< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2054 articles · page 14 of 103

Schneider Electric EcoStruxure HVAC Sensitive Data Risk

🔒 Schneider Electric has identified a CWE-312 vulnerability in EcoStruxure Machine Expert HVAC, a programming tool for Modicon M171-M172 controllers, that can expose sensitive information including protected source code. Version 1.10.0 includes a vendor-provided fix and users are urged to update. The advisory also reiterates standard ICS security best practices to isolate control networks and limit exposure.
read more →

Exploit Released for PinTheft Linux RDS Root Escalation

🔒 A public proof-of-concept (PoC) exploit has been released for the recently patched local privilege escalation flaw dubbed PinTheft, which targets an RDS zerocopy double-free in the Linux kernel. The issue can lead to a page-cache overwrite via io_uring fixed buffers and allow a local attacker to obtain a root shell. Exploitation requires the RDS kernel module, io_uring enabled, a readable SUID-root binary and x86_64 support, so the impact is limited in practice and Arch Linux defaults make it the most exposed. Administrators are advised to apply kernel updates or unload and blacklist the RDS modules as an interim mitigation.
read more →

Microsoft Mitigation Released for BitLocker YellowKey

🔒 Microsoft has issued a mitigation for a BitLocker bypass called YellowKey (CVE-2026-45585), after a public proof-of-concept appeared. The flaw lets specially crafted FsTx files placed on a USB drive or EFI partition trigger an unrestricted shell when WinRE boots, risking access to encrypted volumes on affected Windows 11 and Windows Server 2025 systems. Microsoft and researchers recommend removing autofstx.exe from the WinRE image and switching from TPM-only to TPM+PIN to block exploitation.
read more →

Microsoft outlines mitigations for YellowKey zero-day

🛡️ Microsoft has published mitigations for the YellowKey Windows BitLocker zero-day (tracked as CVE-2026-45585) after a public proof-of-concept revealed attackers can place crafted FsTx files on USB or EFI media and boot into WinRE to bypass protections. The company advises removing autofstx.exe from the Session Manager BootExecute value and reestablishing BitLocker trust for WinRE. It also recommends switching devices from TPM-only to TPM+PIN to require a pre-boot PIN. These steps are interim mitigations until a security update is available.
read more →

Max-Severity ChromaDB Flaw Lets Attackers Hijack Servers

⚠️ A max-severity flaw (CVE-2026-45829) in the Python FastAPI server of ChromaDB allows unauthenticated attackers to load and execute remote models before authentication is enforced, enabling arbitrary code execution on exposed servers. The issue impacts PyPI-distributed releases used widely in AI retrieval stacks; a 1.5.9 release exists but it is unclear if the fix addresses this vulnerability. Mitigations include using the Rust frontend, avoiding public exposure of the Python API, and restricting network access to the ChromaDB API port.
read more →

Talos Discloses TP-Link, Photoshop, OpenVPN, Norton Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities affecting TP‑Link, Adobe Photoshop, OpenVPN, and Norton VPN. Most issues were patched by vendors under Cisco’s third‑party disclosure policy; the Norton installer flaw was observed in use before a patch was available. The TP‑Link Archer AX53 firmware contains eight issues including buffer overflow and several command injection and config‑control flaws that allow code execution or arbitrary file access. Talos recommends applying vendor updates and using updated Snort rules to detect exploitation.
read more →

DirtyDecrypt PoC Released for Linux Kernel Privilege Bug

🔐 Proof-of-concept exploit code has been published for the recently patched Linux kernel vulnerability known as DirtyDecrypt (aka DirtyCBC), which enables local privilege escalation by bypassing copy-on-write protections in rxgk_decrypt_skb. The flaw (CVE-2026-31635) affects kernels built with CONFIG_RXGK, impacting distributions like Fedora, Arch and openSUSE Tumbleweed. In containerized environments, vulnerable worker nodes may enable pod escape and root compromise.
read more →

PAN-OS Captive Portal Critical RCE Affecting Siemens Devices

⚠️A buffer overflow in the User-ID™ Authentication Portal (Captive Portal) of Palo Alto Networks PAN-OS permits an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. Siemens has identified affected Siemens RUGGEDCOM APE1808 devices and is preparing fixes while recommending immediate mitigations. Recommended actions include disabling Response Pages on exposed interfaces, disabling the User-ID Authentication Portal if not required, and restricting portal access to trusted internal IP addresses; contact vendor support for patch information.
read more →

CISA Advisory: Multiple Critical Vulnerabilities in ScadaBR

⚠ CISA reports multiple critical vulnerabilities in ScadaBR version 1.2.0, including missing authentication, OS command injection, CSRF, and hard-coded credentials. Successful exploitation could enable unauthenticated remote code execution, root command execution, arbitrary sensor injection, or full administrative access. The vendor did not respond to CISA requests; users should contact ScadaBR support and implement network-level mitigations immediately.
read more →

ZKTeco CCTV Cameras Vulnerability: Auth Bypass Patch

📷 An undocumented configuration export port on certain ZKTeco CCTV camera models permits unauthenticated access to sensitive device information. The exposed data can include running services and camera account credentials, creating a risk of information disclosure and unauthorized access. ZKTeco released a firmware update V5.0.1.2.20260421 to remediate the issue and urges immediate upgrading. CISA recommends minimizing network exposure, using firewalls and segmentation, and restricting Internet access to control devices.
read more →

