< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2054 articles · page 9 of 103

Critical UniFi OS bug enables unauthenticated root access

🔒 Researchers found that three fixed flaws in UniFi OS Server (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) can be chained to achieve remote code execution with root privileges on versions 5.0.6 and earlier. Bishop Fox validated the full attack path on a live instance, showing an authentication bypass via URI normalization differences and a subsequent command injection that escalates to root due to passwordless sudo. A detection script and guidance are available; upgrade to 5.0.8 or later.
read more →

Check Point links VPN zero-day to Qilin gang

🔒 Check Point released security updates to address CVE-2026-50751, a critical authentication-bypass flaw impacting Remote Access VPN and Mobile Access deployments that use the deprecated IKEv1 key exchange. The vulnerability allowed unauthenticated, remote attackers to establish VPN connections and was actively exploited beginning in May, with a surge in early June affecting a few dozen organizations worldwide and one confirmed case tied to the Qilin ransomware affiliate. Check Point also identified a second related issue, CVE-2026-50752, affecting certificate validation in IKEv1 and recommended immediate updates and mitigations for customers unable to patch.
read more →

Critical protobuf.js flaws enable code injection risks

🛡️ Researchers at Cyera disclosed six vulnerabilities in protobuf.js, a JavaScript implementation of Google’s Protocol Buffers, that allow untrusted schema data to influence application behavior. The most severe issues enable code generation and injection via manipulated schema metadata, potentially leading to remote code execution when crafted inputs are accepted. The flaws affect protobuf.js versions up to 7.5.5 and 8.0.1 and also impact protobuf.js-cli; patches are available in updated releases.
read more →

Hotfix Released for IKEv1 VPN Critical Vulnerabilities

🔒 Check Point Research disclosed active exploitation of CVE-2026-50751, a critical authentication bypass affecting Remote Access and Mobile Access VPNs using the deprecated IKEv1 key exchange. Exploitation allows establishment of VPN sessions without valid passwords; observed attacks have targeted a few dozen organizations and included Qilin ransomware activity. Customers using IKEv1 are urged to apply the hotfix immediately and follow remediation guidance.
read more →

CISA Adds Actively Exploited SolarWinds Flaw

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity DoS vulnerability in SolarWinds Serv-U (CVE-2026-28318, CVSS 7.5) to its Known Exploited Vulnerabilities catalog, citing active exploitation. The bug causes uncontrolled resource consumption and crashes the Serv-U service via specially crafted POST requests using Content-Encoding: deflate. SolarWinds released a fix in Serv-U version 15.5.4 HF1 and recommends limiting access and blocking requests with content-encoding as mitigations. Federal agencies must remediate by June 19, 2026.
read more →

Cisco warns of active exploit in SD‑WAN Manager

🔒 Cisco has disclosed a high-severity vulnerability, CVE-2026-20245, affecting Catalyst SD‑WAN Manager deployments including on-premises and cloud variants. The flaw allows an authenticated local attacker with netadmin privileges to execute arbitrary commands as root by uploading a crafted file due to insufficient input validation. Cisco noted limited cases of configuration changes pushed to edge devices and advised applying fixes for related authentication bypass flaws (CVE-2026-20182) while monitoring /var/log/scripts.log for IoCs.
read more →

CISA warns of active exploitation of Serv‑U DoS flaw

⚠️ CISA warns that threat actors are actively exploiting a recently patched high-severity SolarWinds Serv-U flaw (CVE-2026-28318) that allows unauthenticated attackers to crash Serv-U file-transfer services via specially crafted POST requests using Content-Encoding: deflate. SolarWinds issued Serv-U 15.5.4 Hotfix 1 to address an uncontrolled resource consumption weakness and advised mitigation steps for admins who cannot immediately patch. Shodan and Shadowserver show thousands of Serv-U instances exposed online, prompting CISA to add the flaw to its Known Exploited Vulnerabilities Catalog and require federal agencies to remediate by June 19 under BOD 22-01.
read more →

Securing CI/CD in an agentic world: Claude Code case

🔒 Microsoft Threat Intelligence found that Anthropic’s Claude Code GitHub Action could expose CI/CD secrets when AI agents process untrusted GitHub content. A gap in sandboxing allowed the action’s Read tool to access /proc/self/environ and leak the ANTHROPIC_API_KEY; Anthropic mitigated the issue in version 2.1.128. Defenders should treat AI workflows that handle untrusted input as high-risk and apply recommended hardening controls.
read more →

Claude Code MCP configuration enables token theft

🔒 Researchers disclosed an attack chain against Anthropic’s command-line coding assistant, Claude Code, that abuses the Model Context Protocol (MCP). A malicious npm post-install hook can rewrite the local ~/.claude.json configuration to redirect authenticated MCP traffic to attacker infrastructure, allowing interception of stored OAuth bearer tokens. Anthropic has been notified but has not issued a patch; defenders are advised to monitor the configuration file, treat npm post-install hooks as high risk, and rotate OAuth tokens tied to Claude Code integrations.
read more →

Critical Cisco SD‑WAN Manager zero‑day enables root

🔒 Cisco warned of a high‑severity, unpatched zero‑day (CVE-2026-20245) in the Catalyst SD‑WAN Manager actively exploited to escalate to root. The flaw affects all deployment types and results from insufficient validation of user‑supplied input, allowing local attackers with netadmin privileges to perform command injection by uploading crafted files. Cisco noted limited cases of configuration changes pushed to edge devices and advised contacting TAC and producing admin‑tech logs for investigation. Patches are not yet available; customers were urged to install fixes for related CVE-2026-20182.
read more →

