< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2059 articles · page 29 of 103

EngageLab SDK Flaw Exposed Millions of Android Users

🔒 Microsoft Defender disclosed a patched vulnerability in the EngageLab SDK that could allow co‑located apps on an Android device to bypass the system sandbox and access private app data. The issue, introduced in version 4.5.4 and characterized as an intent redirection vulnerability, affected many cryptocurrency and wallet apps—wallet installations exceeded 30 million and total installs topped 50 million. EngageLab released version 5.2.1 in November 2025 after a responsible disclosure in April 2025; detected vulnerable apps were removed from Google Play and developers are urged to update immediately.
read more →

Intent Redirection in EngageSDK Exposes Android Wallets

🔒 Microsoft Defender Security Research Team discovered a critical intent redirection vulnerability in the third‑party EngageSDK that allowed co‑installed apps to abuse a merged, exported activity and act with the victim app's identity and permissions. The flaw, present in a post‑build merged manifest entry (MTCommonActivity) and tied to parseUri(URI_ALLOW_UNSAFE) and grant flags, could yield persistent read/write access to content providers. Microsoft coordinated with EngageLab and the Android Security Team; EngageLab released EngageSDK v5.2.1 on 2025‑11‑03 to set the activity non‑exported, affected apps were removed from Google Play, and Android platform protections were updated. Developers should upgrade and inspect merged manifests for unexpected exported components.
read more →

GPL Odorizers GPL750 Vulnerability Allows Modbus Tampering

🔐 A vulnerability in GPL Odorizers GPL750 controllers (CVE-2026-4436) permits a low-privileged remote attacker to send unauthenticated Modbus packets that alter register values used by the odorant injection logic, potentially causing excessive or insufficient odorant dosing in gas lines. Affected XL4/XL4 Prime/XL7/XL7 Prime firmware ranges are documented and the issue is rated CVSS 3.1 8.6 (High). Vendors provide firmware updates and installation guidance; apply updates, isolate controllers on control networks, and follow ICS security best practices.
read more →

CISA: Critical BASC-20T Vulnerability Allows Remote Control

🔒 The Cybersecurity and Infrastructure Security Agency (CISA) reports a high-severity vulnerability in Contemporary Controls BASC 20T (BASControl20 v3.1, CVE-2025-13926). An unauthenticated attacker who can sniff network traffic may forge packets to enumerate components, reconfigure, rename, delete items, perform file transfers, and invoke remote procedure calls. CISA assigns a CVSS v3.1 base score of 9.8 and notes the product is considered obsolete; users are advised to contact the vendor for guidance and to reduce network exposure.
read more →

Adobe Reader zero-day exploited via crafted PDF lures

⚠️ Security researchers report a previously unknown zero-day in Adobe Reader is being actively exploited via maliciously crafted PDF documents. The exploit, linked to samples named Invoice540.pdf, has been observed since at least December 2025 and executes obfuscated JavaScript to harvest data and retrieve additional payloads. Analysts warn the vulnerability abuses privileged Acrobat APIs, works on the latest Adobe Reader build, and may enable follow-on RCE or sandbox escape.
read more →

Attackers Exploiting Adobe Reader Zero-Day Since December

⚠ Haifei Li has identified a zero-day vulnerability in Adobe Reader that has been exploited since at least December via maliciously crafted PDFs. The attack uses a highly sophisticated, fingerprinting-style exploit that can harvest local data using Acrobat APIs and may enable follow-on RCE or sandbox escape without user interaction beyond opening a file. Li urges users to avoid PDFs from untrusted sources and to monitor network traffic for the Adobe Synchronizer User-Agent string as a temporary mitigation.
read more →

AgentCore Starter Toolkit Grants Broad IAM God Mode

🔐 Unit 42 found the AgentCore starter toolkit auto-creates overly permissive IAM roles that grant wildcard access to Bedrock AgentCore and ECR resources. The default deployment enables an “Agent God Mode” scenario where a compromised agent can exfiltrate container images, retrieve other agents’ MemoryIDs, invoke code interpreters, and read or poison memories across an entire AWS account. AWS updated documentation to warn these roles are intended for development; Unit 42 recommends creating scoped, least-privilege roles and auditing ECR, memory, and invoke permissions.
read more →

CISA Orders Federal Agencies to Patch Ivanti EPMM Flaw

⚠️ CISA has ordered U.S. federal agencies to remediate a critical Ivanti Endpoint Manager Mobile flaw (CVE-2026-1340) that has been exploited since January. The agency added the bug to its Known Exploited Vulnerabilities catalog and invoked BOD 22-01, giving agencies until Saturday, April 11 to patch or mitigate affected systems. Ivanti released fixes on January 29 and urged all customers to update immediately.
read more →

13-Year-Old Remote Code Execution in ActiveMQ Classic

⚠️ Researchers disclosed a critical remote code execution flaw in Apache ActiveMQ Classic that remained undetected for 13 years and can allow arbitrary system command execution. Tracked as CVE-2026-34197 with a CVSS score of 8.8, the bug affects Classic releases before 5.19.4 and 6.0.0 through 6.2.3; fixes were released in 5.19.4 and 6.2.3. Administrators should apply the updates, review Jolokia access controls, and inspect broker logs for indicators of compromise.
read more →

Google API Key Flaw Exposes Mobile Apps to Gemini Access

🔒 A flaw in Google's API key model has allowed embedded Android app keys to gain silent access to the Gemini AI endpoints when the API is enabled in a project. CloudSEK's April 8 advisory found 32 active keys across 22 apps with more than 500 million installs and demonstrated retrieval of user-uploaded audio via the Gemini Files API. Developers should immediately audit projects, rotate exposed keys and apply strict API restrictions.
read more →

