
All news with #advisory tag

287 articles

ThreatsDay: Defender 0-Day, Excel RCE and Supply Chain Risks

🛡️ This week's bulletin highlights both legacy and emerging threats, including a published Microsoft Defender privilege escalation exploit (RedSun) and a 17‑year‑old Excel RCE (CVE‑2009‑0238) newly added to CISA's KEV. Incidents range from a Zerion hot-wallet compromise (~$100K stolen through AI‑enabled social engineering) to a fake macOS Ledger app that drained about $9.5M. Researchers also disclosed novel C2 frameworks, a WordPress plugin supply-chain backdoor affecting 180k+ installs, and a surge in SonicWall/FortiGate brute-force probing. The collection underscores the need to patch promptly, validate app-store integrity, rotate credentials, and audit third-party dependencies.

CISA Adds Apache ActiveMQ CVE to KEV Catalog (Apr 2026)

⚠️ CISA added CVE-2026-34197 — an Apache ActiveMQ improper input validation vulnerability — to the KEV Catalog after evidence of active exploitation. The advisory notes this vulnerability type is a frequent attack vector and poses significant risk to the federal enterprise. CISA reminds Federal Civilian Executive Branch agencies to follow BOD 22-01 remediation deadlines and strongly urges all organizations to prioritize timely mitigation.

Critical Vulnerabilities in Anviz CX Series & CrossChex

⚠️ CISA published an advisory describing multiple critical vulnerabilities in Anviz products, including CX2 Lite, CX7, and CrossChex Standard. Issues range from unauthenticated firmware uploads and command injection to credential exposure and cleartext administrative sessions, any of which can lead to remote code execution and full device compromise. The advisory lists numerous CVEs with example CVSS up to 9.8 and notes no vendor response; organizations are urged to isolate affected devices and apply defensive mitigations immediately.

Critical Missing Authorization in AVEVA Pipeline Simulation

🔒 A critical authorization vulnerability (CVE-2026-5387) in AVEVA Pipeline Simulation allows an unauthenticated actor to perform actions reserved for Simulator Instructor or Developer roles, with the potential to modify simulation parameters, training configuration, and training records. Affected versions are <=2025_SP1_build_7.1.9497.6351. AVEVA provides a fix: upgrade to 2025 SP1 P01 (build 7.1.9580.8513) or later; interim mitigations include restricting API network access and enforcing TLS.

Delta ASDA-Soft Stack Buffer Overflow Vulnerability

⚠️ CISA warns of a stack-based buffer overflow (CVE-2026-5726) in Delta Electronics ASDA-Soft affecting versions <=V7.2.2.0 that can enable arbitrary code execution when a specially crafted .par file is parsed. The flaw is rated High (CVSS 3.1 base score 7.8) and requires local access or user interaction to trigger. Delta advises upgrading to ASDA-Soft v7.2.6.0 or later and following network isolation and defense-in-depth practices.

Critical Weak Password Issue in Horner Automation PLCs

🔒 Horner Automation products contain a weak-password vulnerability (CVE-2026-6284) that allows network attackers to brute-force credentials and gain unauthorized access to PLC systems and services. Affected versions include Cscape v10.0, XL7 v15.60, and XL4 v16.32.0. The vulnerability is scored CVSS 3.1 9.1 (Critical) and is associated with CWE-521: Weak Password Requirements. Horner has released fixes—update to Cscape v10.2 SP2 and the latest XL4/XL7 firmware—and operators should minimize network exposure and use secure remote access.

CISA Adds Two Exploited Microsoft Vulnerabilities to KEV

🛡️ CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2009-0238, a Microsoft Office remote code execution flaw, and CVE-2026-32201, an improper input validation vulnerability in Microsoft SharePoint Server. The additions reflect evidence of active exploitation. Under BOD 22-01 FCEB agencies must remediate cataloged CVEs by the due date; CISA urges all organizations to prioritize remediation.

AISI Urges Cybersecurity Basics After Mythos Test Guidance

🔐 The UK’s AI Security Institute (AISI) evaluated Anthropic’s Claude Mythos Preview and found it can autonomously discover and exploit vulnerabilities in controlled tests when given network access. In a 32‑step simulated corporate attack the model completed the full sequence in 3 of 10 runs and averaged 22 of 32 steps, though performance varied. AISI stresses these cyber ranges are easier than real environments and recommended organisations strengthen basics — timely patching, robust access controls, secure configuration and comprehensive logging — while also exploring AI to bolster defensive capabilities.

CISA Adds Six Actively Exploited Flaws in Major Software

🛡️ CISA on Apr 14, 2026 added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after observing active exploitation. The flaws affect Fortinet FortiClient EMS, Microsoft components (Exchange Server, Windows drivers, Host Process for Windows Tasks, VBA) and Adobe Acrobat Reader, and include SQL injection, deserialization, out-of-bounds read, use-after-free and insecure library loading. Federal civilian agencies must remediate by April 27, 2026.

