< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2062 articles · page 50 of 104

Exploit of React Native Metro Bug Breaches Dev Systems

🚨 Researchers report attackers are exploiting CVE-2025-11953 in the React Native Metro server to deliver malicious, cross-platform payloads to developer machines. The vulnerability stems from the /open-url endpoint accepting POST data that is passed unsanitized to the system open() call, enabling command execution on Windows and arbitrary executable launches on Unix-like hosts. JFrog disclosed the flaw in early November and it was fixed in @react-native-community/cli-server-api 20.0.0 and later, but active exploitation tracked as 'Metro4Shell' has been observed delivering base64-encoded payloads for both Windows and Linux.
read more →

Hackers Exploit Metro4Shell RCE in React Native CLI

🔒 VulnCheck observed active exploitation of CVE-2025-11953 (Metro4Shell), a critical RCE in the @react-native-community/cli Metro Development Server first seen on December 21, 2025. With a CVSS score of 9.8, the flaw enables unauthenticated remote command execution and was weaponized to deliver a Base64-encoded PowerShell loader that adds Microsoft Defender exclusions. The loader opens a raw TCP channel to 8.218.43.248:60124 to fetch and execute a Rust-based binary with anti-analysis checks; VulnCheck links the activity to multiple attacker IPs and describes it as operational exploitation.
read more →

CISA Adds Four Known Exploited Vulnerabilities to KEV Catalog

🔒 CISA has added four vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog: CVE-2019-19006 (Sangoma FreePBX improper authentication), CVE-2021-39935 (GitLab SSRF), CVE-2025-40551 (SolarWinds Web Help Desk deserialization), and CVE-2025-64328 (Sangoma FreePBX OS command injection). Evidence indicates active exploitation and these issues pose significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by required deadlines. CISA strongly urges all organizations to prioritize timely remediation and will continue updating the catalog.
read more →

Mitsubishi FREQSHIP-mini for Windows: Incorrect Permissions

⚠️ A high-severity vulnerability (CVE-2025-10314) affects Mitsubishi Electric FREQSHIP-mini for Windows versions 8.0.0 through 8.0.2 due to incorrect default permissions. A local attacker with write access to the installation directory could replace service executables or DLLs and execute code with SYSTEM privileges, potentially modifying or destroying data or causing denial of service. Mitsubishi released version 8.1.0 to address the issue; administrators should install the update and apply vendor mitigations, limit remote access, and maintain endpoint protections.
read more →

MOMA Seismic Station Authentication Bypass Vulnerability

⚠️ MOMA Seismic Station versions v2.4.2520 and earlier expose the device web management interface without requiring authentication, enabling unauthenticated actors to modify configuration, retrieve device data, or remotely reset the device. The vulnerability is tracked as CVE-2026-1632 and classified as Missing Authentication for Critical Function (CWE-306). CISA assigns a CRITICAL severity (CVSS v3.1 Base Score 9.1) and notes that RISS SRL did not provide a vendor-supplied patch in the advisory.
read more →

Avation Light Engine Pro: Critical Missing Authentication

🛡️ Avation's Light Engine Pro devices expose configuration and control interfaces without authentication, tracked as CVE-2026-1341. Successful exploitation could allow an attacker to take full control of affected units. Avation has not responded to CISA's coordination request; users should contact the vendor and apply mitigations such as isolating devices from the internet, placing them behind firewalls, and using VPNs for remote access. CISA reports no public exploitation to date.
read more →

CISA: Synectix LAN 232 TRIO Unauthenticated Web Interface

🔒 The Synectix LAN 232 TRIO 3‑port serial-to-Ethernet adapter exposes its web management interface without requiring authentication, enabling unauthenticated actors to modify critical device settings or perform a factory reset. Tracked as CVE-2026-1633 and rated CVSS v3.1 10.0 (Critical), the product is end-of-life and Synectix is no longer in business, so firmware fixes are unavailable. CISA recommends minimizing network exposure, isolating control networks behind firewalls, and using up-to-date VPNs or other secure remote-access methods while operators pursue replacement or isolation of affected units.
read more →

