Latest Squid caching proxy vulnerabilities #

Squid has disclosed a heap-based buffer overflow vulnerability in certain versions of the Squid caching proxy due to incorrect buffer management when processing a Uniform Resource Name (URN). This vulnerability allows a remote server to perform a buffer overflow attack by delivering specially crafted URN Trivial-HTTP responses. Successful exploitation may lead to remote code execution (RCE) or the disclosure of up to 4KB of data from Squid’s allocated heap memory. This leaked memory may contain security credentials or other confidential data. This vulnerability has been designated CVE-2025-54574 and has been rated critical with a CVSS score of 9.3.

The following versions are affected

• Squid 2.x versions up to and including 2.7.STABLE9
• Squid 3.x versions up to and including 3.5.28
• Squid 4.x versions up to and including 4.17
• Squid 5.x versions up to and including 5.9
• Squid 6.x versions up to and including 6.3

What is the impact? #

Successful exploitation of the vulnerability would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible:

• Squid 6.x upgrade to version 6.4 or later
• For all other stable releases upgrade to the latest patch version available in the patch archives

If you are using a prepackaged version of Squid, refer to your package vendor for information on the availability of updated packages.

Workaround: Mitigate the vulnerability by disabling URN access permissions through adding the following configuration changes:

acl URN proto URN
http_access deny URN

How to find potentially vulnerable systems with runZero #

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:"Squid Cache" and product:"Squid" and version:<6.4

Latest Tridium Niagara vulnerabilities #

Tridium (a Honeywell company) has disclosed ten vulnerabilities in certain versions of Niagara Framework and Niagara Enterprise Security.

• The use of a password hash with insufficient computational effort leaves the system susceptible to cryptanalysis by an adversary. This vulnerability has been designated CVE-2025-3937 and has been rated high with a CVSS score of 7.7.
• Incorrect permission assignment for critical system resources may allow an adversary to manipulate sensitive files, potentially leading to unauthorized data alteration, system instability, or privilege escalation. This vulnerability has been designated CVE-2025-3944 and has been rated high with a CVSS score of 7.2.
• Argument delimiters are not properly neutralized potentially allowing an adversary to inject argument and control the executed command. This vulnerability has been designated CVE-2025-3945 and has been rated high with a CVSS score of 7.2.
• A critical cryptographic step was omitted or incorrectly performed undermining the security strength and leaves the system susceptible to cryptanalysis by an adversary. This vulnerability has been designated CVE-2025-3938 and has been rated medium with a CVSS score of 6.8.
• Incorrect permission assignment for a critical resource may be exploited allowing an adversary to bypass intended access control security levels, potentially leading to unauthorized access, modification, or deletion of a security-critical resource. This vulnerability has been designated CVE-2025-3936 and has been rated medium with a CVSS score of 6.5.
• Improper handling of the Windows ::DATA Alternate Data Stream (ADS) may allow an adversary to manipulate input data, potentially leading to unexpected application behavior. This vulnerability has been designated CVE-2025-3941 and has been rated medium with a CVSS score of 5.4.
• Through observable discrepancies in system responses when processing cryptographic operations or sensitive data, this vulnerability leaves the system susceptible to cryptanalysis by an adversary. This vulnerability has been designated CVE-2025-3939 and has been rated medium with a CVSS score of 5.3.
• Incorrect or insufficient use of an input validation framework allows an adversary to manipulate input data, circumventing intended security checks and potentially leading to other issues. This vulnerability has been designated CVE-2025-3940 and has been rated medium with a CVSS score of 5.3.
• Improper neutralization of untrusted input when writing data to log files may allow an adversary to inject malicious data into log entries. This vulnerability has been designated CVE-2025-3942 and has been rated medium with a CVSS score of 4.3.
• The anti-CSRF refresh token appears within HTTP GET request query strings allowing an adversary to potentially capture the sensitive parameter and perform parameter injection attacks. This vulnerability has been designated CVE-2025-3943 and has been rated medium with a CVSS score of 4.1.

