In this week’s Security Advisory

  • Fortinet Patches Multiple Vulnerabilities
  • Apache Patches Critical Tika Vulnerability
  • Ivanti Patches Critical RCE Vulnerability in EPM
  • Microsoft December 2025 Patch Tuesday
  • SAP Releases December Patch Cycle

Fortinet Patches Multiple Vulnerabilities

Fortinet has patched 18 vulnerabilities in its products, including two critical severity vulnerabilities that can allow an attacker to bypass authentication. Those vulnerabilities, CVE-2025-59718 and CVE-2025-59719 (CVSS 9.8/10), impact FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and are caused by improper verification of a cryptographic signature.

Of note, CyberMaxx has already applied patches to our own equipment.

Affected Versions

  • A full list of affected versions can be found here.

Recommendations

  • Apply the latest patches.

More Reading / Information

Apache Patches Critical Tika Vulnerability

The vulnerability, CVE-2025-66516 (CVSS 10/10), in the Apache Tika application could lead to an XML External Entity (XXE) injection attack. This vulnerability is an expansion of the previously reported CVE-2025-54988 (CVSS 8.4/10). It is important to note that users who upgraded the tika-parser-pdf-module in response to the first CVE but did not upgrade tika-core to >= 3.2.2 are still vulnerable to the XXE injection attack. Additionally, the original CVE did not mention that in the 1.x Tika releases the PDFParser was in the “org.apache.tika:tika-parsers” module, so some users did not realize their exposure.

Affected Versions

  • org.apache.tika:tika-core >= 1.13, <= 3.2.1.
  • org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1.
  • org.apache.tika:tika-parsers >= 1.13, < 2.0.0.

Recommendations

  • Upgrade org.apache.tika:tika-core to version 3.2.2.
  • Upgrade org.apache.tika:tika-parser-pdf-module to version 3.2.2.
  • Upgrade org.apache.tika:tika-parsers to version 2.0.0.
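As an added example (not code from the advisory or from the Apache Tika project), the following Python encodes the affected ranges listed above and checks `mvn dependency:list` style output against them, flagging the partial-upgrade case where tika-parser-pdf-module was patched but tika-core was left below 3.2.2; the sample build output is constructed.

```python
# Added example (not advisory or Apache Tika code): flag Maven coordinates that fall
# inside the CVE-2025-66516 affected ranges listed above.
import re

CORE, PDF = "org.apache.tika:tika-core", "org.apache.tika:tika-parser-pdf-module"
# Advisory ranges: coordinate -> (min inclusive, max, max inclusive?)
AFFECTED = {
    CORE: ((1, 13, 0), (3, 2, 1), True),
    PDF: ((2, 0, 0), (3, 2, 1), True),
    "org.apache.tika:tika-parsers": ((1, 13, 0), (2, 0, 0), False),
}

def parse_version(ver):
    """'3.2.1' or '1.28.5-SNAPSHOT' -> comparable 3-tuple of ints."""
    nums = re.findall(r"\d+", ver.split("-")[0])
    return tuple(int(n) for n in (nums + ["0", "0", "0"])[:3])

def is_affected(coord, ver):
    """True if group:artifact at version ver lies inside an advisory range."""
    if coord not in AFFECTED:
        return False
    lo, hi, hi_inclusive = AFFECTED[coord]
    v = parse_version(ver)
    return v >= lo and (v <= hi if hi_inclusive else v < hi)

def parse_dependency_list(text):
    """Parse 'mvn dependency:list' lines of the form group:artifact:type:version:scope."""
    deps = {}
    for line in text.splitlines():
        m = re.search(r"([\w.\-]+):([\w.\-]+):[\w-]+:([\w.\-]+)(?::\w+)?\s*$", line)
        if m:
            deps[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return deps

def assess(deps):
    """Return findings for a {coordinate: version} map, including the partial-upgrade case."""
    findings = [f"{c} {v} is in an affected range" for c, v in deps.items() if is_affected(c, v)]
    core, pdf = deps.get(CORE), deps.get(PDF)
    # The pitfall the advisory describes: pdf module patched but tika-core left < 3.2.2.
    if core and pdf and is_affected(CORE, core) and not is_affected(PDF, pdf):
        findings.append("tika-parser-pdf-module is patched but tika-core is still < 3.2.2")
    return findings

# Constructed sample output (not from a real build) showing the partial-upgrade case.
SAMPLE = """\
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.apache.pdfbox:pdfbox:jar:3.0.5:compile
"""
```

Running `assess(parse_dependency_list(SAMPLE))` on the constructed sample returns two findings: the tika-core range hit and the partial-upgrade warning.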

More Reading / Information

Ivanti Patches Critical RCE Vulnerability in EPM

The vulnerability, CVE-2025-10573 (CVSS 9.6/10), is a cross-site scripting (XSS) vulnerability that can be exploited without authentication. It lies in the remote administration functionality that Ivanti EPM provides to organizations: the flaw triggers client-side JavaScript execution, which an attacker can abuse to gain control of the admin’s session. The patch also covers three high severity vulnerabilities, CVE-2025-13659, CVE-2025-13661, and CVE-2025-13662. Ivanti has stated that none of these vulnerabilities have been exploited in the wild; however, CyberMaxx recommends patching urgently.

Affected Versions

  • 2024 SU4 and prior.

Recommendations

  • Upgrade to Ivanti EPM 2024 SU4 SR1.

More Reading / Information

Microsoft December 2025 Patch Tuesday

Microsoft released its Patch Tuesday for December. This includes security updates for 57 vulnerabilities, including one actively exploited and two publicly disclosed zero-day vulnerabilities. The vulnerability that has come under active exploitation is CVE-2025-62221 (CVSS score: 7.8/10), a use-after-free in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and obtain SYSTEM permissions.

The remaining two zero-day vulnerabilities include CVE-2025-54100 (CVSS score: 7.8/10), a command injection vulnerability in Windows PowerShell that allows an unauthorized attacker to execute code locally, and CVE-2025-64671 (CVSS score: 8.4/10), a command injection vulnerability in GitHub Copilot for JetBrains that allows an unauthorized attacker to execute code locally.

Affected Versions

  • A full list of affected versions can be found here.

Recommendations

  • Apply the latest patches.

More Reading / Information

SAP Releases December Patch Cycle

SAP released patches for 14 new vulnerabilities in its December Patch Cycle, including four critical severity vulnerabilities. The first and second, CVE-2025-55754 and CVE-2025-55752 (CVSS 9.6/10), affect the Commerce Cloud application. The third, CVE-2025-42880 (CVSS 9.9/10), affects the Solution Manager, while the fourth, CVE-2025-42928 (CVSS 9.1/10), is caused by a deserialization issue within the jConnect SDK for Sybase Adaptive Server Enterprise (ASE). All four of these vulnerabilities allow an attacker to execute code remotely in the affected applications.

Affected Versions

  • A full list of affected versions can be found here.

Recommendations

  • Apply the latest patches.

More Reading / Information

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to “vendor-supported versions” only, which dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, CyberMaxx strongly encourages maintaining an inventory of current software in your environment, which helps inform and strengthen your patch and vulnerability management program.