In this week’s Security Advisory
- SonicWall NetExtender Patches Vulnerabilities in Windows Versions
- Apache Patches Critical Roller Vulnerability
- Oracle Releases Quarterly Patch Cycle
- Juniper Networks Patches Dozens of Vulnerabilities
- Security Updates Released for Adobe, Chrome, and Firefox
SonicWall NetExtender Patches Vulnerabilities in Windows Versions
SonicWall has patched three vulnerabilities in its NetExtender for Windows product. The most severe is CVE-2025-23008 (CVSS 7.2/10), which an authenticated user can exploit to modify configurations. Two other medium-severity vulnerabilities were also patched: CVE-2025-23009 (CVSS 5.9/10), which can allow an attacker to manipulate file paths, and CVE-2025-23010 (CVSS 6.5/10), which can allow an attacker to trigger an arbitrary file deletion.
Affected Versions
Version 10.3.1 and earlier versions.
Recommendations
Upgrade to NetExtender Windows version 10.3.2.
More Reading / Information
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0006
- https://www.securityweek.com/sonicwall-patches-high-severity-vulnerability-in-netextender/
Apache Patches Critical Roller Vulnerability
Roller is an open-source Java blog server. Apache announced a patch for CVE-2025-24859 (CVSS 10/10). The vulnerability allows an attacker who holds a previously established session to keep using it, maintaining persistence even after the password of the compromised account is changed. The issue was fixed by implementing centralized session management that invalidates all of a user's sessions when their password is changed.
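To make the fix concrete, here is an added example (not Apache Roller's own code) of the pattern the advisory describes: a central session registry that binds each session to the password version in force when it was issued, so a password change revokes every existing session for that user. The `SessionRegistry`, `User`, and `Session` names are assumptions for this illustration; the `invalidate_on_change=False` switch reproduces the weak behaviour (stale sessions survive a password change) for comparison.

```python
"""Added example, not Apache Roller's code: sessions bound to a password version
so that changing the password invalidates every session of that user."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    password_version: int = 0  # incremented on every password change


@dataclass
class Session:
    user: str
    password_version: int  # version of the password this session was issued under
    created: float = field(default_factory=time.time)


class SessionRegistry:
    """Central registry (hypothetical): every session is issued and validated here,
    so a password change can revoke all sessions of a user in one place."""

    def __init__(self, invalidate_on_change: bool = True):
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}
        self.invalidate_on_change = invalidate_on_change

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, hash_password(password, salt))

    def login(self, name: str, password: str):
        user = self.users.get(name)
        if user is None:
            return None
        if not hmac.compare_digest(user.pw_hash, hash_password(password, user.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.password_version)
        return token

    def is_valid(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        user = self.users[session.user]
        # A session issued under an older password is rejected.
        return session.password_version == user.password_version

    def change_password(self, name: str, new_password: str) -> None:
        user = self.users[name]
        user.salt = secrets.token_bytes(16)
        user.pw_hash = hash_password(new_password, user.salt)
        if self.invalidate_on_change:
            # Bumping the version revokes sessions even if a replica has not yet
            # seen the deletion below; deleting keeps the registry tidy.
            user.password_version += 1
            stale = [t for t, s in self.sessions.items() if s.user == name]
            for token in stale:
                del self.sessions[token]


def demonstrate() -> dict:
    """Compare a stale session's fate with and without centralized invalidation."""
    results = {}
    weak = SessionRegistry(invalidate_on_change=False)
    weak.add_user("alice", "old-pass")  # constructed sample account
    token = weak.login("alice", "old-pass")
    weak.change_password("alice", "new-pass")
    results["weak_stale_session_still_valid"] = weak.is_valid(token)

    fixed = SessionRegistry()
    fixed.add_user("alice", "old-pass")
    token = fixed.login("alice", "old-pass")
    fixed.change_password("alice", "new-pass")
    results["fixed_stale_session_still_valid"] = fixed.is_valid(token)
    results["fixed_new_login_works"] = fixed.is_valid(fixed.login("alice", "new-pass"))
    return results


if __name__ == "__main__":
    print(demonstrate())
```

Binding sessions to a password version rather than only deleting them from a store is useful when sessions are replicated or tokens are stateless: the old password version never matches again, regardless of where the token is presented.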
Affected Versions
- Roller versions up to and including 6.1.4.
Recommendations
- Upgrade to Roller version 6.1.5
More Reading / Information
- https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f
- https://www.securityweek.com/critical-vulnerability-found-in-apache-roller-blog-server/
Oracle Releases Quarterly Patch Cycle
Oracle announced the release of its Quarterly Patching Cycle for the first Quarter of 2025. The release addresses 378 total vulnerabilities, 180 of them unique and 40 of critical severity. These vulnerabilities affect many Oracle products, including Oracle Communications, MySQL, Financial Services applications, and Fusion Middleware.
Affected Versions
A full list of affected products can be found here.
Recommendations
Apply the patches for any affected products in use.
More Reading / Information
- https://www.oracle.com/security-alerts/cpuapr2025.html
- https://www.securityweek.com/oracle-patches-180-vulnerabilities-with-april-2025-cpu/
Juniper Networks Patches Dozens of Vulnerabilities
Juniper Networks has released patches for dozens of high-severity vulnerabilities in Junos OS, Junos OS Evolved, and certain dependencies in Junos Space. Most of the vulnerabilities affecting Junos OS and Junos OS Evolved can lead to denial-of-service (DoS) conditions or disclosure of sensitive information if exploited.
Affected Versions
- A full list of affected versions can be found here.
Recommendations
- Apply the latest patches.
More Reading / Information
- https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=%40sfcec_community_publish_date_formula__c%20descending
- https://www.securityweek.com/juniper-networks-patches-dozens-of-junos-vulnerabilities/
Security Updates Released for Adobe, Chrome, and Firefox
Adobe has released patches for 54 vulnerabilities across several products and called urgent attention specifically to its ColdFusion application. 15 of the patched vulnerabilities affect ColdFusion and can lead to arbitrary file system reads, arbitrary code execution, and security feature bypasses.
Google announced an updated Chrome browser version that addresses two new vulnerabilities. Successful exploitation of these can lead to buffer overflows and remote code execution.
Mozilla has released updates to Firefox ESR, Thunderbird, and Thunderbird ESR to address a high-severity vulnerability affecting its component handling HTTP requests.
Recommendations
- Apply the latest patches to any affected Adobe products.
- Upgrade to Google Chrome to version 135.0.0.7049.96 for Windows and Mac, and 135.0.7049.95 for Linux.
- Recent versions of Google Chrome have auto-update enabled by default. Organizations should confirm that the setting is not disabled and that they are not running any versions where the auto-update setting was not enabled by default. If updates are not set to auto-update, organizations need to ensure that they are communicating the need to update browsers with their users. Follow-up confirmation that the updates have been applied to users is essential. Additionally, browsers must be restarted to apply updates.
- Upgrade to Mozilla Firefox to version 137.0.2.
- Recent versions of Firefox have auto-update enabled by default. Organizations should confirm that the setting is not disabled and that they are not running any versions where the auto-update setting was not enabled by default. If updates are not set to auto-update, organizations need to ensure that they are communicating the need to update browsers with their users. Follow-up confirmation that the updates have been applied to users is essential. Additionally, browsers must be restarted to apply updates.
More Reading / Information
- https://helpx.adobe.com/security.html
- https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_15.html
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-25/
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to “vendor-supported versions” only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, CyberMaxx strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.