
【Vulnerability Alert】CISA Adds Seven Known Exploited Vulnerabilities to the KEV Catalog (2025/12/08–2025/12/14)

Publish date: 2025-12-19  Update date: 2025-12-19

Source: Ministry of Education Information & Communication Security Contingency Platform


Publication Number: TACERT-ANA-2025121601122323
Publication Time: 2025/12/16 13:21
Incident Type: ANA-Vulnerability Alert
Discovery Time: 2025/12/16 13:21
Impact Level: Low
[Subject]
【Vulnerability Alert】CISA Adds Seven Known Exploited Vulnerabilities to the KEV Catalog (2025/12/08–2025/12/14)

[Content]
Forwarded from TWCERTCC-200-202512-00000007

【CVE-2022-37055】D-Link Routers Buffer Overflow Vulnerability (CVSS v3.1: 9.8)

【Whether Ransomware Exploitation Occurred: Unknown】 A buffer overflow vulnerability exists in D-Link routers, which has a high impact on confidentiality, integrity, and availability. The affected products may have reached End of Life (EoL) and/or End of Service (EoS) status. Users are advised to discontinue use of these products.

【CVE-2025-66644】Array Networks ArrayOS AG OS Command Injection Vulnerability (CVSS v3.1: 7.2)

【Whether Ransomware Exploitation Occurred: Unknown】 An operating system command injection vulnerability exists in Array Networks ArrayOS AG, which may allow attackers to execute arbitrary commands.

【CVE-2025-6218】RARLAB WinRAR Path Traversal Vulnerability (CVSS v3.1: 7.8)

【Whether Ransomware Exploitation Occurred: Unknown】 A path traversal vulnerability exists in RARLAB WinRAR, allowing attackers to execute code with the privileges of the current user.

【CVE-2025-62221】Microsoft Windows Use After Free Vulnerability (CVSS v3.1: 7.8)

【Whether Ransomware Exploitation Occurred: Unknown】 A use-after-free vulnerability exists in the Microsoft Windows Cloud Files Mini Filter Driver, which may allow an authenticated attacker to perform local privilege escalation.

【CVE-2025-58360】OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability (CVSS v3.1: 8.2)

【Whether Ransomware Exploitation Occurred: Unknown】 OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability. When the application receives XML input for the GetMap operation at the /geoserver/wms endpoint, it may allow attackers to define external entities within XML requests.

【CVE-2018-4063】Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability (CVSS v3.1: 8.8)

【Whether Ransomware Exploitation Occurred: Unknown】 An unrestricted upload of file with dangerous type vulnerability exists in Sierra Wireless AirLink ALEOS. Attackers can upload files via specially crafted HTTP requests, resulting in executable code being uploaded to the web server and made accessible over the network. An attacker only needs to send an authenticated HTTP request to trigger this vulnerability. The affected products may have reached End of Life (EoL) and/or End of Service (EoS) status. Users are advised to discontinue use of these products.

【CVE-2025-14174】Google Chromium Out of Bounds Memory Access Vulnerability (CVSS v3.1: 8.8)

【Whether Ransomware Exploitation Occurred: Unknown】 An out-of-bounds memory access vulnerability exists in the ANGLE component of Google Chromium, which may allow remote attackers to perform out-of-bounds memory access through specially crafted HTML pages. This vulnerability may affect multiple Chromium-based web browsers, including but not limited to Google Chrome, Microsoft Edge, and Opera.

Information Sharing Level: WHITE (Information content can be publicly disclosed)

[Affected Platform]
【CVE-2022-37055】Please refer to the affected versions listed by the official source:

https://www.dlink.com/en/security-bulletin/

【CVE-2025-66644】ArrayOS AG versions 9.4.5.8 and earlier

【CVE-2025-6218】Please refer to the affected versions listed by the official source:

https://www.win-rar.com/singlenewsview.html

【CVE-2025-62221】Please refer to the affected versions listed by the official source:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221

【CVE-2025-58360】Please refer to the affected versions listed by the official source:

https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525

【CVE-2018-4063】Sierra Wireless AirLink ES450 FW version 4.9.3

【CVE-2025-14174】Please refer to the affected versions listed by the official source:

https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#december-11-2025

[Recommended Actions]
【CVE-2022-37055】The affected products may have reached End of Life (EoL) and/or End of Service (EoS) status. Users are advised to discontinue use of these products.

【CVE-2025-66644】Upgrade the corresponding products to the following version (or higher): ArrayOS AG 9.4.5.9

【CVE-2025-6218】The vendor has released a patch for the vulnerability. Please update to the relevant versions:

https://www.win-rar.com/singlenewsview.html

【CVE-2025-62221】The vendor has released a patch for the vulnerability. Please update to the relevant versions:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221

【CVE-2025-58360】The vendor has released a patch for the vulnerability. Please update to the relevant versions:

https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525

【CVE-2018-4063】The affected products may have reached End of Life (EoL) and/or End of Service (EoS) status. Users are advised to discontinue use of these products.

【CVE-2025-14174】The vendor has released a patch for the vulnerability. Please update to the relevant versions:

https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#december-11-2025
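As an added example (not part of this alert or of TACERT's own material), the script below triages a constructed asset inventory against the seven KEV entries above, using only the version bounds, EoL flags and vendor references the alert states; the hostnames, the inventory versions and the product keys are assumptions. It also shows why versions must be compared numerically: as plain strings, "9.4.5.10" would sort below the fixed ArrayOS AG build 9.4.5.9.

```python
# Added example: map the seven KEV entries in this alert to an asset inventory.
# Version bounds, EoL flags and reference URLs are transcribed from the alert;
# product keys, hostnames and inventory versions are constructed for illustration.

def parse_version(v: str) -> tuple:
    """'9.4.5.8' -> (9, 4, 5, 8): compare components numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

# product key -> advisory data as stated in the alert
KEV = {
    "ArrayOS AG":       {"cve": "CVE-2025-66644", "fixed": "9.4.5.9"},
    "AirLink ALEOS":    {"cve": "CVE-2018-4063", "eol": True},
    "D-Link router":    {"cve": "CVE-2022-37055", "eol": True},
    "WinRAR":           {"cve": "CVE-2025-6218",
                         "ref": "https://www.win-rar.com/singlenewsview.html"},
    "Windows":          {"cve": "CVE-2025-62221",
                         "ref": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62221"},
    "GeoServer":        {"cve": "CVE-2025-58360",
                         "ref": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525"},
    "Chromium browser": {"cve": "CVE-2025-14174",
                         "ref": "https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#december-11-2025"},
}

def triage_asset(product: str, version: str) -> str:
    """Return the recommended action for one asset, or 'not in this alert'."""
    entry = KEV.get(product)
    if entry is None:
        return "not in this alert"
    if entry.get("eol"):                       # alert: discontinue EoL/EoS products
        return f"{entry['cve']}: EoL/EoS product, discontinue use"
    if "fixed" in entry:                       # alert gives a numeric fixed version
        if parse_version(version) < parse_version(entry["fixed"]):
            return f"{entry['cve']}: upgrade to {entry['fixed']} or later"
        return f"{entry['cve']}: not affected (>= {entry['fixed']})"
    return f"{entry['cve']}: check vendor advisory {entry['ref']}"  # no bound given

def triage(inventory):
    """inventory: iterable of (hostname, product, version) -> [(hostname, action)]."""
    return [(host, triage_asset(prod, ver)) for host, prod, ver in inventory]

# Constructed sample inventory (hostnames and versions are made up)
SAMPLE_INVENTORY = [
    ("edge-gw-01", "ArrayOS AG", "9.4.5.8"),
    ("edge-gw-02", "ArrayOS AG", "9.4.5.10"),
    ("gis-app-01", "GeoServer", "2.26.1"),
    ("lte-01", "AirLink ALEOS", "4.9.3"),
    ("db-01", "PostgreSQL", "16.2"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {action}")
```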

[Reference]
 
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of Education Information & Communication Security Contingency Platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center