All news with #advisory tag

⚠️ PyPI warned developers after two malicious releases of the Python LLM middleware LiteLLM were briefly posted, potentially exposing any credentials accessible to the package environment. Sonatype and Wiz analyses describe a three-stage, obfuscated payload that harvested environment variables, cloud and CI/CD credentials, SSH keys, and other sensitive artifacts, encrypting stolen data before exfiltration. PyPI linked the uploads to an exploited Trivy dependency in the ongoing TeamPCP supply-chain campaign and urged users to revoke or rotate secrets that may have been exposed.

⚠️ PTC has alerted customers to a critical vulnerability (CVE-2026-4681) in Windchill and FlexPLM that could enable remote code execution via deserialization of trusted data. German authorities (BKA) have taken emergency action to warn organizations, citing an imminent threat. Patches are under development, and PTC published an Apache/IIS rule mitigation that denies access to the affected servlet path without breaking functionality. The vendor also released IoCs and detection guidance; if mitigation is not possible, prioritize disconnecting internet-facing instances or shutting down the service.

⚠️Citrix has released a security bulletin for NetScaler ADC and NetScaler Gateway addressing two vulnerabilities: CVE-2026-3055 (critical out-of-bounds read, CVSS 9.3) and CVE-2026-4368 (race condition, CVSS 7.7). The issues affect customer-managed appliances with specific SAML IDP or Gateway/AAA configurations rather than default installs or Citrix-managed cloud instances. Cloud Software Group recommends immediate installation of the vendor-published patches and notes a temporary Global Deny List mitigation available for select 14.1 builds while upgrades are scheduled.

🔒 Apple is urging users on older versions of iOS to update immediately after reporting that web-based exploit kits such as Coruna and DarkSword have been used to deliver data-stealing malware via compromised sites. Apple says devices running the latest releases (iOS 15 through 26) are not affected, and has released targeted patches for legacy hardware. For devices that cannot be updated, Apple recommends specific interim updates and enabling Lockdown Mode to reduce exposure.

🔒 CISA is urging IT and security leaders to harden endpoint management configurations after pro‑Iranian group Handala reportedly abused Microsoft Intune in a March 11 attack on Stryker that disrupted operations and enabled remote wipes. The guidance emphasizes least‑privilege administrative roles, phishing‑resistant MFA, privileged access hygiene, and multi‑admin approval for destructive actions. Although focused on Intune, CISA says these defensive principles apply to any UEM. Organizations should audit admin access, require multi‑party approvals, and continuously monitor privileged activity.

⚠ A newly disclosed vulnerability called PolyShell affects all Magento Open Source and Adobe Commerce version 2 installations, enabling unauthenticated code execution and potential account takeover. Adobe has issued a fix only in the 2.4.9 alpha, leaving production sites exposed. Sansec warns the exploit method is already circulating and urges admins to restrict access to pub/media/custom_options/, verify nginx/Apache rules, and scan for uploaded shells or backdoors.

⚠ CISA has urged federal agencies to apply patches for two actively exploited vulnerabilities affecting Synacor Zimbra Collaboration Suite and Microsoft Office SharePoint. Zimbra's Classic UI suffered a stored XSS (CVE-2025-66376) patched in versions 10.0.18 and 10.1.13 in November 2025, while SharePoint had a deserialization RCE (CVE-2026-20963) fixed in January 2026. CISA set FCEB patching deadlines and reported no public attribution or scale; separately, Amazon detailed exploitation of a Cisco firewall-management zero-day (CVE-2026-20131) by the Interlock ransomware group.

⚠️ CISA has ordered Federal Civilian Executive Branch agencies to remediate an actively exploited stored cross-site scripting vulnerability in the Zimbra Collaboration Suite, tracked as CVE-2025-66376. The flaw in the Classic UI can be abused via CSS @import directives in HTML emails by remote, unauthenticated attackers to execute arbitrary JavaScript, risking session hijack and data exfiltration. Agencies were given until April 1 under BOD 22-01, and all organizations are urged to apply vendor patches or available mitigations immediately.

🔒 ConnectWise warned customers about a critical cryptographic signature verification bug in ScreenConnect (tracked as CVE-2026-3564) that affects versions prior to 26.1 and can enable unauthorized session authentication and privilege escalation. The vulnerability allows attackers who obtain ASP.NET machine key material to generate or modify protected values the server will accept, potentially resulting in hijacked sessions and elevated access. ConnectWise patched the issue in ScreenConnect 26.1 by adding encrypted storage and improved handling for machine keys; cloud-hosted instances were auto-upgraded while on-premises administrators must upgrade immediately. The vendor reported observed attempts to abuse disclosed machine key material in the wild but has no confirmed evidence of exploitation against ConnectWise-hosted instances and urges responsible disclosure of active findings.