The following versions are affected

• Niagara Framework and Niagara Enterprise Security versions 0 through 4.10.10 (4.10u10)
• Niagara Framework and Niagara Enterprise Security versions 0 through 4.14.1 (4.14u1)
• Niagara Framework and Niagara Enterprise Security versions 0 through 4.15

What is the impact? #

A proposed exploit chain involving two of these vulnerabilities (CVE-2025-3943, CVE-2025-3944) carries a prerequisite that the Niagara system has been misconfigured, disabling encryption on a Niagara device. This misconfiguration should produce a warning on the security dashboard, which would need to remain unaddressed by system administrators. Successful exploitation of these vulnerabilities, under specific conditions, could enable an adjacent adversary to compromise both the Station and Platform environments, and achieve arbitrary code execution on the device.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible:

• Niagara Framework and Niagara Enterprise Security to version 4.10.11 (4.10u11) and later releases
• Niagara Framework and Niagara Enterprise Security to version 4.14.2 (4.14u2) and later releases
• Niagara Framework and Niagara Enterprise Security to version 4.15.1 (4.15u1) and later releases

How to find potentially vulnerable systems with runZero #

From the Asset Inventory, use the following query to locate potentially vulnerable assets:

os:Tridium hw:Niagara

In Episode 20 of runZero Hour, we sat down with ProjectDiscovery co-founders Rishi Sharma and Sandeep Singh for a wide-ranging conversation on how open source is driving the next wave of security tooling and what it means for practitioners in the field. Our CEO HD Moore also dropped by to share some exciting updates on runZero’s recent collaboration on the Nuclei project.

Here’s a recap of what we covered:

How Nuclei became the standard for vulnerability detection #

What started as a tool to automate repetitive bug bounty tasks is now a best-in-class vulnerability scanner with over 10,000 detection templates and over 100,000 users. ProjectDiscovery’s open source model and approach to community collaboration have helped scale Nuclei into a critical tool for security professionals and researchers alike.

The growing ecosystem around ProjectDiscovery #

Beyond Nuclei, ProjectDiscovery has released 20+ tools (including Subfinder, DNSX, and HTTPX) that chain together for reconnaissance, service discovery, web crawling, and vulnerability scanning. Each tool can work independently or plug into broader workflows using command-line pipes, creating a powerful, modular toolkit for modern offensive and defensive security teams. These tools aren’t just open source, they are provided under one of the most permissive licenses available (the MIT License), simplifying integrations and collaboration with commercial tools and services.

runZero’s engineering collaboration with ProjectDiscovery #

HD Moore shared how runZero is contributing back by working with the ProjectDiscovery team to support in-process concurrency and eliminate race conditions. These updates make it possible to run thousands of Nuclei engines with different configurations in the same process, enabling new approaches to embedding and integration.

ProjectDiscovery’s roadmap for Nuclei #

From headless, browser-based testing and auto-generated templates to more robust authenticated scanning and better fuzzing support, ProjectDiscovery is doubling down on usability and coverage. They’re also experimenting with AI-driven template generation, with a focus on maintaining quality and control. Check out their public roadmap for upcoming features.

A tale of two scanning models #

Nuclei supports automatic targeting using the “autoscan” (-as) flag. This feature uses technology detection templates to then select specific follow-on checks for individual systems and services. 

runZero takes a different approach; we handle the service discovery, fingerprinting, and targeting logic within the runZero scanner, and then run thousands of individual Nuclei engines that are each tuned for a single service for precise vulnerability scanning.  

Both models work great and whether you want to run a single Nuclei engine or thousands of concurrent engines, the code base now supports both!

Shared commitment to open source and community standards #

Everyone agreed: if you’re using open source in your product, you should give back. That’s why runZero is contributing patches, detection templates, test coverage, and new features into the ProjectDiscovery ecosystem. We’re excited to be part of the open source community and are working on two big updates; porting SSHamble to Nuclei and integrating our excrypto package to simplify TLS communication across the ecosystem.

Bonus: A printer bug and the return of CVEs #

The team wrapped up with a fun (and very real) story: Stephen Fewer (of Rapid7) reported eight new vulnerabilities in printers made by Brother. One of these issues included the ability for an attacker to obtain detailed device information, including the printer serial number, through an unauthenticated web page. This is important because Rapid7 also discovered that the default password is derived from this serial number and the process can be reversed. Even worse, Brother isn’t able to address this in a firmware update, and the fix will only be available in devices built using a new manufacturing process. The funny part is that runZero has been detecting and reporting Brother printer serial numbers for years, using the eSCL protocol, and we didn’t consider it a vulnerability until the recent vulnerability disclosure. As a result, we’re now tracking the eSCL serial number leak as a follow-on issue with JPCERT/CC, building off Rapid7’s recent investigation.

