< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2057 articles · page 20 of 103

Critical vm2 Node.js sandbox escape vulnerabilities

⚠️ Multiple critical vulnerabilities have been disclosed in the vm2 Node.js library that allow untrusted code to break out of sandboxes and execute arbitrary host commands. The defects include numerous sandbox escapes, code injection vectors, and an allowlist bypass, with several issues rated CVSS 9.8–10.0. Affected releases span multiple 3.9.x–3.11.x builds; maintainers recommend upgrading to v3.11.2 and auditing any vm2-based sandbox deployments. The project lead has acknowledged that further bypasses are likely as research continues.
read more →

PAN-OS Captive Portal Zero-Day Exploitation and Activity

🔒 Unit 42 details exploitation of a buffer overflow vulnerability (CVE-2026-0300) in the PAN-OS User-ID Authentication Portal that permits unauthenticated remote code execution as root on affected PA‑Series and VM‑Series firewalls. Observed adversary activity included shellcode injection into an nginx worker, rapid log and evidence cleanup, and deployment of tunneling tools such as EarthWorm and ReverseSocks5. Immediate mitigations are to restrict or disable the portal, apply vendor guidance, and enable available threat signatures and protections.
read more →

Critical vm2 sandbox vulnerability allows host RCE

🚨 A critical vulnerability in the Node.js sandbox library vm2 (CVE-2026-26956) can be exploited to escape the sandbox and execute arbitrary code on the host. The issue has been confirmed in vm2 3.10.4 on Node.js 25 (tested on 25.6.1) when WebAssembly exception handling and JSTag support are enabled. A proof-of-concept exploit is public; users should upgrade to vm2 3.10.5 or later (latest 3.11.2) immediately.
read more →

Cisco DoS Bug Requires Manual Reboot to Recover Devices

⚠️ Cisco released patches for a high-severity denial-of-service vulnerability (CVE-2026-20188) affecting Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO). The issue stems from inadequate rate limiting on incoming connections and can be exploited remotely by unauthenticated actors to exhaust connection resources and crash systems. Affected releases include CNC 7.1 and earlier and NSO 6.3 and earlier; fixed releases and mitigations are detailed in Cisco's advisory. Cisco's PSIRT says it is not aware of active exploitation but strongly urges customers to upgrade to patched software to avoid manual reboots and service disruption.
read more →

CISA Adds One Known Exploited Vulnerability to KEV

⚠️ CISA has added CVE-2026-0300, an Palo Alto Networks PAN-OS out-of-bounds write vulnerability, to the KEV Catalog after evidence of active exploitation. BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate cataloged vulnerabilities by their due dates. Although the directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management. CISA will continue to update the catalog when vulnerabilities meet its criteria.
read more →

VoidStealer Bypasses Chrome App-Bound Encryption Exploit

🔓 Researchers found that a new infostealer, VoidStealer, can bypass Chrome’s App-Bound Encryption by attaching to the browser process as a debugger and setting breakpoints at decryption routines. At the moment the browser decrypts data, the malware reads the master key directly from memory, enabling theft of session cookies and other secrets. The technique affects other Chromium-based browsers and is available as malware-as-a-service, increasing its reach. Users should combine secure practices and endpoint defenses rather than rely solely on built-in protections.
read more →

Rowhammer GPU Attacks Grant Full Control of NVIDIA CPUs

⚠️ Two independent research teams disclosed new Rowhammer-style attacks against NVIDIA Ampere GPUs that induce GDDR bitflips to gain arbitrary read/write access to host memory, enabling full system compromise when IOMMU is disabled by default in many BIOS settings. The proofs of concept — GDDRHammer and GeForge — manipulate GPU page tables and page directories to escalate privileges and, in demonstrations, open root shells on affected machines. A subsequent variant was shown to succeed even with IOMMU enabled; tested cards include RTX 3060, RTX A6000, and RTX 6000.
read more →

Palo Alto Warns of Actively Exploited PAN-OS Zero-Day

🔴 Palo Alto Networks warns that a critical unpatched PAN-OS zero-day, CVE-2026-0300, is being actively exploited against the User-ID Authentication Portal (Captive Portal). The flaw is a buffer overflow that can allow unauthenticated attackers to execute arbitrary code as root on Internet-exposed PA-Series and VM-Series firewalls. Palo Alto classifies the bug at the highest severity and advises restricting or disabling the portal until a patch is available. Security telemetry from Shadowserver shows over 5,800 PAN-OS VM-series instances exposed online, increasing urgency for mitigations.
read more →

Critical PAN-OS Buffer Overflow Exploited in the Wild

⚠️ Palo Alto Networks has warned of a critical buffer overflow (CVE-2026-0300) in the User-ID Authentication Portal component of PAN-OS, allowing unauthenticated remote code execution as root. The flaw carries a CVSS of 9.3 when the portal is internet-accessible (8.7 for internal-only access). Palo Alto reports limited in-the-wild exploitation targeting publicly accessible portals; fixes are scheduled to begin May 13, 2026. Administrators should restrict or disable the portal until patches are applied.
read more →

Copy Fail (CVE-2026-31431): Deterministic Linux LPE

🔒 On April 29, 2026 researchers disclosed CVE-2026-31431, dubbed Copy Fail, a deterministic local privilege escalation impacting Linux kernels 4.14–6.19.12. The flaw resides in the AF_ALG crypto interface's algif_aead module and permits a controlled four-byte overwrite into the kernel page cache. A standalone 732-byte Python proof-of-concept reliably escalates to root across major distributions. Apply vendor kernel updates immediately or temporarily disable algif_aead; Cortex XDR and XSIAM provide layered detection and mitigation.
read more →

