< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2054 articles · page 6 of 103

CISA warns: actively exploited LiteSpeed cPanel flaw

⚠️ CISA has ordered federal agencies to secure servers against an actively exploited LiteSpeed cPanel user-end plugin flaw (CVE-2026-48172 / CVE-2026-54420) that can allow privilege escalation to root on shared hosting with CloudLinux/CageFS. The vulnerability affects plugin versions prior to 2.4.8 and stems from a UNIX symlink following weakness; LiteSpeed released urgent updates and provided a command to check for compromises. Agencies must comply with BOD 26-04 and remediate systems within three days per the Known Exploited Vulnerabilities Catalog.
read more →

Vertex AI SDK bucket-squatting enables RCE

🛡️ We discovered a vulnerability in the Google Cloud Vertex AI Python SDK that allowed an attacker to hijack a model upload and poison it, enabling remote code execution (RCE) in a victim's serving infrastructure. The issue stems from a predictable default staging bucket name and a missing ownership check in the SDK. By creating the same deterministic bucket in their own project and granting broad permissions, an attacker could replace uploaded model artifacts within a short window before Vertex AI reads them. Google fixed the issue in google-cloud-aiplatform v1.148.0 released April 15, 2026; developers should upgrade to the patched SDK.
read more →

Cisco SD‑WAN flaw highlights management‑plane risk

🔒 Cisco has issued patches for a vulnerability in Cisco Catalyst SD‑WAN Manager that allowed authenticated users with write access to create or overwrite files via a flawed file upload API, potentially enabling later privilege escalation to root. The flaw, tracked as CVE‑2026‑20262, affected all deployment types and had been subject to limited exploitation; Cisco advised upgrading to fixed releases and reviewing logs for suspicious uploads such as index.jsp and .war files. Analysts warn that compromise of the management plane can lead to network‑wide control‑plane impact and recommend isolating, hardening, and tightly monitoring SD‑WAN managers as Tier‑0 assets.
read more →

Cisco issues patches for SD‑WAN file upload flaw

🔒 Cisco has released updates fixing a medium‑severity flaw in Cisco Catalyst SD‑WAN Manager (CVE‑2026‑20262) that is being actively exploited. The bug allows an authenticated attacker with write access to create or overwrite files via a vulnerable web UI file upload API, which can be leveraged to escalate privileges. Affected on‑prem and cloud SD‑WAN deployments have fixes available across multiple release tracks; customers are urged to apply patches and audit logs for suspicious WAR uploads.
read more →

CISA Adds LiteSpeed cPanel Plugin Flaw to KEV

🛡️ CISA added CVE-2026-54420 — a privilege escalation flaw in the LiteSpeed cPanel plugin — to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to remediate by June 18, 2026. The vulnerability (CVSS 8.5) allows a user with FTP or web shell access to escalate to root on shared hosting running CloudLinux/CageFS. LiteSpeed advised running a specific grep check in cPanel logs to detect exploitation and recommended upgrading to LiteSpeed WHM Plugin v5.3.2.1 (with cPanel plugin v2.4.8) or later. Namecheap reported the issue on May 31, 2026.
read more →

Critical OIDC flaw lets attackers add SimpleHelp technicians

🔒 A critical vulnerability (CVE-2026-48558) in SimpleHelp allows unauthenticated actors to create privileged Technician accounts when OIDC authentication is enabled. Researchers at Horizon3.ai attribute the issue to improper validation of identity assertions from OIDC identity providers. The vendor released fixes in versions 5.5.16 and 6.0RC2 on June 9, and mitigations include IP allowlists and monitoring for suspicious technician registrations.
read more →

Cisco fixes SD‑WAN Manager zero‑day exploited to root

🛡️ Cisco has released patches for a zero-day in Catalyst SD-WAN Manager (formerly SD-WAN vManage), tracked as CVE-2026-20262, which was exploited to escalate to root privileges. The flaw affects all deployment types and results from insufficient validation of user-supplied file uploads, allowing authenticated low-privilege attackers to create or overwrite files via a crafted HTTP request. Cisco PSIRT confirmed active exploitation, provided IOCs, and strongly urged customers to upgrade to fixed releases.
read more →

LiteLLM vulnerability chain allows full server takeover

🛡️ Researchers at Obsidian Security disclosed a three-bug chain in the open-source LiteLLM proxy that lets a default low-privilege account escalate to full proxy admin and achieve remote code execution. The combined issue, rated CVSS 9.9, exposes provider keys, decryption secrets, prompts, and responses. Maintainer BerriAI published fixes in LiteLLM v1.83.14-stable (May 2); users should upgrade and audit admin roles, guardrails, callbacks, and keys.
read more →

One-click Microsoft 365 Copilot SearchLeak flaw

🔎 Researchers at Varonis chained three bugs into a one-click exfiltration path dubbed SearchLeak that could have pulled emails, calendar entries, and indexed files from Microsoft 365 Copilot Enterprise Search. Because the malicious link used a legitimate microsoft.com domain, URL filters and anti-phishing tools were unlikely to block it. Microsoft assigned CVE-2026-42824, mitigated the issue on its backend, and Varonis released a proof-of-concept without observed exploitation.
read more →