Hungarian government email passwords exposed before election

🔐 An analysis by Bellingcat found passwords for almost 800 Hungarian government email accounts circulating online, many tied to national-security roles. The exposure affected 12 of 13 government departments and involved weak, easily guessed credentials such as variations of "Password", sequences like "1234567", and simple surnames. The leaks reflect poor email hygiene rather than a sophisticated intrusion, and experts urge stronger credential practices including password managers and passkeys. Security teams are urged to deploy enterprise controls and regular training to prevent similar exposures.

Attackers Exploiting Adobe Reader Zero-Day Since December

⚠ Haifei Li has identified a zero-day vulnerability in Adobe Reader that has been exploited since at least December via maliciously crafted PDFs. The attack uses a highly sophisticated, fingerprinting-style exploit that can harvest local data using Acrobat APIs and may enable follow-on RCE or sandbox escape without user interaction beyond opening a file. Li urges users to avoid PDFs from untrusted sources and to monitor network traffic for the Adobe Synchronizer User-Agent string as a temporary mitigation.

Mitsubishi Electric GENESIS64 and ICONICS Suite Fixes

🔒 CISA reports two high‑severity vulnerabilities (CVE‑2025‑14815, CVE‑2025‑14816) in Mitsubishi Electric GENESIS64, ICONICS Suite, and related products that may expose SQL Server credentials stored in local caches or displayed in the Hyper Historian Splitter GUI. Successful exploitation could enable disclosure, tampering, or denial of service on affected systems. Vendor updates are available (10.98+ for GENESIS64/ICONICS products and 11.03+ for GENESIS); administrators should disable local cache, delete cache files, prefer Windows authentication, and restrict administrative and remote access until patches are applied.

CISA Adds New KEV Entry for Fortinet FortiClient EMS

⚠ CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-35616, an Improper Access Control flaw affecting Fortinet FortiClient EMS. The agency reports evidence of active exploitation and highlights that this vulnerability class is a common attack vector posing significant risks to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by their due dates, and CISA urges all organizations to prioritize timely remediation.

Cisco fixes critical IMC auth bypass in many devices

🔒 Cisco has released patches for a critical authentication bypass in its Integrated Management Controller (IMC), tracked as CVE-2026-20093. The flaw, caused by incorrect handling of password changes, can be exploited via specially crafted HTTP requests to gain unauthenticated admin access. Affected platforms include standalone UCS C-Series, UCS E-Series, Catalyst 8300, and 5000 Series systems. Administrators should apply updates and restrict IMC exposure immediately.

ThreatsDay Bulletin: Pre-auth Chains and Supply-Chain Risks

📰 The ThreatsDay Bulletin highlights immediate, actionable risks including a pre-auth RCE chain in Progress ShareFile (CVE-2026-2699/CVE-2026-2701), unpatched ImageMagick zero-days enabling RCE, and novel CloudTrail evasion techniques that erase forensic visibility. It also details widespread mobile-rootkit campaigns, a sharp rise in open-source and supply-chain malware advisories, and phishing apps abusing distribution services to harvest credentials. Defenders should prioritize patching, sandboxing ingest pipelines, and hunting for signs of chained low-and-slow techniques and suspicious AWS API activity.

Microsoft Links Classic Outlook Bug to Email Delivery Issues

📧 Microsoft is investigating a known issue that prevents some Classic Outlook users from sending messages via Outlook.com, causing non-delivery reports that indicate permission errors (0x80070005-0x0004dc-0x000524). The problem is more likely when the Outlook.com account is an Outlook profile linked to another Exchange account or when an Exchange Online mail contact shares the same SMTP address. Microsoft published temporary workarounds — remove the M365 account Address Book, hide the Outlook.com contact in the Global Address List, create a fresh Classic profile with only the affected account, or use the New Outlook client or webmail until a permanent fix is deployed.

OpenCode OC Messaging & USSD Gateway Vulnerability

⚠️ OpenCode Systems' OC Messaging and USSD Gateway version 6.32.2 contain an improper access control vulnerability (CVE-2025-70614, CVSS 3.1 Base Score 8.1) that can allow an authenticated low-privileged user to access SMS messages outside their tenant by providing a crafted company/tenant identifier. OpenCode released version 6.33.11 on 2026-01-06 to remediate the issue. Administrators should upgrade affected systems to 6.33.11 or later and limit network exposure of messaging gateways.

CISA Adds One Vulnerability to Known Exploited Catalog

⚠ CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-33634, an Aqua Security Trivy issue involving embedded malicious code that CISA reports is being actively exploited. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by their due dates; CISA urges all organizations to prioritize timely patching and mitigation. CISA will continue to update the catalog as new evidence of exploitation emerges.

PTC Windchill and FlexPLM Critical Remote Code Execution

⚠️ CISA reports a critical remote code execution vulnerability (CVE-2026-4681) affecting PTC Windchill and FlexPLM, with a CVSS v3.1 base score of 10.0. The issue stems from deserialization of untrusted data (CWE-94) and could allow unauthenticated attackers to run arbitrary code. PTC is developing a patch and advises immediate application of documented workarounds and updated Apache or IIS configurations to protect public, file, and replica servers.

CISA Adds Langflow Code Injection to KEV Catalog Entry

⚠️ CISA has added CVE-2026-33017 — a Langflow code injection vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the specified due dates. CISA urges all organizations to prioritize timely remediation to reduce exposure to active threats.