Russian APT28 Exploits Patched Microsoft Office Bug

🛡️ Ukraine's CERT warns that Russian state-linked actor APT28 is exploiting the recently patched CVE-2026-21509 in Microsoft Office. Malicious DOC files were observed days after Microsoft's emergency out-of-band update on Jan 26 and deploy a WebDAV download chain, COM hijacking, a malicious DLL (EhStoreShell.dll), shellcode hidden in an image (SplashScreen.png), and a scheduled task named OneDriveHealth. The chain results in the launch of the COVENANT framework, which uses the Filen cloud storage service for command-and-control. Organizations are advised to apply Microsoft's updates for affected Office versions, ensure application restarts where required, and consider blocking or monitoring Filen-related traffic.
read more →

Amazon RDS for MySQL: New Minor Versions 8.0.45 & 8.4.8

🔒 Amazon RDS for MySQL now supports the MySQL community minor releases 8.0.45 and 8.4.8. AWS recommends upgrading to these minors to remediate known security vulnerabilities present in earlier releases and to benefit from bug fixes, performance improvements, and incremental features. You can enable automatic minor version upgrades to apply eligible updates during scheduled maintenance windows to reduce manual effort. For lower-risk updates and faster cutover, consider Amazon RDS Managed Blue/Green deployments and follow the Amazon RDS User Guide for upgrade instructions, regional availability, and pricing details.
read more →

Microsoft January update shutdown bug affects more PCs

⚠️ Microsoft confirmed that a shutdown bug first reported on Windows 11 also affects Windows 10 devices with Virtual Secure Mode (VSM) enabled after recent January updates. The issue was initially tied to Windows 11 23H2 with KB5073455 and System Guard Secure Launch; emergency patches were issued shortly afterward. Affected users can temporarily force a shutdown using the command shutdown /s /t 0 while Microsoft prepares a broader fix.
read more →

OpenClaw token flaw enables one-click remote RCE exploit

🔒 A high-severity vulnerability (CVE-2026-25253, CVSS 8.8) in OpenClaw allowed a crafted link or webpage to exfiltrate a stored gateway token and enable one-click remote code execution. The Control UI trusted the gatewayUrl query parameter and auto-connected on load while the server failed to validate WebSocket Origin headers. The issue was patched in v2026.1.29 (Jan 30, 2026); users should upgrade immediately.
read more →

Microsoft fixes Windows 11 bug hiding password icon

🔒 Microsoft has resolved a Windows 11 sign-in issue that caused the password icon to disappear from lock screen options after installing August 2025 updates and later. Affected users with multiple sign-in methods could still sign in by hovering over the placeholder to reveal the hidden button. The fix is included in the optional January 2025 KB5074105 preview update released January 29; install via Settings > Windows Update or the Microsoft Update Catalog.
read more →

Privileged File System Flaw in Iconics Suite CVE-2025-0921

🔒 Unit 42 researchers discovered CVE-2025-0921, a privileged file system operations vulnerability in Iconics Suite (GENESIS64) that can be abused to corrupt critical binaries and cause a denial-of-service. The issue affects certain Windows deployments of Iconics Suite and can be chained with CVE-2024-7587 (GenBroker32 installer) to gain effective write access to protected log paths. Iconics released an advisory and a workaround that, if applied, mitigates the reported issues; organizations should apply vendor guidance and limit local write access to application directories.
read more →

Ivanti patches two critical EPMM RCE flaws under attack

🔒 Ivanti released stand‑alone RPM patches for Endpoint Manager Mobile (EPMM) to fix two unauthenticated code‑injection vulnerabilities, CVE-2026-1281 and CVE-2026-1340, each rated 9.8 by CVSS. The flaws affect EPMM’s In‑House Application Distribution and Android File Transfer Configuration features and are already being exploited in a limited number of customer environments. Administrators must manually install version-specific RPMs; Ivanti says a permanent fix will arrive in the 12.8.0.0 release.
read more →

