Critical VM Escape vulnerability reported in Happy DOM

A critical vulnerability (CVE-2025-61927) in the Happy DOM JavaScript library allows authenticated users to escape the Node.js virtual machine sandbox and execute arbitrary code by exploiting JavaScript's constructor chain.

**If you're using Happy DOM, plan a quick update to version 20 or later, which disables JavaScript evaluation by default. If you can't upgrade right away, manually disable JavaScript evaluation in your Happy DOM configuration or run Node.js with the --disallow-code-generation-from-strings flag to prevent VM escape attacks. Then allow JavaScript selectively only for trusted sources.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-vm-escape-vulnerability-reported-in-happy-dom-5-v-0-5-r/gD2P6Ple2L

Oracle E-Business Suite reports another vulnerability during rising ransomware threats

Oracle is reporting a high-severity vulnerability (CVE-2025-61884) in its E-Business Suite that allows remote attackers to exploit the Oracle Configurator component via HTTP and access sensitive resources without authentication. The timing is concerning given recent Oracle E-Business Suite exploitations. Oracle urges customers to apply security patches ASAP.

**If you're running Oracle E-Business Suite, check Oracle's Patch Update program and plan for another quick update. It's not clear whether this vulnerability is actively exploited, but given the recent wave of Oracle E-Business Suite exploits, treat this as urgent as well. You don't want a repeat of the previous attack cycle.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/oracle-e-business-suite-reports-another-vulnerability-during-rising-ransomware-threats-0-p-c-u-a/gD2P6Ple2L

Critical vulnerabilities reported in WP Travel Engine WordPress plugin

Two critical vulnerabilities (CVE-2025-7634 and CVE-2025-7526) rated 9.8 CVSS were discovered in the WP Travel Engine WordPress plugin allowing attackers to execute arbitrary PHP code through local file inclusion and achieve remote code execution via arbitrary file deletion through path traversal.

**If you're using the WP Travel Engine plugin for WordPress, immediately update to version 6.6.8 or newer. The two flaws will be exploited very quickly, and you can't hide your WordPress from the Internet. Update the plugin; it's not that hard.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-vulnerabilities-reported-in-wp-travel-engine-wordpress-plugin-6-x-1-z-4/gD2P6Ple2L

Juniper Networks patches nearly 220 security flaws in quarterly October 2025 update

Juniper Networks released its October 2025 quarterly security update patching nearly 220 vulnerabilities across Junos OS, Junos Space, and Security Director platforms, including nine critical-severity flaws. No active exploitation has been reported.

**If you're using Juniper products, especially Junos Space, review the advisory and plan a quick update cycle. The patch is huge and fixes critical flaws. Now that the list of vulnerabilities is out, attackers will start exploiting the flaws, and Juniper equipment is by its very nature exposed to multiple networks, so it will be reached.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/juniper-networks-patches-nearly-220-security-flaws-in-quarterly-october-2025-update-1-y-d-t-7/gD2P6Ple2L

Zero Day Initiative reports 13 vulnerabilities in Ivanti Endpoint Manager

Zero Day Initiative publicly disclosed 13 unpatched vulnerabilities in Ivanti Endpoint Manager on October 7, 2025, including 12 remote code execution flaws (mostly SQL injection) and one privilege escalation vulnerability, after Ivanti repeatedly delayed patches despite being notified between June and November 2024.

**If you're running Ivanti Endpoint Manager, be aware that there are 13 unpatched vulnerabilities and no fixes available from the vendor. Isolate the IEM as much as possible from the internet and restrict access. Then start calling Ivanti for a patch. Hackers love Ivanti and will try to exploit these flaws.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/zero-day-initiative-reports-13-vulnerabilities-in-ivanti-endpoint-manager-d-5-o-t-9/gD2P6Ple2L

Cybersecurity experts warn of ASCII Smuggling prompt injection vulnerability in multiple AI systems

FireTail researchers disclosed an "ASCII Smuggling" vulnerability in Google Gemini that allows attackers to embed invisible Unicode characters to inject malicious prompt instructions. Google has refused to address it since it was reported on September 18, 2025, classifying it as social engineering. The flaw is most dangerous in Google Workspace environments where Gemini's integration with Gmail and Calendar enables automated data exfiltration, malicious link injection, and identity spoofing, prompting recommendations to disable automatic access to employee email and calendars until remediated.

**This is another prompt injection vector through hidden characters that the human user will not see but the AI will. Be extremely conservative about AI access to your real systems and data, because all these products are half-baked, not properly secured, and the vendors hide behind "terms and conditions".**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/cybersecurity-experts-warn-of-ascii-smuggling-prompt-injection-vulnerability-in-multiple-ai-systems-y-t-v-4-g/gD2P6Ple2L
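Since the vendor has declined to fix this, the practical defence is to inspect text before it reaches a model. The snippet below is an added example (not FireTail's or Google's code) that scans a string for the Unicode Tags block (U+E0000 to U+E007F, the carrier that "ASCII smuggling" uses because the code points U+E0020 to U+E007E mirror printable ASCII and render as nothing) and for common zero-width characters, decodes what the hidden tag characters spell so a reviewer can see it, and returns a sanitized copy with the invisible characters removed. The sample sentence and the `toTags` helper used to build it are constructed for the illustration; the sanitizer generalizes beyond the Gemini case to any text an LLM-integrated workflow ingests.

```javascript
// Added example: detect, decode and strip invisible Unicode used for
// "ASCII smuggling". Not FireTail's or Google's code.

const TAG_BASE = 0xe0000; // start of the Unicode Tags block
const TAG_LAST = 0xe007f; // end of the Unicode Tags block
// Other characters that are invisible in most renderers: zero-width space,
// zero-width non-joiner/joiner, word joiner, BOM, soft hyphen.
const ZERO_WIDTH = new Set([0x200b, 0x200c, 0x200d, 0x2060, 0xfeff, 0x00ad]);

function isInvisible(cp) {
  return (cp >= TAG_BASE && cp <= TAG_LAST) || ZERO_WIDTH.has(cp);
}

// Report every invisible code point with its position (counted in code
// points, not UTF-16 units, since tag characters are surrogate pairs).
function scanInvisible(text) {
  const findings = [];
  let index = 0;
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (isInvisible(cp)) {
      findings.push({
        index,
        codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
      });
    }
    index += 1;
  }
  return findings;
}

// Recover the ASCII text that tag characters spell out, so the hidden
// payload can be reviewed before deciding how to handle the message.
function decodeTags(text) {
  let out = '';
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (cp >= TAG_BASE + 0x20 && cp <= TAG_BASE + 0x7e) {
      out += String.fromCodePoint(cp - TAG_BASE);
    }
  }
  return out;
}

// Return the text with all invisible characters removed; run this on
// calendar invites, e-mail bodies and documents before a model sees them.
function sanitize(text) {
  let out = '';
  for (const ch of text) {
    if (!isInvisible(ch.codePointAt(0))) out += ch;
  }
  return out;
}

// Constructed sample: a calendar-style sentence followed by hidden tag text.
// toTags maps printable ASCII onto the Tags block; it exists only to build
// the test input.
function toTags(ascii) {
  return Array.from(ascii, (c) => String.fromCodePoint(TAG_BASE + c.charCodeAt(0))).join('');
}
const SAMPLE = 'Quarterly review, Friday 10:00.' + toTags('hidden text');

console.log('findings:', scanInvisible(SAMPLE).length);
console.log('hidden payload:', JSON.stringify(decodeTags(SAMPLE)));
console.log('sanitized:', JSON.stringify(sanitize(SAMPLE)));
```

The visible sentence survives sanitization unchanged while the smuggled payload is both surfaced (`decodeTags`) and removed (`sanitize`); logging the findings gives a detection signal that hidden instructions were attempted, which is worth more than silently dropping them.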

Critical flaw in Service Finder WordPress Theme actively exploited

Wordfence is reporting active exploitation of an authentication bypass vulnerability (CVE-2025-5947) in the Service Finder Bookings WordPress plugin that allows attackers to gain administrator access without credentials by manipulating cookies.

**If you're using the Service Finder WordPress theme, THIS IS URGENT. Immediately update the Service Finder Bookings plugin to version 6.1. The flaw is actively exploited and fairly trivial to exploit. After updating, check your access logs for suspicious "switch_back" requests and review all user accounts.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-flaw-in-service-finder-wordpress-theme-actively-exploited-4-g-u-9-p/gD2P6Ple2L
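The post-update check above, scanning access logs for "switch_back" requests, is easy to automate. The snippet below is an added example, not Wordfence's or the plugin vendor's code: it parses web server lines in the common combined log format, keeps the requests whose path or query string mentions `switch_back`, and tallies them per source IP so the noisiest clients can be triaged first. The four log lines are constructed (documentation IP ranges, made-up paths) purely to exercise the parser; on a real server, feed it the lines of the access log from the exposure window.

```javascript
// Added example: find "switch_back" requests in access logs and summarize
// them per source IP. Not Wordfence's or the plugin vendor's code.

// Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
const COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

// Parse one log line into its fields; returns null for lines that do not match.
function parseLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Keep only parsed requests whose path (including the query string) mentions
// the indicator named in the advisory.
function findSwitchBack(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (rec && /switch_back/i.test(rec.path)) hits.push(rec);
  }
  return hits;
}

// Count hits per source IP so triage can start with the most active clients.
function summarizeByIp(hits) {
  const counts = {};
  for (const h of hits) counts[h.ip] = (counts[h.ip] || 0) + 1;
  return counts;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [08/Oct/2025:10:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2131 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [08/Oct/2025:10:12:03 +0000] "GET /?switch_back=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [08/Oct/2025:10:15:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 55 "-" "curl/8.0"',
  '203.0.113.5 - - [08/Oct/2025:10:12:09 +0000] "GET /wp-admin/users.php?switch_back=1 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
];

const hits = findSwitchBack(SAMPLE_LOG);
console.log('switch_back requests:', hits.length);
console.log('per source IP:', summarizeByIp(hits));
```

Treat hits as leads rather than proof: correlate each source IP and timestamp with the user account review the advisory also calls for, and pay particular attention to requests that reached admin pages with a 200 status.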

Google releases Chrome 141, patches multiple vulnerabilities enabling arbitrary code execution

Google released Chrome version 141.0.7390.65/.66 for Windows/Mac and 141.0.7390.65 for Linux, patching multiple memory vulnerabilities, two rated high severity.

**If you are using Google Chrome or other Chromium-based browsers (Edge, Brave, Vivaldi, Opera...), patch your browser ASAP. While this is not a critical zero-day emergency, three vulnerabilities, two of them high-severity, deserve a quick update. And updating is trivial; all your tabs reopen.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/google-releases-chrome-141-patches-multiple-vulnerabilities-enabling-arbitrary-code-execution-l-w-m-z-h/gD2P6Ple2L

Nagios patches multiple flaws in their Log Server, at least one critical

Nagios has patched two vulnerabilities in its Log Server platform: CVE-2025-44823 allows any authenticated user to retrieve administrative API keys in cleartext, and CVE-2025-44824 allows service disruption by stopping Elasticsearch.

**As a first step, make sure your Nagios server is not exposed to the internet. Then, if you're running Nagios Log Server versions before 2024R1.3.2, plan a quick upgrade since any authenticated user can leak out the API keys or crash your Nagios Log Server. After upgrading, rotate all API keys and review your audit logs for any suspicious access to admin endpoints.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/nagios-patches-multiple-flaws-in-their-log-server-at-least-one-critical-7-r-v-7-v/gD2P6Ple2L

Critical privilege escalation vulnerability reported in AWS Client VPN for macOS

AWS disclosed a critical privilege escalation vulnerability (CVE-2025-11462) in the macOS version of AWS Client VPN (versions 1.3.2 through 5.2.0) that allows local attackers to exploit insufficient validation during log rotation to create symbolic links and execute arbitrary code with root privileges.

**If you're using AWS Client VPN on macOS, check your version and upgrade to version 5.2.1 or later as soon as possible. The exploit requires access to the computer, but even that can be achieved with some malware through phishing or "free" apps.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-privilege-escalation-vulnerability-reported-in-aws-client-vpn-for-macos-4-0-x-f-5/gD2P6Ple2L
