< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2062 articles · page 40 of 104

n8n OAuth misconfig allows stored XSS, credential risk

⚠️ Researchers at Imperva disclosed a configuration weakness in the OAuth credential handling of n8n that fails to sanitize the authorization URL, enabling a stored XSS payload to be saved in the application database. An attacker with access to a victim's n8n instance can replace a legitimate URL with malicious JavaScript that executes when other users interact with the same credential. Because the payload is persistent, it can expose multiple OAuth credentials and enable broader system compromise. The flaw was fixed in n8n v2.6.4 on February 6.
read more →

CISA Flags iOS Flaws Exploited by Coruna Exploit Kit

🛡️ CISA has ordered federal agencies to patch three iOS vulnerabilities targeted by the Coruna exploit kit, which bundles multiple chains for at least 23 iOS flaws. Google researchers say Coruna provides PAC bypass, sandbox and PPL escapes, WebKit remote code execution and kernel elevation. Exploits are mitigated on recent iOS releases and can be blocked by private browsing or Lockdown Mode. CISA added the flaws to its KEV list and set a March 26 remediation deadline under BOD 22-01, urging organizations to prioritize fixes.
read more →

CISA Adds Hikvision and Rockwell Flaws to KEV Catalog

🔒 CISA added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog affecting Hikvision and Rockwell Automation. CVE-2017-7921 (CVSS 9.8) is an improper authentication flaw that can enable privilege escalation and exposure of sensitive information in multiple Hikvision products. CVE-2021-22681 (CVSS 9.8) involves insufficiently protected credentials in Studio 5000 Logix Designer, RSLogix 5000 and Logix Controllers, which can allow an unauthorized network user to bypass verification and modify controller configuration or application code. SANS has detected exploit attempts targeting vulnerable Hikvision cameras; there are no public reports of active attacks exploiting the Rockwell issue. Federal civilian agencies are required to update to supported software by March 26, 2026 under BOD 22-01, and CISA urges all organizations to prioritize remediation of KEV-listed vulnerabilities.
read more →

Critical WordPress plugin bug lets attackers create admins

⚠️ A critical vulnerability in the User Registration & Membership WordPress plugin (CVE-2026-1492, CVSS 9.8) is being actively exploited to create unauthenticated administrator accounts. The flaw allows attackers to supply a role during membership registration and obtain full admin privileges. Defiant's Wordfence blocked over 200 exploit attempts in the past 24 hours, indicating live attacks. WPEverest released a fix in 5.1.3 (the article notes 5.1.4 was released last week); update immediately or disable the plugin until you can patch.
read more →

Cisco issues emergency patches for critical firewall flaws

🚨 Cisco released its March 4 semiannual firewall update addressing 25 security advisories and 48 CVEs, led by two “perfect 10” flaws in Secure Firewall Management Center (FMC). CVE-2026-20079 (authentication bypass) and CVE-2026-20131 (insecure deserialization) both carry CVSS scores of 10 and can yield unauthenticated root access via the web management interface. Cisco reports no known exploitation yet and offers no workarounds; administrators should remove public FMC exposure until patches can be applied.
read more →

Cisco Confirms Active Exploitation of SD‑WAN Manager Flaws

🔔Cisco has confirmed active exploitation of two vulnerabilities in Catalyst SD‑WAN Manager (formerly SD‑WAN vManage). CVE-2026-20122 (CVSS 7.1) permits an authenticated remote attacker with valid read‑only API credentials to overwrite arbitrary files on the local filesystem, while CVE-2026-20128 (CVSS 5.5) could allow an authenticated user to obtain Data Collection Agent (DCA) privileges. Cisco has released fixes across affected 20.x releases and urges immediate upgrades and mitigations such as restricting access, disabling HTTP, securing appliances behind firewalls, changing default passwords, and monitoring logs for unexpected activity.
read more →