🔒 The Federal Office for Information Security (BSI) has warned that software used in medical practices, clinics and long-term care needs stronger protections to safeguard sensitive patient data. In tests of standard configurations, the agency described the IT security of healthcare software as in need of improvement, finding chains of vulnerabilities in three of four representative practice management systems that could be exploited from the Internet. Outdated encryption algorithms were specifically cited; manufacturers were informed and issued timely fixes.

🛡️ Qualys TRU has disclosed 'CrackArmor,' a set of nine AppArmor vulnerabilities present since Linux kernel 4.11 (2017). These AppArmor flaws allow local, unprivileged users to manipulate security profiles via kernel pseudo-files, enabling local privilege escalation, container isolation bypass, Denial-of-Service and potential kernel-memory exposure. Qualys developed proof-of-concept exploits but has not publicly released the code to limit risk. Organizations should prioritize applying vendor kernel updates and scanning for affected systems.

📧 Microsoft is investigating several issues that are disrupting email synchronization and server connections in the classic Outlook desktop client. One bug causes 'Can't connect to the server' errors when creating groups if Exchange Web Services (EWS) is enabled because an AD Graph validation call fails; Microsoft plans updated group functionality using REST APIs and recommends using the new Outlook or OWA until a fix is released. Separate reports describe 0x800CCC0F and 0x80070057 errors for Gmail and Yahoo accounts after password changes — a temporary workaround is to delete the affected identity registry entries — and a cursor disappearance bug affecting Outlook and some Microsoft 365 apps is also under investigation.

🔔 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-3909 (Google Skia out-of-bounds write) and CVE-2026-3910 (Google Chromium V8 unspecified). The agency cites evidence of active exploitation and reminds Federal Civilian Executive Branch agencies of remediation obligations under BOD 22-01. CISA strongly urges all organizations to prioritize timely remediation to reduce exposure to attacks.

⚠️ CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog on Mar 10, 2026, citing evidence of active exploitation in SolarWinds Web Help Desk, Ivanti Endpoint Manager, and Omnissa Workspace One UEM. Federal civilian agencies were ordered to apply the SolarWinds fix by March 12 and remediate the other two flaws by March 23. The issues include a critical deserialization bug (CVE-2025-26399), an authentication bypass (CVE-2026-1603), and an SSRF (CVE-2021-22054) tied to ongoing threat activity.

⚠️ The FBI warns that criminals are impersonating city and county planning and zoning officials to phish businesses and individuals with active land-use or permit applications. Victims receive emails referencing permit details, zoning application numbers, or property addresses and are instructed to pay invoices via wire transfers, peer-to-peer platforms, or cryptocurrency, often pressured with urgency. The agency urges recipients to verify sender domains, call local government offices to confirm fees, and report incidents to the IC3.

⚠️The UK National Cyber Security Centre (NCSC) has issued an advisory warning British organisations of an elevated risk of Iranian cyberattacks amid the ongoing Middle East conflict. While the NCSC says there is not yet a significant change in the direct threat to the UK, state‑sponsored and Iran‑linked actors likely retain some capability despite Iran’s domestic Internet blackout. Organisations with operations or supply chains in the region are urged to follow guidance on DDoS, phishing, and ICS targeting, review external attack surfaces, and increase monitoring.

🔒 The UK government says its new Vulnerability Monitoring Service (VMS) has cut the backlog of critical vulnerabilities by 75% and reduced average fix times for serious public-sector website DNS issues from nearly two months to eight days. Operated by the Department for Science, Innovation and Technology (DSIT), the service continuously scans around 6,000 public sector bodies and provides targeted, practical remediation guidance and progress tracking. The update was published on 26 February.

🔔 CISA and international partners warn of active exploitation of Cisco SD-WAN systems, adding CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities Catalog. FCEB agencies are required by Emergency Directive 26-03 to inventory, update, and assess SD-WAN deployments. Organizations should collect artifacts, apply vendor updates, follow the Catalyst SD-WAN Hardening Guide, and hunt for evidence of compromise immediately.

⚠️ CISA has added two Roundcube webmail vulnerabilities — CVE-2025-49113 and CVE-2025-68461 — to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. CVE-2025-49113 (CVSS 9.9) is an authenticated deserialization flaw allowing remote code execution via an unvalidated _from parameter and was fixed in June 2025. CVE-2025-68461 (CVSS 7.2) is an XSS triggered by the SVG animate tag and was patched in December 2025 in Roundcube releases 1.6.12 and 1.5.12. Researchers reported weaponization within 48 hours and an exploit was offered for sale; FCEB agencies must remediate by March 13, 2026.

🔒 CISA warns that CVE-2026-1731, a pre-authentication remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access, is being actively exploited in ransomware attacks. The issue is an OS command injection reachable via specially crafted client requests and was added to the Known Exploited Vulnerabilities catalog on February 13. BeyondTrust reports the cloud (SaaS) was auto-patched on February 2; self-hosted customers must enable updates or install Remote Support 25.3.2 or Privileged Remote Access 25.1.1 and later.