< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2062 articles · page 49 of 104

Malicious Commands in GitHub Codespaces Enable RCE Risk

⚠️Orca Security researchers disclosed multiple attack vectors in GitHub Codespaces that can produce remote code execution simply by opening a malicious repository or pull request. By embedding commands in repository configuration files—specifically .vscode/tasks.json, .vscode/settings.json and .devcontainer/devcontainer.json—an attacker can execute code, exfiltrate tokens and access secrets without further user interaction. Microsoft confirmed the behavior is "by design" and points to trusted-repository controls to limit cross-environment impact.
read more →

CISA Adds Two CVEs to Known Exploited Vulnerabilities

⚠️ CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-11953 (React Native Community CLI OS command injection) and CVE-2026-24423 (SmarterTools SmarterMail missing authentication for critical function). The additions reflect evidence of active exploitation and elevated risk to the federal enterprise. Under BOD 22-01 federal agencies must remediate KEV entries by the due date. CISA strongly urges all organizations to prioritize timely remediation.
read more →

Mitsubishi MELSEC iQ-R Series Critical Firmware Flaw

⚠️ A critical vulnerability (CVE-2025-15080) affects Mitsubishi Electric MELSEC iQ-R Series firmware (R08/16/32/120PCPU) versions 48 and earlier. An attacker can read device data or parts of control programs, write device data, or cause a denial-of-service by sending specially crafted SLMP or proprietary protocol packets. Mitsubishi Electric recommends updating affected firmware to version 49 or later and, until patched, restricting access via firewalls, IP filters, VPNs, and LAN-only operation.
read more →

Ilevia EVE X1 Server: Multiple Critical Vulnerabilities

⚠️ CISA warns of multiple high‑severity vulnerabilities in Ilevia EVE X1 Server (≤ 4.7.18.0), including pre‑auth path traversal, unauthenticated OS command injection, plaintext credential exposure in logs, and reflected XSS. Successful exploitation can allow arbitrary shell execution and disclosure of sensitive files on critical manufacturing systems. Ilevia and CISA recommend updating the Ilevia Manager, closing TCP/8080, enforcing strong credentials, applying network segmentation, and monitoring for unauthorized access.
read more →

o6 Automation Open62541 JSON PubSub Heap Overflow Advisory

⚠️ o6 Automation's Open62541 contains a heap out-of-bounds write in builds with PubSub and JSON enabled. A crafted JSON message can overwrite heap memory prior to authentication, reliably crashing the process and causing memory corruption. The vulnerability affects versions >=1.5-rc1 and <1.5-rc2 (CVE-2026-1301). Upgrade to v1.5.0 and apply network-access mitigations such as isolating control networks and restricting remote access to reduce exposure.
read more →

Hitachi Energy FOX61x RADIUS MD5 Forgery Vulnerability

🔒 Hitachi Energy reported a critical vulnerability in FOX61x devices when configured to use remote RADIUS authentication. The RADIUS implementation is vulnerable to a chosen-prefix collision attack on the MD5 Response Authenticator, allowing an attacker able to manipulate responses to forge Access-Accept/Access-Reject/Access-Challenge messages and affect confidentiality, integrity, and availability. Affected versions include FOX61x R17A and earlier; update to R18 and enable the RADIUS Message-Authenticator on both the device and the RADIUS server. If immediate upgrade is not possible, segment FOX management traffic to reduce exposure.
read more →

Hitachi Energy XMC20 RADIUS Forgery Vulnerability Advisory

⚠️ Hitachi Energy disclosed a critical vulnerability (CVE-2024-3596) affecting XMC20 devices that use remote RADIUS authentication. An MD5 Response Authenticator weakness permits a local attacker to forge or convert valid RADIUS responses (Access-Accept, Access-Reject, Access-Challenge), affecting confidentiality, integrity, and availability. Vendor guidance is to upgrade to XMC20 R18 and enable the RADIUS Message-Authenticator on both the device and the RADIUS server; where upgrades are not possible, segment FOX management traffic and apply network mitigations. CISA republishes the vendor advisory for visibility.
read more →

