< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2062 articles · page 45 of 104

Microsoft: Copilot Bug Summarizes Confidential Emails

⚠️Microsoft says a bug in Microsoft 365 Copilot has been summarizing confidential emails since late January, bypassing organizations' configured data loss prevention (DLP) safeguards. The flaw affected the Copilot 'work tab' chat and improperly read messages stored in Sent Items and Drafts, including those with sensitivity labels intended to block automated processing. Microsoft attributes the behavior to a code error, began rolling out a fix in early February, and is monitoring deployment while contacting a subset of impacted users. The company has not yet disclosed the full scope or number of affected organizations and has flagged the incident as an advisory.
read more →

CISA Adds Two Exploited Vulnerabilities to KEV Catalog

⚠️ CISA announced the addition of two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation: CVE-2021-22175 (GitLab SSRF) and CVE-2026-22769 (Dell RecoverPoint for Virtual Machines hard-coded credentials). These issues represent common, high-risk attack vectors that can enable data access and unauthorized persistence. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities by specified deadlines, and CISA strongly urges all organizations to prioritize remediation as part of routine vulnerability management.
read more →

Good Enough Emulation: Fuzzing a Modbus Thread for Bugs

🔍 This post details emulation-based analysis of the Socomec DIRIS M-70 gateway, where JTAG flash readout protection prevented full hardware debugging. The researcher emulated the Modbus processing thread with Unicorn, integrated AFL for coverage-guided fuzzing across hundreds of message types, and later adopted Qiling for built-in coverage and debugging. The effort uncovered multiple denial-of-service vulnerabilities and six CVEs, showing that a 'good enough' single-thread emulation approach can produce high-impact results.
read more →

Critical zero-day in Dell RecoverPoint for VMs, exploited

🔒 A maximum-severity vulnerability (CVE-2026-22769, CVSS 10.0) in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus cluster tracked as UNC6201 since mid-2024. The flaw is a hard-coded Apache Tomcat Manager admin credential that allows unauthenticated attackers to upload a web shell (SLAYSTYLE) and deploy native backdoors (BRICKSTORM, later GRIMBOLT) for root access and persistence. Dell urges customers to upgrade to 6.0.3.1 HF1 (or follow staged upgrades from 5.3 SP4 P1) and to isolate RecoverPoint appliances on trusted, segmented networks until patched.
read more →

Chinese APT Exploited Dell RecoverPoint Zero-Day Since 2024

🔒 Dell has released a patch for a critical zero-day, CVE-2026-22769, in RecoverPoint for Virtual Machines after Mandiant reported exploitation by a suspected Chinese APT cluster since mid-2024. The flaw is a hardcoded credential that enables unauthenticated access to the underlying OS and potential root-level persistence on versions prior to 6.0.3.1 HF1. Mandiant links the intrusions to UNC6201, which deployed malware such as Slaystyle, Brickstorm and a native AOT C# backdoor called Grimbolt, and observed novel TTPs including VM "ghost NICs" and iptables-based single-packet authorization.
read more →

CISA Adds Four Actively Exploited Flaws to KEV Catalog

🔔 CISA has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after observing active exploitation. The additions include CVE-2026-2441 (Chrome use-after-free), CVE-2020-7796 (Synacor Zimbra SSRF), CVE-2024-7694 (TeamT5 ThreatSonar arbitrary file upload), and CVE-2008-0015 (Windows Video ActiveX overflow). Federal agencies are urged to remediate by March 10, 2026.
read more →

Critical Flaws in Popular VSCode Extensions Expose Devs

⚠️ Ox Security disclosed high- to critical-severity vulnerabilities in widely used VSCode extensions that could enable local file theft and remote code execution. Affected extensions include Live Server (CVE-2025-65717), Code Runner (CVE-2025-65715), Markdown Preview Enhanced (CVE-2025-65716), and a one-click XSS in Microsoft Live Preview (pre-0.4.16). The researchers say they attempted disclosure from June 2025 but received no responses from maintainers. Users are advised to avoid running localhost servers, opening untrusted HTML, pasting untrusted settings, and to remove unnecessary extensions.
read more →

Critical Ivanti EPMM RCE Zero-Days Actively Exploited

🚨 Unit 42 reports two critical zero-day RCEs in Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 — are being actively weaponized. Both flaws arise from unsafe legacy bash script usage invoked via Apache RewriteMap and permit unauthenticated command execution through specially crafted HTTP GET requests. Observed activity includes reverse shells, JSP web shells, deployment of monitoring agents/cryptominers, and follow-on persistence. Apply vendor RPM patches immediately, hunt for web shells and backdoors, and engage incident response if compromise is suspected.
read more →

UNC6201 Targets Dell RecoverPoint Zero-Day, Deploys GRIMBOLT

🔐 Mandiant and the Google Threat Intelligence Group (GTIG) identified exploitation of a critical vulnerability in Dell RecoverPoint for Virtual Machines, CVE-2026-22769, used by UNC6201 since mid‑2024. The actor uploaded malicious WAR files to the embedded Tomcat Manager—leveraging hard‑coded admin credentials—to deploy a SLAYSTYLE web shell and gain root. In compromised appliances, UNC6201 established persistence by modifying convert_hosts.sh and later replaced BRICKSTORM implants with a native AOT‑compiled C# backdoor named GRIMBOLT. Investigators also observed novel VMware pivoting techniques, including temporary "Ghost NICs" and iptables‑based Single Packet Authorization. Dell published mitigations and GTIG/Mandiant released IOCs, YARA rules, and hunting guidance to aid detection and response.
read more →

Delta Electronics ASDA-Soft Stack Overflow (CVE-2026-1361)

