked list).
• Once RasMan crashes, the attacker can hijack the RPC endpoint and trigger CVE-2025-59230 to gain SYSTEM-level access.

Affected Platforms

• Windows 10
• Windows 11
• Windows Server 2008 through Windows Server 2025

Impact / Risk

• Full system compromise via local privilege escalation
• Execution of arbitrary code with SYSTEM privileges
• Increased risk on shared or multi-user systems
• Potential use as a post-exploitation persistence or privilege escalation technique

Recommended Actions

• Immediately apply the October 2025 Microsoft security updates addressing CVE-2025-59230
• Verify all systems are fully patched and not relying on service auto-start behavior for security
• Monitor Windows Event Logs for unexpected RasMan service crashes or restarts
• Restrict local user access on sensitive or high-value systems

References

• Cybersecurity News: https://cybersecuritynews.com/windows-remote-access-connection-manager-vulnerability/
• 0patch Analysis: https://blog.0patch.com/2025/12/free-micropatches-for-windows-remote.html

 

8. Supply-Chain Exposure in Notepad++ Update Infrastructure

A high-severity supply-chain style security exposure has been identified in the Notepad++ auto-update infrastructure, where threat actors manipulated update traffic to deliver malicious installers to targeted users. The issue affects the WinGUp updater (gup.exe), which retrieves update metadata remotely, downloads executables into the system TEMP directory, and executes them. Full remediation requires a manual upgrade to Notepad++ v8.8.9, which introduces comprehensive security controls.

Key Issue Details

• Issue Type: Insecure update delivery / Supply-chain exposure
• Severity: High
• Affected Component: WinGUp updater (gup.exe)

Root Cause Factors

• Redirectable network traffic allowing update redirection to attacker-controlled infrastructure
• Self-signed certificate usage (≤ v8.8.7) embedded in public source code, enabling spoofed installers
• Insufficient signature validation in earlier versions
  • GlobalSign certificates introduced in v8.8.7
  • Strict enforcement only implemented in v8.8.9

Affected / Patched Versions

• Affected:
  • Notepad++ ≤ v8.8.7
  • Notepad++ v8.8.8 (partial/incomplete hardening)
• Patched:
  • Notepad++ v8.8.9
    • Enforces trusted download sources (GitHub only)
    • Mandatory certificate and signature validation
    • Automatic update termination on validation failure

Impact / Risk

• Delivery and execution of malicious installers via update mechanism
• Potential full endpoint compromise
• Elevated risk due to auto-execution from TEMP directory
• Confirmed targeted exploitation prior to full mitigation release

Indicators of Compromise (IOCs)

• Unexpected executables in TEMP directory:
  • update.exe
  • AutoUpdater.exe
• Suspicious outbound connections initiated by gup.exe
• Unexpected child processes spawned by the Notepad++ updater
• Installer warnings indicating “Unknown Publisher”

 

Recommended Actions

• Manually install Notepad++ v8.8.9 immediately using only the official website or GitHub link
• Do not rely on automatic updates for remediation
• Verify installer digital signature (Notepad++ / GlobalSign certificate)
• Do not proceed if the publisher is listed as “Unknown Publisher”
• Conduct IOC-based threat hunting on endpoints and network logs
• Treat systems showing indicators as potentially compromised

References

• Notepad++ Security Update: https://notepad-plus-plus.org/news/v889-released/

 

9. Mozilla Security Updates – High-Severity Vulnerabilities in Firefox and Thunderbird

Mozilla has released security updates addressing multiple high-severity vulnerabilities affecting Firefox, Firefox ESR, and Thunderbird. The issues include memory corruption, sandbox escape, privilege escalation, and JavaScript engine flaws, which could be leveraged to achieve arbitrary code execution or full compromise of the browser or email client environment. Immediate patching is strongly recommended.

Key Vulnerability Details

• CVE-2025-14321 – WebRTC Signaling (Use-After-Free)
  • May result in memory corruption and potential remote code execution
• CVE-2025-14322 – Graphics: CanvasWebGL (Sandbox Escape)
  • Improper boundary handling could allow escape from browser sandbox restrictions
• CVE-2025-14323 – DOM: Notifications (Privilege Escalation)
  • May allow attackers to obtain elevated browser permissions
• CVE-2025-14324 / CVE-2025-14325 – JavaScript JIT Engine
  • Miscompilation issues leading to unpredictable execution and potential exploitation

Affected Products

• Mozilla Firefox
• Mozilla Firefox ESR
• Mozilla Thunderbird

Fixed Versions

• Firefox: 146
• Firefox ESR: 115.31, 140.6
• Thunderbird: 146, 140.6

Impact / Risk

• Arbitrary code execution within browser or email client
• Sandbox escape and privilege escalation
• Memory corruption leading to instability or exploitation
• Elevated risk when processing untrusted web or email content

Recommended Actions

• Immediately upgrade all Firefox, Firefox ESR, and Thunderbird installations to the latest patched versions
• Enable automatic updates wherever possible
• Restrict browser and email client usage on unpatched systems
• Monitor endpoints for signs of exploitation or abnormal behavior
• Apply standard browser hardening and endpoint security best practices

References

• Mozilla Security Advisories:
  • https://www.mozilla.org/en-US/security/advisories/mfsa2025-92/
  • https://www.mozilla.org/en-US/security/advisories/mfsa2025-93/
  • https://www.mozilla.org/en-US/security/advisories/mfsa2025-94/
  • https://www.mozilla.org/en-US/security/advisories/mfsa2025-95/
  • https://www.mozilla.org/en-US/security/advisories/mfsa2025-96/

10. Zoom Rooms Security Updates – Windows and macOS

Zoom has released security updates to address vulnerabilities affecting Zoom Rooms for Windows and Zoom Rooms for macOS. The identified issues could allow local privilege escalation on Windows systems or disclosure of sensitive information on macOS systems, posing increased risk in shared or publicly accessible Zoom Rooms environments. Immediate patching is strongly recommended.

Key Vulnerability Details

Zoom Rooms for Windows – Privilege Escalation

• CVE ID: CVE-2025-67460
• Severity: High
• CVSS Score: 7.8
• Description: A failure in the software downgrade protection mechanism may allow an unauthenticated local attacker to downgrade the application to a vulnerable version and subsequently escalate privileges.
• Affected Versions: Zoom Rooms for Windows prior to 6.6.0
• Fixed Version: 6.6.0 or later

Zoom Rooms for macOS – Information Disclosure

• CVE ID: CVE-2025-67461
• Severity: Medium
• CVSS Score: 5.0
• Description: External control of file name or path may allow an authenticated local attacker to access or disclose sensitive system information.
• Affected Versions: Zoom Rooms for macOS prior to 6.6.0
• Fixed Version: 6.6.0 or later

Impact / Risk

• Local privilege escalation on Windows-based Zoom Rooms systems
• Disclosure of sensitive information on macOS-based Zoom Rooms systems
• Elevated risk of misuse in shared or publicly accessible environments

Recommended Actions

• Immediately upgrade all Zoom Rooms for Windows and macOS systems to version 6.6.0 or later
• Restrict local access to Zoom Rooms systems, especially in shared or public locations
• Monitor systems for unauthorized access or privilege escalation attempts
• Apply standard endpoint hardening and least-privilege access controls

References

• Zoom Security Bulletin ZSB-25050: https://www.zoom.com/en/trust/security-bulletin/zsb-25050/
• Zoom Security Bulletin ZSB-25051: https://www.zoom.com/en/trust/security-bulletin/zsb-25051/