< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2062 articles · page 52 of 104

Google: WinRAR CVE-2025-8088 Actively Exploited Widely

⚠️ Google’s Threat Intelligence Group warns that multiple actors — including state-backed clusters from Russia and China and financially motivated groups — are actively exploiting CVE-2025-8088, a WinRAR path-traversal bug patched in WinRAR 7.13. Attackers craft malicious archives that drop payloads into the Windows Startup folder (often via ADS-hidden LNKs) to achieve persistence and execute on login. Google advises upgrading to WinRAR 7.13+, monitoring Startup items and alternate data streams, and blocking malicious archive extraction.
read more →

Fortinet fixes FortiOS SSO bypass in active exploitation

🔒 Fortinet has released security updates to address a critical authentication bypass (CVE-2026-24858) affecting FortiOS, FortiManager, and FortiAnalyzer. The flaw allows a FortiCloud account with a registered device to access other devices when FortiCloud SSO is enabled, enabling creation of local admin accounts and configuration changes. Fortinet locked malicious FortiCloud accounts, temporarily disabled SSO, and urges customers to update firmware, audit configurations, and rotate credentials.
read more →

Patches Issued for Critical Microsoft Office Zero-Day

🔒 Microsoft warns administrators of a critical Office security-bypass zero-day, CVE-2026-21509, that is being actively exploited. The flaw leverages legacy OLE document support to bypass protections similar to Office macros, enabling code execution when a user opens a malicious file. Microsoft has released fixes — automatic for Office 2021 and later, and separate updates for Office 2016 and 2019 — and notes affected applications must be restarted for patches to take effect.
read more →

Fortinet blocks exploited FortiCloud SSO zero-day; patch due

🔒 Fortinet confirmed a critical FortiCloud SSO authentication bypass (CVE-2026-24858) actively exploited to gain administrative access to customer devices. The company has implemented server-side mitigations that block SSO logins from vulnerable firmware versions while patches for FortiOS, FortiManager, and FortiAnalyzer are developed. Administrators are advised to review accounts and credentials; disabling SSO remains an optional mitigation.
read more →

WinRAR path-traversal flaw exploited by many hackers

🔒 Security researchers report that the high-severity CVE-2025-8088 path traversal in WinRAR is being actively exploited by both state-sponsored and criminal groups to gain initial access. The flaw leverages Alternate Data Streams (ADS) inside archives to hide payloads and uses directory traversal to drop LNK, HTA, BAT, CMD or script files, frequently into the Windows Startup folder for persistence. ESET and Google observed campaigns beginning in July 2025 and continuing into 2026, tied to actors such as RomCom, Turla and APT44 as well as financially motivated operators. Organizations should apply patches, monitor ADS/archive extraction behavior, and block or alert on suspicious startup items.
read more →

Pyodide Sandbox Escape Enables RCE in Grist-Core SaaS

⚠️A critical sandbox escape in Pyodide used by Grist-Core allows remote code execution from a single malicious spreadsheet formula. Discovered by Cyera Research Labs and rated CVSS 9.1, the flaw leverages Python's object model, ctypes and exposed Emscripten runtime hooks to traverse from cell data into host runtimes. Grist patched the issue in v1.7.9 by running Pyodide under Deno and adding permission-based isolation; operators should upgrade promptly and treat formula execution as a privileged capability.
read more →

Critical sandbox escape in vm2 Node.js library patched

⚠️ A critical sandbox-escape vulnerability (CVE-2026-22709) was discovered in the vm2 Node.js sandbox library that allows untrusted code to break out of the sandbox and execute commands on the host. The flaw stems from improper sanitization of Promise.prototype.then and Promise.prototype.catch callbacks for asynchronous code, enabling trivial exploitation. Maintainer Patrik Šimek issued sequential fixes in 3.10.1 and 3.10.2 and says 3.10.3 addresses disclosed issues; users should upgrade immediately.
read more →

