Attacks on vulnerabilities in Linux, Android and Sitecore
The US security authority CISA warns of current vulnerabilities in Linux, Android and Sitecore. Updates help.
The US IT security authority CISA warns of ongoing attacks on vulnerabilities in Android, Linux and Sitecore. IT managers should install the available updates to seal the gaps.
CISA does not provide any details in its announcement; it merely names the vulnerabilities for which attacks have already been observed. For example, malicious actors are attacking a time-of-check time-of-use (TOCTOU) vulnerability in the Linux kernel. According to the description, this is a race condition in the POSIX timers, in the functions handle_posix_cpu_timers() and posix_cpu_timer_del() (CVE-2025-38352 / EUVD-2025-22297, CVSS 7.4, risk "high"). Information on the vulnerability has been known since July 22 of this year; patches are available that Linux distributions have been able to incorporate since then. According to the ENISA entry, Linux versions up to 2.6.36, 5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.94, 6.12.34, 6.15.3, 6.16-rc2 and 6.16 are vulnerable.
In the Android operating system, attackers can break out of the Chrome sandbox due to a use-after-free vulnerability and attack Android's system_server. This results in privilege escalation and requires no user interaction (CVE-2025-48543 / EUVD-2025-26791, CVSS 8.8, risk "high"). Google closed the gap with the September Patchday updates. It affects Android 13, 14, 15 and 16.
CMS vulnerability abused
CISA also confirms the abuse of a vulnerability in the Sitecore CMS. This is a vulnerability of the type "Deserialization of untrusted data" that lets attackers inject and execute malicious code (CVE-2025-53690 / EUVD-2025-26629, CVSS 9.0, risk "critical"). Mandiant discovered this during the investigation of an attack. It stems from a faulty configuration that uses sample machine keys in ASP.NET. Countermeasures can be found in our vulnerability report.
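As an added example (not from CISA, Mandiant or Sitecore), the following Python sketch audits an ASP.NET web.config for statically configured machineKey values and flags any that match a list of publicly documented keys. The function names, the fingerprint list and the sample configuration are assumptions constructed for illustration; the real sample keys are not given in this article and must come from the vendor advisory.

```python
import hashlib
import xml.etree.ElementTree as ET

KEY_ATTRS = ("validationKey", "decryptionKey")

def fingerprint(key: str) -> str:
    """SHA-256 of the normalised hex key, so the deny-list holds no raw keys."""
    return hashlib.sha256(key.strip().upper().encode("utf-8")).hexdigest()

def audit_machine_key(config_xml: str, published: set) -> list:
    """Return (attribute, verdict) findings for every <machineKey> element."""
    findings = []
    for elem in ET.fromstring(config_xml).iter("machineKey"):
        for attr in KEY_ATTRS:
            value = elem.get(attr)
            # Absent or AutoGenerate: ASP.NET generates the key itself.
            if value is None or value.strip().startswith("AutoGenerate"):
                continue
            # A literal key may carry a modifier such as ",IsolateApps".
            key = value.split(",")[0]
            # Static keys are normal in web farms but must be unique and
            # secret; a key that appears in documentation is neither.
            verdict = "published-key" if fingerprint(key) in published else "static-key"
            findings.append((attr, verdict))
    return findings

# Constructed sample values, not real keys from any product or advisory.
DOC_SAMPLE_KEY = "AB" * 32   # stands in for a key copied from documentation
SITE_KEY = "CD" * 32         # stands in for a site-specific key
PUBLISHED = {fingerprint(DOC_SAMPLE_KEY)}

SAMPLE_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{DOC_SAMPLE_KEY.lower()}"
                decryptionKey="{SITE_KEY},IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for attr, verdict in audit_machine_key(SAMPLE_CONFIG, PUBLISHED):
        print(f"{attr}: {verdict}")
```

A "published-key" finding means the key should be rotated, not just the software updated; "static-key" findings are worth checking for uniqueness per deployment.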
As updates are available to plug the security leaks, IT managers should not hesitate to apply them.
(dmk)