< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2062 articles · page 48 of 104

SolarWinds WHD Under Active Attack via January Zero‑Days

🔒 Analysis by Huntress shows SolarWinds Web Help Desk instances are being actively exploited through a chain of zero‑day and previously disclosed deserialization flaws from late 2025 and January. The incidents combine two January zero‑days—CVE-2025-40551 (deserialization RCE) and CVE-2025-40536 (authentication bypass)—with the earlier CVE-2025-26399. Organizations should urgently upgrade to WHD 2026.1, follow SolarWinds' release notes, reset service and admin credentials, and treat any unexpected Velociraptor, Cloudflared, or Zoho Assist activity and silent MSI installations as indicators of compromise.
read more →

ZLAN5143D Critical Authentication Bypass and Reset Flaws

⚠️ CISA reports two critical authentication vulnerabilities in ZLAN Information Technology Co. ZLAN5143D v1.600. CVE-2026-25084 allows authentication bypass via direct access to internal URLs, while CVE-2026-24789 exposes an unprotected API that enables remote password changes without credentials. Both are scored CVSS 3.1 9.8. CISA notes the vendor did not respond to coordination; users should minimize network exposure, restrict internet access to devices, contact the vendor, and keep systems updated.
read more →

AVEVA PI to CONNECT Agent Log Information Exposure

⚠️ AVEVA reported that PI to CONNECT Agent (<=v2.4.2520) contains a vulnerability that can record sensitive proxy connection details in event logs. An attacker with local Event Log Reader (S-1-5-32-573) privileges could extract proxy URLs and credentials from those logs and gain unauthorized access to the proxy server. The issue is not remotely exploitable; the vendor’s fix is v2.5.2790 or later. Users should review and sanitize logs, rotate proxy credentials, avoid plain-text passwords in proxy URLs, and restrict Event Log Reader privileges.
read more →

AVEVA PI Data Archive: Remote DoS (CVE-2026-1507) Advisory

⚠ AVEVA's PI Data Archive contains an uncaught-exception vulnerability (CVE-2026-1507) that can allow an unauthenticated remote attacker to crash PI core services and cause denial of service. Affected versions include PI Server <=2018_SP3_Patch_7, 2023 (including 2023_Patch_1), and 2024. The issue has a CVSS 3.1 base score of 7.5 (High). AVEVA recommends upgrading to PI Server 2024 R2 or applying vendor patches and restricting inbound access to TCP port 5450.
read more →

ZOLL ePCR iOS App Vulnerability Exposes Local Data

🔒 The ZOLL ePCR iOS mobile application (version 2.6.7) contains a WebView input-sanitization flaw (CVE-2025-12699) that can reflect attacker-controlled strings into rendered HTML/JavaScript. Proof-of-concept testing shows injected scripts may read local application files, potentially exposing device telemetry and protected health information (PHI). CISA assigns a CVSS v3.1 base score of 5.5 (MEDIUM), notes the issue is not remotely exploitable, and reports no known public exploitation. ZOLL decommissioned the iOS app in May 2025 and has no replacement planned.
read more →

Yokogawa FAST/TOOLS Multiple Web and Crypto Flaws Reported

⚠️ Yokogawa's FAST/TOOLS (versions R9.01–R10.04) contains multiple web and cryptographic vulnerabilities tracked across 14 CVEs that could enable redirection to malicious sites, decryption of communications, man-in-the-middle attacks, cross-site request forgery, script execution, and unauthorized file access. Example CVSS v3 scores reach up to 8.2 for some issues. Yokogawa advises updating to R10.04, applying patch CS_e12787, then installing R10.04 SP3. CISA recommends minimizing Internet exposure for control systems, isolating OT networks behind firewalls, and using secure remote access.
read more →

CISA Adds Six Microsoft Vulnerabilities to KEV Catalog

⚠️ CISA added six Microsoft-related vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on February 10, 2026, citing evidence of active exploitation. The entries include CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533, affecting Windows, MSHTML, and Office components. Federal agencies must remediate KEV entries under BOD 22-01, and CISA urges all organizations to prioritize patching to reduce exposure.
read more →

February 2026 Patch Tuesday: Six Zero-Days, Five Criticals

🚨 Microsoft’s February 2026 updates address 59 vulnerabilities, including six actively exploited zero-days and five Critical issues. CrowdStrike identified the Windows Remote Desktop elevation-of-privilege (CVE-2026-21533) and observed exploitation against U.S. and Canadian organizations; other zero-days affect MSHTML, Windows Shell, Microsoft Word, Desktop Window Manager and Remote Access Connection Manager. Three Critical Azure service flaws were remediated in-platform while two Critical issues in Azure confidential containers require customer patching. CrowdStrike recommends timely updates, compensating controls, expanded detection/hunting, and use of the Falcon Exposure Management dashboard to prioritize and mitigate risk.
read more →

Fortinet Patches Critical SQL Injection in FortiClientEMS

⚠️ Fortinet has issued updates to remediate a critical SQL injection vulnerability (CVE-2026-21643) in FortiClientEMS that could allow unauthenticated attackers to execute arbitrary code via specially crafted HTTP requests. The flaw is rated CVSS 9.1 and affects FortiClientEMS 7.4.4; Fortinet advises upgrading to 7.4.5 or later. Gwendal Guégniaud is credited with reporting the issue, and users are urged to apply the fixes promptly.
read more →

Threat actors exploit SolarWinds WHD to deploy Velociraptor

⚠️ Researchers report attackers exploiting critical SolarWinds Web Help Desk (WHD) remote code execution flaws (CVE-2025-40551 and CVE-2025-26399) to gain access to at least three organizations. After initial compromise the actor installed Zoho ManageEngine Assist and used Cloudflare tunnels alongside an outdated Velociraptor build as a command-and-control platform. The intruders disabled Defender and the Windows Firewall, deployed persistence mechanisms including scheduled tasks and SSH backdoors, and researchers advise upgrading WHD to 2026.1, removing public admin exposure, and rotating credentials.
read more →

