< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2062 articles · page 51 of 104

Ivanti warns of two critical EPMM zero-day flaws exploited

⚠ Ivanti disclosed two critical code-injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340, both rated 9.8 and observed in limited zero-day exploitation. The flaws allow unauthenticated remote arbitrary code execution and exposure of administrator, user, and managed-device data. Ivanti published RPM hotfixes to mitigate affected builds, advised immediate application, and warned hotfixes must be reapplied after upgrades until a permanent 12.8.0.0 fix is released in Q1 2026.
read more →

Microsoft January 2026 Out-of-Band Office Update Patch

⚠️ Microsoft released three out-of-band updates in January 2026, including a security update addressing CVE-2026-21509 in Microsoft Office, which has been reportedly exploited in the wild. The vulnerability is rated Important with a CVSS 3.1 score of 7.8 and is considered local, requiring a user to open a malicious Office document or for an attacker to have system access. Microsoft notes the issue cannot be triggered via the Preview Pane and has published mitigation guidance. Talos published Snort and ClamAV detections and advises customers to apply the latest rules and SRU updates.
read more →

Critical RCE Bugs Allow n8n Sandbox Escapes, Patches

⚠️Two critical sandbox escape vulnerabilities in n8n allow authenticated users to achieve remote code execution on affected instances. JFrog researchers reported that flaws in the JavaScript expression engine and the Python Code node can bypass sandboxing protections, exposing workflow engines to host-level compromise. The JavaScript issue stems from a missed edge case in AST-based sanitization when expressions are passed to a Function constructor; the Python escape affects Internal execution mode. Both flaws carry high severity and have been patched—organizations should update to the specified releases and restrict who can create or edit workflows until upgrades are applied.
read more →

KiloView Encoder Series: Missing Auth (CVE-2026-1453)

⚠️ CISA warns of a critical Missing Authentication for Critical Function vulnerability (CVE-2026-1453) in KiloView Encoder Series devices that could let an unauthenticated attacker create or delete administrator accounts and gain full administrative control. Multiple E1, E1-s, E2, G1, P1, P2 and RE1 hardware and firmware builds are affected. No public exploitation has been reported to CISA, and KiloView has not engaged with CISA; users should minimize network exposure, ensure devices are not directly reachable from the Internet, and contact KiloView support for guidance.
read more →

Rockwell ArmorStart LT Denial-of-Service Vulnerabilities

⚠ Rockwell Automation's ArmorStart LT devices are affected by multiple vulnerabilities that can cause denial-of-service conditions. Affected models include 290D, 291D, and 294D running firmware versions <=V2.002; each issue is rated CVSS v3.1 7.5 (High). Observed impacts include unresponsive CIP ports, unexpected device reboots, ICMP loss, and web application inaccessibility during fuzzing and active scanning. No patch is available; operators should apply network segmentation and secure remote access best practices to reduce exposure.
read more →

Rockwell ControlLogix 1756-RM2/RM2XT Denial-of-Service

⚠️ Multiple denial-of-service vulnerabilities in Rockwell Automation ControlLogix Redundancy Enhanced Modules (catalogs 1756-RM2 and 1756-RM2XT) can be triggered by crafted inputs, including malformed Class 3 messages and resource exhaustion. Exploitation may render devices unresponsive or cause major nonrecoverable faults, potentially requiring a restart. The issues carry a CVSS 3.1 base score of 7.5 (High). Rockwell recommends upgrading to 1756-RM3 and following advisory SD1769; if immediate upgrade is not possible, apply segmentation, firewalling, and other security best practices to reduce exposure.
read more →

CISA Adds Ivanti EPMM Code Injection to KEV Catalog

🔔 CISA added CVE-2026-1281, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities (KEV) Catalog after confirmed active exploitation in the wild. The advisory notes that code injection is a common and dangerous attack vector that can enable unauthorized execution and data compromise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities by set deadlines, and CISA strongly urges all organizations to prioritize timely remediation.
read more →

EU GCVE Initiative Addresses CVE Dependence, Risks

🔎 The EU-hosted GCVE.eu aggregates advisories from more than 25 public sources and is operated by CIRCL with co-funding from the EU's FETTA project, aiming to reduce reliance on the US-run CVE/NVD. Experts applaud redundancy but warn that without enforced mapping, automated cross-referencing, and strong governance, parallel identifiers risk creating fragmented silos. GCVE.eu says it supports cross-referencing, distributed allocation, and open-source tooling to aid coordinated disclosure and integration.
read more →

SolarWinds Fixes Critical Web Help Desk Vulnerabilities

⚠️ SolarWinds has released updates for Web Help Desk to address multiple high‑severity vulnerabilities, including four critical flaws that can enable authentication bypass and remote code execution. Affected issues include deserialization and hard‑coded credential bugs tracked as CVE‑2025‑40536 through CVE‑2025‑40554. Rapid7 highlights that the deserialization flaws are particularly exploitable without authentication. SolarWinds fixed the issues in WHD 2026.1 and customers are urged to upgrade immediately.
read more →

SolarWinds WHD Critical RCE and Auth Bypass Flaws Revealed

⚠️ SolarWinds has issued emergency updates for Web Help Desk (WHD) to patch six vulnerabilities—four rated critical—that include unauthenticated data deserialization RCEs and authentication bypasses. Researchers from watchTowr and Horizon3.ai disclosed the flaws, which could let attackers execute commands, access protected functions, or leverage hardcoded credentials. Administrators should upgrade to WHD 2026.1 immediately and investigate any anomalous activity on affected servers.
read more →

