< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2061 articles · page 61 of 104

Open WebUI Direct Connections flaw risks account takeover

⚠️ A high-severity vulnerability (CVE-2025-64496) affecting Open WebUI versions 0.6.34 and earlier can enable account takeover when the Direct Connections feature is enabled. A malicious OpenAI-compatible model server can send a crafted server-sent events message that executes JavaScript in a connected user's browser and steals authentication tokens from localStorage. Open WebUI 0.6.35 and later block the malicious execute events; administrators should upgrade immediately, restrict Direct Connections to trusted endpoints, and strengthen authentication and sandboxing.
read more →

Columbia Weather Systems MicroServer Vulnerabilities

⚠️ Columbia Weather Systems’ MicroServer firmware contains multiple vulnerabilities that could let an attacker redirect SSH connections, expose vendor and user secrets stored on an unencrypted SD card, and obtain a limited interactive shell with elevated file privileges. Affected devices run firmware versions prior to MS_4.1_14142. Columbia Weather Systems recommends updating to MS_4.1_14142 or later and contacting support for assistance; CISA advises minimizing network exposure, isolating control networks, and using secure remote access such as up-to-date VPNs. No known targeted public exploitation has been reported; UsrPacific reported these issues to CISA.
read more →

High-severity Open WebUI flaw lets models inject code

⚠️Security researchers disclosed a high-severity vulnerability in Open WebUI (CVE-2025-64496) that allows external model servers connected via the Direct Connections feature to stream server-sent events that execute JavaScript in the browser. Malicious code can read long-lived JSON Web Tokens stored in localStorage to take over accounts and access workspaces, documents, chats, and embedded API keys. With elevated workspace.tools permissions, attackers can escalate to remote code execution on backend servers. Organizations should patch to v0.6.35 immediately.
read more →

Critical n8n CVE-2025-68668: Python Code Node RCE Exploit

⚠️ A critical sandbox bypass, CVE-2025-68668 (CVSS 9.9), has been disclosed in n8n, allowing an authenticated user with workflow create/modify permissions to execute arbitrary OS commands on the host running n8n. The flaw resides in the Python Code Node that uses Pyodide and affects n8n versions 1.0.0 up to, but not including, 2.0.0. The issue is resolved in n8n 2.0.0, which makes the task-runner native Python implementation the default. Short-term mitigations include disabling the Code Node, disabling Python in the Code Node, or enabling the task-runner Python sandbox via environment variables.
read more →

Critical AdonisJS bodyparser Path Traversal Risks File Write

🚨 Maintainers of @adonisjs/bodyparser urge immediate updates after disclosure of CVE-2026-21440, a critical path traversal flaw that can enable attackers to write arbitrary files via unsanitized multipart filenames. The vulnerability stems from MultipartFile.move(location, options) defaulting to client-supplied names when the options.name is omitted. Exploitation requires a reachable upload endpoint and can lead to file overwrite and possible RCE depending on deployment, filesystem permissions, and overwrite settings.
read more →

Thousands of FortiGate Firewalls Still Exposed to 2020 Flaw

🔒 Bleeping Computer reports that attackers are actively exploiting an older FortiOS vulnerability, CVE-2020-12812, which can bypass two-factor authentication. Although Fortinet issued a patch in July 2020, researchers say at least 10,000 FortiGate firewalls remain unpatched. Administrators are urged to install the latest updates immediately to mitigate account access risks. Additional measures include restricting administrative access, rotating credentials, and monitoring logs for suspicious activity.
read more →

10,000+ Fortinet Firewalls Exposed to 2FA Bypass Worldwide

⚠ Administrators continue to find more than 10,000 internet-exposed Fortinet firewalls vulnerable to an active two-factor authentication bypass (CVE-2020-12812) that was patched in July 2020. The flaw in FortiOS SSL VPN permits login without a second factor when username case is altered; Fortinet advised disabling username case sensitivity as a mitigation. Shadowserver reports over 1,300 affected IPs in the U.S. — network owners should patch, apply mitigations, and audit LDAP-dependent management interfaces immediately.
read more →

Critical IBM API Connect Flaw Allows Authentication Bypass

🔒 IBM is urging customers to quickly apply interim fixes for a critical authentication-bypass vulnerability in IBM API Connect (CVE-2025-13915) that affects versions 10.0.8.0–10.0.8.5 and 10.0.11.0. The flaw can allow unauthorized access to exposed applications without user interaction and stems from a broken architectural assumption that traffic passing the gateway guarantees identity enforcement (CWE-305). IBM has published platform-specific interim fixes and advises disabling self-service sign-up on Developer Portals if patches cannot be applied; administrators must also remove image overrides when upgrading to avoid persistent shadow state.
read more →

IBM Alerts: Critical API Connect Authentication Bypass

🔒 IBM has disclosed a critical authentication bypass in IBM API Connect, tracked as CVE-2025-13915 with a CVSS score of 9.8. The flaw could allow remote attackers to gain unauthorized access to the application. Affected releases include 10.0.8.0–10.0.8.5 and 10.0.11.0. IBM advises downloading the interim fix from Fix Central and, if immediate patching is not possible, disabling Developer Portal self-service sign-up as a temporary mitigation.
read more →

IBM warns of critical API Connect auth bypass — patch now

🔒 IBM urged customers to patch a critical authentication bypass in its API Connect platform that could allow attackers to access applications remotely. Tracked as CVE-2025-13915 and rated 9.8/10, the flaw affects versions 10.0.11.0 and 10.0.8.0–10.0.8.5. Exploitation is low-complexity and requires no user interaction. IBM recommends upgrading to the latest release and offers interim mitigations, including disabling self-service sign-up on the Developer Portal.
read more →

