
All news with #advisory tag

287 articles · page 4 of 15

CISA Flags Actively Exploited SolarWinds WHD Flaw

⚠ CISA has added a critical SolarWinds Web Help Desk vulnerability, CVE-2025-40551, to its Known Exploited Vulnerabilities catalog and flagged it as actively exploited. The flaw is an untrusted data deserialization vulnerability that can enable remote code execution without authentication, allowing attackers to run commands on affected hosts. SolarWinds released patches in WHD version 2026.1 that also address several related high-severity CVEs. Federal Civilian Executive Branch agencies are required to remediate this flaw under BOD 22-01, with a February 6, 2026, deadline.

CISA: Critical SolarWinds Web Help Desk RCE Exploited

🔒 CISA has flagged a critical SolarWinds Web Help Desk vulnerability (CVE-2025-40551) as actively exploited and ordered federal agencies to patch within three days under BOD 22-01. The flaw is an untrusted data deserialization weakness that can enable unauthenticated remote command execution; SolarWinds released Web Help Desk 2026.1 on January 28 to address it. Administrators are urged to apply the patch immediately and verify affected systems.

Docker patches critical Ask Gordon AI 'DockerDash' flaw

🛡️ Researchers disclosed a critical prompt-injection flaw, codenamed DockerDash, that allowed malicious Docker image metadata to hijack the Ask Gordon AI assistant in Docker Desktop and the Docker CLI. The vulnerability, discovered by Noma Labs, could enable remote code execution or sensitive data exfiltration by treating unverified LABEL fields as executable instructions. Docker fixed the issue in Ask Gordon version 4.50.0 (November 2025). Administrators should upgrade and apply zero-trust validation to AI toolchains and MCP/Gateway integrations.

SQL Injection in Quiz and Survey Master Affects 40k Sites

🔒 A SQL injection vulnerability in the Quiz and Survey Master (QSM) WordPress plugin affected more than 40,000 sites running versions 10.3.1 and earlier. The flaw allowed any logged-in user with Subscriber-level privileges or higher to supply crafted input to a REST API parameter named is_linking, which was concatenated into a database query without sanitisation. Patchstack credited Doan Dinh Van for the report and QSM released version 10.3.2 to enforce integer casting (intval) and mitigate the issue; the defect is tracked as CVE-2025-67987. There is no public evidence of active exploitation, but the bug underscores risks from trusting request data and the need for prepared statements.

CISA Adds Four Known Exploited Vulnerabilities to KEV Catalog

🔒 CISA has added four vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog: CVE-2019-19006 (Sangoma FreePBX improper authentication), CVE-2021-39935 (GitLab SSRF), CVE-2025-40551 (SolarWinds Web Help Desk deserialization), and CVE-2025-64328 (Sangoma FreePBX OS command injection). Evidence indicates active exploitation and these issues pose significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by required deadlines. CISA strongly urges all organizations to prioritize timely remediation and will continue updating the catalog.

CISA: Synectix LAN 232 TRIO Unauthenticated Web Interface

🔒 The Synectix LAN 232 TRIO 3-port serial-to-Ethernet adapter exposes its web management interface without requiring authentication, enabling unauthenticated actors to modify critical device settings or perform a factory reset. Tracked as CVE-2026-1633 and rated CVSS v3.1 10.0 (Critical), the product is end-of-life and Synectix is no longer in business, so firmware fixes are unavailable. CISA recommends minimizing network exposure, isolating control networks behind firewalls, and using up-to-date VPNs or other secure remote-access methods while operators pursue replacement or isolation of affected units.

MOMA Seismic Station Authentication Bypass Vulnerability

⚠️ MOMA Seismic Station versions v2.4.2520 and earlier expose the device's web management interface without requiring authentication, enabling unauthenticated actors to modify configuration, retrieve device data, or remotely reset the device. The vulnerability is tracked as CVE-2026-1632 and classified as Missing Authentication for Critical Function (CWE-306). CISA assigns a CRITICAL severity (CVSS v3.1 Base Score 9.1) and notes that RISS SRL did not provide a vendor-supplied patch in the advisory.

Avation Light Engine Pro: Critical Missing Authentication

🛡️ Avation's Light Engine Pro devices expose configuration and control interfaces without authentication, tracked as CVE-2026-1341. Successful exploitation could allow an attacker to take full control of affected units. Avation has not responded to CISA's coordination request; users should contact the vendor and apply mitigations such as isolating devices from the internet, placing them behind firewalls, and using VPNs for remote access. CISA reports no public exploitation to date.

NCA and NatWest Warn Businesses of Invoice Fraud Risks

⚠️ NatWest and the UK's National Crime Agency (NCA) have launched a joint awareness campaign to highlight rising invoice fraud affecting businesses, including BEC and payment redirection. The initiative warns that fraudsters impersonate suppliers, intercept emails and pressure victims into urgent payments that are then diverted. Guidance urges businesses to Check, Verify, and Never transfer funds until payment details are independently confirmed. The campaign also stresses that Accounts Payable and Finance teams are frequent targets of these schemes.

Microsoft Links Windows 11 Boot Failures to Dec 2025 Update

⚠️ Microsoft says recent Windows 11 boot failures following the January 2026 cumulative update are tied to earlier failed attempts to install the December 2025 security update, which left some systems in an "improper state." After applying KB5074109, affected devices showed a BSOD with stop error UNMOUNTABLE_BOOT_VOLUME. Microsoft is working on a partial resolution to prevent new no-boot cases, but it warns this fix will not repair devices already unable to boot or stop systems from entering the improper state. The company also says the issue appears limited to physical machines.