Critical vm2 Node.js sandbox vulnerability allows escape

⚠️ A critical vulnerability in vm2, a widely used Node.js sandboxing library, allows attackers to escape the sandbox and execute arbitrary code. Tracked as CVE-2026-22709, the flaw affects versions older than 3.10.2; users are urged to upgrade immediately. The issue stems from a bypass in Promise.prototype.then and Promise.prototype.catch callback sanitization, and the project maintainer warns that in-process sandboxing will remain a cat-and-mouse challenge. Where possible, combine vm2 with additional isolation, resource limits, and monitoring, or consider stronger isolation alternatives.
read more →

Critical sandbox escape flaws allow RCE in n8n instances

🔓 Two sandbox-escape vulnerabilities in the n8n workflow automation platform allow authenticated users to execute arbitrary code and potentially take full control of affected instances. JFrog researchers disclosed CVE-2026-1470, a JavaScript AST sandbox bypass that can resolve to Function and execute code in the main node, and CVE-2026-0863, a Python AST bypass that abuses format-string introspection and Python 3.10+ behavior to regain restricted builtins and run OS commands. CVE-2026-1470 was rated critical (9.9) because it grants execution in the main node; both issues affect self-hosted deployments while n8n Cloud has been mitigated. Fixes are available in specific 1.x and 2.x releases and users should upgrade immediately.
read more →

OpenSSL patches 12 vulnerabilities discovered by AISLE

🔒 A coordinated security update addressed 12 previously unknown vulnerabilities in OpenSSL, disclosed by AISLE through a coordinated process with project maintainers. The issues span multiple subsystems — from legacy CMS parsing to QUIC and post-quantum signature handling — and include a high-severity stack buffer overflow in CMS AuthEnvelopedData that could enable remote code execution under specific conditions. Remediation included fixes merged into releases and six additional issues resolved before reaching users.
read more →

Critical n8n Sandbox Flaws Allow Remote Code Execution

⚠️Two vulnerabilities in n8n sandboxing allow authenticated users to achieve remote code execution by bypassing JavaScript and Python sandbox controls. JFrog Security Research disclosed CVE-2026-1470 (CVSS 9.9) affecting the JavaScript expression engine and CVE-2026-0863 (CVSS 8.5) targeting Python execution in the Code node. Both issues exploit gaps in AST validation and require the ability to create or modify workflows, enabling attackers to access environment variables and run system-level commands. Users should upgrade immediately to the patched releases listed by the vendor.
read more →

SolarWinds Patches Critical Web Help Desk RCE and Bypass

🔒 SolarWinds released updates for Web Help Desk to address critical authentication bypass and remote code execution vulnerabilities, including CVE-2025-40551, CVE-2025-40552 and CVE-2025-40553. Reported by researchers at watchTowr and Horizon3.ai, the flaws allow unauthenticated attackers to bypass authentication and execute commands via deserialization and other vectors. Administrators should upgrade to Web Help Desk 2026.1 immediately to mitigate risk.
read more →

Critical vm2 Node.js Vulnerability Enables Sandbox Escape

⚠️ A critical sandbox escape in vm2 (CVE-2026-22709) can allow execution of arbitrary code on the host by bypassing Promise handler sanitization. Endor Labs researchers Peyton Kennedy and Cris Staicu reported that async functions return global Promise objects whose then and catch handlers were not properly sanitized, creating an escape vector. The flaw carries a CVSS score of 9.8 and was addressed in vm2 3.10.2; the article cites 3.10.3 with additional fixes. Users are urged to update and consider stronger isolation alternatives such as isolated-vm or container-level separation.
read more →

EncystPHP Web Shell Exploits FreePBX Endpoint Manager

🛡️ FortiGuard Labs discovered EncystPHP, a sophisticated PHP web shell exploiting FreePBX via CVE-2025-64328. The campaign, linked to activity attributed to INJ3CTOR3, deploys droppers that create root accounts, inject SSH keys, alter cron jobs for persistence, and remove competing shells. Infected hosts enable remote command execution and abuse of PBX telephony resources. Fortinet offers detections and IPS coverage to mitigate the threat.
read more →

Two High-Severity n8n Flaws Allow Remote Code Execution

⚠️ Researchers disclosed two high-severity eval-injection vulnerabilities in n8n that can bypass sandboxing and enable remote code execution. JFrog Security Research identified CVE-2026-1470 (JavaScript eval, CVSS 9.9) and CVE-2026-0863 (Python eval, CVSS 8.5), which can compromise instances even in internal execution mode. Users should update to the patched releases listed by the vendor without delay.
read more →

Fortinet guidance: ongoing CVE-2026-24858 SSO bypass

🔒 Fortinet released guidance after disclosure of CVE-2026-24858, an authentication bypass in FortiCloud single sign-on (SSO) that can allow an attacker with a FortiCloud account to access devices registered to other users. The flaw affects multiple products including FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer. Fortinet temporarily disabled FortiCloud SSO on Jan. 26, 2026 and restored the service with mitigations on Jan. 27; CISA added the CVE to its KEV Catalog and urges operators to check for indicators of compromise and apply vendor updates immediately.
read more →

Critical FortiCloud SSO Zero-Day Forces Emergency Fix

⚠️ Fortinet disclosed a critical authentication-bypass zero-day (CVE-2026-24858) that affects FortiCloud SSO and can let attackers compromise FortiGate, FortiManager, and FortiAnalyzer devices. The vendor temporarily disabled FortiCloud SSO globally on Jan 26 to stop active exploitation and re-enabled it Jan 27 with server-side blocking that prevents logins from vulnerable firmware. FortiOS 7.4.11 is available and additional patched releases are being rolled out; most fixes are still listed as "upcoming."
read more →