ciso brief

All news with #advisory tag

287 articles · page 3 of 15

CISA orders federal agencies to patch BeyondTrust bug

🔒 CISA has ordered federal agencies to secure on‑premises BeyondTrust Remote Support and Privileged Remote Access instances within three days after disclosure of a critical remote code execution flaw (CVE-2026-1731) that is being actively exploited. The OS command injection allows unauthenticated attackers to run system commands and could lead to data exfiltration or service disruption. BeyondTrust patched SaaS instances on Feb 2; on‑premise customers must install fixes manually.

Microsoft: LNK Shortcut Spoofing Issues Not Considered Bugs

⚠️ Security researcher Wietze Beukema disclosed several techniques at Wild West Hackin' Fest that manipulate Windows .lnk shortcut files to display a benign target in Explorer while executing a different program, including use of malformed LinkTargetIDList and EnvironmentVariableDataBlock fields. These variants can hide command-line arguments and exploit forbidden path characters to show deceptive targets such as "invoice.pdf" while invoking PowerShell or other payloads. Microsoft told the researcher it will not treat the primary finding as a security vulnerability, saying exploitation requires user interaction and pointing to Microsoft Defender, Smart App Control, and built-in warnings for downloaded .lnk files. Beukema published lnk-it-up, an open-source toolkit to generate and detect such shortcuts for testing and research.

Over 60 Vendors Issue Security Patches Across Platforms

🔒 It's Patch Tuesday: more than 60 software vendors released security updates addressing flaws across OS, cloud, and networking platforms. Microsoft fixed 59 vulnerabilities, including six actively exploited zero-days that can bypass protections, escalate privileges, or cause DoS. SAP patched two critical bugs — a SQL injection in CRM/S/4HANA (CVE-2026-0488, CVSS 9.9) and a missing authorization in NetWeaver ABAP (CVE-2026-0509, CVSS 9.6) — which may require kernel updates and role or UCON adjustments. Intel and Google also disclosed five TDX 1.5 vulnerabilities and numerous improvement suggestions; Adobe released multiple product updates with no known in-the-wild exploits reported.

ZOLL ePCR iOS App Vulnerability Exposes Local Data

🔒 The ZOLL ePCR iOS mobile application (version 2.6.7) contains a WebView input-sanitization flaw (CVE-2025-12699) that can reflect attacker-controlled strings into rendered HTML/JavaScript. Proof-of-concept testing shows injected scripts may read local application files, potentially exposing device telemetry and protected health information (PHI). CISA assigns a CVSS v3.1 base score of 5.5 (MEDIUM), notes the issue is not remotely exploitable, and reports no known public exploitation. ZOLL decommissioned the iOS app in May 2025 and has no replacement planned.

ZLAN5143D Critical Authentication Bypass and Reset Flaws

⚠️ CISA reports two critical authentication vulnerabilities in ZLAN Information Technology Co. ZLAN5143D v1.600. CVE-2026-25084 allows authentication bypass via direct access to internal URLs, while CVE-2026-24789 exposes an unprotected API that enables remote password changes without credentials. Both are scored CVSS 3.1 9.8. CISA notes the vendor did not respond to coordination; users should minimize network exposure, restrict internet access to devices, contact the vendor, and keep systems updated.

AVEVA PI to CONNECT Agent Log Information Exposure

⚠️ AVEVA reported that PI to CONNECT Agent (<=v2.4.2520) contains a vulnerability that can record sensitive proxy connection details in event logs. An attacker with local Event Log Reader (S-1-5-32-573) privileges could extract proxy URLs and credentials from those logs and gain unauthorized access to the proxy server. The issue is not remotely exploitable; the vendor’s fix is v2.5.2790 or later. Users should review and sanitize logs, rotate proxy credentials, avoid plain-text passwords in proxy URLs, and restrict Event Log Reader privileges.

Yokogawa FAST/TOOLS Multiple Web and Crypto Flaws Reported

⚠️ Yokogawa's FAST/TOOLS (versions R9.01–R10.04) contains multiple web and cryptographic vulnerabilities tracked across 14 CVEs that could enable redirection to malicious sites, decryption of communications, man-in-the-middle attacks, cross-site request forgery, script execution, and unauthorized file access. Example CVSS v3 scores reach up to 8.2 for some issues. Yokogawa advises updating to R10.04, applying patch CS_e12787, then installing R10.04 SP3. CISA recommends minimizing Internet exposure for control systems, isolating OT networks behind firewalls, and using secure remote access.

AVEVA PI Data Archive: Remote DoS (CVE-2026-1507) Advisory

⚠️ AVEVA's PI Data Archive contains an uncaught-exception vulnerability (CVE-2026-1507) that can allow an unauthenticated remote attacker to crash PI core services and cause denial of service. Affected versions include PI Server <=2018_SP3_Patch_7, 2023 (including 2023_Patch_1), and 2024. The issue has a CVSS 3.1 base score of 7.5 (High). AVEVA recommends upgrading to PI Server 2024 R2 or applying vendor patches and restricting inbound access to TCP port 5450.

CISA Orders Removal of Unsupported Edge Devices Nationwide

🔒 CISA ordered federal agencies to remove edge devices that no longer receive vendor security updates and to strengthen lifecycle management within 12–18 months. Directive 26-02 requires agencies to catalog devices, update supported software immediately, report end-of-support items in three months, and decommission listed devices in 12 months and others in 18 months. CISA published an end-of-support edge device list and highlighted routers, firewalls, load balancers, wireless access points and IoT edge gear as high-risk targets for exploitation.

CISA directs removal of unsupported federal edge devices

🔒 CISA has ordered Federal Civilian Executive Branch agencies to inventory, update where possible, and remove all end-of-support edge devices—firewalls, routers, VPN gateways, load balancers, and other network security appliances—within an 18-month timeline. Agencies must report inventories within three months and begin removals within 12 months. CISA warned unsupported devices represent a substantial and constant threat and urged private sector adoption of similar measures.

