Security Advisory and Patch Watch

All news in category “Security Advisory and Patch Watch”

1821 articles · page 2 of 92

Microsoft warns of two actively exploited Defender flaws

🔒 Microsoft disclosed two Microsoft Defender vulnerabilities under active exploitation: CVE-2026-41091, a local privilege escalation rated 7.8 that can allow an attacker to gain SYSTEM privileges via improper link resolution, and CVE-2026-45498, a denial-of-service issue rated 4.0. Both are addressed in Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7. Systems with Defender disabled are not affected; updates are applied automatically through malware definitions and the Microsoft Malware Protection Engine.

Microsoft Warns: Two Defender Zero-Days Patched Urgently

🛡️ Microsoft released emergency updates on Wednesday to address two actively exploited Microsoft Defender zero-day vulnerabilities. The first, CVE-2026-41091, affects the Microsoft Malware Protection Engine and can be abused to achieve SYSTEM privileges via improper link resolution before file access. The second, CVE-2026-45498, impacts the Defender Antimalware Platform and may be used to trigger denial-of-service; Microsoft says updates should deploy automatically but advises administrators to verify platform and signature versions and confirm successful installation.

Nine-Year Linux Kernel Flaw Lets Local Users Gain Root

🔒 Qualys disclosed a nine-year-old Linux kernel vulnerability tracked as CVE-2026-46333 (ssh-keysign-pwn) that stems from the __ptrace_may_access() code path. The flaw can allow an unprivileged local user to disclose sensitive files such as /etc/shadow and SSH host private keys and to execute arbitrary commands as root on default installs of Debian, Fedora, and Ubuntu. A public proof-of-concept appeared after a kernel commit; vendors have issued patches and recommend raising kernel.yama.ptrace_scope to 2 as a temporary mitigation.

Highly Critical PostgreSQL SQLi Fix Released for Drupal

🛡️ Drupal issued emergency updates addressing a "highly critical" SQL injection flaw tracked as CVE-2026-9082 in its database abstraction API that can be exploited against sites using PostgreSQL, allowing information disclosure and in some cases privilege escalation or remote code execution. The vendor released patched builds for supported 11.x and 10.x branches and published manual patches for EOL versions. Upstream Symfony and Twig fixes are also included in recent releases.

Microsoft Weighs Patch for YellowKey BitLocker Flaw

🔒 Microsoft is evaluating a patch for a newly disclosed zero-day, YellowKey, which can bypass BitLocker encryption and allow local attackers to read and modify files. The company issued an advisory for CVE-2026-45585 and provided immediate mitigation guidance while a fix is considered. Organizations are urged to limit physical access to vulnerable devices, audit their environments, and strengthen Secure Boot and firmware integrity controls.

Drupal issues emergency patch for critical SQL injection

🚨 Drupal administrators must apply an emergency core update to address a “highly critical” SQL injection defect (CVE-2026-9082) that affects sites using PostgreSQL. The release also bundles upstream fixes for Symfony and Twig, so Drupal urges updates even for non-Postgres deployments. Supported branches 11.3, 11.2, 10.6 and 10.5 are patched, while end-of-life versions may receive unsupported best-effort patches. The flaw permits anonymous attackers to send crafted requests resulting in arbitrary SQL injection, information disclosure, and potential privilege escalation or remote code execution.

SonicWall VPN MFA Bypass: CVE-2024-12802 Exploits and Risks

🔒 ReliaQuest observed attackers brute-forcing credentials and bypassing MFA on SonicWall Gen6 SSL‑VPN appliances by exploiting CVE-2024-12802, allowing rapid internal access and attempts to deploy Cobalt Strike and a vulnerable driver. SonicWall warns that installing the firmware update alone on Gen6 devices does not fully mitigate the flaw; administrators must manually reconfigure LDAP settings to restore MFA enforcement. Gen7/Gen8 devices are fully remediated by firmware updates.

Critical Drupal Core Security Update Scheduled Today

🛡️ Drupal has announced a core security release scheduled for May 20 between 17:00 and 21:00 UTC, warning that exploits could appear within hours of disclosure. Administrators are urged to reserve time for the update and to upgrade sites running Drupal 8 or 9 to at least 10.6. Patches will be released for several 10.x and 11.x branches, and although some older branches are EOL, hotfixes will be provided for affected 9.5 and 8.9 releases. Sites using Drupal Steward have mitigations but should still apply updates promptly.

Exploit Released for PinTheft Linux RDS Root Escalation

🔒 A public proof-of-concept (PoC) exploit has been released for the recently patched local privilege escalation flaw dubbed PinTheft, which targets an RDS zerocopy double-free in the Linux kernel. The issue can lead to a page-cache overwrite via io_uring fixed buffers and allow a local attacker to obtain a root shell. Exploitation requires the RDS kernel module, io_uring enabled, a readable SUID-root binary and x86_64 support, so the impact is limited in practice; Arch Linux defaults make it the most exposed distribution. Administrators are advised to apply kernel updates or unload and blacklist the RDS modules as an interim mitigation.

Microsoft Mitigation Released for BitLocker YellowKey

🔒 Microsoft has issued a mitigation for a BitLocker bypass called YellowKey (CVE-2026-45585), after a public proof-of-concept appeared. The flaw lets specially crafted FsTx files placed on a USB drive or EFI partition trigger an unrestricted shell when WinRE boots, risking access to encrypted volumes on affected Windows 11 and Windows Server 2025 systems. Microsoft and researchers recommend removing autofstx.exe from the WinRE image and switching from TPM-only to TPM+PIN to block exploitation.

