< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2061 articles · page 36 of 104

Interlock Ransomware Exploits Cisco FMC Zero-Day Campaign

🛡️ Amazon Threat Intelligence identified an active Interlock ransomware campaign exploiting CVE-2026-20131 in Cisco Secure Firewall Management Center, with exploitation observed beginning January 26, 2026—36 days before Cisco publicly disclosed the flaw on March 4, 2026. A misconfigured attacker-controlled staging server exposed Interlock's full operational toolkit, including custom remote access trojans, reconnaissance scripts, a fileless Java webshell, and infrastructure-laundering scripts. Organizations running Cisco Secure FMC should immediately apply Cisco patches, review the provided indicators of compromise, and hunt for signs of lateral movement and data staging.
read more →

Ubuntu Desktop Flaw Allows Local Elevation to Root

⚠ A local privilege escalation vulnerability (CVE-2026-3888) affects default installations of Ubuntu Desktop 24.04 and later, enabling attackers with low-level access to obtain full root privileges. The flaw stems from an interaction between snap-confine and systemd-tmpfiles that enables a timing-based attack leveraging automated temporary-file cleanup. Exploitation requires patience due to a built-in 10–30 day cleanup window, but no user interaction is needed; Qualys rated the issue CVSS 7.8 and urges immediate upgrade to patched snapd releases.
read more →

CISA Adds CVE-2026-20963 to Known Exploited Vulnerabilities

⚠️ CISA has added CVE-2026-20963 — a Microsoft SharePoint deserialization of untrusted data vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after observing active exploitation. This class of flaw is a frequent attack vector that can allow malicious actors to execute code or manipulate data when untrusted input is deserialized. CISA reminds Federal Civilian Executive Branch agencies that BOD 22-01 requires remediation by the assigned due dates and strongly urges all organizations to prioritize timely fixes.
read more →

CISA Urges Hardening of Endpoint Management Systems

🔒 CISA warns of malicious activity targeting endpoint management systems following the March 11, 2026 attack against Stryker Corporation that affected its Microsoft environment. The agency urges organizations to harden endpoint management configurations and adopt Microsoft’s newly released best practices for securing Microsoft Intune, while applying those principles to other endpoint management tools. Key recommended controls include RBAC-based least-privilege administrative roles, phishing-resistant MFA and privileged access hygiene using Microsoft Entra ID, and configuring Multi Admin Approval policies for high-impact actions such as device wipes, application and script changes, and RBAC modifications.
read more →

CISA Adds One Vulnerability to Known Exploited Catalog

🔔 CISA added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog — CVE-2025-66376, a cross-site scripting (XSS) issue in Synacor Zimbra Collaboration Suite (ZCS). Evidence indicates active exploitation, prompting inclusion under BOD 22-01 guidance. While the binding directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize remediation. CISA will continue to update the KEV Catalog as new exploited vulnerabilities are identified.
read more →

Nine IP KVM Vulnerabilities Allow Remote Full Host Control

🔒 Eclypsium researchers disclosed nine vulnerabilities in low-cost IP KVM devices from GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM. The most severe flaws can allow unauthenticated attackers to gain root or execute arbitrary code and operate at BIOS/UEFI levels, enabling keystroke injection, booting from removable media, and persistence beyond OS defenses. Some vendors have issued firmware fixes, but critical issues in Angeet ES3 remain unpatched. Administrators should apply available updates, isolate KVMs, and enforce stronger access controls.
read more →

Ubuntu CVE-2026-3888: snap-confine Privilege Escalation

⚠️ A high-severity vulnerability tracked as CVE-2026-3888 affects default Ubuntu Desktop installations starting with 24.04, allowing an unprivileged local attacker to escalate to root by abusing the interaction between snap-confine and systemd-tmpfiles. The exploit relies on a timing window (roughly 10–30 days) in which systemd-tmpfiles removes stale /tmp entries, enabling an attacker to recreate sandbox directories with malicious payloads that are later bind-mounted as root. Ubuntu and upstream snapd have released patches; administrators should upgrade snapd and follow vendor guidance to mitigate exposure.
read more →

Apple issues WebKit fix via Background Security Improvements

🔒 Apple has issued Background Security Improvements to address CVE-2026-20643, a cross-origin flaw in WebKit's Navigation API that could be exploited to bypass the same-origin policy when processing maliciously crafted web content. Apple fixed the issue by improving input validation and shipped patches in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Researcher Thomas Espach is credited with the report. Users should keep Automatically Install enabled in Settings > Privacy and Security to receive these lightweight fixes promptly.
read more →

Critical GNU InetUtils telnetd RCE via SLC Overflow

🚨 A critical out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler of GNU InetUtils telnetd (CVE-2026-32746) enables unauthenticated remote attackers to achieve remote code execution as root. Discovered by Dream on March 11, 2026, the flaw affects releases through 2.7 and carries a CVSS score of 9.8. Exploitation can succeed during the initial Telnet handshake with a single connection to port 23; no credentials or user interaction are required. A patch is expected by April 1, 2026; until then, disable Telnet, avoid running telnetd as root, and block port 23.
read more →

Apple issues first Background Security Improvements fix

🔒 Apple has pushed its first Background Security Improvements release to patch a WebKit vulnerability tracked as CVE-2026-20643 on iPhone, iPad, and Mac without requiring a full OS upgrade. The flaw is a cross-origin issue in the Navigation API that could allow malicious web content to bypass the browser's Same Origin Policy, and Apple says it fixed the bug with improved input validation. Credited to researcher Thomas Espach, the update is available on iOS 26.3.1, iPadOS 26.3.1, and macOS 26.3.1/26.3.2; Apple warns that uninstalling Background Security Improvements removes all prior background patches and reverts the device to the baseline OS.
read more →

