< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2062 articles · page 56 of 104

Mandiant Publishes Tool to Expose NTLMv1 Insecurity

🔓 Mandiant released a pre-computed Net-NTLMv1 rainbow table so anyone can map challenge-response data back to real NT hashes, a move intended to force organizations to abandon the insecure NTLMv1 protocol. The dataset, hosted via the Google Cloud Research Dataset portal, can recover keys in about 12 hours using roughly $600 of hardware. Mandiant says the goal is to demonstrate immediate risk and prompt remediation rather than to create new vulnerabilities.
read more →

ACME HTTP-01 Path Flaw Temporarily Disabled WAF Rules

🔒 Cloudflare patched a logic flaw in its ACME HTTP-01 handling that could disable certain WAF protections for specific challenge paths. The issue was reported by researchers from FearsOff through Cloudflare’s bug bounty program on October 13, 2025, and affected requests to /.well-known/acme-challenge/*. In some cases, challenge requests could reach customer origins when they should have been blocked because WAF features were incorrectly disabled. Cloudflare implemented a code change to ensure WAF disabling only occurs when Cloudflare will serve a valid ACME challenge response; no customer action is required and there is no known abuse.
read more →

StackWarp: Hardware Flaw Breaks SEV-SNP on AMD Zen CPUs

🔒 A team from CISPA disclosed StackWarp, a hardware vulnerability affecting AMD Zen 1–5 processors that subverts SEV-SNP protections. The flaw lets a privileged host manipulate a guest VM's stack pointer via a previously undocumented control bit and a co-running hyperthread, enabling control-flow hijacks, data corruption, and secret exfiltration. Vendors released microcode fixes and AGESA patches are planned.
read more →

Python libraries for Hugging Face models enable RCE

⚠️ Researchers at Palo Alto Networks' Unit 42 disclosed critical weaknesses in the NeMo, Uni2TS and FlexTok Python libraries used with Hugging Face models, where malicious code can be hidden in model metadata and executed automatically when a manipulated file is loaded. The root cause is the use of Hydra's instantiate(), which accepts arbitrary callables and arguments and can therefore permit remote code execution if metadata is untrusted. Vendors including NVIDIA, Salesforce and the maintainers of FlexTok have issued fixes and CVE assignments; users should upgrade affected libraries and audit models before loading.
read more →

ServiceNow BodySnatcher Flaw Exposes AI Agent Risks

⚠️ Research firm AppOmni disclosed a critical privilege-escalation vulnerability called BodySnatcher in ServiceNow’s Now Assist AI Agents and Virtual Agent API that could let unauthenticated actors execute workflows as arbitrary users. ServiceNow says hosted instances were patched at the end of October and customers should upgrade to specified Now Assist and Virtual Agent API versions. AppOmni warns that default example agents and permissive authentication choices mean similar risky configurations could still exist in custom code or third-party integrations, and recommends enforcing MFA, reviewing agents, and applying the updates promptly.
read more →

Microsoft releases OOB Windows fixes for Cloud PC issues

🔧 Microsoft has issued out-of-band Windows updates to address two issues introduced by the January 2026 security updates: credential prompt failures that can block Microsoft 365 Cloud PC and remote desktop sign-ins, and a shutdown/hibernate failure on Windows 11 23H2 when Secure Launch is enabled. The fix packages must be manually downloaded from the Microsoft Update Catalog, and administrators can deploy Known Issue Rollback (KIR) installers via Group Policy for enterprise-managed devices when immediate deployment is required.
read more →

Cisco patches critical zero-day in email gateway products

⚠️ Cisco has released patches for a critical zero-day, CVE-2025-20393, in AsyncOS that affects Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw allows a remote attacker to gain root by sending a crafted HTTP request to the Spam Quarantine interface when it is enabled and reachable from the internet. Cisco first learned of exploitation in December, issued a public advisory on Dec. 17, and has now published fixes to address the issue.
read more →

