< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2061 articles · page 60 of 104

Coolify patches 11 critical flaws enabling root compromise

🔒 Researchers disclosed 11 critical vulnerabilities in Coolify, an open-source self-hosting platform, including multiple authenticated command injections, remote code execution, container escape and an information disclosure of the root SSH private key. Several issues carry CVSS scores of 9.4–10.0 and allow attackers with low or moderate privileges to execute arbitrary commands as root or obtain persistent access. Operators should upgrade to patched releases or apply vendor mitigations immediately.
read more →

Cisco patches ISE flaw after PoC exploit released; update

🔒 Cisco has released patches for an Identity Services Engine (ISE) XML-parsing vulnerability tracked as CVE-2026-20029 that can be abused by remote attackers with valid administrative credentials. The flaw in ISE and ISE Passive Identity Connector allows a crafted XML upload to read arbitrary files on the host. Cisco notes a public proof-of-concept is available and urges customers to upgrade to patched releases rather than rely on temporary mitigations.
read more →

CISA Flags Critical HPE OneView Flaw as Actively Exploited

🚨 CISA has added a maximum-severity vulnerability in HPE OneView (CVE-2025-37164) to its catalog of flaws actively exploited in the wild. Reported by Nguyen Quoc Khanh (brocked200) and patched by HPE in mid-December, the bug affects all OneView releases before v11.00 and enables unauthenticated code-injection attacks leading to remote code execution. There are no known mitigations or workarounds; HPE and CISA urge immediate upgrades, and federal agencies must remediate by January 28 under BOD 22-01.
read more →

CISA Flags Microsoft Office and HPE OneView KEV Flaws

⚠️ CISA added two vulnerabilities — in Microsoft Office PowerPoint (CVE-2009-0556, CVSS 8.8) and HPE OneView (CVE-2025-37164, CVSS 10.0) — to its Known Exploited Vulnerabilities catalog after observing evidence of active exploitation. The HPE flaw permits unauthenticated remote code execution and affects versions prior to 11.00; HPE has released hotfixes for OneView 5.20 through 10. A proof-of-concept exploit for CVE-2025-37164 was disclosed publicly on December 23, 2025, prompting eSentire to urge immediate patching. Federal agencies subject to BOD 22-01 are instructed to remediate by January 28, 2026.
read more →

Critical Veeam Backup & Replication Flaws Require Patch

🔒 Veeam has released a patch addressing four vulnerabilities in Backup & Replication v13 that let users with Backup Admin, Backup Operator, or Tape Operator roles exceed intended privileges. The most severe, CVE-2025-59470 (CVSS 9.0), can enable remote code execution as the Postgres user; others permit file writes as root or RCE via malicious configuration files. Veeam recommends immediate installation of version 13.0.1.1071; the vendor says core backup data remains immutable and intact.
read more →

Critical jsPDF flaw exposes local files in generated PDFs

⚠ The jsPDF library contains a critical local file inclusion and path traversal vulnerability (CVE-2025-68428) that can embed sensitive files from the local filesystem into generated PDFs when user-controlled input is passed to file-loading APIs. The issue affects Node.js builds (dist/jspdf.node.js and dist/jspdf.node.min.js) and functions such as loadFile, addImage, html, and addFont. The bug was addressed in jsPDF 4.0.0 by restricting filesystem access by default; maintainers recommend upgrading, sanitizing input paths, and using modern Node.js permission modes.
read more →

Critical RCE in n8n Enables Full Local Deployment Takeover

⚠️ Researchers at Cyera disclosed a critical vulnerability in n8n (CVE-2026-21858) that allows unauthenticated attackers to read arbitrary local files via content-type parsing confusion and then recreate session cookies to assume any user’s identity. Exploitation can yield administrator privileges and remote code execution through the Execute Command node. The bug was patched in version 1.121.0 on Nov. 18; administrators should update immediately.
read more →

Logitech Options+ and G HUB Fail on macOS After Cert Expiry

⚠️Logitech's Options+ and G HUB apps on macOS stopped launching after their code-signing certificate expired, preventing users from accessing custom gestures, button mappings, lighting presets, and other saved settings. Logitech acknowledged the outage on its support portal and said it will push a new macOS installer that preserves user profiles without changing the visible app version. Community-proposed workarounds include rolling the system date back, installing older builds, or blocking network access, but these are unverified and may have trade-offs. Until an official update is released, users are advised not to delete configuration files to avoid losing customizations.
read more →

Ni8mare: Critical RCE and data-exposure bug in n8n instances

⚠️ A maximum-severity vulnerability (CVE-2026-21858, 10/10) lets unauthenticated remote attackers fully compromise self-hosted n8n instances by exploiting a content-type parsing flaw in webhook/form handling. Cyera reports more than 100,000 vulnerable servers. The bug allows attackers to control file metadata in req.body.files, enabling arbitrary file reads, secret exfiltration, session forgery and potential command execution. n8n recommends updating to 1.121.0 and restricting public webhook endpoints.
read more →

Classic Outlook bug prevents opening encrypted emails

🔒 Microsoft is investigating a bug in the classic Outlook client introduced by Current Channel Version 2511 (Build 19426.20218) that prevents recipients from opening messages encrypted with Encrypt Only permissions. Impacted users may see a reading pane error asking them to verify credentials or encounter a message_v2.rpmsg attachment instead of readable content. The Outlook Team is working on a fix but has not provided an ETA. Microsoft recommends two temporary workarounds: have senders save encrypted messages before sending, or roll back to build 16.0.19426.20186.
read more →

