< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2058 articles · page 23 of 103

CISA Adds Two Known-Exploited Vulnerabilities to KEV Catalog

🔔 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. The entries are CVE-2024-1708, a path traversal flaw in ConnectWise ScreenConnect, and CVE-2026-32202, a protection mechanism failure in Microsoft Windows. Under BOD 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed flaws by specified due dates, and CISA strongly urges all organizations to prioritize timely remediation as part of vulnerability management.
read more →

NSA GRASSMARLIN XML External Entity Vulnerability Advisory

⚠️ A vulnerability in NSA GRASSMARLIN allows crafted session data to trigger improper XML parsing that may disclose sensitive information. Tracked as CVE-2026-6807 and classified under CWE-611, the issue affects GRASSMARLIN v3.2.1 and carries a CVSS 3.1 base score of 5.5 (MEDIUM). The GRASSMARLIN project reached end-of-life in 2017 and is archived, so no vendor patches are planned; CISA recommends compensating controls, network isolation, and following published ICS defensive guidance.
read more →

Critical CVE-2026-25874 in LeRobot Enables Remote RCE

⚠️ A critical vulnerability, CVE-2026-25874, was disclosed in Hugging Face's open-source robotics framework LeRobot, enabling unauthenticated remote code execution via unsafe deserialization with pickle.loads(). The flaw affects the async inference PolicyServer handling gRPC calls (SendPolicyInstructions, SendObservations, GetActions) over unauthenticated channels and has been validated against LeRobot 0.4.3. A patch is planned for version 0.6.0; operators should treat exposed instances as high-risk and apply mitigations such as enabling TLS, restricting network access, and eliminating pickle-based deserialization.
read more →

Microsoft: New Remote Desktop Warnings Display Issue

⚠ Microsoft confirmed a display bug causing newly introduced Windows security warnings to render incorrectly when opening Remote Desktop (RDP) files. The issue affects all supported Windows releases updated in April 2026 (including Windows 11 KB5083768 & KB5083769, Windows 10 KB5082200, and Windows Server KB5082063) and appears when multiple monitors use different scaling settings, producing overlapping text and misplaced buttons. These dialogs — deployed to warn users about unsigned or unverified RDP files and to show resource redirection settings — can become difficult or impossible to interact with until Microsoft provides a fix.
read more →

Microsoft Patches Entra ID Role Flaw Allowing Takeover

🔒 An underscoped built-in role in Microsoft Entra ID, Agent ID Administrator, allowed users to assume ownership of arbitrary service principals and then add credentials to authenticate as those principals, enabling full service principal takeover. Silverfort researchers, led by Noa Ariel, reported the vulnerability on March 1, 2026, and Microsoft issued a patch across all cloud environments on April 9, 2026. After the update, attempts to assign ownership of non-agent service principals using the role are blocked and return a 'Forbidden' error. Organizations are advised to monitor sensitive role usage, audit service principal ownership and credential changes, and secure privileged non-human identities.
read more →

Microsoft: Active Exploitation of Windows Shell Bug

🛡️ Microsoft confirmed active exploitation of a patched Windows Shell vulnerability, CVE-2026-32202, after correcting its advisory metadata. The flaw is a spoofing/authentication-coercion issue (CVSS 4.3) that can disclose sensitive information and was addressed in April Patch Tuesday. Akamai researcher Maor Dahan links the defect to an incomplete February fix for CVE-2026-21510 and says an APT28 campaign weaponized LNK/CPL/UNC/SMB chains to harvest credentials.
read more →

Persistent 'Firestarter' Backdoor Hits Cisco Firewalls

🛡️ Security teams are being urged to inspect Cisco ASA and Firepower devices following discovery of a resilient backdoor called Firestarter that can persist after patching and survive normal reboots. CISA and the UK’s NCSC recommend generating a core dump and running their published YARA rules (or scanning a disk image) to detect the implant. If an infection is confirmed, the advisory states the device must be physically disconnected from all power sources, including redundant and backup supplies, for at least one minute or be fully reimaged — a standard reboot or power cycle is not sufficient.
read more →

Microsoft Fixes Agent ID Administrator Role Privilege Flaw

🔒 Researchers at Silverfort discovered that Microsoft’s Agent ID Administrator role could modify and take ownership of unrelated service principals, allowing role holders to create credentials and authenticate as compromised applications. The flaw stemmed from scope enforcement failing in the Agent Identity Platform, where agent identities share primitives with applications. Microsoft deployed a fix by April 9, 2026; organizations should audit role assignments and service principal ownership and monitor for unexpected changes.
read more →

CISA Adds Four Actively Exploited Flaws to KEV Catalog

⚠️ CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog affecting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X routers, citing evidence of active exploitation. The listed flaws include two SimpleHelp issues (CVE-2024-57726, CVE-2024-57728), a Samsung path traversal (CVE-2024-7399), and a D-Link command injection (CVE-2025-29635). Agencies are urged to apply fixes or retire affected devices by May 8, 2026.
read more →

Pack2TheRoot flaw in PackageKit lets local users gain root

⚠️ A newly disclosed vulnerability, dubbed Pack2TheRoot (CVE-2026-41651), permits local Linux users to install or remove system packages and obtain root privileges by abusing the PackageKit daemon. The bug dates back to 2014 and affects PackageKit versions 1.0.2 through 1.3.4; it is resolved in PackageKit 1.3.5. Administrators should upgrade immediately, verify if packagekit is running, and monitor logs for assertion failures or crashes as likely indicators of attempted exploitation.
read more →