Google Vertex AI permissions raise insider threat risks

⚠️ XM Cyber disclosed privilege-escalation flaws in Google’s Vertex AI that let low‑privileged users manipulate Google-managed Service Agents to gain elevated project-wide permissions. Google told XM Cyber this behavior is "working as intended." Security experts warn that managed service identities and insecure defaults create invisible, structural risks. CISOs are urged to audit service identities, reduce authentication scope, and monitor agent activity like privileged users.
read more →

Modular DS Flaw Lets Attackers Gain Instant WordPress Admin

🔓 Modular DS versions 2.5.1 and earlier contain a critical privilege-escalation bug (CVE-2026-23550) that lets unauthenticated attackers gain full WordPress admin access by calling unprotected API routes under /api/modular-connector/. Patchstack reported active exploitation and the vendor released Modular DS 2.5.2 on January 14, 2026. Administrators should update immediately, check for rogue admin accounts, enable two-factor authentication, apply IP restrictions, and consider Patchstack’s mitigation rules if immediate patching isn’t possible.
read more →

Windows 11 January Update Causes Outlook Freezes for POP

⚠ Microsoft is investigating reports that the January Windows 11 security update KB5074109 causes the classic Outlook desktop client to freeze and hang for users with POP email accounts. Affected users say Outlook does not exit properly and will not restart after being closed, disrupting normal mail access. Microsoft’s Outlook and Windows teams are examining the issue but have not provided a timeline for a fix. As a temporary workaround, users can uninstall KB5074109 via Settings > Windows Update > Update history > Uninstall updates, though removing security updates can expose systems to additional risk.
read more →

Critical Fortinet FortiSIEM Flaw Now Exploited in Attacks

⚠️ Researchers disclosed that a critical Fortinet FortiSIEM vulnerability (CVE-2025-64155) with public proof-of-concept code is being abused in active attacks. Horizon3.ai described the issue as an unauthenticated OS command injection via exposed phMonitor command handlers that enables arbitrary writes and escalation to root, and Fortinet released security updates plus a port-restriction workaround for phMonitor (7900). Administrators should upgrade affected FortiSIEM versions 6.7 through 7.5 to the patched releases and review phMonitor logs for indicators of compromise.
read more →

Cisco Patches AsyncOS Zero-Day Targeting SEG/SEWM Appliances

🔒 Cisco has released a fix for a maximum‑severity AsyncOS zero‑day (CVE-2025-20393) that has been exploited since November 2025. The flaw impacts Cisco Secure Email Gateway and Secure Email and Web Manager appliances with non-standard configurations when the Spam Quarantine feature is exposed to the internet, permitting arbitrary command execution as root. Cisco Talos links the intrusions to a Chinese-nexus actor tracked as UAT-9686, which deployed persistence and tunneling implants and a log-wiping utility. CISA has added the vulnerability to its known exploited vulnerabilities catalog and ordered federal remediation under BOD 22-01.
read more →

RondoDox Botnet Escalates Exploitation of HPE OneView

⚠️ Check Point Research links the Linux-based RondoDox botnet to a coordinated exploitation campaign against HPE OneView, leveraging the critical RCE flaw CVE-2025-37164. The vulnerability, published to the NVD on 16 December 2025 and rated CVSS 3.1 = 10 by HPE, has been the subject of tens of thousands of automated attack attempts. Check Point reported blocking more than 40,000 hits on 7 January 2026 and urged organizations to patch immediately and implement compensating controls.
read more →

Windows 11 23H2 Shutdown Issue After January Security Update

⚠️ Microsoft has confirmed that the January 13, 2026 cumulative update (KB5073455) can prevent some Windows 11, version 23H2 devices with System Guard Secure Launch enabled from shutting down or entering hibernation, causing them to restart instead. The issue is limited to Enterprise and IoT editions where the update is offered. Microsoft recommends the temporary workaround shutdown /s /t 0 for shutdowns and warns there is currently no hibernation workaround. Users should save work and perform manual shutdowns to avoid battery drain.
read more →