ContextCrush Flaw Risks AI Development Tool Supply

🛡️ Security researchers from Noma Labs disclosed a critical vulnerability in the Context7 MCP Server used by Upstash to deliver library documentation to AI coding assistants. The flaw, named ContextCrush, allowed unfiltered "Custom Rules" to be served directly to AI agents, enabling malicious instructions to be executed within developers' environments. Context7 is widely used—boasting around 50,000 GitHub stars and over 8 million npm downloads—and integrates with assistants such as Cursor, Claude Code and Windsurf, increasing potential exposure. Upstash deployed rule sanitisation and additional safeguards after disclosure; there is no evidence of active exploitation.
read more →

Coruna Exploit Kit Targets Older iPhones in Campaigns

🔐 Researchers at Google's Threat Intelligence Group disclosed the Coruna exploit kit, a complex toolkit that compromises Apple iPhones running iOS 13.0 through 17.2.1 using multiple chained vulnerabilities. The framework contains five full exploit chains and 23 distinct flaws, and includes device fingerprinting, automatic WebKit exploit selection and mitigation bypasses. A final-stage loader called PlasmaLoader focuses on extracting financial data such as QR codes and cryptocurrency recovery phrases. Google recommends updating to the latest iOS release or enabling Lockdown Mode when updates aren’t possible.
read more →

CISA Adds Five Vulnerabilities to KEV Catalog, March 2026

🔔 CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The new entries affect Hikvision, Rockwell, and multiple Apple products and include CVE-2017-7921, CVE-2021-22681, CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000. Under BOD 22-01 Federal Civilian Executive Branch agencies must remediate listed CVEs by the required due dates; CISA strongly urges all organizations to prioritize timely remediation to reduce exposure to common attack vectors.
read more →

Delta CNCSoft-G2 Out-of-Bounds Write Vulnerability

🛡️ An Out‑of‑Bounds Write vulnerability in the DOPSoft DPAX parser of CNCSoft‑G2 (CVE‑2026‑3094) can lead to remote code execution on affected devices. The flaw affects versions prior to V2.1.0.39 and has a CVSS v3.1 score of 7.8 (High). Although exploitation requires local access and is not remotely exploitable, Delta recommends updating to V2.1.0.39 to remediate the issue and CISA advises reducing network exposure and following ICS security best practices.
read more →

Zero-click RCE in FreeScout urges immediate patching

⚠️ Ox Security has disclosed a zero-click remote code execution (RCE) vulnerability affecting FreeScout, tracked as CVE-2026-28289 (Mail2Shell), which bypasses an earlier fix (CVE-2026-27636). By sending a single crafted email to any address configured in FreeScout, an attacker can execute code on the server without authentication and without any user interaction. Ox warned thousands of instances may be exposed and urged immediate upgrades to v1.8.207 or later. Administrators are also advised to disable AllowOverrideAll in Apache on affected servers.
read more →

Cisco Flags More Catalyst SD-WAN Flaws as Actively Exploited

🔔 Cisco has warned that two additional Catalyst SD-WAN Manager vulnerabilities — a high-severity arbitrary file overwrite (CVE-2026-20122) and a medium-severity information disclosure flaw (CVE-2026-20128) — are being actively exploited. The file-overwrite vulnerability can be triggered remotely by attackers with valid read-only API credentials; the information-disclosure issue requires local vManage credentials. Cisco says the flaws affect the software regardless of device configuration and urges administrators to upgrade to fixed releases immediately.
read more →

Cisco Releases Patches for 48 Firewall Vulnerabilities

🔒 Cisco has published 25 joint advisories addressing 48 vulnerabilities across its Secure Firewall ASA, Secure FMC and FTD product lines. The two most critical flaws, CVE-2026-20079 and CVE-2026-20131, are rated CVSS 10 and impact Secure FMC, enabling authentication bypass and remote code execution respectively. The auth bypass can be triggered with crafted HTTP requests against a boot-created system process, while the RCE stems from insecure deserialization of a user-supplied Java byte stream to the web management interface. There are no workarounds; Cisco urges customers to install the fixed software and the bundle also addresses 15 high and 31 medium severity issues.
read more →

