< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2059 articles · page 30 of 103

GrafanaGhost vulnerability enables silent data exfiltration

🔒 Researchers at Noma's Threat Research Team have disclosed a critical vulnerability, GrafanaGhost, that enables attackers to silently extract sensitive enterprise data from Grafana environments. The exploit chains application and AI weaknesses — including flawed URL validation and indirect prompt injection — to transfer data to attacker servers without credentials or user interaction. Built-in guardrails can be bypassed with simple prompt tricks and protocol-relative URLs, allowing automatic background exfiltration that leaves little trace.
read more →

Zero‑click Grafana AI flaw enables enterprise data leaks

🛡️ Researchers disclosed a critical issue in Grafana, dubbed GrafanaGhost, that enables zero‑click exfiltration of sensitive telemetry and business data via AI‑powered dashboards. Noma Security reported the chained exploit, which combines indirect prompt injection and a URL validation bypass; Grafana validated the report and released a patch. The attack abuses protocol‑relative URLs and model keywords to trick AI into sending data to attacker servers. Organizations should patch, restrict img‑src, and enforce egress controls.
read more →

Mitsubishi Electric GENESIS64 and ICONICS Suite Fixes

🔒 CISA reports two high‑severity vulnerabilities (CVE‑2025‑14815, CVE‑2025‑14816) in Mitsubishi Electric GENESIS64, ICONICS Suite, and related products that may expose SQL Server credentials stored in local caches or displayed in the Hyper Historian Splitter GUI. Successful exploitation could enable disclosure, tampering, or denial of service on affected systems. Vendor updates are available (10.98+ for GENESIS64/ICONICS products and 11.03+ for GENESIS); administrators should disable local cache, delete cache files, prefer Windows authentication, and restrict administrative and remote access until patches are applied.
read more →

Iranian-Linked Actors Target Internet-Facing PLCs in US

🚨 CISA, the FBI, NSA and partner agencies warn that Iranian-affiliated APT actors are actively exploiting internet-facing operational technology controllers, notably Rockwell Automation/Allen-Bradley PLCs. The actors used vendor configuration software and leased overseas hosting to access exposed PLCs, extracted project files, and altered data shown on HMIs and SCADA displays, causing operational disruption and financial loss. Organizations should urgently apply the advisory's IOCs and mitigations: remove PLCs from direct internet exposure, enforce access controls and MFA, and contact vendor and federal incident contacts if targeted.
read more →

Fortinet issues emergency FortiClient EMS patch now

🔐 Fortinet has released an emergency hotfix for FortiClient Enterprise Management Server (EMS) to address a critical improper access control flaw tracked as CVE-2026-35616 (CVSS 9.1) that is being exploited in the wild. The vendor said the interim hotfix for EMS 7.4.5 and 7.4.6 fully prevents the issue and that a permanent fix will be included in 7.4.7. Security vendor Defused also reported a separate critical SQL injection, CVE-2026-21643 (CVSS 9.8), with active exploit activity; customers were urged to upgrade to 7.4.5 or later or at minimum disconnect the administrative web interface from the internet.
read more →

GPUBreach: RowHammer on GPUs Enables Full Host Takeover

⚠️ New research describes GPUBreach, a set of GDDR6 RowHammer techniques that corrupt GPU page tables to gain arbitrary GPU memory read/write and, in GPUBreach's case, full host control. The work shows chained GDDR6 bit-flips can corrupt trusted driver state and trigger kernel memory-safety bugs in NVIDIA drivers even with the IOMMU enabled. Related efforts (GDDRHammer, GeForge) also achieve GPU-side arbitrary read/write, though some require IOMMU to be disabled. Enabling ECC reduces risk but is not a guaranteed mitigation for all platforms.
read more →

Amazon Aurora PostgreSQL: Minor Releases 14–17 Update

🛡️ Amazon Aurora PostgreSQL-Compatible Edition now supports PostgreSQL 17.9, 16.13, 15.17, and 14.22, which include community bug fixes and Aurora-specific enhancements. We recommend upgrading to the latest minor versions to address known security vulnerabilities and improve stability. Use automatic minor version upgrades, scheduled maintenance windows, the AWS Organizations Upgrade Rollout Policy, and Aurora's zero-downtime patching to perform phased, low-impact upgrades at scale.
read more →

Active Exploitation of Critical Flowise RCE (CVE-2025-59528)

🔴 New findings show threat actors are actively exploiting a maximum-severity code injection flaw in Flowise (CVE-2025-59528) that can lead to remote code execution. The issue stems from the CustomMCP node executing user-supplied JavaScript in the mcpServerConfig string, granting access to sensitive Node.js modules and full runtime privileges. Flowise released a fix in the npm package v3.0.6; affected deployments should upgrade immediately. VulnCheck reports exploitation activity originating from a single Starlink IP and warns of 12,000+ internet-exposed instances.
read more →

GPUBreach: GPU Rowhammer Enables System Takeover to Root

⚠️ A new attack called GPUBreach demonstrates that Rowhammer-induced bit flips in GDDR6 memory can corrupt GPU page tables and allow an unprivileged CUDA kernel to gain arbitrary GPU memory read/write access. The University of Toronto team showed this capability can be chained into CPU-side privilege escalation by exploiting memory-safety bugs in the NVIDIA driver, potentially yielding a full system compromise up to a root shell. Critically, the attack works with IOMMU enabled and remains unmitigated on consumer GPUs without ECC. Full technical details and a reproduction package will be published on April 13.
read more →