DNS Exfiltration and RCE Risk in AI Code Sandboxes

🔒 Researchers disclosed that Amazon Bedrock AgentCore Code Interpreter's sandbox mode permits outbound DNS queries, enabling attackers to create bidirectional command-and-control channels and exfiltrate data via DNS despite a "no network access" setting. BeyondTrust rated the issue 7.5/10 and recommends migrating critical workloads to VPC mode and using a Route53 DNS Firewall. Administrators should audit IAM roles and inventory active interpreters immediately.
read more →

Microsoft issues fix for C: drive access on Samsung PCs

🔧 Microsoft and Samsung published recovery guidance to resolve C:\ drive access failures and permission issues impacting some Samsung laptops running Windows 11 (24H2 and 25H2). A joint investigation traced the root cause to the Samsung Galaxy Connect app (also distributed as Samsung Continuity Service), which altered drive permissions. Microsoft briefly removed the app from the Microsoft Store while Samsung released an updated version. The recovery requires signing in as Administrator, uninstalling the app, and running a 29‑step repair routine that restores default Windows permissions via a provided .bat file; the process can take up to 15 minutes and should return C:\ ownership to TrustedInstaller.
read more →

Critical CODESYS Vulnerabilities in Festo Automation Suite

⚠ CISA warns that multiple critical vulnerabilities affect CODESYS components bundled with Festo Automation Suite, including several issues rated CVSS 3.1 9.8. Affected installations include FAS releases prior to 2.8.0.138 and FAS 2.8.0.137 when using CODESYS 3.0 or 3.5.16.10; beginning with FAS 2.8.0.138, CODESYS is no longer bundled and must be installed separately. Vendors recommend updating to CODESYS Development System 3.5.21.20, applying Festo updates, avoiding untrusted project files, and minimizing network exposure of control systems.
read more →

Schneider Electric EcoStruxure DCE: Hard-Coded Credentials

🔒 Schneider Electric disclosed a hard‑coded credentials vulnerability in EcoStruxure IT Data Center Expert (DCE) that can lead to information disclosure and remote compromise when the SOCKS Proxy feature is enabled. Exploitation requires administrative access plus knowledge of PostgreSQL credentials; SOCKS Proxy is disabled by default. The issue is tracked as CVE‑2025‑13957 with a CVSS v3.1 base score of 7.2. Administrators should apply vendor updates or implement interim mitigations per the vendor handbook.
read more →

Critical Modbus TCP Vulnerability in Schneider SCADAPack

⚠️ Schneider Electric has disclosed a critical vulnerability affecting SCADAPack x70 RTUs (including SCADAPack 47xi, 47x, and 57x) that communicates over Modbus TCP. Exploitation could allow remote code execution, denial of service, and loss of confidentiality or integrity. Known affected products include SCADAPack 57x and RemoteConnect versions prior to R3.4.2; vendor fixes are available in RemoteConnect R3.4.2 and SCADAPack firmware 9.12.2. If immediate patching is not possible, implement network segmentation, enable the RTU firewall service, disable the logic debug service, and follow the SCADAPack security guidelines.
read more →

Siemens SICAM SIAPP SDK Multiple Vulnerabilities Patch

🔒 The Siemens SICAM SIAPP SDK contains multiple vulnerabilities that could allow disruption of customer-developed SIAPP components or their simulation environment. Identified impacts include denial of service, stack-based overflows, command injection enabling remote code execution, and unauthorized file deletion. These issues are exploitable primarily when the API is used improperly or when hardening measures are not applied. Siemens has released v2.1.7 to address the flaws and strongly recommends updating, validating updates prior to deployment, and supervising patch rollouts.
read more →

AWS Bedrock Sandbox Allows DNS-Based Isolation Bypass

🔒 BeyondTrust researchers demonstrated that the Sandbox mode in AWS Bedrock AgentCore Code Interpreter permits outbound DNS A/AAAA queries that can be abused to create a bidirectional covert channel. By encoding data in DNS requests and responses they showed both data exfiltration and an interactive reverse shell without triggering network restrictions. AWS reproduced the report but characterized the behavior as intended and updated documentation rather than issuing a patch.
read more →

Windows 11 hotpatch fixes Bluetooth device visibility issue

🔧 Microsoft released an out-of-band hotpatch (KB5084897) to address a Bluetooth device visibility problem impacting hotpatch-enabled Windows 11 Enterprise systems. Connected Bluetooth peripherals may not appear in Settings or Quick Settings, and users might be unable to add new devices because available devices are not listed. The update targets Windows 11 25H2 and 24H2, installs automatically on eligible Enterprise clients, and requires no restart.
read more →

Microsoft: Teams Meeting Add-in Breaks Outlook Classic

⚠️ Microsoft warns that enabling the Microsoft Teams Meeting Add-in can render the classic Outlook desktop client unusable for affected users, according to an admin center notice (EX1254044). The company says the problem is tied to a previous Outlook build and is working with customers to ensure the latest version is deployed. As a temporary fix, impacted users should update Outlook or run an Online Repair for click-to-run installs, which reinstalls Office apps.
read more →

CISA Flags Actively Exploited Wing FTP Info Leak Patch

⚠️ CISA has added a medium-severity information-disclosure bug, CVE-2025-47813, affecting Wing FTP to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The flaw can leak the application's installation path when a long value is supplied in the UID session cookie and impacts versions up to 7.4.3. Vendor fixes were released in May with Wing FTP 7.4.4, which also addresses a separate critical RCE (CVE-2025-47812). Federal agencies are advised to apply updates by March 30, 2026.
read more →