
All news in category “Security Advisory and Patch Watch”


Schneider Electric Zigbee Products Vulnerable to DoS

⚠️ Schneider Electric has identified multiple denial-of-service vulnerabilities in Zigbee products that use the Silicon Labs EmberZNet stack. Affected items include a broad set of Wiser, Iconic, Fuga and other connected modules. A malicious device joining a Zigbee network could trigger buffer overflows or uncontrolled resource consumption, leading to device unavailability. Customers should restrict network joins, use unique install codes and non-default keys, close pairing windows promptly, and follow Schneider Electric and CISA mitigations to reduce exploitation risk.

Johnson Controls Metasys: Critical Remote SQL RCE Alert

⚠️ CISA and Johnson Controls disclose CVE-2025-26385, a critical remote SQL execution vulnerability in Metasys components with a CVSS v3.1 base score of 10.0. An attacker could execute SQL remotely, potentially altering or destroying data in affected products including ADS, ADX, LCS8500, NAE8500, SCT, and CCT. Johnson Controls provides a patch (GIV-165989) via the License Portal and recommends applying the Metasys Release 14 Hardening Guide, segmenting installations, and closing TCP port 1433 as immediate mitigations. CISA notes there is no known public exploitation of this vulnerability at this time.

Microsoft Issues Patch for Office Zero-Day Exploit

🛡️ Microsoft has released a patch addressing a high-severity zero-day in Microsoft Office that the company says has been exploited in the wild. Tracked as CVE-2026-21509 with a CVSS 3.1 score of 7.8, the flaw lets an attacker bypass OLE mitigations by relying on untrusted inputs in a security decision and requires only that a user open a malicious Office file. Microsoft urges users of Office 2016 and 2019 to install the update; Office 2021 and later will receive a service-side fix but require application restarts to take effect.

Critical 'Cellbreak' Pyodide Sandbox Escape in Grist

⚠️ A critical sandbox escape in Grist-Core allows malicious spreadsheet formulas to execute OS commands or host JavaScript via Pyodide, collapsing the boundary between cell logic and host execution. The flaw, tracked as CVE-2026-24002 and dubbed Cellbreak, has CVSS 9.1 and was fixed in Grist 1.7.9 (Jan 9, 2026). Operators should update immediately or set GRIST_SANDBOX_FLAVOR to "gvisor" as a temporary mitigation.

Microsoft releases emergency Office patch for zero-day

🛡️ Microsoft released an out-of-band patch for a high-severity Microsoft Office zero-day, tracked as CVE-2026-21509, rated CVSS 7.8 for a security feature bypass exploited in attacks. The flaw bypasses OLE mitigations for COM/OLE controls and requires a specially crafted Office file and user interaction; Microsoft says the Preview Pane is not an attack vector. Customers running Office 2021 and later receive a service-side fix (restart Office); Office 2016 and 2019 customers must install the released updates. Microsoft also published a manual registry mitigation, and CISA added the flaw to its Known Exploited Vulnerabilities catalog.

Holes in npm and Yarn let attackers bypass defenses

🔓 npm and yarn contain vulnerabilities, dubbed PackageGate, that Koi Security researcher Oren Yomtov says can bypass defenses introduced after the Shai-Hulud campaign by allowing lifecycle scripts to run and lockfile integrity to be evaded. pnpm, vlt and Bun have addressed the issues; npm and yarn have not applied comparable fixes. GitHub and npm maintain some behaviors are intentional—particularly that installing git dependencies with a prepare script will trigger installs—which Yomtov disputes. Developers are advised to prefer patched managers, follow the post-Shai-Hulud guidance, and keep tooling current.

Microsoft issues emergency Office patch for zero-day

🔒 Microsoft has issued emergency out-of-band updates to patch a high-severity Office zero-day, tracked as CVE-2026-21509, which is being actively exploited. The vulnerability allows an unauthenticated local attacker to bypass Office security features by convincing a user to open a malicious file; Microsoft says the preview pane is not an attack vector. Updates cover Microsoft 365 Apps and Office LTSC 2021/2024; fixes for Office 2016 and 2019 are pending. Microsoft and reporting outlets published registry-based mitigations administrators can apply until official updates are available.

Microsoft issues second out-of-band Windows fix in a week

🔧 Microsoft has issued emergency out-of-band updates after users reported that the January 13 Patch Tuesday releases caused some applications, notably Outlook, to hang or behave unexpectedly when accessing files stored on cloud services such as OneDrive and Dropbox. The company released cumulative fixes — including KB5078127 for Windows 11, KB5078129 for Windows 10 and server updates KB5078131/KB5078136/KB5078135 — to address PST-file issues that could cause hangs, missing sent items or repeated redownloads. Administrators should review the KB notes, test in their environments and deploy the patches to restore normal email and cloud-file workflows.

Git-based bypasses undermine NPM's Shai-Hulud defenses

🔒 Researchers from Koi Security disclosed a set of flaws, called PackageGate, that let attackers bypass post‑Shai‑Hulud protections by abusing Git-sourced dependencies. They found crafted configuration files (for example, a malicious .npmrc) can override the git binary path during install and enable code execution even when --ignore-scripts is set. Similar bypasses and lockfile integrity weaknesses affected pnpm, vlt and Bun; vendors patched those tools, but npm closed the report claiming the behavior "works as expected."

CISA Adds Five Known Exploited Vulnerabilities to Catalog

⚠️ CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation, affecting Linux Kernel, SmarterMail, Microsoft Office, and GNU InetUtils. The newly listed CVEs are CVE-2018-14634, CVE-2025-52691, CVE-2026-21509, CVE-2026-23760, and CVE-2026-24061 and represent frequent attack vectors that pose significant risks to federal and enterprise environments. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by required due dates, and CISA urges all organizations to prioritize timely remediation as part of vulnerability management.

