CISO Brief
Security Advisory and Patch Watch

All news in category “Security Advisory and Patch Watch”

1831 articles · page 42 of 92

CISA Adds VMware vCenter CVE to KEV Catalog January 2026

⚠️ CISA has added CVE-2024-37079, an out-of-bounds write in VMware vCenter Server (Broadcom), to the Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of memory-corruption flaw is a common attacker vector and poses significant risk to the federal enterprise. Under BOD 22-01, FCEB agencies must remediate cataloged vulnerabilities by the required due date; CISA urges all organizations to prioritize timely remediation and to reduce exposure to active threats.

Fortinet confirms FortiCloud SSO auth bypass remains unpatched

⚠️ Fortinet confirmed it is still addressing a critical FortiCloud SSO authentication bypass (CVE-2025-59718) after reports that attackers are able to bypass patches and compromise fully updated firewalls. Security firm Arctic Wolf says automated attacks beginning January 15 created VPN-access admin accounts and quickly exfiltrated firewall configurations. Fortinet advises disabling FortiCloud SSO, restricting administrative access with a local-in policy, and treating affected systems as compromised while a full fix is developed.

Trivial Telnet Auth Bypass Enables Complete Device Takeover

🔓 A trivial authentication bypass in the inetutils telnet server (CVE-2026-24061) lets attackers gain root by abusing the USER environment variable. Telnetd forwards the USER value to /usr/bin/login, so sending USER='-f root' with telnet's -a/--login option causes an automatic root login (e.g., USER='-f root' telnet -a [host_ip]). The flaw has existed for about 11 years, so many legacy and IoT devices are likely affected. Apply the vendor/distribution patch immediately or disable Telnet and restrict access to whitelisted IPs.

SmarterMail auth bypass exploited to hijack admins

🔒 An authentication bypass in SmarterTools SmarterMail allows unauthenticated actors to reset system administrator passwords via the publicly exposed 'force-reset-password' API endpoint. The endpoint accepts attacker-controlled JSON and an IsSysAdmin flag that, when set to true, triggers admin password reset logic without verifying the old password. watchTowr reported the issue on January 8 and SmarterMail released Build 9511 on January 15; researchers observed exploitation within days. Administrators should apply the update immediately to prevent full account takeover.

FortiOS Single Sign-On Abuse: Incident Analysis and Guidance

🔒 Fortinet issued an advisory describing two FortiCloud SSO bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) discovered during an internal code audit. The flaws allowed crafted SAML assertions to bypass authentication on FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager when FortiCloud SSO was enabled. Recent reports show active exploitation, including instances against fully patched devices, indicating a new attack path. Fortinet advises monitoring IOCs, restricting administrative access, disabling FortiCloud SSO as a workaround, and treating affected systems as compromised.

Critical GNU InetUtils telnetd Flaw Allows Root Login

🔐 A critical vulnerability in GNU InetUtils telnetd (CVE-2026-24061) enables remote attackers to bypass authentication and gain root access by supplying a crafted USER environment string. The flaw, present in releases 1.9.3 through 2.7, occurs because telnetd forwards an unvalidated USER value to /usr/bin/login, which interprets "-f root" as an authentication bypass. Administrators should apply patches or disable telnetd until updates are installed.

Appsmith authentication flaw enables account takeovers

🔒 A critical authentication vulnerability (CVE-2026-22794) in the Appsmith low-code platform allowed attackers to manipulate password reset links by supplying a malicious HTTP Origin header, causing reset tokens to be redirected to attacker-controlled infrastructure. Exploitation can lead to full account takeover, including administrator access. The flaw affects Appsmith 1.92 and earlier and was corrected in 1.93; internet scans identified 1,666 publicly accessible instances.

RealHomes CRM Plugin Flaw Patched After Site Takeovers

⚠️ A critical flaw in the RealHomes CRM WordPress plugin—bundled with the widely used RealHomes theme and present on more than 30,000 sites—allowed any logged-in user with Subscriber access or higher to upload arbitrary files via a CSV import. Assigned CVE-2025-67968, the bug affected versions 1.0.0 and earlier and could lead to full site takeover. Developers released v1.0.1, adding a current_user_can check and file-type validation via wp_check_filetype; users should update immediately.

Talos Disclosures: Foxit, Epic Games, and MedDream Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities affecting Foxit PDF Editor, the Epic Games Store installer, and MedDream PACS. The issues include installer privilege escalation, two use‑after‑free flaws in Foxit that can be triggered by crafted PDF JavaScript, and 21 reflected XSS vulnerabilities in MedDream. Vendors have issued patches under Cisco’s disclosure policy. Administrators should apply vendor updates and consider IDS/IPS signatures such as Snort to detect attempted exploitation.

Researchers Exploit 29 Zero-Days at Pwn2Own Automotive

🚗 On the second day of Pwn2Own Automotive 2026, security researchers earned $439,250 after exploiting 29 unique zero-day vulnerabilities in EV chargers, in-vehicle infotainment systems, and automotive operating systems. Contestants targeted fully patched devices such as the Phoenix Contact CHARX SEC-3150, ChargePoint Home Flex, and the Grizzl-E Smart 40A charging station. Fuzzware.io led the leaderboard after two days, and organizers confirmed vendors have 90 days to issue fixes before public disclosure by the Zero Day Initiative.

