轉發 台灣電腦網路危機處理暨協調中心 資安訊息警訊 TWCERTCC-200-202511-00000001
[內容說明]
1.【CVE-2025-6204】Dassault Systèmes DELMIA Apriso Code Injection Vulnerability (CVSS v3.1: 8.0)
【是否遭勒索軟體利用:未知】 Dassault Systèmes DELMIA Apriso 存在程式碼注入漏洞,可能允許攻擊者執行任意程式碼。
2.【CVE-2025-6205】Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability (CVSS v3.1: 9.1)
【是否遭勒索軟體利用:未知】 Dassault Systèmes DELMIA Apriso 存在授權缺失漏洞,可能允許攻擊者取得對應程式的特權存取權限。
3.【CVE-2025-41244】Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability (CVSS v3.1: 7.8)
【是否遭勒索軟體利用:未知】 Broadcom VMware Aria Operations 與 VMware Tools 存在本機權限提升漏洞。具非管理員權限的惡意本機使用者,若能存取已安裝 VMware Tools 且由 Aria Operations 管理並啟用 SDMP 的虛擬機,即可利用此漏洞在該虛擬機上將權限提升至 root。
4.【CVE-2025-24893】XWiki Platform Eval Injection Vulnerability (CVSS v3.1: 9.8)
【是否遭勒索軟體利用:已知】 XWiki Platform 存在 eval 注入漏洞,可能允許任何訪客透過向 SolrSearch 發送請求來執行任意遠端程式碼。
[影響平台]
1.【CVE-2025-6204】請參考官方所列的影響版本
https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204
2.【CVE-2025-6205】請參考官方所列的影響版本
https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205
3.【CVE-2025-41244】請參考官方所列的影響版本 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149
4.【CVE-2025-24893】請參考官方所列的影響版本 https://jira.xwiki.org/browse/XWIKI-22149
[建議措施]
1.【CVE-2025-6204】 官方已針對漏洞釋出修復更新,請更新至相關版本 https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204
2.【CVE-2025-6205】 官方已針對漏洞釋出修復更新,請更新至相關版本 https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205
3.【CVE-2025-41244】 官方已針對漏洞釋出修復更新,請更新至相關版本 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149
4.【CVE-2025-24893】 官方已針對漏洞釋出修復更新,請更新至相關版本 https://jira.xwiki.org/browse/XWIKI-22149
Forwarded from Taiwan Computer Network Crisis Management and Coordination Center: Cybersecurity Alert TWCERTCC-200-202511-00000001
[Content Description]
1. [CVE-2025-6204] Dassault Systèmes DELMIA Apriso Code Injection Vulnerability (CVSS v3.1: 8.0)
[Whether it is exploited by ransomware: Unknown] The Dassault Systèmes DELMIA Apriso contains a code injection vulnerability that could allow attackers to execute arbitrary code.
2. [CVE-2025-6205] Dassault Systèmes DELMIA Apriso Missing Authorization Vulnerability (CVSS v3.1: 9.1)
[Exploited by ransomware: Unknown]** The Dassault Systèmes DELMIA Apriso vulnerability contains a missing authorization vulnerability that could allow an attacker to gain privileged access to the corresponding program.
3. [CVE-2025-41244] Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability (CVSS v3.1: 7.8)**
[Exploited by ransomware: Unknown]** Broadcom VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local user without administrator privileges who gains access to a virtual machine that has VMware Tools installed, is managed by Aria Operations, and has SDMP enabled can exploit this vulnerability to escalate privileges to root on that virtual machine.
4. [CVE-2025-24893] XWiki Platform Eval Injection Vulnerability (CVSS v3.1: 9.8)
[Ransomware Exploitation Possible: Known] The XWiki Platform contains an eval injection vulnerability that could allow any visitor to execute arbitrary remote code by sending a request to SolrSearch.
[Affected Platforms]
1. [CVE-2025-6204] Please refer to the official list of affected versions:
https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204
2. [CVE-2025-6205] Please refer to the official list of affected versions:
https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205
3. [CVE-2025-41244] Please refer to the official list of affected versions: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149
4. [CVE-2025-24893] Please refer to the official list of affected versions. https://jira.xwiki.org/browse/XWIKI-22149
[Recommended Measures]
1. [CVE-2025-6204] An official patch update has been released for this vulnerability. Please update to the relevant version. https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6204
2. [CVE-2025-6205] An official patch update has been released for this vulnerability. Please update to the relevant version. https://www.3ds.com/trust-center/security/security-advisories/cve-2025-6205
3. [CVE-2025-41244] An official patch update has been released for this vulnerability. Please update to the relevant version. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149
4. [CVE-2025-24893] An official patch update has been released to fix this vulnerability. Please update to the relevant version: https://jira.xwiki.org/browse/XWIKI-22149
【資安漏洞預警】CISA新增4個已知遭駭客利用之漏洞至KEV目錄(2025/10/27-2025/11/02)
[Security Vulnerability Alert] CISA adds 4 known vulnerabilities exploited by hackers to the KEV directory (2025/10/27-2025/11/02)
公告類別:行政公告
發佈日期:2025/11/04 至 2026/05/04
點閱數:70
返回列表