Critical File Upload Flaw in Ninja Forms (WordPress)

⚠ A critical arbitrary file upload vulnerability has been identified in the Ninja Forms – File Upload Plugin for WordPress, impacting versions up to 3.3.26 and rated CVSS 9.8. The flaw allows unauthenticated attackers to upload malicious files (including .php), bypass validation, and achieve remote code execution. Wordfence validated the report after it was disclosed on January 8, 2026, and the developer issued a complete patch in version 3.3.27 on March 19; administrators should update immediately.
read more →

Critical Flowise flaw enables JavaScript injection in AI

🚨 A critical design oversight in Flowise, a low-code platform for building LLM flows, allows arbitrary JavaScript to be injected via its Custom MCP node. The vulnerability (CVE-2025-59528) results from unsafe parsing in convertToValidJSONString, which feeds user input to the Function() constructor and executes with full Node.js privileges. A patch shipped in v3.0.6 and the latest public release is v3.1.1, but thousands of internet-exposed instances remain at risk as attackers have begun exploiting unpatched deployments.
read more →

CISA Adds Ivanti EPMM Code Injection CVE to KEV Catalog

⚠️ CISA has added CVE-2026-1340, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The agency notes that code injection is a common, high-risk attack vector with significant implications for federal networks. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate identified KEV entries by the required deadlines, and CISA urges all organizations to prioritize timely fixes to reduce exposure.
read more →

Claude-assisted discovery of long-hidden ActiveMQ RCE

🔎 Horizon3.ai researchers used Anthropic's Claude to help uncover a remote code execution vulnerability, CVE-2026-34197, in Apache ActiveMQ Classic that reportedly persisted for about 13 years. The flaw allows an attacker to invoke Jolokia management operations to fetch a remote configuration file and execute arbitrary OS commands; default admin:admin credentials or prior exposure via CVE-2024-32114 can make exploitation trivial. Patches are available in versions 5.19.4 and 6.2.3, and administrators are advised to update, remove default credentials, and inspect broker logs for signs of compromise.
read more →

Microsoft rolls out fix for broken Windows Start search

🔧 Microsoft has deployed a server-side fix after a Bing update disrupted Windows 11 23H2 Start Menu search on a small number of devices. The issue, first noted around April 6 and reportedly seen by some users for months, produced blank but clickable search results. Microsoft rolled back the problematic server-side Bing update and says reports of failures are decreasing; the company advises ensuring the device is online and that Web Search has not been disabled by Group Policy.
read more →

Critical RCE Flaw in Ninja Forms File Uploads Plugin

⚠️ A critical vulnerability in the Ninja Forms File Uploads premium add-on (identified as CVE-2026-0740) allows unauthenticated attackers to upload arbitrary files, including PHP, enabling remote code execution. Wordfence reports active exploitation and has blocked thousands of attempts. The flaw affects versions up to 3.3.26; the vendor issued a full fix in 3.3.27 on March 19. Users of the File Upload extension should upgrade immediately and apply available mitigations.
read more →

AgentCore Sandbox DNS Escape and MMDSv1 Regression

🔎 Unit 42 found that Amazon's AgentCore Code Interpreter sandbox permitted recursive DNS resolution, enabling covert DNS tunneling that can exfiltrate and receive data despite advertised isolation. They also identified a regression in the microVM Metadata Service where MMDSv1 accepted unauthenticated HTTP GETs without session-token enforcement, exposing credentials and pre-signed S3 artifacts. AWS was notified and implemented mitigations including documentation updates, setting MMDSv2 as the default for new runtimes, and providing APIs to disable v1 on legacy agents.
read more →

Fortinet issues emergency hotfix for FortiClient EMS

🚨 Fortinet has released an emergency hotfix for FortiClient EMS to address a critical authentication-bypass vulnerability tracked as CVE-2026-35616 that permits unauthenticated remote code execution. The flaw carries a CVSS score of 9.1 and affects on-premises EMS versions 7.4.5 and 7.4.6; FortiClient Cloud and FortiSASE were patched server-side and a full fix is planned for 7.4.7. Organizations should apply the hotfix to EMS Linux servers, audit API logs and recent configuration changes, and restore or rebuild instances if compromise is suspected.
read more →

Max-severity Flowise RCE (CVE-2025-59528) Now Exploited

🚨 Security researchers report active exploitation of Flowise via CVE-2025-59528, a CVSS-10 arbitrary JavaScript injection that can lead to remote command execution and filesystem access. The flaw stems from the CustomMCP node unsafely evaluating user-supplied mcpServerConfig, allowing execution of supplied scripts. The developer fixed the issue in Flowise 3.0.6; users should upgrade to 3.1.1 or at minimum 3.0.6 and restrict public exposure.
read more →

Docker CVE-2026-34040 Lets Attackers Bypass AuthZ Exploit

⚠ A high-severity flaw (CVE-2026-34040, CVSS 8.8) in Docker Engine can allow an attacker with API access to bypass AuthZ plugins by causing the daemon to forward requests without their body. The bug is tied to an incomplete fix for CVE-2024-41110 and arises when oversized, padded HTTP requests are dropped before reaching the authorization plugin. An attacker who pads a container-creation request above the threshold can cause the daemon to create a privileged container that mounts the host filesystem. Docker Engine 29.3.1 contains the patch; mitigations include avoiding body-dependent AuthZ plugins, restricting API access to trusted users, or running Docker in rootless mode.
read more →