< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2058 articles · page 26 of 103

Critical RCE in protobuf.js due to unsafe code gen

⚠️ A critical remote code execution vulnerability has been disclosed in protobuf.js, the widely used JavaScript implementation of Google's Protocol Buffers, caused by unsafe dynamic code generation that concatenates schema-derived identifiers into functions. An attacker who can supply or influence schemas can inject arbitrary JavaScript into a generated Function() call, which executes when the crafted schema is processed. Maintainers and Endor Labs urge immediate upgrades to patched releases and recommend treating schema-loading as untrusted while auditing transitive dependencies.
read more →

Critical Thymeleaf Sandbox Bypass Patched in Java Template

⚠️ Maintainers of Thymeleaf released a patch addressing a critical Server-Side Template Injection (SSTI) vulnerability, tracked as CVE-2026-40478, that allows unauthenticated attackers to execute expressions and run code. The flaw bypasses Thymeleaf’s sandbox protections by exploiting control characters in expressions and improper class restrictions. All versions prior to 3.1.4.RELEASE are affected, there is no workaround, and organizations should upgrade immediately.
read more →

Flawed Cisco Update Risks Blocking AP Firmware Patches

⚠️ Cisco issued an IOS XE library update that causes a specific log file on many Catalyst and Wi‑Fi 6 access points to grow by about 5MB per day, potentially filling flash and preventing future firmware upgrades. Administrators should run Cisco’s WLANPoller tool or manually inspect the boot partition with show boot and perform mandatory prechecks close to maintenance windows. If flash is already exhausted an AP may require reboot, manual cleanup, vendor emergency script, or physical intervention to avoid being bricked.
read more →

Three Microsoft Defender Zero-Days Exploited in the Wild

🔒 Huntress warns that threat actors are actively exploiting three recently disclosed Microsoft Defender vulnerabilities — codenamed BlueHammer, RedSun, and UnDefend — to gain elevated privileges and disrupt defenses. Microsoft addressed BlueHammer in this week's Patch Tuesday as CVE-2026-33825, but RedSun and UnDefend remain unpatched and have PoCs observed in the wild. Huntress reported weaponization beginning April 10 for BlueHammer and April 16 for RedSun and UnDefend, and said it isolated affected environments while investigating post-exploitation activity.
read more →

RedSun exploit abuses Microsoft Defender to gain SYSTEM

🛡️ A new proof-of-concept called RedSun demonstrates that Microsoft Defender can be manipulated to overwrite protected system files and escalate privileges to SYSTEM on Windows 10 and 11 systems with cloud files features enabled. The exploit leverages Defender’s special handling of cloud-tagged files, which can trigger a rewrite to disk during remediation, allowing attackers to influence timing and destination. Researchers reproduce the issue using the Cloud Files API, oplocks, Volume Shadow Copy race conditions, and directory junctions; detection is limited and Microsoft has not yet commented.
read more →

CISA: Active Exploitation of Apache ActiveMQ CVE-2026-34197

🔴 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a high-severity Apache ActiveMQ flaw, CVE-2026-34197, is being actively exploited in attacks. The bug, present for 13 years, allows authenticated attackers to execute arbitrary code via improper input validation and injection. Apache released patches on March 30 for ActiveMQ Classic 6.2.3 and 5.19.4, and CISA added the CVE to its KEV catalog, ordering federal agencies to patch by April 30.
read more →

Microsoft: April update causes domain controller loops

⚠️After installing the April 2026 Windows security update (KB5082063), some non‑Global Catalog domain controllers configured with Privileged Access Management (PAM) may experience Local Security Authority Subsystem Service (LSASS) crashes during startup. Affected servers can enter repeated reboot loops, disrupting authentication and directory services and potentially rendering domains unavailable. Microsoft is investigating and advises administrators to contact Microsoft Support for Business for mitigation options until a permanent fix is released.
read more →

CISA Adds Apache ActiveMQ RCE CVE-2026-34197 to KEV

⚠️ CISA has added CVE-2026-34197 to its Known Exploited Vulnerabilities catalog after active exploitation reports targeting Apache ActiveMQ Classic. The flaw is an improper input validation issue that can enable code injection via the Jolokia management API, potentially allowing arbitrary OS command execution. While the bug typically requires credentials, default credentials and a prior authentication bypass in some versions can render it effectively unauthenticated. Users should upgrade to ActiveMQ 5.19.4 or 6.2.3 to remediate the issue.
read more →

Cisco issues critical Webex and ISE vulnerability fixes

⚠️ Administrators using Cisco Webex Services with SSO integrated via Control Hub must upload a new identity provider (IdP) SAML certificate to remediate a critical impersonation vulnerability (CVE-2026-20184). Cisco has patched the cloud-side service, but affected customers must perform the configuration change in Control Hub; there are no workarounds. Cisco also released critical fixes for ISE and ISE-PIC addressing remote code execution and path traversal flaws that require patching and credential hygiene.
read more →

MCP STDIO Design Choice Enables Widespread RCE Risk

⚠️ Researchers at OX Security warn that a design decision in Anthropic’s reference Model Context Protocol (MCP) STDIO implementation may permit remote code execution (RCE) when client applications start local MCP servers without proper command filtering. The flaw stems from SDKs accepting arbitrary STDIO commands as subprocess arguments, which many adapters and tools inherit. Anthropic and other framework maintainers say this behavior is by design and that application developers must sanitize inputs, but OX found few effective defenses and demonstrated RCE across numerous projects and services.
read more →

