< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2061 articles · page 34 of 104

Schneider Electric Foxboro DCS Deserialization Flaw Patched

🔒 Schneider Electric has disclosed a deserialization of untrusted data vulnerability (CVE-2026-1286) impacting EcoStruxure Foxboro DCS versions prior to CS 8.1. An authenticated administrative user who opens a malicious project file could compromise confidentiality and integrity and potentially achieve remote code execution on a workstation (CVSS 3.1: 6.5). Schneider released CS 8.1 which requires FX-V3 licenses and a reboot; standard upgrade procedures apply. Until patched, follow mitigations such as restricting files to trusted sources, enforcing least privilege, and isolating DCS networks.
read more →

Pharos Controls Mosaic Show Controller Critical RCE

🛡️ Pharos Controls Mosaic Show Controller firmware 2.15.3 contains a Missing Authentication for Critical Function vulnerability (CVE-2026-2417) that can allow an unauthenticated attacker to execute arbitrary commands with root privileges. The flaw has a CVSS v3.1 base score of 9.8 (Critical). Pharos Controls recommends upgrading to version 2.16 or later and isolating controllers from public networks.
read more →

Schneider Electric Plant iT/Brewmaxx: Critical Redis Flaws

🔒 Schneider Electric and ProLeiT disclosed several Redis-related vulnerabilities in Plant iT/Brewmaxx that could permit privilege escalation and, in some cases, remote code execution. The issues stem from embedded Redis 8.2.1 (and earlier) instances and include use-after-free, integer overflow, and code-injection vectors. Schneider and ProLeiT recommend installing patch ProLeiT-2025-001, disabling Redis eval commands, applying secure Redis configuration templates, and restarting patched systems while following recommended ICS cybersecurity practices.
read more →

Memory Leak in Grassroots DICOM 3.2.2 Could Cause DoS

⚠ The Grassroots DICOM (GDCM) 3.2.2 library contains a memory leak vulnerability (CVE-2026-3650) that can be triggered by parsing specially crafted DICOM files with non-standard VR types. Successful exploitation can cause extensive heap allocations that are not released, producing resource exhaustion and a denial-of-service condition. This issue is rated High with a CVSS v3.1 base score of 7.5. Users should follow defensive best practices and monitor vendor distribution channels for updates.
read more →

Citrix Urges Immediate Patching of Critical NetScaler Flaw

⚠ Citrix has published updates for NetScaler ADC and NetScaler Gateway to fix two vulnerabilities, including a critical memory overread (CVE-2026-3055) that can leak sensitive information from appliance memory. Exploitation requires specific configurations—SAML IdP for CVE-2026-3055 and gateway or AAA roles for CVE-2026-4368. Affected builds include 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23; customers should inspect configurations and apply patches immediately.
read more →

VoidStealer bypasses Chrome ABE to steal browser secrets

🔐 Researchers have identified a new infostealer called VoidStealer that bypasses Chrome's Application-Bound Encryption (ABE) to exfiltrate stored passwords, cookies, and tokens. Unlike prior ABE bypasses that relied on code injection or elevated privileges, VoidStealer attaches as a debugger and uses hardware breakpoints to capture the v20_master-key at the precise moment it appears in plaintext. The malware can fall back to injection-based methods but prioritizes the stealthy debugger technique. Defenders should monitor for debugger attachments, unexpected memory reads, and anomalous Chrome process activity.
read more →

CISA Orders US Agencies to Patch Critical Cisco FMC Flaw

🔒 CISA has directed all federal civilian agencies to urgently patch a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) — tracked as CVE-2026-20131 with a CVSS score of 10. Cisco released a fix on 4 March after reports that the Interlock ransomware group had been exploiting the flaw as a zero day. Agencies were given just three days after KEV listing to patch or discontinue use due to active ransomware campaigns.
read more →

CISA Orders Federal Patch for DarkSword iOS Flaws Now

🔒 CISA ordered U.S. federal agencies to patch three iOS vulnerabilities exploited by the DarkSword exploit kit, imposing a two-week deadline under BOD 22-01. Apple has released fixes and the flaws now only affect iPhones running iOS 18.4 through 18.7. Researchers linked DarkSword to multiple threat groups and to data-stealing malware families including GhostBlade, GhostKnife, and GhostSaber.
read more →

Microsoft issues KB5085516 to fix account sign-in bug

🔧 Microsoft released an out-of-band update, KB5085516, to fix a sign-in failure that prevented Microsoft account authentication in multiple apps after the March cumulative update KB5079473. Affected apps included Microsoft Edge, Teams, OneDrive, Microsoft 365 Copilot and Office apps, which reported the device was not connected to the Internet. The optional fix is available for Windows 11 25H2 and 24H2 via Windows Update or the Microsoft Update Catalog, and Microsoft recommends installing the latest updates.
read more →

Attackers Exploit CVE-2025-32975 to Hijack KACE SMA

🚨 Arctic Wolf reported exploitation of CVE-2025-32975 (CVSS 10.0), an authentication-bypass in Quest KACE Systems Management Appliance (SMA), against internet-exposed instances beginning the week of March 9, 2026. Attackers impersonated administrative users, executed remote commands to download Base64 payloads via curl from an external host, and created additional admin accounts using runkbot.exe. Observed post-compromise activity included Windows Registry modifications, credential harvesting with Mimikatz, reconnaissance, and RDP access to backup systems and domain controllers. Administrators should apply the May 2025 fixes and avoid exposing SMA directly to the internet.
read more →