Edge Password Manager Keeps Credentials in Plaintext

🔒 A Norwegian researcher discovered that Microsoft Edge decrypts saved passwords at startup and keeps them resident in process memory, leaving credentials retrievable in plain text on shared or compromised machines. German publication Heise reproduced the finding, locating passwords even after a browser restart. Microsoft reportedly treats the behavior as 'by design,' prompting calls for using alternative password managers.
read more →

Critical Apache HTTP/2 Double-Free May Enable RCE Now

⚠ Apache Software Foundation released updates to address CVE-2026-23918, a high-severity (CVSS 8.8) double-free bug in mod_http2 that can cause denial-of-service and potentially remote code execution. The flaw impacts Apache HTTP Server 2.4.66 and is fixed in 2.4.67. Researchers provided an x86_64 proof-of-concept and warned the RCE path is practical on systems using APR with the mmap allocator. Administrators should upgrade or mitigate by disabling mod_http2 or using the prefork MPM until patched.
read more →

ABB B&R PVI client logs sensitive data vulnerability

🔒 ABB has released an update addressing a logging issue in its B&R PVI client that could expose sensitive information. Affected versions are PVI <6.5.0>; the issue is fixed in PVI 6.5.0 (CVE-2026-0936). The vulnerability can allow an authenticated local attacker to read credentials written to client-side logs, although logging is disabled by default. Customers should apply the update promptly and limit client logging to troubleshooting only.
read more →

Hitachi Energy PCM600 Zip-Slip Vulnerability and Guidance

⚠️ Hitachi Energy reported a directory traversal vulnerability (CVE-2018-1002208) affecting PCM600 product lines, including legacy 2.11 and several 3.x releases. The flaw resides in an affected SharpZipLib component (pre-1.0 RC1) and allows crafted ZIP archives to write files outside intended extraction directories, creating an integrity risk. Hitachi Energy recommends migrating to maintained 3.x builds, following vendor guidance and immediate mitigations such as network isolation, removal of default credentials, and secure remote access while awaiting a planned 3.1 SP4 update.
read more →

ABB Automation Studio Certificate Validation Vulnerability

🔒 ABB has released an update for Automation Studio to address an improper certificate validation vulnerability affecting the OPC-UA and ANSL over TLS clients (CVE-2025-11043). An attacker with network access who can intercept or redirect communications could present forged certificates that pass validation, enabling interception or manipulation of data. The issue is fixed in Automation Studio 6.5; users should apply the update promptly and follow recommended network segmentation and secure remote-access practices. CISA rates this flaw as High (CVSS 7.4) and recorded no reports of active exploitation at publication.
read more →

ABB B&R Runtime ANSL Server DoS: Patch Released Now

⚠ ABB reported a vulnerability in B&R Automation Runtime (ANSL-Server) that can be triggered remotely to cause a denial-of-service on affected nodes. The issue (CVE-2025-11044) is fixed in Automation Runtime 6.5 and R4.93. Apply the vendor patch promptly; interim mitigations include longer cycle times, limiting ANSL connections at the control-network firewall, and load testing before commissioning.
read more →

Johnson Controls AC2000 DLL Hijacking Vulnerability

⚠️ Johnson Controls' CEM AC2000 contains a DLL hijacking vulnerability (CVE-2026-21661) affecting versions 12.0, 11.0, and 10.6 that could allow a local, non‑privileged user to escalate privileges on the host. CISA assigns a CVSS v3.1 base score of 8.7 (High). The issue is not remotely exploitable and no public exploitation has been reported. Johnson Controls has released patched updates and recommends upgrading to the specified releases.
read more →

Critical PHP Code Injection in MetInfo CMS (CVE-2026-29014)

⚠️ New findings from VulnCheck and the NVD confirm that MetInfo CMS versions 7.9, 8.0 and 8.1 contain an unauthenticated PHP code injection vulnerability (CVE-2026-29014, CVSS 9.8) that allows remote attackers to execute arbitrary code. The defect is located in /app/system/weixin/include/class/weixinreply.class.php and results from insufficient sanitization of Weixin API inputs. On non‑Windows hosts a preexisting /cache/weixin/ directory (created by the official WeChat plugin) is required for exploitation. MetInfo released patches on April 7, 2026, but active exploitation was observed beginning April 25 and escalated on May 1, with most activity originating from China and Hong Kong IPs.
read more →

AI-Assisted Analysis Uncovers Old Bugs in Databases

🔍 Researchers using AI-assisted analysis at Wiz's zeroday.cloud event disclosed multiple high-severity memory-safety flaws in PostgreSQL and MariaDB. Two PostgreSQL issues — including a heap overflow in the pgcrypto extension — date back more than 20 years and can enable remote code execution when fed attacker-controlled input. MariaDB's JSON schema validator also contains a heap overflow reachable by any authenticated SQL session, which under certain memory conditions can be escalated to code execution. Patches are available and maintainers strongly urge immediate upgrades.
read more →

Critical RCE in Weaver E-cology Actively Exploited

⚠️ A critical unauthenticated remote code execution flaw (CVE-2026-22679, CVSS 9.8) in Weaver (Fanwei) E-cology 10.0 (prior to 20260312) is being actively exploited in the wild. The vulnerability exists in the /papi/esearch/data/devops/dubboApi/debug/method endpoint, where attacker-controlled parameters can invoke command-execution helpers. Weaver released patches on 2026-03-12; administrators should apply those updates, restrict access to debug/management endpoints, and use published detection scripts to hunt for exposed or compromised instances.
read more →