CISO Brief

All news with #advisory tag

355 articles · page 2 of 18

NGINX Heap Overflow CVE-2026-42945 Exploited in the Wild

⚠️ A high-severity heap buffer overflow (CVE-2026-42945, CVSS 9.2) in the ngx_http_rewrite_module of NGINX Plus and NGINX Open (versions 0.6.27–1.30.0) is being exploited in the wild shortly after disclosure. The flaw, reportedly introduced in 2008, can allow unauthenticated attackers to crash worker processes or, when Address Space Layout Randomization (ASLR) is disabled and certain configurations are present, achieve remote code execution. Users are advised to apply F5's fixes and review server configurations urgently.

Cisco fixes CVE-2026-20182 SD-WAN Controller bypass

🔒 Cisco has released fixes for a maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller (CVE-2026-20182) that it says has been exploited in limited attacks. The flaw allows a remote unauthenticated attacker to become an authenticated peer and obtain administrative privileges by abusing the peering authentication mechanism. Affected deployments include On-Prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP); Cisco urges immediate patching and recommends auditing /var/log/auth.log for suspicious peering or publickey entries.

CISA Adds New Entry to Known Exploited Vulnerabilities

⚠️ CISA added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on 2026-05-14 after confirming active exploitation. The agency warns that such vulnerabilities are common attack vectors and present significant risk to the federal enterprise. CISA directs organizations to follow Emergency Directive 26-03 and BOD 22-01 guidance, assess exposure, and apply mitigations or discontinue affected Cisco SD-WAN products if mitigations are not available.

ICO issues five-step guidance on AI-driven cyber risk

🔐 The ICO has published a five-step guide urging organisations to prepare for AI-enhanced cyber threats, including deepfake social engineering, adaptive malware and automated exploitation. It points readers to the NCSC's updated Cyber Assessment Framework and expects baseline adoption of Cyber Essentials and the UK Cyber Governance Code. The guidance emphasises robust patching, MFA, least‑privilege, supply‑chain vetting, DPIAs for high‑risk AI and human oversight of AI-enabled defences.

GemStuffer Abuses RubyGems to Store Scraped Council Data

🔍 Security researchers have identified a campaign called GemStuffer that abuses RubyGems as a storage channel for scraped content rather than as a vehicle for mass malware distribution. More than 150 gems were observed packaging HTTP responses from U.K. local government ModernGov portals into valid .gem archives and publishing them using hardcoded API keys. Variants either build and push gems via the CLI (creating temporary credentials under /tmp and overriding HOME) or upload archives directly to the registry API, after which attackers can retrieve the content with a simple gem fetch.

ABB WebPro SNMP Card PowerValue: Multiple Vulnerabilities

🔒 ABB disclosed multiple vulnerabilities in the WebPro SNMP Card PowerValue affecting earlier firmware releases. The flaws include an authentication bypass (the device validates only the first character of session cookies and tokens), insufficient session expiration and uncontrolled resource consumption that can cause DoS and Modbus instability on port 502. ABB issued fixes in v1.1.8.p and recommends contacting ABB Digital Service Support and applying defensive measures from the product manual.

ABB Automation Builder Gateway insecure default access

⚠️ ABB reported a vulnerability in the Windows Gateway component of Automation Builder that leaves its TCP listener bound to all interfaces by default on port 1217, enabling remote discovery of AC500 PLCs. The gateway may be installed standalone or bundled with other setups such as CODESYS, and unauthenticated actors can scan for PLCs; PLC user management normally prevents control unless disabled. ABB advises restricting access by setting [CmpGwCommDrvTcp] LocalAddress=127.0.0.1 in Gateway.cfg and restarting the gateway, or upgrading to Automation Builder 2.9.0 where the default is local-only.

Dirty Frag Linux Exploit Enables Reliable Root Escalation

🔒 Microsoft warns of a new local Linux privilege escalation called Dirty Frag that abuses fragmented page-cache handling to gain root. The chain uses two kernel flaws — CVE-2026-43284 (ESP) and CVE-2026-43500 (RxRPC) — and is already observed in post-compromise attacks. Administrators are urged to disable esp4, esp6, and rxrpc modules, limit local shell access, and monitor for abnormal privilege escalation while vendors roll out patches.

FCC Extends Deadline for Security Patches to 2029 Nationwide

⚠️ The FCC has extended the deadline for suppliers of banned foreign-made consumer routers to deliver security updates to US customers until at least 1 January 2029. The March 2026 import and sale ban put these devices on the FCC’s covered list, with limited exceptions for devices conditionally approved by the DoD or DHS. The extension, announced by the Commission’s Office of Engineering and Technology on 8 May, permits only software and firmware updates that mitigate harm and maintain functionality, not the addition of new features, and it also covers foreign-made drone systems and critical components.

Cisco DoS Bug Requires Manual Reboot to Recover Devices

⚠️ Cisco released patches for a high-severity denial-of-service vulnerability (CVE-2026-20188) affecting Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO). The issue stems from inadequate rate limiting on incoming connections and can be exploited remotely by unauthenticated actors to exhaust connection resources and crash systems. Affected releases include CNC 7.1 and earlier and NSO 6.3 and earlier; fixed releases and mitigations are detailed in Cisco's advisory. Cisco's PSIRT says it is not aware of active exploitation but strongly urges customers to upgrade to patched software to avoid manual reboots and service disruption.