Oracle patches critical RCE in Identity and Web Services

🔒 Oracle has released fixes for a critical pre-authentication remote code execution flaw, CVE-2026-21992, affecting Oracle Identity Manager and Oracle Web Services Manager. The issue carries a CVSS score of 9.8 and is described by NVD as "easily exploitable" over HTTP by unauthenticated attackers. Oracle says the flaw can enable full takeover of vulnerable instances and urges customers to apply updates immediately.
read more →

KEV: CISA Lists Apple, Craft CMS and Laravel Flaws

⚠️ CISA has added five actively exploited vulnerabilities affecting Apple, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to patch them by April 3, 2026. The flaws include high‑severity memory corruption bugs in Apple WebKit and kernel components and critical code injection issues in Craft and Laravel that were fixed in 2025. Security researchers have observed exploitation linked to the DarkSword iOS exploit kit and campaigns attributed to MuddyWater.
read more →

Oracle issues emergency patch for Identity Manager RCE

🛡️ Oracle has released an out-of-schedule security update to fix a critical unauthenticated remote code execution vulnerability, tracked as CVE-2026-21992, that affects Oracle Identity Manager and Oracle Web Services Manager. Oracle says the flaw is low complexity, exploitable remotely over HTTP without authentication or user interaction. The company strongly recommends applying patches or mitigations immediately and notes fixes via the Security Alert program are limited to supported versions.
read more →

Critical Langflow RCE (CVE-2026-33017) Exploited Fast

⚠️ The Langflow open-source tool contains a critical vulnerability, CVE-2026-33017 (CVSS 9.3), that allows unauthenticated remote code execution via a POST endpoint that accepts attacker-supplied Python in the request payload. The flaw affects all versions up to and including 1.8.1 and is addressed in the development branch (1.9.0.dev8). Exploitation was observed within 20 hours of public disclosure; operators should apply updates, rotate secrets, and restrict access immediately.
read more →

CISA Orders Feds to Patch Critical Cisco FMC Flaw by Sunday

⚠️ CISA has directed Federal Civilian Executive Branch agencies to patch CVE-2026-20131 in Cisco Secure Firewall Management Center by Sunday, March 22, citing active exploitation and maximum severity. Cisco says the web-based management interface suffers insecure deserialization that can allow an unauthenticated remote attacker to execute arbitrary Java code as root. The vendor published updates and warned there are no available workarounds; administrators should apply fixes immediately.
read more →

CISA Adds Five Vulnerabilities to KEV Catalog — Mar 20, 2026

🔔 CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on March 20, 2026: CVE-2025-31277, CVE-2025-32432, CVE-2025-43510, CVE-2025-43520, and CVE-2025-54068. The flaws affect multiple Apple products, Craft CMS, and Laravel Livewire and include buffer overflows, improper locking, and code injection risks. BOD 22-01 requires FCEB agencies to remediate listed CVEs; CISA urges all organizations to prioritize mitigation as part of routine vulnerability management.
read more →

Magento 'PolyShell' REST API Flaw Affects 2.x Releases

⚠ Sansec has disclosed a critical file upload vulnerability dubbed PolyShell in Magento's REST API that can let unauthenticated attackers upload arbitrary executables and achieve remote code execution or account takeover. The flaw stems from how custom product options accept a base64-encoded file_info object and write files to pub/media/custom_options/quote/. Adobe applied a fix in the 2.4.9 pre-release (APSB25-94), but most production stores remain unpatched; operators should restrict and block access to the upload directory, verify nginx/Apache rules, scan for web shells, and consider a specialized WAF.
read more →

KB5079473: March Windows 11 Update Breaks Sign-Ins

🛠️ Microsoft says the March Windows 11 cumulative update KB5079473 causes Microsoft account sign-in failures across multiple apps, including Teams, OneDrive, Edge, Excel, Word and Microsoft 365 Copilot. Affected apps display an erroneous message indicating the device is offline even when connected. Microsoft recommends restarting affected devices while they remain online as a temporary workaround while it works on a fix. Business sign-ins using Entra ID are not impacted.
read more →

Apple Warns Older iPhones Vulnerable to Web Exploit Kits

🔒 Apple is urging users on older versions of iOS to update immediately after reporting that web-based exploit kits such as Coruna and DarkSword have been used to deliver data-stealing malware via compromised sites. Apple says devices running the latest releases (iOS 15 through 26) are not affected, and has released targeted patches for legacy hardware. For devices that cannot be updated, Apple recommends specific interim updates and enabling Lockdown Mode to reduce exposure.
read more →

Low-cost KVM-over-IP Flaws Risk Remote Network Takeover

🔒 Researchers discovered nine critical vulnerabilities across several low-cost KVM-over-IP units, including Angeet/Yeeso, GL-iNet, Sipeed, and JetKVM. Flaws range from unauthenticated file uploads and command injection to weak firmware verification and exposed debugging interfaces, enabling pre-authentication root takeover on some devices. Eclypsium warns these inexpensive, Linux-based single-port KVMs are increasingly common in business and pose outsized risks if exposed directly to networks.
read more →