< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2054 articles · page 7 of 103

Critical IoT Platform Flaws Enable Device Takeover

🔒 CISA published an advisory on multiple critical vulnerabilities in the Naxclow IoT Platform that allow device impersonation, credential exposure, and fleet enumeration. A replayable onboarding flow and inadequate authorization let attackers reassign devices, while persistent, non-rotating relay credentials enable long-term access. Additional weaknesses include a hard-coded platform salt for request signing, predictable device identifiers, and cleartext Wi‑Fi secrets exposed via UART.
read more →

Yarbo MQTT Credentials and Authorization Flaw

🔒 Yarbo mobile apps and cloud infrastructure expose hard-coded MQTT broker credentials and lack per-device authorization, enabling broad access to telemetry and command topics across the robot fleet. The vulnerability allows wildcard subscription to telemetry and publishing to individual robot command topics using only a serial number. Yarbo recommends updating the mobile app to 3.17.4 or later; server-side broker authorization will be enforced with the May 2026 update. CISA advises network restrictions, isolation behind firewalls, and use of secure remote access methods while organizations perform risk assessments.
read more →

CISA Adds One Vulnerability to KEV Catalog

🔔 CISA has added a new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog after observing active exploitation. The advisory reiterates that such vulnerabilities are frequent attack vectors and pose significant risks to the federal enterprise. It references BOD 26-04, which requires Federal Civilian Executive Branch agencies to prioritize rapid remediation of high-risk CVEs listed in the KEV catalog and to assess for compromise prior to patching. CISA urges all organizations to adopt risk-based vulnerability management and offers a KEV Nomination Form for reporting exploited vulnerabilities.
read more →

Brickcom Camera Flaw Allows Unauthenticated Video Access

🔒 The advisory describes vulnerabilities in Brickcom cameras that permit unauthenticated attackers to access live snapshots via the /ONVIF endpoint and exploit default credentials to obtain administrative control. CISA reports vendor non-coordination and urges users to contact Brickcom for support while following defensive measures. Recommended mitigations include isolating devices behind firewalls, minimizing internet exposure, and using secure remote access methods such as updated VPNs.
read more →

Microsoft fixes BitLocker recovery bug in Server 2025

🔒 Microsoft has fixed a known issue that caused some Windows Server 2025 devices to boot into BitLocker recovery after the April 2026 security update. The problem affected specific enterprise configurations where BitLocker, certain TPM/PCR7 validation settings, and a 2023-signed Windows Boot Manager interaction could trigger a one-time recovery prompt. Microsoft released KB5094125 (Server 2025) and KB5093998 (Windows 11 23H2) to address the bug and offered mitigation guidance for admins unable to deploy immediately.
read more →

Ivanti patches critical Sentry gateway vulnerabilities

🔒 Ivanti patched two critical vulnerabilities in Ivanti Sentry, an in-line secure mobile gateway formerly called MobileIron Sentry, that could allow unauthenticated remote attackers to take full control of devices. One flaw, CVE-2026-10523, lets attackers bypass authentication to create administrative accounts and is rated 9.9/10. The second, CVE-2026-10520, is a command injection leading to root remote code execution and is rated 10/10. Customers should upgrade to versions 10.5.2, 10.6.2, or 10.7.1 immediately.
read more →

GitHub tightens npm defaults to reduce supply-chain risk

🔒 GitHub will change npm behavior in the upcoming v12 release to block several automatic actions during npm install that have enabled supply-chain attacks. Preinstall, install, and postinstall scripts from dependencies, native builds via node-gyp, and prepare scripts from Git, local file, and linked dependencies will require explicit approval before running. Git and remote URL dependencies will also be disabled by default unless permitted, and developers are advised to test with npm 11.16.0 to surface breaking warnings before upgrading.
read more →

Critical patches from Fortinet, Ivanti and SAP released

🛡️ Fortinet, Ivanti, and SAP issued security updates addressing multiple critical vulnerabilities that could enable arbitrary code execution and data disclosure. Fortinet fixed a command injection in FortiSandbox (CVE-2026-25089, CVSS 9.1). Ivanti patched two critical Ivanti Sentry flaws (CVE-2026-10520, CVSS 10.0; CVE-2026-10523, CVSS 9.9) that allow remote code execution and admin account creation. SAP released fixes for four critical issues across NetWeaver, ABAP Platform, Commerce Cloud, and Data Hub.
read more →

High-severity Langflow path traversal under active exploit

🔒 A critical path traversal flaw, CVE-2026-5027 (CVSS 8.8), in the open-source Langflow low-code AI platform is being actively exploited, per VulnCheck. The issue stems from unsanitized 'filename' input to the POST /api/v2/files endpoint, allowing attackers to write files to arbitrary filesystem locations. Tenable attempted multiple responsible disclosures before public details were released in late March 2026. Public exposure of roughly 7,000 Langflow instances increases exploitation risk across North America and beyond.
read more →

June Patch Tuesday: Record CVE Count and Critical Fixes

🔒 June Patch Tuesday brought an unprecedented wave of fixes: Microsoft released over 200 CVEs including three disclosed zero-days and 32 critical patches, while SAP and Adobe patched multiple high-severity enterprise flaws. Microsoft warns this increase may become the new normal as AI accelerates vulnerability discovery, urging risk-based prioritization and automated patching. Administrators should urgently assess critical kernel, Active Directory, Hyper-V, and Exchange fixes.
read more →

