< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2058 articles · page 24 of 103

Critical Authentication Bypass in Xiongmai XM530 IP Cameras

⚠️ A critical authentication bypass (CVE-2025-65856) affects Hangzhou Xiongmai Technology Co., Ltd XM530 IP cameras running firmware V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06. The ONVIF implementation fails to enforce authentication on 31 endpoints, allowing unauthenticated remote attackers to access sensitive device information and live video streams. CISA rates the issue CRITICAL (CVSS 3.1 9.8). The vendor has not cooperated with CISA; users should minimize network exposure, isolate devices behind firewalls, and contact Xiongmai support for guidance.
read more →

Countering China-Nexus Covert Networks of Edge Devices

🔒 This advisory from CISA and international partners, informed by UK NCSC analysis, describes a tactical shift by China‑nexus actors toward externally provisioned, large‑scale covert networks of compromised edge devices. Such networks—made up of SOHO routers, IoT cameras, NAS units and firewalls—are used for reconnaissance, malware delivery, multi‑hop C2 proxying and data exfiltration. The guidance urges organizations to map and inventory edge assets, baseline normal connections, leverage dynamic threat feeds, and enforce multifactor authentication to reduce exposure and improve detection.
read more →

CISA Warns of FIRESTARTER Targeting Cisco ASA Devices

🔒 CISA published a malware analysis on FIRESTARTER, a backdoor that enables remote access and persistent control of Cisco Firepower and Secure Firewall devices running ASA or FTD software. The report, co-sealed with NCSC-UK, attributes exploitation to an APT using CVE-2025-20333 and CVE-2025-20362. CISA issued Emergency Directive 25-03 requiring FCEB agencies to identify affected devices, collect forensic data, apply vendor updates, and report findings to mitigate ongoing risk.
read more →

SpiceJet Booking System: Two High-Severity Exposure Flaws

⚠️ CISA reports two high-severity authorization and authentication flaws in SpiceJet Online Booking System (CVE-2026-6375, CVE-2026-6376) that permit unauthenticated disclosure of passenger information. Both issues carry a CVSS 3.1 base score of 7.5 and allow PNR enumeration and full booking retrieval without proper access controls. SpiceJet did not respond to coordination requests; CISA recommends defensive network segmentation and other mitigations.
read more →

Advisory: Defending Against China-Nexus Covert Networks

🛡️ CISA and the U.K. NCSC, together with federal and international partners, released an advisory on deniable, dynamic covert networks exploited by Chinese government-linked actors. The advisory outlines how threat groups leverage weak home, small-office, and IoT devices to build large botnets that enable espionage, intrusion, device takeover, and data theft. It provides actionable detection and mitigation steps — including asset mapping, connection baselining, persistent log collection, and multifactor authentication — to help organizations protect critical infrastructure.
read more →

CISA Adds Marimo RCE to Known Exploited Vulnerabilities

⚠️ CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-39987, a Marimo Remote Code Execution flaw the agency identified as actively exploited. The advisory notes that Remote Code Execution is a common, high-risk attack vector capable of enabling full system compromise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed issues by required deadlines, and CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.
read more →

CISA Orders Patching of Microsoft Defender BlueHammer Flaw

🔒 CISA has ordered federal agencies to urgently patch a high-severity Microsoft Defender privilege escalation vulnerability tracked as CVE-2026-33825 and publicly dubbed BlueHammer, after evidence of active exploitation. Microsoft released a patch on April 14 following public disclosure and proof-of-concept code published by a researcher using the handle 'Chaotic Eclipse', who also revealed related Defender issues. Huntress Labs reported attacks showing hands‑on‑keyboard activity and suspicious FortiGate SSL VPN access tied to a Russia‑geolocated IP. Agencies must apply mitigations or update systems within two weeks, with a compliance deadline of May 7.
read more →

Apple fixes iOS bug that retained deleted notifications

🔒 Apple released patches for iOS and iPadOS to fix a Notification Services logging flaw that could retain notifications marked for deletion. Tracked as CVE-2026-28950, the issue was addressed by improving data redaction so deleted alerts are no longer preserved. Affected models were fixed in iOS 26.4.2/iPadOS 26.4.2 and in iOS/iPadOS 18.7.8 for other devices. The update follows reporting that copies of Signal messages were forensically extracted from push notification storage.
read more →

Serial-to-Ethernet Converters Riddled with Vulnerabilities

⚠ Forescout's BRIDGE:BREAK study finds serial-to-Ethernet adapters widely shipped with outdated kernels and insecure open-source components, exposing industrial, healthcare, and retail equipment to attack. Researchers report firmware images averaged roughly 80 OSS components and nearly 2,500 known vulnerabilities with public exploits present. Manual analysis uncovered 22 new flaws in Lantronix and Silex devices enabling RCE, authentication bypass, firmware tampering, and device takeover. Vendors released patches; operators should patch, remove internet exposure, enforce strong credentials, segment networks, and monitor for misuse.
read more →

Apple fixes iOS bug retaining deleted notifications

🔒 Apple released out-of-band updates for iPhone and iPad to address a Notification Services flaw that could leave deleted notifications stored on the device. The bug, tracked as CVE-2026-28950, was patched on April 22, 2026 in iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8 and iPadOS 18.7.8. Apple says the issue was resolved through improved data redaction but provided no further technical details or confirmation of exploitation. Users are advised to install the updates promptly.
read more →