6,000+ SmarterMail Servers Exposed to Hijacking Attacks

🔒 Shadowserver has identified over 6,000 internet-exposed SmarterMail servers likely vulnerable to a critical authentication bypass that enables unauthenticated attackers to hijack administrator accounts. The issue was reported to SmarterTools on January 8 and patched in build 9511 on January 15; it was later assigned CVE-2026-23760. A permissive force-reset-password endpoint accepts anonymous requests and fails to verify the existing password or a reset token, allowing an attacker who knows an administrator username to reset credentials and achieve full administrative compromise and potential remote code execution. Organizations should confirm they have applied the vendor update or recommended mitigations and audit logs for unauthorized resets or other indicators of compromise.
read more →

Johnson Controls Metasys: Critical Remote SQL RCE Alert

⚠️ CISA and Johnson Controls disclose CVE-2025-26385, a critical remote SQL execution vulnerability in Metasys components with a CVSS v3.1 base score of 10.0. An attacker could execute SQL remotely, potentially altering or destroying data in affected products including ADS, ADX, LCS8500, NAE8500, SCT, and CCT. Johnson Controls provides a patch (GIV-165989) via the License Portal and recommends applying the Metasys Release 14 Hardening Guide, segmenting installations, and closing TCP port 1433 as immediate mitigations. CISA notes there is no known public exploitation of this vulnerability at this time.
read more →

Critical ibaPDA File-System Permission Vulnerability

⚠️ A critical vulnerability (CVE-2025-14988) in iba Systems ibaPDA 8.12.0 permits unauthorized file-system actions that can affect confidentiality, integrity, and availability; CISA assigns a CVSS v3.1 base score of 9.8. Siemens reported the issue and the vendor has released ibaPDA 8.12.1 as a remediation. If immediate updating is not possible, vendor-recommended mitigations include enabling User Management and setting a strong admin password, configuring Server Access Manager to restrict access (for example to 127.0.0.1 or specific system IPs), disabling automatic Windows Firewall port openings and removing or deactivating incoming ibaPDA firewall rules, and creating manual rules that permit only required ports. After applying updates or mitigations, verify that all ibaPDA services and data acquisition continue to function correctly.
read more →

Festo Didactic MES PC XAMPP Components: 140 Vulnerabilities

🔒 Festo Didactic SE MES PCs shipped with Windows 10 include a pre-installed copy of XAMPP that bundles Apache, PHP, MariaDB/MySQL, phpMyAdmin and other open-source components. The included XAMPP contains roughly 140 known vulnerabilities—ranging from denial-of-service and information disclosure to remote code execution and authentication weaknesses, with several CVEs scoring in the 9.x CVSS range. Festo has released a Factory Control Panel replacement; customers should contact services.didactic@festo.com to obtain the updated software and mitigation guidance and to schedule replacement.
read more →

Schneider Electric Zigbee Products Vulnerable to DoS

⚠️ Schneider Electric has identified multiple denial-of-service vulnerabilities in Zigbee products that use the Silicon Labs EmberZNet stack. Affected items include a broad set of Wiser, Iconic, Fuga and other connected modules. A malicious device joining a Zigbee network could trigger buffer overflows or uncontrolled resource consumption, leading to device unavailability. Customers should restrict network joins, use unique install codes and non-default keys, close pairing windows promptly, and follow Schneider Electric and CISA mitigations to reduce exploitation risk.
read more →

CISA Adds Fortinet Authentication Bypass CVE to KEV Catalog

🔒 CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) Catalog for a Fortinet Multiple Products Authentication Bypass that leverages an alternate path or channel. The agency reports evidence of active exploitation and characterizes this class of flaw as a frequent and serious attack vector. Under BOD 22-01, federal agencies must remediate KEV entries by their due dates; CISA strongly urges all organizations to prioritize timely remediation, apply vendor patches, implement compensating controls, and monitor for indicators of compromise.
read more →

