
All news in category “Security Advisory and Patch Watch”


Critical sandbox escape flaws allow RCE in n8n instances

🔓 Two sandbox-escape vulnerabilities in the n8n workflow automation platform allow authenticated users to execute arbitrary code and potentially take full control of affected instances. JFrog researchers disclosed CVE-2026-1470, a JavaScript AST sandbox bypass that can resolve to Function and execute code in the main node, and CVE-2026-0863, a Python AST bypass that abuses format-string introspection and Python 3.10+ behavior to regain restricted builtins and run OS commands. CVE-2026-1470 was rated critical (9.9) because it grants execution in the main node; both issues affect self-hosted deployments while n8n Cloud has been mitigated. Fixes are available in specific 1.x and 2.x releases and users should upgrade immediately.

OpenSSL patches 12 vulnerabilities discovered by AISLE

🔒 A coordinated security update addressed 12 previously unknown vulnerabilities in OpenSSL, disclosed by AISLE through a coordinated process with project maintainers. The issues span multiple subsystems — from legacy CMS parsing to QUIC and post-quantum signature handling — and include a high-severity stack buffer overflow in CMS AuthEnvelopedData that could enable remote code execution under specific conditions. Remediation included fixes merged into releases and six additional issues resolved before reaching users.

Critical n8n Sandbox Flaws Allow Remote Code Execution

⚠️ Two vulnerabilities in n8n sandboxing allow authenticated users to achieve remote code execution by bypassing JavaScript and Python sandbox controls. JFrog Security Research disclosed CVE-2026-1470 (CVSS 9.9) affecting the JavaScript expression engine and CVE-2026-0863 (CVSS 8.5) targeting Python execution in the Code node. Both issues exploit gaps in AST validation and require the ability to create or modify workflows, enabling attackers to access environment variables and run system-level commands. Users should upgrade immediately to the patched releases listed by the vendor.

SolarWinds Patches Critical Web Help Desk RCE and Bypass

🔒 SolarWinds released updates for Web Help Desk to address critical authentication bypass and remote code execution vulnerabilities, including CVE-2025-40551, CVE-2025-40552 and CVE-2025-40553. Reported by researchers at watchTowr and Horizon3.ai, the flaws allow unauthenticated attackers to bypass authentication and execute commands via deserialization and other vectors. Administrators should upgrade to Web Help Desk 2026.1 immediately to mitigate risk.

Critical vm2 Node.js Vulnerability Enables Sandbox Escape

⚠️ A critical sandbox escape in vm2 (CVE-2026-22709) can allow execution of arbitrary code on the host by bypassing Promise handler sanitization. Endor Labs researchers Peyton Kennedy and Cris Staicu reported that async functions return global Promise objects whose then and catch handlers were not properly sanitized, creating an escape vector. The flaw carries a CVSS score of 9.8 and was addressed in vm2 3.10.2; the article cites 3.10.3 with additional fixes. Users are urged to update and consider stronger isolation alternatives such as isolated-vm or container-level separation.

EncystPHP Web Shell Exploits FreePBX Endpoint Manager

🛡️ FortiGuard Labs discovered EncystPHP, a sophisticated PHP web shell exploiting FreePBX via CVE-2025-64328. The campaign, linked to activity attributed to INJ3CTOR3, deploys droppers that create root accounts, inject SSH keys, alter cron jobs for persistence, and remove competing shells. Infected hosts enable remote command execution and abuse of PBX telephony resources. Fortinet offers detections and IPS coverage to mitigate the threat.

Two High-Severity n8n Flaws Allow Remote Code Execution

⚠️ Researchers disclosed two high-severity eval-injection vulnerabilities in n8n that can bypass sandboxing and enable remote code execution. JFrog Security Research identified CVE-2026-1470 (JavaScript eval, CVSS 9.9) and CVE-2026-0863 (Python eval, CVSS 8.5), which can compromise instances even in internal execution mode. Users should update to the patched releases listed by the vendor without delay.

Fortinet guidance: ongoing CVE-2026-24858 SSO bypass

🔒 Fortinet released guidance after disclosure of CVE-2026-24858, an authentication bypass in FortiCloud single sign-on (SSO) that can allow an attacker with a FortiCloud account to access devices registered to other users. The flaw affects multiple products including FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer. Fortinet temporarily disabled FortiCloud SSO on Jan. 26, 2026 and restored the service with mitigations on Jan. 27; CISA added the CVE to its KEV Catalog and urges operators to check for indicators of compromise and apply vendor updates immediately.

Critical FortiCloud SSO Zero-Day Forces Emergency Fix

⚠️ Fortinet disclosed a critical authentication-bypass zero-day (CVE-2026-24858) that affects FortiCloud SSO and can let attackers compromise FortiGate, FortiManager, and FortiAnalyzer devices. The vendor temporarily disabled FortiCloud SSO globally on Jan 26 to stop active exploitation and re-enabled it Jan 27 with server-side blocking that prevents logins from vulnerable firmware. FortiOS 7.4.11 is available and additional patched releases are being rolled out; most fixes are still listed as "upcoming."

Google: WinRAR CVE-2025-8088 Actively Exploited Widely

⚠️ Google’s Threat Intelligence Group warns that multiple actors — including state-backed clusters from Russia and China and financially motivated groups — are actively exploiting CVE-2025-8088, a WinRAR path-traversal bug patched in WinRAR 7.13. Attackers craft malicious archives that drop payloads into the Windows Startup folder (often via ADS-hidden LNKs) to achieve persistence and execute on login. Google advises upgrading to WinRAR 7.13+, monitoring Startup items and alternate data streams, and blocking malicious archive extraction.