CISA Flags Critical VMware vCenter RCE as Actively Exploited

🚨 CISA has added a critical VMware vCenter Server remote code execution flaw (CVE-2024-37079) to its catalog of vulnerabilities exploited in the wild and ordered federal civilian agencies to secure affected systems within three weeks. Patched in June 2024, the issue stems from a heap overflow in the DCERPC implementation of vCenter Server that can be exploited via a specially crafted network packet without credentials or user interaction. Broadcom confirms in-the-wild exploitation and urges immediate patching to the latest vCenter Server and Cloud Foundation releases; no mitigations are available.

Microsoft Investigates Windows 11 Boot Failures in January

⚠️ Microsoft is investigating reports that some Windows 11 devices fail to boot with the UNMOUNTABLE_BOOT_VOLUME stop error after installing the January 13, 2026 cumulative update KB5074109. Affected systems running Windows 11 25H2 and all editions of 24H2 display a black crash screen and cannot start without manual recovery. Microsoft says only physical devices are impacted so far and asks affected users to submit feedback via the Feedback Hub. The company also released emergency out-of-band updates to address an Outlook PST cloud storage freeze.

Pwn2Own Automotive 2026: 76 Zero-Days Found, $1M Payout

🚗 The third annual Pwn2Own Automotive contest in Tokyo revealed 76 unique zero-day vulnerabilities across targets from Tesla infotainment to EV chargers, with Trend Micro's Zero Day Initiative paying out more than $1 million. A Fuzzware.io team took top honors, earning Master of Pwn with $215,500 and a $60,000 single-exploit prize for an Alpitronic HYC50 out-of-bounds write. Other teams compromised Automotive Grade Linux and exploited charger logic to install a playable Doom on a charger's screen. Vendors are urged to patch promptly.

Microsoft issues emergency OOB updates to fix Outlook

🔧 Microsoft has released out-of-band updates for Windows 10, Windows 11, and Windows Server to address an issue that caused Outlook to freeze when opening PST files stored in cloud-backed storage such as OneDrive or Dropbox. The problem emerged after the January 13, 2026 Patch Tuesday updates and mainly affected classic Outlook configurations used in enterprises. Affected instances could become unresponsive until the process was terminated or the system restarted, and users reported missing Sent Items and duplicate downloads. The fixes are available via Windows Update or the Microsoft Download Catalog and include several KB updates for specific Windows and Server versions.

CISA Adds Actively Exploited VMware vCenter Flaw; Patch Urged

⚠️ CISA has added CVE-2024-37079, a critical heap overflow in Broadcom VMware vCenter's DCE/RPC implementation, to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. The flaw (CVSS 9.8) can enable remote code execution via a crafted network packet; Broadcom released fixes in June 2024 alongside CVE-2024-37080, with related patches issued in September 2024. Broadcom confirms in-the-wild abuse, and federal civilian agencies must update to the latest vCenter release by February 13, 2026.

Fortinet confirms new zero-day targeting SAML SSO on devices

🔒 Fortinet has confirmed a new attack campaign that exploits an unpatched zero-day vulnerability to bypass authentication across SAML SSO implementations, including FortiCloud SSO. The activity, observed in mid-January, involves extraction of firewall configurations and creation of administrative and VPN-capable accounts. Fortinet is working on a fix and recommends updating to the latest releases, restoring clean backups, rotating all credentials, disabling FortiCloud SSO administrative logins, and restricting administrative access to trusted subnets.

CISA Confirms Active Exploitation of Four Enterprise Bugs

⚠️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities affecting enterprise software to its KEV catalog after observing active exploitation. Affected projects include Versa Concerto, Zimbra Collaboration Suite, the Vite frontend toolchain, and the eslint-config-prettier package used with Prettier. CISA requires federal agencies to apply vendor patches or mitigations, or stop using impacted products by February 12, 2026. Details on the nature and scope of in-the-wild exploitation remain limited.

Critical Telnetd Auth Bypass in GNU InetUtils Exploited

⚠️ A coordinated campaign is exploiting a critical authentication-bypass flaw in the GNU InetUtils telnetd server, tracked as CVE-2026-24061. The bug, present since 2015, lets attackers set the USER environment variable (for example USER=-f root) to bypass /usr/bin/login and obtain a root shell. Patches are in InetUtils 2.8; mitigations include disabling telnetd or blocking TCP port 23. GreyNoise observed limited, mostly automated exploitation activity and recommends immediate patching and hardening.

CISA Adds Four Actively Exploited Flaws to KEV Catalog

⚠️ CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation, including a high-severity PHP remote file inclusion in Zimbra (CVE-2025-68645) and an authentication bypass in Versa Concerto (CVE-2025-34026). One entry describes a supply-chain compromise that trojanized eslint-config-prettier and six related npm packages to deliver a malicious DLL. Federal agencies are required to remediate under BOD 22-01 by February 12, 2026.

Fortinet: Active FortiCloud SSO Bypass on Patched FortiGate

🔒 Fortinet confirmed active exploitation of a FortiCloud SSO authentication bypass affecting fully patched FortiGate firewalls. The vendor said attackers exploited a new attack path that can circumvent patches addressing CVE-2025-59718 and CVE-2025-59719 by using crafted SAML messages when FortiCloud SSO is enabled. Observed activity includes creation of generic admin accounts, configuration changes to enable VPN access, and configuration exfiltration. Fortinet recommends restricting internet-facing administrative access and disabling the admin-forticloud-sso-login feature while a full remediation is finalized.