Researcher Releases BlueHammer Windows Zero-Day Exploit

🚨 A security researcher published exploit code for an unpatched Windows privilege escalation vulnerability dubbed BlueHammer, citing dissatisfaction with how Microsoft's Security Response Center handled the report. The public proof-of-concept reportedly combines a TOCTOU and path confusion to access the SAM database and escalate to SYSTEM or elevated administrator privileges. The PoC contains bugs and is not reliably successful across all Windows editions, and Microsoft had not issued a patch at publication, leaving the flaw classified as a zero-day.
read more →

Microsoft fixes Classic Outlook email delivery bug

🛠️ Microsoft implemented a server-side fix to resolve a known issue that prevented some Classic Outlook users from sending messages via Outlook.com. Affected users received non-delivery reports (NDRs) showing error codes such as 0x80070005-0x0004dc-0x000524 and a warning that messages could not be sent. The Outlook Team says the change was deployed to production on April 3, 2026. If problems persist, Microsoft recommends using the New Outlook client or Outlook on the web and provides a temporary workaround to download the Outlook Address Book for impacted accounts.
read more →

CISA Orders Feds to Patch Fortinet EMS Zero-Day Urgently

⚠️ CISA has ordered federal agencies to patch FortiClient EMS instances by April 9 after the discovery of CVE-2026-35616, a pre-authentication API access bypass. Fortinet released emergency hotfixes and said unauthenticated attackers can execute code via specially crafted requests. Administrators are urged to apply hotfixes or upgrade to 7.4.7 immediately to mitigate active exploitation.
read more →

CISA Adds New KEV Entry for Fortinet FortiClient EMS

⚠ CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-35616, an Improper Access Control flaw affecting Fortinet FortiClient EMS. The agency reports evidence of active exploitation and highlights that this vulnerability class is a common attack vector posing significant risks to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by their due dates, and CISA urges all organizations to prioritize timely remediation.
read more →

Emergency Patch for FortiClient EMS Zero-Day Exploit

⚠️ Fortinet released an emergency weekend hotfix to address a critical pre-authentication flaw in FortiClient EMS (CVE-2026-35616) that is being actively exploited in the wild. The improper access control defect allows unauthenticated attackers to execute commands via specially crafted API requests and affects versions 7.4.5 and 7.4.6. Fortinet urges immediate installation of the hotfixes or upgrading to 7.4.7 when available. Shadowserver reports over 2,000 exposed EMS instances, primarily in the US and Germany.
read more →

Fortinet issues hotfix for actively exploited FortiClient EMS

🔧 Fortinet has released an out‑of‑band hotfix for a critical pre‑authentication API access bypass in FortiClient EMS (CVE-2026-35616, CVSS 9.1) that has been observed exploited in the wild. The flaw allows unauthenticated attackers to bypass API authentication and authorization protections and execute commands on affected systems, impacting versions 7.4.5–7.4.6. Fortinet urges immediate installation of the hotfix and says a full remediation will be included in 7.4.7.
read more →

Google patches fourth Chrome zero-day this year in 2026

🛡️ Google has patched a fourth zero-day in Chrome this year, addressing CVE-2026-5281 in Dawn, the browser's WebGPU implementation, which allowed remote code execution via a crafted HTML page when the renderer process was compromised. The company confirmed an exploit exists in the wild and urges users to update to Chrome 146.0.7680.178 or newer. This fix follows earlier 2026 patches for CSS memory handling, the Skia graphics library, and the V8 JavaScript engine.
read more →

Cisco fixes critical IMC auth bypass in many devices

🔒Cisco has released patches for a critical authentication bypass in its Integrated Management Controller (IMC), tracked as CVE-2026-20093. The flaw, caused by incorrect handling of password changes, can be exploited via specially crafted HTTP requests to gain unauthenticated admin access. Affected platforms include standalone UCS C-Series, UCS E-Series, Catalyst 8300, and 5000 Series systems. Administrators should apply updates and restrict IMC exposure immediately.
read more →

Democratisation of Business Email Compromise Fraud Trends

🔒 The Talos Threat Source newsletter warns that business email compromise (BEC) attacks have been democratised by AI, enabling attackers to cheaply and rapidly craft convincing payment requests that target small community organisations, charities, and businesses. Attackers can automate reconnaissance and generate tailored messages referencing projects, tone, and terminology. Defenders should verify unexpected payment requests via independent channels, enforce procurement controls, and increase awareness. The briefing also flags an automated credential-harvesting campaign exploiting React2Shell in Next.js applications that risks wide-scale token and key theft.
read more →

Cisco Patches Critical IMC and SSM Flaws (CVSS 9.8)

🔒 Cisco released patches for two critical vulnerabilities in its management software that carry a CVSS score of 9.8. CVE-2026-20093 in the Integrated Management Controller (IMC) allows an unauthenticated attacker to bypass authentication and change any user password via a crafted HTTP request. CVE-2026-20160 affects Smart Software Manager On‑Prem and can enable remote command execution as root due to an exposed internal service. Cisco provided fixed releases and urges customers to update immediately; there are no known in-the-wild exploits to date.
read more →

Pre-auth RCE Chain in Progress ShareFile Storage Zones

🔓 Researchers at watchTowr disclosed two critical flaws in Progress ShareFile Storage Zones Controller (SZC): an authentication bypass (CVE-2026-2699) and a remote code execution via file upload/extraction (CVE-2026-2701). The issues can be chained to grant unauthenticated access to the admin interface, modify zone configuration, and deploy ASPX webshells to the application webroot. Progress issued a patch in ShareFile 5.12.4 on March 10; administrators should apply it immediately given thousands of internet-exposed SZC instances.
read more →