TP-Link VIGI IP Cameras: Local Password Bypass Vulnerability

🔒 A vulnerability in the TP‑Link VIGI Series IP Camera local web interface allows an attacker on the same LAN to bypass authentication in the password recovery flow and reset the administrator password by manipulating client-side state. Successful exploitation grants full administrative access, compromising device configuration and network security. TP‑Link has released firmware updates and strongly recommends installing the latest builds; CISA advises isolating affected devices from public networks and using secure remote access such as updated VPNs.
read more →

Critical n8n Expression-Sandbox Bypass Enables RCE

⚠️A critical vulnerability (CVE-2026-25049, CVSS 9.4) in the n8n workflow automation platform can allow authenticated users with workflow edit rights to execute arbitrary system commands by abusing expression evaluation. The flaw bypasses prior fixes for CVE-2025-68613 and can be triggered by crafted expressions — including a single-line JavaScript destructuring payload — that escape the expression sandbox. Affected releases are <1.123.17 (fixed in 1.123.17) and <2.5.2 (fixed in 2.5.2). Operators should apply the updates immediately or, if patching is not possible, restrict workflow creation to trusted users and harden host and network privileges.
read more →

Threat actors hijack web traffic via React2Shell exploit

⚠️ Researchers at Datadog Security Labs report threat actors are exploiting the React2Shell vulnerability (CVE-2025-55182) in React 19 to execute code on servers and then target NGINX instances managed with Boato Panel, focusing on several Asian TLDs and Chinese hosting. Attackers use automated, multi-stage toolkits to discover targets, persist, and write malicious NGINX configs that redirect traffic for cryptomining, credential phishing, or malware delivery. Defenses include prompt patching, locking down configuration files, maintaining configuration records, and monitoring NGINX advisories.
read more →

Critical n8n Vulnerabilities Allow Remote Code Execution

🔒 Multiple critical vulnerabilities in the open-source workflow platform n8n (tracked as CVE-2026-25049) allow any authenticated user who can create or edit workflows to escape sandboxing and execute arbitrary code on the host server. Independent researchers at Pillar Security, Endor Labs and SecureLayer7 identified sanitization and AST-sandboxing bypasses — including a type-confusion issue and Function-constructor exploits — enabling access to Node.js globals, the filesystem, credentials and connected cloud accounts. n8n released fixes (notably 2.4.0, later 2.5.2 and 1.123.17) and recommends immediate patching, rotating the N8N_ENCRYPTION_KEY and stored credentials, and limiting workflow creation until environments are hardened.
read more →

CISA: VMware ESXi Flaw Now Used in Ransomware Attacks

🔒 CISA confirmed ransomware gangs are exploiting a high-severity VMware ESXi sandbox escape (CVE-2025-22225) patched by Broadcom in March 2025 alongside related fixes. The vulnerability permits an attacker with privileges in the VMX process to trigger an arbitrary kernel write and escape the virtual machine sandbox. Organizations are urged to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue affected products if mitigations are unavailable.
read more →

CISA Alerts on Five-Year-Old GitLab SSRF Exploitation

⚠️ CISA has ordered federal agencies to patch a five-year-old GitLab SSRF vulnerability (CVE-2021-39935) that is currently being exploited in attacks. GitLab issued a fix for the server-side request forgery bug in December 2021 after it was found that unauthenticated users could reach the CI Lint API when user registration was restricted. Under BOD 22-01, affected Federal Civilian Executive Branch agencies must remediate by February 24, 2026, and CISA urges all organizations to prioritize mitigation. Shodan currently identifies over 49,000 internet-exposed GitLab instances, many reachable on default ports.
read more →