Microsoft outlines mitigations for YellowKey zero-day

🛡️ Microsoft has published mitigations for the YellowKey Windows BitLocker zero-day (tracked as CVE-2026-45585) after a public proof-of-concept revealed attackers can place crafted FsTx files on USB or EFI media and boot into WinRE to bypass protections. The company advises removing autofstx.exe from the Session Manager BootExecute value and reestablishing BitLocker trust for WinRE. It also recommends switching devices from TPM-only to TPM+PIN to require a pre-boot PIN. These steps are interim mitigations until a security update is available.

Max-Severity ChromaDB Flaw Lets Attackers Hijack Servers

⚠️ A max-severity flaw (CVE-2026-45829) in the Python FastAPI server of ChromaDB allows unauthenticated attackers to load and execute remote models before authentication is enforced, enabling arbitrary code execution on exposed servers. The issue impacts PyPI-distributed releases used widely in AI retrieval stacks; a 1.5.9 release exists, but it is unclear whether it fixes this vulnerability. Mitigations include using the Rust frontend, avoiding public exposure of the Python API, and restricting network access to the ChromaDB API port.

Talos Discloses TP-Link, Photoshop, OpenVPN, Norton Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities affecting TP‑Link, Adobe Photoshop, OpenVPN, and Norton VPN. Most issues were patched by vendors under Cisco’s third‑party disclosure policy; the Norton installer flaw was observed in use before a patch was available. The TP‑Link Archer AX53 firmware contains eight issues including buffer overflow and several command injection and config‑control flaws that allow code execution or arbitrary file access. Talos recommends applying vendor updates and using updated Snort rules to detect exploitation.

DirtyDecrypt PoC Released for Linux Kernel Privilege Bug

🔐 Proof-of-concept exploit code has been published for the recently patched Linux kernel vulnerability known as DirtyDecrypt (aka DirtyCBC), which enables local privilege escalation by bypassing copy-on-write protections in rxgk_decrypt_skb. The flaw (CVE-2026-31635) affects kernels built with CONFIG_RXGK, impacting distributions like Fedora, Arch and openSUSE Tumbleweed. In containerized environments, vulnerable worker nodes may enable pod escape and root compromise.

ABB CoreSense Path Traversal Fixed in New Updates Released

🔒 ABB published updates addressing a path traversal vulnerability (CWE-22, CVSS v3 7.1) affecting CoreSense HM and CoreSense M10. The flaw allowed unauthenticated local users to access restricted directories and could lead to full system compromise and sensitive data exposure. ABB fixed the issue in CoreSense HM v2.3.4 and CoreSense M10 v1.4.1.31 and recommends applying the update promptly. CISA republished the vendor advisory and advises network isolation, strict input validation, and restricting local host access to authorized users.

PAN-OS Captive Portal Critical RCE Affecting Siemens Devices

⚠️ A buffer overflow in the User-ID™ Authentication Portal (Captive Portal) of Palo Alto Networks PAN-OS permits an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. Siemens has identified affected Siemens RUGGEDCOM APE1808 devices and is preparing fixes while recommending immediate mitigations. Recommended actions include disabling Response Pages on exposed interfaces, disabling the User-ID Authentication Portal if not required, and restricting portal access to trusted internal IP addresses; contact vendor support for patch information.

ZKTeco CCTV Cameras Vulnerability: Auth Bypass Patch

📷 An undocumented configuration export port on certain ZKTeco CCTV camera models permits unauthenticated access to sensitive device information. The exposed data can include running services and camera account credentials, creating a risk of information disclosure and unauthorized access. ZKTeco released a firmware update V5.0.1.2.20260421 to remediate the issue and urges immediate upgrading. CISA recommends minimizing network exposure, using firewalls and segmentation, and restricting Internet access to control devices.

CISA Advisory: Multiple Critical Vulnerabilities in ScadaBR

⚠ CISA reports multiple critical vulnerabilities in ScadaBR version 1.2.0, including missing authentication, OS command injection, CSRF, and hard-coded credentials. Successful exploitation could enable unauthenticated remote code execution, root command execution, arbitrary sensor injection, or full administrative access. The vendor did not respond to CISA requests; users should contact ScadaBR support and implement network-level mitigations immediately.

Kieback & Peter DDC Controllers Vulnerable to XSS Alert

⚠️ A cross-site scripting vulnerability (CWE-79, CVSS v3 5.3) affects multiple Kieback & Peter DDC Building Controllers and can enable execution of arbitrary JavaScript in a victim's browser, potentially allowing attacker control of web sessions. Affected models include end-of-maintenance units (DDC4002, DDC4100, DDC4200, DDC4200-L, DDC4400) and e-series controllers (DDC520, DDC4002e, DDC4200e, DDC4400e, DDC4020e, DDC4040e). The vendor advises isolating legacy devices, restricting and disabling web access where possible, and updating e-series firmware to the specified versions (e.g., DDC520 -> 1.24.2; DDC4002e/DDC4200e/DDC4400e/DDC4020e/DDC4040e -> 1.23.5) while implementing defense-in-depth controls.

Microsoft: Patch Download Failures in Restricted Networks

🔧 Microsoft warns that Windows Update may fail on restricted networks after installing the January 2026 optional preview updates, producing error code 0x80010002. Affected devices may download the February security update but then fail to retrieve March or later releases via the Windows Update settings. The issue stems from tightened download timeout requirements and does not affect installation capability. Admins can apply Known Issue Rollback (KIR) group policies and restart devices to work around the problem.