< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2062 articles · page 53 of 104

CISA Adds Five Known Exploited Vulnerabilities to Catalog

⚠️ CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation, affecting Linux Kernel, SmarterMail, Microsoft Office, and GNU InetUtils. The newly listed CVEs are CVE-2018-14634, CVE-2025-52691, CVE-2026-21509, CVE-2026-23760, and CVE-2026-24061 and represent frequent attack vectors that pose significant risks to federal and enterprise environments. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by required due dates, and CISA urges all organizations to prioritize timely remediation as part of vulnerability management.
read more →

CISA Flags Critical VMware vCenter RCE as Actively Exploited

🚨 CISA has added a critical VMware vCenter Server remote code execution flaw (CVE-2024-37079) to its catalog of vulnerabilities exploited in the wild and ordered federal civilian agencies to secure affected systems within three weeks. Patched in June 2024, the issue stems from a heap overflow in the DCERPC implementation of vCenter Server that can be exploited via a specially crafted network packet without credentials or user interaction. Broadcom confirms in-the-wild exploitation and urges immediate patching to the latest vCenter Server and Cloud Foundation releases; no mitigations are available.
read more →

Microsoft Investigates Windows 11 Boot Failures in January

⚠️Microsoft is investigating reports that some Windows 11 devices fail to boot with the UNMOUNTABLE_BOOT_VOLUME stop error after installing the January 13, 2026 cumulative update KB5074109. Affected systems running Windows 11 25H2 and all editions of 24H2 display a black crash screen and cannot start without manual recovery. Microsoft says only physical devices are impacted so far and asks affected users to submit feedback via the Feedback Hub. The company also released emergency out‑of‑band updates to address an Outlook PST cloud storage freeze.
read more →

Pwn2Own Automotive 2026: 76 Zero-Days Found, $1M Payout

🚗 The third annual Pwn2Own Automotive contest in Tokyo revealed 76 unique zero-day vulnerabilities across targets from Tesla infotainment to EV chargers, with Trend Micro's Zero Day Initiative paying out more than $1 million. A Fuzzware.io team took top honors, earning Master of Pwn with $215,500 and a $60,000 single-exploit prize for an Alpitronic HYC50 out-of-bounds write. Other teams compromised Automotive Grade Linux and exploited charger logic to install a playable Doom on a charger's screen. Vendors are urged to patch promptly.
read more →

Microsoft issues emergency OOB updates to fix Outlook

🔧 Microsoft has released out-of-band updates for Windows 10, Windows 11, and Windows Server to address an issue that caused Outlook to freeze when opening PST files stored in cloud-backed storage such as OneDrive or Dropbox. The problem emerged after the January 13, 2026 Patch Tuesday updates and mainly affected classic Outlook configurations used in enterprises. Affected instances could become unresponsive until the process was terminated or the system restarted, and users reported missing Sent Items and duplicate downloads. The fixes are available via Windows Update or the Microsoft Download Catalog and include several KB updates for specific Windows and Server versions.
read more →

CISA Adds Actively Exploited VMware vCenter Flaw Patch Urged

⚠️ CISA has added CVE-2024-37079, a critical heap overflow in Broadcom VMware vCenter's DCE/RPC implementation, to its Known Exploited Vulnerabilities catalog citing evidence of active exploitation. The flaw (CVSS 9.8) can enable remote code execution via a crafted network packet; Broadcom released fixes in June 2024 alongside CVE-2024-37080, with related patches issued in September 2024. Broadcom confirms in‑the‑wild abuse and Federal civilian agencies must update to the latest vCenter release by February 13, 2026.
read more →

Fortinet confirms new zero-day targeting SAML SSO on devices

🔒 Fortinet has confirmed a new attack campaign that exploits an unpatched zero-day vulnerability to bypass authentication across SAML SSO implementations, including FortiCloud SSO. The activity, observed in mid-January, involves extraction of firewall configurations and creation of administrative and VPN-capable accounts. Fortinet is working on a fix and recommends updating to the latest releases, restoring clean backups, rotating all credentials, disabling FortiCloud SSO administrative logins, and restricting administrative access to trusted subnets.
read more →

CISA Confirms Active Exploitation of Four Enterprise Bugs

⚠️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities affecting enterprise software to its KEV catalog after observing active exploitation. Affected projects include Versa Concerto, Zimbra Collaboration Suite, the Vite frontend toolchain, and the eslint-config-prettier package used with Prettier. CISA requires federal agencies to apply vendor patches or mitigations, or stop using impacted products by February 12, 2026. Details on the nature and scope of in-the-wild exploitation remain limited.
read more →

Critical Telnetd Auth Bypass in GNU InetUtils Exploited

⚠️ A coordinated campaign is exploiting a critical authentication-bypass flaw in the GNU InetUtils telnetd server, tracked as CVE-2026-24061. The bug, present since 2015, lets attackers set the USER environment variable (for example USER=-f root) to bypass /usr/bin/login and obtain a root shell. Patches are in InetUtils 2.8; mitigations include disabling telnetd or blocking TCP port 23. GreyNoise observed limited, mostly automated exploitation activity and recommends immediate patching and hardening.
read more →

CISA Adds Four Actively Exploited Flaws to KEV Catalog

⚠️ CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation, including a high-severity PHP remote file inclusion in Zimbra (CVE-2025-68645) and an authentication bypass in Versa Concerto (CVE-2025-34026). One entry describes a supply-chain compromise that trojanized eslint-config-prettier and six related npm packages to deliver a malicious DLL. Federal agencies are required to remediate under BOD 22-01 by February 12, 2026.
read more →

