< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2062 articles · page 43 of 104

Critical Claude Code Flaws Expose RCE and Key Theft

⚠️ Check Point researchers disclosed critical vulnerabilities, CVE-2025-59536 and CVE-2026-21852, in Anthropic’s Claude Code that allow remote code execution and theft of Anthropic API keys via malicious repository-level configuration files. The flaws can be triggered simply by cloning and opening an untrusted project; built-in mechanisms such as Hooks, MCP integrations, and environment variables may be abused to bypass trust controls, execute hidden shell commands, and redirect authenticated API traffic before user consent. Stolen keys can expose shared workspaces, modify or delete resources, and generate unauthorized costs, underscoring a shift in the AI supply chain threat model.
read more →

CISA and Partners: Guidance on Cisco SD‑WAN Exploits

🔔 CISA and international partners warn of active exploitation of Cisco SD-WAN systems, adding CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities Catalog. FCEB agencies are required by Emergency Directive 26-03 to inventory, update, and assess SD-WAN deployments. Organizations should collect artifacts, apply vendor updates, follow the Catalyst SD-WAN Hardening Guide, and hunt for evidence of compromise immediately.
read more →

CISA Emergency Directive: Mitigate Cisco SD‑WAN Risks

⚠ CISA issued Emergency Directive 26-03 requiring immediate mitigation of critical vulnerabilities in Cisco SD‑WAN systems, citing exploitable flaws including CVE-2026-20127 and CVE-2022-20775. Agencies must inventory systems, collect virtual snapshots and logs, apply patches, hunt for evidence of compromise, and implement vendor hardening guidance. CISA will monitor compliance, provide technical assistance, and deliver additional resources as needed. The directive is supported by the NSA, ASD’s ACSC, Canada’s Cyber Centre, NCSC-NZ, and NCSC-UK.
read more →

CISA Adds Two Cisco SD-WAN Vulnerabilities to KEV Catalog

⚠️CISA has added two Cisco SD‑WAN vulnerabilities (CVE‑2022‑20775 and CVE‑2026‑20127) to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. These affect Cisco Catalyst SD‑WAN components and include a path traversal and an authentication bypass that can enable unauthorized access. Under BOD 22‑01, FCEB agencies must remediate by required due dates; CISA urges all organizations to prioritize timely mitigation.
read more →

Windows 11 KB5077241 Preview Adds Sysmon, Fixes BitLocker

🔧 Microsoft released the KB5077241 optional cumulative preview for Windows 11, delivering 29 fixes and features including improved BitLocker reliability and a built-in network speed test. The update introduces native Sysmon functionality (disabled by default) and will automatically enable Quick Machine Recovery on some Professional devices that are not domain‑joined or enterprise managed. It also shortens resume-from-sleep times, refines taskbar and File Explorer behavior, and adds RSAT support on Arm64.
read more →

SolarWinds Issues Patch for Four Critical Serv-U Flaws

🔒 SolarWinds has released updates to address four critical vulnerabilities in its Serv-U file transfer software, each rated 9.1 on the CVSS scale. The flaws include a broken access control that can create a system admin (CVE-2025-40538), two type confusion bugs (CVE-2025-40539 and CVE-2025-40540), and an IDOR (CVE-2025-40541) — all capable of enabling remote code execution when exploited with administrative privileges. The issues affect Serv-U 15.5 and are fixed in Serv-U 15.5.4. SolarWinds warns Windows deployments carry medium risk because services often run under less-privileged accounts by default, and while no active exploitation has been reported, similar past defects were abused by threat actors such as Storm-0322.
read more →

CISA Confirms Active Exploitation of FileZen Flaw Now

🚨 CISA has added a recently disclosed FileZen vulnerability, CVE-2026-25108 (CVSS v4 8.7), to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The issue is an OS command injection that allows an authenticated user to execute arbitrary commands via specially crafted HTTP requests. Affected versions include 4.2.1–4.2.8 and 5.0.0–5.0.10; Soliton advises updating to 5.0.11 or later and changing passwords if exploitation is suspected. Federal agencies must remediate by March 17, 2026.
read more →

Critical Serv-U RCE Flaws Extend SolarWinds Risk Profile

⚠ SolarWinds has issued four critical patches for its Serv-U managed file transfer server to remediate remote code execution and broken access-control vulnerabilities that can lead to root or other privileged account takeover. The most severe, CVE-2025-40538, can create system admin users and execute arbitrary code, while CVE-2025-40539 and CVE-2025-40540 are type confusion flaws and CVE-2025-40541 is another broken access-control issue. Organizations should treat this as a high-urgency patch event: update immediately, verify internet exposure, check logs for signs of compromise, and rotate associated credentials.
read more →

VMware patches Aria Operations command injection flaw

🔒Recent patches from VMware address several high- and medium-risk vulnerabilities in Aria Operations, Cloud Foundation, and Telco Cloud products. The most serious, CVE-2026-22719, is an unauthenticated command injection that could lead to remote code execution but requires support-assisted product migration to be exploitable, so it is rated high rather than critical. Broadcom recommends upgrading to Aria Operations 8.18.6 and applying corresponding updates for VMware Cloud Foundation and Telco Cloud components to mitigate these issues.
read more →

RoguePilot Flaw: Copilot in Codespaces Could Leak Tokens

🛡️ RoguePilot was a vulnerability in GitHub Codespaces that allowed GitHub Copilot to be manipulated via a crafted GitHub issue, enabling silent execution of hidden AI instructions and potential exfiltration of a privileged GITHUB_TOKEN. Orca Security researcher Roi Nisimi reported that an attacker could embed the prompt inside an HTML comment and direct Copilot to send the token to an external server. Microsoft patched the flaw after responsible disclosure. The disclosure underscores risks from AI-mediated prompt injection and urges better prompt handling, content sanitization, and least-privilege token practices.
read more →