Microsoft issues out-of-band patch for ASP.NET Core flaw

🔒 Microsoft released an out-of-band fix after an April 14 .NET update (10.0.6) introduced a critical regression in the ASP.NET Core Data Protection NuGet package (CVE-2026-40372, CVSS 9.1). A bug in the ManagedAuthenticatedEncryptor caused HMAC validation tags to be computed with an incorrect offset, allowing forged cookies and tokens to be treated as valid. Developers should upgrade to 10.0.7, rebuild embedded apps (including Docker images), expire affected cookies and tokens, and rotate protection keys to remove potential forgeries.
read more →

Amazon Corretto April 2026 Quarterly Security Updates

🔒 Amazon announced its April 2026 quarterly security and critical updates for Amazon Corretto, delivering new builds for LTS and Feature Release OpenJDK distributions. Releases available: Corretto 26.0.1, 25.0.3, 21.0.11, 17.0.19, 11.0.31, and 8u492. This is the final Corretto 8 release that includes JavaFX binaries; JavaFX will be removed starting July 2026. Downloads and repo configuration instructions are provided on the Corretto home page to help administrators apply the updates.
read more →

CISA Adds One Vulnerability to KEV Catalog After Exploitation

⚠ CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-33825, an Microsoft Defender access-control issue characterized by insufficient granularity and identified as being actively exploited. The agency emphasizes that this class of flaw is a frequent attack vector and presents significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the prescribed due date, and CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.
read more →

Microsoft Issues Patch for Critical ASP.NET Core Flaw

🔒 Microsoft released an out-of-band update to address a high-severity privilege-escalation flaw in ASP.NET Core tracked as CVE-2026-40372 (CVSS 9.1). A regression in Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 allowed the managed encryptor to compute HMAC validation over incorrect payload bytes, enabling forged payloads to pass authenticity checks and potentially grant SYSTEM-level access on non-Windows hosts. Microsoft fixed the issue in ASP.NET Core 10.0.7 and warned tokens issued during the vulnerable window remain valid until the DataProtection key ring is rotated.
read more →

Microsoft issues emergency patches for ASP.NET flaw

🔒 Microsoft has released out-of-band updates to fix a critical ASP.NET Core privilege escalation vulnerability (CVE-2026-40372) in the ASP.NET Core Data Protection APIs. A regression in the Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 packages caused HMAC validation to be computed over the wrong bytes, allowing forged auth cookies and decryption of protected payloads. Developers should update to 10.0.7, redeploy, and rotate DataProtection key rings to invalidate tokens issued during the vulnerable window.
read more →

Critical Terrarium Sandbox Flaw Enables Root Code Execution

⚠️ A critical vulnerability in the Python-based sandbox Terrarium (CVE-2026-5752) allows attackers to execute arbitrary code with root privileges by traversing JavaScript prototype chains in the Pyodide WebAssembly environment. Disclosed by CERT/CC and credited to researcher Jeremy Brown, the flaw permits sandbox escapes from Docker-deployed containers and can expose sensitive files or services. Because the project is no longer actively maintained, immediate mitigations are recommended, such as disabling untrusted code submissions and isolating containers.
read more →

Over 1,300 Microsoft SharePoint Servers Remain Unpatched

🚨 Over 1,300 Internet-exposed Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing vulnerability Microsoft fixed in its April 2026 Patch Tuesday. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition and was flagged as a zero-day exploited in the wild. Fewer than 200 systems have been patched since the update; organizations should apply Microsoft's fixes or recommended mitigations immediately.
read more →

Thousands of ActiveMQ Instances Unpatched After AI-Found Flaw

🔒 Two weeks after the April 7 disclosure of a remote code injection flaw (CVE-2026-34197) in Apache ActiveMQ, ShadowServer reports nearly 6,500 internet-facing instances remain unpatched. The vulnerability affects versions before 5.19.4 and 6.2.3 and can let an authenticated attacker load remote Spring XML to achieve code execution. CISA added the bug to its KEV list and organizations are urged to upgrade immediately.
read more →

22 BRIDGE:BREAK Flaws in Lantronix and Silex Converters

⚠️ Forescout Research Vedere Labs disclosed 22 vulnerabilities, labeled BRIDGE:BREAK, in popular Lantronix and Silex serial-to-IP converters that bridge legacy serial equipment to IP networks. Researchers located nearly 20,000 exposed devices online and warned that several flaws permit full takeover or tampering with serial traffic. Affected models include Lantronix EDS3000PS/EDS5000 and Silex SD330-AC; vendors have issued firmware updates and advisories. Operators should patch immediately, remove default credentials, segment networks, and avoid exposing these converters to the internet.
read more →

Critical Azure SRE Agent Flaw Allowed Silent Eavesdropping

🔒 A high-severity authentication flaw in Azure SRE Agent exposed agent activity streams to unauthorized tenants, researcher Yanir Tsarimi of Enclave AI reported. Tracked as CVE-2026-32173 with a CVSS score of 8.6, the vulnerability stemmed from an Entra ID app registration configured as multi-tenant and a WebSocket hub that accepted tokens without tenant authorization checks. The hub broadcast agent prompts, internal reasoning, commands and outputs to all connected clients. Microsoft applied a server-side fix and says no customer action is required, but organizations that ran the agent during preview should review any credentials or sensitive data that may have traversed agent interactions.
read more →