⚠ A stack-based buffer overflow has been identified in Delta Electronics ASDA-Soft when parsing .par files, allowing an attacker to write data past a stack buffer and corrupt a structured exception handler (SEH). The issue affects versions <= 7.2.0.0 (CVE-2026-1361) and is assigned a CVSS v3.1 base score of 7.8 (High). Delta released fixed ASDA-Soft version 7.2.2.0 and published advisory Delta-PCSA-2026-00003; CISA reports no known public exploitation and notes the vulnerability is not remotely exploitable.
read more →

Honeywell CCTV Products: Critical Account Recovery Flaw

🔒 CISA reports a critical vulnerability (CVE-2026-1670) in multiple Honeywell CCTV products that exposes an unauthenticated API endpoint allowing an attacker to change the forgot password recovery email. Successful exploitation can enable account takeover and unauthorized access to camera feeds, and the issue is scored CVSS v3.1 9.8 (CRITICAL). Affected firmware includes several 2MP and 25M IPC/PTZ variants. Honeywell recommends contacting support for patches; CISA urges reducing Internet exposure, segmenting networks, and using secure remote access.
read more →

GE Vernova Enervista UR Setup Vulnerabilities Fixed

🔒 GE Vernova released updates for Enervista UR Setup to address two vulnerabilities. The installer is vulnerable to DLL hijacking (CVE-2026-1762), which could allow administrative code execution when run in directories containing untrusted DLLs. A second issue is a path traversal (CVE-2026-1763) that can overwrite files as the logged-in user. Users should update to version 8.70 or later.
read more →

Siemens Simcenter Femap and Nastran File Parsing Flaws

⚠️ Siemens has published updates for Simcenter Femap and Simcenter Nastran addressing multiple file‑parsing vulnerabilities in NDB and XDB formats. If a user opens a specially crafted malicious file, affected versions may crash or allow an attacker to achieve arbitrary code execution. Siemens rates the issues as high severity and recommends updating to V2512 or later and avoiding untrusted NDB/XDB files.
read more →

CISA Adds Four Vulnerabilities to Known Exploited Catalog

⚠ CISA has added four vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The additions are CVE-2008-0015 (Microsoft Windows Video ActiveX remote code execution), CVE-2020-7796 (Synacor Zimbra SSRF), CVE-2024-7694 (TeamT5 ThreatSonar unrestricted upload of dangerous files), and CVE-2026-2441 (Google Chromium CSS use-after-free). BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV entries by the due date, and CISA strongly urges all organizations to prioritize timely remediation as part of vulnerability management.
read more →

Exploit Reported for New Chrome Zero-Day in CSS Engine

⚠️ Google warns IT administrators that an exploit for a newly disclosed Chrome zero-day (CVE-2026-2441) is active in the wild. The issue is a use-after-free bug in the browser's CSS engine that can allow remote code execution in the renderer sandbox when a user visits a crafted page. Patches are available — update to 145.0.7632.75/76 on Windows/Mac or 144.0.7559.75 on Linux — and Google is limiting technical details until most users are updated. Administrators should prioritize deploying the fixes and monitor browser versions and endpoints closely.
read more →

Study Finds Multiple Cloud Password Managers Vulnerable

🔒 A new study from ETH Zurich and Università della Svizzera italiana shows that cloud-based password managers, including Bitwarden, Dashlane, and LastPass, can be vulnerable to password recovery and integrity attacks under a malicious-server model. Researchers identified 25 distinct attack variants ranging from metadata leakage and item swapping to full organizational vault compromise. Vendors have issued patches or mitigation roadmaps and say there is no evidence of in-the-wild exploitation.
read more →

Researchers Find Multiple Flaws in Cloud Password Managers

🔐 A team of researchers from ETH Zurich and USI disclosed 27 successful attack scenarios against cloud-based password managers from Bitwarden, LastPass, Dashlane and 1Password, challenging vendors' zero-knowledge claims. The attacks exploit design and cryptographic flaws — including unauthenticated public keys, missing ciphertext integrity and KDF downgrades — enabling vault compromise, password recovery and mass takeover. Vendors report remediation is underway; users should verify fixes and follow advisories.
read more →

CISA orders federal agencies to patch BeyondTrust bug

🔒 CISA has ordered federal agencies to secure on‑premises BeyondTrust Remote Support and Privileged Remote Access instances within three days after disclosure of a critical remote code execution flaw (CVE-2026-1731) that is being actively exploited. The OS command injection allows unauthenticated attackers to run system commands and could lead to data exfiltration or service disruption. BeyondTrust patched SaaS instances on Feb 2; on‑premise customers must install fixes manually.
read more →

Google Issues Patch for In-the-Wild Chrome Zero-Day

🔒 Google has released an urgent security update for Chrome to address CVE-2026-2441, a high-severity zero-day affecting desktop builds on Windows, macOS and Linux. The flaw, rooted in a CSS processing issue, can allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Google confirmed an exploit is already in the wild and credited researcher Shaheen Fazim for reporting the bug on February 11; the company issued the patch on February 13.
read more →

Google patches first Chrome zero-day exploited in attacks

🔧 Google released emergency updates to fix a high-severity Chrome zero-day (CVE-2026-2441) that is being exploited in the wild. The flaw is a use-after-free caused by an iterator invalidation bug in CSSFontFeatureValuesMap, and Google pushed a backported patch across stable branches. Fixes are rolling out to Windows and macOS (145.0.7632.75/76) and Linux (144.0.7559.75); users should update or let Chrome apply updates automatically. Google noted additional related work remains tracked in bug 483936078.
read more →