Ivanti warns of two critical EPMM zero-day flaws exploited

⚠ Ivanti disclosed two critical code-injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340, both rated 9.8 and observed in limited zero-day exploitation. The flaws allow unauthenticated remote arbitrary code execution and exposure of administrator, user, and managed-device data. Ivanti published RPM hotfixes to mitigate affected builds, advised immediate application, and warned hotfixes must be reapplied after upgrades until a permanent 12.8.0.0 fix is released in Q1 2026.

Microsoft January 2026 Out-of-Band Office Update Patch

⚠️ Microsoft released three out-of-band updates in January 2026, including a security update addressing CVE-2026-21509 in Microsoft Office, which has reportedly been exploited in the wild. The vulnerability is rated Important with a CVSS 3.1 score of 7.8 and is considered local, requiring a user to open a malicious Office document or an attacker to already have system access. Microsoft notes the issue cannot be triggered via the Preview Pane and has published mitigation guidance. Talos published Snort and ClamAV detections and advises customers to apply the latest rules and SRU updates.

Critical sandbox escape in vm2 Node.js library patched

⚠️ A critical sandbox-escape vulnerability (CVE-2026-22709) was discovered in the vm2 Node.js sandbox library that allows untrusted code to break out of the sandbox and execute commands on the host. The flaw stems from improper sanitization of Promise.prototype.then and Promise.prototype.catch callbacks for asynchronous code, enabling trivial exploitation. Maintainer Patrik Šimek issued sequential fixes in 3.10.1 and 3.10.2 and says 3.10.3 addresses disclosed issues; users should upgrade immediately.

Microsoft issues emergency Office patch for zero-day

🔒 Microsoft has issued emergency out-of-band updates to patch a high-severity Office zero-day, tracked as CVE-2026-21509, which is being actively exploited. The vulnerability allows an unauthenticated local attacker to bypass Office security features by convincing a user to open a malicious file; Microsoft says the preview pane is not an attack vector. Updates cover Microsoft 365 Apps and Office LTSC 2021/2024; fixes for Office 2016 and 2019 are pending. Microsoft and reporting outlets published registry-based mitigations administrators can apply until official updates are available.

CISA Publishes PQC-Capable Product Categories List

🔐 CISA has published an initial list of hardware and software product categories that either support or are expected to support post-quantum cryptography (PQC) standards, following Executive Order 14306 issued on 6 June 2025. Compiled in collaboration with the NSA, the list covers cloud services, collaboration and web software, endpoint security and networking products, and is intended to guide procurement and risk planning as organizations prepare for quantum threats.

CISA Adds Five Known Exploited Vulnerabilities to Catalog

⚠️ CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation, affecting Linux Kernel, SmarterMail, Microsoft Office, and GNU InetUtils. The newly listed CVEs are CVE-2018-14634, CVE-2025-52691, CVE-2026-21509, CVE-2026-23760, and CVE-2026-24061 and represent frequent attack vectors that pose significant risks to federal and enterprise environments. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by required due dates, and CISA urges all organizations to prioritize timely remediation as part of vulnerability management.

AutomationDirect CLICK PLC Password Storage Vulnerabilities

🔒 AutomationDirect reported two vulnerabilities in CLICK Programmable Logic Controllers (PLCs) — CVE-2025-67652 and CVE-2025-25051 — that expose stored credentials and weak encoding. Both issues carry a CVSS 3.1 base score of 6.1 (Medium) and affect C0-0x, C0-1x, and C2-x product versions. AutomationDirect recommends updating CLICK PLUS and PLC firmware to V3.90; until the update can be applied, implement compensating controls such as network isolation, restricted access, application whitelisting, and enhanced logging and monitoring. CISA notes these vulnerabilities are not exploitable remotely and no public exploitation has been reported.

Weintek cMT X Series Privilege Escalation Vulnerabilities

🔒 CISA reports two high-severity vulnerabilities in Weintek cMT X Series HMI devices that allow low-privileged users to escalate privileges and potentially take full control of affected units. Both issues (CVE-2025-14750 and CVE-2025-14751) receive a CVSS 3.1 base score of 8.3. Vendor firmware updates are available for specific models; apply vendor-supplied patches and follow network-segmentation mitigations.

Rockwell CompactLogix 5370 DoS Vulnerability Advisory

⚠️ Rockwell Automation's CompactLogix 5370 controllers are affected by a denial-of-service vulnerability (CVE-2025-11743) that can produce a major nonrecoverable fault requiring a restart. The issue is triggered by a malformed CIP Forward Open message and has a CVSS v3.1 base score of 6.5. Affected versions include <=34.013, <=35.012, and 36.011; fixed releases include 37.011, 34.016, 35.015, and 36.012. Rockwell reported the issue to CISA; no known public exploitation has been reported and CISA notes the vulnerability is not exploitable remotely. Users unable to upgrade should follow security best practices to limit exposure.

EVMAPA EV Charging Stations: Critical Authentication Flaws

🔒 CISA warns of multiple high-severity vulnerabilities in EVMAPA electric vehicle charging station software, including missing authentication on a WebSocket endpoint (CVE-2025-54816), unlimited authentication attempts (CVE-2025-53968), and insufficient session expiration (CVE-2025-55705). Exploitation could enable unauthorized remote command execution, spoofing of station statuses, or denial-of-service, with a top CVSS score of 9.4. Vendor responses vary: EVMAPA plans BASIC auth for OCPP 2.x, uses WSS and vendor VPN for some deployments, and reports one issue has been fixed.