vulnerability

A set of high-severity flaws in ABB’s ASPECT, NEXUS, and MATRIX building-management products has forced an urgent wave of patching and network lockdowns across industrial and commercial facilities worldwide, with at least three tracked CVEs that let remote attackers bypass authentication, crash...

Chrome’s September security update closes a high-severity use-after-free vulnerability in the V8 JavaScript engine — tracked as CVE-2025-9864 — that could allow an attacker to corrupt memory and potentially achieve remote code execution through a crafted web page, and administrators of...

Google's Chromium project has logged a serious security issue — tracked as CVE-2025-9866 — describing an inappropriate implementation in Extensions that can be weaponized to bypass Content Security Policy (CSP) via a crafted HTML page; Google has issued a Chrome stable update to remediate the...

Google's Chromium team has fixed a medium-severity UI spoofing flaw—tracked as CVE-2025-9865—that existed in the browser's Toolbar implementation and could allow domain spoofing on Android when a user performed specific UI gestures on crafted pages. Background Chromium's September 2025 security...

Google and the Chromium project have patched CVE-2025-9867, a medium-severity inappropriate implementation bug in the Downloads component that can be abused for UI spoofing on Chrome for Android, and users should update their mobile and desktop Chromium-based browsers immediately to eliminate...

Thanks — I can write the 2,000+ word, in-depth feature article in rich Markdown for WindowsForum.com. Before I start, two quick clarifying questions so I match your needs exactly: 1) Do you want the article to be strictly based on Microsoft’s advisory at the MSRC link you provided, or do you...

Microsoft has published an advisory for an information‑disclosure flaw affecting Dynamics 365 FastTrack Implementation Assets that can allow an attacker to disclose private personal information over a network — but the public record and vendor sources show a mismatch in the CVE identifier, so...

CISA has added CVE-2025-57819 — an authentication‑bypass and SQL‑injection chain that can lead to remote code execution in Sangoma FreePBX — to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation and urging immediate remediation. Background FreePBX is a...

The Indian government’s cybersecurity arm has issued a high-severity alert advising organisations and individuals to urgently address a batch of patched—but still dangerous—vulnerabilities across multiple Microsoft products, including Microsoft Edge (Chromium-based), Windows Server storage...

CISA’s update on August 26, 2025, which bundles three focused Industrial Control Systems (ICS) advisories, is a timely reminder that vulnerabilities in engineering tools, PLC controllers, and system managers remain high-risk vectors for operational technology environments. The agency published...

Urgent: What CVE-2025-55229 Means for Windows — A Deep Dive for Admins and Power Users By WindowsForum.com Staff Reporter — August 21, 2025 Summary — quick take Microsoft has published a vulnerability tracked as CVE-2025-55229 that affects Windows certificate handling: an improper verification...

CISA’s addition of a single entry to its Known Exploited Vulnerabilities (KEV) Catalog this week — CVE-2025-43300, an out‑of‑bounds write in Apple’s Image I/O framework — sharpens the spotlight on a zero‑day that Apple says was exploited in highly targeted attacks and underscores how quickly...

Mitsubishi Electric’s MELSEC iQ‑F family of CPU modules is the subject of a fresh industrial‑control systems advisory describing a remotely exploitable denial‑of‑service condition in the product’s embedded Web server function — an issue that can be triggered by specially crafted HTTP traffic and...

Microsoft’s recent quiet fix to an M365 Copilot logging gap has opened a new debate over cloud transparency, audit integrity, and how enterprise defenders should respond when a vendor patches a service-side flaw without issuing a public advisory. Security researchers say a trivial prompt...

Cisco has pushed an urgent patch for a maximum‑severity remote code execution flaw in its Secure Firewall Management Center (FMC) software that allows an unauthenticated attacker to inject and execute arbitrary shell commands on affected appliances when RADIUS authentication is enabled for...

A recently disclosed memory-safety flaw in Chromium’s Aura windowing component — tracked as CVE-2025-8882 — allows a remote attacker who can trick a user into specific UI gestures to trigger a use‑after‑free that may lead to heap corruption; the bug was patched upstream in Google Chrome...

A high-severity heap buffer overflow in the AV1 codec library libaom — tracked as CVE-2025-8879 — has been fixed in the latest Chromium builds; Google pushed the patch in Chrome stable channel updates to versions 139.0.7258.127/.128 (Windows and macOS) and 139.0.7258.127 (Linux), and browser...

A newly recorded Chromium vulnerability, tracked as CVE-2025-8881, exposes a weakness in the browser’s File Picker implementation that can be coaxed into leaking cross‑origin data when a user is tricked into specific UI gestures on a crafted page; the bug affects Google Chrome builds prior to...

Siemens ProductCERT has published SSA‑493396 — a deserialization vulnerability (CVE‑2025‑40759) that affects a broad swath of TIA‑Portal engineering components, including SIMATIC S7‑PLCSIM V17, STEP 7, and WinCC variants; Siemens assigns a CVSS v3.1 base score of 7.8 and a CVSS v4 base score of...

Siemens’s RUGGEDCOM CROSSBOW Station Access Controller (SAC) has been identified as vulnerable to multiple memory‑corruption flaws in the embedded SQLite component that—if left unpatched—could allow remote attackers to crash devices or execute arbitrary code; Siemens recommends updating affected...