CSA warns of critical RCE in SmarterMail email server

⚠️ The Cyber Security Agency of Singapore (CSA) has warned of a maximum-severity vulnerability, CVE-2025-52691 (CVSS 10.0), in SmarterTools SmarterMail that permits unauthenticated arbitrary file uploads and could enable remote code execution. The flaw affects builds 9406 and earlier and was fixed in Build 9413 (Oct 9, 2025); CSA recommends updating to Build 9483 (Dec 18, 2025). While no active exploitation has been reported, administrators should apply the vendor update promptly to mitigate the risk of web shells or malicious binaries being deployed and executed with SmarterMail service privileges.
read more →

CISA Orders Agencies to Patch High-Severity MongoDB Flaw

🔒 CISA has ordered federal civilian agencies to secure systems against MongoBleed (CVE-2025-14847), a high-severity MongoDB Server vulnerability patched on December 19, 2025. The flaw, rooted in how the server uses the zlib compression library, can be exploited by unauthenticated actors to leak credentials, API/cloud keys, session tokens, logs, and PII. An Elastic researcher released a PoC and telemetry shows tens of thousands of potentially vulnerable instances; agencies must patch by January 19, 2026, or apply vendor mitigations or temporarily disable zlib until updates can be deployed.
read more →

CISA Releases Two ICS Advisories on WHILL and DAQFactory

🔔 CISA published two Industrial Control Systems (ICS) Advisories: ICSA-25-364-01 for WHILL C2 Wheelchairs and ICSA-25-345-03 for AzeoTech DAQFactory (Update A). The advisories describe identified vulnerabilities and recommended mitigations. Administrators and users are encouraged to review the technical details and apply mitigations promptly to reduce exposure.
read more →

Critical Bluetooth Authentication Flaw in WHILL Wheelchairs

🔒 WHILL Inc. electric wheelchairs (Model C2 and Model F) are affected by a critical Bluetooth authentication vulnerability, CVE-2025-14346, that allows an attacker within wireless range to pair without credentials and issue movement and configuration commands. The flaw is rated CVSS 3.1 9.8 (CRITICAL) and is classified as CWE-306 Missing Authentication for Critical Function. WHILL deployed mitigations on 29 December 2025 that restrict unlock commands during motion, protect speed profiles, and obfuscate application JSON configuration files on Android and iOS.
read more →

Patch Tuesday 2025: Microsoft's Most Concerning Bugs

🛡️Microsoft addressed 1,246 CVEs in 2025, including 158 critical flaws and 41 zero‑days, highlighting an increasingly aggressive threat landscape and the use of AI by attackers to accelerate exploitation. Experts warned that several lower‑scored but actively abused bugs—such as ToolShell (CVE-2025-53770), CVE-2025-24993, and CVE-2025-30377—enabled remote code execution or privilege escalation in practice. Recommended actions include immediate remediation of highest‑risk items, automated triage to free analysts, and contextual prioritization using SSVC rather than relying solely on raw CVSS scores.
read more →

CISA Adds CVE-2025-14847 (MongoDB) to KEV Catalog Now

⚠️ CISA has added CVE-2025-14847, an MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency vulnerability, to the KEV Catalog after evidence of active exploitation. The designation signals a significant risk to the federal enterprise under BOD 22-01, which requires Federal Civilian Executive Branch agencies to remediate listed vulnerabilities by their due dates. Although BOD 22-01 applies to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management and will continue adding qualifying CVEs to the catalog.
read more →

Fortinet warns: 5-year-old FortiOS 2FA bypass exploited

🔒 Fortinet warns that attackers continue to exploit a critical FortiOS vulnerability (CVE-2020-12812) that can bypass two-factor authentication on FortiGate SSL VPNs by changing the case of the username. The issue affects configurations where local users requiring FortiToken are linked to LDAP groups and stems from inconsistent case-sensitive matching between local and remote authentication. Fortinet patched the bug in July 2020 and advised disabling username case sensitivity or removing secondary LDAP group fallbacks if patches cannot be deployed; the vendor reports ongoing abuse against appliances with LDAP configured.
read more →

React2Shell: Critical RCE in React Server Components

⚠️ React 19 was hit by React2Shell, a critical unauthenticated RCE in React Server Components. The flaw allows arbitrary code execution on servers via crafted requests and affects default React and Next.js deployments. Multiple vendors, including Google and AWS, reported active exploitation within hours; patches are available. Defenders should validate exposure beyond version checks and hunt for backdoors, tunneling, and unexpected child processes.
read more →

MongoDB 'MongoBleed' Vulnerability Actively Exploited

⚠ A newly disclosed vulnerability, CVE-2025-14847 (dubbed MongoBleed), is being actively exploited to leak sensitive data from MongoDB server memory. The flaw in zlib-based network message decompression lets unauthenticated attackers send malformed compressed packets to read uninitialized heap memory before authentication. Researchers report over 87,000 potentially vulnerable instances worldwide and widespread exposure in cloud environments. Administrators should apply published patches, disable zlib compression as a temporary mitigation, restrict network exposure, and monitor for anomalous pre-auth connections.
read more →

MongoBleed flaw exposed MongoDB secrets on 87K servers

🔓 A critical MongoDB vulnerability, tracked as CVE-2025-14847 and dubbed MongoBleed, is being actively exploited to leak in-memory secrets from exposed servers. A public PoC demonstrates how malformed zlib-compressed network messages cause the server to return allocated memory rather than decompressed lengths, exposing credentials, API keys, session tokens, and other sensitive data. Over 87,000 instances were identified as potentially vulnerable on the public internet, and vendors released patches on December 19; administrators should prioritize upgrades or disable zlib compression if immediate upgrades are not possible.
read more →