CISA Adds Cisco, Chrome and Arista Flaws to KEV

🔒 CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation. The flaws include an authenticated command injection in Cisco Catalyst SD-WAN Manager (CVE-2026-20245), a V8 out-of-bounds read/write in Google Chrome (CVE-2026-11645), and a tunnel decapsulation issue in Arista EOS (CVE-2026-7473). Agencies must remediate or mitigate these issues by June 23, 2026.
read more →

Microsoft patches Exchange Server XSS zero-day exploit

🛡️ Microsoft released updates to fix an actively exploited Exchange Server XSS vulnerability (CVE-2026-42897) that allows remote attackers to execute arbitrary JavaScript in Outlook Web Access without privileges. The flaw affects Exchange Server 2016, 2019, and Subscription Edition; Microsoft initially deployed a temporary mitigation via the Exchange Emergency Mitigation Service and now urges admins to install the June 2026 security updates and retain mitigations for added protection.
read more →

Microsoft warns some upgraded Windows PCs fail updates

⚠️ Microsoft alerted users that a small subset of Windows devices upgraded to Windows 11 24H2 or 25H2 may fail to install the June 2026 cumulative updates, producing errors 0x80073712 or 0x800f0993. Affected systems show these errors in Update history and logs; Microsoft says a restart will roll out a fix to unmanaged and Home devices starting May 19, 2026. For other impacted machines, Microsoft published replacement KBs and recommends removing an impacted package or performing an in-place upgrade if needed.
read more →

Microsoft patches YellowKey, GreenPlasma and MiniPlasma zero-days

🔒 Microsoft released June 2026 updates fixing three zero-day vulnerabilities disclosed by a researcher known as "Nightmare Eclipse." The flaws—GreenPlasma and MiniPlasma (local privilege escalation) and YellowKey (WinRE backdoor)—allow attackers to escalate to SYSTEM or bypass BitLocker on affected Windows systems. Microsoft provided mitigations for YellowKey and criticized the public disclosure of proof-of-concepts.
read more →

Microsoft issues record June 2026 security fixes

🛡️ Microsoft released fixes for a record 206 security vulnerabilities in June 2026, including three publicly disclosed flaws. The update covers 39 Critical and 167 Important issues, spanning privilege escalation, RCE, information disclosure, spoofing, and more, and includes two non-Microsoft CVEs and numerous Chromium fixes affecting Edge. Notable patched bugs include a Windows Kernel use-after-free (CVE-2026-45657), HTTP.sys and DHCP client RCEs, and several BitLocker bypasses addressed after public PoCs.
read more →

Microsoft fixes 200 CVEs in June Patch Tuesday

🛡️ Microsoft released June Patch Tuesday updates addressing 200 vulnerabilities, including three publicly disclosed zero-days. The release fixed 33 critical CVEs — mostly remote code execution bugs — and a large share of elevation-of-privilege issues. Notable fixes include the HTTP/2 Bomb DoS (CVE-2026-49160), a BitLocker bypass (CVE-2026-50507), and a CTFMON elevation-of-privilege flaw (CVE-2026-45586). Administrators are advised to prioritize patches for several high-risk RCE and EoP bugs affecting Windows components like Win32K, Remote Desktop, DHCP client, and Hyper-V.
read more →

Ivanti Sentry critical root code execution patched

🔒 Ivanti has released patches for two critical vulnerabilities in its Sentry secure mobile gateway, including a maximum-severity OS command injection (CVE-2026-10520) that allows remote code execution as root and a critical authentication bypass (CVE-2026-10523) permitting creation of rogue admin accounts. Patches are available in Sentry R10.5.2, R10.6.2, and R10.7.1, and the vendor reports no evidence of active exploitation at disclosure. Administrators are urged to apply updates promptly to prevent potential compromises.
read more →

Six Proto6 Vulnerabilities Impact protobuf.js Ecosystem

🔒 Cybersecurity researchers disclosed six vulnerabilities in protobuf.js, the JavaScript/TypeScript implementation of Protocol Buffers, that can enable remote code execution (RCE) and denial-of-service (DoS) when untrusted schemas or payloads are processed. Named Proto6, the flaws affect Node.js apps, Google Cloud client libraries, messaging frameworks like Baileys, and CI/CD pipelines. Patches are available in protobufjs 7.5.6 and 8.0.2 and protobufjs-cli 1.2.1 and 2.0.2, and users are urged to update to mitigate risks stemming from trusting schema and metadata by default.
read more →

Record-breaking June 2026 Patch Tuesday updates

🚨 Microsoft released fixes addressing nearly 200 vulnerabilities in its June 2026 Patch Tuesday, the largest monthly tally to date, with almost three dozen rated critical and public exploit code for at least three flaws. Multiple zero-days were patched, including CVE-2026-49160 affecting IIS and CVE-2026-50507 for BitLocker, with some reports tied to researcher "Nightmare Eclipse." Microsoft and other vendors noted rising use of AI in vulnerability discovery and unusually high browser flaw counts this month.
read more →

Microsoft June 2026 Patch Tuesday: Key Fixes

🛡️ Microsoft released its June 2026 security update addressing 206 vulnerabilities, including 32 marked critical. Talos highlights multiple RCEs across Windows components, Office, Azure services, and other products, and calls out several vulnerabilities as more likely to be exploited. Cisco Talos published Snort 2 and Snort 3 rules to detect exploitation attempts and urges customers to update rule packs promptly.
read more →