Mail2Shell zero-click bypass allows FreeScout server takeover

⚠️ A newly disclosed maximum-severity flaw, CVE-2026-28289, enables zero-click remote code execution against FreeScout by defeating filename validation. Researchers at OX Security found that inserting a zero-width space (U+200B) before a filename bypasses the prior patch, allowing an attacker to upload a .htaccess-style payload that is later processed as a dotfile. The uploaded file can be reached via the platform's /storage/attachment/ path and used to execute commands without authentication. FreeScout 1.8.207 fixes the bypass; admins should update immediately and consider disabling AllowOverrideAll in Apache.
read more →

Windows 10 KB5075039 Fixes Recovery Environment Issue

🔧 Microsoft released KB5075039 to repair a Windows 10 Recovery Environment (WinRE) startup failure caused by the October update KB5068164. The patch restores WinRE access for affected systems. Installation requires the WinRE partition to be at least 256 MB; administrators should back up drives before resizing partitions and follow Microsoft's manual resizing instructions.
read more →

Cisco Patches Maximum-Severity Flaws in Secure FMC

🔒 Cisco has released updates for two maximum-severity vulnerabilities in Cisco Secure FMC that allow unauthenticated remote attackers to obtain root on affected systems. CVE-2026-20079 is an authentication-bypass flaw exploitable via crafted HTTP requests to gain root, while CVE-2026-20131 is a remote code execution vulnerability triggered by a crafted serialized Java object that can execute arbitrary Java code as root. Cisco also patched dozens of other issues and says its PSIRT has no evidence these flaws are being actively exploited.
read more →

CISA Adds VMware Aria Operations RCE to KEV Catalog

⚠️ CISA has added a high‑severity VMware Aria Operations flaw, CVE-2026-22719, to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation; the issue is an unauthenticated command injection that can allow arbitrary command execution and potential remote code execution. Broadcom released fixes for VMware Cloud Foundation, vSphere Foundation 9.0.2.0 and Aria Operations 8.18.6, and provided a shell-script workaround (aria-ops-rce-workaround.sh) for appliance nodes. Public details of in‑the‑wild exploitation and attribution remain scarce. Federal civilian agencies must apply the fixes by March 24, 2026.
read more →

CISA Flags VMware Aria Operations RCE as Exploited

🚨 CISA has added a VMware Aria Operations command injection flaw (CVE-2026-22719) to its Known Exploited Vulnerabilities catalog and is treating the issue as exploited in attacks. Broadcom says it is aware of reports of exploitation but cannot independently confirm them. VMware released patches on February 24 and provided a temporary workaround script (aria-ops-rce-workaround.sh) that disables vulnerable migration components; administrators should apply the updates or the workaround immediately.
read more →

OAuth redirect abuse lets phishers hide malicious pages

🔗 Microsoft warns attackers are abusing a legitimate OAuth redirect behavior to send victims from trusted identity-provider endpoints—like Microsoft Entra ID and Google Workspace—to attacker-controlled landing pages. Phishing lures such as e-signature requests, HR notices, Teams invites and password resets embed links that point to real authorization endpoints but use broken parameters (for example, prompt=none plus invalid scopes) so the provider silently redirects to a malicious URI. Microsoft has disabled multiple malicious OAuth apps, published client IDs and initial redirect IOCs, and supplied KQL hunting queries for Defender XDR customers. Analysts say the old advice to “hover and check the link” is no longer sufficient and urge validating context and tightening OAuth governance.
read more →

Hitachi Energy RTU500 Firmware Vulnerabilities Identified

🔒 Hitachi Energy disclosed multiple vulnerabilities in the RTU500 series CMU firmware that may reveal limited user-management data or cause device outages. The issues span improper permission handling, input validation gaps, uncontrolled recursion, and unbounded memory allocation, with CVSS scores up to 7.5. Vendor fixes are available — update to CMU Firmware 12.7.8, 13.7.8 (or later), or 13.8.2 as applicable — and apply recommended network mitigations until devices are patched.
read more →