Fortinet: Active FortiCloud SSO Bypass on Patched FortiGate

🔒 Fortinet confirmed active exploitation of a FortiCloud SSO authentication bypass affecting fully patched FortiGate firewalls. The vendor said attackers exploited a new attack path that can circumvent patches addressing CVE-2025-59718 and CVE-2025-59719 by using crafted SAML messages when FortiCloud SSO is enabled. Observed activity includes creation of generic admin accounts, configuration changes to enable VPN access, and configuration exfiltration. Fortinet recommends restricting internet-facing administrative access and disabling the admin-forticloud-sso-login feature while a full remediation is finalized.
read more →

CISA Adds VMware vCenter CVE to KEV Catalog January 2026

⚠️ CISA has added CVE-2024-37079, an out-of-bounds write in VMware vCenter Server (Broadcom), to the Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of memory-corruption flaw is a common attacker vector and poses significant risk to the federal enterprise. Under BOD 22-01, FCEB agencies must remediate cataloged vulnerabilities by the required due date; CISA urges all organizations to prioritize timely remediation and to reduce exposure to active threats.
read more →

Fortinet confirms FortiCloud SSO auth bypass remains unpatched

⚠️ Fortinet confirmed it is still addressing a critical FortiCloud SSO authentication bypass (CVE-2025-59718) after reports that attackers are able to bypass patches and compromise fully updated firewalls. Security firm Arctic Wolf says automated attacks beginning January 15 created VPN-access admin accounts and quickly exfiltrated firewall configurations. Fortinet advises disabling FortiCloud SSO, restricting administrative access with a local-in policy, and treating affected systems as compromised while a full fix is developed.
read more →

Trivial Telnet Auth Bypass Enables Complete Device Takeover

🔓 A trivial authentication bypass in the inetutils telnet server (CVE-2026-24061) lets attackers gain root by abusing the USER environment variable. Telnetd forwards the USER value to /usr/bin/login, so sending USER='-f root' with telnet's -a/--login option causes an automatic root login (e.g., USER='-f root' telnet -a [host_ip]). The flaw has existed for about 11 years, so many legacy and IoT devices are likely affected. Apply the vendor/distribution patch immediately or disable Telnet and restrict access to whitelisted IPs.
read more →

SmarterMail auth bypass exploited to hijack admins

🔒 An authentication bypass in SmarterTools SmarterMail allows unauthenticated actors to reset system administrator passwords via the publicly exposed 'force-reset-password' API endpoint. The endpoint accepts attacker-controlled JSON and an IsSysAdmin flag that, when set to true, triggers admin password reset logic without verifying the old password. watchTowr reported the issue on January 8 and SmarterMail released Build 9511 on January 15; researchers observed exploitation within days. Administrators should apply the update immediately to prevent full account takeover.
read more →

FortiOS Single Sign-On Abuse: Incident Analysis and Guidance

🔒 Fortinet issued an advisory describing two FortiCloud SSO bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) discovered during an internal code audit. The flaws allowed crafted SAML assertions to bypass authentication on FortiOS, FortiWeb, FortiProxy, and FortiSwitch Manager when FortiCloud SSO was enabled. Recent reports show active exploitation, including instances against fully patched devices, indicating a new attack path. Fortinet advises monitoring IOCs, restricting administrative access, disabling FortiCloud SSO as a workaround, and treating affected systems as compromised.
read more →

Critical GNU InetUtils telnetd Flaw Allows Root Login

🔐 A critical vulnerability in GNU InetUtils telnetd (CVE-2026-24061) enables remote attackers to bypass authentication and gain root access by supplying a crafted USER environment string. The flaw, present in releases 1.9.3 through 2.7, occurs because telnetd forwards an unvalidated USER value to /usr/bin/login, which interprets "-f root" as an authentication bypass. Administrators should apply patches or disable telnetd until updates are installed.
read more →

Appsmith authentication flaw enables account takeovers

🔒 A critical authentication vulnerability (CVE-2026-22794) in the Appsmith low-code platform allowed attackers to manipulate password reset links by supplying a malicious HTTP Origin header, causing reset tokens to be redirected to attacker-controlled infrastructure. Exploitation can lead to full account takeover, including administrator access. The flaw affects Appsmith 1.92 and earlier and was corrected in 1.93; internet scans identified 1,666 publicly accessible instances.
read more →

RealHomes CRM Plugin Flaw Patched After Site Takeovers

⚠️ A critical flaw in the RealHomes CRM WordPress plugin—bundled with the widely used RealHomes theme and present on more than 30,000 sites—allowed any logged-in user with Subscriber access or higher to upload arbitrary files via a CSV import. Assigned CVE-2025-67968, the bug affected versions 1.0.0 and earlier and could lead to full site takeover. Developers released v1.0.1, adding a current_user_can check and file-type validation via wp_check_filetype; users should update immediately.
read more →

Talos Disclosures: Foxit, Epic Games, and MedDream Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities affecting Foxit PDF Editor, the Epic Games Store installer, and MedDream PACS. The issues include installer privilege escalation, two use‑after‑free flaws in Foxit that can be triggered by crafted PDF JavaScript, and 21 reflected XSS vulnerabilities in MedDream. Vendors have issued patches under Cisco’s disclosure policy. Administrators should apply vendor updates and consider IDS/IPS signatures such as Snort to detect attempted exploitation.
read more →