Critical SolarWinds Serv-U Flaws Allow Root Access

🔒 SolarWinds has released Serv-U 15.5.4 to patch four critical remote-code-execution vulnerabilities, including CVE-2025-40538, that can allow attackers with elevated privileges to create administrative accounts and execute arbitrary code as root on vulnerable Windows and Linux servers. The update also fixes two type-confusion bugs and an IDOR that can be chained to achieve root code execution. Organizations should apply 15.5.4 immediately, verify administrator account integrity, and review access logs for signs of unauthorized admin activity; Shodan shows over 12,000 Internet-exposed Serv-U instances.
read more →

CISA Adds FileZen Command Injection CVE to KEV Catalog

⚠️ CISA added CVE-2026-25108, a FileZen OS command injection vulnerability affecting Soliton Systems K.K., to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. Command injection is a frequent and high-risk vector that can enable remote code execution and system compromise. Under BOD 22-01 federal agencies must remediate KEV entries by required deadlines; CISA strongly urges all organizations to prioritize remediation, apply vendor fixes or mitigations, and monitor for related activity.
read more →

Schneider Electric EBO Vulnerabilities and Patches Released

🔒 Schneider Electric has released patches for multiple vulnerabilities in EcoStruxure Building Operation Workstation and WebStation that could disclose local files, enable execution of unintended code, or cause denial-of-service. Affected 6.x and 7.0.x builds should be updated to the vendor-supplied patch builds immediately to mitigate exposure. The issues are tracked as CVE-2026-1227 (XXE) and CVE-2026-1226 (code generation/control). If immediate patching is not possible, implement recommended mitigations — network segmentation, strict access controls, MFA for EBO 7.0+, monitoring, and adherence to EBO hardening guidance — to reduce operational risk.
read more →

Gardyn Home Kit Multiple Vulnerabilities: Patches Available

🔒 CISA reports multiple high‑severity vulnerabilities in Gardyn Home Kit firmware, cloud API, and mobile application that could permit unauthenticated access, remote command execution, and extraction of administrative credentials. Affected versions include the mobile app prior to 2.11.0, cloud API before 2.12.2026, and firmware older than master.619. Gardyn has released fixes in updated software; users should update apps and firmware and keep devices connected to receive automatic patches.
read more →

InSAT MasterSCADA BUK-TS: Critical RCE Vulnerabilities

⚠️ CISA reports two critical remote code execution vulnerabilities in InSAT MasterSCADA BUK-TS (all versions). CVE-2026-21410 enables SQL injection via the main web interface, and CVE-2026-22553 allows OS command injection through the MMadmServ interface. Both CVEs have CVSS v3.1 base scores of 9.8. CISA recommends minimizing network exposure, isolating control systems behind firewalls, using secure remote access, and contacting the vendor for guidance.
read more →

Amazon RDS Custom Adds Latest GDR for SQL Server Updates

🔒 Amazon Relational Database Service (Amazon RDS) Custom for SQL Server now supports the latest General Distribution Release (GDR) updates, including SQL Server 2022 Cumulative Update and KB5072936 (16.00.4230.2.v1). These GDRs address vulnerabilities described in CVE-2026-20803 and are recommended for production environments. You can apply the updates via the RDS Management Console, AWS SDK, or CLI, and consult the Amazon RDS Custom User Guide for upgrade procedures and best practices.
read more →

Android Mental Health Apps Found with Security Flaws

⚠️ Security researchers found widespread vulnerabilities across ten Android mental-health apps that together exceed 14.7 million installs and could expose highly sensitive therapy and medical data. Oversecured's scans from January 22–23, 2026 identified 1,575 issues — 54 high-, 538 medium-, and 983 low-severity — which could enable credential interception, HTML injection, spoofing, and location leaks. Findings include use of Intent.parseUri() on external input, plaintext API endpoints and hardcoded Firebase URLs, insecure token generation with java.util.Random, and overly permissive local file access.
read more →

Security Analysis of Password Managers and Server Risks

🔒 New research examines whether cloud-based password managers can be misused by those controlling servers. Researchers reverse-engineered and closely analyzed Bitwarden, Dashlane, and LastPass, finding that features such as account recovery, shared vaults, and group organization can be abused so a server operator or a compromised server can extract credentials or entire vaults. The study also describes protocol-level attacks that can weaken encryption, potentially converting ciphertext into plaintext. The author contrasts these cloud models with Password Safe, a local-only manager that avoids recovery features and the cloud.
read more →

CISA: Patched Roundcube Flaws Now Seen in Active Attacks

⚠️ CISA has added two recently patched Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to remediate affected systems within three weeks. The critical remote code execution bug CVE-2025-49113 and a separate XSS issue CVE-2025-68461 affect Roundcube 1.5.x and 1.6.x; vendor fixes (1.6.12 and 1.5.12) have been released. Shodan still enumerates tens of thousands of exposed instances, and organizations are urged to update, audit logs, and mitigate immediately.
read more →

Attackers Exploit Ivanti EPMM Zero-Days in Active Campaign

🔴 Palo Alto Networks' Unit 42 warns that threat actors are actively exploiting two critical zero-day vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — in Ivanti Endpoint Manager Mobile (EPMM). Both flaws allow unauthenticated remote code execution, enabling attackers to seize MDM appliances and install web shells, cryptominers, or persistent backdoors that can survive initial patching. Unit 42 says more than 4,400 EPMM instances are internet-exposed, proof-of-concept exploits are public, and multiple sectors and countries have been targeted.
read more →