Watch the Episode #

Check out the whole episode below, and never miss another one – subscribe to the series!

Latest Cisco Identity Services Engine (ISE) & Cisco ISE Passive Identity Connector (ISE-PIC) vulnerabilities #

Three vulnerabilities have been disclosed in certain versions of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could allow an unauthenticated, remote adversary to issue execute commands on the underlying operating system as the root user. There is evidence that this vulnerability is being actively exploited in the wild.

• Cisco ISE and Cisco ISE-PIC are at risk of an insufficient validation of user-supplied input vulnerability in a specific API. This could allow an unauthenticated, remote adversary to execute arbitrary code on the underlying operating system as the root user via a specially crafted API request. Successful exploitation could allow the adversary to obtain root privileges on an affected device. The adversary does not require any valid credentials to be able to exploit the vulnerability. This vulnerability has been designated CVE-2025-20281 and has been rated critical with a CVSS score of 9.8.
• Cisco ISE and Cisco ISE-PIC are at risk of an improper privilege management vulnerability in an internal API due to a lack of file validation checks to prevent uploaded files from being stored in privileged directories on an affected system. This could allow an unauthenticated, remote adversary to upload arbitrary files to an affected device and then execute those files on the underlying operating system as the root user. Successful exploitation could allow the adversary to store malicious files on an affected system and then execute arbitrary code or obtain root privileges on an affected device. This vulnerability has been designated CVE-2025-20282 and has been rated critical with a CVSS score of 10.0
• Cisco ISE and Cisco ISE-PIC are at risk of an insufficient validation of user-supplied input vulnerability in a specific API. This could allow an unauthenticated, remote adversary to execute arbitrary code on the underlying operating system as the root user via a specially crafted API request. Successful exploitation could allow the adversary to obtain root privileges on an affected device. The adversary does not require any valid credentials to be able to exploit the vulnerability. This vulnerability has been designated CVE-2025-20337 and has been rated critical with a CVSS score of 10.0.

The following versions are affected

• Cisco ISE or ISE-PIC release 3.3 prior to version 3.3 Patch 7
• Cisco ISE or ISE-PIC release 3.4 prior to version 3.4 Patch 2

What is the impact? #

Successful exploitation of this vulnerability by an attacker would allow credentials extracted from a Cisco ISE instance to be used on others from the same release on the same cloud platform. This could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations or disrupt services within the impacted systems.

Are any updates or workarounds available? #

Cisco has released updates in the form of patches for releases 3.3 and 3.4. Users should update to the latest version of the affected software.

• Cisco ISE or ISE-PIC release 3.3 to version 3.3 Patch 7 and later releases
• Cisco ISE or ISE-PIC release 3.4 to version 3.4 Patch 2 and later releases

Since the initial (version 1.0) advisory publication, Cisco released an improved fix for release 3.3 and recommends upgrading as follows:

• Release 3.3 Patch 6 should be up upgraded to Release 3.3 Patch 7
• Hot patch ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz should be up upgraded to Release 3.3 Patch 7 or Release 3.4 Patch 2

How do I find Cisco ISE installations with runZero? #

From the Software Inventory, use the following query to locate potentially impacted installations:

vendor:="Cisco" AND product:="Identity Services Engine"

June 2024: CVE-2025-20286 #

A vulnerability has been disclosed in certain cloud-deployed versions of Cisco Identity Services Engine (ISE) in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The vulnerability exists due to improper credential generation in cloud platform deployments resulting in shared credentials across deployments based on release and cloud platform.

It is important to note that Cisco ISE is affected by this vulnerability when the Primary Administration node is deployed in the cloud. An on-premises Primary Administration node is not affected.

The following platforms and versions are affected

• AWS Cisco ISE 3.1, 3.2, 3.3 and 3.4
• Azure Cisco ISE 3.2, 3.3 and 3.4
• OCI Cisco ISE 3.2, 3.3 and 3.4 

This vulnerability has been designated CVE-2025-20286 and has a CVSS score of 9.9 (critical).

What is the impact? #

Successful exploitation of this vulnerability by an attacker would allow credentials extracted from a Cisco ISE instance to be used on others from the same release on the same cloud platform. This could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations or disrupt services within the impacted systems.