CISA Orders Federal Agencies to Replace EOL Edge Devices

⚠️ CISA has issued BOD 26-02 requiring U.S. federal agencies to identify and remove end-of-life (EOL) network edge devices such as routers, firewalls, and switches that no longer receive security updates. Agencies must inventory devices on CISA's end-of-support list within three months, decommission pre-directive EOL devices within 12 months, and replace all identified EOL edge equipment within 18 months. The directive also requires agencies to implement continuous discovery processes within 24 months and encourages non-federal organizations to follow CISA's guidance to mitigate exploitation risks.

Hitachi Energy FOX61x RADIUS MD5 Forgery Vulnerability

🔒 Hitachi Energy reported a critical vulnerability in FOX61x devices when configured to use remote RADIUS authentication. The RADIUS implementation is vulnerable to a chosen-prefix collision attack on the MD5 Response Authenticator, allowing an attacker able to manipulate responses to forge Access-Accept/Access-Reject/Access-Challenge messages and affect confidentiality, integrity, and availability. Affected versions include FOX61x R17A and earlier; update to R18 and enable the RADIUS Message-Authenticator on both the device and the RADIUS server. If immediate upgrade is not possible, segment FOX management traffic to reduce exposure.

Ilevia EVE X1 Server: Multiple Critical Vulnerabilities

⚠️ CISA warns of multiple high‑severity vulnerabilities in Ilevia EVE X1 Server (≤ 4.7.18.0), including pre‑auth path traversal, unauthenticated OS command injection, plaintext credential exposure in logs, and reflected XSS. Successful exploitation can allow arbitrary shell execution and disclosure of sensitive files on critical manufacturing systems. Ilevia and CISA recommend updating the Ilevia Manager, closing TCP/8080, enforcing strong credentials, applying network segmentation, and monitoring for unauthorized access.

TP-Link VIGI IP Cameras: Local Password Bypass Vulnerability

🔒 A vulnerability in the TP‑Link VIGI Series IP Camera local web interface allows an attacker on the same LAN to bypass authentication in the password recovery flow and reset the administrator password by manipulating client-side state. Successful exploitation grants full administrative access, compromising device configuration and network security. TP‑Link has released firmware updates and strongly recommends installing the latest builds; CISA advises isolating affected devices from public networks and using secure remote access such as updated VPNs.

Mitsubishi MELSEC iQ-R Series Critical Firmware Flaw

⚠️ A critical vulnerability (CVE-2025-15080) affects Mitsubishi Electric MELSEC iQ-R Series firmware (R08/16/32/120PCPU) versions 48 and earlier. An attacker can read device data or parts of control programs, write device data, or cause a denial-of-service by sending specially crafted SLMP or proprietary protocol packets. Mitsubishi Electric recommends updating affected firmware to version 49 or later and, until patched, restricting access via firewalls, IP filters, VPNs, and LAN-only operation.

Hitachi Energy XMC20 RADIUS Forgery Vulnerability Advisory

⚠️ Hitachi Energy disclosed a critical vulnerability (CVE-2024-3596) affecting XMC20 devices that use remote RADIUS authentication. An MD5 Response Authenticator weakness permits a local attacker to forge or convert valid RADIUS responses (Access-Accept, Access-Reject, Access-Challenge), affecting confidentiality, integrity, and availability. Vendor guidance is to upgrade to XMC20 R18 and enable the RADIUS Message-Authenticator on both the device and the RADIUS server; where upgrades are not possible, segment FOX management traffic and apply network mitigations. CISA republishes the vendor advisory for visibility.

CISA Adds Two CVEs to Known Exploited Vulnerabilities

⚠️ CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-11953 (React Native Community CLI OS command injection) and CVE-2026-24423 (SmarterTools SmarterMail missing authentication for critical function). The additions reflect evidence of active exploitation and elevated risk to the federal enterprise. Under BOD 22-01 federal agencies must remediate KEV entries by the due date. CISA strongly urges all organizations to prioritize timely remediation.

o6 Automation Open62541 JSON PubSub Heap Overflow Advisory

⚠️ o6 Automation's Open62541 contains a heap out-of-bounds write in builds with PubSub and JSON enabled. A crafted JSON message can overwrite heap memory prior to authentication, reliably crashing the process and causing memory corruption. The vulnerability affects versions >=1.5-rc1 and <1.5-rc2 (CVE-2026-1301). Upgrade to v1.5.0 and apply network-access mitigations such as isolating control networks and restricting remote access to reduce exposure.

CISA Alerts on Five-Year-Old GitLab SSRF Exploitation

⚠️ CISA has ordered federal agencies to patch a five-year-old GitLab SSRF vulnerability (CVE-2021-39935) that is currently being exploited in attacks. GitLab issued a fix for the server-side request forgery bug in December 2021 after it was found that unauthenticated users could reach the CI Lint API when user registration was restricted. Under BOD 22-01, affected Federal Civilian Executive Branch agencies must remediate by February 24, 2026, and CISA urges all organizations to prioritize mitigation. Shodan currently identifies over 49,000 internet-exposed GitLab instances, many reachable on default ports.

SolarWinds Web Help Desk RCE Vulnerability Exploited

⚠️ The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-40551 — a critical remote code execution flaw in SolarWinds Web Help Desk — to its Known Exploited Vulnerabilities catalog after reports of active exploitation. The vendor patched multiple high-severity bugs on January 28 and assigned CVSS scores of 9.8. Administrators are urged to apply the vendor update to Web Help Desk 2026.1 immediately to mitigate unauthenticated deserialization and authentication-bypass risks.