Kieback & Peter DDC Controllers Vulnerable to XSS Alert

⚠️ A cross-site scripting vulnerability (CWE-79, CVSS v3 5.3) affects multiple Kieback & Peter DDC Building Controllers and can enable execution of arbitrary JavaScript in a victim's browser, potentially allowing attacker control of web sessions. Affected models include end-of-maintenance units (DDC4002, DDC4100, DDC4200, DDC4200-L, DDC4400) and e-series controllers (DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, DDC4040e). The vendor advises isolating legacy devices, restricting and disabling web access where possible, and updating e-series firmware to the specified versions (e.g., DDC520 -> 1.24.2; DDC4002e/DDC4200e/DDC4400e/DDC4020e/DDC4040e -> 1.23.5) while implementing defense-in-depth controls.
read more →

ABB CoreSense Path Traversal Fixed in New Updates Released

🔒 ABB published updates addressing a path traversal vulnerability (CWE-22, CVSS v3 7.1) affecting CoreSense HM and CoreSense M10. The flaw allowed unauthenticated local users to access restricted directories and could lead to full system compromise and sensitive data exposure. ABB fixed the issue in CoreSense HM v2.3.4 and CoreSense M10 v1.4.1.31 and recommends applying the update promptly. CISA republished the vendor advisory and advises network isolation, strict input validation, and restricting local host access to authorized users.
read more →

Microsoft: Patch Download Failures in Restricted Networks

🔧 Microsoft warns that Windows Update may fail on restricted networks after installing the January 2026 optional preview updates, producing error code 0x80010002. Affected devices may download the February security update but then fail to retrieve March or later releases via the Windows Update settings. The issue stems from tightened download timeout requirements and does not affect installation capability. Admins can apply Known Issue Rollback (KIR) group policies and restart devices to work around the problem.
read more →

Drupal warns of urgent core security release on May 20

⚠️ The Drupal Security Team announced a planned core security release for all supported branches on May 20, 2026, from 5–9 p.m. UTC. Administrators are urged to reserve that window because exploits may emerge within hours or days, and to update to the latest patch for their branch in advance. Patches are expected for 11.3.x, 11.2.x, 10.6.x and 10.5.x, with mitigation guidance and instructions for end-of-life releases included.
read more →

Critical RCE and Data-Leak Flaws in SEPPMail Gateway

🔒 InfoGuard Labs disclosed multiple critical vulnerabilities in SEPPMail Secure E-Mail Gateway that allow unauthenticated remote code execution, path traversal, deserialization flaws, and exposure of sensitive server data. Researchers demonstrated an exploit chain leveraging the LFT path traversal (CVE-2026-2743) to overwrite syslog configuration and obtain a Perl reverse shell, enabling full appliance takeover and mail interception. SEPPmail has released fixes across versions 15.0.2.1, 15.0.3 and 15.0.4 and urges administrators to apply updates immediately.
read more →

Windows 11 May Patch Fails Due to EFI Partition Size

⚠️ Some Windows 11 devices fail to complete Microsoft’s May Security Update when the EFI System Partition (ESP) has roughly 10MB or less free, producing the rollback message "Something didn’t go as planned. Undoing changes." Microsoft suggested a registry tweak or rollback while consultants warn this leaves endpoints unpatched and undermines trust in update validation. Experts recommend resizing partitions, testing fixes, and adding ESP checks to endpoint health.
read more →

Patched Windows Cloud Filter Bug Reappears as Exploit

🔒 Researchers report a six-year-old elevation-of-privilege vulnerability in the Windows Cloud Filter driver cldflt.sys remains exploitable despite a 2020 patch. Nightmare Eclipse reworked a Google Project Zero PoC by James Forshaw into an exploit called MiniPlasma, which can elevate a local user to SYSTEM on many builds. The issue, tracked as CVE-2020-17103, involves undocumented key-creation behavior and is race-dependent; Microsoft declined immediate comment.
read more →

Zero-Day Exploit Targets Windows BitLocker TPM Protections

⚠️A new zero-day called YellowKey, published this week by a researcher using the alias Nightmare-Eclipse, demonstrates a reliable bypass of default Windows 11 BitLocker deployments. The exploit circumvents disk encryption that relies solely on the TPM-stored key and requires physical access to the affected machine. Organizations that mandate BitLocker, including government contractors, should reassess device physical security and BitLocker configuration.
read more →

Critical Patches for Ivanti, Fortinet, SAP, VMware, n8n

🔒 Ivanti, Fortinet, SAP, VMware, n8n and dozens of other vendors have released security updates addressing multiple high- and critical-severity flaws that enable authentication bypass, information disclosure, local privilege escalation, and remote code execution. Highlights include a critical Ivanti Xtraction file-name control flaw (CVE-2026-8043), Fortinet authentication and sandbox execution bugs, SAP SQL injection and missing-auth issues, and a TOCTOU local privilege escalation in VMware Fusion. Administrators should prioritize applying the vendor-recommended patches immediately.
read more →

MiniPlasma Zero-Day Enables SYSTEM Privilege on Windows

🛡️Chaotic Eclipse has published a proof-of-concept for a Windows privilege escalation zero-day, dubbed MiniPlasma, which targets the Cloud Files Mini Filter Driver (cldflt.sys) in the HsmOsBlockPlaceholderAccess routine. Originally reported to Microsoft in September 2020 and linked to CVE-2020-17103, the researcher says the exact issue remains unpatched. Tests show it can spawn a SYSTEM shell on fully patched Windows 11 systems running May 2026 updates, though success rates vary due to a race condition.
read more →