In this week’s Security Advisory

Ubiquiti Patches Critical Unifi Access Vulnerability
Netgate Patches Path Traversal Vulnerability in pfSense
Apple Patches Multiple Critical Vulnerabilities in iOS 26.1
Android Update Patches Critical Remote Code Execution Flaw
Multiple WordPress Plugin Vulnerabilities Patched

Ubiquiti Patches Critical Unifi Access Vulnerability

CVE-2025-52665 (CVSS 10.0) affects the UniFi Access application, which manages door access. The flaw stems from a misconfiguration in the backend code responsible for authentication: a threat actor with network access to the controller could gain unauthorized access to the management API without valid credentials.

Affected Versions

  • UniFi Access Application (Version 3.3.22 through 3.4.31).

Recommendations

  • Update the UniFi Access Application to Version 4.0.21 or later.
  • Until the update is applied, restrict network access to the UniFi Access controller to trusted management hosts, since network reachability is the only prerequisite for exploitation.

More Reading / Information

Netgate Patches Path Traversal Vulnerability in pfSense

Netgate has patched CVE-2025-12490 (CVSS 8.8) in the pfSense Suricata package. The package does not adequately validate user-supplied input, so a crafted HTTP request containing directory traversal sequences can cause files to be created outside the intended directory on the firewall. A remote user who can write files this way can achieve arbitrary code execution.
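The pattern behind this class of bug, as an added illustration (not Netgate's or the Suricata package's code): a file name taken from the request is joined onto a log directory without validation, so "../" segments or an absolute path escape that directory. The hardened version canonicalises the result and refuses anything that does not stay under the base directory. The directory and file names below are constructed for the example.

```python
import os
import tempfile


def unsafe_target(base_dir: str, user_name: str) -> str:
    """Vulnerable pattern: the user-supplied name is joined onto the base
    directory with no validation, so '../' segments (or an absolute path)
    escape base_dir."""
    return os.path.join(base_dir, user_name)


def safe_target(base_dir: str, user_name: str) -> str:
    """Hardened pattern: canonicalise the final path and require that it
    still lies inside base_dir. Raises ValueError on traversal."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_name))
    # commonpath (not startswith) avoids the '/logs' vs '/logs2' prefix trap
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {user_name!r}")
    return candidate


def escapes(base_dir: str, user_name: str) -> bool:
    """True when the unvalidated join resolves to a location outside base_dir."""
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(unsafe_target(base_dir, user_name))
    return os.path.commonpath([base, resolved]) != base


def demo() -> dict:
    """Run constructed inputs through safe_target() in a throwaway directory
    and report which are allowed and which are blocked."""
    with tempfile.TemporaryDirectory() as tmp:
        logs = os.path.join(tmp, "logs")  # stands in for the package's log directory
        os.mkdir(logs)
        verdicts = {}
        for name in ("eve.json", "../../etc/evil.php", "sub/../../x", "/etc/evil.php"):
            try:
                safe_target(logs, name)
                verdicts[name] = "allowed"
            except ValueError:
                verdicts[name] = "blocked"
        return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

The check is done on the resolved path rather than by searching the input for "../", because encoded or mixed separators and symlinks can slip past a string filter but not past realpath plus a containment test.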

Affected Versions

  • The affected Suricata package versions are listed in Netgate's advisory (see More Reading / Information below).

Recommendations

  • Update the pfSense Suricata package to the latest release published by Netgate.

More Reading / Information

Apple Patches Multiple Critical Vulnerabilities in iOS 26.1

Apple has released security updates for iOS, iPadOS and macOS that together patch over 100 vulnerabilities. iOS 26.1 and iPadOS 26.1 alone address 56 vulnerabilities, 19 of which are in the WebKit browser engine. According to Apple, successful exploitation of these flaws could allow a malicious app to access sensitive user data or cause unexpected system termination.

Affected Versions

  • macOS Tahoe 26.0 and earlier.
  • iOS and iPadOS 26.0 and earlier.

Recommendations

  • Upgrade to macOS Tahoe 26.1.
  • Upgrade to iOS and iPadOS 26.1.

More Reading / Information

Android Update Patches Critical Remote Code Execution Flaw

Google has released security updates for the Android platform that address two vulnerabilities in the System component. The first, CVE-2025-48593, is a critical remote code execution flaw caused by insufficient validation of user input. The second, CVE-2025-48581, could lead to local escalation of privilege with no additional execution privileges needed. Devices running a security patch level of 2025-11-01 or later are protected against both vulnerabilities.

Affected Versions

  • The Android versions affected by each CVE are listed in Google's Android Security Bulletin (see More Reading / Information below).

Recommendations

  • Apply the 2025-11-01 security patch level, or later, to affected devices.

More Reading / Information

Multiple WordPress Plugin Vulnerabilities Patched

Patches have been released for two WordPress plugins and one theme whose flaws expose sensitive data or are under active exploitation. The first, CVE-2025-11833 (CVSS 9.8), affects Post SMTP: an unauthenticated attacker can read logged emails and trigger password reset emails, then read those as well, which can lead to account takeover. The second, CVE-2025-11705, affects the Anti-Malware Security and Brute-Force Firewall plugin: a user with subscriber-level access can read any file on the server, potentially exposing sensitive data such as password hashes. The third, CVE-2025-5397 (CVSS 9.8), is an authentication bypass in the JobMonster theme that can allow an unauthenticated user to gain access to an administrator account.

Affected Versions

  • Post SMTP version 3.6.0 and earlier.
  • Anti-Malware Security and Brute-Force Firewall plugin 4.23.81 and earlier.
  • JobMonster version 4.8.1 and earlier.

Recommendations

  • Upgrade Post SMTP to version 3.6.1.
  • Upgrade Anti-Malware Security and Brute-Force Firewall plugin to version 4.23.83.
  • Upgrade JobMonster to version 4.8.2.
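A quick way to check an installation against the three ranges above, as an added example (not CyberMaxx's or WordPress's own tooling): feed the JSON that `wp plugin list --format=json` and `wp theme list --format=json` emit into a version comparison against the first fixed release. The plugin and theme slugs in the table are assumptions and should be confirmed against the actual install; the inventory JSON below is constructed sample data.

```python
import itertools
import json

# Affected components from this advisory: (kind, slug, first fixed version, CVE).
# Slugs are assumed here; confirm them with `wp plugin list` / `wp theme list`.
ADVISORIES = [
    ("plugin", "post-smtp", "3.6.1", "CVE-2025-11833"),
    ("plugin", "gotmls", "4.23.83", "CVE-2025-11705"),
    ("theme", "noo-jobmonster", "4.8.2", "CVE-2025-5397"),
]

# Constructed sample output of `wp plugin list --format=json` and
# `wp theme list --format=json` (same fields WP-CLI emits).
SAMPLE_PLUGINS = json.dumps([
    {"name": "post-smtp", "status": "active", "update": "available", "version": "3.5.2"},
    {"name": "gotmls", "status": "active", "update": "none", "version": "4.23.83"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
])
SAMPLE_THEMES = json.dumps([
    {"name": "noo-jobmonster", "status": "active", "update": "none", "version": "4.8.1"},
    {"name": "twentytwentyfive", "status": "inactive", "update": "none", "version": "1.2"},
])


def parse_version(v: str) -> tuple:
    """'4.23.81' -> (4, 23, 81). Only the leading digits of each dotted piece
    count, so '4.23.81rc1' compares as 4.23.81."""
    parts = []
    for piece in v.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(installed: str, first_fixed: str) -> bool:
    """True when installed < first_fixed; everything below the fix is treated
    as vulnerable rather than trusting the published 'last affected' version."""
    a, b = parse_version(installed), parse_version(first_fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so '3.6' == '3.6.0'
    b += (0,) * (width - len(b))
    return a < b


def check_inventory(plugins_json: str, themes_json: str) -> list:
    """Return one finding per installed plugin or theme that is below its fix."""
    installed = {("plugin", p["name"]): p["version"] for p in json.loads(plugins_json)}
    installed.update({("theme", t["name"]): t["version"] for t in json.loads(themes_json)})
    findings = []
    for kind, slug, first_fixed, cve in ADVISORIES:
        version = installed.get((kind, slug))
        if version is not None and is_affected(version, first_fixed):
            findings.append(f"{kind} {slug} {version} is affected ({cve}); upgrade to {first_fixed}")
    return findings


if __name__ == "__main__":
    for line in check_inventory(SAMPLE_PLUGINS, SAMPLE_THEMES):
        print(line)
```

Comparing against the first fixed version rather than the last affected one is deliberate: for the Anti-Malware plugin the advisory gives 4.23.81 as last affected but 4.23.83 as the fix, so a 4.23.82 install should still be flagged. Inactive plugins and themes are checked too, since their code remains on disk and, for the file-read and auth-bypass cases, may still be reachable.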

More Reading / Information

Recommendations

Please review your environment to ensure the issues above are patched in a timely manner. Regularly updating software to the latest vendor release is a security best practice. The vulnerabilities above also highlight the benefit of limiting deployed software to vendor-supported versions, which greatly increases the likelihood that a patch will be issued for new vulnerabilities. Likewise, CyberMaxx strongly encourages maintaining an inventory of the software in your environment, which informs and supports your patch and vulnerability management program.