Critical SearchLeak flaw in Microsoft 365 Copilot

🔒 Microsoft fixed a critical vulnerability chain named SearchLeak in Microsoft 365 Copilot Enterprise that could let attackers exfiltrate mailbox, OneDrive, and SharePoint data via a single crafted URL. Researchers at Varonis chained a parameter-to-prompt injection, an HTML rendering race condition, and a Bing SSRF-based CSP bypass to make Copilot fetch and leak sensitive content. The issue was addressed as CVE-2026-42824 and requires no user action now that Microsoft patched it.
read more →

CISA Adds Two Vulnerabilities to KEV Catalog

🔔 CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation. The agency emphasizes these flaws are common attack vectors that present substantial risk to the federal enterprise. BOD 26-04 requires Federal Civilian Executive Branch agencies to prioritize rapid remediation of high-risk CVEs in the KEV catalog and to assess potential compromise before patching. CISA urges all organizations to adopt risk-based vulnerability management and to submit suspected exploited flaws via the KEV Nomination Form.
read more →

Critical Splunk Enterprise Postgres Sidecar Flaw Fixed

🛡️ Splunk released security updates to remediate a critical unauthenticated file operation and remote code execution vulnerability (CVE-2026-20253, CVSS 9.8) affecting certain Splunk Enterprise versions. The flaw stemmed from an unauthenticated PostgreSQL sidecar service endpoint that allowed creation or truncation of arbitrary files. Splunk fixed the issue in 10.0.7 and 10.2.4; Splunk Cloud is not affected because it does not use Postgres sidecars. Users are urged to apply the updates promptly to mitigate exploitation risk.
read more →

phpBB fixes decade-old authentication bypass

🔒 Researchers discovered a 10-year-old authentication bypass in phpBB that allows logging in as any user, including administrators. The flaw affects versions 4.0.0-a2 and 3.3.16 and below and can be exploited with a single HTTP request on default configurations. Aikido reported the issue on June 2 and phpBB patched it in version 3.3.17 on June 6; 4.x users must await a safe release.
read more →

CISA Adds One Vulnerability to KEV Catalog

🔔 CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog after confirmed active exploitation. The agency emphasizes that such flaws are common attack vectors posing significant risk to the federal enterprise and urges rapid remediation. Binding Operational Directive 26-04 requires FCEB agencies to prioritize fixes for KEV-listed CVEs on internet-exposed assets and to check for compromise prior to patching. CISA encourages all organizations to adopt risk-based vulnerability management and submit potential KEV candidates via the KEV Nomination Form.
read more →

Microsoft fixes WUSA update failures in June patch

🔧 Microsoft fixed a known issue causing Windows updates released since May 2025 to fail when installed via the Windows Update Standalone Installer (WUSA) from a network share. The bug affected enterprise Windows 11 24H2/25H2 and Windows Server 2025 devices when multiple .msu files were present on a network share, producing ERROR_BAD_PATHNAME. Microsoft mitigated the issue for home and non-managed business devices in September 2025 and delivered a full fix in the June 2026 cumulative updates (KB5079391, KB5094125).
read more →

Critical LangGraph flaw chain risks remote code execution

🔒 Researchers disclosed three patched vulnerabilities in LangGraph, including a critical SQL injection and unsafe deserialization chain that could enable remote code execution in self-hosted deployments. LangGraph is an open-source framework from LangChain for building stateful, multi-agent AI applications. Check Point and researcher Yarden Porat reported the issues, which affect SQLite and Redis checkpointers but not LangChain's managed LangSmith service.
read more →

Oracle mitigates PeopleSoft zero-day used in data theft

🔔 Oracle warns of a critical PeopleSoft Suite zero-day, CVE-2026-35273, enabling unauthenticated remote code execution and carrying a CVSS 9.8 score. The flaw impacts PeopleSoft PeopleTools versions 8.61 and 8.62; Oracle released emergency mitigations and plans a patch. Threat actor ShinyHunters is linked to active exploitation and large-scale data theft across hundreds of instances. Administrators are urged to review logs and block identified IPs to assess compromise.
read more →

New GreatXML BitLocker Bypass Exploit Disclosed

🔒 Security researcher Chaotic Eclipse disclosed a new BitLocker bypass named GreatXML that leverages files placed on the recovery partition and booting into Windows Recovery Environment (WinRE). The researcher says the issue is tied to using Windows Defender Offline Scan and can result in a shell with unrestricted access to a BitLocker volume if specific XML files are copied to the recovery partition and WinRE is invoked. GreatXML follows other recent disclosures from the same researcher, including a Defender zero-day and the earlier YellowKey bypass.
read more →

ServiceNow patches unauthenticated API exposure risk

🔒 ServiceNow notified customers after remediating a vulnerability that allowed an unauthenticated API endpoint to return tenant data under certain configurations. The issue, first reported via the vendor’s bug bounty program in April, prompted hosted updates on June 5 and guidance for self-hosted deployments. ServiceNow says affected instances were a subset of tenants and that observed activity appears linked to security researchers, though investigation continues. Customers are urged to apply updates and review logs for signs of unauthorized access.
read more →

Critical LangGraph Vulnerabilities Put AI Agents at Risk

🔒 Check Point Research discovered a critical vulnerability chain in LangGraph, an open-source AI agent framework with ~46.5M monthly downloads, that can lead to full remote code execution. The issue centers on the checkpointer persistence layer where an SQL injection in get_state_history() can be chained with a msgpack deserialization flaw to execute attacker-controlled code. Three CVEs were assigned and patched; affected teams should upgrade and place authentication and network controls in front of self-hosted deployments.
read more →