Microsoft Issues Patch for Office Zero-Day Exploit

🛡️ Microsoft has released a patch addressing a high-severity zero-day in Microsoft Office that the company says has been exploited in the wild. Tracked as CVE-2026-21509 with a CVSS 3.1 score of 7.8, the flaw lets an attacker bypass OLE mitigations by relying on untrusted inputs in a security decision and requires only that a user open a malicious Office file. Microsoft urges users of Office 2016 and 2019 to install the update; Office 2021 and later will receive a service-side fix but require application restarts to take effect.
read more →

Critical 'Cellbreak' Pyodide Sandbox Escape in Grist

⚠️ A critical sandbox escape in Grist-Core allows malicious spreadsheet formulas to execute OS commands or host JavaScript via Pyodide, collapsing the boundary between cell logic and host execution. The flaw, tracked as CVE-2026-24002 and dubbed Cellbreak, has CVSS 9.1 and was fixed in Grist 1.7.9 (Jan 9, 2026). Operators should update immediately or set GRIST_SANDBOX_FLAVOR to "gvisor" as a temporary mitigation.
read more →

Microsoft releases emergency Office patch for zero-day

🛡️ Microsoft released an out-of-band patch for a high-severity Microsoft Office zero-day, tracked as CVE-2026-21509, rated CVSS 7.8 for a security feature bypass exploited in attacks. The flaw bypasses OLE mitigations for COM/OLE controls and requires a specially crafted Office file and user interaction; Microsoft says the Preview Pane is not an attack vector. Customers running Office 2021 and later receive a service-side fix (restart Office); Office 2016 and 2019 require installed updates. Microsoft also published a manual registry mitigation, and CISA added the flaw to its Known Exploited Vulnerabilities catalog.
read more →

Holes in npm and Yarn let attackers bypass defenses

🔓 npm and yarn contain vulnerabilities, dubbed PackageGate, that Koi Security researcher Oren Yomtov says can bypass defenses introduced after the Shai-Hulud campaign by allowing lifecycle scripts to run and lockfile integrity to be evaded. pnpm, vlt and Bun have addressed the issues; npm and yarn have not applied comparable fixes. GitHub and npm maintain some behaviors are intentional—particularly that installing git dependencies with a prepare script will trigger installs—which Yomtov disputes. Developers are advised to prefer patched managers, follow the post-Shai-Hulud guidance, and keep tooling current.
read more →

Microsoft issues emergency Office patch for zero-day

🔒 Microsoft has issued emergency out-of-band updates to patch a high-severity Office zero-day, tracked as CVE-2026-21509, which is being actively exploited. The vulnerability allows an unauthenticated local attacker to bypass Office security features by convincing a user to open a malicious file; Microsoft says the preview pane is not an attack vector. Updates cover Microsoft 365 Apps and Office LTSC 2021/2024; fixes for Office 2016 and 2019 are pending. Microsoft and reporting outlets published registry-based mitigations administrators can apply until official updates are available.
read more →

Microsoft issues second out-of-band Windows fix in a week

🔧 Microsoft has issued emergency out-of-band updates after users reported that the January 13 Patch Tuesday releases caused some applications, notably Outlook, to hang or behave unexpectedly when accessing files stored on cloud services such as OneDrive and Dropbox. The company released cumulative fixes — including KB5078127 for Windows 11, KB5078129 for Windows 10 and server updates KB5078131/KB5078136/KB5078135 — to address PST-file issues that could cause hangs, missing sent items or repeated redownloads. Administrators should review the KB notes, test in their environments and deploy the patches to restore normal email and cloud-file workflows.
read more →

Git-based bypasses undermine NPM's Shai-Hulud defenses

🔒 Researchers from Koi Security disclosed a set of flaws, called PackageGate, that let attackers bypass post‑Shai‑Hulud protections by abusing Git-sourced dependencies. They found crafted configuration files (for example, a malicious .npmrc) can override the git binary path during install and enable code execution even when --ignore-scripts is set. Similar bypasses and lockfile integrity weaknesses affected pnpm, vlt and Bun; vendors patched those tools, but npm closed the report claiming the behavior "works as expected."
read more →