Cisco patches critical AsyncOS RCE exploited by APT

🔒 Cisco has released patches for a maximum-severity remote command execution vulnerability (CVE-2025-20393, CVSS 10.0) in AsyncOS that affects Cisco Secure Email Gateway and Secure Email and Web Manager. The defect stems from insufficient validation of HTTP requests in the Spam Quarantine feature and can allow arbitrary commands to run as root when the feature is enabled and reachable from the internet. Cisco says a China-nexus APT tracked as UAT-9686 exploited the bug in the wild, deploying tunneling tools, a log-cleaner and a Python backdoor, and that fixes remove persistence artifacts. Administrators should apply the provided fixed releases and follow the vendor's hardening guidance to restrict access and monitor for anomalous activity.
read more →

Palo Alto patches PAN-OS after new DoS flaw revealed

🔒 Palo Alto Networks has released patches for PAN-OS after a researcher disclosed CVE-2026-0227, a high-severity (CVSS 7.7) vulnerability in GlobalProtect gateway and portal components that can trigger a denial-of-service and force affected firewalls into maintenance mode. The vendor reports no known in-the-wild exploitation but acknowledges proof-of-concept code exists. Prisma Access customers have largely been upgraded; on-premises NGFWs must apply vendor updates per the posted remediation table. There are no official workarounds; temporarily disabling the VPN interface may reduce risk while patching.
read more →

Modular DS WordPress Flaw Lets Attackers Gain Admin

🔒 Hackers are actively exploiting a maximum-severity authentication bypass in the Modular DS WordPress plugin (CVE-2026-23550) to gain admin-level access on vulnerable installs. The flaw affects versions 2.5.1 and earlier and was first observed in the wild on January 13; the vendor released a fix in version 2.5.2 shortly after disclosure. Site owners should update immediately, review server logs, verify admin accounts, and regenerate WordPress salts after patching.
read more →

AWS CodeBuild Misconfiguration Exposed GitHub Repos

⚠️ A critical CodeBuild misconfiguration, dubbed CodeBreach by Wiz, could have allowed attackers to take over several AWS-managed GitHub repositories, including aws-sdk-js-v3, by bypassing webhook actor ID filters. The flaw—missing ^ and $ anchors in regex filters—enabled unauthorized build triggers and potential leakage of privileged GitHub tokens. AWS fixed the issue in September 2025, rotated credentials, implemented mitigations, and reported no evidence of exploitation.
read more →

WhisperPair Flaw Lets Attackers Hijack Bluetooth Audio

🔒 Security researchers at KU Leuven disclosed a critical flaw dubbed WhisperPair (CVE-2025-36911) in the Fast Pair protocol that lets attackers forcibly pair with and control Bluetooth audio accessories. The issue stems from devices failing to enforce the Fast Pair requirement to ignore pairing requests when not in pairing mode, enabling silent hijacking and eavesdropping. Hundreds of millions of headphones, earbuds, and speakers from vendors including Google, Jabra, Sony, OnePlus, Xiaomi, and others are affected, and patches are being coordinated with manufacturers.
read more →

Critical Fast Pair Flaw Lets Attackers Hijack Headsets

🔒 Researchers disclosed a critical vulnerability in Google's Fast Pair protocol, tracked as CVE-2025-36911 and dubbed WhisperPair. The flaw stems from many accessories failing to ignore pairing requests when not in pairing mode, enabling attackers to pair without user consent. Exploits can hijack audio devices, enable eavesdropping and location tracking, and affect hundreds of millions of headsets from vendors including Google, Sony, Jabra, JBL, OnePlus. Only manufacturer firmware updates mitigate the risk; disabling Fast Pair on phones does not protect accessories.
read more →