Critical Zero-Click Flaw in Claude Desktop Extensions

⚠️LayerX disclosed a critical zero-click vulnerability affecting 50 Claude Desktop Extensions (DXT) that can result in remote code execution from a single crafted Google Calendar event. The flaw is possible because DXTs operate as unsandboxed MCP servers with full host privileges, allowing them to read files, run system commands and access credentials. LayerX rated the issue CVSS 10.0 and warned it could affect over 10,000 active users. Anthropic has declined to remediate, saying the scenario falls outside its current threat model.
read more →

BeyondTrust warns of critical RCE in Remote Support

⚠️BeyondTrust has issued an urgent advisory for a critical pre-authentication remote code execution vulnerability tracked as CVE-2026-1731 affecting Remote Support (≤25.3.1) and Privileged Remote Access (≤24.3.4). The flaw is an OS command injection discovered by Harsh Jaiswal and the Hacktron AI team and can be exploited by unauthenticated attackers without user interaction. BeyondTrust says cloud systems were secured by February 2, 2026 and advises on‑premises customers to upgrade to RS 25.3.2 or PRA 25.1.1 immediately.
read more →

BeyondTrust Patches Critical Pre-Auth RCE in RS and PRA

🔒 BeyondTrust has released updates to address a critical pre-authentication remote code execution vulnerability affecting Remote Support and older Privileged Remote Access versions. The flaw, tracked as CVE-2026-1731, is an operating-system command injection rated 9.9 on the CVSS scale and allows unauthenticated attackers to execute OS commands in the context of the site user. Patches (BT26-02-RS and BT26-02-PRA) or upgrades to the fixed releases should be applied immediately, and self-hosted customers without automatic updates must apply the fix manually.
read more →

Tirith tool blocks homoglyph and terminal injection attacks

🔒 Tirith is an open-source, cross-platform tool that inspects pasted commands and blocks impostor attacks that rely on Unicode homoglyphs, invisible characters, and terminal injection techniques. It hooks into common shells (zsh, bash, fish, PowerShell), analyzes URLs and command patterns locally, and halts execution when suspicious input is detected. The author reports sub-millisecond overhead, no cloud or telemetry dependencies, and options to analyze commands without running them.
read more →

Active Exploitation of SolarWinds Web Help Desk Observed

⚠️ Microsoft Defender observed in-the-wild exploitation of internet-facing SolarWinds Web Help Desk, enabling unauthenticated remote code execution and arbitrary command execution within the application context. Post-exploitation behaviors included PowerShell using BITS to download payloads, installation of ManageEngine RMM components for interactive control, credential theft via DLL sideloading and LSASS access, and persistence through scheduled tasks and reverse SSH/RDP tunnels. Organizations should patch WHD, restrict public admin access, hunt for unauthorized RMM artifacts, and rotate exposed service and admin credentials.
read more →

Critical vulnerabilities found in n8n automation platform

🔒 Security researchers at Upwind disclosed six vulnerabilities in n8n, four rated critical (CVSS 9.4), that enable remote code execution, command injection, arbitrary file access and cross-site scripting. The flaws target how n8n sandboxes user processes and protect the host, making multi-user and shared deployments especially dangerous. Administrators and developers should update to the latest release, audit extensions, and treat web-exposed instances with heightened caution.
read more →

Germany warns of Signal account hijacking targeting VIPs

⚠️ Germany's domestic intelligence agencies warn of suspected state-backed campaigns that hijack messaging accounts on Signal to target politicians, military officers, diplomats, and journalists. The attacks use social engineering rather than malware, abusing legitimate features such as QR-code pairing and SMS/PIN verification. Two variants are reported: a full account takeover and a silent device pairing that monitors chats and contacts. Authorities advise blocking/reporting support-like messages, enabling Registration Lock, and routinely checking linked devices.
read more →

CISA: SmarterMail RCE Flaw Actively Exploited by Ransomware

⚠️ CISA warns that ransomware actors are actively exploiting CVE-2026-24423, a critical unauthenticated remote code execution vulnerability in SmarterTools SmarterMail via the ConnectToHub API. SmarterTools released a fix on January 15 (Build 9511) and issued further updates through Build 9526 on January 30. Agencies must apply updates or stop using the product by February 26, 2026, under KEV and BOD 22-01 guidance.
read more →

Four New Vulnerabilities Found in Ingress NGINX Controller

⚠ Four vulnerabilities were disclosed in the open source Ingress NGINX controller used in Kubernetes, with two rated CVSS 8.8. CVE-2026-1580 can enable authentication bypass when a misconfigured custom-errors backend ignores the X-Code header, and CVE-2026-24512 allows configuration injection via rules.http.paths.path, enabling code execution and secret disclosure. The other two issues pose lower or medium risks, including a potential DoS. Affected releases are 1.13.7 and below and 1.14.3 and below, and the only reliable mitigation is upgrading or migrating before Ingress NGINX reaches end of support.
read more →

SIEM Rules to Detect FortiCloud SSO Authentication Bypass

🔒 Kaspersky has released a set of SIEM correlation rules to detect exploitation of FortiCloud SSO authentication bypasses in Fortinet products. The rules target activity related to CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, which allow an attacker with a FortiCloud account to access devices when SSO is enabled. The downloadable package ([OOTB] FortiCloud SSO abuse package – ENG) contains IOC, critical admin action, and suspicious activity rule groups; administrators should tune exceptions to reduce false positives and ensure Fortinet events are fully normalized with the "Extra" field populated for effective detection.
read more →