Two Critical Sandbox Escapes in n8n AI Lead to Full Takeover

🔒 Pillar Security identified two maximum-severity sandbox escape vulnerabilities in the n8n workflow automation platform that allow any authenticated user to gain full server control and exfiltrate stored credentials (API keys, cloud keys, database passwords and OAuth tokens) on both self-hosted and cloud instances. The first flaw was patched by n8n, but researchers found a bypass within 24 hours, prompting the vendor to release n8n v2.4.0 in January 2026. Immediate mitigation steps include upgrading to 2.4.0, rotating the n8n encryption key and all stored credentials, auditing workflows for suspicious expressions and monitoring AI-related outbound activity.
read more →

SolarWinds Web Help Desk RCE Vulnerability Exploited

⚠️ The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-40551 — a critical remote code execution flaw in SolarWinds Web Help Desk — to its Known Exploited Vulnerabilities catalog after reports of active exploitation. The vendor patched multiple high-severity bugs on January 28 and assigned CVSS scores of 9.8. Administrators are urged to apply the vendor update to Web Help Desk 2026.1 immediately to mitigate unauthenticated deserialization and authentication-bypass risks.
read more →

CISA Flags Actively Exploited SolarWinds WHD Flaw Issue

⚠ CISA has added a critical SolarWinds Web Help Desk vulnerability, CVE-2025-40551, to its Known Exploited Vulnerabilities catalog and flagged it as actively exploited. The flaw is an untrusted data deserialization vulnerability that can enable remote code execution without authentication, allowing attackers to run commands on affected hosts. SolarWinds released patches in WHD version 2026.1 that also address several related high-severity CVEs. Federal Civilian Executive Branch agencies are required to remediate this flaw under BOD 22-01, with a February 6, 2026, deadline.
read more →

CISA: Critical SolarWinds Web Help Desk RCE Exploited

🔒 CISA has flagged a critical SolarWinds Web Help Desk vulnerability (CVE-2025-40551) as actively exploited and ordered federal agencies to patch within three days under BOD 22-01. The flaw is an untrusted data deserialization weakness that can enable unauthenticated remote command execution; SolarWinds released Web Help Desk 2026.1 on January 28 to address it. Administrators are urged to apply the patch immediately and verify affected systems.
read more →

Docker patches critical Ask Gordon AI 'DockerDash' flaw

🛡️ Researchers disclosed a critical prompt-injection flaw, codenamed DockerDash, that allowed malicious Docker image metadata to hijack the Ask Gordon AI assistant in Docker Desktop and the Docker CLI. The vulnerability, discovered by Noma Labs, could enable remote code execution or sensitive data exfiltration by treating unverified LABEL fields as executable instructions. Docker fixed the issue in Ask Gordon version 4.50.0 (November 2025). Administrators should upgrade and apply zero-trust validation to AI toolchains and MCP/Gateway integrations.
read more →

SQL Injection in Quiz and Survey Master Affects 40k Sites

🔒 A SQL injection vulnerability in the Quiz and Survey Master (QSM) WordPress plugin affected more than 40,000 sites running versions 10.3.1 and earlier. The flaw allowed any logged-in user with Subscriber-level privileges or higher to supply crafted input to a REST API parameter named is_linking, which was concatenated into a database query without sanitisation. Patchstack credited Doan Dinh Van for the report and QSM released version 10.3.2 to enforce integer casting (intval) and mitigate the issue; the defect is tracked as CVE-2025-67987. There is no public evidence of active exploitation, but the bug underscores risks from trusting request data and the need for prepared statements.
read more →

DockerDash: Metadata Flaw in Docker's Ask Gordon AI

⚠️ Noma Labs disclosed a critical vulnerability, dubbed DockerDash, in Docker's Ask Gordon AI assistant that allows unverified image metadata to be treated as executable instructions. The flaw exploits a trust failure in the Model Context Protocol (MCP) gateway: Ask Gordon reads Docker LABEL metadata, forwards the interpreted content to MCP, and MCP tools execute it without validation. Depending on deployment this can enable remote code execution (cloud/CLI) or large-scale data exfiltration and reconnaissance in Docker Desktop. Docker issued mitigations in Docker Desktop 4.50.0 and users are urged to upgrade.
read more →