Actively Exploited Cisco UC RCE Flaw Requires Patching

⚠️ Cisco has released patches for a critical remote code execution vulnerability, CVE-2026-20045, affecting Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The flaw allows unauthenticated remote attackers to gain user access via crafted HTTP requests and then escalate privileges to root without user interaction. No workarounds exist; fixes are version-specific and organizations should apply the matching patch or migrate unsupported 12.5 systems.

AutomationDirect CLICK PLC Password Storage Vulnerabilities

🔒 AutomationDirect reported two vulnerabilities in CLICK Programmable Logic Controllers (PLCs) — CVE-2025-67652 and CVE-2025-25051 — that expose stored credentials and weak encoding. Both issues carry a CVSS 3.1 base score of 6.1 (Medium) and affect C0-0x, C0-1x, and C2-x product versions. AutomationDirect recommends updating CLICK PLUS and PLC firmware to V3.90; until the update can be applied, implement compensating controls such as network isolation, restricted access, application whitelisting, and enhanced logging and monitoring. CISA notes these vulnerabilities are not exploitable remotely and no public exploitation has been reported.

Hubitat Elevation Privilege Escalation Vulnerability

⚠️ CISA warns of an Authorization Bypass Through User-Controlled Key flaw (CVE-2026-1201) in Hubitat Elevation controllers that can allow an authenticated user to escalate privileges and control devices beyond their authorized scope. Affected models — C3, C4, C5, C7, C8, and C8 pro — are vulnerable prior to firmware 2.4.2.157. The issue carries a CVSS v3.1 base score of 9.1 (CRITICAL). Hubitat has released firmware 2.4.2.157 and CISA recommends timely upgrades and standard network isolation measures.

Schneider Electric EcoStruxure Privilege Escalation Fix

⚠️ Schneider Electric has issued a fix for a local privilege escalation vulnerability in EcoStruxure Process Expert (CVE-2025-13905) caused by incorrect default permissions. An attacker with local access could modify executable service binaries and gain elevated privileges when services restart. Version 2025 contains the vendor fix; interim mitigations include application whitelisting and restricting privileged accounts.

DIAView Command Injection Advisory — CVE-2026-0975

⚠️ DIAView contains a command injection vulnerability (CVE-2026-0975) that allows project scripts to execute shell commands when a malicious project is opened. Successful exploitation can result in arbitrary code execution on affected installations of Delta Electronics DIAView version 4.2.0. Delta recommends updating to DIAView v4.4 or later and following defensive measures such as isolating control networks, avoiding untrusted files or links, and using secure remote access methods.

Johnson Controls ICU Stack-Based Overflow Patch Available

⚠️ The Cybersecurity and Infrastructure Security Agency (CISA) warns of a stack-based buffer overflow in Johnson Controls' iSTAR Configuration Utility (ICU), tracked as CVE-2025-26386. The vulnerability affects ICU versions <= 6.9.7 and, under certain conditions, could lead to an operating system failure on the host machine. Johnson Controls released a vendor fix; update ICU to version 6.9.8. CISA recommends applying the update promptly and following network-segmentation and remote-access best practices to reduce exposure.

Weintek cMT X Series Privilege Escalation Vulnerabilities

🔒 CISA reports two high-severity vulnerabilities in Weintek cMT X Series HMI devices that allow low-privileged users to escalate privileges and potentially take full control of affected units. Both issues (CVE-2025-14750 and CVE-2025-14751) receive a CVSS 3.1 base score of 8.3. Vendor firmware updates are available for specific models; apply vendor-supplied patches and follow network-segmentation mitigations.

Rockwell CompactLogix 5370 DoS Vulnerability Advisory

⚠️ Rockwell Automation's CompactLogix 5370 controllers are affected by a denial-of-service vulnerability (CVE-2025-11743) that can produce a major nonrecoverable fault requiring a restart. The issue is triggered by a malformed CIP Forward Open message and has a CVSS v3.1 base score of 6.5. Affected versions include <=34.013, <=35.012, and 36.011; fixed releases include 37.011, 34.016, 35.015, and 36.012. Rockwell reported the issue to CISA; no known public exploitation has been reported and CISA notes the vulnerability is not exploitable remotely. Users unable to upgrade should follow security best practices to limit exposure.

EVMAPA EV Charging Stations: Critical Authentication Flaws

🔒 CISA warns of multiple high-severity vulnerabilities in EVMAPA electric vehicle charging station software, including missing authentication on a WebSocket endpoint (CVE-2025-54816), unlimited authentication attempts (CVE-2025-53968), and insufficient session expiration (CVE-2025-55705). Exploitation could enable unauthorized remote command execution, spoofing of station statuses, or denial-of-service, with a top CVSS score of 9.4. Vendor responses vary: EVMAPA plans BASIC auth for OCPP 2.x, uses WSS and vendor VPN for some deployments, and reports one issue has been fixed.

CISA Adds Four Vulnerabilities to KEV Catalog; Agencies Urged

⚠️ CISA has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. The entries include CVE-2025-31125 (Vite improper access control), CVE-2025-34026 (Versa Concerto improper authentication), CVE-2025-54313 (Prettier eslint-config-prettier embedded malicious code), and CVE-2025-68645 (Synacor Zimbra Collaboration Suite PHP remote file inclusion). CISA urges organizations to prioritize remediation and follow BOD 22-01 guidance to reduce exposure to active threats.