Cisco fixes UC Manager file-write to root escalation

🔒 Cisco patched a server-side request forgery in Unified Communications Manager tracked as CVE-2026-20230 that allows unauthenticated network attackers to write files to the underlying OS and then escalate to root. Proof-of-concept exploit code is public and Cisco's PSIRT has not observed in-the-wild use yet. The flaw requires the WebDialer service to be running; WebDialer is off by default but exposes systems where it is enabled. Patching is recommended (14SU6 for the 14 train; interim COP or disable WebDialer until 15SU5 for the 15 train).
read more →

HTTP/2 header flaw enables new DoS attacks

🔍 Security researchers disclosed a flaw in default HTTP/2 configurations that enables a denial-of-service technique dubbed the "HTTP/2 Bomb." The issue abuses HPACK header compression and flow-control behavior to force excessive memory allocations and hold them, impacting servers such as nginx, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare’s Pingora. Patches have been released for several implementations, and mitigations include disabling HTTP/2 or enforcing header count caps.
read more →

Anthropic Claude Code Action flaw risk to repos

🔒 A researcher discovered a vulnerability in Anthropic's Claude Code GitHub Action that allowed takeover of public repositories via a single opened GitHub issue. Anthropic patched the core bypass in January and released fixes in claude-code-action v1.0.94, rating the issue 7.8 under CVSS v4.0 and issuing a bounty. The flaw arose from overly permissive triggers that trusted actors ending in "[bot]" and example workflows allowing non-write users, enabling indirect prompt injection to exfiltrate environment secrets and OIDC credentials. Administrators should update to v1.0.94, audit workflows for untrusted inputs, and remove unnecessary permissions and tools to prevent exfiltration.
read more →

Hugging Face Transformers RCE via model configs

🛡️ A high-severity RCE vulnerability in Hugging Face Transformers lets attackers leverage a hidden config field to execute remote code when loading models. The flaw abuses an underscore-prefixed parameter, _attn_implementation_internal, bypassing trust_remote_code=false and triggering unsandboxed kernel downloads. A silent patch was released in Transformers 5.3.0; users should upgrade and scan cached configs.
read more →

NAVTOR NavBox hard-coded SOAP credentials fix

🔒 NAVTOR NavBox through version 4.16.1.20 contained hard-coded credentials in its Windows Communication Foundation (SOAP) implementation. If SOAP is enabled, a local attacker could extract those credentials to authenticate to privileged WCF methods and write or overwrite files within application-defined paths, disrupting operations. NAVTOR released a patch in April 2026; versions 4.17.2.6 and later include the fix, and connected NavBox users will be updated automatically.
read more →

Hitachi Energy MACH HiDraw Heap Overflow Patch

🔒 Hitachi Energy reported a heap-based buffer overflow in MACH HiDraw XML parser where an authenticated local user can trigger memory corruption using a crafted XML file. Successful exploitation may cause application crashes (DoS) or enable arbitrary code execution. A vendor fix is available in version 9.23; contact your local account team for upgrade assistance. CISA recommends network segmentation, firewall controls, and minimizing exposure of control systems to the internet.
read more →

Hitachi Energy RTU500: Multiple Denial‑of‑Service Flaws

🔒 Hitachi Energy has disclosed multiple vulnerabilities affecting RTU500 devices that primarily enable Denial of Service, with potential secondary impacts to confidentiality and integrity. Affected components include PKCS#12 handling, libexpat, and IEC protocol implementations, with issues such as NULL pointer dereferences, integer overflows, and infinite loops. Vendor fixes are available in CMU Firmware versions 13.7.9/13.8.2 (13.7.9 when available), and CISA recommends minimizing network exposure and applying vendor updates and standard mitigations.
read more →

Hitachi Energy ITT600 Explorer DoS Vulnerabilities

🛡️ Hitachi Energy disclosed vulnerabilities in the ITT600 Explorer that can enable Denial of Service (DoS) via crafted IEC61850 messages when IEC61850 server simulation is used. A stack overflow in the libexpat library and uncontrolled recursion/resource allocation issues are identified; affected versions should be updated to 2.1 SP6 HF1 or later and plan for 2.2. CISA republishes the vendor advisory and recommends standard ICS network protections and patching.
read more →

B&R PPT30 OPC‑UA Resource Exhaustion Fix

🔒 B&R has identified a resource exhaustion vulnerability in the OPC‑UA Server used in PPT30 Operating System versions before 1.8.0 that can render the OPC‑UA service inaccessible. The vendor corrected the issue in PPT30 Operating System 1.8.0 and notes the OPC‑UA server is not enabled by default. B&R and CISA recommend updating affected devices, restricting OPC‑UA activation to required systems, and segmenting and firewalling networks to limit access.
read more →

Cisco warns of critical Unified CM flaw

🔒 Cisco released updates for a critical Unified Communications Manager (Unified CM) vulnerability (CVE-2026-20230) that can be exploited via SSRF to gain root privileges. The issue affects systems with the WebDialer service enabled, which is disabled by default, and Cisco notes public proof-of-concept exploit code is available. Administrators should apply patched versions 14SU6 or 15SU5 or temporarily disable the WebDialer service as a mitigation.
read more →