Securing AI Application Supply Chains: LangChain Case

🛡️ This case study details a high-severity serialization injection vulnerability (CVE-2025-68664, “LangGrinch”) in LangChain's langchain-core package that arises from improper handling of a reserved lc marker during dumps/dumpd operations. The flaw can enable unauthorized secret extraction, unintended class instantiation, or malicious side effects when attacker-controlled dictionaries are deserialized. Microsoft recommends immediate upgrades to patched versions and demonstrates how Defender for Cloud and Defender XDR can identify, remediate, and detect exposed workloads across code, build, and runtime stages. The post also offers practical hunting queries and remediation workflows to accelerate fixes.
read more →

Microsoft Fixes Outlook Bug Blocking Encrypted Emails

✅ Microsoft has issued a fix for a known issue that prevented Microsoft 365 customers from opening Encrypt Only messages in classic Outlook after a December update. Impacted users saw a message_v2.rpmsg attachment instead of readable content and a 'restricted permission' notice in the Reading Pane. Microsoft says the repair is available in the Beta Channel now and will roll to Current Channel and Current Channel Preview in February. Temporary workarounds are provided for users who cannot upgrade immediately.
read more →

Windows 11 KB5074105 Preview Fixes Boot and Sign-In

🔧 Microsoft released the optional January 2026 preview cumulative update KB5074105 for Windows 11, delivering 32 non-security quality fixes administrators can validate before Patch Tuesday. The preview moves 25H2 devices to build 26200.7705 and 24H2 devices to 26100.7705 and can be installed via Settings > Windows Update or the Microsoft Update Catalog. Key fixes address sign-in and boot failures, activation problems during license migrations, expanded Cross-Device Resume for Android-to-PC activity continuation (examples include resuming Spotify, Office work, or browsing sessions), and broader Windows Hello Enhanced Sign-in Security support for peripheral fingerprint sensors. Additional reliability fixes target UAC elevation hangs, graphics-related system errors (dxgmms2.sys, KERNEL_SECURITY_CHECK_FAILURE), Windows Sandbox startup failures (0x800705b4), startup/login hangs and iSCSI boot issues. Administrators are advised to test the update in lab environments before wide deployment.
read more →

SmarterMail Patches Critical Unauthenticated RCE, NTLM Fix

⚠️ SmarterTools released builds addressing critical vulnerabilities in SmarterMail, including an unauthenticated remote code execution flaw (CVE-2026-24423) rated CVSS 9.3. The flaw in the ConnectToHub API allowed an attacker to direct SmarterMail to a malicious HTTP server that serves OS commands, which the application could execute; this was fixed in Build 9511 on January 15, 2026. A separate NTLM-related path coercion issue (CVE-2026-25067, CVSS 6.9) that could force outbound SMB authentication and enable NTLM relay was patched in Build 9518 (January 22, 2026). Administrators should update immediately.
read more →

Ivanti EPMM Zero-Days Allow Unauthenticated RCE, Patch Issued

⚠️ Ivanti has released security updates addressing two critical zero-day code-injection flaws in Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8) — which enable unauthenticated remote code execution and have been observed in limited attacks. One of the defects, CVE-2026-1281, was added to CISA’s KEV catalog, imposing a Federal remediation deadline of February 1, 2026. A temporary RPM patch is available for affected 12.x releases but does not persist through upgrades; Ivanti plans a permanent fix in EPMM 12.8.0.0 due Q1 2026. Customers are urged to check Apache access logs using the provided regex, inspect administrative and configuration changes, and restore or rebuild compromised appliances if indicators of attack are found.
read more →

Microsoft Links Windows 11 Boot Failures to Dec 2025 Update

⚠️ Microsoft says recent Windows 11 boot failures following the January 2026 cumulative update are tied to earlier failed attempts to install the December 2025 security update, which left some systems in an "improper state." After applying KB5074109, affected devices showed a BSOD with stop error UNMOUNTABLE_BOOT_VOLUME. Microsoft is working on a partial resolution to prevent new no-boot cases, but it warns this fix will not repair devices already unable to boot or stop systems from entering the improper state. The company also says the issue appears limited to physical machines.
read more →