Fortinet fixes FortiOS SSO bypass in active exploitation

🔒 Fortinet has released security updates to address a critical authentication bypass (CVE-2026-24858) affecting FortiOS, FortiManager, and FortiAnalyzer. The flaw allows a FortiCloud account with a registered device to access other devices when FortiCloud SSO is enabled, enabling creation of local admin accounts and configuration changes. Fortinet locked malicious FortiCloud accounts, temporarily disabled SSO, and urges customers to update firmware, audit configurations, and rotate credentials.

Patches Issued for Critical Microsoft Office Zero-Day

🔒 Microsoft warns administrators of a critical Office security-bypass zero-day, CVE-2026-21509, that is being actively exploited. The flaw leverages legacy OLE document support to bypass protections similar to Office macros, enabling code execution when a user opens a malicious file. Microsoft has released fixes — automatic for Office 2021 and later, and separate updates for Office 2016 and 2019 — and notes affected applications must be restarted for patches to take effect.

Fortinet blocks exploited FortiCloud SSO zero-day; patch due

🔒 Fortinet confirmed a critical FortiCloud SSO authentication bypass (CVE-2026-24858) actively exploited to gain administrative access to customer devices. The company has implemented server-side mitigations that block SSO logins from vulnerable firmware versions while patches for FortiOS, FortiManager, and FortiAnalyzer are developed. Administrators are advised to review accounts and credentials; disabling SSO remains an optional mitigation.

WinRAR path-traversal flaw exploited by many hackers

🔒 Security researchers report that the high-severity CVE-2025-8088 path traversal in WinRAR is being actively exploited by both state-sponsored and criminal groups to gain initial access. The flaw leverages Alternate Data Streams (ADS) inside archives to hide payloads and uses directory traversal to drop LNK, HTA, BAT, CMD or script files, frequently into the Windows Startup folder for persistence. ESET and Google observed campaigns beginning in July 2025 and continuing into 2026, tied to actors such as RomCom, Turla and APT44 as well as financially motivated operators. Organizations should apply patches, monitor ADS/archive extraction behavior, and block or alert on suspicious startup items.

Pyodide Sandbox Escape Enables RCE in Grist-Core SaaS

⚠️ A critical sandbox escape in Pyodide used by Grist-Core allows remote code execution from a single malicious spreadsheet formula. Discovered by Cyera Research Labs and rated CVSS 9.1, the flaw leverages Python's object model, ctypes and exposed Emscripten runtime hooks to traverse from cell data into host runtimes. Grist patched the issue in v1.7.9 by running Pyodide under Deno and adding permission-based isolation; operators should upgrade promptly and treat formula execution as a privileged capability.

Critical sandbox escape in vm2 Node.js library patched

⚠️ A critical sandbox-escape vulnerability (CVE-2026-22709) was discovered in the vm2 Node.js sandbox library that allows untrusted code to break out of the sandbox and execute commands on the host. The flaw stems from improper sanitization of Promise.prototype.then and Promise.prototype.catch callbacks for asynchronous code, enabling trivial exploitation. Maintainer Patrik Šimek issued sequential fixes in 3.10.1 and 3.10.2 and says 3.10.3 addresses disclosed issues; users should upgrade immediately.

6,000+ SmarterMail Servers Exposed to Hijacking Attacks

🔒 Shadowserver has identified over 6,000 internet-exposed SmarterMail servers likely vulnerable to a critical authentication bypass that enables unauthenticated attackers to hijack administrator accounts. The issue was reported to SmarterTools on January 8 and patched in build 9511 on January 15; it was later assigned CVE-2026-23760. A permissive force-reset-password endpoint accepts anonymous requests and fails to verify the existing password or a reset token, allowing an attacker who knows an administrator username to reset credentials and achieve full administrative compromise and potential remote code execution. Organizations should confirm they have applied the vendor update or recommended mitigations and audit logs for unauthorized resets or other indicators of compromise.

Schneider Electric Zigbee Products Vulnerable to DoS

⚠️ Schneider Electric has identified multiple denial-of-service vulnerabilities in Zigbee products that use the Silicon Labs EmberZNet stack. Affected items include a broad set of Wiser, Iconic, Fuga and other connected modules. A malicious device joining a Zigbee network could trigger buffer overflows or uncontrolled resource consumption, leading to device unavailability. Customers should restrict network joins, use unique install codes and non-default keys, close pairing windows promptly, and follow Schneider Electric and CISA mitigations to reduce exploitation risk.

Critical ibaPDA File-System Permission Vulnerability

⚠️ A critical vulnerability (CVE-2025-14988) in iba Systems ibaPDA 8.12.0 permits unauthorized file-system actions that can affect confidentiality, integrity, and availability; CISA assigns a CVSS v3.1 base score of 9.8. Siemens reported the issue and the vendor has released ibaPDA 8.12.1 as a remediation. If immediate updating is not possible, vendor-recommended mitigations include enabling User Management and setting a strong admin password, configuring Server Access Manager to restrict access (for example to 127.0.0.1 or specific system IPs), disabling automatic Windows Firewall port openings and removing or deactivating incoming ibaPDA firewall rules, and creating manual rules that permit only required ports. After applying updates or mitigations, verify that all ibaPDA services and data acquisition continue to function correctly.

CISA Adds Fortinet Authentication Bypass CVE to KEV Catalog

🔒 CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) Catalog for a Fortinet Multiple Products Authentication Bypass that leverages an alternate path or channel. The agency reports evidence of active exploitation and characterizes this class of flaw as a frequent and serious attack vector. Under BOD 22-01, federal agencies must remediate KEV entries by their due dates; CISA strongly urges all organizations to prioritize timely remediation, apply vendor patches, implement compensating controls, and monitor for indicators of compromise.