Attempted Exploitation of CVE-2023-33538 in TP‑Link Routers

🔎 Unit 42 observed automated scans targeting CVE-2023-33538 in several end-of-life TP‑Link routers (TL‑WR940N, TL‑WR740N, TL‑WR841N). Payloads resembled Mirai-like botnet binaries and attempted to download and execute an arm7 ELF, but in-the-wild attempts were flawed and generally failed. Emulation and reverse engineering confirmed a real command-injection flaw in the ssid1 parameter that reaches a system shell, but successful exploitation requires web authentication (default credentials like admin:admin remain a practical risk). TP‑Link lists the devices as EOL with no patches; Unit 42 recommends replacing affected units and avoiding default credentials while using layered protections.
read more →

NIST Narrows CVE Enrichment Amid Growing Backlog Strain

🔍 NIST will restrict enrichment in its National Vulnerability Database to the most critical CVEs, prioritizing entries in CISA’s Known Exploited Vulnerabilities (KEV), software used by the federal government, and other critical products. All other CVEs will be ingested but marked as not scheduled, and the agency will stop recalculating severity scores when submitters provide their own. The move follows a surge in submissions and a backlog of more than 30,000 CVEs, and NIST says it will adopt automation and delegate tasks to CNAs to stabilize NVD operations.
read more →

New Microsoft Defender 'RedSun' zero-day grants SYSTEM

⚠️ A proof-of-concept for a second Microsoft Defender zero-day, dubbed RedSun, was published by researcher 'Chaotic Eclipse', demonstrating a local privilege escalation that grants SYSTEM privileges on patched Windows 10, Windows 11, and supported Windows Server releases when Defender is enabled. The PoC exploits Defender's handling of cloud-tagged files via the Cloud Files API to overwrite system binaries and achieve code execution as SYSTEM. Security analyst Will Dormann of Tharros confirmed the exploit works; some antivirus products detect elements of the PoC due to an embedded EICAR test file. The researcher says the publication was a protest over interactions with the Microsoft Security Response Center.
read more →

Foxit Reader and LibRaw Vulnerabilities — Talos Advisory

🔒 Cisco Talos disclosed a use-after-free flaw in Foxit Reader (TALOS-2026-2365 / CVE-2026-3779) exploitable via malicious PDF JavaScript, and six vulnerabilities in LibRaw including heap-based buffer overflows and integer overflows across multiple CVEs. All issues were patched by vendors following Cisco’s disclosure policy. Administrators should apply vendor updates and deploy Snort rules from Talos to detect exploitation.
read more →

NIST Shifts NVD Enrichment Strategy Pre-March 2026

📢 NIST announced a major operational change to the National Vulnerability Database (NVD), moving to a risk-based enrichment model and ceasing enrichment for all CVEs reported before March 1, 2026. The NVD will prioritize vulnerabilities in software used by the US federal government, critical software under Executive Order 14028, and entries on the CISA Known Exploited Vulnerabilities (KEV) list. CVEs that don't meet those criteria will be labeled Not Scheduled, though all submissions will still be ingested and users may request enrichment by emailing nvd@nist.gov.
read more →

Windows Recall Still Permits Silent Data Extraction

🛡️ A security researcher says Microsoft’s Windows Recall feature remains vulnerable to quiet exfiltration of everything it captures by malware running in the same user context. Alexander Hagenah published a proof-of-concept called TotalRecall Reloaded and disclosed the issue to Microsoft on March 6; Microsoft reviewed and closed the report April 3, calling the behavior "by design." Hagenah says the gap lies not in encryption but in how decrypted screenshots and text are handled and displayed in an unprotected process, allowing same-user code to read Recall data without admin rights or kernel exploits.
read more →

Cisco patches critical Webex SSO flaw; action required

🔒 Cisco released updates addressing four critical vulnerabilities, including a fixed improper certificate validation bug in Webex Services SSO integration (CVE-2026-20184) that could enable user impersonation via crafted tokens. While Cisco patched the service-side defect, customers using SSO must upload a new SAML certificate for their IdP into Control Hub to avoid service interruptions. The company also fixed three critical ISE flaws that require administrative credentials to exploit.
read more →

Critical Missing Authorization in AVEVA Pipeline Simulation

🔒 A critical authorization vulnerability (CVE-2026-5387) in AVEVA Pipeline Simulation allows an unauthenticated actor to perform actions reserved for Simulator Instructor or Developer roles, with the potential to modify simulation parameters, training configuration, and training records. Affected versions are <=2025_SP1_build_7.1.9497.6351. AVEVA provides a fix: upgrade to 2025 SP1 P01 (build 7.1.9580.8513) or later; interim mitigations include restricting API network access and enforcing TLS.
read more →

Critical Weak Password Issue in Horner Automation PLCs

🔒 Horner Automation products contain a weak-password vulnerability (CVE-2026-6284) that allows network attackers to brute-force credentials and gain unauthorized access to PLC systems and services. Affected versions include Cscape v10.0, XL7 v15.60, and XL4 v16.32.0. The vulnerability is scored CVSS 3.1 9.1 (Critical) and is associated with CWE-521: Weak Password Requirements. Horner has released fixes—update to Cscape v10.2 SP2 and the latest XL4/XL7 firmware—and operators should minimize network exposure and use secure remote access.
read more →

Critical Vulnerabilities in Anviz CX Series & CrossChex

⚠️ CISA published an advisory describing multiple critical vulnerabilities in Anviz products, including CX2 Lite, CX7, and CrossChex Standard. Issues range from unauthenticated firmware uploads and command injection to credential exposure and cleartext administrative sessions, any of which can lead to remote code execution and full device compromise. The advisory lists numerous CVEs with example CVSS up to 9.8 and notes no vendor response; organizations are urged to isolate affected devices and apply defensive mitigations immediately.
read more →