< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2054 articles · page 2 of 103

CERT/CC warns of hidden admin backdoor in Tenda

🔒 The CERT Coordination Center (CERT/CC) has disclosed that multiple Tenda router firmware versions contain an undocumented authentication backdoor (CVE-2026-11405) that allows attackers to bypass password checks and gain administrative access. The backdoor resides in the login() function of the /bin/httpd binary and compares a submitted password to a configuration-stored value obtained via GetValue("sys.rzadmin.password"). Any username is accepted when the backdoor password matches, enabling full device takeover. Users should disable remote management and change default LAN IPs while a patch is pending.
read more →

BeyondTrust issues critical authentication patches

🔒 BeyondTrust released updates to address multiple critical vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) products. The flaws include pre-authentication authentication-bypass and input-validation issues that could allow unauthenticated attackers to gain elevated access or cause denial-of-service. Fixes are available in RS/PRA 25.3.3 and later; users are urged to patch promptly.
read more →

Januscape: 16-year KVM flaw allows guest-to-host escape

🛡️ A long-standing use-after-free bug in Linux's KVM shadow MMU, tracked as CVE-2026-53359 and dubbed Januscape, lets a guest VM corrupt host shadow-page state and can reliably panic hosts. The public PoC triggers host crashes; the researcher reported an unreleased exploit that achieves full host code execution on Intel and AMD. Fixes were merged June 19, 2026 and backported to stable kernels on July 4, 2026; hosts with nested virtualization should be patched or have nesting disabled.
read more →

Critical Opera GX mod flaw allowed cross‑site data theft

🔒 An independent researcher discovered a critical vulnerability in Opera GX where GX Mods auto-install on download with no permission prompt, allowing an attacker to inject CSS across all pages. This behavior enabled a zero-click XS-Leak to recover a victim's Gmail address and facilitated a DoS crash when mods were forced into private mode. The issue was reported in February, patched on May 8, and the PoC was published on July 3.
read more →

Max-severity Adobe ColdFusion flaw being actively exploited

🔧 Adobe has issued emergency updates to fix a maximum-severity ColdFusion vulnerability (CVE-2026-48282) that is now being actively exploited, the Canadian Center for Cyber Security (CCCS) warned. The flaw affects ColdFusion 2025.9, 2023.20, and earlier, enabling unauthenticated remote code execution on unpatched systems. Adobe urges administrators to install the patch immediately, and Shadowserver reports nearly 800 exposed ColdFusion instances online.
read more →

Opera GX auto-install flaw allowed silent data leaks

🛡️ Researchers discovered a flaw in the gaming-focused Opera GX browser that allowed malicious websites to silently auto-install a GX Mod (a .crx look-and-feel package) and use its CSS to extract specific data from pages a victim visited. In a proof of concept, the team reconstructed a signed-in user's full Gmail address from a single visit, with no clicks required. Opera patched the issue in Opera GX version 130.0.5847.89, labeled the bug P1, paid the $5,000 maximum bounty, and reported no evidence of in-the-wild exploitation. There was no practical workaround prior to the patch.
read more →

Seven vulnerabilities disclosed in ubiquitous FatFs library

🔒 Security firm runZero disclosed seven vulnerabilities in the FatFs filesystem library used to read FAT/exFAT on many embedded devices. The bugs—rated Medium to High—can lead to memory corruption, crashes, data leaks, or code execution when a device mounts malformed media or firmware images. Only the GPT hang issue is fixed upstream; most fixes must come from downstream vendors who bundle FatFs. runZero published PoCs and urges vendors and integrators to audit wrappers and treat physical ports and update channels as attack surfaces.
read more →

Bad Epoll kernel flaw lets local users become root

🛡️ A newly disclosed Linux kernel vulnerability, Bad Epoll (CVE-2026-46242), allows an ordinary local user to escalate privileges to root and affects Linux desktops, servers, and Android. The flaw is a use-after-free race in the epoll subsystem; the timing window is tiny but an exploit by researcher Jaeyoung Chung widens it and succeeds reliably. A fix is available upstream (commit a6dc643c6931) and distributions should backport it; kernels built on 6.4+ are affected unless patched.
read more →

Citrix NetScaler memory overread patched, exploits spotted

🔒 Citrix patched a new NetScaler memory overread, CVE-2026-8451, similar to prior CitrixBleed issues; researchers from watchTowr disclosed that malformed unauthenticated requests can leak protected process memory. While this flaw leaks smaller data fragments than earlier CitrixBleed faults, it still poses risk for chaining with memory-write exploits. Citrix also fixed additional high-severity memory overflows and an HTTP/2 DoS; customers are urged to upgrade and apply configuration mitigations.
read more →

Argo CD flaw highlights GitOps as tier-zero risk

🔒 A critical vulnerability in Argo CD repo-server exposes risks inherent to GitOps platforms. Synacktiv found the unauthenticated GenerateManifest gRPC endpoint can be abused via Kustomize/Helm options to execute commands if an attacker can reach both the repo-server and Redis ports. The issue affects typical Helm deployments where Kubernetes network policies are not enabled by default, enabling lateral movement from a compromised pod. Synacktiv disclosed details July 1, 2026 and recommends strict network segmentation until a patch is available.
read more →