Latest Microsoft SharePoint Server vulnerabilities #

Microsoft has disclosed two vulnerabilities in certain versions of on-premises Microsoft SharePoint Server:

• SharePoint Server deserializes untrusted data without sufficiently ensuring that the resulting data will be valid resulting in a remote code execution (RCE) vulnerability. The vulnerability allows an unauthenticated adversary to remotely execute code on the vulnerable server. This vulnerability has been designated CVE-2025-53770 and has been rated critical with a CVSS score of 9.8. This vulnerability is a variant of a remote code execution vulnerability designated CVE-2025-49704 that was patched earlier this month. There is evidence that this vulnerability is being actively exploited in the wild.
• SharePoint Server improperly limits a pathname to a restricted directory allowing path traversal in Microsoft Office SharePoint resulting in a spoofing vulnerability. The vulnerability allows an authorized adversary to perform spoofing over a network. This vulnerability has been designated CVE-2025-53771 and has been rated medium with a CVSS score of 6.3. This vulnerability is a variant of a spoofing vulnerability designated CVE-2025-49706 that was patched earlier this month.

The following versions are affected

• Microsoft SharePoint Enterprise Server 2016 versions currently unknown
• Microsoft SharePoint Server 2019 versions currently unknown
• Microsoft SharePoint Server Subscription Edition versions 16.0.0 prior to 16.0.18526.20508

What is the impact? #

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are any updates or workarounds available? #

As of 7/20/2025 security updates are available for Microsoft SharePoint Server Subscription Edition. A patch is currently unavailable for other affected versions, but Microsoft is actively working on a security update.

• Mitigate attacks against on-premises SharePoint Server environments by configuring the Windows Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers. This should stop an unauthenticated adversary from successfully exploiting the vulnerability.
• Rotate SharePoint Server ASP.NET machine keys.

• Upgrade affected systems to the new versions when a patch is available.

How do I find Microsoft SharePoint Server installations with runZero? #

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:="Microsoft" AND product:="SharePoint Server%"

German Cybersecurity Specialist Appointed as Primary Distributor for runZero to Drive Expansion in the DACH-Region

London, United Kingdom – July 24, 2025 – runZero, a leader in exposure management, today announced a strategic partnership with Aqaio, a German value-added distributor specializing in advanced IT security solutions. As runZero’s primary channel partner in Germany, Aqaio will spearhead regional growth efforts by delivering runZero’s expanded exposure management platform to organizations navigating today’s increasingly complex cyber threat landscape.

This alliance represents a significant milestone in runZero’s wider EMEA growth strategy. Leveraging Aqaio’s deep market expertise and established channel network, runZero can now accelerate its European expansion while offering localized support tailored to the specific needs of German organizations.

Partnership highlights include:

• Localized Expertise: Aqaio brings in-depth knowledge of the German cybersecurity market, enabling specialized customer engagement and faster time-to-value.
• Expanded Channel Reach: A top-tier network of resellers and systems integrators gain access to runZero’s powerful exposure management platform, enabling them to offer comprehensive proactive cyber defense to their end customers.
• Streamlined Distribution and Support: Aqaio will facilitate seamless implementation via dedicated consulting, logistics, and certified training services for partners and end users.

“This partnership with runZero is a strategic win for our channel ecosystem,” said Richard Hellmeier, CEO at Aqaio. “They are no longer selling just another product — they’re delivering a vital capability. runZero’s technology is fast to deploy, easy to integrate, and solves a foundational security challenge. It aligns perfectly with our mission to deliver holistic and forward-looking solutions to the market.”

“In today’s rapidly shifting threat landscape, partnerships like this are essential to delivering resilient, scalable cybersecurity,” said Joe Taborek, Chief Revenue Officer at runZero. “Aqaio’s proven expertise and reach across the German market empower us to extend access to the runZero Platform and strengthen cyber readiness from the ground up. Together, we’re helping build a safer, smarter digital future.”

About Aqaio

Aqaio partners with resellers, system integrators, and OEMs. We focus on new technological developments, which we supplement and expand with complementary solutions from market and technology leaders in the IT security field. We also provide 2nd level support and training for our partners and their end-customers. The product portfolio consists of high-end IT products that complement each other and can be combined to create integrated solutions. Additionally, Aqaio offers services such as consulting, marketing support, logistics, training, and technical support. For more information, visit: https://aqaio.com/