CISA: Over 10,000 Zimbra Servers Vulnerable to XSS

⚠️ Shadowserver and CISA warn that more than 10,500 internet-exposed Zimbra Collaboration Suite instances remain vulnerable to an actively exploited cross-site scripting bug tracked as CVE-2025-48700. Synacor issued patches in June 2025, but the flaw can be triggered without user interaction when a maliciously crafted email is viewed in the Classic UI. CISA added the issue to its Known Exploited Vulnerabilities catalog and ordered federal agencies to secure affected servers by April 23.
read more →

CISA Adds Four Vulnerabilities to KEV Catalog; Urges Fixes

🚨 CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation: CVE-2024-7399 (Samsung MagicINFO 9 path traversal), CVE-2024-57726 (SimpleHelp missing authorization), CVE-2024-57728 (SimpleHelp path traversal), and CVE-2025-29635 (D-Link DIR-823X command injection). The agency notes these are common attack vectors that present significant risk to the federal enterprise and reminds Federal Civilian Executive Branch agencies of remediation obligations under BOD 22-01. Although that directive applies only to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation as part of standard vulnerability management.
read more →

Critical file upload flaw exploited in Breeze Cache

⚠️ Researchers warn that a critical vulnerability (CVE-2026-3844) in the Breeze Cache WordPress plugin allows unauthenticated attackers to upload arbitrary files via the fetch_gravatar_from_remote function. Exploitation can lead to remote code execution and complete site takeover, but successful attacks require the optional 'Host Files Locally - Gravatars' add-on to be enabled. Cloudways released a patch in version 2.4.5; administrators should update immediately or disable the add-on until patched.
read more →

Microsoft: Edge update prevents some Teams meeting joins

⚠️ Microsoft confirmed a recent Microsoft Edge update introduced a regression preventing some Windows users from joining scheduled Microsoft Teams meetings or meetings launched via links. The company advised impacted users to restart the Teams client as a temporary workaround while engineers analyze diagnostic data and monitor recent service changes. Microsoft classified the incident as an advisory and has not disclosed affected regions or user counts.
read more →

Apple issues emergency iOS fix for persistent notifications

🔒 Apple released an emergency update to fix a Notification Services logging flaw that allowed deleted alerts to remain stored on devices, potentially exposing message content. Tracked as CVE-2026-28950, the vulnerability is resolved in iOS 26.4.2 and iPadOS 26.4.2, with backports provided for older supported releases. Apple said the root cause was a logging issue and that improved data redaction prevents notifications marked for deletion from persisting. The company did not confirm whether the flaw was exploited or how long retained data could remain accessible.
read more →

Critical Path Traversal in Intrado 911 Emergency Gateway

⚠️ CISA warns of a critical path traversal vulnerability (CVE-2026-6074) in Intrado 911 Emergency Gateway that can expose the EGW management interface to unauthenticated access from an attacker with network access. The flaw enables reading, modifying, or deleting files and has a CVSS v3.1 base score of 9.8. Intrado released an update on March 2, 2026; organizations should apply the vendor patch immediately. Apply CISA guidance to minimize internet exposure and contact E911Support@intrado.com for vendor coordination.
read more →

Milesight Cameras: Multiple Critical and High Vulnerabilities

🔒 CISA warns of five vulnerabilities in Milesight camera firmware that can cause device crashes or permit remote code execution. The flaws affect numerous MS-, PM-, TS-, SC-, and SP-series models and include a CRITICAL use-of-default SSL private key (CVE-2026-32644) plus several HIGH-severity issues such as hard-coded credentials and a heap-based buffer overflow. Milesight has released firmware updates; operators should apply the latest PE/PC/PA builds and follow recommended network isolation and secure remote-access practices.
read more →

CISA Adds Marimo RCE to Known Exploited Vulnerabilities

⚠️ CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-39987, a Marimo Remote Code Execution flaw the agency identified as actively exploited. The advisory notes that Remote Code Execution is a common, high-risk attack vector capable of enabling full system compromise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed issues by required deadlines, and CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.
read more →

CISA Malware Analysis: FIRESTARTER Backdoor on Cisco

🔒 CISA and the U.K. NCSC analyzed a sample of the FIRESTARTER Linux ELF backdoor affecting Cisco Firepower and Secure Firewall devices running ASA/FTD. The agency assesses the malware provides persistent remote access, installs a hook into LINA to execute arbitrary shellcode, and can survive firmware updates and reboots. CISA provides YARA rules for detection and directs U.S. FCEB agencies to collect and submit core dumps per V1: ED 25-03, and to await further guidance.
read more →

Yadea T5 Electric Bicycle Weak Authentication Risk

🔓 CISA warns that Yadea T5 electric bicycles are affected by a weak authentication vulnerability tracked as CVE-2025-70994. A local attacker who intercepts a legitimate key fob transmission can forge signals to unlock and start the bicycle, enabling theft; CISA assigns a CVSS v3.1 score of 7.3 (High) and notes the issue is not remotely exploitable. Yadea did not respond to coordination efforts; users should secure property with external locks, keep devices updated, and contact vendor support.
read more →