CISA Adds SharePoint RCE CVE-2026-45659 to KEV Catalog

🔒 CISA has added a high-severity SharePoint Server vulnerability, CVE-2026-45659 (CVSS 8.8), to its Known Exploited Vulnerabilities catalog following evidence of active exploitation. Microsoft patched the deserialization-based remote code execution flaw in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. The issue can be triggered by any authenticated attacker with as little as Site Member permissions and does not require elevated privileges. Federal agencies are advised to apply updates by July 4, 2026, while Microsoft assesses public exploitation as "Exploitation Less Likely."
read more →

Cursor IDE sandbox bypasses enable RCE via prompt injection

🛡️ Researchers discovered two vulnerabilities in the Cursor AI-enabled IDE that enable prompt-injection-driven remote code execution by escaping the command execution sandbox. The flaws, CVE-2026-50548 and CVE-2026-50549, allow attackers to change the working directory and exploit symlink canonicalization fallbacks to write or overwrite files outside the project scope. Cursor patched the issues in version 3.0, and the findings underscore broader risks in agentic AI workflows and the difficulty of defending against prompt injection.
read more →

Unpatched Argo CD repo-server flaw risks code execution

🔒 Synacktiv disclosed an unpatched vulnerability in Argo CD's repo-server that allows unauthenticated attackers to execute arbitrary commands if they can reach the component's internal gRPC port. The flaw abuses kustomize's --helm-command option to run attacker-controlled scripts, demonstrated against Argo CD v2.13.3, and can lead to full cluster takeover by leveraging exposed Redis credentials. There is no fixed release or CVE; operators must enable Kubernetes network policies to isolate repo-server and Redis until a patch is available.
read more →

Adobe fixes critical ColdFusion and Campaign flaws

🛡️ Adobe released urgent patches addressing multiple maximum-severity vulnerabilities in ColdFusion and Adobe Campaign Classic, including several CVSS 10.0 issues. The ColdFusion fixes are included in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10, while the Campaign patch is in ACC v7: 7.4.3 build 9397. Adobe reports no known active exploitation and credited external researchers for several reports.
read more →

Critical Cursor sandbox escape bugs demand urgent patch

🛡️ Two high-severity flaws in the Cursor AI code editor allow a crafted prompt to escape the editor's sandbox and execute arbitrary commands on a developer's machine without any user interaction. Discovered by Cato AI Labs as DuneSlide and tracked as CVE-2026-50548 and CVE-2026-50549 (both rated 9.8), the issues are patched in Cursor 3.0 released April 2; versions before 3.0 are affected. The vulnerabilities exploit how Cursor handles a tool parameter and symlink resolution to cause writes that disable the sandbox, enabling full code execution as the user.
read more →

Over 900 Oracle E-Business instances exposed online

🔒 Over 900 Oracle E-Business Suite (EBS) instances were found exposed online amid active attacks exploiting a critical File Transmission flaw in Oracle Payments (CVE-2026-46817). The vulnerability permits unauthenticated HTTP takeover, and Oracle released patches in its May 2026 Critical Security Patch Update, urging immediate remediation. Threat intelligence firm Defused reported active exploitation observed on honeypots, while Shadowserver noted roughly 950 exposed instances and the extent of patching remains unclear.
read more →

Adobe fixes seven critical ColdFusion and Campaign flaws

🛡️ Adobe released patches addressing seven maximum-severity vulnerabilities in ColdFusion and Campaign Classic. These issues allow low-complexity, no-interaction attacks and were assigned priority 1, prompting administrators to update within 72 hours. Six flaws impact ColdFusion 2025.9, 2023.20 and earlier, enabling remote code execution, while one affects on-premises Campaign Classic builds and may permit arbitrary code execution in the user context.
read more →

Citrix issues patches for six NetScaler vulnerabilities

🔒 Citrix released security updates to address six vulnerabilities in NetScaler ADC and NetScaler Gateway that could allow arbitrary file reads or trigger denial-of-service conditions. The flaws include memory overread/overflow issues and an external control of file name vulnerability, each with CVSS scores ranging from 6.9 to 8.8. Fixed builds are available for 14.1 and 13.1 branches, with additional configuration changes required for one HTTP/2 issue. Citrix credited multiple external researchers and said there is no evidence of in-the-wild exploitation.
read more →

AirDrop and Quick Share weaknesses disrupt sharing

🔒 Two researchers disclosed six vulnerabilities in AirDrop and Quick Share that let a nearby attacker crash or manipulate file‑sharing sessions. The issues impact Apple and Samsung implementations and include a stack overflow in Apple's XML plist parser and a Windows memory bug in Google's Quick Share app. Apple, Google, and Samsung have begun issuing fixes and coordinating disclosures; users should update and restrict visibility settings.
read more →

Critical Progress Kemp LoadMaster API RCE Patch

🛡️ A critical vulnerability in Progress Kemp LoadMaster allows unauthenticated attackers to execute arbitrary commands as root by sending a crafted request to the appliance API. Tracked as CVE-2026-8037 with a ZDI CVSS of 9.8, Progress published an advisory on June 4 and released patches (GA v7.2.63.2 and LTSF v7.2.54.18). Researchers at watchTowr Labs published a technical write-up and proof-of-concept on June 29; administrators should update immediately if the API is enabled.
read more →