Copy Fail (CVE-2026-31431): Deterministic Linux LPE

🔒 On April 29, 2026 researchers disclosed CVE-2026-31431, dubbed Copy Fail, a deterministic local privilege escalation impacting Linux kernels 4.14–6.19.12. The flaw resides in the AF_ALG crypto interface's algif_aead module and permits a controlled four-byte overwrite into the kernel page cache. A standalone 732-byte Python proof-of-concept reliably escalates to root across major distributions. Apply vendor kernel updates immediately or temporarily disable algif_aead; Cortex XDR and XSIAM provide layered detection and mitigation.

Edge Password Manager Keeps Credentials in Plaintext

🔒 A Norwegian researcher discovered that Microsoft Edge decrypts saved passwords at startup and keeps them resident in process memory, leaving credentials retrievable in plain text on shared or compromised machines. German publication Heise reproduced the finding, locating passwords even after a browser restart. Microsoft reportedly treats the behavior as 'by design,' prompting calls for using alternative password managers.

Agencies Set Clear Limits on Agentic AI Deployments

🔒 A joint advisory from CISA and international partners urges organizations to treat agentic AI cautiously, enforcing strong authentication, Secure by Design principles, and staged rollouts. The guidance stresses least privilege, inventories of agent capabilities, and protections against prompt injection and data exposure. It also recommends continuous monitoring with human-in-the-loop controls, DevSecOps practices, and regular incident-response testing to reduce privilege creep, tool misuse, and other emergent risks.

CISA: 'Copy Fail' Linux Flaw Now Actively Exploited

🔒 CISA warns that threat actors are actively exploiting the Linux "Copy Fail" vulnerability tracked as CVE-2026-31431. The flaw exists in the kernel's algif_aead cryptographic algorithm interface and lets unprivileged local users gain root by writing four controlled bytes to the page cache of any readable file. Theori published a "100% reliable" Python PoC; vendors are issuing kernel fixes and CISA has ordered federal patches under BOD 22-01.

ABB PCM600 Path Traversal Vulnerability (CVE-2018-1002208)

⚠️ A path traversal vulnerability in ABB PCM600 (CVE-2018-1002208) could allow an attacker to deliver specially crafted messages to a system node, resulting in insertion and execution of arbitrary code. Affected releases are PCM600 versions >=1.5 and <=2.13; ABB released a fix in PCM600 2.14 (note: RE_630 relays are incompatible with 2.14). CISA rates the issue at a CVSS v3.1 base score of 4.4 (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N), notes that exploitation is not remotely trivial, and recommends applying the vendor update or, where an immediate upgrade is impractical, applying system-level and network mitigations such as segmentation, firewalls, and updated VPNs.

ABB AWIN Gateways: High-Risk Authentication Flaws and Firmware Updates

🔒 CISA published an advisory on 2026-04-30 describing multiple authentication-related vulnerabilities in ABB AWIN Gateways that permit unauthenticated queries to disclose system configuration and, in one case, remotely reboot devices. The issues include an authentication bypass via capture-replay and missing authentication for critical functions. Affected firmware includes AWIN GW100 rev.2 (2.0-0, 2.0-1) and AWIN GW120 (1.2-0, 1.2-1); ABB released fixes (FW 2.1-0 and FW 2.0-0, Product IDs 3BNP102988R1 and 3BNP103003R1) and PSIRT advisory 4JNO000329. CISA recommends isolating devices, removing internet exposure, using secure remote access (for example, up‑to‑date VPNs), and conducting impact analysis before deploying mitigations.

ABB IEC 61850 Vulnerability Affects Select Control Devices

⚠️ ABB disclosed CVE-2025-3756, a vulnerability in its IEC 61850 MMS client stack that can be triggered by a specially crafted 61850 packet. Exploitation requires access to the IEC 61850 network and can force PM 877, CI850, and CI868 modules into a fault state requiring manual restart or repeatedly crash S+ Operations IEC 61850 connectivity, causing denial-of-service. System 800xA IEC61850 Connect is not affected. ABB has released or scheduled firmware updates and advises customers to apply fixes and follow mitigating guidance.

ABB Ability Symphony Plus PostgreSQL Vulnerabilities

⚠️ ABB has reported critical vulnerabilities in Ability Symphony Plus (S+) Engineering tied to an embedded PostgreSQL component (version 13.11 and earlier) that could allow authenticated users on the S+ client/server network to execute arbitrary code. Affected S+ releases include 2.2 through 2.4 SP2; ABB released an update — S+ Engineering 2.4 SP2 RU1 (re-released December 2024) — to address the issues. CISA recommends network isolation and perimeter firewalling as primary mitigations; no product-specific workarounds exist and ABB reported no known exploitation at the time of the advisory.

Critical Authentication Bypass in ABB Edgenius Portal

🔒 CISA reports a critical authentication bypass in ABB Edgenius Management Portal (CVE-2025-10571) that permits an attacker with network access to send a specially crafted message to a system node and bypass authentication. Successful exploitation can allow arbitrary code execution, removal of installed applications, and modification of application configurations. ABB has released a fix in Ability Edgenius 3.2.2.0 and urges immediate upgrade; until patched, disabling the portal and reducing network exposure are recommended.

CISA Adds CVE-2026-41940 to Known Exploited Vulnerabilities

⚠️ CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities Catalog for a missing authentication for critical function in WebPros cPanel & WHM and WP2 (WordPress Squared). The issue has evidence of active exploitation and represents a common attack vector that can enable unauthorized access to protected functionality. Under BOD 22-01 federal agencies are required to remediate affected systems by the specified due date; CISA strongly urges all organizations to prioritize patching, apply vendor updates, and implement compensating controls promptly.