Open WebUI SSE Flaw Allows Malicious Model Server Takeover

⚠ Security researchers at Cato Networks disclosed CVE-2025-64496, a vulnerability in Open WebUI that lets external model servers inject JavaScript via Server-Sent Events (SSE) when the Direct Connections feature is enabled. An attacker controlling a malicious model endpoint can exfiltrate JSON Web Tokens (JWTs) from the browser, enabling account takeover and access to documents, chats, and embedded API keys. If the compromised account has Workspace Tools privileges, the session token can be used to execute authenticated Python code on the backend, leading to remote code execution. The flaw affects versions up to 0.6.34 and is fixed in 0.6.35; organizations are urged to update and implement HttpOnly cookies, strict CSPs, and ban dynamic code evaluation.
read more →

n8n Ni8mare: Critical unauthenticated RCE (CVE-2026-21858)

⚠️ A maximum-severity flaw, CVE-2026-21858 (Ni8mare), in n8n allows unauthenticated remote attackers to read local files, forge administrator sessions, and achieve remote code execution by exploiting a Content-Type parsing confusion that can override req.body.files. The bug affects releases up to and including 1.65.0 and was fixed in 1.121.0 (released November 18, 2025). Operators should upgrade immediately, avoid exposing n8n publicly, and restrict or disable public webhooks and form endpoints until patched.
read more →

New Veeam Backup & Replication RCE Vulnerabilities Exposed

⚠️ Veeam released security updates for Backup & Replication to fix multiple vulnerabilities, including a remote code execution bug tracked as CVE-2025-59470. The flaw affects version 13.0.1.180 and earlier 13 builds and can allow users with Backup or Tape Operator roles to execute code as the postgres user. On January 6 Veeam published 13.0.1.1071 to patch CVE-2025-59470 plus a high (CVE-2025-55125) and a medium (CVE-2025-59468) issue. Administrators are advised to apply updates and follow Veeam's security guidelines to limit privileged-role exposure.
read more →

CISA Adds Two CVEs to KEV Catalog, Urges Remediation

🔔 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2009-0556 (Microsoft Office PowerPoint code injection) and CVE-2025-37164 (HPE OneView code injection). CISA notes evidence of active exploitation and highlights that these vulnerability types are frequent attack vectors posing significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV entries by the specified due date. CISA strongly urges all organizations to prioritize timely remediation as part of sound vulnerability management.
read more →

n8n warns of CVE-2026-21877: CVSS 10.0 RCE in service

🔒 n8n has warned of a maximum-severity remote code execution flaw, CVE-2026-21877, rated 10.0 under CVSS. Under certain conditions an authenticated user may cause untrusted code to be executed by the service, potentially allowing full compromise of affected instances. Both self-hosted and n8n Cloud deployments running versions >= 0.123.0 and < 1.121.3 are impacted; the issue is fixed in 1.121.3 (released November 2025). Administrators should upgrade immediately or, if that is not possible, disable the Git node and restrict access for untrusted users.
read more →

Veeam patches critical RCE in Backup & Replication 13

🔒 Veeam has released security updates for Veeam Backup & Replication to address a critical remote code execution flaw tracked as CVE-2025-59470 (CVSS 9.0) that could allow a Backup or Tape Operator to run code as the postgres user via a crafted interval or order parameter. The vendor also fixed three additional vulnerabilities that permit escalation to root or file writes by privileged backup roles. All 13.x builds up to 13.0.1.180 are affected and the fixes are included in 13.0.1.1071; customers are advised to apply updates and follow role-hardening guidance promptly.
read more →

Critical RCE in Legacy D-Link DSL Routers Under Attack

⚠️A critical remote code execution flaw, CVE-2026-0625, is being actively exploited in legacy D-Link DSL gateway routers via a command-injection weakness in the dnscfg.cgi endpoint. Improper sanitization of DNS configuration parameters allows unauthenticated attackers to execute arbitrary shell commands and modify DNS settings. D-Link says it is investigating affected firmware variants and will publish an updated model list after a firmware-level review. Owners of end-of-life devices should retire or replace impacted hardware immediately.
read more →

New Command Injection in Legacy D-Link DSL Routers

⚠An unauthenticated command injection (CVE-2026-0625) in dnscfg.cgi allows remote shell execution on multiple legacy D-Link DSL gateway routers. VulnCheck reported the issue to D-Link after The Shadowserver Foundation observed an exploitation attempt on a honeypot on December 15. Confirmed affected models (DSL-526B, DSL-2640B, DSL-2740R, DSL-2780B) are End-of-Life and will not receive patches. D-Link advises retiring affected devices or isolating them in segmented non-critical networks and applying restrictive security settings.
read more →

Phishing Actors Exploit Complex Mail Routing and Spoofing

📧 Phishing actors are exploiting complex mail routing and misconfigured spoof protections to send messages that appear to originate internally, frequently using PhaaS platforms such as Tycoon2FA. Microsoft observed increased use of this vector since May 2025, including nested redirect chains and AiTM techniques to harvest credentials. Tenants with MX records pointed to Office 365 benefit from built-in protections; others must enforce strict SPF hard-fail, DKIM signing, and DMARC reject policies and correctly configure connectors to prevent these spoofing campaigns.
read more →

Unpatched EX200 Flaw Lets Authenticated Users Trigger Telnet

⚠ An unpatched firmware error in the TOTOLINK EX200 wireless range extender can cause the device to start an unauthenticated root-level telnet service when specific malformed firmware files are processed. CERT/CC (CVE-2025-65606) says exploitation requires an attacker to be authenticated to the web management interface to reach the firmware-upload handler, which can then enter an abnormal error state. The vendor has not issued a patch and the product is no longer actively maintained; users are advised to restrict administrative access and consider upgrading to a supported model.
read more →